You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@accumulo.apache.org by "Yudong Wu (JIRA)" <ji...@apache.org> on 2016/11/19 00:38:58 UTC
[jira] [Comment Edited] (ACCUMULO-4519) System permission bug in
Thrift Proxy
[ https://issues.apache.org/jira/browse/ACCUMULO-4519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15677874#comment-15677874 ]
Yudong Wu edited comment on ACCUMULO-4519 at 11/19/16 12:38 AM:
----------------------------------------------------------------
Oh, I see.
Yep those API does not relate to the enum defined in Thrift proxy files I mentioned before. That API should refer to permissions related information in package *org.apache.accumulo.core.security*, where no permission absence happened.
was (Author: cutylewiwi):
Oh, I see.
Yep those API does not relate to the enum defined in Thrift proxy files I mentioned before. That API should refer to permissions related information in package `org.apache.accumulo.core.security`, where no permission absence happened.
> System permission bug in Thrift Proxy
> -------------------------------------
>
> Key: ACCUMULO-4519
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4519
> Project: Accumulo
> Issue Type: Bug
> Components: proxy
> Affects Versions: 1.8.0
> Reporter: Yudong Wu
> Fix For: 1.7.3, 1.8.1, 2.0.0
>
>
> The system permission list between core and Thrift proxy is inconsistent. The proxy lacks the support for some of the newly added system permissions, including:
> {{System.CREATE_NAMESPACE}}
> {{System.DROP_NAMESPACE}}
> {{System.ALTER_NAMESPACE}}
> {{System.OBTAIN_DELEGATION_TOKEN}}
> Currently, when connecting through Thrift proxy, we can't grant, check or revoke the above 4 System permissions. When a proxy client sends permissions (i.e., {{System.CREATE_NAMESPACE}}), it will receive {{AccumuloException}} wrapping around {{java.lang.NullPointerException}}:
> {code:borderStyle=solid}
> Traceback (most recent call last):
> File "Client.py", line 32, in <module>
> client.grantSystemPermission(login, username, CREATE_NAMESPACE_PERM)
> File "***AccumuloProxy.py", line 2980, in grantSystemPermission
> self.recv_grantSystemPermission()
> File "***AccumuloProxy.py", line 3006, in recv_grantSystemPermission
> raise result.ouch1
> accumulo.ttypes.AccumuloException: AccumuloException(msg='java.lang.NullPointerException')
> {code}
> The bug is in the Thrift proxy file
> {code:title=accumulo/proxy/src/main/thrift/proxy/thrift|borderStyle=solid}
> enum SystemPermission {
> GRANT = 0,
> CREATE_TABLE = 1,
> DROP_TABLE = 2,
> ALTER_TABLE = 3,
> CREATE_USER = 4,
> DROP_USER = 5,
> ALTER_USER = 6,
> SYSTEM = 7,
> }
> {code}
> The {{SystemPermission}} enum clearly misses Permission #8--#11 defined in Accumulo core:
> {code:title=accumulo/core/.../SystemPermission.java|borderStyle=solid}
> public enum SystemPermission {
> /*
> * One may add new permissions, but new permissions must use new numbers. Current numbers in use must not be changed.
> */
> GRANT((byte) 0),
> CREATE_TABLE((byte) 1),
> DROP_TABLE((byte) 2),
> ALTER_TABLE((byte) 3),
> CREATE_USER((byte) 4),
> DROP_USER((byte) 5),
> ALTER_USER((byte) 6),
> SYSTEM((byte) 7),
> CREATE_NAMESPACE((byte) 8),
> DROP_NAMESPACE((byte) 9),
> ALTER_NAMESPACE((byte) 10),
> OBTAIN_DELEGATION_TOKEN((byte) 11);
> }
> {code}
> The fix should be straightforward---just add the corresponding permissions into the Thrift proxy file.
> Let me know if you need any more info, or want a patch for this.
> Thanks!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)