Exception ERROR:81:role violation When Running UDF Through Client

Exception ERROR:81:role violation When Running UDF Through Client

Problem Description

A user is set up with read-write-udf permission, verified via aql:

aql> show users
+-------------+------------------------------+
| user        | roles                        |
+-------------+------------------------------+
| "udfrunner" | "read-write, read-write-udf" |
+-------------+------------------------------+
1 rows in set (0.001 secs)

However, trying to run a UDF as this user with code like the following (example in Java) results in an ERROR:81:role violation exception.

public static void test2(AerospikeClient client,Statement stmt) {
       // UDF truncate.truncate_set() removes all records from namespace/set in stmt
       System.out.println("Beginning UDF execution...");
       ExecuteTask task = client.execute(new writePolicy(), stmt, "truncate", "truncate_set");
       task.waitTillComplete(1000, 0);
       System.out.println("Done executing UDF.");
}

Explanation

As described in Configuring Access Control, the read-write-udf privilege allows the user to execute UDFs, and in fact, in the example above, the records do actually get removed even though the role violation exception is thrown. However, using the scan-query job monitoring system, which is what the task.waitTillComplete() method needs to find out whether the task is complete, requires data-admin privilege, as job monitoring subsystem also allows to abort a running job.

Solution

Either grant the data-admin permission to that role for the necessary namespace and set, or remove the call to task.waitTillComplete() and find some other method of determining when the UDF has finished.

Keywords

UDF ERROR CODE 81 EXCEPTION SECURITY ROLE USER PERMISSION READ-WRITE-UDF DATA-ADMIN

Timestamp

April 2020

© 2015 Copyright Aerospike, Inc. | All rights reserved. Creators of the Aerospike Database.