You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@sentry.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2019/01/25 20:47:00 UTC

[jira] [Commented] (SENTRY-2486) Wrong user name when sentry HMSFollower gets full snapshot from HMS at insecure mode

    [ https://issues.apache.org/jira/browse/SENTRY-2486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16752654#comment-16752654 ] 

Hadoop QA commented on SENTRY-2486:
-----------------------------------

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12956392/SENTRY-2486.001.patch against master.

{color:red}Overall:{color} -1 due to 2 errors

{color:red}ERROR:{color} mvn test exited 1
{color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.generic.service.persistent.TestPrivilegeOperatePersistence

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/4335/console

This message is automatically generated.

> Wrong user name when sentry HMSFollower gets full snapshot from HMS at insecure mode
> ------------------------------------------------------------------------------------
>
>                 Key: SENTRY-2486
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2486
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.2.0
>            Reporter: Na Li
>            Assignee: Na Li
>            Priority: Major
>         Attachments: SENTRY-2486.001.patch
>
>
> In insecure mode, the current login user name is passed from Sentry to HMS server when sentry HMSFollower gets full snapshot from HMS. 
> The user name should be "sentry" instead of current login user.
> The followiong code shows how current login user name is used when subject is null.
> In UserGroupInformation, if the context does not have subject, the getLoginUser()
>   @Public
>   @Evolving
>   public static UserGroupInformation getCurrentUser() throws IOException {
>     AccessControlContext context = AccessController.getContext();
>     Subject subject = Subject.getSubject(context);
>     return subject != null && !subject.getPrincipals(User.class).isEmpty() ? new UserGroupInformation(subject) : getLoginUser();
>   }
> This issue should not happen in production because secure mode is always used. Insecure mode is only used in test.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)