Proposal to release Sentry 2.0.0

[Kalyan Kumar Kalvagadda <kk...@cloudera.com>]

Hello all,

We need to release sentry HA functionality so that community can start
using it. In this regard I proposed to have a sentry 1.9.0 release as there
were some outstanding issues integrating with Hive. Community was not
positive on this proposal for various reasons.

With recent findings we think we don't have to wait for Hive fixes. With
the changes that are planned for below listed Jira's sentry would use a
combination of Semantic Hooks and AuthV2 interface to integrate with HIVE
2.0.


   1. SENTRY-1978 <https://issues.apache.org/jira/browse/SENTRY-1978> -Move
   the hive-authz2 grant/revoke implementation into the sentry-binding-hive
   module


   1. SENTRY-1980 <https://issues.apache.org/jira/browse/SENTRY-1980>- Move
   the hive-authz2 HMS client filtering implementation into the
   sentry-binding-hive module.



I have created a umbrella jira for releasing Sentry 2.0 .

   1. SENTRY-1982 <https://issues.apache.org/jira/browse/SENTRY-1982> -Release
   sentry 2.0.0 upstream


I have linked issues that are blocking the release. If you see any issue
that is blocking please attach it to this jira. That way we can fix them
and clear all the road blocks for releasing SENTYR 2.0.0


-Kalyan

Re: Proposal to release Sentry 2.0.0

[Kalyan Kumar Kalvagadda <kk...@cloudera.com>]

Sergio,

I will do it today.
Thanks for letting me know.

-Kalyan

On Wed, Nov 22, 2017 at 6:03 PM, Sergio Pena <se...@cloudera.com>
wrote:

> Thanks Kalyan.
>
> Those JIRAs are committed now and the 2.0 release is not blocked anymore.
> You may want to cut the branch now to freeze the 2.0 version.
>
>
> - Sergio
>
> On Wed, Nov 22, 2017 at 9:13 AM, Kalyan Kumar Kalvagadda <
> kkalyan@cloudera.com> wrote:
>
> > I have started the release process. As initial step I have moved all the
> > unresolved jira's to 2.1.0 release except for SENTRY-2062 and
> SENTRY-1812.
> > Please let me know if you want your changes to be part of sentry 2.0.0. I
> > will be cutting branch for sentry 2.0.0 later today.
> >
> >
> > -Kalyan
> >
> > On Mon, Oct 16, 2017 at 9:49 AM, Kalyan Kumar Kalvagadda <
> > kkalyan@cloudera.com> wrote:
> >
> > > I feel, we should stop using the terms authz1 and authz2 now on as it
> can
> > > create confusion.. With the new approach we have taken there is no
> > authz1. Sentry
> > > binding that will be enabled by default uses functionality of both
> older
> > > bindings.
> > >
> > > -Kalyan
> > >
> > > On Mon, Oct 16, 2017 at 9:42 AM, Sergio Pena <sergio.pena@cloudera.com
> >
> > > wrote:
> > >
> > >> I won't be necessary to have both binding jars. But we will keep the
> > code
> > >> around for one more release and remove it later just as backup for us
> in
> > >> case we forgot to refactor something.
> > >>
> > >> On Mon, Oct 16, 2017 at 8:54 AM, Colm O hEigeartaigh <
> > coheigea@apache.org
> > >> >
> > >> wrote:
> > >>
> > >> > Sounds good thanks. Just one other query - will we still have two
> > >> separate
> > >> > binding jars for authz1 and authz2?
> > >> >
> > >> > Colm.
> > >> >
> > >> > On Mon, Oct 16, 2017 at 2:31 PM, Sergio Pena <
> > sergio.pena@cloudera.com>
> > >> > wrote:
> > >> >
> > >> > > Nop. The plan is to ship authz2 but only when grant/revoke tasks
> are
> > >> > > executed and HMS filters are used. The current HiveAuthzBinding
> > class
> > >> > will
> > >> > > still be used when a command is executed and Hive requests
> > >> authorization
> > >> > to
> > >> > > Sentry (this is part of the authz1 profile). Btw, the HMS server
> > side
> > >> > > checks still use MetastoreAuthzBinding.java in both authz1 and
> > authz2.
> > >> > >
> > >> > > The plans for Solr is to support the latest Solr 6.x which added
> > >> support
> > >> > > for authorization modules. Hrishikesh is a Solr contributor and is
> > >> > helping
> > >> > > us integrate it on SENTRY-1475
> > >> > > <https://issues.apache.org/jira/browse/SENTRY-1475>. Solr 7 was
> > just
> > >> > > released last month, but he said he already has the code for Solr
> 6,
> > >> but
> > >> > he
> > >> > > will try to see if Solr 7 is easy to do, but the initial
> > expectations
> > >> > were
> > >> > > to have Solr 6.
> > >> > >
> > >> > > What do you think about the plans? Any comments regarding about
> > them?
> > >> > Would
> > >> > > you like to see something else or different?
> > >> > >
> > >> > > Sergio.
> > >> > >
> > >> > > On Mon, Oct 16, 2017 at 4:52 AM, Colm O hEigeartaigh <
> > >> > coheigea@apache.org>
> > >> > > wrote:
> > >> > >
> > >> > > > Hi Sergio,
> > >> > > >
> > >> > > > Is the plan to ship both the authz1 and authz2 bindings for
> Sentry
> > >> > 2.0.0?
> > >> > > > If so, which is recommended for use? Also, what are the plans to
> > >> get a
> > >> > > more
> > >> > > > recent version of Solr supported?
> > >> > > >
> > >> > > > Colm.
> > >> > > >
> > >> > > > On Sat, Oct 14, 2017 at 5:12 PM, Na Li <li...@cloudera.com>
> > >> wrote:
> > >> > > >
> > >> > > > > Kalyan,
> > >> > > > >
> > >> > > > > Thanks for the update. I am up to releasing sentry 2.0.0 as
> > well.
> > >> > > > >
> > >> > > > > Lina
> > >> > > > >
> > >> > > > > On Fri, Oct 13, 2017 at 6:18 PM, Kalyan Kumar Kalvagadda <
> > >> > > > > kkalyan@cloudera.com> wrote:
> > >> > > > >
> > >> > > > > > Sasha,
> > >> > > > > >
> > >> > > > > > See my response in-line below
> > >> > > > > >
> > >> > > > > > -Kalyan
> > >> > > > > >
> > >> > > > > > On Fri, Oct 13, 2017 at 1:09 PM, Alexander Kolbasov <
> > >> > > > akolb@cloudera.com>
> > >> > > > > > wrote:
> > >> > > > > >
> > >> > > > > > > Kalyan,
> > >> > > > > > >
> > >> > > > > > > Thank you for pushing forward 2.0 release!
> > >> > > > > > >
> > >> > > > > > > > On Oct 13, 2017, at 7:20 AM, Kalyan Kumar Kalvagadda <
> > >> > > > > > > kkalyan@cloudera.com> wrote:
> > >> > > > > > > >
> > >> > > > > > > > Hello all,
> > >> > > > > > > >
> > >> > > > > > > > We need to release sentry HA functionality so that
> > community
> > >> > can
> > >> > > > > start
> > >> > > > > > > > using it. In this regard I proposed to have a sentry
> 1.9.0
> > >> > > release
> > >> > > > as
> > >> > > > > > > there
> > >> > > > > > > > were some outstanding issues integrating with Hive.
> > >> Community
> > >> > was
> > >> > > > not
> > >> > > > > > > > positive on this proposal for various reasons.
> > >> > > > > > >
> > >> > > > > > > It would be great if you can summarize these reasons here
> > for
> > >> > > future
> > >> > > > > > > reference.
> > >> > > > > > > One major concern was that sentry 1.9.0 should still be
> > >> backward
> > >> > > > > > > compatible and work with Hive1.1.
> > >> > > > > >
> > >> > > > > >
> > >> > > > > >
> > >> > > > > > > >
> > >> > > > > > > > With recent findings we think we don't have to wait for
> > Hive
> > >> > > fixes.
> > >> > > > > > With
> > >> > > > > > > > the changes that are planned for below listed Jira's
> > sentry
> > >> > would
> > >> > > > > use a
> > >> > > > > > > > combination of Semantic Hooks and AuthV2 interface to
> > >> integrate
> > >> > > > with
> > >> > > > > > HIVE
> > >> > > > > > > > 2.0.
> > >> > > > > > >
> > >> > > > > > > In your earlier email regarding 1.9 release you also
> mention
> > >> > issues
> > >> > > > > with
> > >> > > > > > > moving up to Java 8 and some issues with Solr-7
> integration.
> > >> Does
> > >> > > > this
> > >> > > > > > mean
> > >> > > > > > > that you have a better idea of how to deal with these
> issues
> > >> now?
> > >> > > > > > > Yes, Changes for java version bumup are under review and
> the
> > >> code
> > >> > > > > changes
> > >> > > > > > > for Solr-6 integration will be co
> > >> > > > > > >
> > >> > > > > > > >
> > >> > > > > > > >   1. SENTRY-1978 <https://issues.apache.org/
> > >> > > > jira/browse/SENTRY-1978>
> > >> > > > > > > -Move
> > >> > > > > > > >   the hive-authz2 grant/revoke implementation into the
> > >> > > > > > > sentry-binding-hive
> > >> > > > > > > >   module
> > >> > > > > > >
> > >> > > > > > > This looks like “refactoring change” so it doesn’t
> actually
> > >> > change
> > >> > > > any
> > >> > > > > > > existing functionality - right?
> > >> > > > > > >
> > >> > > > > > This is not just refactoring. With this change Sentry would
> > use
> > >> the
> > >> > > > > > Schematic Hook implemented as part of Authv-2 support.
> Sentry
> > >> still
> > >> > > > would
> > >> > > > > > still continue using the older implementation for PreAnalyze
> > and
> > >> > > > > > PostAnalyze schematic hooks.
> > >> > > > > >
> > >> > > > > > >
> > >> > > > > > > >
> > >> > > > > > > >
> > >> > > > > > > >   1. SENTRY-1980 <https://issues.apache.org/
> > >> > > > jira/browse/SENTRY-1980
> > >> > > > > >-
> > >> > > > > > > Move
> > >> > > > > > > >   the hive-authz2 HMS client filtering implementation
> into
> > >> the
> > >> > > > > > > >   sentry-binding-hive module.
> > >> > > > > > >
> > >> > > > > > > Same here - this seems to be a refactoring change which
> > >> doesn’t
> > >> > > > affect
> > >> > > > > > any
> > >> > > > > > > existing functionality.
> > >> > > > > > > This is not just refactoring. With this change Sentry
> would
> > >> use
> > >> > the
> > >> > > > > > > Schematic Hook implemented as part of Authv-2 support.
> > Sentry
> > >> > still
> > >> > > > > would
> > >> > > > > > > still continue using the older implementation for
> PreAnalyze
> > >> and
> > >> > > > > > > PostAnalyze schematic hooks.
> > >> > > > > > > I think you are referring to some planned follow-up work
> to
> > >> > > actually
> > >> > > > > > solve
> > >> > > > > > > the authorization problem for Hive 2 - right? Yes.
> > >> > > > > > >
> > >> > > > > > > >
> > >> > > > > > > >
> > >> > > > > > > >
> > >> > > > > > > > I have created a umbrella jira for releasing Sentry 2.0
> .
> > >> > > > > > > >
> > >> > > > > > > >   1. SENTRY-1982 <https://issues.apache.org/
> > >> > > > jira/browse/SENTRY-1982>
> > >> > > > > > > -Release
> > >> > > > > > > >   sentry 2.0.0 upstream
> > >> > > > > > > >
> > >> > > > > > > >
> > >> > > > > > > > I have linked issues that are blocking the release. If
> you
> > >> see
> > >> > > any
> > >> > > > > > issue
> > >> > > > > > > > that is blocking please attach it to this jira. That way
> > we
> > >> can
> > >> > > fix
> > >> > > > > > them
> > >> > > > > > > > and clear all the road blocks for releasing SENTYR 2.0.0
> > >> > > > > > >
> > >> > > > > > > What is your impression once you looked at these issues -
> do
> > >> you
> > >> > > > think
> > >> > > > > > > that you should be able to fix majority of these or do you
> > >> think
> > >> > > that
> > >> > > > > > these
> > >> > > > > > > ca nbe simply moved out of the release?
> > >> > > > > > >
> > >> > > > > > Issues blocking SENTRY-1982 should be fixed before sentry
> > 2.0.0
> > >> is
> > >> > > > > > released.
> > >> > > > > >
> > >> > > > > >
> > >> > > > > > >
> > >> > > > > > > >
> > >> > > > > > > >
> > >> > > > > > > > -Kalyan
> > >> > > > > > >
> > >> > > > > > > - Alex
> > >> > > > > > >
> > >> > > > > > >
> > >> > > > > >
> > >> > > > >
> > >> > > >
> > >> > > >
> > >> > > >
> > >> > > > --
> > >> > > > Colm O hEigeartaigh
> > >> > > >
> > >> > > > Talend Community Coder
> > >> > > > http://coders.talend.com
> > >> > > >
> > >> > >
> > >> >
> > >> >
> > >> >
> > >> > --
> > >> > Colm O hEigeartaigh
> > >> >
> > >> > Talend Community Coder
> > >> > http://coders.talend.com
> > >> >
> > >>
> > >
> > >
> >
>

Re: Proposal to release Sentry 2.0.0

[Sergio Pena <se...@cloudera.com>]

Thanks Kalyan.

Those JIRAs are committed now and the 2.0 release is not blocked anymore.
You may want to cut the branch now to freeze the 2.0 version.


- Sergio

On Wed, Nov 22, 2017 at 9:13 AM, Kalyan Kumar Kalvagadda <
kkalyan@cloudera.com> wrote:

> I have started the release process. As initial step I have moved all the
> unresolved jira's to 2.1.0 release except for SENTRY-2062 and SENTRY-1812.
> Please let me know if you want your changes to be part of sentry 2.0.0. I
> will be cutting branch for sentry 2.0.0 later today.
>
>
> -Kalyan
>
> On Mon, Oct 16, 2017 at 9:49 AM, Kalyan Kumar Kalvagadda <
> kkalyan@cloudera.com> wrote:
>
> > I feel, we should stop using the terms authz1 and authz2 now on as it can
> > create confusion.. With the new approach we have taken there is no
> authz1. Sentry
> > binding that will be enabled by default uses functionality of both older
> > bindings.
> >
> > -Kalyan
> >
> > On Mon, Oct 16, 2017 at 9:42 AM, Sergio Pena <se...@cloudera.com>
> > wrote:
> >
> >> I won't be necessary to have both binding jars. But we will keep the
> code
> >> around for one more release and remove it later just as backup for us in
> >> case we forgot to refactor something.
> >>
> >> On Mon, Oct 16, 2017 at 8:54 AM, Colm O hEigeartaigh <
> coheigea@apache.org
> >> >
> >> wrote:
> >>
> >> > Sounds good thanks. Just one other query - will we still have two
> >> separate
> >> > binding jars for authz1 and authz2?
> >> >
> >> > Colm.
> >> >
> >> > On Mon, Oct 16, 2017 at 2:31 PM, Sergio Pena <
> sergio.pena@cloudera.com>
> >> > wrote:
> >> >
> >> > > Nop. The plan is to ship authz2 but only when grant/revoke tasks are
> >> > > executed and HMS filters are used. The current HiveAuthzBinding
> class
> >> > will
> >> > > still be used when a command is executed and Hive requests
> >> authorization
> >> > to
> >> > > Sentry (this is part of the authz1 profile). Btw, the HMS server
> side
> >> > > checks still use MetastoreAuthzBinding.java in both authz1 and
> authz2.
> >> > >
> >> > > The plans for Solr is to support the latest Solr 6.x which added
> >> support
> >> > > for authorization modules. Hrishikesh is a Solr contributor and is
> >> > helping
> >> > > us integrate it on SENTRY-1475
> >> > > <https://issues.apache.org/jira/browse/SENTRY-1475>. Solr 7 was
> just
> >> > > released last month, but he said he already has the code for Solr 6,
> >> but
> >> > he
> >> > > will try to see if Solr 7 is easy to do, but the initial
> expectations
> >> > were
> >> > > to have Solr 6.
> >> > >
> >> > > What do you think about the plans? Any comments regarding about
> them?
> >> > Would
> >> > > you like to see something else or different?
> >> > >
> >> > > Sergio.
> >> > >
> >> > > On Mon, Oct 16, 2017 at 4:52 AM, Colm O hEigeartaigh <
> >> > coheigea@apache.org>
> >> > > wrote:
> >> > >
> >> > > > Hi Sergio,
> >> > > >
> >> > > > Is the plan to ship both the authz1 and authz2 bindings for Sentry
> >> > 2.0.0?
> >> > > > If so, which is recommended for use? Also, what are the plans to
> >> get a
> >> > > more
> >> > > > recent version of Solr supported?
> >> > > >
> >> > > > Colm.
> >> > > >
> >> > > > On Sat, Oct 14, 2017 at 5:12 PM, Na Li <li...@cloudera.com>
> >> wrote:
> >> > > >
> >> > > > > Kalyan,
> >> > > > >
> >> > > > > Thanks for the update. I am up to releasing sentry 2.0.0 as
> well.
> >> > > > >
> >> > > > > Lina
> >> > > > >
> >> > > > > On Fri, Oct 13, 2017 at 6:18 PM, Kalyan Kumar Kalvagadda <
> >> > > > > kkalyan@cloudera.com> wrote:
> >> > > > >
> >> > > > > > Sasha,
> >> > > > > >
> >> > > > > > See my response in-line below
> >> > > > > >
> >> > > > > > -Kalyan
> >> > > > > >
> >> > > > > > On Fri, Oct 13, 2017 at 1:09 PM, Alexander Kolbasov <
> >> > > > akolb@cloudera.com>
> >> > > > > > wrote:
> >> > > > > >
> >> > > > > > > Kalyan,
> >> > > > > > >
> >> > > > > > > Thank you for pushing forward 2.0 release!
> >> > > > > > >
> >> > > > > > > > On Oct 13, 2017, at 7:20 AM, Kalyan Kumar Kalvagadda <
> >> > > > > > > kkalyan@cloudera.com> wrote:
> >> > > > > > > >
> >> > > > > > > > Hello all,
> >> > > > > > > >
> >> > > > > > > > We need to release sentry HA functionality so that
> community
> >> > can
> >> > > > > start
> >> > > > > > > > using it. In this regard I proposed to have a sentry 1.9.0
> >> > > release
> >> > > > as
> >> > > > > > > there
> >> > > > > > > > were some outstanding issues integrating with Hive.
> >> Community
> >> > was
> >> > > > not
> >> > > > > > > > positive on this proposal for various reasons.
> >> > > > > > >
> >> > > > > > > It would be great if you can summarize these reasons here
> for
> >> > > future
> >> > > > > > > reference.
> >> > > > > > > One major concern was that sentry 1.9.0 should still be
> >> backward
> >> > > > > > > compatible and work with Hive1.1.
> >> > > > > >
> >> > > > > >
> >> > > > > >
> >> > > > > > > >
> >> > > > > > > > With recent findings we think we don't have to wait for
> Hive
> >> > > fixes.
> >> > > > > > With
> >> > > > > > > > the changes that are planned for below listed Jira's
> sentry
> >> > would
> >> > > > > use a
> >> > > > > > > > combination of Semantic Hooks and AuthV2 interface to
> >> integrate
> >> > > > with
> >> > > > > > HIVE
> >> > > > > > > > 2.0.
> >> > > > > > >
> >> > > > > > > In your earlier email regarding 1.9 release you also mention
> >> > issues
> >> > > > > with
> >> > > > > > > moving up to Java 8 and some issues with Solr-7 integration.
> >> Does
> >> > > > this
> >> > > > > > mean
> >> > > > > > > that you have a better idea of how to deal with these issues
> >> now?
> >> > > > > > > Yes, Changes for java version bumup are under review and the
> >> code
> >> > > > > changes
> >> > > > > > > for Solr-6 integration will be co
> >> > > > > > >
> >> > > > > > > >
> >> > > > > > > >   1. SENTRY-1978 <https://issues.apache.org/
> >> > > > jira/browse/SENTRY-1978>
> >> > > > > > > -Move
> >> > > > > > > >   the hive-authz2 grant/revoke implementation into the
> >> > > > > > > sentry-binding-hive
> >> > > > > > > >   module
> >> > > > > > >
> >> > > > > > > This looks like “refactoring change” so it doesn’t actually
> >> > change
> >> > > > any
> >> > > > > > > existing functionality - right?
> >> > > > > > >
> >> > > > > > This is not just refactoring. With this change Sentry would
> use
> >> the
> >> > > > > > Schematic Hook implemented as part of Authv-2 support. Sentry
> >> still
> >> > > > would
> >> > > > > > still continue using the older implementation for PreAnalyze
> and
> >> > > > > > PostAnalyze schematic hooks.
> >> > > > > >
> >> > > > > > >
> >> > > > > > > >
> >> > > > > > > >
> >> > > > > > > >   1. SENTRY-1980 <https://issues.apache.org/
> >> > > > jira/browse/SENTRY-1980
> >> > > > > >-
> >> > > > > > > Move
> >> > > > > > > >   the hive-authz2 HMS client filtering implementation into
> >> the
> >> > > > > > > >   sentry-binding-hive module.
> >> > > > > > >
> >> > > > > > > Same here - this seems to be a refactoring change which
> >> doesn’t
> >> > > > affect
> >> > > > > > any
> >> > > > > > > existing functionality.
> >> > > > > > > This is not just refactoring. With this change Sentry would
> >> use
> >> > the
> >> > > > > > > Schematic Hook implemented as part of Authv-2 support.
> Sentry
> >> > still
> >> > > > > would
> >> > > > > > > still continue using the older implementation for PreAnalyze
> >> and
> >> > > > > > > PostAnalyze schematic hooks.
> >> > > > > > > I think you are referring to some planned follow-up work to
> >> > > actually
> >> > > > > > solve
> >> > > > > > > the authorization problem for Hive 2 - right? Yes.
> >> > > > > > >
> >> > > > > > > >
> >> > > > > > > >
> >> > > > > > > >
> >> > > > > > > > I have created a umbrella jira for releasing Sentry 2.0 .
> >> > > > > > > >
> >> > > > > > > >   1. SENTRY-1982 <https://issues.apache.org/
> >> > > > jira/browse/SENTRY-1982>
> >> > > > > > > -Release
> >> > > > > > > >   sentry 2.0.0 upstream
> >> > > > > > > >
> >> > > > > > > >
> >> > > > > > > > I have linked issues that are blocking the release. If you
> >> see
> >> > > any
> >> > > > > > issue
> >> > > > > > > > that is blocking please attach it to this jira. That way
> we
> >> can
> >> > > fix
> >> > > > > > them
> >> > > > > > > > and clear all the road blocks for releasing SENTYR 2.0.0
> >> > > > > > >
> >> > > > > > > What is your impression once you looked at these issues - do
> >> you
> >> > > > think
> >> > > > > > > that you should be able to fix majority of these or do you
> >> think
> >> > > that
> >> > > > > > these
> >> > > > > > > ca nbe simply moved out of the release?
> >> > > > > > >
> >> > > > > > Issues blocking SENTRY-1982 should be fixed before sentry
> 2.0.0
> >> is
> >> > > > > > released.
> >> > > > > >
> >> > > > > >
> >> > > > > > >
> >> > > > > > > >
> >> > > > > > > >
> >> > > > > > > > -Kalyan
> >> > > > > > >
> >> > > > > > > - Alex
> >> > > > > > >
> >> > > > > > >
> >> > > > > >
> >> > > > >
> >> > > >
> >> > > >
> >> > > >
> >> > > > --
> >> > > > Colm O hEigeartaigh
> >> > > >
> >> > > > Talend Community Coder
> >> > > > http://coders.talend.com
> >> > > >
> >> > >
> >> >
> >> >
> >> >
> >> > --
> >> > Colm O hEigeartaigh
> >> >
> >> > Talend Community Coder
> >> > http://coders.talend.com
> >> >
> >>
> >
> >
>

Re: Proposal to release Sentry 2.0.0

[Kalyan Kumar Kalvagadda <kk...@cloudera.com>]

I have started the release process. As initial step I have moved all the
unresolved jira's to 2.1.0 release except for SENTRY-2062 and SENTRY-1812.
Please let me know if you want your changes to be part of sentry 2.0.0. I
will be cutting branch for sentry 2.0.0 later today.


-Kalyan

On Mon, Oct 16, 2017 at 9:49 AM, Kalyan Kumar Kalvagadda <
kkalyan@cloudera.com> wrote:

> I feel, we should stop using the terms authz1 and authz2 now on as it can
> create confusion.. With the new approach we have taken there is no authz1. Sentry
> binding that will be enabled by default uses functionality of both older
> bindings.
>
> -Kalyan
>
> On Mon, Oct 16, 2017 at 9:42 AM, Sergio Pena <se...@cloudera.com>
> wrote:
>
>> I won't be necessary to have both binding jars. But we will keep the code
>> around for one more release and remove it later just as backup for us in
>> case we forgot to refactor something.
>>
>> On Mon, Oct 16, 2017 at 8:54 AM, Colm O hEigeartaigh <coheigea@apache.org
>> >
>> wrote:
>>
>> > Sounds good thanks. Just one other query - will we still have two
>> separate
>> > binding jars for authz1 and authz2?
>> >
>> > Colm.
>> >
>> > On Mon, Oct 16, 2017 at 2:31 PM, Sergio Pena <se...@cloudera.com>
>> > wrote:
>> >
>> > > Nop. The plan is to ship authz2 but only when grant/revoke tasks are
>> > > executed and HMS filters are used. The current HiveAuthzBinding class
>> > will
>> > > still be used when a command is executed and Hive requests
>> authorization
>> > to
>> > > Sentry (this is part of the authz1 profile). Btw, the HMS server side
>> > > checks still use MetastoreAuthzBinding.java in both authz1 and authz2.
>> > >
>> > > The plans for Solr is to support the latest Solr 6.x which added
>> support
>> > > for authorization modules. Hrishikesh is a Solr contributor and is
>> > helping
>> > > us integrate it on SENTRY-1475
>> > > <https://issues.apache.org/jira/browse/SENTRY-1475>. Solr 7 was just
>> > > released last month, but he said he already has the code for Solr 6,
>> but
>> > he
>> > > will try to see if Solr 7 is easy to do, but the initial expectations
>> > were
>> > > to have Solr 6.
>> > >
>> > > What do you think about the plans? Any comments regarding about them?
>> > Would
>> > > you like to see something else or different?
>> > >
>> > > Sergio.
>> > >
>> > > On Mon, Oct 16, 2017 at 4:52 AM, Colm O hEigeartaigh <
>> > coheigea@apache.org>
>> > > wrote:
>> > >
>> > > > Hi Sergio,
>> > > >
>> > > > Is the plan to ship both the authz1 and authz2 bindings for Sentry
>> > 2.0.0?
>> > > > If so, which is recommended for use? Also, what are the plans to
>> get a
>> > > more
>> > > > recent version of Solr supported?
>> > > >
>> > > > Colm.
>> > > >
>> > > > On Sat, Oct 14, 2017 at 5:12 PM, Na Li <li...@cloudera.com>
>> wrote:
>> > > >
>> > > > > Kalyan,
>> > > > >
>> > > > > Thanks for the update. I am up to releasing sentry 2.0.0 as well.
>> > > > >
>> > > > > Lina
>> > > > >
>> > > > > On Fri, Oct 13, 2017 at 6:18 PM, Kalyan Kumar Kalvagadda <
>> > > > > kkalyan@cloudera.com> wrote:
>> > > > >
>> > > > > > Sasha,
>> > > > > >
>> > > > > > See my response in-line below
>> > > > > >
>> > > > > > -Kalyan
>> > > > > >
>> > > > > > On Fri, Oct 13, 2017 at 1:09 PM, Alexander Kolbasov <
>> > > > akolb@cloudera.com>
>> > > > > > wrote:
>> > > > > >
>> > > > > > > Kalyan,
>> > > > > > >
>> > > > > > > Thank you for pushing forward 2.0 release!
>> > > > > > >
>> > > > > > > > On Oct 13, 2017, at 7:20 AM, Kalyan Kumar Kalvagadda <
>> > > > > > > kkalyan@cloudera.com> wrote:
>> > > > > > > >
>> > > > > > > > Hello all,
>> > > > > > > >
>> > > > > > > > We need to release sentry HA functionality so that community
>> > can
>> > > > > start
>> > > > > > > > using it. In this regard I proposed to have a sentry 1.9.0
>> > > release
>> > > > as
>> > > > > > > there
>> > > > > > > > were some outstanding issues integrating with Hive.
>> Community
>> > was
>> > > > not
>> > > > > > > > positive on this proposal for various reasons.
>> > > > > > >
>> > > > > > > It would be great if you can summarize these reasons here for
>> > > future
>> > > > > > > reference.
>> > > > > > > One major concern was that sentry 1.9.0 should still be
>> backward
>> > > > > > > compatible and work with Hive1.1.
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > > > >
>> > > > > > > > With recent findings we think we don't have to wait for Hive
>> > > fixes.
>> > > > > > With
>> > > > > > > > the changes that are planned for below listed Jira's sentry
>> > would
>> > > > > use a
>> > > > > > > > combination of Semantic Hooks and AuthV2 interface to
>> integrate
>> > > > with
>> > > > > > HIVE
>> > > > > > > > 2.0.
>> > > > > > >
>> > > > > > > In your earlier email regarding 1.9 release you also mention
>> > issues
>> > > > > with
>> > > > > > > moving up to Java 8 and some issues with Solr-7 integration.
>> Does
>> > > > this
>> > > > > > mean
>> > > > > > > that you have a better idea of how to deal with these issues
>> now?
>> > > > > > > Yes, Changes for java version bumup are under review and the
>> code
>> > > > > changes
>> > > > > > > for Solr-6 integration will be co
>> > > > > > >
>> > > > > > > >
>> > > > > > > >   1. SENTRY-1978 <https://issues.apache.org/
>> > > > jira/browse/SENTRY-1978>
>> > > > > > > -Move
>> > > > > > > >   the hive-authz2 grant/revoke implementation into the
>> > > > > > > sentry-binding-hive
>> > > > > > > >   module
>> > > > > > >
>> > > > > > > This looks like “refactoring change” so it doesn’t actually
>> > change
>> > > > any
>> > > > > > > existing functionality - right?
>> > > > > > >
>> > > > > > This is not just refactoring. With this change Sentry would use
>> the
>> > > > > > Schematic Hook implemented as part of Authv-2 support. Sentry
>> still
>> > > > would
>> > > > > > still continue using the older implementation for PreAnalyze and
>> > > > > > PostAnalyze schematic hooks.
>> > > > > >
>> > > > > > >
>> > > > > > > >
>> > > > > > > >
>> > > > > > > >   1. SENTRY-1980 <https://issues.apache.org/
>> > > > jira/browse/SENTRY-1980
>> > > > > >-
>> > > > > > > Move
>> > > > > > > >   the hive-authz2 HMS client filtering implementation into
>> the
>> > > > > > > >   sentry-binding-hive module.
>> > > > > > >
>> > > > > > > Same here - this seems to be a refactoring change which
>> doesn’t
>> > > > affect
>> > > > > > any
>> > > > > > > existing functionality.
>> > > > > > > This is not just refactoring. With this change Sentry would
>> use
>> > the
>> > > > > > > Schematic Hook implemented as part of Authv-2 support. Sentry
>> > still
>> > > > > would
>> > > > > > > still continue using the older implementation for PreAnalyze
>> and
>> > > > > > > PostAnalyze schematic hooks.
>> > > > > > > I think you are referring to some planned follow-up work to
>> > > actually
>> > > > > > solve
>> > > > > > > the authorization problem for Hive 2 - right? Yes.
>> > > > > > >
>> > > > > > > >
>> > > > > > > >
>> > > > > > > >
>> > > > > > > > I have created a umbrella jira for releasing Sentry 2.0 .
>> > > > > > > >
>> > > > > > > >   1. SENTRY-1982 <https://issues.apache.org/
>> > > > jira/browse/SENTRY-1982>
>> > > > > > > -Release
>> > > > > > > >   sentry 2.0.0 upstream
>> > > > > > > >
>> > > > > > > >
>> > > > > > > > I have linked issues that are blocking the release. If you
>> see
>> > > any
>> > > > > > issue
>> > > > > > > > that is blocking please attach it to this jira. That way we
>> can
>> > > fix
>> > > > > > them
>> > > > > > > > and clear all the road blocks for releasing SENTYR 2.0.0
>> > > > > > >
>> > > > > > > What is your impression once you looked at these issues - do
>> you
>> > > > think
>> > > > > > > that you should be able to fix majority of these or do you
>> think
>> > > that
>> > > > > > these
>> > > > > > > ca nbe simply moved out of the release?
>> > > > > > >
>> > > > > > Issues blocking SENTRY-1982 should be fixed before sentry 2.0.0
>> is
>> > > > > > released.
>> > > > > >
>> > > > > >
>> > > > > > >
>> > > > > > > >
>> > > > > > > >
>> > > > > > > > -Kalyan
>> > > > > > >
>> > > > > > > - Alex
>> > > > > > >
>> > > > > > >
>> > > > > >
>> > > > >
>> > > >
>> > > >
>> > > >
>> > > > --
>> > > > Colm O hEigeartaigh
>> > > >
>> > > > Talend Community Coder
>> > > > http://coders.talend.com
>> > > >
>> > >
>> >
>> >
>> >
>> > --
>> > Colm O hEigeartaigh
>> >
>> > Talend Community Coder
>> > http://coders.talend.com
>> >
>>
>
>

Re: Proposal to release Sentry 2.0.0

[Kalyan Kumar Kalvagadda <kk...@cloudera.com>]

I feel, we should stop using the terms authz1 and authz2 now on as it can
create confusion.. With the new approach we have taken there is no
authz1. Sentry
binding that will be enabled by default uses functionality of both older
bindings.

-Kalyan

On Mon, Oct 16, 2017 at 9:42 AM, Sergio Pena <se...@cloudera.com>
wrote:

> I won't be necessary to have both binding jars. But we will keep the code
> around for one more release and remove it later just as backup for us in
> case we forgot to refactor something.
>
> On Mon, Oct 16, 2017 at 8:54 AM, Colm O hEigeartaigh <co...@apache.org>
> wrote:
>
> > Sounds good thanks. Just one other query - will we still have two
> separate
> > binding jars for authz1 and authz2?
> >
> > Colm.
> >
> > On Mon, Oct 16, 2017 at 2:31 PM, Sergio Pena <se...@cloudera.com>
> > wrote:
> >
> > > Nop. The plan is to ship authz2 but only when grant/revoke tasks are
> > > executed and HMS filters are used. The current HiveAuthzBinding class
> > will
> > > still be used when a command is executed and Hive requests
> authorization
> > to
> > > Sentry (this is part of the authz1 profile). Btw, the HMS server side
> > > checks still use MetastoreAuthzBinding.java in both authz1 and authz2.
> > >
> > > The plans for Solr is to support the latest Solr 6.x which added
> support
> > > for authorization modules. Hrishikesh is a Solr contributor and is
> > helping
> > > us integrate it on SENTRY-1475
> > > <https://issues.apache.org/jira/browse/SENTRY-1475>. Solr 7 was just
> > > released last month, but he said he already has the code for Solr 6,
> but
> > he
> > > will try to see if Solr 7 is easy to do, but the initial expectations
> > were
> > > to have Solr 6.
> > >
> > > What do you think about the plans? Any comments regarding about them?
> > Would
> > > you like to see something else or different?
> > >
> > > Sergio.
> > >
> > > On Mon, Oct 16, 2017 at 4:52 AM, Colm O hEigeartaigh <
> > coheigea@apache.org>
> > > wrote:
> > >
> > > > Hi Sergio,
> > > >
> > > > Is the plan to ship both the authz1 and authz2 bindings for Sentry
> > 2.0.0?
> > > > If so, which is recommended for use? Also, what are the plans to get
> a
> > > more
> > > > recent version of Solr supported?
> > > >
> > > > Colm.
> > > >
> > > > On Sat, Oct 14, 2017 at 5:12 PM, Na Li <li...@cloudera.com> wrote:
> > > >
> > > > > Kalyan,
> > > > >
> > > > > Thanks for the update. I am up to releasing sentry 2.0.0 as well.
> > > > >
> > > > > Lina
> > > > >
> > > > > On Fri, Oct 13, 2017 at 6:18 PM, Kalyan Kumar Kalvagadda <
> > > > > kkalyan@cloudera.com> wrote:
> > > > >
> > > > > > Sasha,
> > > > > >
> > > > > > See my response in-line below
> > > > > >
> > > > > > -Kalyan
> > > > > >
> > > > > > On Fri, Oct 13, 2017 at 1:09 PM, Alexander Kolbasov <
> > > > akolb@cloudera.com>
> > > > > > wrote:
> > > > > >
> > > > > > > Kalyan,
> > > > > > >
> > > > > > > Thank you for pushing forward 2.0 release!
> > > > > > >
> > > > > > > > On Oct 13, 2017, at 7:20 AM, Kalyan Kumar Kalvagadda <
> > > > > > > kkalyan@cloudera.com> wrote:
> > > > > > > >
> > > > > > > > Hello all,
> > > > > > > >
> > > > > > > > We need to release sentry HA functionality so that community
> > can
> > > > > start
> > > > > > > > using it. In this regard I proposed to have a sentry 1.9.0
> > > release
> > > > as
> > > > > > > there
> > > > > > > > were some outstanding issues integrating with Hive. Community
> > was
> > > > not
> > > > > > > > positive on this proposal for various reasons.
> > > > > > >
> > > > > > > It would be great if you can summarize these reasons here for
> > > future
> > > > > > > reference.
> > > > > > > One major concern was that sentry 1.9.0 should still be
> backward
> > > > > > > compatible and work with Hive1.1.
> > > > > >
> > > > > >
> > > > > >
> > > > > > > >
> > > > > > > > With recent findings we think we don't have to wait for Hive
> > > fixes.
> > > > > > With
> > > > > > > > the changes that are planned for below listed Jira's sentry
> > would
> > > > > use a
> > > > > > > > combination of Semantic Hooks and AuthV2 interface to
> integrate
> > > > with
> > > > > > HIVE
> > > > > > > > 2.0.
> > > > > > >
> > > > > > > In your earlier email regarding 1.9 release you also mention
> > issues
> > > > > with
> > > > > > > moving up to Java 8 and some issues with Solr-7 integration.
> Does
> > > > this
> > > > > > mean
> > > > > > > that you have a better idea of how to deal with these issues
> now?
> > > > > > > Yes, Changes for java version bumup are under review and the
> code
> > > > > changes
> > > > > > > for Solr-6 integration will be co
> > > > > > >
> > > > > > > >
> > > > > > > >   1. SENTRY-1978 <https://issues.apache.org/
> > > > jira/browse/SENTRY-1978>
> > > > > > > -Move
> > > > > > > >   the hive-authz2 grant/revoke implementation into the
> > > > > > > sentry-binding-hive
> > > > > > > >   module
> > > > > > >
> > > > > > > This looks like “refactoring change” so it doesn’t actually
> > change
> > > > any
> > > > > > > existing functionality - right?
> > > > > > >
> > > > > > This is not just refactoring. With this change Sentry would use
> the
> > > > > > Schematic Hook implemented as part of Authv-2 support. Sentry
> still
> > > > would
> > > > > > still continue using the older implementation for PreAnalyze and
> > > > > > PostAnalyze schematic hooks.
> > > > > >
> > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >   1. SENTRY-1980 <https://issues.apache.org/
> > > > jira/browse/SENTRY-1980
> > > > > >-
> > > > > > > Move
> > > > > > > >   the hive-authz2 HMS client filtering implementation into
> the
> > > > > > > >   sentry-binding-hive module.
> > > > > > >
> > > > > > > Same here - this seems to be a refactoring change which doesn’t
> > > > affect
> > > > > > any
> > > > > > > existing functionality.
> > > > > > > This is not just refactoring. With this change Sentry would use
> > the
> > > > > > > Schematic Hook implemented as part of Authv-2 support. Sentry
> > still
> > > > > would
> > > > > > > still continue using the older implementation for PreAnalyze
> and
> > > > > > > PostAnalyze schematic hooks.
> > > > > > > I think you are referring to some planned follow-up work to
> > > actually
> > > > > > solve
> > > > > > > the authorization problem for Hive 2 - right? Yes.
> > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > I have created a umbrella jira for releasing Sentry 2.0 .
> > > > > > > >
> > > > > > > >   1. SENTRY-1982 <https://issues.apache.org/
> > > > jira/browse/SENTRY-1982>
> > > > > > > -Release
> > > > > > > >   sentry 2.0.0 upstream
> > > > > > > >
> > > > > > > >
> > > > > > > > I have linked issues that are blocking the release. If you
> see
> > > any
> > > > > > issue
> > > > > > > > that is blocking please attach it to this jira. That way we
> can
> > > fix
> > > > > > them
> > > > > > > > and clear all the road blocks for releasing SENTYR 2.0.0
> > > > > > >
> > > > > > > What is your impression once you looked at these issues - do
> you
> > > > think
> > > > > > > that you should be able to fix majority of these or do you
> think
> > > that
> > > > > > these
> > > > > > > ca nbe simply moved out of the release?
> > > > > > >
> > > > > > Issues blocking SENTRY-1982 should be fixed before sentry 2.0.0
> is
> > > > > > released.
> > > > > >
> > > > > >
> > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > -Kalyan
> > > > > > >
> > > > > > > - Alex
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Colm O hEigeartaigh
> > > >
> > > > Talend Community Coder
> > > > http://coders.talend.com
> > > >
> > >
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>

Re: Proposal to release Sentry 2.0.0

[Sergio Pena <se...@cloudera.com>]

I won't be necessary to have both binding jars. But we will keep the code
around for one more release and remove it later just as backup for us in
case we forgot to refactor something.

On Mon, Oct 16, 2017 at 8:54 AM, Colm O hEigeartaigh <co...@apache.org>
wrote:

> Sounds good thanks. Just one other query - will we still have two separate
> binding jars for authz1 and authz2?
>
> Colm.
>
> On Mon, Oct 16, 2017 at 2:31 PM, Sergio Pena <se...@cloudera.com>
> wrote:
>
> > Nop. The plan is to ship authz2 but only when grant/revoke tasks are
> > executed and HMS filters are used. The current HiveAuthzBinding class
> will
> > still be used when a command is executed and Hive requests authorization
> to
> > Sentry (this is part of the authz1 profile). Btw, the HMS server side
> > checks still use MetastoreAuthzBinding.java in both authz1 and authz2.
> >
> > The plans for Solr is to support the latest Solr 6.x which added support
> > for authorization modules. Hrishikesh is a Solr contributor and is
> helping
> > us integrate it on SENTRY-1475
> > <https://issues.apache.org/jira/browse/SENTRY-1475>. Solr 7 was just
> > released last month, but he said he already has the code for Solr 6, but
> he
> > will try to see if Solr 7 is easy to do, but the initial expectations
> were
> > to have Solr 6.
> >
> > What do you think about the plans? Any comments regarding about them?
> Would
> > you like to see something else or different?
> >
> > Sergio.
> >
> > On Mon, Oct 16, 2017 at 4:52 AM, Colm O hEigeartaigh <
> coheigea@apache.org>
> > wrote:
> >
> > > Hi Sergio,
> > >
> > > Is the plan to ship both the authz1 and authz2 bindings for Sentry
> 2.0.0?
> > > If so, which is recommended for use? Also, what are the plans to get a
> > more
> > > recent version of Solr supported?
> > >
> > > Colm.
> > >
> > > On Sat, Oct 14, 2017 at 5:12 PM, Na Li <li...@cloudera.com> wrote:
> > >
> > > > Kalyan,
> > > >
> > > > Thanks for the update. I am up to releasing sentry 2.0.0 as well.
> > > >
> > > > Lina
> > > >
> > > > On Fri, Oct 13, 2017 at 6:18 PM, Kalyan Kumar Kalvagadda <
> > > > kkalyan@cloudera.com> wrote:
> > > >
> > > > > Sasha,
> > > > >
> > > > > See my response in-line below
> > > > >
> > > > > -Kalyan
> > > > >
> > > > > On Fri, Oct 13, 2017 at 1:09 PM, Alexander Kolbasov <
> > > akolb@cloudera.com>
> > > > > wrote:
> > > > >
> > > > > > Kalyan,
> > > > > >
> > > > > > Thank you for pushing forward 2.0 release!
> > > > > >
> > > > > > > On Oct 13, 2017, at 7:20 AM, Kalyan Kumar Kalvagadda <
> > > > > > kkalyan@cloudera.com> wrote:
> > > > > > >
> > > > > > > Hello all,
> > > > > > >
> > > > > > > We need to release sentry HA functionality so that community
> can
> > > > start
> > > > > > > using it. In this regard I proposed to have a sentry 1.9.0
> > release
> > > as
> > > > > > there
> > > > > > > were some outstanding issues integrating with Hive. Community
> was
> > > not
> > > > > > > positive on this proposal for various reasons.
> > > > > >
> > > > > > It would be great if you can summarize these reasons here for
> > future
> > > > > > reference.
> > > > > > One major concern was that sentry 1.9.0 should still be backward
> > > > > > compatible and work with Hive1.1.
> > > > >
> > > > >
> > > > >
> > > > > > >
> > > > > > > With recent findings we think we don't have to wait for Hive
> > fixes.
> > > > > With
> > > > > > > the changes that are planned for below listed Jira's sentry
> would
> > > > use a
> > > > > > > combination of Semantic Hooks and AuthV2 interface to integrate
> > > with
> > > > > HIVE
> > > > > > > 2.0.
> > > > > >
> > > > > > In your earlier email regarding 1.9 release you also mention
> issues
> > > > with
> > > > > > moving up to Java 8 and some issues with Solr-7 integration. Does
> > > this
> > > > > mean
> > > > > > that you have a better idea of how to deal with these issues now?
> > > > > > Yes, Changes for java version bumup are under review and the code
> > > > changes
> > > > > > for Solr-6 integration will be co
> > > > > >
> > > > > > >
> > > > > > >   1. SENTRY-1978 <https://issues.apache.org/
> > > jira/browse/SENTRY-1978>
> > > > > > -Move
> > > > > > >   the hive-authz2 grant/revoke implementation into the
> > > > > > sentry-binding-hive
> > > > > > >   module
> > > > > >
> > > > > > This looks like “refactoring change” so it doesn’t actually
> change
> > > any
> > > > > > existing functionality - right?
> > > > > >
> > > > > This is not just refactoring. With this change Sentry would use the
> > > > > Schematic Hook implemented as part of Authv-2 support. Sentry still
> > > would
> > > > > still continue using the older implementation for PreAnalyze and
> > > > > PostAnalyze schematic hooks.
> > > > >
> > > > > >
> > > > > > >
> > > > > > >
> > > > > > >   1. SENTRY-1980 <https://issues.apache.org/
> > > jira/browse/SENTRY-1980
> > > > >-
> > > > > > Move
> > > > > > >   the hive-authz2 HMS client filtering implementation into the
> > > > > > >   sentry-binding-hive module.
> > > > > >
> > > > > > Same here - this seems to be a refactoring change which doesn’t
> > > affect
> > > > > any
> > > > > > existing functionality.
> > > > > > This is not just refactoring. With this change Sentry would use
> the
> > > > > > Schematic Hook implemented as part of Authv-2 support. Sentry
> still
> > > > would
> > > > > > still continue using the older implementation for PreAnalyze and
> > > > > > PostAnalyze schematic hooks.
> > > > > > I think you are referring to some planned follow-up work to
> > actually
> > > > > solve
> > > > > > the authorization problem for Hive 2 - right? Yes.
> > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > I have created a umbrella jira for releasing Sentry 2.0 .
> > > > > > >
> > > > > > >   1. SENTRY-1982 <https://issues.apache.org/
> > > jira/browse/SENTRY-1982>
> > > > > > -Release
> > > > > > >   sentry 2.0.0 upstream
> > > > > > >
> > > > > > >
> > > > > > > I have linked issues that are blocking the release. If you see
> > any
> > > > > issue
> > > > > > > that is blocking please attach it to this jira. That way we can
> > fix
> > > > > them
> > > > > > > and clear all the road blocks for releasing SENTYR 2.0.0
> > > > > >
> > > > > > What is your impression once you looked at these issues - do you
> > > think
> > > > > > that you should be able to fix majority of these or do you think
> > that
> > > > > these
> > > > > > ca nbe simply moved out of the release?
> > > > > >
> > > > > Issues blocking SENTRY-1982 should be fixed before sentry 2.0.0 is
> > > > > released.
> > > > >
> > > > >
> > > > > >
> > > > > > >
> > > > > > >
> > > > > > > -Kalyan
> > > > > >
> > > > > > - Alex
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> > >
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>

Re: Proposal to release Sentry 2.0.0

[Colm O hEigeartaigh <co...@apache.org>]

Sounds good thanks. Just one other query - will we still have two separate
binding jars for authz1 and authz2?

Colm.

On Mon, Oct 16, 2017 at 2:31 PM, Sergio Pena <se...@cloudera.com>
wrote:

> Nop. The plan is to ship authz2 but only when grant/revoke tasks are
> executed and HMS filters are used. The current HiveAuthzBinding class will
> still be used when a command is executed and Hive requests authorization to
> Sentry (this is part of the authz1 profile). Btw, the HMS server side
> checks still use MetastoreAuthzBinding.java in both authz1 and authz2.
>
> The plans for Solr is to support the latest Solr 6.x which added support
> for authorization modules. Hrishikesh is a Solr contributor and is helping
> us integrate it on SENTRY-1475
> <https://issues.apache.org/jira/browse/SENTRY-1475>. Solr 7 was just
> released last month, but he said he already has the code for Solr 6, but he
> will try to see if Solr 7 is easy to do, but the initial expectations were
> to have Solr 6.
>
> What do you think about the plans? Any comments regarding about them? Would
> you like to see something else or different?
>
> Sergio.
>
> On Mon, Oct 16, 2017 at 4:52 AM, Colm O hEigeartaigh <co...@apache.org>
> wrote:
>
> > Hi Sergio,
> >
> > Is the plan to ship both the authz1 and authz2 bindings for Sentry 2.0.0?
> > If so, which is recommended for use? Also, what are the plans to get a
> more
> > recent version of Solr supported?
> >
> > Colm.
> >
> > On Sat, Oct 14, 2017 at 5:12 PM, Na Li <li...@cloudera.com> wrote:
> >
> > > Kalyan,
> > >
> > > Thanks for the update. I am up to releasing sentry 2.0.0 as well.
> > >
> > > Lina
> > >
> > > On Fri, Oct 13, 2017 at 6:18 PM, Kalyan Kumar Kalvagadda <
> > > kkalyan@cloudera.com> wrote:
> > >
> > > > Sasha,
> > > >
> > > > See my response in-line below
> > > >
> > > > -Kalyan
> > > >
> > > > On Fri, Oct 13, 2017 at 1:09 PM, Alexander Kolbasov <
> > akolb@cloudera.com>
> > > > wrote:
> > > >
> > > > > Kalyan,
> > > > >
> > > > > Thank you for pushing forward 2.0 release!
> > > > >
> > > > > > On Oct 13, 2017, at 7:20 AM, Kalyan Kumar Kalvagadda <
> > > > > kkalyan@cloudera.com> wrote:
> > > > > >
> > > > > > Hello all,
> > > > > >
> > > > > > We need to release sentry HA functionality so that community can
> > > start
> > > > > > using it. In this regard I proposed to have a sentry 1.9.0
> release
> > as
> > > > > there
> > > > > > were some outstanding issues integrating with Hive. Community was
> > not
> > > > > > positive on this proposal for various reasons.
> > > > >
> > > > > It would be great if you can summarize these reasons here for
> future
> > > > > reference.
> > > > > One major concern was that sentry 1.9.0 should still be backward
> > > > > compatible and work with Hive1.1.
> > > >
> > > >
> > > >
> > > > > >
> > > > > > With recent findings we think we don't have to wait for Hive
> fixes.
> > > > With
> > > > > > the changes that are planned for below listed Jira's sentry would
> > > use a
> > > > > > combination of Semantic Hooks and AuthV2 interface to integrate
> > with
> > > > HIVE
> > > > > > 2.0.
> > > > >
> > > > > In your earlier email regarding 1.9 release you also mention issues
> > > with
> > > > > moving up to Java 8 and some issues with Solr-7 integration. Does
> > this
> > > > mean
> > > > > that you have a better idea of how to deal with these issues now?
> > > > > Yes, Changes for java version bumup are under review and the code
> > > changes
> > > > > for Solr-6 integration will be co
> > > > >
> > > > > >
> > > > > >   1. SENTRY-1978 <https://issues.apache.org/
> > jira/browse/SENTRY-1978>
> > > > > -Move
> > > > > >   the hive-authz2 grant/revoke implementation into the
> > > > > sentry-binding-hive
> > > > > >   module
> > > > >
> > > > > This looks like “refactoring change” so it doesn’t actually change
> > any
> > > > > existing functionality - right?
> > > > >
> > > > This is not just refactoring. With this change Sentry would use the
> > > > Schematic Hook implemented as part of Authv-2 support. Sentry still
> > would
> > > > still continue using the older implementation for PreAnalyze and
> > > > PostAnalyze schematic hooks.
> > > >
> > > > >
> > > > > >
> > > > > >
> > > > > >   1. SENTRY-1980 <https://issues.apache.org/
> > jira/browse/SENTRY-1980
> > > >-
> > > > > Move
> > > > > >   the hive-authz2 HMS client filtering implementation into the
> > > > > >   sentry-binding-hive module.
> > > > >
> > > > > Same here - this seems to be a refactoring change which doesn’t
> > affect
> > > > any
> > > > > existing functionality.
> > > > > This is not just refactoring. With this change Sentry would use the
> > > > > Schematic Hook implemented as part of Authv-2 support. Sentry still
> > > would
> > > > > still continue using the older implementation for PreAnalyze and
> > > > > PostAnalyze schematic hooks.
> > > > > I think you are referring to some planned follow-up work to
> actually
> > > > solve
> > > > > the authorization problem for Hive 2 - right? Yes.
> > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > I have created a umbrella jira for releasing Sentry 2.0 .
> > > > > >
> > > > > >   1. SENTRY-1982 <https://issues.apache.org/
> > jira/browse/SENTRY-1982>
> > > > > -Release
> > > > > >   sentry 2.0.0 upstream
> > > > > >
> > > > > >
> > > > > > I have linked issues that are blocking the release. If you see
> any
> > > > issue
> > > > > > that is blocking please attach it to this jira. That way we can
> fix
> > > > them
> > > > > > and clear all the road blocks for releasing SENTYR 2.0.0
> > > > >
> > > > > What is your impression once you looked at these issues - do you
> > think
> > > > > that you should be able to fix majority of these or do you think
> that
> > > > these
> > > > > ca nbe simply moved out of the release?
> > > > >
> > > > Issues blocking SENTRY-1982 should be fixed before sentry 2.0.0 is
> > > > released.
> > > >
> > > >
> > > > >
> > > > > >
> > > > > >
> > > > > > -Kalyan
> > > > >
> > > > > - Alex
> > > > >
> > > > >
> > > >
> > >
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Proposal to release Sentry 2.0.0

[Sergio Pena <se...@cloudera.com>]

Nop. The plan is to ship authz2 but only when grant/revoke tasks are
executed and HMS filters are used. The current HiveAuthzBinding class will
still be used when a command is executed and Hive requests authorization to
Sentry (this is part of the authz1 profile). Btw, the HMS server side
checks still use MetastoreAuthzBinding.java in both authz1 and authz2.

The plans for Solr is to support the latest Solr 6.x which added support
for authorization modules. Hrishikesh is a Solr contributor and is helping
us integrate it on SENTRY-1475
<https://issues.apache.org/jira/browse/SENTRY-1475>. Solr 7 was just
released last month, but he said he already has the code for Solr 6, but he
will try to see if Solr 7 is easy to do, but the initial expectations were
to have Solr 6.

What do you think about the plans? Any comments regarding about them? Would
you like to see something else or different?

Sergio.

On Mon, Oct 16, 2017 at 4:52 AM, Colm O hEigeartaigh <co...@apache.org>
wrote:

> Hi Sergio,
>
> Is the plan to ship both the authz1 and authz2 bindings for Sentry 2.0.0?
> If so, which is recommended for use? Also, what are the plans to get a more
> recent version of Solr supported?
>
> Colm.
>
> On Sat, Oct 14, 2017 at 5:12 PM, Na Li <li...@cloudera.com> wrote:
>
> > Kalyan,
> >
> > Thanks for the update. I am up to releasing sentry 2.0.0 as well.
> >
> > Lina
> >
> > On Fri, Oct 13, 2017 at 6:18 PM, Kalyan Kumar Kalvagadda <
> > kkalyan@cloudera.com> wrote:
> >
> > > Sasha,
> > >
> > > See my response in-line below
> > >
> > > -Kalyan
> > >
> > > On Fri, Oct 13, 2017 at 1:09 PM, Alexander Kolbasov <
> akolb@cloudera.com>
> > > wrote:
> > >
> > > > Kalyan,
> > > >
> > > > Thank you for pushing forward 2.0 release!
> > > >
> > > > > On Oct 13, 2017, at 7:20 AM, Kalyan Kumar Kalvagadda <
> > > > kkalyan@cloudera.com> wrote:
> > > > >
> > > > > Hello all,
> > > > >
> > > > > We need to release sentry HA functionality so that community can
> > start
> > > > > using it. In this regard I proposed to have a sentry 1.9.0 release
> as
> > > > there
> > > > > were some outstanding issues integrating with Hive. Community was
> not
> > > > > positive on this proposal for various reasons.
> > > >
> > > > It would be great if you can summarize these reasons here for future
> > > > reference.
> > > > One major concern was that sentry 1.9.0 should still be backward
> > > > compatible and work with Hive1.1.
> > >
> > >
> > >
> > > > >
> > > > > With recent findings we think we don't have to wait for Hive fixes.
> > > With
> > > > > the changes that are planned for below listed Jira's sentry would
> > use a
> > > > > combination of Semantic Hooks and AuthV2 interface to integrate
> with
> > > HIVE
> > > > > 2.0.
> > > >
> > > > In your earlier email regarding 1.9 release you also mention issues
> > with
> > > > moving up to Java 8 and some issues with Solr-7 integration. Does
> this
> > > mean
> > > > that you have a better idea of how to deal with these issues now?
> > > > Yes, Changes for java version bumup are under review and the code
> > changes
> > > > for Solr-6 integration will be co
> > > >
> > > > >
> > > > >   1. SENTRY-1978 <https://issues.apache.org/
> jira/browse/SENTRY-1978>
> > > > -Move
> > > > >   the hive-authz2 grant/revoke implementation into the
> > > > sentry-binding-hive
> > > > >   module
> > > >
> > > > This looks like “refactoring change” so it doesn’t actually change
> any
> > > > existing functionality - right?
> > > >
> > > This is not just refactoring. With this change Sentry would use the
> > > Schematic Hook implemented as part of Authv-2 support. Sentry still
> would
> > > still continue using the older implementation for PreAnalyze and
> > > PostAnalyze schematic hooks.
> > >
> > > >
> > > > >
> > > > >
> > > > >   1. SENTRY-1980 <https://issues.apache.org/
> jira/browse/SENTRY-1980
> > >-
> > > > Move
> > > > >   the hive-authz2 HMS client filtering implementation into the
> > > > >   sentry-binding-hive module.
> > > >
> > > > Same here - this seems to be a refactoring change which doesn’t
> affect
> > > any
> > > > existing functionality.
> > > > This is not just refactoring. With this change Sentry would use the
> > > > Schematic Hook implemented as part of Authv-2 support. Sentry still
> > would
> > > > still continue using the older implementation for PreAnalyze and
> > > > PostAnalyze schematic hooks.
> > > > I think you are referring to some planned follow-up work to actually
> > > solve
> > > > the authorization problem for Hive 2 - right? Yes.
> > > >
> > > > >
> > > > >
> > > > >
> > > > > I have created a umbrella jira for releasing Sentry 2.0 .
> > > > >
> > > > >   1. SENTRY-1982 <https://issues.apache.org/
> jira/browse/SENTRY-1982>
> > > > -Release
> > > > >   sentry 2.0.0 upstream
> > > > >
> > > > >
> > > > > I have linked issues that are blocking the release. If you see any
> > > issue
> > > > > that is blocking please attach it to this jira. That way we can fix
> > > them
> > > > > and clear all the road blocks for releasing SENTYR 2.0.0
> > > >
> > > > What is your impression once you looked at these issues - do you
> think
> > > > that you should be able to fix majority of these or do you think that
> > > these
> > > > ca nbe simply moved out of the release?
> > > >
> > > Issues blocking SENTRY-1982 should be fixed before sentry 2.0.0 is
> > > released.
> > >
> > >
> > > >
> > > > >
> > > > >
> > > > > -Kalyan
> > > >
> > > > - Alex
> > > >
> > > >
> > >
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>

Re: Proposal to release Sentry 2.0.0

[Colm O hEigeartaigh <co...@apache.org>]

Hi Sergio,

Is the plan to ship both the authz1 and authz2 bindings for Sentry 2.0.0?
If so, which is recommended for use? Also, what are the plans to get a more
recent version of Solr supported?

Colm.

On Sat, Oct 14, 2017 at 5:12 PM, Na Li <li...@cloudera.com> wrote:

> Kalyan,
>
> Thanks for the update. I am up to releasing sentry 2.0.0 as well.
>
> Lina
>
> On Fri, Oct 13, 2017 at 6:18 PM, Kalyan Kumar Kalvagadda <
> kkalyan@cloudera.com> wrote:
>
> > Sasha,
> >
> > See my response in-line below
> >
> > -Kalyan
> >
> > On Fri, Oct 13, 2017 at 1:09 PM, Alexander Kolbasov <ak...@cloudera.com>
> > wrote:
> >
> > > Kalyan,
> > >
> > > Thank you for pushing forward 2.0 release!
> > >
> > > > On Oct 13, 2017, at 7:20 AM, Kalyan Kumar Kalvagadda <
> > > kkalyan@cloudera.com> wrote:
> > > >
> > > > Hello all,
> > > >
> > > > We need to release sentry HA functionality so that community can
> start
> > > > using it. In this regard I proposed to have a sentry 1.9.0 release as
> > > there
> > > > were some outstanding issues integrating with Hive. Community was not
> > > > positive on this proposal for various reasons.
> > >
> > > It would be great if you can summarize these reasons here for future
> > > reference.
> > > One major concern was that sentry 1.9.0 should still be backward
> > > compatible and work with Hive1.1.
> >
> >
> >
> > > >
> > > > With recent findings we think we don't have to wait for Hive fixes.
> > With
> > > > the changes that are planned for below listed Jira's sentry would
> use a
> > > > combination of Semantic Hooks and AuthV2 interface to integrate with
> > HIVE
> > > > 2.0.
> > >
> > > In your earlier email regarding 1.9 release you also mention issues
> with
> > > moving up to Java 8 and some issues with Solr-7 integration. Does this
> > mean
> > > that you have a better idea of how to deal with these issues now?
> > > Yes, Changes for java version bumup are under review and the code
> changes
> > > for Solr-6 integration will be co
> > >
> > > >
> > > >   1. SENTRY-1978 <https://issues.apache.org/jira/browse/SENTRY-1978>
> > > -Move
> > > >   the hive-authz2 grant/revoke implementation into the
> > > sentry-binding-hive
> > > >   module
> > >
> > > This looks like “refactoring change” so it doesn’t actually change any
> > > existing functionality - right?
> > >
> > This is not just refactoring. With this change Sentry would use the
> > Schematic Hook implemented as part of Authv-2 support. Sentry still would
> > still continue using the older implementation for PreAnalyze and
> > PostAnalyze schematic hooks.
> >
> > >
> > > >
> > > >
> > > >   1. SENTRY-1980 <https://issues.apache.org/jira/browse/SENTRY-1980
> >-
> > > Move
> > > >   the hive-authz2 HMS client filtering implementation into the
> > > >   sentry-binding-hive module.
> > >
> > > Same here - this seems to be a refactoring change which doesn’t affect
> > any
> > > existing functionality.
> > > This is not just refactoring. With this change Sentry would use the
> > > Schematic Hook implemented as part of Authv-2 support. Sentry still
> would
> > > still continue using the older implementation for PreAnalyze and
> > > PostAnalyze schematic hooks.
> > > I think you are referring to some planned follow-up work to actually
> > solve
> > > the authorization problem for Hive 2 - right? Yes.
> > >
> > > >
> > > >
> > > >
> > > > I have created a umbrella jira for releasing Sentry 2.0 .
> > > >
> > > >   1. SENTRY-1982 <https://issues.apache.org/jira/browse/SENTRY-1982>
> > > -Release
> > > >   sentry 2.0.0 upstream
> > > >
> > > >
> > > > I have linked issues that are blocking the release. If you see any
> > issue
> > > > that is blocking please attach it to this jira. That way we can fix
> > them
> > > > and clear all the road blocks for releasing SENTYR 2.0.0
> > >
> > > What is your impression once you looked at these issues - do you think
> > > that you should be able to fix majority of these or do you think that
> > these
> > > ca nbe simply moved out of the release?
> > >
> > Issues blocking SENTRY-1982 should be fixed before sentry 2.0.0 is
> > released.
> >
> >
> > >
> > > >
> > > >
> > > > -Kalyan
> > >
> > > - Alex
> > >
> > >
> >
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Proposal to release Sentry 2.0.0

[Na Li <li...@cloudera.com>]

Kalyan,

Thanks for the update. I am up to releasing sentry 2.0.0 as well.

Lina

On Fri, Oct 13, 2017 at 6:18 PM, Kalyan Kumar Kalvagadda <
kkalyan@cloudera.com> wrote:

> Sasha,
>
> See my response in-line below
>
> -Kalyan
>
> On Fri, Oct 13, 2017 at 1:09 PM, Alexander Kolbasov <ak...@cloudera.com>
> wrote:
>
> > Kalyan,
> >
> > Thank you for pushing forward 2.0 release!
> >
> > > On Oct 13, 2017, at 7:20 AM, Kalyan Kumar Kalvagadda <
> > kkalyan@cloudera.com> wrote:
> > >
> > > Hello all,
> > >
> > > We need to release sentry HA functionality so that community can start
> > > using it. In this regard I proposed to have a sentry 1.9.0 release as
> > there
> > > were some outstanding issues integrating with Hive. Community was not
> > > positive on this proposal for various reasons.
> >
> > It would be great if you can summarize these reasons here for future
> > reference.
> > One major concern was that sentry 1.9.0 should still be backward
> > compatible and work with Hive1.1.
>
>
>
> > >
> > > With recent findings we think we don't have to wait for Hive fixes.
> With
> > > the changes that are planned for below listed Jira's sentry would use a
> > > combination of Semantic Hooks and AuthV2 interface to integrate with
> HIVE
> > > 2.0.
> >
> > In your earlier email regarding 1.9 release you also mention issues with
> > moving up to Java 8 and some issues with Solr-7 integration. Does this
> mean
> > that you have a better idea of how to deal with these issues now?
> > Yes, Changes for java version bumup are under review and the code changes
> > for Solr-6 integration will be co
> >
> > >
> > >   1. SENTRY-1978 <https://issues.apache.org/jira/browse/SENTRY-1978>
> > -Move
> > >   the hive-authz2 grant/revoke implementation into the
> > sentry-binding-hive
> > >   module
> >
> > This looks like “refactoring change” so it doesn’t actually change any
> > existing functionality - right?
> >
> This is not just refactoring. With this change Sentry would use the
> Schematic Hook implemented as part of Authv-2 support. Sentry still would
> still continue using the older implementation for PreAnalyze and
> PostAnalyze schematic hooks.
>
> >
> > >
> > >
> > >   1. SENTRY-1980 <https://issues.apache.org/jira/browse/SENTRY-1980>-
> > Move
> > >   the hive-authz2 HMS client filtering implementation into the
> > >   sentry-binding-hive module.
> >
> > Same here - this seems to be a refactoring change which doesn’t affect
> any
> > existing functionality.
> > This is not just refactoring. With this change Sentry would use the
> > Schematic Hook implemented as part of Authv-2 support. Sentry still would
> > still continue using the older implementation for PreAnalyze and
> > PostAnalyze schematic hooks.
> > I think you are referring to some planned follow-up work to actually
> solve
> > the authorization problem for Hive 2 - right? Yes.
> >
> > >
> > >
> > >
> > > I have created a umbrella jira for releasing Sentry 2.0 .
> > >
> > >   1. SENTRY-1982 <https://issues.apache.org/jira/browse/SENTRY-1982>
> > -Release
> > >   sentry 2.0.0 upstream
> > >
> > >
> > > I have linked issues that are blocking the release. If you see any
> issue
> > > that is blocking please attach it to this jira. That way we can fix
> them
> > > and clear all the road blocks for releasing SENTYR 2.0.0
> >
> > What is your impression once you looked at these issues - do you think
> > that you should be able to fix majority of these or do you think that
> these
> > ca nbe simply moved out of the release?
> >
> Issues blocking SENTRY-1982 should be fixed before sentry 2.0.0 is
> released.
>
>
> >
> > >
> > >
> > > -Kalyan
> >
> > - Alex
> >
> >
>

Re: Proposal to release Sentry 2.0.0

[Kalyan Kumar Kalvagadda <kk...@cloudera.com>]

Sasha,

See my response in-line below

-Kalyan

On Fri, Oct 13, 2017 at 1:09 PM, Alexander Kolbasov <ak...@cloudera.com>
wrote:

> Kalyan,
>
> Thank you for pushing forward 2.0 release!
>
> > On Oct 13, 2017, at 7:20 AM, Kalyan Kumar Kalvagadda <
> kkalyan@cloudera.com> wrote:
> >
> > Hello all,
> >
> > We need to release sentry HA functionality so that community can start
> > using it. In this regard I proposed to have a sentry 1.9.0 release as
> there
> > were some outstanding issues integrating with Hive. Community was not
> > positive on this proposal for various reasons.
>
> It would be great if you can summarize these reasons here for future
> reference.
> One major concern was that sentry 1.9.0 should still be backward
> compatible and work with Hive1.1.



> >
> > With recent findings we think we don't have to wait for Hive fixes. With
> > the changes that are planned for below listed Jira's sentry would use a
> > combination of Semantic Hooks and AuthV2 interface to integrate with HIVE
> > 2.0.
>
> In your earlier email regarding 1.9 release you also mention issues with
> moving up to Java 8 and some issues with Solr-7 integration. Does this mean
> that you have a better idea of how to deal with these issues now?
> Yes, Changes for java version bumup are under review and the code changes
> for Solr-6 integration will be co
>
> >
> >   1. SENTRY-1978 <https://issues.apache.org/jira/browse/SENTRY-1978>
> -Move
> >   the hive-authz2 grant/revoke implementation into the
> sentry-binding-hive
> >   module
>
> This looks like “refactoring change” so it doesn’t actually change any
> existing functionality - right?
>
This is not just refactoring. With this change Sentry would use the
Schematic Hook implemented as part of Authv-2 support. Sentry still would
still continue using the older implementation for PreAnalyze and
PostAnalyze schematic hooks.

>
> >
> >
> >   1. SENTRY-1980 <https://issues.apache.org/jira/browse/SENTRY-1980>-
> Move
> >   the hive-authz2 HMS client filtering implementation into the
> >   sentry-binding-hive module.
>
> Same here - this seems to be a refactoring change which doesn’t affect any
> existing functionality.
> This is not just refactoring. With this change Sentry would use the
> Schematic Hook implemented as part of Authv-2 support. Sentry still would
> still continue using the older implementation for PreAnalyze and
> PostAnalyze schematic hooks.
> I think you are referring to some planned follow-up work to actually solve
> the authorization problem for Hive 2 - right? Yes.
>
> >
> >
> >
> > I have created a umbrella jira for releasing Sentry 2.0 .
> >
> >   1. SENTRY-1982 <https://issues.apache.org/jira/browse/SENTRY-1982>
> -Release
> >   sentry 2.0.0 upstream
> >
> >
> > I have linked issues that are blocking the release. If you see any issue
> > that is blocking please attach it to this jira. That way we can fix them
> > and clear all the road blocks for releasing SENTYR 2.0.0
>
> What is your impression once you looked at these issues - do you think
> that you should be able to fix majority of these or do you think that these
> ca nbe simply moved out of the release?
>
Issues blocking SENTRY-1982 should be fixed before sentry 2.0.0 is released.


>
> >
> >
> > -Kalyan
>
> - Alex
>
>

Re: Proposal to release Sentry 2.0.0

[Sergio Pena <se...@cloudera.com>]

Thanks Kalyan.

I like the proposal. The original idea was to switch to hive-authz2 on
Sentry 2.0, but we can have this mix for now. It won't be incompatible to
switch completely to checkPrivileges() in the future once we understand
hive and sentry relationship on this area.

+1



On Fri, Oct 13, 2017 at 1:09 PM, Alexander Kolbasov <ak...@cloudera.com>
wrote:

> Kalyan,
>
> Thank you for pushing forward 2.0 release!
>
> > On Oct 13, 2017, at 7:20 AM, Kalyan Kumar Kalvagadda <
> kkalyan@cloudera.com> wrote:
> >
> > Hello all,
> >
> > We need to release sentry HA functionality so that community can start
> > using it. In this regard I proposed to have a sentry 1.9.0 release as
> there
> > were some outstanding issues integrating with Hive. Community was not
> > positive on this proposal for various reasons.
>
> It would be great if you can summarize these reasons here for future
> reference.
>
> >
> > With recent findings we think we don't have to wait for Hive fixes. With
> > the changes that are planned for below listed Jira's sentry would use a
> > combination of Semantic Hooks and AuthV2 interface to integrate with HIVE
> > 2.0.
>
> In your earlier email regarding 1.9 release you also mention issues with
> moving up to Java 8 and some issues with Solr-7 integration. Does this mean
> that you have a better idea of how to deal with these issues now?
>
>
> >
> >   1. SENTRY-1978 <https://issues.apache.org/jira/browse/SENTRY-1978>
> -Move
> >   the hive-authz2 grant/revoke implementation into the
> sentry-binding-hive
> >   module
>
> This looks like “refactoring change” so it doesn’t actually change any
> existing functionality - right?
>
> >
> >
> >   1. SENTRY-1980 <https://issues.apache.org/jira/browse/SENTRY-1980>-
> Move
> >   the hive-authz2 HMS client filtering implementation into the
> >   sentry-binding-hive module.
>
> Same here - this seems to be a refactoring change which doesn’t affect any
> existing functionality.
>
> I think you are referring to some planned follow-up work to actually solve
> the authorization problem for Hive 2 - right?
>
> >
> >
> >
> > I have created a umbrella jira for releasing Sentry 2.0 .
> >
> >   1. SENTRY-1982 <https://issues.apache.org/jira/browse/SENTRY-1982>
> -Release
> >   sentry 2.0.0 upstream
> >
> >
> > I have linked issues that are blocking the release. If you see any issue
> > that is blocking please attach it to this jira. That way we can fix them
> > and clear all the road blocks for releasing SENTYR 2.0.0
>
> What is your impression once you looked at these issues - do you think
> that you should be able to fix majority of these or do you think that these
> ca nbe simply moved out of the release?
>
> >
> >
> > -Kalyan
>
> - Alex
>
>

Re: Proposal to release Sentry 2.0.0

[Alexander Kolbasov <ak...@cloudera.com>]

Kalyan,

Thank you for pushing forward 2.0 release!

> On Oct 13, 2017, at 7:20 AM, Kalyan Kumar Kalvagadda <kk...@cloudera.com> wrote:
> 
> Hello all,
> 
> We need to release sentry HA functionality so that community can start
> using it. In this regard I proposed to have a sentry 1.9.0 release as there
> were some outstanding issues integrating with Hive. Community was not
> positive on this proposal for various reasons.

It would be great if you can summarize these reasons here for future reference.

> 
> With recent findings we think we don't have to wait for Hive fixes. With
> the changes that are planned for below listed Jira's sentry would use a
> combination of Semantic Hooks and AuthV2 interface to integrate with HIVE
> 2.0.

In your earlier email regarding 1.9 release you also mention issues with moving up to Java 8 and some issues with Solr-7 integration. Does this mean that you have a better idea of how to deal with these issues now?


> 
>   1. SENTRY-1978 <https://issues.apache.org/jira/browse/SENTRY-1978> -Move
>   the hive-authz2 grant/revoke implementation into the sentry-binding-hive
>   module

This looks like “refactoring change” so it doesn’t actually change any existing functionality - right?

> 
> 
>   1. SENTRY-1980 <https://issues.apache.org/jira/browse/SENTRY-1980>- Move
>   the hive-authz2 HMS client filtering implementation into the
>   sentry-binding-hive module.

Same here - this seems to be a refactoring change which doesn’t affect any existing functionality.

I think you are referring to some planned follow-up work to actually solve the authorization problem for Hive 2 - right?

> 
> 
> 
> I have created a umbrella jira for releasing Sentry 2.0 .
> 
>   1. SENTRY-1982 <https://issues.apache.org/jira/browse/SENTRY-1982> -Release
>   sentry 2.0.0 upstream
> 
> 
> I have linked issues that are blocking the release. If you see any issue
> that is blocking please attach it to this jira. That way we can fix them
> and clear all the road blocks for releasing SENTYR 2.0.0

What is your impression once you looked at these issues - do you think that you should be able to fix majority of these or do you think that these ca nbe simply moved out of the release?

> 
> 
> -Kalyan

- Alex