Posted to dev@sentry.apache.org by Sergio Pena via Review Board <no...@reviews.apache.org> on 2017/10/11 19:02:52 UTC

Review Request 62902: Move the hive-authz2 grant/revoke implementation into the sentry-binding-hive module

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/
-----------------------------------------------------------

Review request for sentry, Alexander Kolbasov, Colm O hEigeartaigh, and kalyan kumar kalvagadda.


Bugs: sentry-1978
    https://issues.apache.org/jira/browse/sentry-1978


Repository: sentry


Description
-------

This patch is moving some hive-authz2 profile classes related to the grant/revoke tasks to allow running the current tests with it and start doing the switch to authz2.

The patch does the following:
- Stop using the SentryGrantRevokeTask for grant/revoke task execution. 
- Use SentryHiveAccessController to execute similar tasks that SentryGrantRevokeTask used to have.
- Configure the new controller on the HiveAuthzBindingSessionHook class.
- Configure tests to run the authz2 access controller.


Diffs
-----

  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 3454910db1950f11e3317011bf4c08041a4ec5ac 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java 994ae7a852d36653eb642112da7c0c58952f2f33 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java ceb3b17714d5dfc4c6186b5f9cf536d6ddbb662b 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHivePrivilegeObject.java PRE-CREATION 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java PRE-CREATION 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAccessController.java PRE-CREATION 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerFactory.java f6297e9a19e4624cfc9c5a57d939e5873261263d 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java 9c72876abbde2d1217503b90dfbfcd6d609427a8 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java PRE-CREATION 
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java a62a0a66f1894f9039f099691b9fcfa2e98d8549 
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java 27cfba9fab49f44f74f7b7d24564b22e3ac437ba 
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java 35cb2bb4ffb9109721ba24e6dac84667bfdefa37 
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java 5cd69e17b3d70dfc7b739354e9fe21a5f7678120 


Diff: https://reviews.apache.org/r/62902/diff/1/


Testing
-------

All tests passed.


Thanks,

Sergio Pena


Re: Review Request 62902: SENTRY-1978: Move the hive-authz2 grant/revoke implementation into the sentry-binding-hive module

Posted by Na Li via Review Board <no...@reviews.apache.org>.

> On Oct. 13, 2017, 8:57 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
> > Line 165 (original), 184 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852558#file1852558line184>
> >
> >     filter should be based on user's privileges. Where is the username or group info used?
> 
> Sergio Pena wrote:
>     This is done internally on the SentryMetaStoreFilterHook. This code is just passing the information to it.

I looked at the implementation of SentryMetaStoreFilterHook, shown below. It does not do real filtering. Can you double-check? Profile hive v2 filtering is more complicated than this.

    public Table filterTable(Table table) throws NoSuchObjectException {
      return table;
    }


- Na


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188013
-----------------------------------------------------------


On Oct. 12, 2017, 7:35 p.m., Sergio Pena wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62902/
> -----------------------------------------------------------
> 
> (Updated Oct. 12, 2017, 7:35 p.m.)
> 
> 
> Review request for sentry, Alexander Kolbasov, Colm O hEigeartaigh, and kalyan kumar kalvagadda.
> 
> 
> Bugs: sentry-1978
>     https://issues.apache.org/jira/browse/sentry-1978
> 
> 
> Repository: sentry
> 
> 
> Description
> -------
> 
> This patch is moving some hive-authz2 profile classes related to the grant/revoke tasks to allow running the current tests with it and start doing the switch to authz2.
> 
> The patch does the following:
> - Stop using the SentryGrantRevokeTask for grant/revoke task execution. 
> - Use SentryHiveAccessController to execute similar tasks that SentryGrantRevokeTask used to have.
> - Configure the new controller on the HiveAuthzBindingSessionHook class.
> - Configure tests to run the authz2 access controller.
> 
> 
> Diffs
> -----
> 
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 3454910db1950f11e3317011bf4c08041a4ec5ac 
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java 994ae7a852d36653eb642112da7c0c58952f2f33 
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java ceb3b17714d5dfc4c6186b5f9cf536d6ddbb662b 
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHivePrivilegeObject.java PRE-CREATION 
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java PRE-CREATION 
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAccessController.java PRE-CREATION 
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerFactory.java f6297e9a19e4624cfc9c5a57d939e5873261263d 
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java 9c72876abbde2d1217503b90dfbfcd6d609427a8 
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java PRE-CREATION 
>   sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java a62a0a66f1894f9039f099691b9fcfa2e98d8549 
>   sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java 27cfba9fab49f44f74f7b7d24564b22e3ac437ba 
>   sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java 35cb2bb4ffb9109721ba24e6dac84667bfdefa37 
>   sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java 5cd69e17b3d70dfc7b739354e9fe21a5f7678120 
> 
> 
> Diff: https://reviews.apache.org/r/62902/diff/1/
> 
> 
> Testing
> -------
> 
> All tests passed.
> 
> 
> Thanks,
> 
> Sergio Pena
> 
>


Re: Review Request 62902: SENTRY-1978: Move the hive-authz2 grant/revoke implementation into the sentry-binding-hive module

Posted by Na Li via Review Board <no...@reviews.apache.org>.

> On Oct. 13, 2017, 8:57 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
> > Line 165 (original), 184 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852558#file1852558line184>
> >
> >     filter should be based on user's privileges. Where is the username or group info used?
> 
> Sergio Pena wrote:
>     This is done internally on the SentryMetaStoreFilterHook. This code is just passing the information to it.
> 
> Na Li wrote:
>     I looked at the implementation of SentryMetaStoreFilterHook, shown below. It does not do real filtering. Can you double-check? Profile hive v2 filtering is more complicated than this.
>     
>     public Table filterTable(Table table) throws NoSuchObjectException {
>       return table;
>     }

Since the next patch is going to fix the filter implementation, I am OK for this patch to be committed first.


- Na


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188013
-----------------------------------------------------------




Re: Review Request 62902: SENTRY-1978: Move the hive-authz2 grant/revoke implementation into the sentry-binding-hive module

Posted by Sergio Pena via Review Board <no...@reviews.apache.org>.

> On Oct. 13, 2017, 8:57 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
> > Line 52 (original), 64 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852558#file1852558line64>
> >
> >     should it be v2? This is auth-2 API

I don't know what this version is. This is also part of the hive-authz2 profile and even Hive 2.0 HiveAuthorizer.java has it:

    public enum VERSION { V1 };


> On Oct. 13, 2017, 8:57 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
> > Line 112 (original), 126 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852558#file1852558line126>
> >
> >     should we just return here? 
> >     
> >     This function will be called by Hive when auth-2 is enabled. If we do authorization at semantic hook (called before this function), it should be OK to just return. 
> >     
> >     If we throw exception here, it will cause every hive command to fail.

I'm not throwing an exception. I put a comment that says there is nothing to do:
     // Nothing to do there. Privileges are checked on the Semantic hooks
  
The method is void so I don't need to return anything.


> On Oct. 13, 2017, 8:57 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
> > Line 165 (original), 184 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852558#file1852558line184>
> >
> >     filter should be based on user's privileges. Where is the username or group info used?

This is done internally on the SentryMetaStoreFilterHook. This code is just passing the information to it.


> On Oct. 13, 2017, 8:57 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
> > Line 184 (original), 203 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852558#file1852558line203>
> >
> >     Is it true all objects in the list have the same DB? If not, then we need to get DB for each object, and filter it

It is true. I don't know why Hive sends the list of objects in this way, but Hive adds the same DB to the list.
Also, the hive-authz2 profile uses a similar approach.


- Sergio


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188013
-----------------------------------------------------------
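
The per-user filtering asked about in the review comments above, as an added Java illustration that is not code from Sentry, Hive or this patch: `TableRef`, `PolicyStore` and the three filter methods are hypothetical stand-ins, and the sample grants are constructed. It also goes beyond the thread by showing what a filter that takes the database from the first list entry would return if a list ever mixed databases (Java 16+ for records).

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added illustration; every type here is hypothetical and is not Sentry or Hive code. */
public class MetadataFilterExample {

    /** Stand-in for a metastore object: a table name qualified by its database. */
    record TableRef(String db, String table) {}

    /** Stand-in policy store: group -> scopes, where a scope is "db" or "db.table". */
    static final class PolicyStore {
        private final Map<String, Set<String>> grantsByGroup = new HashMap<>();

        void grant(String group, String scope) {
            grantsByGroup.computeIfAbsent(group, g -> new HashSet<>()).add(scope);
        }

        /** True if any of the caller's groups holds a grant covering the table. */
        boolean canSee(Set<String> groups, TableRef t) {
            for (String group : groups) {
                Set<String> scopes = grantsByGroup.getOrDefault(group, Set.of());
                if (scopes.contains(t.db()) || scopes.contains(t.db() + "." + t.table())) {
                    return true;
                }
            }
            return false;
        }
    }

    /** Pass-through behaviour, like the filterTable snippet quoted in the thread. */
    static List<TableRef> passThrough(List<TableRef> objects) {
        return objects;
    }

    /** Uses the caller's groups, but checks every entry against the first entry's database. */
    static List<TableRef> filterAssumingOneDb(PolicyStore policy, Set<String> groups,
                                              List<TableRef> objects) {
        List<TableRef> visible = new ArrayList<>();
        if (objects.isEmpty()) {
            return visible;
        }
        String db = objects.get(0).db();
        for (TableRef t : objects) {
            if (policy.canSee(groups, new TableRef(db, t.table()))) {
                visible.add(t);
            }
        }
        return visible;
    }

    /** Uses the caller's groups and resolves the database separately for each entry. */
    static List<TableRef> filterPerObject(PolicyStore policy, Set<String> groups,
                                          List<TableRef> objects) {
        List<TableRef> visible = new ArrayList<>();
        for (TableRef t : objects) {
            if (policy.canSee(groups, t)) {
                visible.add(t);
            }
        }
        return visible;
    }

    public static void main(String[] args) {
        // Constructed sample policy: one database-wide grant and one table grant.
        PolicyStore policy = new PolicyStore();
        policy.grant("analysts", "sales");
        policy.grant("analysts", "hr.directory");

        Set<String> groups = Set.of("analysts");
        // Constructed listing that mixes two databases.
        List<TableRef> listed = List.of(
                new TableRef("sales", "orders"),
                new TableRef("hr", "directory"),
                new TableRef("hr", "salaries"));

        System.out.println("pass-through:    " + passThrough(listed));
        System.out.println("first-entry db:  " + filterAssumingOneDb(policy, groups, listed));
        System.out.println("per-object db:   " + filterPerObject(policy, groups, listed));
    }
}
```

With this sample data only the per-object variant hides `hr.salaries`; the other two return it because no check is ever made against the `hr` database for that entry.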




Re: Review Request 62902: SENTRY-1978: Move the hive-authz2 grant/revoke implementation into the sentry-binding-hive module

Posted by Na Li via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188013
-----------------------------------------------------------




sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
Line 52 (original), 64 (patched)
<https://reviews.apache.org/r/62902/#comment265085>

    should it be v2? This is auth-2 API



sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
Line 112 (original), 126 (patched)
<https://reviews.apache.org/r/62902/#comment265086>

    should we just return here? 
    
    This function will be called by Hive when auth-2 is enabled. If we do authorization at semantic hook (called before this function), it should be OK to just return. 
    
    If we throw exception here, it will cause every hive command to fail.



sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
Line 165 (original), 184 (patched)
<https://reviews.apache.org/r/62902/#comment265092>

    filter should be based on user's privileges. Where is the username or group info used?



sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
Line 184 (original), 203 (patched)
<https://reviews.apache.org/r/62902/#comment265096>

    Is it true all objects in the list have the same DB? If not, then we need to get DB for each object, and filter it


- Na Li




Re: Review Request 62902: SENTRY-1978: Move the hive-authz2 grant/revoke implementation into the sentry-binding-hive module

Posted by Na Li via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188138
-----------------------------------------------------------


Ship it!




Ship It!

- Na Li




Re: Review Request 62902: SENTRY-1978: Move the hive-authz2 grant/revoke implementation into the sentry-binding-hive module

Posted by kalyan kumar kalvagadda via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188197
-----------------------------------------------------------


Ship it!




Sergio,

I'm good with the changes. It's just refactoring of code by getting the access controller logic from v-2 binding. Reasoning for doing this has been in various mail chains but please update the reasoning in the jira for future reference.

- kalyan kumar kalvagadda




Re: Review Request 62902: SENTRY-1978: Move the hive-authz2 grant/revoke implementation into the sentry-binding-hive module

Posted by Na Li via Review Board <no...@reviews.apache.org>.

> On Oct. 13, 2017, 9:09 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
> > Lines 129 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852559#file1852559line129>
> >
> >     Can you add the following for function?
> >     
> >               baseHierarchy.add(server);
> >               baseHierarchy.add(new Database(privilege.getDbname()));
> >               baseHierarchy.add(new Function(privilege.getObjectName(), privilege.getClassName()));
> >               objectHierarchy.add(baseHierarchy);
> >               break;
> >               
> >               
> >     and have a new class Function 
> >     
> >     public class Function implements DBModelAuthorizable {
> >       private final String name;
> >       private final String className;
> >     
> >       public Function(String name, String className) {
> >         this.name = name;
> >         this.className = className;
> >       }
> >     
> >       @Override
> >       public String getName() {
> >         return name;
> >       }
> >     
> >       public String getClassName() { return className; }
> >     
> >       @Override
> >       public String toString() {
> >         return "Function [name=" + name + "]";
> >       }
> >     
> >       @Override
> >       public AuthorizableType getAuthzType() {
> >         return AuthorizableType.Function;
> >       }
> >     
> >       @Override
> >       public String getTypeName() {
> >         return getAuthzType().name();
> >       }
> >     
> >     }
> 
> Sergio Pena wrote:
>     Probably better to have this patch in another JIRA so that we add more test cases as well. This sounds like a new feature as all the current test cases related to FUNCTION already pass.
>     Why do we need this code? Anyway, please file a JIRA for this as well.

It is tracked in SENTRY-1971. This issue needs to be fixed if we switch to using checkPrivileges() for authorization. When we use the semantic hook, it may be OK not to fix this.


- Na


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188022
-----------------------------------------------------------




Re: Review Request 62902: SENTRY-1978: Move the hive-authz2 grant/revoke implementation into the sentry-binding-hive module

Posted by Sergio Pena via Review Board <no...@reviews.apache.org>.

> On Oct. 13, 2017, 9:09 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
> > Lines 129 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852559#file1852559line129>
> >
> >     Can you add the following for function?
> >     
> >               baseHierarchy.add(server);
> >               baseHierarchy.add(new Database(privilege.getDbname()));
> >               baseHierarchy.add(new Function(privilege.getObjectName(), privilege.getClassName()));
> >               objectHierarchy.add(baseHierarchy);
> >               break;
> >               
> >               
> >     and have a new class Function 
> >     
> >     public class Function implements DBModelAuthorizable {
> >       private final String name;
> >       private final String className;
> >     
> >       public Function(String name, String className) {
> >         this.name = name;
> >         this.className = className;
> >       }
> >     
> >       @Override
> >       public String getName() {
> >         return name;
> >       }
> >     
> >       public String getClassName() { return className; }
> >     
> >       @Override
> >       public String toString() {
> >         return "Function [name=" + name + "]";
> >       }
> >     
> >       @Override
> >       public AuthorizableType getAuthzType() {
> >         return AuthorizableType.Function;
> >       }
> >     
> >       @Override
> >       public String getTypeName() {
> >         return getAuthzType().name();
> >       }
> >     
> >     }

Probably better to have this patch in another JIRA so that we add more test cases as well. This sounds like a new feature as all the current test cases related to FUNCTION already pass.
Why do we need this code? Anyway, please file a JIRA for this as well.


- Sergio


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188022
-----------------------------------------------------------




Re: Review Request 62902: SENTRY-1978: Move the hive-authz2 grant/revoke implementation into the sentry-binding-hive module

Posted by Na Li via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188022
-----------------------------------------------------------




sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
Lines 129 (patched)
<https://reviews.apache.org/r/62902/#comment265098>

    Can you add the following for function?
    
              baseHierarchy.add(server);
              baseHierarchy.add(new Database(privilege.getDbname()));
              baseHierarchy.add(new Function(privilege.getObjectName(), privilege.getClassName()));
              objectHierarchy.add(baseHierarchy);
              break;
              
              
    and have a new class Function 
    
    public class Function implements DBModelAuthorizable {
      private final String name;
      private final String className;
    
      public Function(String name, String className) {
        this.name = name;
        this.className = className;
      }
    
      @Override
      public String getName() {
        return name;
      }
    
      public String getClassName() { return className; }
    
      @Override
      public String toString() {
        return "Function [name=" + name + "]";
      }
    
      @Override
      public AuthorizableType getAuthzType() {
        return AuthorizableType.Function;
      }
    
      @Override
      public String getTypeName() {
        return getAuthzType().name();
      }
    
    }


- Na Li




Re: Review Request 62902: SENTRY-1978: Move the hive-authz2 grant/revoke implementation into the sentry-binding-hive module

Posted by Sergio Pena via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/
-----------------------------------------------------------

(Updated Oct. 12, 2017, 7:35 p.m.)


Review request for sentry, Alexander Kolbasov, Colm O hEigeartaigh, and kalyan kumar kalvagadda.


Summary (updated)
-----------------

SENTRY-1978: Move the hive-authz2 grant/revoke implementation into the sentry-binding-hive module


Bugs: sentry-1978
    https://issues.apache.org/jira/browse/sentry-1978


Repository: sentry


Description
-------

This patch is moving some hive-authz2 profile classes related to the grant/revoke tasks to allow running the current tests with it and start doing the switch to authz2.

The patch does the following:
- Stop using the SentryGrantRevokeTask for grant/revoke task execution. 
- Use SentryHiveAccessController to execute similar tasks that SentryGrantRevokeTask used to have.
- Configure the new controller on the HiveAuthzBindingSessionHook class.
- Configure tests to run the authz2 access controller.


Diffs
-----

  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 3454910db1950f11e3317011bf4c08041a4ec5ac 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java 994ae7a852d36653eb642112da7c0c58952f2f33 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java ceb3b17714d5dfc4c6186b5f9cf536d6ddbb662b 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHivePrivilegeObject.java PRE-CREATION 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java PRE-CREATION 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAccessController.java PRE-CREATION 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerFactory.java f6297e9a19e4624cfc9c5a57d939e5873261263d 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java 9c72876abbde2d1217503b90dfbfcd6d609427a8 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java PRE-CREATION 
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java a62a0a66f1894f9039f099691b9fcfa2e98d8549 
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java 27cfba9fab49f44f74f7b7d24564b22e3ac437ba 
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java 35cb2bb4ffb9109721ba24e6dac84667bfdefa37 
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java 5cd69e17b3d70dfc7b739354e9fe21a5f7678120 


Diff: https://reviews.apache.org/r/62902/diff/1/


Testing
-------

All tests passed.


Thanks,

Sergio Pena