Vamsee Yarlagadda created SENTRY-1825:
-----------------------------------------

             Summary: Dropping a Hive database/table doesn't cleanup the permissions associated with it
                 Key: SENTRY-1825
                 URL: https://issues.apache.org/jira/browse/SENTRY-1825
             Project: Sentry
          Issue Type: Bug
    Affects Versions: sentry-ha-redesign
            Reporter: Vamsee Yarlagadda
            Priority: Critical


Sasha helped in finding this bug. Looks like dropping a database/table no 
longer cleans up the privileges associated with it.

This problem is because of:
https://github.com/apache/sentry/blob/sentry-ha-redesign/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java#L126-L127
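{code}
// The server name is read from the local configuration; get() returns null when the property is unset.
final HiveConf hiveConf = new HiveConf();
hiveInstance = hiveConf.get(HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar());
{code}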

With the latest redesign, we are only setting this property on Hive's 
(sentry-site.xml) and not on Sentry's (sentry-site.xml).

So during permission grants, Hive makes sure to supply *server1* for 
permission updates. But when we drop a table/database that has perms 
attached, it goes through HMSFollower, and this code sets the property to NULL 
because sentry-site.xml doesn't have it set. So it attempts to remove permissions 
with a NULL server setting, and this always returns without deleting anything. 

We need to ensure that the corresponding property is set in both (Sentry, Hive) 
sentry-site.xml files so that they refer to the proper privileges. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
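
A pre-deployment check for the misconfiguration described in this report, as an added example that is not part of the original message or of Sentry's code base: it reads the Hive-side and Sentry-side sentry-site.xml contents and reports when the server name is missing or differs. The property key `sentry.hive.server` is an assumption (the report only names `AUTHZ_SERVER_NAME`), and both XML samples are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: key behind HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.
SERVER_KEY = "sentry.hive.server"

# Constructed samples: the Hive-side file sets the server name, the Sentry-side one does not.
HIVE_SIDE_XML = """<configuration>
  <property><name>sentry.hive.server</name><value>server1</value></property>
</configuration>"""
SENTRY_SIDE_XML = """<configuration>
  <property><name>sentry.store.jdbc.url</name><value>jdbc:example</value></property>
</configuration>"""


def read_property(site_xml, key):
    """Return the value of `key` from Hadoop-style configuration XML, or None."""
    value = None
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == key:
            # Empty values count as unset; a repeated key keeps the last occurrence.
            value = (prop.findtext("value") or "").strip() or None
    return value


def check_server_name(hive_side_xml, sentry_side_xml, key=SERVER_KEY):
    """Return a list of findings; an empty list means both sides agree."""
    hive_val = read_property(hive_side_xml, key)
    sentry_val = read_property(sentry_side_xml, key)
    findings = []
    if hive_val is None:
        findings.append(f"Hive-side sentry-site.xml does not set {key}")
    if sentry_val is None:
        # The case in this report: the follower reads a null server name,
        # so privilege cleanup on drop matches nothing.
        findings.append(f"Sentry-side sentry-site.xml does not set {key}")
    if hive_val and sentry_val and hive_val != sentry_val:
        findings.append(f"{key} differs: Hive={hive_val!r}, Sentry={sentry_val!r}")
    return findings


if __name__ == "__main__":
    for finding in check_server_name(HIVE_SIDE_XML, SENTRY_SIDE_XML):
        print("FINDING:", finding)
```
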