[
https://issues.apache.org/jira/browse/SENTRY-1549?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15704174#comment-15704174
]
Alexander Kolbasov commented on SENTRY-1549:
--------------------------------------------
Here is the actual failing code:
{code}
private void revokePrivilegeFromRole(PersistenceManager pm, TSentryPrivilege tPrivilege,
    MSentryRole mRole, MSentryPrivilege mPrivilege) throws SentryInvalidInputException {
  if (PARTIAL_REVOKE_ACTIONS.contains(mPrivilege.getAction())) {
    // if this privilege is in {ALL,SELECT,INSERT}
    // we will do partial revoke
    revokePartial(pm, tPrivilege, mRole, mPrivilege);
  } else {
    // if this privilege is not ALL, SELECT nor INSERT,
    // we will revoke it from role directly
    MSentryPrivilege persistedPriv =
        getMSentryPrivilege(convertToTSentryPrivilege(mPrivilege), pm);
    if (persistedPriv != null) {
      mPrivilege.removeRole(mRole); // <-- Here
      privCleaner.incPrivRemoval();
      pm.makePersistent(mPrivilege);
    }
  }
}
{code}
> Attempt to remove privilege fails on role access
> ------------------------------------------------
>
> Key: SENTRY-1549
> URL: https://issues.apache.org/jira/browse/SENTRY-1549
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Affects Versions: 1.8.0
> Reporter: Alexander Kolbasov
> Fix For: sentry-ha-redesign
>
>
> I was trying to remove a privilege from a role. This privilege had only WITH
> GRANT OPTION set. It was done using Thrift API. The result was interesting:
> {code}
> TransactionManager.executeTransactionWithRetry(TransactionManager.java:102)] The transaction has reached max retry number, will not retry again.
> javax.jdo.JDODetachedFieldAccessException: You have just attempted to access field "roles" yet this field was not detached when you detached the object. Either dont access this field, or detach it when detaching the object.
>     at org.apache.sentry.provider.db.service.model.MSentryPrivilege.jdoGetroles(MSentryPrivilege.java)
>     at org.apache.sentry.provider.db.service.model.MSentryPrivilege.removeRole(MSentryPrivilege.java:173)
>     at org.apache.sentry.provider.db.service.persistent.SentryStore.revokePrivilegeFromRole(SentryStore.java:570)
>     at org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleRevokePrivilegeCore(SentryStore.java:498)
>     at org.apache.sentry.provider.db.service.persistent.SentryStore.access$800(SentryStore.java:95)
>     at org.apache.sentry.provider.db.service.persistent.SentryStore$9.execute(SentryStore.java:458)
>     at org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransaction(TransactionManager.java:72)
>     at org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransactionWithRetry(TransactionManager.java:93)
>     at org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleRevokePrivileges(SentryStore.java:451)
>     at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_revoke_privilege(SentryPolicyStoreProcessor.java:344)
>     at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_revoke_privilege.getResult(SentryPolicyService.java:1257)
>     at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_revoke_privilege.getResult(SentryPolicyService.java:1242)
>     at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
>     at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
>     at org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:35)
>     at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
>     at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
> {code}
> {code}
> 2016-11-28 20:35:52,439 (pool-7-thread-10) [ERROR - org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_revoke_privilege(SentryPolicyStoreProcessor.java:384)] Unknown error for request: TAlterSentryRoleRevokePrivilegeRequest(protocol_version:2, requestorUserName:akolb, roleName:r3, privilege:TSentryPrivilege(privilegeScope:, serverName:, dbName:, tableName:, URI:, action:, grantOption:TRUE, columnName:), privileges:[TSentryPrivilege(privilegeScope:, serverName:, dbName:, tableName:, URI:, action:, grantOption:TRUE, columnName:)]), message: The transaction has reached max retry number, will not retry again.
> {code}
> {code}
> java.lang.Exception: The transaction has reached max retry number, will not retry again.
>     at org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransactionWithRetry(TransactionManager.java:103)
>     at org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleRevokePrivileges(SentryStore.java:451)
>     at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_revoke_privilege(SentryPolicyStoreProcessor.java:344)
>     at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_revoke_privilege.getResult(SentryPolicyService.java:1257)
>     at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_revoke_privilege.getResult(SentryPolicyService.java:1242)
>     at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
>     at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
>     at org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:35)
>     at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
>     at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.jdo.JDODetachedFieldAccessException: You have just attempted to access field "roles" yet this field was not detached when you detached the object. Either dont access this field, or detach it when detaching the object.
>     at org.apache.sentry.provider.db.service.model.MSentryPrivilege.jdoGetroles(MSentryPrivilege.java)
>     at org.apache.sentry.provider.db.service.model.MSentryPrivilege.removeRole(MSentryPrivilege.java:173)
>     at org.apache.sentry.provider.db.service.persistent.SentryStore.revokePrivilegeFromRole(SentryStore.java:570)
>     at org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleRevokePrivilegeCore(SentryStore.java:498)
>     at org.apache.sentry.provider.db.service.persistent.SentryStore.access$800(SentryStore.java:95)
>     at org.apache.sentry.provider.db.service.persistent.SentryStore$9.execute(SentryStore.java:458)
>     at org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransaction(TransactionManager.java:72)
>     at org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransactionWithRetry(TransactionManager.java:93)
>     ... 12 more
> 2016-11-28 20:35:52,440 (pool-7-thread-10) [INFO - org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_revoke_privilege(SentryPolicyStoreProcessor.java:394)]
>
> {"serviceName":"Sentry-Service","userName":"akolb","impersonator":"","ipAddress":"/127.0.0.1","operation":"REVOKE_PRIVILEGE","eventTime":"1480394152439","operationText":"REVOKE ON FROM ROLE r3 WITH GRANT OPTION","allowed":"false","databaseName":"","tableName":"","column":null,"resourcePath":"","objectType":"PRINCIPAL"}
> {code}