You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sentry.apache.org by Prasad Mujumdar <pr...@cloudera.com> on 2014/05/25 05:26:09 UTC

Review Request 21894: SENTRY-183 Sentry Policy Service goes into an unusable state when granting privileges. Subsequent access fail with a DataNucleusException: "Iteration request failed: SELECT ..."

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/21894/
-----------------------------------------------------------

Review request for sentry, Arun Suresh, Jarek Cecho, and Sravya Tirukkovalur.


Bugs: SENTRY-183
    https://issues.apache.org/jira/browse/SENTRY-183


Repository: sentry


Description
-------

With latest build, I am hitting a different error for drop role.

Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. Unknown error for request: TDropSentryRoleRequest(protocol_version:1, requestorUserName:prasadm, requestorGroupNames:[prasadm], roleName:user_role), message: Privileges should be empty: [MSentryPrivilege [privilegeScope=TABLE, privilegeName=server1+default+t1+INSERT, serverName=server1, dbName=default, tableName=t1, URI=null, action=INSERT, roles=[...], createTime=1400898494165, grantorPrincipal=prasadm]]. Server Stacktrace: java.lang.IllegalStateException: Privileges should be empty: [MSentryPrivilege [privilegeScope=TABLE, privilegeName=server1+default+t1+INSERT, serverName=server1, dbName=default, tableName=t1, URI=null, action=INSERT, roles=[...], createTime=140089849l=prasadm]]
        at com.google.common.base.Preconditions.checkState(Preconditions.java:145)
        at org.apache.sentry.provider.db.service.model.MSentryRole.removePrivileges(MSentryRole.jav
        at org.apache.sentry.provider.db.service.persistent.SentryStore.dropSentryRole(SentryStore.
        at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.drop_sentry_rolecessor.java:224)

In the current m:n relation mapping, dataNucleus doens't populate the roles list in the MSentryPrivilege object. Hence remove call remove privilege unconditionally.


Diffs
-----

  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java 82d701f 
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java 86aaeb4 
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java 8f0ecfd 
  sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java 81a9ea4 

Diff: https://reviews.apache.org/r/21894/diff/


Testing
-------

Added testcase to drop and recreate role with multiple privileges.


Thanks,

Prasad Mujumdar

Re: Review Request 21894: SENTRY-183 Sentry Policy Service goes into an unusable state when granting privileges. Subsequent access fail with a DataNucleusException: "Iteration request failed: SELECT ..."

Posted by Arun Suresh <ar...@gmail.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/21894/#review43904
-----------------------------------------------------------

Ship it!


looks good

- Arun Suresh


On May 25, 2014, 3:26 a.m., Prasad Mujumdar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/21894/
> -----------------------------------------------------------
> 
> (Updated May 25, 2014, 3:26 a.m.)
> 
> 
> Review request for sentry, Arun Suresh, Jarek Cecho, and Sravya Tirukkovalur.
> 
> 
> Bugs: SENTRY-183
>     https://issues.apache.org/jira/browse/SENTRY-183
> 
> 
> Repository: sentry
> 
> 
> Description
> -------
> 
> With latest build, I am hitting a different error for drop role.
> 
> Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. Unknown error for request: TDropSentryRoleRequest(protocol_version:1, requestorUserName:prasadm, requestorGroupNames:[prasadm], roleName:user_role), message: Privileges should be empty: [MSentryPrivilege [privilegeScope=TABLE, privilegeName=server1+default+t1+INSERT, serverName=server1, dbName=default, tableName=t1, URI=null, action=INSERT, roles=[...], createTime=1400898494165, grantorPrincipal=prasadm]]. Server Stacktrace: java.lang.IllegalStateException: Privileges should be empty: [MSentryPrivilege [privilegeScope=TABLE, privilegeName=server1+default+t1+INSERT, serverName=server1, dbName=default, tableName=t1, URI=null, action=INSERT, roles=[...], createTime=140089849l=prasadm]]
>         at com.google.common.base.Preconditions.checkState(Preconditions.java:145)
>         at org.apache.sentry.provider.db.service.model.MSentryRole.removePrivileges(MSentryRole.jav
>         at org.apache.sentry.provider.db.service.persistent.SentryStore.dropSentryRole(SentryStore.
>         at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.drop_sentry_rolecessor.java:224)
> 
> In the current m:n relation mapping, dataNucleus doens't populate the roles list in the MSentryPrivilege object. Hence remove call remove privilege unconditionally.
> 
> 
> Diffs
> -----
> 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java 82d701f 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java 86aaeb4 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java 8f0ecfd 
>   sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java 81a9ea4 
> 
> Diff: https://reviews.apache.org/r/21894/diff/
> 
> 
> Testing
> -------
> 
> Added testcase to drop and recreate role with multiple privileges.
> 
> 
> Thanks,
> 
> Prasad Mujumdar
> 
>

Re: Review Request 21894: SENTRY-183 Sentry Policy Service goes into an unusable state when granting privileges. Subsequent access fail with a DataNucleusException: "Iteration request failed: SELECT ..."

Posted by Jarek Cecho <ja...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/21894/#review43905
-----------------------------------------------------------

Ship it!


Ship It!

- Jarek Cecho


On May 25, 2014, 3:26 a.m., Prasad Mujumdar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/21894/
> -----------------------------------------------------------
> 
> (Updated May 25, 2014, 3:26 a.m.)
> 
> 
> Review request for sentry, Arun Suresh, Jarek Cecho, and Sravya Tirukkovalur.
> 
> 
> Bugs: SENTRY-183
>     https://issues.apache.org/jira/browse/SENTRY-183
> 
> 
> Repository: sentry
> 
> 
> Description
> -------
> 
> With latest build, I am hitting a different error for drop role.
> 
> Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. Unknown error for request: TDropSentryRoleRequest(protocol_version:1, requestorUserName:prasadm, requestorGroupNames:[prasadm], roleName:user_role), message: Privileges should be empty: [MSentryPrivilege [privilegeScope=TABLE, privilegeName=server1+default+t1+INSERT, serverName=server1, dbName=default, tableName=t1, URI=null, action=INSERT, roles=[...], createTime=1400898494165, grantorPrincipal=prasadm]]. Server Stacktrace: java.lang.IllegalStateException: Privileges should be empty: [MSentryPrivilege [privilegeScope=TABLE, privilegeName=server1+default+t1+INSERT, serverName=server1, dbName=default, tableName=t1, URI=null, action=INSERT, roles=[...], createTime=140089849l=prasadm]]
>         at com.google.common.base.Preconditions.checkState(Preconditions.java:145)
>         at org.apache.sentry.provider.db.service.model.MSentryRole.removePrivileges(MSentryRole.jav
>         at org.apache.sentry.provider.db.service.persistent.SentryStore.dropSentryRole(SentryStore.
>         at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.drop_sentry_rolecessor.java:224)
> 
> In the current m:n relation mapping, dataNucleus doens't populate the roles list in the MSentryPrivilege object. Hence remove call remove privilege unconditionally.
> 
> 
> Diffs
> -----
> 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java 82d701f 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java 86aaeb4 
>   sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java 8f0ecfd 
>   sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java 81a9ea4 
> 
> Diff: https://reviews.apache.org/r/21894/diff/
> 
> 
> Testing
> -------
> 
> Added testcase to drop and recreate role with multiple privileges.
> 
> 
> Thanks,
> 
> Prasad Mujumdar
> 
>