PHOENIX-7069 : Fix permission related ITs when initializing list of region servers in CQSI.init
@shahrs87 Permission*ITs fail because a regular user created in these tests does not have permissions to list the decom region servers, i.e. `admin.getRegionServers()` works but `admin.getRegionServers(true)` does not. Does it make sense to give `Permission.Action.ADMIN` access to the regular user in these tests? Is there a lesser privileged set of perms I can give the user? What kind of perms do clients have in production?
CC: @virajjasani if you can clarify some of these things, it will be very helpful.
Hmm that's interesting, in fact we have to deal with somewhat similar perm issues in case of namespace enabled system tables too. But since this is admin operation, perhaps we might not have any other choice but to provide sufficient access to client.
@palashc do you have the full stacktrace?
@virajjasani Here is the stack trace from one of the tests in PermissionNSDisabledIT.java. It occurs when we try to initialize list of live region servers in CQSI.init().
```
java.lang.reflect.UndeclaredThrowableException
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1780)
at org.apache.hadoop.hbase.security.User$SecureHadoopUser.runAs(User.java:320)
at org.apache.phoenix.end2end.BasePermissionsIT.verifyAllowed(BasePermissionsIT.java:914)
at org.apache.phoenix.end2end.BasePermissionsIT.verifyAllowed(BasePermissionsIT.java:907)
at org.apache.phoenix.end2end.BasePermissionsIT.testReadPermsOnTableIndexAndView(BasePermissionsIT.java:1164)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63)
at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.apache.phoenix.SystemExitRule$1.evaluate(SystemExitRule.java:40)
at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:54)
at org.junit.rules.RunRules.evaluate(RunRules.java:20)
at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:69)
at com.intellij.rt.junit.IdeaTestRunner$Repeater$1.execute(IdeaTestRunner.java:38)
at com.intellij.rt.execution.junit.TestsRepeater.repeat(TestsRepeater.java:11)
at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:35)
at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:235)
at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:54)
Caused by: org.apache.phoenix.exception.PhoenixIOException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'regularUser1_N000056' (global, action=ADMIN)
at org.apache.hadoop.hbase.security.access.AccessChecker.requireGlobalPermission(AccessChecker.java:152)
at org.apache.hadoop.hbase.security.access.AccessChecker.requirePermission(AccessChecker.java:125)
at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:322)
at org.apache.hadoop.hbase.security.access.AccessController.preListDecommissionedRegionServers(AccessController.java:1207)
at org.apache.hadoop.hbase.master.MasterCoprocessorHost$152.call(MasterCoprocessorHost.java:1766)
at org.apache.hadoop.hbase.master.MasterCoprocessorHost$152.call(MasterCoprocessorHost.java:1763)
at org.apache.hadoop.hbase.coprocessor.CoprocessorHost$ObserverOperationWithoutResult.callObserver(CoprocessorHost.java:558)
at org.apache.hadoop.hbase.coprocessor.CoprocessorHost.execOperation(CoprocessorHost.java:631)
at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preListDecommissionedRegionServers(MasterCoprocessorHost.java:1763)
at org.apache.hadoop.hbase.master.MasterRpcServices.listDecommissionedRegionServers(MasterRpcServices.java:2097)
at org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos$MasterService$2.callBlockingMethod(MasterProtos.java)
at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:415)
at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:124)
at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:102)
at org.apache.hadoop.hbase.ipc.RpcHandler.run(RpcHandler.java:82)
at org.apache.phoenix.util.ClientUtil.parseServerException(ClientUtil.java:70)
at org.apache.phoenix.query.ConnectionQueryServicesImpl.refreshLiveRegionServers(ConnectionQueryServicesImpl.java:5279)
at org.apache.phoenix.query.ConnectionQueryServicesImpl$12.call(ConnectionQueryServicesImpl.java:3561)
at org.apache.phoenix.query.ConnectionQueryServicesImpl$12.call(ConnectionQueryServicesImpl.java:3529)
at org.apache.phoenix.util.PhoenixContextExecutor.call(PhoenixContextExecutor.java:76)
at org.apache.phoenix.query.ConnectionQueryServicesImpl.init(ConnectionQueryServicesImpl.java:3529)
at org.apache.phoenix.jdbc.PhoenixDriver.getConnectionQueryServices(PhoenixDriver.java:271)
at org.apache.phoenix.jdbc.PhoenixEmbeddedDriver.createConnection(PhoenixEmbeddedDriver.java:150)
at org.apache.phoenix.jdbc.PhoenixDriver.connect(PhoenixDriver.java:228)
at java.sql.DriverManager.getConnection(DriverManager.java:664)
at java.sql.DriverManager.getConnection(DriverManager.java:208)
at org.apache.phoenix.end2end.BasePermissionsIT.getConnection(BasePermissionsIT.java:351)
at org.apache.phoenix.end2end.BasePermissionsIT.getConnection(BasePermissionsIT.java:347)
at org.apache.phoenix.end2end.BasePermissionsIT$12.run(BasePermissionsIT.java:549)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1762)
... 36 more
```
Got it, now if we provide the access to the user, I wonder if the intent of the original test would remain the same.