[
https://issues.apache.org/jira/browse/SENTRY-1825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16076834#comment-16076834
]
Na Li commented on SENTRY-1825:
-------------------------------
There are several problems:
1) HMSFollower should read sentry-site.xml to get the server name, not from
hive-site.xml through hiveConf. The input configuration for HMSFollower
constructor is from sentry-site.xm. We should use that configuration to get
server name.
2) There are two variable names that could hold the value of the server.
{quote}hive.sentry.server{quote} is deprecated and is in
{quote}HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME_DEPRECATED{quote}. The new
name is {quote}sentry.hive.server{quote} in
{quote}HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME{quote}
We should check the {quote}sentry.hive.server{quote} first. If it is not set,
check the deprecated {quote}hive.sentry.server{quote} to be backward compatible.
3) Whoever generates the sentry-site.xml for hive and sentry needs to make sure
the variable is set for both host hive and sentry and of the same value.
[~kkalyan] will make update for items 1) and 2) as he is refectoring
HMSFollower. I will make sure item 3) is handled by proper team. And add e2e
test to show the issue and verify the fix. In e2e test, the sentry-site.xml
will be manually generated in test setup
> Dropping a Hive database/table doesn't cleanup the permissions associated
> with it
> ----------------------------------------------------------------------------------
>
> Key: SENTRY-1825
> URL: https://issues.apache.org/jira/browse/SENTRY-1825
> Project: Sentry
> Issue Type: Sub-task
> Affects Versions: sentry-ha-redesign
> Reporter: Vamsee Yarlagadda
> Assignee: Na Li
> Priority: Critical
> Labels: sentry-ha
>
> Sasha helped in finding this bug. Looks like dropping a database/table does
> no longer clean up the privileges associated with it.
> This problem is because of:
> https://github.com/apache/sentry/blob/sentry-ha-redesign/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java#L126-L127
> {code}
> final HiveConf hiveConf = new HiveConf();
> hiveInstance =
> hiveConf.get(HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar());
> {code}
> With the latest redesign, we are only setting this property on Hive's
> (sentry-site.xml) and not on Sentry's (sentry-site.xml).
> So during permission grants, Hive ensures to supply the *server1* for
> permission updates. But when we drop the table/database that has the perms
> attached, it goes through HMSFollower and this code sets the property as NULL
> as sentry-site.xml doesn't have this set. So it attempts to remove
> permissions with NULL server setting and this always returns without deleting
> anything.
> We need to ensure that the corresponding property is set on both (Sentry,
> Hive) sentry-site.xml to ensure referring to proper privileges.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
