Posted to issues@impala.apache.org by "Tim Armstrong (Jira)" <ji...@apache.org> on 2020/12/22 21:43:00 UTC

[jira] [Resolved] (IMPALA-8550) Sentry refresh privileges has race conditions

     [ https://issues.apache.org/jira/browse/IMPALA-8550?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tim Armstrong resolved IMPALA-8550.
-----------------------------------
    Resolution: Won't Fix

We removed Sentry support.

> Sentry refresh privileges has race conditions
> ---------------------------------------------
>
>                 Key: IMPALA-8550
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8550
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Catalog
>            Reporter: Vihang Karajgaonkar
>            Priority: Major
>
> Recently, I encountered a race condition in {{SentryProxy}}'s refreshSentryAuthorization loop. The race happens when the Sentry server is slow to update its information based on changes in HMS. Consider the following scenario:
>  # Impala session from user A creates a database/table.
>  # AuthorizationManager will updateDatabaseOwnerPrivilege [here|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/service/CatalogOpExecutor.java#L1159]. Note that this adds the user privilege in Catalog's cache out-of-band (without confirming that Sentry has added this privilege in its database).
>  # Assume that Sentry is slow to update its database of roles/privileges. (Actually, depending on the timing of these events, it doesn't really matter, but the likelihood of the issue increases if Sentry is slow.)
>  # The refreshSentryAuthorization loop is triggered based on a configured interval [here|https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/sentry/SentryProxy.java#L174]. Since Sentry has not yet updated its database of the owner information, this loop will remove the privilege from Catalog. Any subsequent SQL which requires privileges will fail until Sentry is synced and the refresh loop adds this privilege again to the catalog cache.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
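
The scenario in the report above, as a deterministic model. This is an added example, not part of the Jira message and not Impala code: every class, method and parameter name is hypothetical, time is counted in abstract ticks, and the `grace` window is an assumed mitigation that the issue does not propose.

```python
# Added example: deterministic model of the refresh race in this report.
# Every class, method and parameter name below is hypothetical, not Impala's.

class SlowSentry:
    """Authoritative store that applies a grant `lag` ticks after notification."""
    def __init__(self, lag):
        self.lag, self.now, self.pending, self.privs = lag, 0, [], set()

    def notify(self, priv):
        self.pending.append((self.now + self.lag, priv))

    def tick(self):
        self.now += 1
        self.privs |= {p for due, p in self.pending if due <= self.now}
        self.pending = [(d, p) for d, p in self.pending if d > self.now]

class CatalogCache:
    def __init__(self, sentry, grace):
        self.sentry, self.grace = sentry, grace
        self.privs = set()
        self.local = {}  # privilege -> tick of its out-of-band add

    def add_owner_privilege(self, priv):
        # Step 2 of the report: cached before Sentry has confirmed it.
        self.privs.add(priv)
        self.local[priv] = self.sentry.now

    def refresh(self):
        # Step 4: rebuild the cache from Sentry's current view.
        seen = set(self.sentry.privs)
        for p in seen.intersection(self.local):
            del self.local[p]  # confirmed, no longer needs protection
        # grace == 0 is the reported behaviour: unconfirmed entries are dropped.
        # grace > 0 is an assumed mitigation: keep them for a bounded window.
        self.local = {p: t for p, t in self.local.items()
                      if self.sentry.now - t < self.grace}
        self.privs = seen | set(self.local)

def run(grace, lag=3, refresh_at=(1, 4), sentry_learns=True):
    """Return, per tick, whether user A's owner privilege is in the cache."""
    sentry = SlowSentry(lag)
    cache = CatalogCache(sentry, grace)
    priv = ("userA", "db1", "OWNER")  # constructed sample privilege
    cache.add_owner_privilege(priv)
    if sentry_learns:
        sentry.notify(priv)
    timeline = []
    for _ in range(max(refresh_at)):
        sentry.tick()
        if sentry.now in refresh_at:
            cache.refresh()
        timeline.append(priv in cache.privs)
    return timeline
```

`run(grace=0)` reproduces the authorization gap between the first refresh and the first refresh after Sentry catches up. `run(grace=2, sentry_learns=False)` shows why any such window has to be bounded: a privilege Sentry never confirms is still dropped once the window expires.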