Posted to commits@sentry.apache.org by sp...@apache.org on 2017/10/17 17:45:03 UTC

sentry git commit: SENTRY-1231: Sentry doesn't secure index location uri, when do "CREATE INDEX LOCATION ''/uri" (Sergio Pena, reviewed by kalyan kumar kalvagadda)

Repository: sentry
Updated Branches:
  refs/heads/master 74d7d3ad7 -> e0bdf3e65


SENTRY-1231: Sentry doesn't secure index location uri, when do "CREATE INDEX LOCATION ''/uri" (Sergio Pena, reviewed by kalyan kumar kalvagadda)


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/e0bdf3e6
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/e0bdf3e6
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/e0bdf3e6

Branch: refs/heads/master
Commit: e0bdf3e65c0e999d2190269ae497a3c03a449462
Parents: 74d7d3a
Author: Sergio Pena <se...@cloudera.com>
Authored: Tue Oct 17 12:42:52 2017 -0500
Committer: Sergio Pena <se...@cloudera.com>
Committed: Tue Oct 17 12:42:52 2017 -0500

----------------------------------------------------------------------
 .../binding/hive/HiveAuthzBindingHook.java      |  1 +
 .../hive/authz/HiveAuthzBindingHookBase.java    | 23 +++++++++++++++++++
 .../hive/authz/HiveAuthzPrivilegesMap.java      |  2 ++
 .../tests/e2e/hive/TestOperationsPart2.java     | 24 ++++++++++++++++++++
 4 files changed, 50 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/e0bdf3e6/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index f1531ed..802bf9c 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -148,6 +148,7 @@ public class HiveAuthzBindingHook extends HiveAuthzBindingHookBase {
       case HiveParser.TOK_UNLOCKTABLE:
         currTab = extractTable((ASTNode)ast.getFirstChildWithType(HiveParser.TOK_TABNAME));
         currDB = extractDatabase((ASTNode) ast.getChild(0));
+        indexURI = extractTableLocation(ast);//As index location is captured using token HiveParser.TOK_TABLELOCATION
         break;
       case HiveParser.TOK_ALTERINDEX_REBUILD:
         currTab = extractTable((ASTNode)ast.getChild(0)); //type is not TOK_TABNAME
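Review bot: The trailing comment on `indexURI = extractTableLocation(ast);` is glued to the statement and names a parser token rather than the intent; `// CREATE INDEX ... LOCATION is parsed as TOK_TABLELOCATION; null when the statement has no LOCATION clause` says what a reader needs. This case body appears to be shared with labels above `TOK_UNLOCKTABLE` that lie outside the hunk, so the extraction also runs for those statements and relies on the null return for the no-location case; that is worth saying in the comment. The enclosing switch and method start outside the hunk.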

http://git-wip-us.apache.org/repos/asf/sentry/blob/e0bdf3e6/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
index b4f220e..2e299a9 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
@@ -90,6 +90,7 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
   protected List<AccessURI> udfURIs;
   protected AccessURI serdeURI;
   protected AccessURI partitionURI;
+  protected AccessURI indexURI;
   protected Table currOutTab = null;
   protected Database currOutDB = null;
   protected final List<String> serdeWhiteList;
@@ -290,6 +291,24 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
     }
   }
 
+  protected static AccessURI extractTableLocation(ASTNode ast) throws SemanticException {
+    ASTNode locationChild = (ASTNode)ast.getFirstChildWithType(HiveParser.TOK_TABLELOCATION);
+    if (locationChild == null) {
+      LOG.debug("Token HiveParser.TOK_TABLELOCATION not found in ast. "
+          + "This means command does not have a location clause");
+      return null;
+    }
+
+    if (locationChild.getChildCount() != 1) {
+      LOG.error("Found Token HiveParser.TOK_TABLELOCATION, but was expecting the URI as its only "
+          + "child. This means it is possible that permissions on the URI are not checked for this "
+          + "command ");
+      return null;
+    }
+
+    return parseURI(BaseSemanticAnalyzer.unescapeSQLString(locationChild.getChild(0).getText()));
+  }
+
   public static void runFailureHook(SentryOnFailureHookContext hookContext,
       String csHooks) {
     try {
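Review bot: The `getChildCount() != 1` branch in `extractTableLocation` logs an error and returns null, which makes the caller treat the statement as having no location and skip the URI authorization entirely — the log message itself admits this. Since the method already declares `throws SemanticException`, an unexpected AST shape should fail closed: `throw new SemanticException("Unexpected TOK_TABLELOCATION structure; cannot determine index location URI");` in place of the second `return null;`. The method also has no Javadoc; a short one stating that it returns the URI of the statement's LOCATION clause, returns null when the statement has no such clause, and what it throws would help the next maintainer. The `runFailureHook` lines that follow are context only.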
@@ -371,6 +390,10 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
         inputHierarchy.add(ImmutableList.of(hiveAuthzBinding.getAuthServer(), partitionURI));
       }
 
+      if(indexURI != null) {
+        outputHierarchy.add(ImmutableList.of(hiveAuthzBinding.getAuthServer(), indexURI));
+      }
+
       getInputHierarchyFromInputs(inputHierarchy, inputs);
       for (WriteEntity writeEntity: outputs) {
         if (filterWriteEntity(writeEntity)) {
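Review bot: `if(indexURI != null)` drops the space after `if` that the surrounding code uses (`for (WriteEntity writeEntity: outputs)`); write `if (indexURI != null) {`. Adding the URI to outputHierarchy only is consistent with the output-side URI privilege this commit adds to the index entry in HiveAuthzPrivilegesMap. The enclosing method starts and ends outside the hunk.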

http://git-wip-us.apache.org/repos/asf/sentry/blob/e0bdf3e6/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index 2a215c4..ffa193f 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -77,6 +77,8 @@ public class HiveAuthzPrivilegesMap {
         build();
     HiveAuthzPrivileges indexTablePrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
         addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INDEX)).
+        //Only used for create index location
+        addOutputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)).
         setOperationScope(HiveOperationScope.TABLE).
         setOperationType(HiveOperationType.DDL).
         build();
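Review bot: The comment `//Only used for create index location` sits inside a chained builder call, between `.` and `addOutputObjectPriviledge`, which compiles but is easy to misread and breaks the chain's alignment; move it above the `HiveAuthzPrivileges indexTablePrivilege = ...` statement. It would also help to state there that the URI output privilege is only evaluated when the hook extracted a LOCATION URI from the statement, e.g. `// URI output privilege applies only to CREATE INDEX ... LOCATION; index statements without a LOCATION clause carry no URI`. The builder chain begins outside the hunk.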

http://git-wip-us.apache.org/repos/asf/sentry/blob/e0bdf3e6/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
index 0e79ece..cf89b5d 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
@@ -112,9 +112,13 @@ public class TestOperationsPart2 extends AbstractTestWithStaticConfiguration {
   @Test
   public void testIndexTable() throws Exception {
     adminCreate(DB1, tableName, true);
+    String indexLocation = dfs.getBaseDir() + "/" + Math.random();
     policyFile
         .addPermissionsToRole("index_db1_tb1", privileges.get("index_db1_tb1"))
         .addRolesToGroup(USERGROUP1, "index_db1_tb1")
+        .addRolesToGroup(USERGROUP3, "index_db1_tb1")
+        .addPermissionsToRole("uri_role", "server=server1->uri=" + indexLocation)
+        .addRolesToGroup(USERGROUP3, "uri_role")
         .addPermissionsToRole("insert_db1_tb1", privileges.get("insert_db1_tb1"))
         .addRolesToGroup(USERGROUP2, "insert_db1_tb1");
     writePolicyFile(policyFile);
@@ -148,6 +152,26 @@ public class TestOperationsPart2 extends AbstractTestWithStaticConfiguration {
     exec(statement, "DROP INDEX table01_index ON tb1");
     statement.close();
     connection.close();
+
+    //Positive case for location
+    connection = context.createConnection(USER3_1);
+    statement = context.createStatement(connection);
+    exec(statement, "Use " + DB1);
+    exec(statement, "CREATE INDEX table01_index ON TABLE tb1 (a) AS 'COMPACT' WITH DEFERRED REBUILD LOCATION '"
+        + indexLocation + "'");
+    exec(statement, "ALTER INDEX table01_index ON tb1 REBUILD");
+    exec(statement, "DROP INDEX table01_index ON tb1");
+    statement.close();
+    connection.close();
+
+    //Negative case
+    connection = context.createConnection(USER1_1);
+    statement = context.createStatement(connection);
+    exec(statement, "Use " + DB1);
+    assertSemanticException(statement, "CREATE INDEX table01_index ON TABLE tb1 (a) AS 'COMPACT' WITH DEFERRED REBUILD " +
+            "LOCATION '" + indexLocation + "'");
+    statement.close();
+    connection.close();
   }
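Review bot: The negative case only exercises CREATE INDEX ... LOCATION for USER1_1, who holds index_db1_tb1 but not uri_role, so it proves the URI privilege is required but not that the index privilege is still required when only the URI privilege is held; a second negative case with a user granted uri_role alone would pin both sides of the check. The positive case runs `ALTER INDEX table01_index ON tb1 REBUILD` after creating the index at the custom location, but there is no negative rebuild case, and from the hook hunk indexURI is extracted only from the statement's own LOCATION token, so a rebuild by a user lacking the URI privilege appears not to be URI-checked — worth confirming with a test or recording as a known gap. The test method begins in the previous hunk.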
 
   /* Test all operations that require drop on table alone


Re: Sentry-HA status

Posted by Kalyan Kumar Kalvagadda <kk...@cloudera.com>.
Hello Shang,

We are planning to release sentry 2.0.0 in next couple of weeks which will
have sentry HA.
Stay tuned for more updates.

-Kalyan

-Kalyan

On Tue, Oct 17, 2017 at 3:13 PM, shang xinli <sh...@hotmail.com> wrote:

> Hi all,
>
>
> Can somebody share with me about sentry-HA status and timeline to release?
> Or somebody can 'r' me so that I can connect with somebody in the team to
> get in touch is also great. Our Hadoop system started to use sentry and we
> need HA.  Our system is quite huge that we have several thousands of node.
> So HA is very important to us. Thanks.
>
>
> Xinli
>

Sentry-HA status

Posted by shang xinli <sh...@hotmail.com>.
Hi all,


Can somebody share with me about sentry-HA status and timeline to release? Or somebody can 'r' me so that I can connect with somebody in the team to get in touch is also great. Our Hadoop system started to use sentry and we need HA.  Our system is quite large: we have several thousand nodes. So HA is very important to us. Thanks.


Xinli