Problem Description
A user is set up with read-write-udf permission, verified via aql:
aql> show users +-------------+------------------------------+ | user | roles | +-------------+------------------------------+ | "udfrunner" | "read-write, read-write-udf" | +-------------+------------------------------+ 1 rows in set (0.001 secs)
However, trying to run a UDF as this user with code like the following (example in Java) results in an ERROR:81:role violation exception.
public static void test2(AerospikeClient client,Statement stmt) {
// UDF truncate.truncate_set() removes all records from namespace/set in stmt
System.out.println("Beginning UDF execution...");
ExecuteTask task = client.execute(new writePolicy(), stmt, "truncate", "truncate_set");
task.waitTillComplete(1000, 0);
System.out.println("Done executing UDF.");
}
Explanation
As described in Configuring Access Control, theread-write-udf privilege allows the user to execute UDFs, and in fact, in the example above, the records do actually get removed even though the role violation exception is thrown. However, using the scan-query job monitoring system, which is what the task.waitTillComplete() method needs to find out whether the task is complete, requires data-admin privilege, as job monitoring subsystem also allows to abort a running job.Solution
Either grant thedata-admin permission to that role for the necessary namespace and set, or remove the call to task.waitTillComplete() and find some other method of determining when the UDF has finished.