> On Nov. 5, 2015, 11:45 p.m., Sravya Tirukkovalur wrote:
> >
>
> Hao Hao wrote:
> In getUser / getGroup and some other APIs we are doing the same checking,
> if the condition is not good, then we should change all of them at the same
> time to be consistent?
>
> Sravya Tirukkovalur wrote:
> There is a difference between the two
>
> if (!authzInfo.isManaged(pathElements)
>     || !authzInfo.doesBelongToAuthzObject(pathElements)) // Either not in prefix or not a hive object
>
> if (!authzInfo.isManaged(pathElements)) { // If not in prefix
>     group = getDefaultProviderGroup(node, snapshotId);
> } else if (!authzInfo.doesBelongToAuthzObject(pathElements)) { // If in prefix and not a hive object
>     group = getDefaultProviderGroup(node, snapshotId);
> }

If a path is associated with a hive object but not in the prefix, the following
statement will evaluate to true and write to hdfs, which is what we
desire, right? No op is only for paths inside the prefix + hive object.

if (!authzInfo.isManaged(pathElements)
    || !authzInfo.doesBelongToAuthzObject(pathElements))

- Hao
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39928/#review105329
-----------------------------------------------------------
On Nov. 5, 2015, 5:38 a.m., Hao Hao wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/39928/
> -----------------------------------------------------------
>
> (Updated Nov. 5, 2015, 5:38 a.m.)
>
>
> Review request for sentry, Anne Yu, Lenni Kuff, and Sravya Tirukkovalur.
>
>
> Repository: sentry
>
>
> Description
> -------
>
> Paths that are sentry managed should not successfully chmod/chown/removeACL.
> We should update setGroup/setUser/setPermission and removeAclFeature.
>
> Old behavior:
> chmod/chown
> if not under prefix + unmanaged: writes to hdfs.
> if managed: writes to hdfs.
> Removing acls:
> if not under prefix + unmanaged: removes from hdfs.
> if managed: removes from hdfs.
>
> New behavior:
> If not under prefix: writes to/removes from hdfs.
> If else: no op.
>
>
> Diffs
> -----
>
>
> sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryAuthorizationProvider.java
> 419ab68e0d03f995c55d229b762453468de47571
>
> sentry-hdfs/sentry-hdfs-namenode-plugin/src/test/java/org/apache/sentry/hdfs/TestSentryAuthorizationProvider.java
> fd5146f079d93687738a522f42beaa59031a4f82
>
> Diff: https://reviews.apache.org/r/39928/diff/
>
>
> Testing
> -------
>
> Added several new unit tests for setPermission/setUser/setGroup/removeAcl
> cases validation.
>
>
> Thanks,
>
> Hao Hao
>
>