[ https://issues.apache.org/jira/browse/SENTRY-1610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15838615#comment-15838615 ]

Alexander Kolbasov commented on SENTRY-1610:
--------------------------------------------

It seems that the largely undocumented assumption is that Sentry groups are the 
same as Unix/AD groups although Sentry doesn't provide any enforcement for this.

The semantics of "*" in this context is also not documented anywhere.

> list_sentry_roles_by_group() semantics for Generic model is broken
> ------------------------------------------------------------------
>
>                 Key: SENTRY-1610
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1610
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 1.8.0, sentry-ha-redesign
>            Reporter: Alexander Kolbasov
>            Assignee: Alexander Kolbasov
>
> Looking at SentryGenericPolicyProcessor:
> {code}
>   @Override
>   public TListSentryRolesResponse list_sentry_roles_by_group(
>       final TListSentryRolesRequest request) throws TException {
>     Response<Set<TSentryRole>> respose = requestHandle(new RequestHandler<Set<TSentryRole>>() {
>       @Override
>       public Response<Set<TSentryRole>> handle() throws Exception {
>         validateClientVersion(request.getProtocol_version());
>         // Here we assign groups to the requestor's Unix groups!
>         Set<String> groups = getRequestorGroups(conf, request.getRequestorUserName());
>         if (!AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) {
>           boolean admin = inAdminGroups(groups);
>           // Only admin users can list all roles in the system ( groupname = null)
>           // Non admin users are only allowed to list only groups which they belong to
>           if(!admin && (request.getGroupName() == null || !groups.contains(request.getGroupName()))) {
>             throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + request.getRequestorUserName());
>           }
>           groups.clear();
>           groups.add(request.getGroupName());
>         }
>         // And here we use Unix groups if the group is "*"
>         Set<String> roleNames = store.getRolesByGroups(request.getComponent(), groups);
> ...
> {code}
> What happens here is weird - when the group in the request is ALL ("*"), we 
> attempt to return roles for Unix groups that the requestor belongs to, not 
> Sentry groups. The problem is that Sentry groups and User groups have nothing 
> in common, so this is completely wrong.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
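The control flow quoted in the issue, modelled in Python as an added example (this is not Sentry project code, and the group-to-role table, the Unix group memberships, the admin group name and the user names are all constructed here). It shows what the check returns when the requested group is "*": the roles are looked up for the requestor's Unix groups, so a Sentry group with no Unix group of the same name is never reached that way, and an admin asking for "*" does not get every role in the store.

```python
"""Model of the list_sentry_roles_by_group() check quoted above.

Added example, not Sentry project code. The store contents, the Unix group
membership and the admin group name are constructed to exercise the logic.
"""
from typing import Dict, Optional, Set

ALL = "*"  # AccessConstants.ALL in the quoted code

# Constructed: Sentry's own group -> role mapping for one component
# (what store.getRolesByGroups() would consult).
SENTRY_ROLES_BY_GROUP: Dict[str, Set[str]] = {
    "analysts": {"read_sales"},
    # A Sentry group that exists only in Sentry, with no Unix/AD group of the same name.
    "etl_sentry_only": {"write_raw"},
}

# Constructed: Unix/AD membership, standing in for getRequestorGroups().
UNIX_GROUPS: Dict[str, Set[str]] = {
    "alice": {"analysts", "staff"},
    "bob": {"staff"},
    "root": {"admin"},
}

ADMIN_GROUPS = {"admin"}  # assumed admin group, standing in for inAdminGroups()


class SentryAccessDeniedException(Exception):
    pass


def get_requestor_groups(user: str) -> Set[str]:
    """Unix groups of the requestor, as the quoted code obtains them."""
    return set(UNIX_GROUPS.get(user, set()))


def list_sentry_roles_by_group(requestor: str, group_name: Optional[str]) -> Set[str]:
    """Mirror the quoted control flow: for "*" the requestor's Unix groups are
    kept and used for the role lookup; for any other value the requestor must
    either be admin or be a Unix member of that group."""
    groups = get_requestor_groups(requestor)
    # Java: AccessConstants.ALL.equalsIgnoreCase(null) is false, so null falls into the block.
    is_all = group_name is not None and group_name.lower() == ALL
    if not is_all:
        admin = bool(groups & ADMIN_GROUPS)
        if not admin and (group_name is None or group_name not in groups):
            raise SentryAccessDeniedException(f"Access denied to {requestor}")
        groups = {group_name}
    # store.getRolesByGroups(component, groups); a None group is modelled as matching nothing
    # (the page does not show how the store treats it).
    roles: Set[str] = set()
    for g in groups:
        roles |= SENTRY_ROLES_BY_GROUP.get(g, set())
    return roles


def is_denied(requestor: str, group_name: Optional[str]) -> bool:
    try:
        list_sentry_roles_by_group(requestor, group_name)
    except SentryAccessDeniedException:
        return True
    return False


def roles_of_all_sentry_groups() -> Set[str]:
    """Every role the store knows about, i.e. what the in-code comment
    ("admin users can list all roles in the system") describes."""
    return set().union(*SENTRY_ROLES_BY_GROUP.values())


if __name__ == "__main__":
    print("alice *      ->", list_sentry_roles_by_group("alice", ALL))
    print("root  *      ->", list_sentry_roles_by_group("root", ALL))
    print("all in store ->", roles_of_all_sentry_groups())
    print("alice etl_sentry_only denied:", is_denied("alice", "etl_sentry_only"))
```

Running it, "alice" with "*" gets the roles of her Unix groups, "root" (admin by Unix group) with "*" gets an empty set because no Sentry group is named "admin", and the Sentry-only group is reachable by an admin naming it explicitly but never through "*" for anyone.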
