You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@sentry.apache.org by "Stephen Measmer (JIRA)" <ji...@apache.org> on 2017/02/28 13:12:45 UTC

[jira] [Issue Comment Deleted] (SENTRY-1295) Investigate malformed paths in HMS db

     [ https://issues.apache.org/jira/browse/SENTRY-1295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Measmer updated SENTRY-1295:
------------------------------------
    Comment: was deleted

(was: 1) Add rule to deny access to DB/TBL entries that exhibit this condition
2) Log on start up the rule has been added
3) Continue initialization   

The motivation is that a malicious user could cause HMS to fail just by modifying a record in the HMS DB when Sentry is enable.  I see it as a stability issue especially for Hive instances that have been upgraded many times.)

> Investigate malformed paths in HMS db
> -------------------------------------
>
>                 Key: SENTRY-1295
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1295
>             Project: Sentry
>          Issue Type: Bug
>            Reporter: Sravya Tirukkovalur
>            Assignee: Colin Ma
>            Priority: Critical
>
> Paths in HMS are expected to be in one of these forms:
> * hdfs://hostname:port/path
> * hdfs:///path
> * /path, in which case, scheme will be constructed from FileSystem.getDefaultURI
> * URIs with non hdfs scheme will just be ignored
> I came across atleast 2 sentry users where HMS did have paths which do not comply with above rules and hence HMS plugin initialization for pathupdates failed. See sentry-1260 and sentry-1270 for details on how these errors surface. 
> With 1260 and 1270 we should have more information on what these malformed paths were. But we should continue to investigate and fix the root cause, It would most likely be in HMS code base. Until then, here is how you can diagnose and fix it manually:
> *Look for malformed paths in HMS* : Look in DBS as well as SDS tables.
> {code}
> SELECT "NAME", "DB_LOCATION_URI" FROM "DBS" WHERE NOT "DB_LOCATION_URI" LIKE 'hdfs://%/%';
> NAME | DB_LOCATION_URI 
> -----------+--------------------
> db_name | hdfs://nameservice1
> (1 row)
> {code}
> *Fix it manually updating the HMS location*
> {code}
> UPDATE DBS
> SET DB_LOCATION_URI='hdfs://nameservice1/user/hive/warehouse/db_name.db'
> WHERE DB_ID=12345;
> {code}
> Lets track occurrences of these malformed paths here:
> * hdfs://nameservice1 : Not sure why would any one create a db/table in root directory? Should we accept this in Sentry?
> What does SKEWED_COL_VALUE_LOC_MAP.location in HMS correspond to? Double check if there are any malformed paths here?



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)