Posted to dev@sentry.apache.org by Sergio Pena via Review Board <no...@reviews.apache.org> on 2017/10/11 19:02:52 UTC
Review Request 62902: Move the hive-authz2 grant/revoke
implementation into the sentry-binding-hive module
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/
-----------------------------------------------------------
Review request for sentry, Alexander Kolbasov, Colm O hEigeartaigh, and kalyan kumar kalvagadda.
Bugs: sentry-1978
https://issues.apache.org/jira/browse/sentry-1978
Repository: sentry
Description
-------
This patch is moving some hive-authz2 profile classes related to the grant/revoke tasks to allow running the current tests with it and start doing the switch to authz2.
The patch does the following:
- Stop using the SentryGrantRevokeTask for grant/revoke task execution.
- Use SentryHiveAccessController to execute similar tasks that SentryGrantRevokeTask used to have.
- Configure the new controller on the HiveAuthzBindingSessionHook class.
- Configure tests to run the authz2 access controller.
Diffs
-----
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 3454910db1950f11e3317011bf4c08041a4ec5ac
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java 994ae7a852d36653eb642112da7c0c58952f2f33
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java ceb3b17714d5dfc4c6186b5f9cf536d6ddbb662b
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHivePrivilegeObject.java PRE-CREATION
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java PRE-CREATION
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAccessController.java PRE-CREATION
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerFactory.java f6297e9a19e4624cfc9c5a57d939e5873261263d
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java 9c72876abbde2d1217503b90dfbfcd6d609427a8
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java PRE-CREATION
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java a62a0a66f1894f9039f099691b9fcfa2e98d8549
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java 27cfba9fab49f44f74f7b7d24564b22e3ac437ba
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java 35cb2bb4ffb9109721ba24e6dac84667bfdefa37
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java 5cd69e17b3d70dfc7b739354e9fe21a5f7678120
Diff: https://reviews.apache.org/r/62902/diff/1/
Testing
-------
All tests passed.
Thanks,
Sergio Pena
Re: Review Request 62902: SENTRY-1978: Move the hive-authz2
grant/revoke implementation into the sentry-binding-hive module
Posted by Na Li via Review Board <no...@reviews.apache.org>.
> On Oct. 13, 2017, 8:57 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
> > Line 165 (original), 184 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852558#file1852558line184>
> >
> > filter should be based on user's privileges. Where is the username or group info used?
>
> Sergio Pena wrote:
> This is done internally on the SentryMetaStoreFilterHook. This code is just passing the information to it.
I looked at the implementation of SentryMetaStoreFilterHook, shown below. It does not do real filtering. Can you double-check? Profile hive v2 filtering is more complicated than this.
    public Table filterTable(Table table) throws NoSuchObjectException {
        return table;
    }
- Na
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188013
-----------------------------------------------------------
On Oct. 12, 2017, 7:35 p.m., Sergio Pena wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62902/
> -----------------------------------------------------------
>
> (Updated Oct. 12, 2017, 7:35 p.m.)
>
>
> Review request for sentry, Alexander Kolbasov, Colm O hEigeartaigh, and kalyan kumar kalvagadda.
>
>
> Bugs: sentry-1978
> https://issues.apache.org/jira/browse/sentry-1978
>
>
> Repository: sentry
>
>
> Description
> -------
>
> This patch is moving some hive-authz2 profile classes related to the grant/revoke tasks to allow running the current tests with it and start doing the switch to authz2.
>
> The patch does the following:
> - Stop using the SentryGrantRevokeTask for grant/revoke task execution.
> - Use SentryHiveAccessController to execute similar tasks that SentryGrantRevokeTask used to have.
> - Configure the new controller on the HiveAuthzBindingSessionHook class.
> - Configure tests to run the authz2 access controller.
>
>
> Diffs
> -----
>
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 3454910db1950f11e3317011bf4c08041a4ec5ac
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java 994ae7a852d36653eb642112da7c0c58952f2f33
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java ceb3b17714d5dfc4c6186b5f9cf536d6ddbb662b
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHivePrivilegeObject.java PRE-CREATION
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java PRE-CREATION
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAccessController.java PRE-CREATION
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerFactory.java f6297e9a19e4624cfc9c5a57d939e5873261263d
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java 9c72876abbde2d1217503b90dfbfcd6d609427a8
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java PRE-CREATION
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java a62a0a66f1894f9039f099691b9fcfa2e98d8549
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java 27cfba9fab49f44f74f7b7d24564b22e3ac437ba
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java 35cb2bb4ffb9109721ba24e6dac84667bfdefa37
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java 5cd69e17b3d70dfc7b739354e9fe21a5f7678120
>
>
> Diff: https://reviews.apache.org/r/62902/diff/1/
>
>
> Testing
> -------
>
> All tests passed.
>
>
> Thanks,
>
> Sergio Pena
>
>
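An added example (not code from Sentry, Hive or this review) of the point raised in the reply above: a filter hook that returns its input unchanged, next to one that checks each object against the caller's privileges and fails closed. TableRef, Policy and every method name are hypothetical stand-ins, and the sample data is constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added illustration: every type below is a hypothetical stand-in, not Sentry or Hive code. */
public class FilterHookExample {

    /** Minimal stand-in for one metastore object; each carries its own database name. */
    static final class TableRef {
        final String db;
        final String table;

        TableRef(String db, String table) {
            this.db = db.toLowerCase();
            this.table = table.toLowerCase();
        }

        String key() { return db + "." + table; }
    }

    /** Hypothetical policy store: user -> groups, group -> tables it may list. */
    static final class Policy {
        private final Map<String, Set<String>> groupsByUser = new HashMap<>();
        private final Map<String, Set<String>> tablesByGroup = new HashMap<>();

        void addUser(String user, String... groups) {
            groupsByUser.put(user, new HashSet<>(Arrays.asList(groups)));
        }

        void grant(String group, TableRef t) {
            tablesByGroup.computeIfAbsent(group, g -> new HashSet<>()).add(t.key());
        }

        /** Fails closed: an unknown user or a table with no grant is not visible. */
        boolean canList(String user, TableRef t) {
            for (String group : groupsByUser.getOrDefault(user, Collections.<String>emptySet())) {
                if (tablesByGroup.getOrDefault(group, Collections.<String>emptySet()).contains(t.key())) {
                    return true;
                }
            }
            return false;
        }
    }

    /** Pass-through shape: the user argument is never consulted, so nothing is hidden. */
    static List<TableRef> filterPassThrough(String user, List<TableRef> tables) {
        return tables;
    }

    /** Privilege-aware shape: every object is checked against the caller's grants. */
    static List<TableRef> filterByPrivilege(Policy policy, String user, List<TableRef> tables) {
        List<TableRef> visible = new ArrayList<>();
        for (TableRef t : tables) {
            if (policy.canList(user, t)) {
                visible.add(t);
            }
        }
        return visible;
    }

    /** Regression check: names of returned objects that the policy does not allow. */
    static List<String> leaked(Policy policy, String user, List<TableRef> returned) {
        List<String> leaks = new ArrayList<>();
        for (TableRef t : returned) {
            if (!policy.canList(user, t)) {
                leaks.add(t.key());
            }
        }
        return leaks;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Policy policy = new Policy();
        policy.addUser("alice", "analysts");
        TableRef orders = new TableRef("sales", "orders");
        policy.grant("analysts", orders);

        // The listing mixes databases so the per-object check is exercised
        // against each entry's own database name.
        List<TableRef> listing = Arrays.asList(
            orders, new TableRef("sales", "salaries"), new TableRef("hr", "reviews"));

        System.out.println("pass-through leaks: "
            + leaked(policy, "alice", filterPassThrough("alice", listing)));
        System.out.println("privilege-aware leaks: "
            + leaked(policy, "alice", filterByPrivilege(policy, "alice", listing)));
        System.out.println("unknown user sees: "
            + filterByPrivilege(policy, "bob", listing).size() + " tables");
    }
}
```

A test built around a helper like leaked() fails for any filter that ignores the caller, which an end-to-end suite run only as a privileged user will not catch.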
Re: Review Request 62902: SENTRY-1978: Move the hive-authz2
grant/revoke implementation into the sentry-binding-hive module
Posted by Na Li via Review Board <no...@reviews.apache.org>.
> On Oct. 13, 2017, 8:57 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
> > Line 165 (original), 184 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852558#file1852558line184>
> >
> > filter should be based on user's privileges. Where is the username or group info used?
>
> Sergio Pena wrote:
> This is done internally on the SentryMetaStoreFilterHook. This code is just passing the information to it.
>
> Na Li wrote:
> I looked at the implementation of SentryMetaStoreFilterHook, shown below. It does not do real filtering. Can you double-check? Profile hive v2 filtering is more complicated than this.
>
>     public Table filterTable(Table table) throws NoSuchObjectException {
>         return table;
>     }
Since the next patch is going to fix the filter implementation, I am OK with this patch being committed first.
- Na
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188013
-----------------------------------------------------------
Re: Review Request 62902: SENTRY-1978: Move the hive-authz2
grant/revoke implementation into the sentry-binding-hive module
Posted by Sergio Pena via Review Board <no...@reviews.apache.org>.
> On Oct. 13, 2017, 8:57 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
> > Line 52 (original), 64 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852558#file1852558line64>
> >
> > should it be v2? This is auth-2 API
I don't know what this version is. This is also part of the hive-authz2 profile and even Hive 2.0 HiveAuthorizer.java has it:
    public enum VERSION { V1 };
> On Oct. 13, 2017, 8:57 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
> > Line 112 (original), 126 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852558#file1852558line126>
> >
> > should we just return here?
> >
> > This function will be called by Hive when auth-2 is enabled. If we do authorization at semantic hook (called before this function), it should be OK to just return.
> >
> > If we throw exception here, it will cause every hive command to fail.
I'm not throwing an exception. I put a comment that says there is nothing to do:
// Nothing to do there. Privileges are checked on the Semantic hooks
The method is void so I don't need to return anything
> On Oct. 13, 2017, 8:57 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
> > Line 165 (original), 184 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852558#file1852558line184>
> >
> > filter should be based on user's privileges. Where is the username or group info used?
This is done internally on the SentryMetaStoreFilterHook. This code is just passing the information to it.
> On Oct. 13, 2017, 8:57 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
> > Line 184 (original), 203 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852558#file1852558line203>
> >
> > Is it true all objects in the list have the same DB? If not, then we need to get DB for each object, and filter it
It is true. I don't know why Hive sends the list of objects in this way, but Hive adds the same DB to the list.
Also, the hive-authz2 profile uses a similar approach.
- Sergio
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188013
-----------------------------------------------------------
Re: Review Request 62902: SENTRY-1978: Move the hive-authz2
grant/revoke implementation into the sentry-binding-hive module
Posted by Na Li via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188013
-----------------------------------------------------------
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
Line 52 (original), 64 (patched)
<https://reviews.apache.org/r/62902/#comment265085>
should it be v2? This is auth-2 API
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
Line 112 (original), 126 (patched)
<https://reviews.apache.org/r/62902/#comment265086>
should we just return here?
This function will be called by Hive when auth-2 is enabled. If we do authorization at semantic hook (called before this function), it should be OK to just return.
If we throw exception here, it will cause every hive command to fail.
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
Line 165 (original), 184 (patched)
<https://reviews.apache.org/r/62902/#comment265092>
filter should be based on user's privileges. Where is the username or group info used?
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
Line 184 (original), 203 (patched)
<https://reviews.apache.org/r/62902/#comment265096>
Is it true all objects in the list have the same DB? If not, then we need to get DB for each object, and filter it
- Na Li
Re: Review Request 62902: SENTRY-1978: Move the hive-authz2
grant/revoke implementation into the sentry-binding-hive module
Posted by Na Li via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188138
-----------------------------------------------------------
Ship it!
Ship It!
- Na Li
Re: Review Request 62902: SENTRY-1978: Move the hive-authz2
grant/revoke implementation into the sentry-binding-hive module
Posted by kalyan kumar kalvagadda via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188197
-----------------------------------------------------------
Ship it!
Sergio,
I'm good with the changes. It's just refactoring of code by getting the access controller logic from v-2 binding. Reasoning for doing this has been in various mail chains but please update the reasoning in the jira for future reference.
- kalyan kumar kalvagadda
Re: Review Request 62902: SENTRY-1978: Move the hive-authz2
grant/revoke implementation into the sentry-binding-hive module
Posted by Na Li via Review Board <no...@reviews.apache.org>.
> On Oct. 13, 2017, 9:09 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
> > Lines 129 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852559#file1852559line129>
> >
> > Can you add the following for function?
> >
> >     baseHierarchy.add(server);
> >     baseHierarchy.add(new Database(privilege.getDbname()));
> >     baseHierarchy.add(new Function(privilege.getObjectName(), privilege.getClassName()));
> >     objectHierarchy.add(baseHierarchy);
> >     break;
> >
> >
> > and have a new class Function
> >
> >     public class Function implements DBModelAuthorizable {
> >         private final String name;
> >         private final String className;
> >
> >         public Function(String name, String className) {
> >             this.name = name;
> >             this.className = className;
> >         }
> >
> >         @Override
> >         public String getName() {
> >             return name;
> >         }
> >
> >         public String getClassName() { return className; }
> >
> >         @Override
> >         public String toString() {
> >             return "Function [name=" + name + "]";
> >         }
> >
> >         @Override
> >         public AuthorizableType getAuthzType() {
> >             return AuthorizableType.Function;
> >         }
> >
> >         @Override
> >         public String getTypeName() {
> >             return getAuthzType().name();
> >         }
> >
> >     }
>
> Sergio Pena wrote:
> Probably better to have this patch in another JIRA so that we add more test cases as well. This sounds like a new feature as all the current test cases related to FUNCTION already pass.
> Why do we need this code? Anyway, please file a JIRA for this as well.
It is tracked in SENTRY-1971. This issue needs to be fixed if we switch to use checkPrivileges() for authorization. When we use semantic hook, it may be OK not to fix this.
- Na
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188022
-----------------------------------------------------------
Re: Review Request 62902: SENTRY-1978: Move the hive-authz2
grant/revoke implementation into the sentry-binding-hive module
Posted by Sergio Pena via Review Board <no...@reviews.apache.org>.
> On Oct. 13, 2017, 9:09 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
> > Lines 129 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852559#file1852559line129>
> >
> > Can you add the following for function?
> >
> >     baseHierarchy.add(server);
> >     baseHierarchy.add(new Database(privilege.getDbname()));
> >     baseHierarchy.add(new Function(privilege.getObjectName(), privilege.getClassName()));
> >     objectHierarchy.add(baseHierarchy);
> >     break;
> >
> >
> > and have a new class Function
> >
> >     public class Function implements DBModelAuthorizable {
> >         private final String name;
> >         private final String className;
> >
> >         public Function(String name, String className) {
> >             this.name = name;
> >             this.className = className;
> >         }
> >
> >         @Override
> >         public String getName() {
> >             return name;
> >         }
> >
> >         public String getClassName() { return className; }
> >
> >         @Override
> >         public String toString() {
> >             return "Function [name=" + name + "]";
> >         }
> >
> >         @Override
> >         public AuthorizableType getAuthzType() {
> >             return AuthorizableType.Function;
> >         }
> >
> >         @Override
> >         public String getTypeName() {
> >             return getAuthzType().name();
> >         }
> >
> >     }
Probably better to have this patch in another JIRA so that we add more test cases as well. This sounds like a new feature as all the current test cases related to FUNCTION already pass.
Why do we need this code? Anyway, please file a JIRA for this as well.
- Sergio
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188022
-----------------------------------------------------------
Re: Review Request 62902: SENTRY-1978: Move the hive-authz2
grant/revoke implementation into the sentry-binding-hive module
Posted by Na Li via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188022
-----------------------------------------------------------
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
Lines 129 (patched)
<https://reviews.apache.org/r/62902/#comment265098>
Can you add the following for function?

    baseHierarchy.add(server);
    baseHierarchy.add(new Database(privilege.getDbname()));
    baseHierarchy.add(new Function(privilege.getObjectName(), privilege.getClassName()));
    objectHierarchy.add(baseHierarchy);
    break;

and have a new class Function

    public class Function implements DBModelAuthorizable {
        private final String name;
        private final String className;

        public Function(String name, String className) {
            this.name = name;
            this.className = className;
        }

        @Override
        public String getName() {
            return name;
        }

        public String getClassName() { return className; }

        @Override
        public String toString() {
            return "Function [name=" + name + "]";
        }

        @Override
        public AuthorizableType getAuthzType() {
            return AuthorizableType.Function;
        }

        @Override
        public String getTypeName() {
            return getAuthzType().name();
        }
    }
- Na Li
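
The hierarchy case requested in the comment above (and, per the follow-up reply in this thread, needed once authorization goes through checkPrivileges()), shown inside a complete conversion as an added example; it is not part of the original e-mail or of Sentry's code. ObjectType, Privilege, toHierarchy and isAllowed are hypothetical stand-ins, and the switch is an assumption inferred from the `break;` in the suggestion.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added illustration; every type here is a hypothetical stand-in, not a Sentry class.
public class FunctionHierarchyExample {
    enum ObjectType { DATABASE, TABLE, FUNCTION }

    // Minimal stand-in for the privilege object being converted.
    static final class Privilege {
        final ObjectType type; final String dbName; final String objectName;
        Privilege(ObjectType type, String dbName, String objectName) {
            this.type = type; this.dbName = dbName; this.objectName = objectName;
        }
    }

    // Builds the path of authorizables (server -> db -> object) for one privilege object.
    static List<String> toHierarchy(String server, Privilege p) {
        List<String> base = new ArrayList<>();
        base.add("server=" + server);
        switch (p.type) {
            case DATABASE:
                base.add("db=" + p.objectName);
                break;
            case TABLE:
                base.add("db=" + p.dbName);
                base.add("table=" + p.objectName);
                break;
            case FUNCTION: // the case the review comment asks for
                base.add("db=" + p.dbName);
                base.add("function=" + p.objectName);
                break;
            default:
                // Fail closed: an unmapped type must not produce a partial hierarchy.
                throw new IllegalArgumentException("No hierarchy mapping for " + p.type);
        }
        return base;
    }

    // Allows only when the hierarchy goes below server level and is explicitly granted.
    static boolean isAllowed(List<List<String>> grants, List<String> hierarchy) {
        return hierarchy.size() > 1 && grants.contains(hierarchy);
    }

    public static void main(String[] args) {
        // Constructed sample grant and requests.
        List<List<String>> grants = new ArrayList<>();
        grants.add(Arrays.asList("server=server1", "db=db1", "function=f1"));
        List<String> h = toHierarchy("server1", new Privilege(ObjectType.FUNCTION, "db1", "f1"));
        System.out.println(h + " allowed=" + isAllowed(grants, h));
        List<String> other = toHierarchy("server1", new Privilege(ObjectType.FUNCTION, "db1", "f2"));
        System.out.println(other + " allowed=" + isAllowed(grants, other));
    }
}
```
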
Re: Review Request 62902: SENTRY-1978: Move the hive-authz2
grant/revoke implementation into the sentry-binding-hive module
Posted by Sergio Pena via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/
-----------------------------------------------------------
(Updated Oct. 12, 2017, 7:35 p.m.)
Review request for sentry, Alexander Kolbasov, Colm O hEigeartaigh, and kalyan kumar kalvagadda.
Summary (updated)
-----------------
SENTRY-1978: Move the hive-authz2 grant/revoke implementation into the sentry-binding-hive module
Bugs: sentry-1978
https://issues.apache.org/jira/browse/sentry-1978
Repository: sentry
Description
-------
This patch is moving some hive-authz2 profile classes related to the grant/revoke tasks to allow running the current tests with it and start doing the switch to authz2.
The patch does the following:
- Stop using the SentryGrantRevokeTask for grant/revoke task execution.
- Use SentryHiveAccessController to execute similar tasks that SentryGrantRevokeTask used to have.
- Configure the new controller on the HiveAuthzBindingSessionHook class.
- Configure tests to run the authz2 access controller.
Diffs
-----
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 3454910db1950f11e3317011bf4c08041a4ec5ac
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java 994ae7a852d36653eb642112da7c0c58952f2f33
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java ceb3b17714d5dfc4c6186b5f9cf536d6ddbb662b
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHivePrivilegeObject.java PRE-CREATION
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java PRE-CREATION
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAccessController.java PRE-CREATION
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerFactory.java f6297e9a19e4624cfc9c5a57d939e5873261263d
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java 9c72876abbde2d1217503b90dfbfcd6d609427a8
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java PRE-CREATION
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java a62a0a66f1894f9039f099691b9fcfa2e98d8549
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java 27cfba9fab49f44f74f7b7d24564b22e3ac437ba
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java 35cb2bb4ffb9109721ba24e6dac84667bfdefa37
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java 5cd69e17b3d70dfc7b739354e9fe21a5f7678120
Diff: https://reviews.apache.org/r/62902/diff/1/
Testing
-------
All tests passed.
Thanks,
Sergio Pena