You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sentry.apache.org by Prasad Mujumdar <pr...@cloudera.com> on 2014/05/25 05:26:09 UTC
Review Request 21894: SENTRY-183 Sentry Policy Service goes into an unusable
state when granting privileges. Subsequent access fail with a
DataNucleusException: "Iteration request failed: SELECT ..."
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/21894/
-----------------------------------------------------------
Review request for sentry, Arun Suresh, Jarek Cecho, and Sravya Tirukkovalur.
Bugs: SENTRY-183
https://issues.apache.org/jira/browse/SENTRY-183
Repository: sentry
Description
-------
With latest build, I am hitting a different error for drop role.
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. Unknown error for request: TDropSentryRoleRequest(protocol_version:1, requestorUserName:prasadm, requestorGroupNames:[prasadm], roleName:user_role), message: Privileges should be empty: [MSentryPrivilege [privilegeScope=TABLE, privilegeName=server1+default+t1+INSERT, serverName=server1, dbName=default, tableName=t1, URI=null, action=INSERT, roles=[...], createTime=1400898494165, grantorPrincipal=prasadm]]. Server Stacktrace: java.lang.IllegalStateException: Privileges should be empty: [MSentryPrivilege [privilegeScope=TABLE, privilegeName=server1+default+t1+INSERT, serverName=server1, dbName=default, tableName=t1, URI=null, action=INSERT, roles=[...], createTime=140089849l=prasadm]]
at com.google.common.base.Preconditions.checkState(Preconditions.java:145)
at org.apache.sentry.provider.db.service.model.MSentryRole.removePrivileges(MSentryRole.jav
at org.apache.sentry.provider.db.service.persistent.SentryStore.dropSentryRole(SentryStore.
at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.drop_sentry_rolecessor.java:224)
In the current m:n relation mapping, dataNucleus doens't populate the roles list in the MSentryPrivilege object. Hence remove call remove privilege unconditionally.
Diffs
-----
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java 82d701f
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java 86aaeb4
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java 8f0ecfd
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java 81a9ea4
Diff: https://reviews.apache.org/r/21894/diff/
Testing
-------
Added testcase to drop and recreate role with multiple privileges.
Thanks,
Prasad Mujumdar
Re: Review Request 21894: SENTRY-183 Sentry Policy Service goes into an
unusable state when granting privileges. Subsequent access fail with a
DataNucleusException: "Iteration request failed: SELECT ..."
Posted by Arun Suresh <ar...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/21894/#review43904
-----------------------------------------------------------
Ship it!
looks good
- Arun Suresh
On May 25, 2014, 3:26 a.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/21894/
> -----------------------------------------------------------
>
> (Updated May 25, 2014, 3:26 a.m.)
>
>
> Review request for sentry, Arun Suresh, Jarek Cecho, and Sravya Tirukkovalur.
>
>
> Bugs: SENTRY-183
> https://issues.apache.org/jira/browse/SENTRY-183
>
>
> Repository: sentry
>
>
> Description
> -------
>
> With latest build, I am hitting a different error for drop role.
>
> Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. Unknown error for request: TDropSentryRoleRequest(protocol_version:1, requestorUserName:prasadm, requestorGroupNames:[prasadm], roleName:user_role), message: Privileges should be empty: [MSentryPrivilege [privilegeScope=TABLE, privilegeName=server1+default+t1+INSERT, serverName=server1, dbName=default, tableName=t1, URI=null, action=INSERT, roles=[...], createTime=1400898494165, grantorPrincipal=prasadm]]. Server Stacktrace: java.lang.IllegalStateException: Privileges should be empty: [MSentryPrivilege [privilegeScope=TABLE, privilegeName=server1+default+t1+INSERT, serverName=server1, dbName=default, tableName=t1, URI=null, action=INSERT, roles=[...], createTime=140089849l=prasadm]]
> at com.google.common.base.Preconditions.checkState(Preconditions.java:145)
> at org.apache.sentry.provider.db.service.model.MSentryRole.removePrivileges(MSentryRole.jav
> at org.apache.sentry.provider.db.service.persistent.SentryStore.dropSentryRole(SentryStore.
> at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.drop_sentry_rolecessor.java:224)
>
> In the current m:n relation mapping, dataNucleus doens't populate the roles list in the MSentryPrivilege object. Hence remove call remove privilege unconditionally.
>
>
> Diffs
> -----
>
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java 82d701f
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java 86aaeb4
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java 8f0ecfd
> sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java 81a9ea4
>
> Diff: https://reviews.apache.org/r/21894/diff/
>
>
> Testing
> -------
>
> Added testcase to drop and recreate role with multiple privileges.
>
>
> Thanks,
>
> Prasad Mujumdar
>
>
Re: Review Request 21894: SENTRY-183 Sentry Policy Service goes into an
unusable state when granting privileges. Subsequent access fail with a
DataNucleusException: "Iteration request failed: SELECT ..."
Posted by Jarek Cecho <ja...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/21894/#review43905
-----------------------------------------------------------
Ship it!
Ship It!
- Jarek Cecho
On May 25, 2014, 3:26 a.m., Prasad Mujumdar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/21894/
> -----------------------------------------------------------
>
> (Updated May 25, 2014, 3:26 a.m.)
>
>
> Review request for sentry, Arun Suresh, Jarek Cecho, and Sravya Tirukkovalur.
>
>
> Bugs: SENTRY-183
> https://issues.apache.org/jira/browse/SENTRY-183
>
>
> Repository: sentry
>
>
> Description
> -------
>
> With latest build, I am hitting a different error for drop role.
>
> Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. Unknown error for request: TDropSentryRoleRequest(protocol_version:1, requestorUserName:prasadm, requestorGroupNames:[prasadm], roleName:user_role), message: Privileges should be empty: [MSentryPrivilege [privilegeScope=TABLE, privilegeName=server1+default+t1+INSERT, serverName=server1, dbName=default, tableName=t1, URI=null, action=INSERT, roles=[...], createTime=1400898494165, grantorPrincipal=prasadm]]. Server Stacktrace: java.lang.IllegalStateException: Privileges should be empty: [MSentryPrivilege [privilegeScope=TABLE, privilegeName=server1+default+t1+INSERT, serverName=server1, dbName=default, tableName=t1, URI=null, action=INSERT, roles=[...], createTime=140089849l=prasadm]]
> at com.google.common.base.Preconditions.checkState(Preconditions.java:145)
> at org.apache.sentry.provider.db.service.model.MSentryRole.removePrivileges(MSentryRole.jav
> at org.apache.sentry.provider.db.service.persistent.SentryStore.dropSentryRole(SentryStore.
> at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.drop_sentry_rolecessor.java:224)
>
> In the current m:n relation mapping, dataNucleus doens't populate the roles list in the MSentryPrivilege object. Hence remove call remove privilege unconditionally.
>
>
> Diffs
> -----
>
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java 82d701f
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java 86aaeb4
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java 8f0ecfd
> sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java 81a9ea4
>
> Diff: https://reviews.apache.org/r/21894/diff/
>
>
> Testing
> -------
>
> Added testcase to drop and recreate role with multiple privileges.
>
>
> Thanks,
>
> Prasad Mujumdar
>
>