Posted to commits@sentry.apache.org by "Arun Suresh (JIRA)" <ji...@apache.org> on 2014/05/19 04:18:38 UTC
[jira] [Commented] (SENTRY-214) Sentry Service does not allow the same Privilege to be associated to multiple Roles
[ https://issues.apache.org/jira/browse/SENTRY-214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14001341#comment-14001341 ]
Arun Suresh commented on SENTRY-214:
------------------------------------
On further investigation, I found that the SentryService was actually throwing the following error:
{quote}
2014-05-18 19:15:37,324 (pool-6-thread-1) [WARN - org.datanucleus.util.Log4JLogger.warn(Log4JLogger.java:96)] Execution of method "add" on field "privileges" caused an error : Insert of object "org.apache.sentry.provider.db.service.model.MSentryPrivilege@3f755bd2" using statement "INSERT INTO SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID,"ACTION",CREATE_TIME,PRIVILEGE_SCOPE,"TABLE_NAME",PRIVILEGE_NAME,URI,GRANTOR_PRINCIPAL,DB_NAME,"SERVER_NAME") VALUES (?,?,?,?,?,?,?,?,?,?)" failed : The statement was aborted because it would have caused a duplicate key value in a unique or primary key constraint or unique index identified by 'SENTRY_PRIVILEGE_NAME' defined on 'SENTRY_DB_PRIVILEGE'.
Insert of object "org.apache.sentry.provider.db.service.model.MSentryPrivilege@3f755bd2" using statement "INSERT INTO SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID,"ACTION",CREATE_TIME,PRIVILEGE_SCOPE,"TABLE_NAME",PRIVILEGE_NAME,URI,GRANTOR_PRINCIPAL,DB_NAME,"SERVER_NAME") VALUES (?,?,?,?,?,?,?,?,?,?)" failed : The statement was aborted because it would have caused a duplicate key value in a unique or primary key constraint or unique index identified by 'SENTRY_PRIVILEGE_NAME' defined on 'SENTRY_DB_PRIVILEGE'.
org.datanucleus.exceptions.NucleusDataStoreException: Insert of object "org.apache.sentry.provider.db.service.model.MSentryPrivilege@3f755bd2" using statement "INSERT INTO SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID,"ACTION",CREATE_TIME,PRIVILEGE_SCOPE,"TABLE_NAME",PRIVILEGE_NAME,URI,GRANTOR_PRINCIPAL,DB_NAME,"SERVER_NAME") VALUES (?,?,?,?,?,?,?,?,?,?)" failed : The statement was aborted because it would have caused a duplicate key value in a unique or primary key constraint or unique index identified by 'SENTRY_PRIVILEGE_NAME' defined on 'SENTRY_DB_PRIVILEGE'.
at org.datanucleus.store.rdbms.request.InsertRequest.execute(InsertRequest.java:504)
at org.datanucleus.store.rdbms.RDBMSPersistenceHandler.insertTable(RDBMSPersistenceHandler.java:167)
at org.datanucleus.store.rdbms.RDBMSPersistenceHandler.insertObject(RDBMSPersistenceHandler.java:143)
at org.datanucleus.state.JDOStateManager.internalMakePersistent(JDOStateManager.java:3777)
at org.datanucleus.state.JDOStateManager.makePersistent(JDOStateManager.java:3753)
at org.datanucleus.ExecutionContextImpl.persistObjectInternal(ExecutionContextImpl.java:2124)
at org.datanucleus.ExecutionContextImpl.persistObjectInternal(ExecutionContextImpl.java:2218)
at org.datanucleus.store.types.SCOUtils.validateObjectForWriting(SCOUtils.java:1524)
...
{quote}
Looks like the issue is due to the fact that a check should be made to see if the privilege already exists, then load it from the DB and then modify it by appending the role.
Attaching the fix.
> Sentry Service does not allow the same Privilege to be associated to multiple Roles
> -----------------------------------------------------------------------------------
>
> Key: SENTRY-214
> URL: https://issues.apache.org/jira/browse/SENTRY-214
> Project: Sentry
> Issue Type: Bug
> Affects Versions: db_policy_store, 1.4.0
> Reporter: Arun Suresh
> Attachments: SENTRY-214.1.patch, SENTRY-214.2.patch
>
>
> Steps to recreate :
> 1) Create role1
> 2) Create role2
> 3) Grant 'role1' a Privilege(ALL) to a Table t1, Db d1, server S1
> 4) the 'listPrivilegesByRoleName' API applied to 'role1' returns a set of size 1
> 5) Grant 'role2' the same Privilege as role1: a Privilege(ALL) to a Table t1, Db d1, server S1
> 6) the 'listPrivilegesByRoleName' API applied to 'role2' returns a set of size 0
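The duplicate-key failure in the log and the check-then-attach fix described in the comment, reproduced on a simplified SQLite schema as an added example (not code from the Sentry patch). Only SENTRY_DB_PRIVILEGE and its unique PRIVILEGE_NAME come from the log; the SENTRY_ROLE and ROLE_PRIVILEGE_MAP tables and all function names are assumptions made for illustration.

```python
import sqlite3

# Simplified schema (an assumption): only SENTRY_DB_PRIVILEGE and its unique
# PRIVILEGE_NAME come from the log; SENTRY_ROLE and ROLE_PRIVILEGE_MAP are
# hypothetical stand-ins for the role side of the many-to-many mapping.
SCHEMA = """
CREATE TABLE SENTRY_ROLE (ROLE_ID INTEGER PRIMARY KEY, ROLE_NAME TEXT UNIQUE);
CREATE TABLE SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID INTEGER PRIMARY KEY,
    PRIVILEGE_NAME TEXT NOT NULL UNIQUE);
CREATE TABLE ROLE_PRIVILEGE_MAP (ROLE_ID INTEGER, DB_PRIVILEGE_ID INTEGER,
    PRIMARY KEY (ROLE_ID, DB_PRIVILEGE_ID));
"""

def new_store(roles=("role1", "role2")):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO SENTRY_ROLE (ROLE_NAME) VALUES (?)", [(r,) for r in roles])
    return db

def _link(db, role, priv_id):
    db.execute("INSERT OR IGNORE INTO ROLE_PRIVILEGE_MAP "
               "SELECT ROLE_ID, ? FROM SENTRY_ROLE WHERE ROLE_NAME = ?", (priv_id, role))

def grant_always_insert(db, role, priv):
    """Failing behaviour: every grant inserts a fresh privilege row."""
    try:
        with db:  # one transaction, rolled back on error
            cur = db.execute("INSERT INTO SENTRY_DB_PRIVILEGE (PRIVILEGE_NAME) VALUES (?)", (priv,))
            _link(db, role, cur.lastrowid)
        return True
    except sqlite3.IntegrityError:
        return False  # duplicate PRIVILEGE_NAME: the second role gets nothing

def grant_reuse_existing(db, role, priv):
    """Fix from the comment: load the privilege if it exists, then attach the role."""
    with db:
        row = db.execute(
            "SELECT DB_PRIVILEGE_ID FROM SENTRY_DB_PRIVILEGE WHERE PRIVILEGE_NAME = ?", (priv,)).fetchone()
        if row is None:
            row = (db.execute("INSERT INTO SENTRY_DB_PRIVILEGE (PRIVILEGE_NAME) VALUES (?)", (priv,)).lastrowid,)
        _link(db, role, row[0])
    return True

def privileges_of(db, role):
    rows = db.execute("SELECT p.PRIVILEGE_NAME FROM SENTRY_DB_PRIVILEGE p "
                      "JOIN ROLE_PRIVILEGE_MAP m USING (DB_PRIVILEGE_ID) "
                      "JOIN SENTRY_ROLE r USING (ROLE_ID) WHERE r.ROLE_NAME = ?", (role,))
    return {name for (name,) in rows}
```

With concurrent writers the lookup and insert can still race; the unique constraint remains the backstop, so a grant that hits a duplicate-key error should retry the lookup rather than drop the grant.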