You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues-all@impala.apache.org by "Fang-Yu Rao (Jira)" <ji...@apache.org> on 2019/12/06 06:06:00 UTC

[jira] [Created] (IMPALA-9220) AuthorizationStmtTest creates inconsistent views between AuthorizationPolicy and SentryPolicyService in Sentry tests

Fang-Yu Rao created IMPALA-9220:
-----------------------------------

             Summary: AuthorizationStmtTest creates inconsistent views between AuthorizationPolicy and SentryPolicyService in Sentry tests
                 Key: IMPALA-9220
                 URL: https://issues.apache.org/jira/browse/IMPALA-9220
             Project: IMPALA
          Issue Type: Test
          Components: Frontend
    Affects Versions: Product Backlog
            Reporter: Fang-Yu Rao
            Assignee: Fang-Yu Rao


In {{AuthorizationTestBase.java}}, when granting privileges to a {{Role}}, we will first add a grant group to the name of the {{Role}}. However, only the corresponding {{AuthorizationPolicy}} is updated by {{addRoleGrantGroup()}} in {{CatalogServiceCatalog.java}} (https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/catalog/CatalogServiceCatalog.java#L2360). The corresponding {{SentryPolicyService}} is not updated accordingly. Therefore, later on when {{refreshSentryAuthorization()}} (https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/sentry/SentryProxy.java#L182-L212) is run to synchronize the {{AuthorizationPolicy}} with its associated {{SentryPolicyService}}, the grant group added earlier will be removed from the {{AuthorizationPolicy}} by {{refreshRolePrivileges()}} (https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/sentry/SentryProxy.java#L214-L266) in {{refreshSentryAuthorization()}} since the grant group does not exist in the {{SentryPolicyService}}.

A similar issue also occurs when we grant privileges to a {{User}}.

The issues described above will not affect the result of a Sentry test as long as it takes less than {{sentry_catalog_polling_frequency_s}} seconds (defined at https://github.com/apache/impala/blame/master/be/src/catalog/catalog.cc#L48-L50 and used to set the refresh frequency of a {{PolicyReader}} at https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/sentry/SentryProxy.java#L141-L143) to finish the test after the {{AuthorizationPolicy}} is updated by {{addRoleGrantGroup()}}. However, the result of the Sentry test will be failed once we spend more than {{sentry_catalog_polling_frequency_s}} seconds in the test after granting the privileges. For example, this could happen when we attach a debugger to the Sentry test.

In this regard, we should make sure that the {{AuthorizationPolicy}} and {{SentryPolicyService}} should be updated in a consistent way.




--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org