Fang-Yu Rao created IMPALA-9220:
-----------------------------------

             Summary: AuthorizationStmtTest creates inconsistent views between 
AuthorizationPolicy and SentryPolicyService in Sentry tests
                 Key: IMPALA-9220
                 URL: https://issues.apache.org/jira/browse/IMPALA-9220
             Project: IMPALA
          Issue Type: Test
          Components: Frontend
    Affects Versions: Product Backlog
            Reporter: Fang-Yu Rao
            Assignee: Fang-Yu Rao


In {{AuthorizationTestBase.java}}, when granting privileges to a {{Role}}, we 
will first add a grant group to the name of the {{Role}}. However, only the 
corresponding {{AuthorizationPolicy}} is updated by {{addRoleGrantGroup()}} in 
{{CatalogServiceCatalog.java}} 
(https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/catalog/CatalogServiceCatalog.java#L2360).
 The corresponding {{SentryPolicyService}} is not updated accordingly. 
Therefore, later on when {{refreshSentryAuthorization()}} 
(https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/sentry/SentryProxy.java#L182-L212)
 is run to synchronize the {{AuthorizationPolicy}} with its associated 
{{SentryPolicyService}}, the grant group added earlier will be removed from the 
{{AuthorizationPolicy}} by {{refreshRolePrivileges()}} 
(https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/sentry/SentryProxy.java#L214-L266)
 in {{refreshSentryAuthorization()}} since the grant group does not exist in 
the {{SentryPolicyService}}.

A similar issue also occurs when we grant privileges to a {{User}}.

The issues described above will not affect the result of a Sentry test as long 
as it takes less than {{sentry_catalog_polling_frequency_s}} seconds (defined 
at 
https://github.com/apache/impala/blame/master/be/src/catalog/catalog.cc#L48-L50 
and used to set the refresh frequency of a {{PolicyReader}} at 
https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/sentry/SentryProxy.java#L141-L143)
 to finish the test after the {{AuthorizationPolicy}} is updated by 
{{addRoleGrantGroup()}}. However, the result of the Sentry test will be failed 
once we spend more than {{sentry_catalog_polling_frequency_s}} seconds in the 
test after granting the privileges. For example, this could happen when we 
attach a debugger to the Sentry test.

In this regard, we should make sure that the {{AuthorizationPolicy}} and 
{{SentryPolicyService}} should be updated in a consistent way.




--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to