[jira] [Commented] (SENTRY-988) It's better to let SentryAuthorization setter path always fall through and update HDFS

Wed, 16 Dec 2015 09:53:26 -0800 

    [ 
https://issues.apache.org/jira/browse/SENTRY-988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15060393#comment-15060393
 ] 

Sravya Tirukkovalur commented on SENTRY-988:
--------------------------------------------

[~yzhangal], thanks for the patch! About the test failure: at this point of 
time Sentry HDFS sync tests are disabled until we can get SENTRY-709, which 
would switch using newer HDFS interfaces.
Changes mostly look good to me!

Some comments on the patch:
- While you are here, will you be able to refactor the name isManaged -> 
isPrefix ?
- Not sure what "YJD:"in the info message? 

> It's better to let SentryAuthorization setter path always fall through and 
> update HDFS
> --------------------------------------------------------------------------------------
>
>                 Key: SENTRY-988
>                 URL: https://issues.apache.org/jira/browse/SENTRY-988
>             Project: Sentry
>          Issue Type: Bug
>          Components: Hdfs Plugin
>            Reporter: Yongjun Zhang
>            Assignee: Yongjun Zhang
>         Attachments: SENTRY-988.001.patch
>
>
> Currently SentryAuthorizationProvider rejects setter calls to Sentry-managed 
> paths, and issue an error message when enabled.
> There are two issues:
> 1. When creating a file or dir, the parent dir's group will be set to the 
> newly created file/dir, this is supposed to be logged to fsimage in-memory 
> representation, but because the rejection of Sentry, it's not.
> 2. (as an example) When user issue a setOwner call via the following RPC:
> {code}
> @Override // ClientProtocol
>   public void setOwner(String src, String username, String groupname)
>       throws IOException {
>     checkNNStartup();
>     namesystem.setOwner(src, username, groupname);
>   }
> {code}
> Two calls are executed in the deep stack:
> {code}
> a.     dir.setOwner(src, username, group);
> b.     getEditLog().logSetOwner(src, username, group);
> {code}
> The first call is the one gets rejected by Sentry, however, the second one 
> still updates the entry to Edit log. This would indicate an inconsistency 
> between in-memory representation of the attribute and what's recorded on edit 
> log.
> Creating this jira to make SentryAuthorizationProvider always fallthrough to 
> write to HDFS, and issue a warning msg when it "rejects" (for Sentry-managed 
> paths).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to