[ https://issues.apache.org/jira/browse/SENTRY-985?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Anne Yu updated SENTRY-985:
---------------------------
    Description:
The Hadoop Security book introduces the tool as a good way to check policy files for errors and to verify privileges for a given user. You can also use it to import policies from policy files to the Sentry Service. In the quote below it implies that you should use it for Solr policy files to avoid syntax errors.

From O'Reilly Hadoop Security book:
"It is important to point out that while SQL policy files allow for separate policy files per database, Solr does not. This means that Solr policy administrators need to be extra careful when modifying the policies because, as with the SQL policy files, a syntax error invalidates the entire policy file, thus inadvertently denying access to everyone. A nice feature to help combat typos and mistakes is to validate the policy file using the config-tool, which leads us into the next section."

However, as I've dug into it I see that config-tool does not support an AuthorizableType of "collection", which is the "authorizable" used in Solr Sentry policy files.

[nwhite@host-10-17-80-38 ~]$ sentry --command config-tool -l -u nwhite -i file:///home/nwhite/sentry-provider.ini -s file:///etc/sentry/conf/sentry-site.xml -d
Configuration:
15/12/10 06:58:55 INFO file.SimpleFileProviderBackend: Parsing file:/home/nwhite/sentry-provider.ini
15/12/10 06:58:55 INFO file.SimpleFileProviderBackend: Filesystem: file:///
15/12/10 06:58:55 INFO file.PolicyFiles: Opening file:/home/nwhite/sentry-provider.ini
15/12/10 06:58:55 ERROR file.SimpleFileProviderBackend: Error processing file, ignoring file:/home/nwhite/sentry-provider.ini
org.apache.shiro.config.ConfigurationException: No authorizable found for collection=employees
    at org.apache.sentry.policy.db.AbstractDBPrivilegeValidator.parsePrivilege(AbstractDBPrivilegeValidator.java:42)
    at org.apache.sentry.policy.db.ServersAllIsInvalid.validate(ServersAllIsInvalid.java:29)

From org.apache.sentry.core.model.db.DBModelAuthorizable:

public enum AuthorizableType {
    Server,
    Db,
    Table,
    View,
    URI
};

  was:
The Hadoop Security book introduces the tool as a good way to check policy files for errors and to verify privileges for a given user. You can also use it to import policies from policy files to the Sentry Service. In the quote below it implies that you should use it for Solr policy files to avoid syntax errors.

From O'Reilly Hadoop Security book:
"It is important to point out that while SQL policy files allow for separate policy files per database, Solr does not. This means that Solr policy administrators need to be extra careful when modifying the policies because, as with the SQL policy files, a syntax error invalidates the entire policy file, thus inadvertently denying access to everyone. A nice feature to help combat typos and mistakes is to validate the policy file using the config-tool, which leads us into the next section."

However, as I've dug into it I see that config-tool does not support an AuthorizableType of "collection", which is the "authorizable" used in Solr Sentry policy files.

[nwhite@host-10-17-80-38 ~]$ sentry --command config-tool -l -u nwhite -i file:///home/nwhite/sentry-provider.ini -s file:///etc/sentry/conf/sentry-site.xml -d
Configuration:
Sentry package jar: file:/opt/cloudera/parcels/CDH-5.4.8-1.cdh5.4.8.p0.4/jars/sentry-binding-hive-1.4.0-cdh5.4.8.jar
Hive config: file:/etc/hive/conf.cloudera.hive/hive-site.xml
15/12/10 06:58:54 INFO conf.HiveAuthzConf: DefaultFS: hdfs://host-10-17-80-38.coe.cloudera.com:8020
15/12/10 06:58:54 INFO conf.HiveAuthzConf: DefaultFS: hdfs://host-10-17-80-38.coe.cloudera.com:8020
Sentry config: file:/etc/sentry/conf/sentry-site.xml
Sentry Policy: file:///home/nwhite/sentry-provider.ini
Sentry server: HS2
15/12/10 06:58:55 INFO file.SimpleFileProviderBackend: Parsing file:/home/nwhite/sentry-provider.ini
15/12/10 06:58:55 INFO file.SimpleFileProviderBackend: Filesystem: file:///
15/12/10 06:58:55 INFO file.PolicyFiles: Opening file:/home/nwhite/sentry-provider.ini
15/12/10 06:58:55 ERROR file.SimpleFileProviderBackend: Error processing file, ignoring file:/home/nwhite/sentry-provider.ini
org.apache.shiro.config.ConfigurationException: No authorizable found for collection=employees
    at org.apache.sentry.policy.db.AbstractDBPrivilegeValidator.parsePrivilege(AbstractDBPrivilegeValidator.java:42)
    at org.apache.sentry.policy.db.ServersAllIsInvalid.validate(ServersAllIsInvalid.java:29)

From org.apache.sentry.core.model.db.DBModelAuthorizable:

public enum AuthorizableType {
    Server,
    Db,
    Table,
    View,
    URI
};

> sentry config-tool fails to import Solr sentry-provider.ini
> -----------------------------------------------------------
>
>                 Key: SENTRY-985
>                 URL: https://issues.apache.org/jira/browse/SENTRY-985
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 1.6.0
>            Reporter: Anne Yu
>
> The Hadoop Security book introduces the tool as a good way to check policy
> files for errors and to verify privileges for a given user. You can also use
> it to import policies from policy files to the Sentry Service. In the quote
> below it implies that you should use it for Solr policy files to avoid syntax
> errors.
> From O'Reilly Hadoop Security book:
> "It is important to point out that while SQL policy files allow for separate
> policy files per database, Solr does not. This means that Solr policy
> administrators need to be extra careful when modifying the policies because,
> as with the SQL policy files, a syntax error invalidates the entire policy
> file, thus inadvertently denying access to everyone. A nice feature to help
> combat typos and mistakes is to validate the policy file using the
> config-tool, which leads us into the next section."
> However, as I've dug into it I see that config-tool does not support an
> AuthorizableType of "collection", which is the "authorizable" used in Solr
> Sentry policy files.
> [nwhite@host-10-17-80-38 ~]$ sentry --command config-tool -l -u nwhite -i file:///home/nwhite/sentry-provider.ini -s file:///etc/sentry/conf/sentry-site.xml -d
> Configuration:
> 15/12/10 06:58:55 INFO file.SimpleFileProviderBackend: Parsing file:/home/nwhite/sentry-provider.ini
> 15/12/10 06:58:55 INFO file.SimpleFileProviderBackend: Filesystem: file:///
> 15/12/10 06:58:55 INFO file.PolicyFiles: Opening file:/home/nwhite/sentry-provider.ini
> 15/12/10 06:58:55 ERROR file.SimpleFileProviderBackend: Error processing file, ignoring file:/home/nwhite/sentry-provider.ini
> org.apache.shiro.config.ConfigurationException: No authorizable found for collection=employees
>     at org.apache.sentry.policy.db.AbstractDBPrivilegeValidator.parsePrivilege(AbstractDBPrivilegeValidator.java:42)
>     at org.apache.sentry.policy.db.ServersAllIsInvalid.validate(ServersAllIsInvalid.java:29)
> From org.apache.sentry.core.model.db.DBModelAuthorizable:
> public enum AuthorizableType {
>     Server,
>     Db,
>     Table,
>     View,
>     URI
> };

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
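
The mismatch reported above, as an added example (not code from Sentry or from the reporter): a small linter that checks each privilege in a policy file's [roles] section against one model's authorizable keys, so a Solr policy is judged by Solr keys rather than the DB enum. The sample policy, the `action` key, and the names `MODELS`, `parse_roles` and `lint` are assumptions made for illustration.

```python
import re

# Authorizable keys per model. The DB keys come from the AuthorizableType enum
# quoted in the report; "collection" is the Solr authorizable the report names.
# The "action" key is an assumption based on Sentry's usual privilege syntax.
MODELS = {
    "db": {"server", "db", "table", "view", "uri"},
    "solr": {"collection"},
}

# Constructed sample policy, not the reporter's actual sentry-provider.ini.
SAMPLE_POLICY = """\
[groups]
hr_group = hr_role

[roles]
hr_role = collection=employees->action=query
"""

def parse_roles(text):
    """Return {role: [privilege, ...]} from the [roles] section."""
    roles, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "roles" and "=" in line:
            role, privs = line.split("=", 1)
            roles[role.strip()] = [p.strip() for p in privs.split(",") if p.strip()]
    return roles

def lint(text, model):
    """List every privilege part whose key the chosen model does not know."""
    allowed = MODELS[model] | {"action"}
    errors = []
    for role, privs in parse_roles(text).items():
        for priv in privs:
            for part in priv.split("->"):
                key, sep, value = part.partition("=")
                if not sep or not value or key.strip().lower() not in allowed:
                    errors.append(f"{role}: no authorizable found for {part.strip()}")
    return errors

if __name__ == "__main__":
    for model in MODELS:
        print(model, lint(SAMPLE_POLICY, model) or "OK")
```

Because one bad entry invalidates the whole policy file, any non-empty result from `lint` should block deployment of the file.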