[
https://issues.apache.org/jira/browse/IMPALA-9220?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fang-Yu Rao updated IMPALA-9220:
--------------------------------
Description:
In {{AuthorizationTestBase.java}}, when granting privileges to a {{Role}}, we
will first add a grant group to the name of the {{Role}}. However, only the
corresponding {{AuthorizationPolicy}} is updated by {{addRoleGrantGroup()}} in
{{CatalogServiceCatalog.java}}
(https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/catalog/CatalogServiceCatalog.java#L2360).
The corresponding {{SentryPolicyService}} is not updated accordingly.
Therefore, later on when {{refreshSentryAuthorization()}}
(https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/sentry/SentryProxy.java#L182-L212)
is run to synchronize the {{AuthorizationPolicy}} with its associated
{{SentryPolicyService}}, the grant group added earlier will be removed from the
{{AuthorizationPolicy}} by {{refreshRolePrivileges()}}
(https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/sentry/SentryProxy.java#L214-L266)
in {{refreshSentryAuthorization()}} since the grant group does not exist in
the {{SentryPolicyService}}, resulting in a failed test that would otherwise
pass.
A similar issue also occurs when we grant privileges to a {{User}}.
The issues described above will not affect the result of a Sentry test as long
as it takes less than {{sentry_catalog_polling_frequency_s}} seconds to finish
the test after the {{AuthorizationPolicy}} is updated by
{{addRoleGrantGroup()}}. However, the Sentry test will fail
once we spend more than {{sentry_catalog_polling_frequency_s}} seconds in the
test after granting the privileges. Recall that the refresh frequency is
defined as 60 seconds at
https://github.com/apache/impala/blame/master/be/src/catalog/catalog.cc#L48-L50
and is used to set the refresh frequency of a {{PolicyReader}} at
https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/sentry/SentryProxy.java#L141-L143.
Hence, this problem could likely happen when we attach a debugger to the
Sentry test.
In this regard, we should make sure that the {{AuthorizationPolicy}} and
{{SentryPolicyService}} are updated in a consistent way.
was:
In {{AuthorizationTestBase.java}}, when granting privileges to a {{Role}}, we
will first add a grant group to the name of the {{Role}}. However, only the
corresponding {{AuthorizationPolicy}} is updated by {{addRoleGrantGroup()}} in
{{CatalogServiceCatalog.java}}
(https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/catalog/CatalogServiceCatalog.java#L2360).
The corresponding {{SentryPolicyService}} is not updated accordingly.
Therefore, later on when {{refreshSentryAuthorization()}}
(https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/sentry/SentryProxy.java#L182-L212)
is run to synchronize the {{AuthorizationPolicy}} with its associated
{{SentryPolicyService}}, the grant group added earlier will be removed from the
{{AuthorizationPolicy}} by {{refreshRolePrivileges()}}
(https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/sentry/SentryProxy.java#L214-L266)
in {{refreshSentryAuthorization()}} since the grant group does not exist in
the {{SentryPolicyService}}, resulting in a failed test that would otherwise
pass.
A similar issue also occurs when we grant privileges to a {{User}}.
The issues described above will not affect the result of a Sentry test as long
as it takes less than {{sentry_catalog_polling_frequency_s}} seconds (defined
as 60 seconds at
https://github.com/apache/impala/blame/master/be/src/catalog/catalog.cc#L48-L50
and used to set the refresh frequency of a {{PolicyReader}} at
https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/sentry/SentryProxy.java#L141-L143)
to finish the test after the {{AuthorizationPolicy}} is updated by
{{addRoleGrantGroup()}}. However, the Sentry test will fail
once we spend more than {{sentry_catalog_polling_frequency_s}} seconds in the
test after granting the privileges. For example, this could happen when we
attach a debugger to the Sentry test.
In this regard, we should make sure that the {{AuthorizationPolicy}} and
{{SentryPolicyService}} should be updated in a consistent way.
> AuthorizationStmtTest creates inconsistent views between AuthorizationPolicy
> and SentryPolicyService in Sentry tests
> --------------------------------------------------------------------------------------------------------------------
>
> Key: IMPALA-9220
> URL: https://issues.apache.org/jira/browse/IMPALA-9220
> Project: IMPALA
> Issue Type: Test
> Components: Frontend
> Affects Versions: Product Backlog
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Minor
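The failure mode described in this issue, as a small added model (not Impala code and not part of the original message): a grant written only to the local policy cache disappears at the next poll unless the authoritative service is updated as well. The class names, `grant_role_to_group`, and the 5 s / 90 s timings are assumptions made for illustration; only the 60-second polling interval comes from the issue.

```python
POLLING_FREQUENCY_S = 60  # sentry_catalog_polling_frequency_s, per the issue


class PolicyService:
    """Stand-in for SentryPolicyService: the authoritative store."""

    def __init__(self):
        self.role_groups = {}  # role name -> set of grant groups

    def grant_role_to_group(self, role, group):  # hypothetical name
        self.role_groups.setdefault(role, set()).add(group)


class CachedPolicy:
    """Stand-in for the catalog's AuthorizationPolicy: a local cache."""

    def __init__(self, service):
        self.service = service
        self.role_groups = {}
        self.last_refresh = 0.0

    def add_role_grant_group(self, role, group):
        # Local-only update, like the test helper described in the issue.
        self.role_groups.setdefault(role, set()).add(group)

    def refresh(self):
        # Reconcile with the service: whatever the service lacks is dropped.
        self.role_groups = {r: set(g) for r, g in self.service.role_groups.items()}

    def tick(self, now):
        # Simulated poller: refresh once the polling interval has elapsed.
        if now - self.last_refresh >= POLLING_FREQUENCY_S:
            self.refresh()
            self.last_refresh = now

    def is_granted(self, role, group):
        return group in self.role_groups.get(role, set())


def run_test(elapsed_s, update_service):
    """Grant at t=0, check at t=elapsed_s; True if the grant is still visible."""
    service = PolicyService()
    policy = CachedPolicy(service)
    policy.add_role_grant_group("test_role", "test_group")  # constructed names
    if update_service:
        service.grant_role_to_group("test_role", "test_group")
    policy.tick(elapsed_s)
    return policy.is_granted("test_role", "test_group")
```

`run_test(90, False)` models the debugger-attached case: the check happens after a poll, so the cache-only grant is gone.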