Posted to issues@sentry.apache.org by "Na Li (JIRA)" <ji...@apache.org> on 2017/07/06 16:28:00 UTC

[jira] [Commented] (SENTRY-1825) Dropping a Hive database/table doesn't cleanup the permissions associated with it

    [ https://issues.apache.org/jira/browse/SENTRY-1825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16076834#comment-16076834 ] 

Na Li commented on SENTRY-1825:
-------------------------------

There are several problems:

1) HMSFollower should read sentry-site.xml to get the server name, not from hive-site.xml through hiveConf. The input configuration for the HMSFollower constructor is from sentry-site.xml. We should use that configuration to get the server name.
2) There are two variable names that could hold the value of the server. 
{quote}hive.sentry.server{quote} is deprecated and is in {quote}HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME_DEPRECATED{quote}. The new name is {quote}sentry.hive.server{quote} in {quote}HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME{quote}
We should check the {quote}sentry.hive.server{quote} first. If it is not set, check the deprecated {quote}hive.sentry.server{quote} to be backward compatible.
3) Whoever generates the sentry-site.xml for hive and sentry needs to make sure the variable is set for both host hive and sentry and of the same value. 

[~kkalyan] will make updates for items 1) and 2) as he is refactoring HMSFollower. I will make sure item 3) is handled by the proper team, and add an e2e test to show the issue and verify the fix. In the e2e test, the sentry-site.xml will be manually generated in test setup.



> Dropping a Hive database/table doesn't cleanup the permissions associated with it 
> ----------------------------------------------------------------------------------
>
>                 Key: SENTRY-1825
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1825
>             Project: Sentry
>          Issue Type: Sub-task
>    Affects Versions: sentry-ha-redesign
>            Reporter: Vamsee Yarlagadda
>            Assignee: Na Li
>            Priority: Critical
>              Labels: sentry-ha
>
> Sasha helped in finding this bug. Looks like dropping a database/table no longer cleans up the privileges associated with it.
> This problem is because of:
> https://github.com/apache/sentry/blob/sentry-ha-redesign/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java#L126-L127
> {code}
> final HiveConf hiveConf = new HiveConf();
>     hiveInstance = hiveConf.get(HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar());
> {code}
> With the latest redesign, we are only setting this property on Hive's (sentry-site.xml) and not on Sentry's (sentry-site.xml).
> So during permission grants, Hive ensures to supply the *server1* for permission updates. But when we drop the table/database that has the perms attached, it goes through HMSFollower and this code sets the property as NULL as sentry-site.xml doesn't have this set. So it attempts to remove permissions with NULL server setting and this always returns without deleting anything. 
> We need to ensure that the corresponding property is set on both (Sentry, Hive) sentry-site.xml to ensure referring to proper privileges. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
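
Added example (not part of the original message and not Sentry's own code): a Python pre-deployment check covering items 1) to 3) of the comment above. It resolves the server name from each sentry-site.xml (new key first, deprecated key as fallback) and reports when the Hive-side and Sentry-side values are missing or differ. The function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NEW_KEY = "sentry.hive.server"         # AUTHZ_SERVER_NAME
DEPRECATED_KEY = "hive.sentry.server"  # AUTHZ_SERVER_NAME_DEPRECATED


def load_site(xml_text):
    """Parse Hadoop-style <configuration><property> XML into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = (prop.findtext("value") or "").strip()
        if name:
            props[name] = value
    return props


def resolve_server_name(props):
    """Check the new key first, then the deprecated one; None if neither is set."""
    for key in (NEW_KEY, DEPRECATED_KEY):
        if props.get(key):
            return props[key]
    return None


def check_server_name(hive_xml, sentry_xml):
    """Return a list of problems; an empty list means both sides agree."""
    hive = resolve_server_name(load_site(hive_xml))
    sentry = resolve_server_name(load_site(sentry_xml))
    problems = []
    if hive is None:
        problems.append("Hive-side sentry-site.xml: server name not set")
    if sentry is None:
        problems.append("Sentry-side sentry-site.xml: server name not set")
    if hive and sentry and hive != sentry:
        problems.append(f"server name mismatch: hive={hive!r} sentry={sentry!r}")
    return problems


# Constructed sample files (hypothetical contents, not taken from the issue).
HIVE_SITE = """<configuration>
  <property><name>hive.sentry.server</name><value>server1</value></property>
</configuration>"""
SENTRY_SITE_MISSING = "<configuration></configuration>"
SENTRY_SITE_OK = """<configuration>
  <property><name>sentry.hive.server</name><value>server1</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, xml in (("missing", SENTRY_SITE_MISSING), ("ok", SENTRY_SITE_OK)):
        print(label, check_server_name(HIVE_SITE, xml) or "consistent")
```

The "missing" case reproduces the situation in the issue description: the Hive side resolves to server1 while the Sentry side resolves to nothing.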