Posted to issues@sentry.apache.org by "Alexander Kolbasov (JIRA)" <ji...@apache.org> on 2016/11/29 04:43:58 UTC

[jira] [Comment Edited] (SENTRY-1549) Attempt to remove privilege fails on role access

    [ https://issues.apache.org/jira/browse/SENTRY-1549?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15704174#comment-15704174 ] 

Alexander Kolbasov edited comment on SENTRY-1549 at 11/29/16 4:43 AM:
----------------------------------------------------------------------

Here is the actual failing code:

{code}
  private void revokePrivilegeFromRole(PersistenceManager pm, TSentryPrivilege tPrivilege,
      MSentryRole mRole, MSentryPrivilege mPrivilege) throws SentryInvalidInputException {
    if (PARTIAL_REVOKE_ACTIONS.contains(mPrivilege.getAction())) {
      // if this privilege is in {ALL,SELECT,INSERT}
      // we will do partial revoke
      revokePartial(pm, tPrivilege, mRole, mPrivilege);
    } else {
      // if this privilege is not ALL, SELECT nor INSERT,
      // we will revoke it from role directly
      MSentryPrivilege persistedPriv = getMSentryPrivilege(convertToTSentryPrivilege(mPrivilege), pm);
      if (persistedPriv != null) {
        mPrivilege.removeRole(mRole); // <-- Here
        privCleaner.incPrivRemoval();
        pm.makePersistent(mPrivilege);
      }
    }
  }
{code}

In this case the privilege is not ALL, SELECT nor INSERT.



> Attempt to remove privilege fails on role access
> ------------------------------------------------
>
>                 Key: SENTRY-1549
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1549
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 1.8.0
>            Reporter: Alexander Kolbasov
>             Fix For: sentry-ha-redesign
>
>
> I was trying to remove a privilege from a role. This privilege had only WITH GRANT OPTION set. It was done using Thrift API. The result was interesting:
> {code}
> TransactionManager.executeTransactionWithRetry(TransactionManager.java:102)] The transaction has reached max retry number, will not retry again.
> javax.jdo.JDODetachedFieldAccessException: You have just attempted to access field "roles" yet this field was not detached when you detached the object. Either dont access this field, or detach it when detaching the object.
>         at org.apache.sentry.provider.db.service.model.MSentryPrivilege.jdoGetroles(MSentryPrivilege.java)
>         at org.apache.sentry.provider.db.service.model.MSentryPrivilege.removeRole(MSentryPrivilege.java:173)
>         at org.apache.sentry.provider.db.service.persistent.SentryStore.revokePrivilegeFromRole(SentryStore.java:570)
>         at org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleRevokePrivilegeCore(SentryStore.java:498)
>         at org.apache.sentry.provider.db.service.persistent.SentryStore.access$800(SentryStore.java:95)
>         at org.apache.sentry.provider.db.service.persistent.SentryStore$9.execute(SentryStore.java:458)
>         at org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransaction(TransactionManager.java:72)
>         at org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransactionWithRetry(TransactionManager.java:93)
>         at org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleRevokePrivileges(SentryStore.java:451)
>         at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_revoke_privilege(SentryPolicyStoreProcessor.java:344)
>         at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_revoke_privilege.getResult(SentryPolicyService.java:1257)
>         at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_revoke_privilege.getResult(SentryPolicyService.java:1242)
>         at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
>         at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
>         at org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:35)
>         at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
>         at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
> {code}
> {code}
> 2016-11-28 20:35:52,439 (pool-7-thread-10) [ERROR - org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_revoke_privilege(SentryPolicyStoreProcessor.java:384)] Unknown error for request: TAlterSentryRoleRevokePrivilegeRequest(protocol_version:2, requestorUserName:akolb, roleName:r3, privilege:TSentryPrivilege(privilegeScope:, serverName:, dbName:, tableName:, URI:, action:, grantOption:TRUE, columnName:), privileges:[TSentryPrivilege(privilegeScope:, serverName:, dbName:, tableName:, URI:, action:, grantOption:TRUE, columnName:)]), message: The transaction has reached max retry number, will not retry again.
> {code}
> {code}
> java.lang.Exception: The transaction has reached max retry number, will not retry again.
>         at org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransactionWithRetry(TransactionManager.java:103)
>         at org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleRevokePrivileges(SentryStore.java:451)
>         at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_revoke_privilege(SentryPolicyStoreProcessor.java:344)
>         at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_revoke_privilege.getResult(SentryPolicyService.java:1257)
>         at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_revoke_privilege.getResult(SentryPolicyService.java:1242)
>         at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
>         at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
>         at org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:35)
>         at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
>         at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.jdo.JDODetachedFieldAccessException: You have just attempted to access field "roles" yet this field was not detached when you detached the object. Either dont access this field, or detach it when detaching the object.
>         at org.apache.sentry.provider.db.service.model.MSentryPrivilege.jdoGetroles(MSentryPrivilege.java)
>         at org.apache.sentry.provider.db.service.model.MSentryPrivilege.removeRole(MSentryPrivilege.java:173)
>         at org.apache.sentry.provider.db.service.persistent.SentryStore.revokePrivilegeFromRole(SentryStore.java:570)
>         at org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleRevokePrivilegeCore(SentryStore.java:498)
>         at org.apache.sentry.provider.db.service.persistent.SentryStore.access$800(SentryStore.java:95)
>         at org.apache.sentry.provider.db.service.persistent.SentryStore$9.execute(SentryStore.java:458)
>         at org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransaction(TransactionManager.java:72)
>         at org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransactionWithRetry(TransactionManager.java:93)
>         ... 12 more
> 2016-11-28 20:35:52,440 (pool-7-thread-10) [INFO - org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_revoke_privilege(SentryPolicyStoreProcessor.java:394)] {"serviceName":"Sentry-Service","userName":"akolb","impersonator":"","ipAddress":"/127.0.0.1","operation":"REVOKE_PRIVILEGE","eventTime":"1480394152439","operationText":"REVOKE  ON   FROM ROLE r3 WITH GRANT OPTION","allowed":"false","databaseName":"","tableName":"","column":null,"resourcePath":"","objectType":"PRINCIPAL"}
> {code}
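
Added example, not Sentry's code or the project's patch: plain-Java stand-ins reproduce the failure in the stack trace above, where the `else` branch looks up `persistedPriv` but calls `removeRole` on the detached `mPrivilege`, so the revoke aborts and the role keeps its privilege. `Privilege`, `STORE`, `revokeAsOnPage` and `revokeOnPersisted` are hypothetical names, `IllegalStateException` stands in for `JDODetachedFieldAccessException`, and operating on the looked-up instance is an assumed correction.

```java
import java.util.*;
// Added illustration: plain-Java stand-ins, not Sentry or JDO classes.
public class DetachedRevokeDemo {
  // Hypothetical model of a persistable privilege whose "roles" field may be unloaded.
  static class Privilege {
    final String key;
    private final Set<String> roles;   // null models "field was not detached"
    Privilege(String key, Set<String> roles) { this.key = key; this.roles = roles; }
    void removeRole(String role) {
      if (roles == null) {
        // Stand-in for javax.jdo.JDODetachedFieldAccessException
        throw new IllegalStateException("field \"roles\" was not detached");
      }
      roles.remove(role);
    }
    boolean hasRole(String role) { return roles != null && roles.contains(role); }
  }
  // Stand-in for the datastore: key -> managed instance with all fields loaded.
  static final Map<String, Privilege> STORE = new HashMap<>();

  // Mirrors the else-branch on the page: looks up the persisted object, then mutates the argument.
  static void revokeAsOnPage(Privilege mPrivilege, String role) {
    Privilege persistedPriv = STORE.get(mPrivilege.key);
    if (persistedPriv != null) {
      mPrivilege.removeRole(role);   // throws when mPrivilege is a detached copy
    }
  }

  // Assumed correction: mutate the instance that was just looked up.
  static void revokeOnPersisted(Privilege mPrivilege, String role) {
    Privilege persistedPriv = STORE.get(mPrivilege.key);
    if (persistedPriv != null) {
      persistedPriv.removeRole(role);
    }
  }

  public static void main(String[] args) {
    // Constructed sample input: role r3 holds a privilege; the caller has a detached copy.
    STORE.put("grant-option-only", new Privilege("grant-option-only", new HashSet<>(Set.of("r3"))));
    Privilege detached = new Privilege("grant-option-only", null);
    try {
      revokeAsOnPage(detached, "r3");
    } catch (IllegalStateException e) {
      System.out.println("revoke failed: " + e.getMessage());
    }
    System.out.println("r3 still holds privilege: " + STORE.get("grant-option-only").hasRole("r3"));
    revokeOnPersisted(detached, "r3");
    System.out.println("r3 still holds privilege: " + STORE.get("grant-option-only").hasRole("r3"));
  }
}
```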


