Posted to issues@sentry.apache.org by "Vamsee Yarlagadda (JIRA)" <ji...@apache.org> on 2017/06/29 01:48:00 UTC
[jira] [Created] (SENTRY-1825) Dropping a Hive database/table doesn't cleanup the permissions associated with it
Vamsee Yarlagadda created SENTRY-1825:
-----------------------------------------
Summary: Dropping a Hive database/table doesn't cleanup the permissions associated with it
Key: SENTRY-1825
URL: https://issues.apache.org/jira/browse/SENTRY-1825
Project: Sentry
Issue Type: Bug
Affects Versions: sentry-ha-redesign
Reporter: Vamsee Yarlagadda
Priority: Critical
Sasha helped in finding this bug. Looks like dropping a database/table no longer cleans up the privileges associated with it.
This problem is because of:
https://github.com/apache/sentry/blob/sentry-ha-redesign/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java#L126-L127
{code}
final HiveConf hiveConf = new HiveConf();
hiveInstance = hiveConf.get(HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar());
{code}
With the latest redesign, we are only setting this property on Hive's (sentry-site.xml) and not on Sentry's (sentry-site.xml).
So during permission grants, Hive makes sure to supply *server1* for permission updates. But when we drop the table/database that has the perms attached, it goes through HMSFollower and this code sets the property to NULL, as sentry-site.xml doesn't have this set. So it attempts to remove permissions with a NULL server setting and this always returns without deleting anything.
We need to ensure that the corresponding property is set in both (Sentry, Hive) sentry-site.xml files so that the proper privileges are referenced.
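The failure mode reported above, as an added example that is not part of the original message and is not Sentry code: a toy privilege store where a delete scoped by a null server name matches nothing, next to a fail-fast check on the configuration lookup. The class, the methods, the configuration key and the sample grant are all hypothetical and constructed for illustration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added illustration: a toy model, not Sentry code. All names are hypothetical.
public class ServerNameGuardExample {
    // Constructed stand-in for the property that HMSFollower reads.
    static final String SERVER_NAME_KEY = "example.authz.server.name";

    record Privilege(String server, String db, String table, String role) {}

    static final List<Privilege> store = new ArrayList<>();

    // Removes privileges whose full scope matches; returns how many were deleted.
    static int dropPrivileges(String server, String db, String table) {
        int before = store.size();
        store.removeIf(p -> p.server().equals(server)
                && p.db().equals(db) && p.table().equals(table));
        return before - store.size();
    }

    // Fail fast at startup instead of carrying a null server name into deletes.
    static String requireServerName(Map<String, String> conf) {
        String name = conf.get(SERVER_NAME_KEY);
        if (name == null || name.isBlank()) {
            throw new IllegalStateException(SERVER_NAME_KEY + " is not set");
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed grant, recorded with the server name supplied at grant time.
        store.add(new Privilege("server1", "sales", "orders", "analyst"));

        // Follower-side configuration without the property: the lookup yields null.
        Map<String, String> followerConf = new HashMap<>();
        String unchecked = followerConf.get(SERVER_NAME_KEY);
        System.out.println("deleted with null server name: "
                + dropPrivileges(unchecked, "sales", "orders"));
        System.out.println("privileges still stored: " + store.size());

        try {
            requireServerName(followerConf);
        } catch (IllegalStateException e) {
            System.out.println("startup check: " + e.getMessage());
        }

        // With the property set on the follower side too, the same drop matches.
        followerConf.put(SERVER_NAME_KEY, "server1");
        System.out.println("deleted with configured server name: "
                + dropPrivileges(requireServerName(followerConf), "sales", "orders"));
    }
}
```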