[
https://issues.apache.org/jira/browse/IMPALA-8550?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tim Armstrong resolved IMPALA-8550.
-----------------------------------
Resolution: Won't Fix
We removed Sentry support.
> Sentry refresh privileges has race conditions
> ---------------------------------------------
>
> Key: IMPALA-8550
> URL: https://issues.apache.org/jira/browse/IMPALA-8550
> Project: IMPALA
> Issue Type: Bug
> Components: Catalog
> Reporter: Vihang Karajgaonkar
> Priority: Major
>
> Recently, I encountered a race condition in {{SentryProxy}}'s
> refreshSentryAuthorization loop. The race happens when Sentry server is slow
> to update its information based on changes in HMS. Consider the following
> scenario:
> # Impala session from user A creates a database/table.
> # AuthorizationManager will updateDatabaseOwnerPrivilege
> [here|[https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/service/CatalogOpExecutor.java#L1159]]
> Note that this adds the user privilege in Catalog's cache out-of-band
> (without confirming that Sentry has added this privilege in its database)
> # Assume that Sentry is slow to update its database of roles/privileges.
> (Actually depending on the timing of these events, it doesn't really matter
> but likelihood of the issue increases if Sentry is slow.)
> # The refreshSentryAuthorization loop is triggered based on a configured
> interval
> [here|[https://github.com/apache/impala/blob/master/fe/src/main/java/org/apache/impala/authorization/sentry/SentryProxy.java#L174]].
> Since Sentry has not yet updated its database of the owner information, this
> loop will remove the privilege from Catalog. Any subsequent SQL which
> requires privileges will fail until Sentry is synced and refresh loop adds
> this privilege again to the catalog cache.
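A deterministic model of the race described in the quoted report, added here as an illustration; it is not Impala or Sentry code. `SlowSentry`, `CatalogCache`, `run` and the `keep_unconfirmed` option are hypothetical names, the option is one assumed way to avoid the eviction (not something the project implemented), and the tick values are constructed.

```python
# Added model; all class and function names here are hypothetical, not Impala's.
class SlowSentry:
    """Authoritative store whose writes become visible after `lag` ticks."""
    def __init__(self, lag):
        self.lag, self.now = lag, 0
        self.pending = []       # (visible_at_tick, privilege)
        self.visible = set()

    def grant(self, priv):
        self.pending.append((self.now + self.lag, priv))

    def tick(self):
        self.now += 1
        self.visible |= {p for t, p in self.pending if t <= self.now}
        self.pending = [(t, p) for t, p in self.pending if t > self.now]

class CatalogCache:
    def __init__(self, sentry, keep_unconfirmed=False):
        self.sentry, self.keep_unconfirmed = sentry, keep_unconfirmed
        self.privs = set()
        self.unconfirmed = set()  # added out-of-band, not yet seen in Sentry

    def add_owner_privilege(self, priv):
        # Step 2 of the report: cache updated without confirmation from Sentry.
        self.privs.add(priv)
        self.unconfirmed.add(priv)

    def refresh(self):
        # Step 4: the periodic refresh replaces the cache with Sentry's view.
        snapshot = set(self.sentry.visible)
        self.unconfirmed -= snapshot   # confirmed entries need no protection
        kept = self.unconfirmed if self.keep_unconfirmed else set()
        self.privs = snapshot | kept

def run(keep_unconfirmed, lag=3, refresh_every=2, ticks=6):
    """Return, per tick, whether user A is still authorized on the new database."""
    sentry = SlowSentry(lag)
    cache = CatalogCache(sentry, keep_unconfirmed)
    priv = ("userA", "db1", "OWNER")  # constructed sample privilege
    sentry.grant(priv)                # Sentry learns of it, but applies it late
    cache.add_owner_privilege(priv)
    timeline = []
    for t in range(1, ticks + 1):
        sentry.tick()
        if t % refresh_every == 0:
            cache.refresh()
        timeline.append(priv in cache.privs)
    return timeline
```

`run(False)` shows the owner privilege missing at ticks 2 and 3, between the first refresh and the first refresh after Sentry catches up. With `keep_unconfirmed=True` it stays present, though a real implementation would also need to expire unconfirmed entries that Sentry never applies.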