[
https://issues.apache.org/jira/browse/SENTRY-769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16238484#comment-16238484
]
Na Li commented on SENTRY-769:
------------------------------
[~spena][~kkalyan] This change is desirable because it gives a direct reason why
authorization fails. Without this change, Thrift calls with empty groups could
generate cryptic error messages whose cause is hard to know, and make debugging
and support much harder.

For example, in
SentryGenericPolicyProcessor.list_sentry_privileges_for_provider(), Sentry
first gets the groups of a user, then gets the role names of the groups found,
then gets the privileges from the role names. Any empty result will cause
authorization to fail. Without throwing an exception when there is no group
associated with the user, it is hard to know right away why authorization fails.

In order to support user-based authorization in the future, we need to check
the roles associated with the user directly even when there is no group
associated with the user.
> [Improve error handling] Make sure groups in
> list_sentry_privileges_for_provider is not empty
> ---------------------------------------------------------------------------------------------
>
> Key: SENTRY-769
> URL: https://issues.apache.org/jira/browse/SENTRY-769
> Project: Sentry
> Issue Type: Bug
> Reporter: Sravya Tirukkovalur
> Assignee: Colin Ma
> Priority: Major
> Fix For: 1.7.0
>
> Attachments: SENTRY-769.001.patch, SENTRY-769.002.patch,
> SENTRY-769.003.patch, SENTRY-769.004.patch, SENTRY-769.005.patch,
> SENTRY-769.006.patch, SENTRY-769.007.patch, SENTRY-769.008.patch,
> SENTRY-769.009.patch
>
>
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
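
The groups -> roles -> privileges lookup described in the comment above, as an added Java example that is not Sentry code and not part of the original message. The class, method and exception names and the sample mappings are hypothetical and constructed for illustration; the point is that failing at the first empty stage names the cause instead of returning an empty privilege set.

```java
import java.util.*;

// Added illustration; all names here are hypothetical, not Sentry's API.
public class PrivilegeLookupDemo {
    static class LookupException extends Exception {
        LookupException(String msg) { super(msg); }
    }

    // Constructed sample data standing in for the group mapping and policy store.
    static final Map<String, Set<String>> USER_GROUPS = Map.of(
        "alice", Set.of("analysts"),
        "bob", Set.of("interns"),
        "carol", Set.of());
    static final Map<String, Set<String>> GROUP_ROLES = Map.of(
        "analysts", Set.of("read_role"));
    static final Map<String, Set<String>> ROLE_PRIVILEGES = Map.of(
        "read_role", Set.of("db=sales->action=select"));

    static Set<String> listPrivileges(String user) throws LookupException {
        // Stage 1: user -> groups. An empty result is reported as such.
        Set<String> groups = USER_GROUPS.getOrDefault(user, Set.of());
        if (groups.isEmpty()) {
            throw new LookupException("no groups found for user '" + user + "'");
        }
        // Stage 2: groups -> role names. A different message for a different cause.
        Set<String> roles = new TreeSet<>();
        for (String g : groups) roles.addAll(GROUP_ROLES.getOrDefault(g, Set.of()));
        if (roles.isEmpty()) {
            throw new LookupException("groups " + new TreeSet<>(groups)
                + " of user '" + user + "' have no roles");
        }
        // Stage 3: role names -> privileges.
        Set<String> privileges = new TreeSet<>();
        for (String r : roles) privileges.addAll(ROLE_PRIVILEGES.getOrDefault(r, Set.of()));
        return privileges;
    }

    public static void main(String[] args) {
        for (String user : List.of("alice", "bob", "carol")) {
            try {
                System.out.println(user + " -> " + listPrivileges(user));
            } catch (LookupException e) {
                // Access is denied either way; the message says which stage was empty.
                System.out.println(user + " -> denied: " + e.getMessage());
            }
        }
    }
}
```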