Re: Review Request 22847: SENTRY-310: Make Hive operation to required privileges more granular

Sun, 22 Jun 2014 16:15:07 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22847/
-----------------------------------------------------------

(Updated June 22, 2014, 11:14 p.m.)


Review request for sentry, Arun Suresh, Jarek Cecho, Lenni Kuff, and Prasad 
Mujumdar.


Changes
-------

Updated based on Prasad's review feedback.

- As part of it, cleaned up the way we verify privileges based on input/output 
hierarchies. Which can lead to semantic check success if the input/output 
privileges are not built properly with sufficient information to do a auth 
check.
- Now, the required privilege list for each operation is a strict AND (earlier 
it was OR, it was skipped if the input/output privilege doesn't have it) with 
the only exception of URIs.
- Added more test cases.


Bugs: SENTRY-310
    https://issues.apache.org/jira/browse/SENTRY-310


Repository: sentry


Description
-------

Required privileges for a given hive operation is too restrictive in some 
cases. This patch cleans that up. The new model is documented as a pdf attached 
to the ticket.

In short:
- All DDL statements on an object require ALL on that object, except the create 
database/table/view/partition which requires all on the parent, as we should 
not allow granting privileges on non existing objects.
- Cleaned up some unwanted uri privileges, now we only support all on URI.
- Fixed some more non intuitive mappings


Diffs (updated)
-----

  
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
 6c507b83419ab5e5e2797c62dc71bfa0fdf36776 
  
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
 cedf368825a153be13d3a05d1519a581bc30082f 
  
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
 7d241d0ea7957e6b6c334c78c6bcf0934f1a36ab 
  
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
 fd969a6cb221656d2dee65a068cdce77e1efc5cd 
  
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
 e725eb06fc9915b0bcc2609e428a62feea80ec43 
  
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
 PRE-CREATION 

Diff: https://reviews.apache.org/r/22847/diff/


Testing
-------

Captured most of the Hive operations in TestOperations test class. All of them 
pass. 

Added todos for the operations which need test cases. Now running the entire 
suite.


Thanks,

Sravya Tirukkovalur

Reply via email to