Uploaded image for project: 'CDAP'
  1. CDAP
  2. CDAP-11815

Dataset upgrade step doesn't properly impersonate

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.1.1
    • Fix Version/s: 4.2.0, 4.1.2
    • Component/s: Datasets, Security
    • Labels:
    • Release Notes:
      Fix impersonation when upgrading datasets in UpgradeTool
    • Rank:
      1|i0039r:

      Description

      To reproduce:
      1. Create a CDAP namespace, which is configured to impersonate a user; have a custom-mapped hbase namespace.
      2. Do not allow the cdap system user any privilege on this hbase namespace.
      3. Have at least one table in this hbase namespace.
      4. Run the UpgradeTool

      There will be an error like below. This is a regression introduced in 4.1.1, due to a change (CDAP-9278) that made the updates to the table happen in a different (and asynchronous) thread than the calling thread which did the impersonation.

      2017-06-04 02:33:18,356 - INFO  [hbase-cmd-executor-7:c.c.c.d.t.DatasetUpgrader@203] - Upgrading hbase table: TableId{namespace=cdap_alice, tableName=foo}, desc: 'cdap_alice:foo', {TABLE_ATTRIBUTES => {coprocessor$1 => '/cdap/cdap/lib/coprocessor-4.2.0-SNAPSHOT-1496523165684-HBASE_10_CDH55.jar|co.cask.cdap.data2.transaction.coprocessor.hbase10cdh550.DefaultTransactionProcessor|1073741823|', METADATA => {'cdap.version' => '4.2.0-SNAPSHOT-1496523165684', 'dataset.table.prefix' => 'cdap'}}, {NAME => 'd', DATA_BLOCK_ENCODING => 'NONE', BLOOMFILTER => 'ROW', REPLICATION_SCOPE => '0', VERSIONS => '2147483647', COMPRESSION => 'SNAPPY', MIN_VERSIONS => '0', TTL => 'FOREVER', KEEP_DELETED_CELLS => 'FALSE', BLOCKSIZE => '65536', IN_MEMORY => 'false', BLOCKCACHE => 'true'}
      2017-06-04 02:33:18,570 - ERROR [main:c.c.c.d.t.DatasetUpgrader@166] - Failed to upgrade user table cdap_alice:foo
      org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=cdap/<HOSTNAME>@<REALM>, scope=cdap_alice:foo, params=[table=cdap_alice:foo],action=CREATE)
      	at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:429)
      	at org.apache.hadoop.hbase.security.access.AccessController.preGetTableDescriptors(AccessController.java:2370)
      	at org.apache.hadoop.hbase.master.MasterCoprocessorHost$73.call(MasterCoprocessorHost.java:858)
      	at org.apache.hadoop.hbase.master.MasterCoprocessorHost.execOperation(MasterCoprocessorHost.java:1056)
      	at org.apache.hadoop.hbase.master.MasterCoprocessorHost.preGetTableDescriptors(MasterCoprocessorHost.java:854)
      	at org.apache.hadoop.hbase.master.HMaster.listTableDescriptors(HMaster.java:2230)
      	at org.apache.hadoop.hbase.master.MasterRpcServices.getTableDescriptors(MasterRpcServices.java:802)
      	at org.apache.hadoop.hbase.protobuf.generated.MasterProtos$MasterService$2.callBlockingMethod(MasterProtos.java:44205)
      	at org.apache.hadoop.hbase.ipc.RpcServer.call(RpcServer.java:2034)
      	at org.apache.hadoop.hbase.ipc.CallRunner.run(CallRunner.java:107)
      	at org.apache.hadoop.hbase.ipc.RpcExecutor.consumerLoop(RpcExecutor.java:130)
      	at org.apache.hadoop.hbase.ipc.RpcExecutor$1.run(RpcExecutor.java:107)
      	at java.lang.Thread.run(Thread.java:745)
      
      	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.7.0_75]
      	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) ~[na:1.7.0_75]
      	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:1.7.0_75]
      	at java.lang.reflect.Constructor.newInstance(Constructor.java:526) ~[na:1.7.0_75]
      	at org.apache.hadoop.ipc.RemoteException.instantiateException(RemoteException.java:106) ~[hadoop-common-2.6.0-cdh5.5.6.jar:na]
      	at org.apache.hadoop.ipc.RemoteException.unwrapRemoteException(RemoteException.java:95) ~[hadoop-common-2.6.0-cdh5.5.6.jar:na]
      	at org.apache.hadoop.hbase.client.RpcRetryingCaller.translateException(RpcRetryingCaller.java:226) ~[hbase-client-1.0.0-cdh5.5.6.jar:na]
      	at org.apache.hadoop.hbase.client.RpcRetryingCaller.translateException(RpcRetryingCaller.java:240) ~[hbase-client-1.0.0-cdh5.5.6.jar:na]
      	at org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithRetries(RpcRetryingCaller.java:140) ~[hbase-client-1.0.0-cdh5.5.6.jar:na]
      	at org.apache.hadoop.hbase.client.HBaseAdmin.executeCallable(HBaseAdmin.java:3678) ~[hbase-client-1.0.0-cdh5.5.6.jar:na]
      	at org.apache.hadoop.hbase.client.HBaseAdmin.getTableDescriptor(HBaseAdmin.java:451) ~[hbase-client-1.0.0-cdh5.5.6.jar:na]
      	at co.cask.cdap.data2.util.hbase.HBase10CDH550TableUtil.getHTableDescriptor(HBase10CDH550TableUtil.java:78) ~[co.cask.cdap.cdap-hbase-compat-1.0-cdh5.5.0-4.2.0-SNAPSHOT.jar:na]
      	at co.cask.cdap.data2.dataset2.lib.hbase.AbstractHBaseDataSetAdmin.updateTable(AbstractHBaseDataSetAdmin.java:138) ~[co.cask.cdap.cdap-data-fabric-4.2.0-SNAPSHOT.jar:na]
      	at co.cask.cdap.data2.dataset2.lib.hbase.AbstractHBaseDataSetAdmin.upgrade(AbstractHBaseDataSetAdmin.java:95) ~[co.cask.cdap.cdap-data-fabric-4.2.0-SNAPSHOT.jar:na]
      	at co.cask.cdap.data.tools.DatasetUpgrader.upgradeUserTable(DatasetUpgrader.java:228) ~[co.cask.cdap.cdap-master-4.2.0-SNAPSHOT.jar:na]
      	at co.cask.cdap.data.tools.DatasetUpgrader.access$400(DatasetUpgrader.java:59) ~[co.cask.cdap.cdap-master-4.2.0-SNAPSHOT.jar:na]
      	at co.cask.cdap.data.tools.DatasetUpgrader$3.run(DatasetUpgrader.java:184) ~[co.cask.cdap.cdap-master-4.2.0-SNAPSHOT.jar:na]
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) ~[na:1.7.0_75]
      	at java.util.concurrent.FutureTask.run(FutureTask.java:262) ~[na:1.7.0_75]
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) ~[na:1.7.0_75]
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) ~[na:1.7.0_75]
      	at java.lang.Thread.run(Thread.java:745) ~[na:1.7.0_75]
      

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                ali.anwar Ali Anwar
                Reporter:
                ali.anwar Ali Anwar
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: