> On Oct. 13, 2017, 8:57 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
> > Line 52 (original), 64 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852558#file1852558line64>
> >
> > should it be v2? This is auth-2 API

I don't know what this version is. This is also part of the hive-authz2
profile and even Hive 2.0 HiveAuthorizer.java has it:

    public enum VERSION { V1 };

> On Oct. 13, 2017, 8:57 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
> > Line 112 (original), 126 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852558#file1852558line126>
> >
> > should we just return here?
> >
> > This function will be called by Hive when auth-2 is enabled. If we do
> > authorization at semantic hook (called before this function), it should be
> > OK to just return.
> >
> > If we throw exception here, it will cause every hive command to fail.

I'm not throwing an exception. I put a comment that says there is nothing to do:

    // Nothing to do there. Privileges are checked on the Semantic hooks

The method is void so I don't need to return anything.

> On Oct. 13, 2017, 8:57 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
> > Line 165 (original), 184 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852558#file1852558line184>
> >
> > filter should be based on user's privileges. Where is the username or
> > group info used?

This is done internally on the SentryMetaStoreFilterHook. This code is just
passing the information to it.

> On Oct. 13, 2017, 8:57 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
> > Line 184 (original), 203 (patched)
> > <https://reviews.apache.org/r/62902/diff/1/?file=1852558#file1852558line203>
> >
> > Is it true all objects in the list have the same DB? If not, then we
> > need to get DB for each object, and filter it

It is true. I don't know why Hive sends the list of objects in this way, but
Hive adds the same DB to the list.
Also, the hive-authz2 profile uses a similar approach.

- Sergio

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62902/#review188013
-----------------------------------------------------------
On Oct. 12, 2017, 7:35 p.m., Sergio Pena wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62902/
> -----------------------------------------------------------
>
> (Updated Oct. 12, 2017, 7:35 p.m.)
>
>
> Review request for sentry, Alexander Kolbasov, Colm O hEigeartaigh, and
> kalyan kumar kalvagadda.
>
>
> Bugs: sentry-1978
> https://issues.apache.org/jira/browse/sentry-1978
>
>
> Repository: sentry
>
>
> Description
> -------
>
> This patch is moving some hive-authz2 profile classes related to the
> grant/revoke tasks to allow running the current tests with it and start doing
> the switch to authz2.
>
> The patch does the following:
> - Stop using the SentryGrantRevokeTask for grant/revoke task execution.
> - Use SentryHiveAccessController to execute similar tasks that
> SentryGrantRevokeTask used to have.
> - Configure the new controller on the HiveAuthzBindingSessionHook class.
> - Configure tests to run the authz2 access controller.
>
>
> Diffs
> -----
>
>
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
> 3454910db1950f11e3317011bf4c08041a4ec5ac
>
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
> 994ae7a852d36653eb642112da7c0c58952f2f33
>
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java
> ceb3b17714d5dfc4c6186b5f9cf536d6ddbb662b
>
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHivePrivilegeObject.java
> PRE-CREATION
>
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java
> PRE-CREATION
>
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAccessController.java
> PRE-CREATION
>
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerFactory.java
> f6297e9a19e4624cfc9c5a57d939e5873261263d
>
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
> 9c72876abbde2d1217503b90dfbfcd6d609427a8
>
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
> PRE-CREATION
>
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
> a62a0a66f1894f9039f099691b9fcfa2e98d8549
>
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
> 27cfba9fab49f44f74f7b7d24564b22e3ac437ba
>
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java
> 35cb2bb4ffb9109721ba24e6dac84667bfdefa37
>
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java
> 5cd69e17b3d70dfc7b739354e9fe21a5f7678120
>
>
> Diff: https://reviews.apache.org/r/62902/diff/1/
>
>
> Testing
> -------
>
> All tests passed.
>
>
> Thanks,
>
> Sergio Pena
>
>