Review Request 21894: SENTRY-183 Sentry Policy Service goes into an unusable state when granting privileges. Subsequent access fail with a DataNucleusException: "Iteration request failed: SELECT ..."

Prasad Mujumdar Sat, 24 May 2014 20:27:07 -0700

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/21894/
-----------------------------------------------------------


Review request for sentry, Arun Suresh, Jarek Cecho, and Sravya Tirukkovalur.


Bugs: SENTRY-183
    https://issues.apache.org/jira/browse/SENTRY-183


Repository: sentry


Description
-------

With latest build, I am hitting a different error for drop role.

Error: Error while processing statement: FAILED: Execution Error, return code 1 
from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. Unknown error for 
request: TDropSentryRoleRequest(protocol_version:1, requestorUserName:prasadm, 
requestorGroupNames:[prasadm], roleName:user_role), message: Privileges should 
be empty: [MSentryPrivilege [privilegeScope=TABLE, 
privilegeName=server1+default+t1+INSERT, serverName=server1, dbName=default, 
tableName=t1, URI=null, action=INSERT, roles=[...], createTime=1400898494165, 
grantorPrincipal=prasadm]]. Server Stacktrace: java.lang.IllegalStateException: 
Privileges should be empty: [MSentryPrivilege [privilegeScope=TABLE, 
privilegeName=server1+default+t1+INSERT, serverName=server1, dbName=default, 
tableName=t1, URI=null, action=INSERT, roles=[...], 
createTime=140089849l=prasadm]]
        at 
com.google.common.base.Preconditions.checkState(Preconditions.java:145)
        at 
org.apache.sentry.provider.db.service.model.MSentryRole.removePrivileges(MSentryRole.jav
        at 
org.apache.sentry.provider.db.service.persistent.SentryStore.dropSentryRole(SentryStore.
        at 
org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.drop_sentry_rolecessor.java:224)

In the current m:n relation mapping, dataNucleus doens't populate the roles 
list in the MSentryPrivilege object. Hence remove call remove privilege 
unconditionally.


Diffs
-----

  
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
 82d701f 
  
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
 86aaeb4 
  
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
 8f0ecfd 
  
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServerWithoutKerberos.java
 81a9ea4 

Diff: https://reviews.apache.org/r/21894/diff/


Testing
-------

Added testcase to drop and recreate role with multiple privileges.


Thanks,

Prasad Mujumdar

Review Request 21894: SENTRY-183 Sentry Policy Service goes into an unusable state when granting privileges. Subsequent access fail with a DataNucleusException: "Iteration request failed: SELECT ..."

Reply via email to