You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sentry.apache.org by Na Li via Review Board <no...@reviews.apache.org> on 2019/01/25 21:07:44 UTC
Review Request 69841: SENTRY-2486: Wrong user name when sentry
HMSFollower gets full snapshot from HMS at insecure mode
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69841/
-----------------------------------------------------------
Review request for sentry, Arjun Mishra, Haley Reeve, and kalyan kumar kalvagadda.
Bugs: sentry-2486
https://issues.apache.org/jira/browse/sentry-2486
Repository: sentry
Description
-------
In insecure mode, the current login user name is passed from Sentry to HMS server when sentry HMSFollower gets full snapshot from HMS.
The user name should be "sentry" instead of current login user.
This issue should not happen in production because secure mode is always used. Insecure mode is only used in test.
Diffs
-----
sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java 31e58fd
sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java 0d62941
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java 47f7466
Diff: https://reviews.apache.org/r/69841/diff/1/
Testing
-------
Tested manually and verified the user name now is "sentry" when sentry HMSFollower gets notifications from HMS server
Thanks,
Na Li
Re: Review Request 69841: SENTRY-2486: Wrong user name when sentry
HMSFollower gets full snapshot from HMS at insecure mode
Posted by Na Li via Review Board <no...@reviews.apache.org>.
> On Jan. 28, 2019, 1:55 a.m., kalyan kumar kalvagadda wrote:
> > Idea here is to make sure that hive client knows the details of the user who is sending the request. In this specific case, hive should know the details of the user who running sentry service. Using sentry.service.server.principal and entry.service.realm doesn’t seem correct.
> >
> >
> > I have a thought.
> > ```
> > public HMSClient connect() throws IOException, InterruptedException, MetaException
> > {?
> > UserGroupInformation clientUGI = null;
> > if (insecure) {?
> > clientUGI = UserGroupInformation.getCurrentUser();?
> > } else {?
> > clientUGI = UserGroupInformation.getUGIFromSubject(kerberosContext.getSubject());?
> > }?
> > return new HMSClient(clientUGI.doAs(new PrivilegedExceptionAction<HiveMetaStoreClient>()
> > {?
> > @Override?
> > public HiveMetaStoreClient run() throws MetaException {?
> > return new HiveMetaStoreClient(hiveConf);?
> > }?
> > }));
> > }
> >
> > ```
> > All you have additionally do is change the tests to run sentry server as user “sentry”.
> >
> > Here is the sample code. I have tested it locally.
>
> Na Li wrote:
> HiveSimpleConnectionFactory is used by HMSFollower to get notifications from HMS server. It is not used for any other purposes in Sentry.
>
> If we following your suggestion, the user will be the login user, it could be "root" for one run, and "jenkins" for another run. How to make sure fetching notification from sentry works in your suggested approach?
>
> That is why I have this solution here. Make sure the user is "sentry" in insecured mode, and add "sentry" as services in HMS server.
>
> kalyan kumar kalvagadda wrote:
> Lina, Idea is to use the UserGroupInformation.getCurrentUser(). Please look at the patch i sugessted. All you have to do is perform doAs() while starting the service. I have sent you details offline.
>
> What you are suggesting will effect the users who are using sentry in non secure mode. Approach that i'm usggesting will address the issues with the tests and not change the behavior.
>
> Na Li wrote:
> Kalyan, your suggestion is the current code behavior without my code change.
>
> 1) Do you agree that when sentry HMS follower gets notification, the user name should be "sentry" instead of your name, or my name?
> 2) If you agree above, then your suggestion of using "UserGroupInformation.getCurrentUser()" won't work because it returns current login name, which is your name when you run the test, and my name if I run the test, or Jenkins name name if it runs on build machine.
> 3) When we have read authorization, HMS needs to check if the user has read access to the metadata or if user is service users.
> 3.1) If your approach is used, how do we write a test for read authorization? We don't know what user name to configure as service user, or give read access.
> 3.2) If my approach is used, we can add "sentry" as service user in test to pass read authorization, and sentry can get notifications
Thanks! I have updated according to your suggestion: change caller of the HiveSimpleConnectionFactory
- Na
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69841/#review212365
-----------------------------------------------------------
On Jan. 25, 2019, 9:07 p.m., Na Li wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69841/
> -----------------------------------------------------------
>
> (Updated Jan. 25, 2019, 9:07 p.m.)
>
>
> Review request for sentry, Arjun Mishra, Haley Reeve, and kalyan kumar kalvagadda.
>
>
> Bugs: sentry-2486
> https://issues.apache.org/jira/browse/sentry-2486
>
>
> Repository: sentry
>
>
> Description
> -------
>
> In insecure mode, the current login user name is passed from Sentry to HMS server when sentry HMSFollower gets full snapshot from HMS.
>
> The user name should be "sentry" instead of current login user.
>
> This issue should not happen in production because secure mode is always used. Insecure mode is only used in test.
>
>
> Diffs
> -----
>
> sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java 31e58fd
> sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java 0d62941
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java 47f7466
>
>
> Diff: https://reviews.apache.org/r/69841/diff/1/
>
>
> Testing
> -------
>
> Tested manually and verified the user name now is "sentry" when sentry HMSFollower gets notifications from HMS server
>
>
> Thanks,
>
> Na Li
>
>
Re: Review Request 69841: SENTRY-2486: Wrong user name when sentry
HMSFollower gets full snapshot from HMS at insecure mode
Posted by Na Li via Review Board <no...@reviews.apache.org>.
> On Jan. 28, 2019, 1:55 a.m., kalyan kumar kalvagadda wrote:
> > Idea here is to make sure that hive client knows the details of the user who is sending the request. In this specific case, hive should know the details of the user who running sentry service. Using sentry.service.server.principal and entry.service.realm doesn’t seem correct.
> >
> >
> > I have a thought.
> > ```
> > public HMSClient connect() throws IOException, InterruptedException, MetaException
> > {?
> > UserGroupInformation clientUGI = null;
> > if (insecure) {?
> > clientUGI = UserGroupInformation.getCurrentUser();?
> > } else {?
> > clientUGI = UserGroupInformation.getUGIFromSubject(kerberosContext.getSubject());?
> > }?
> > return new HMSClient(clientUGI.doAs(new PrivilegedExceptionAction<HiveMetaStoreClient>()
> > {?
> > @Override?
> > public HiveMetaStoreClient run() throws MetaException {?
> > return new HiveMetaStoreClient(hiveConf);?
> > }?
> > }));
> > }
> >
> > ```
> > All you have additionally do is change the tests to run sentry server as user “sentry”.
> >
> > Here is the sample code. I have tested it locally.
>
> Na Li wrote:
> HiveSimpleConnectionFactory is used by HMSFollower to get notifications from HMS server. It is not used for any other purposes in Sentry.
>
> If we following your suggestion, the user will be the login user, it could be "root" for one run, and "jenkins" for another run. How to make sure fetching notification from sentry works in your suggested approach?
>
> That is why I have this solution here. Make sure the user is "sentry" in insecured mode, and add "sentry" as services in HMS server.
>
> kalyan kumar kalvagadda wrote:
> Lina, Idea is to use the UserGroupInformation.getCurrentUser(). Please look at the patch i sugessted. All you have to do is perform doAs() while starting the service. I have sent you details offline.
>
> What you are suggesting will effect the users who are using sentry in non secure mode. Approach that i'm usggesting will address the issues with the tests and not change the behavior.
Kalyan, your suggestion is the current code behavior without my code change.
1) Do you agree that when sentry HMS follower gets notification, the user name should be "sentry" instead of your name, or my name?
2) If you agree above, then your suggestion of using "UserGroupInformation.getCurrentUser()" won't work because it returns current login name, which is your name when you run the test, and my name if I run the test, or Jenkins name name if it runs on build machine.
3) When we have read authorization, HMS needs to check if the user has read access to the metadata or if user is service users.
3.1) If your approach is used, how do we write a test for read authorization? We don't know what user name to configure as service user, or give read access.
3.2) If my approach is used, we can add "sentry" as service user in test to pass read authorization, and sentry can get notifications
- Na
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69841/#review212365
-----------------------------------------------------------
On Jan. 25, 2019, 9:07 p.m., Na Li wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69841/
> -----------------------------------------------------------
>
> (Updated Jan. 25, 2019, 9:07 p.m.)
>
>
> Review request for sentry, Arjun Mishra, Haley Reeve, and kalyan kumar kalvagadda.
>
>
> Bugs: sentry-2486
> https://issues.apache.org/jira/browse/sentry-2486
>
>
> Repository: sentry
>
>
> Description
> -------
>
> In insecure mode, the current login user name is passed from Sentry to HMS server when sentry HMSFollower gets full snapshot from HMS.
>
> The user name should be "sentry" instead of current login user.
>
> This issue should not happen in production because secure mode is always used. Insecure mode is only used in test.
>
>
> Diffs
> -----
>
> sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java 31e58fd
> sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java 0d62941
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java 47f7466
>
>
> Diff: https://reviews.apache.org/r/69841/diff/1/
>
>
> Testing
> -------
>
> Tested manually and verified the user name now is "sentry" when sentry HMSFollower gets notifications from HMS server
>
>
> Thanks,
>
> Na Li
>
>
Re: Review Request 69841: SENTRY-2486: Wrong user name when sentry
HMSFollower gets full snapshot from HMS at insecure mode
Posted by kalyan kumar kalvagadda via Review Board <no...@reviews.apache.org>.
> On Jan. 28, 2019, 1:55 a.m., kalyan kumar kalvagadda wrote:
> > Idea here is to make sure that hive client knows the details of the user who is sending the request. In this specific case, hive should know the details of the user who running sentry service. Using sentry.service.server.principal and entry.service.realm doesn’t seem correct.
> >
> >
> > I have a thought.
> > ```
> > public HMSClient connect() throws IOException, InterruptedException, MetaException
> > {?
> > UserGroupInformation clientUGI = null;
> > if (insecure) {?
> > clientUGI = UserGroupInformation.getCurrentUser();?
> > } else {?
> > clientUGI = UserGroupInformation.getUGIFromSubject(kerberosContext.getSubject());?
> > }?
> > return new HMSClient(clientUGI.doAs(new PrivilegedExceptionAction<HiveMetaStoreClient>()
> > {?
> > @Override?
> > public HiveMetaStoreClient run() throws MetaException {?
> > return new HiveMetaStoreClient(hiveConf);?
> > }?
> > }));
> > }
> >
> > ```
> > All you have additionally do is change the tests to run sentry server as user “sentry”.
> >
> > Here is the sample code. I have tested it locally.
>
> Na Li wrote:
> HiveSimpleConnectionFactory is used by HMSFollower to get notifications from HMS server. It is not used for any other purposes in Sentry.
>
> If we following your suggestion, the user will be the login user, it could be "root" for one run, and "jenkins" for another run. How to make sure fetching notification from sentry works in your suggested approach?
>
> That is why I have this solution here. Make sure the user is "sentry" in insecured mode, and add "sentry" as services in HMS server.
Lina, Idea is to use the UserGroupInformation.getCurrentUser(). Please look at the patch i sugessted. All you have to do is perform doAs() while starting the service. I have sent you details offline.
What you are suggesting will effect the users who are using sentry in non secure mode. Approach that i'm usggesting will address the issues with the tests and not change the behavior.
- kalyan kumar
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69841/#review212365
-----------------------------------------------------------
On Jan. 25, 2019, 9:07 p.m., Na Li wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69841/
> -----------------------------------------------------------
>
> (Updated Jan. 25, 2019, 9:07 p.m.)
>
>
> Review request for sentry, Arjun Mishra, Haley Reeve, and kalyan kumar kalvagadda.
>
>
> Bugs: sentry-2486
> https://issues.apache.org/jira/browse/sentry-2486
>
>
> Repository: sentry
>
>
> Description
> -------
>
> In insecure mode, the current login user name is passed from Sentry to HMS server when sentry HMSFollower gets full snapshot from HMS.
>
> The user name should be "sentry" instead of current login user.
>
> This issue should not happen in production because secure mode is always used. Insecure mode is only used in test.
>
>
> Diffs
> -----
>
> sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java 31e58fd
> sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java 0d62941
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java 47f7466
>
>
> Diff: https://reviews.apache.org/r/69841/diff/1/
>
>
> Testing
> -------
>
> Tested manually and verified the user name now is "sentry" when sentry HMSFollower gets notifications from HMS server
>
>
> Thanks,
>
> Na Li
>
>
Re: Review Request 69841: SENTRY-2486: Wrong user name when sentry
HMSFollower gets full snapshot from HMS at insecure mode
Posted by Na Li via Review Board <no...@reviews.apache.org>.
> On Jan. 28, 2019, 1:55 a.m., kalyan kumar kalvagadda wrote:
> > Idea here is to make sure that hive client knows the details of the user who is sending the request. In this specific case, hive should know the details of the user who running sentry service. Using sentry.service.server.principal and entry.service.realm doesn’t seem correct.
> >
> >
> > I have a thought.
> > ```
> > public HMSClient connect() throws IOException, InterruptedException, MetaException
> > {?
> > UserGroupInformation clientUGI = null;
> > if (insecure) {?
> > clientUGI = UserGroupInformation.getCurrentUser();?
> > } else {?
> > clientUGI = UserGroupInformation.getUGIFromSubject(kerberosContext.getSubject());?
> > }?
> > return new HMSClient(clientUGI.doAs(new PrivilegedExceptionAction<HiveMetaStoreClient>()
> > {?
> > @Override?
> > public HiveMetaStoreClient run() throws MetaException {?
> > return new HiveMetaStoreClient(hiveConf);?
> > }?
> > }));
> > }
> >
> > ```
> > All you have additionally do is change the tests to run sentry server as user “sentry”.
> >
> > Here is the sample code. I have tested it locally.
HiveSimpleConnectionFactory is used by HMSFollower to get notifications from HMS server. It is not used for any other purposes in Sentry.
If we following your suggestion, the user will be the login user, it could be "root" for one run, and "jenkins" for another run. How to make sure fetching notification from sentry works in your suggested approach?
That is why I have this solution here. Make sure the user is "sentry" in insecured mode, and add "sentry" as services in HMS server.
- Na
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69841/#review212365
-----------------------------------------------------------
On Jan. 25, 2019, 9:07 p.m., Na Li wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69841/
> -----------------------------------------------------------
>
> (Updated Jan. 25, 2019, 9:07 p.m.)
>
>
> Review request for sentry, Arjun Mishra, Haley Reeve, and kalyan kumar kalvagadda.
>
>
> Bugs: sentry-2486
> https://issues.apache.org/jira/browse/sentry-2486
>
>
> Repository: sentry
>
>
> Description
> -------
>
> In insecure mode, the current login user name is passed from Sentry to HMS server when sentry HMSFollower gets full snapshot from HMS.
>
> The user name should be "sentry" instead of current login user.
>
> This issue should not happen in production because secure mode is always used. Insecure mode is only used in test.
>
>
> Diffs
> -----
>
> sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java 31e58fd
> sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java 0d62941
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java 47f7466
>
>
> Diff: https://reviews.apache.org/r/69841/diff/1/
>
>
> Testing
> -------
>
> Tested manually and verified the user name now is "sentry" when sentry HMSFollower gets notifications from HMS server
>
>
> Thanks,
>
> Na Li
>
>
Re: Review Request 69841: SENTRY-2486: Wrong user name when sentry
HMSFollower gets full snapshot from HMS at insecure mode
Posted by kalyan kumar kalvagadda via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69841/#review212365
-----------------------------------------------------------
Idea here is to make sure that hive client knows the details of the user who is sending the request. In this specific case, hive should know the details of the user who running sentry service. Using sentry.service.server.principal and entry.service.realm doesn’t seem correct.
I have a thought.
```
public HMSClient connect() throws IOException, InterruptedException, MetaException
{?
UserGroupInformation clientUGI = null;
if (insecure) {?
clientUGI = UserGroupInformation.getCurrentUser();?
} else {?
clientUGI = UserGroupInformation.getUGIFromSubject(kerberosContext.getSubject());?
}?
return new HMSClient(clientUGI.doAs(new PrivilegedExceptionAction<HiveMetaStoreClient>()
{?
@Override?
public HiveMetaStoreClient run() throws MetaException {?
return new HiveMetaStoreClient(hiveConf);?
}?
}));
}
```
All you have additionally do is change the tests to run sentry server as user “sentry”.
Here is the sample code. I have tested it locally.
- kalyan kumar kalvagadda
On Jan. 25, 2019, 9:07 p.m., Na Li wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69841/
> -----------------------------------------------------------
>
> (Updated Jan. 25, 2019, 9:07 p.m.)
>
>
> Review request for sentry, Arjun Mishra, Haley Reeve, and kalyan kumar kalvagadda.
>
>
> Bugs: sentry-2486
> https://issues.apache.org/jira/browse/sentry-2486
>
>
> Repository: sentry
>
>
> Description
> -------
>
> In insecure mode, the current login user name is passed from Sentry to HMS server when sentry HMSFollower gets full snapshot from HMS.
>
> The user name should be "sentry" instead of current login user.
>
> This issue should not happen in production because secure mode is always used. Insecure mode is only used in test.
>
>
> Diffs
> -----
>
> sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java 31e58fd
> sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java 0d62941
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java 47f7466
>
>
> Diff: https://reviews.apache.org/r/69841/diff/1/
>
>
> Testing
> -------
>
> Tested manually and verified the user name now is "sentry" when sentry HMSFollower gets notifications from HMS server
>
>
> Thanks,
>
> Na Li
>
>
Re: Review Request 69841: SENTRY-2486: Wrong user name when sentry
HMSFollower gets full snapshot from HMS at insecure mode
Posted by kalyan kumar kalvagadda via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69841/#review212388
-----------------------------------------------------------
Looks good. Wiating for the tests to pass to give a +2.
- kalyan kumar kalvagadda
On Jan. 28, 2019, 6:55 p.m., Na Li wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69841/
> -----------------------------------------------------------
>
> (Updated Jan. 28, 2019, 6:55 p.m.)
>
>
> Review request for sentry, Arjun Mishra, Haley Reeve, and kalyan kumar kalvagadda.
>
>
> Bugs: sentry-2486
> https://issues.apache.org/jira/browse/sentry-2486
>
>
> Repository: sentry
>
>
> Description
> -------
>
> In insecure mode, the current login user name is passed from Sentry to HMS server when sentry HMSFollower gets full snapshot from HMS.
>
> The user name should be "sentry" instead of current login user.
>
> This issue should not happen in production because secure mode is always used. Insecure mode is only used in test.
>
>
> Diffs
> -----
>
> sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java 31e58fd
> sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java 0d62941
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java 47f7466
>
>
> Diff: https://reviews.apache.org/r/69841/diff/2/
>
>
> Testing
> -------
>
> Tested manually and verified the user name now is "sentry" when sentry HMSFollower gets notifications from HMS server
>
>
> Thanks,
>
> Na Li
>
>
Re: Review Request 69841: SENTRY-2486: Wrong user name when sentry
HMSFollower gets full snapshot from HMS at insecure mode
Posted by Arjun Mishra via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69841/#review212389
-----------------------------------------------------------
Ship it!
Ship It!
- Arjun Mishra
On Jan. 28, 2019, 6:55 p.m., Na Li wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69841/
> -----------------------------------------------------------
>
> (Updated Jan. 28, 2019, 6:55 p.m.)
>
>
> Review request for sentry, Arjun Mishra, Haley Reeve, and kalyan kumar kalvagadda.
>
>
> Bugs: sentry-2486
> https://issues.apache.org/jira/browse/sentry-2486
>
>
> Repository: sentry
>
>
> Description
> -------
>
> In insecure mode, the current login user name is passed from Sentry to HMS server when sentry HMSFollower gets full snapshot from HMS.
>
> The user name should be "sentry" instead of current login user.
>
> This issue should not happen in production because secure mode is always used. Insecure mode is only used in test.
>
>
> Diffs
> -----
>
> sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java 31e58fd
> sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java 0d62941
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java 47f7466
>
>
> Diff: https://reviews.apache.org/r/69841/diff/2/
>
>
> Testing
> -------
>
> Tested manually and verified the user name now is "sentry" when sentry HMSFollower gets notifications from HMS server
>
>
> Thanks,
>
> Na Li
>
>
Re: Review Request 69841: SENTRY-2486: Wrong user name when sentry
HMSFollower gets full snapshot from HMS at insecure mode
Posted by Na Li via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69841/
-----------------------------------------------------------
(Updated Jan. 28, 2019, 6:55 p.m.)
Review request for sentry, Arjun Mishra, Haley Reeve, and kalyan kumar kalvagadda.
Bugs: sentry-2486
https://issues.apache.org/jira/browse/sentry-2486
Repository: sentry
Description
-------
In insecure mode, the current login user name is passed from Sentry to HMS server when sentry HMSFollower gets full snapshot from HMS.
The user name should be "sentry" instead of current login user.
This issue should not happen in production because secure mode is always used. Insecure mode is only used in test.
Diffs (updated)
-----
sentry-service/sentry-service-server/src/main/java/org/apache/sentry/service/thrift/HiveSimpleConnectionFactory.java 31e58fd
sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestHMSFollower.java 0d62941
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java 47f7466
Diff: https://reviews.apache.org/r/69841/diff/2/
Changes: https://reviews.apache.org/r/69841/diff/1-2/
Testing
-------
Tested manually and verified the user name now is "sentry" when sentry HMSFollower gets notifications from HMS server
Thanks,
Na Li