Hi All,

We are running into some problems with the support of Hive Authz V2,
especially related to the workaround that parses Hive command strings in
Sentry using regular expressions to get some info that Hive is not sending
through the authz2 API. Hive 2.0 made some changes on commands that caused
issues with Sentry. These are fixed but the concern of doing this SQL
parsing exists. We asked the Hive community to give us extra SQL
information, but we cannot implement it in Sentry until a Hive release is
done. There are some concerns about the quality of authz2 too, such as
create/drop table and functions calling Sentry twice for authorization and
the lack of testing being done on it.

The original idea for Sentry 2.0 (future release) was to drop authz1
support and use authz2 as default but the work is getting delayed until
Hive releases something. Now that we bumped the Hive version to 2.0, I was
wondering if we should continue with authz1 and keep authz2 as an
experimental support until Hive releases something we can consume to fix
our issues. Then we can deprecate authz1 in a future 2.x release and remove
it in a major version.

I was thinking we could remove any hive-authz2 profile and just add the
hive-authz2 classes to the current sentry-binding-hive module so that users
are allowed to switch either to v1 or v2 (for testing). Also for the tests,
find a way to run all sentry-tests-hive with v1 and v2 to validate the
quality of it.

What does the PMC community think? Is it a good or bad idea?

- Sergio
