[
https://issues.apache.org/jira/browse/SENTRY-2178?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Hrishikesh Gadre updated SENTRY-2178:
-------------------------------------
Description:
SENTRY-1480 implemented a command-line tool to migrate Sentry permissions from
1.x to 2.x. During upgrade testing I found a bug in the migration process where
the pre-upgrade permissions are deleted. Specifically following permission was
configured on Sentry v1
{noformat}
collection=*->action=*
{noformat}
After the migration, following permissions were available on Sentry service
{noformat}
admin=collections->action=*
admin=cores->action=*
{noformat}
Note that the original permission is missing. From the following log snippet of
Sentry service, it looks like the original permission was incorrectly revoked.
{noformat}
2018-03-08 21:40:20,856 INFO DataNucleus.Datastore: Collection field
"org.apache.sentry.provider.db.service.model.MSentryRole.gmPrivileges" of
"org.apache.sentry.provider.db.service.model.MSentryRole@4dc76fa5" was asked to
add element "MSentryGMPrivilege [serverName=service1, componentName=solr,
authorizables=Admin=collections, scope=Admin, action=*, roles=[...],
createTime=1520574020823, grantOption=false]" to the M-N bidirectional relation
but the element already has this field in its collection (maybe added from the
other side)
2018-03-08 21:40:20,997 INFO sentry.generic.authorization.ddl.logger:
\{"serviceName":"Sentry-Service","userName":"solr","impersonator":"[email protected]","ipAddress":"/172.31.117.188","operation":"GRANT_PRIVILEGE","eventTime":"1520574020991","operationText":"GRANT
ALL ON Admin collections TO ROLE solr-admin ON COMPONENT
SOLR","allowed":"true","databaseName":null,"tableName":null,"column":null,"resourcePath":null,"objectType":"PRINCIPAL"}
2018-03-08 21:40:21,015 INFO DataNucleus.Datastore: Collection field
"org.apache.sentry.provider.db.service.model.MSentryRole.gmPrivileges" of
"org.apache.sentry.provider.db.service.model.MSentryRole@46f3fe41" was asked to
add element "MSentryGMPrivilege [serverName=service1, componentName=solr,
authorizables=Admin=cores, scope=Admin, action=*, roles=[...],
createTime=1520574021011, grantOption=false]" to the M-N bidirectional relation
but the element already has this field in its collection (maybe added from the
other side)
2018-03-08 21:40:21,022 INFO sentry.generic.authorization.ddl.logger:
\{"serviceName":"Sentry-Service","userName":"solr","impersonator":"[email protected]","ipAddress":"/172.31.117.188","operation":"GRANT_PRIVILEGE","eventTime":"1520574021022","operationText":"GRANT
ALL ON Admin cores TO ROLE solr-admin ON COMPONENT
SOLR","allowed":"true","databaseName":null,"tableName":null,"column":null,"resourcePath":null,"objectType":"PRINCIPAL"}
2018-03-08 21:40:21,035 INFO sentry.generic.authorization.ddl.logger:
\{"serviceName":"Sentry-Service","userName":"solr","impersonator":"[email protected]","ipAddress":"/172.31.117.188","operation":"GRANT_PRIVILEGE","eventTime":"1520574021035","operationText":"GRANT
ALL ON Collection * TO ROLE solr-admin ON COMPONENT
SOLR","allowed":"true","databaseName":null,"tableName":null,"column":null,"resourcePath":null,"objectType":"PRINCIPAL"}
2018-03-08 21:40:21,080 INFO sentry.generic.authorization.ddl.logger:
\{"serviceName":"Sentry-Service","userName":"solr","impersonator":"[email protected]","ipAddress":"/172.31.117.188","operation":"REVOKE_PRIVILEGE","eventTime":"1520574021080","operationText":"REVOKE
ALL ON Collection * FROM ROLE solr-admin ON COMPONENT
SOLR","allowed":"true","databaseName":null,"tableName":null,"column":null,"resourcePath":null,"objectType":"PRINCIPAL"}
{noformat}
was:
SENTRY-1480 implemented a command-line tool to migrate Sentry permissions from
1.x to 2.x. During upgrade testing I found a bug in the migration process where
the pre-upgrade permissions are deleted. Specifically following permission was
configured on Sentry 2
{noformat}
collection=*->action=*
{noformat}
After the migration, following permissions were available on Sentry service
{noformat}
admin=collections->action=*
admin=cores->action=*
{noformat}
Note that the original permission is missing. From the following log snippet of
Sentry service, it looks like the original permission was incorrectly revoked.
{noformat}
2018-03-08 21:40:20,856 INFO DataNucleus.Datastore: Collection field
"org.apache.sentry.provider.db.service.model.MSentryRole.gmPrivileges" of
"org.apache.sentry.provider.db.service.model.MSentryRole@4dc76fa5" was asked to
add element "MSentryGMPrivilege [serverName=service1, componentName=solr,
authorizables=Admin=collections, scope=Admin, action=*, roles=[...],
createTime=1520574020823, grantOption=false]" to the M-N bidirectional relation
but the element already has this field in its collection (maybe added from the
other side)
2018-03-08 21:40:20,997 INFO sentry.generic.authorization.ddl.logger:
\{"serviceName":"Sentry-Service","userName":"solr","impersonator":"[email protected]","ipAddress":"/172.31.117.188","operation":"GRANT_PRIVILEGE","eventTime":"1520574020991","operationText":"GRANT
ALL ON Admin collections TO ROLE solr-admin ON COMPONENT
SOLR","allowed":"true","databaseName":null,"tableName":null,"column":null,"resourcePath":null,"objectType":"PRINCIPAL"}
2018-03-08 21:40:21,015 INFO DataNucleus.Datastore: Collection field
"org.apache.sentry.provider.db.service.model.MSentryRole.gmPrivileges" of
"org.apache.sentry.provider.db.service.model.MSentryRole@46f3fe41" was asked to
add element "MSentryGMPrivilege [serverName=service1, componentName=solr,
authorizables=Admin=cores, scope=Admin, action=*, roles=[...],
createTime=1520574021011, grantOption=false]" to the M-N bidirectional relation
but the element already has this field in its collection (maybe added from the
other side)
2018-03-08 21:40:21,022 INFO sentry.generic.authorization.ddl.logger:
\{"serviceName":"Sentry-Service","userName":"solr","impersonator":"[email protected]","ipAddress":"/172.31.117.188","operation":"GRANT_PRIVILEGE","eventTime":"1520574021022","operationText":"GRANT
ALL ON Admin cores TO ROLE solr-admin ON COMPONENT
SOLR","allowed":"true","databaseName":null,"tableName":null,"column":null,"resourcePath":null,"objectType":"PRINCIPAL"}
2018-03-08 21:40:21,035 INFO sentry.generic.authorization.ddl.logger:
\{"serviceName":"Sentry-Service","userName":"solr","impersonator":"[email protected]","ipAddress":"/172.31.117.188","operation":"GRANT_PRIVILEGE","eventTime":"1520574021035","operationText":"GRANT
ALL ON Collection * TO ROLE solr-admin ON COMPONENT
SOLR","allowed":"true","databaseName":null,"tableName":null,"column":null,"resourcePath":null,"objectType":"PRINCIPAL"}
2018-03-08 21:40:21,080 INFO sentry.generic.authorization.ddl.logger:
\{"serviceName":"Sentry-Service","userName":"solr","impersonator":"[email protected]","ipAddress":"/172.31.117.188","operation":"REVOKE_PRIVILEGE","eventTime":"1520574021080","operationText":"REVOKE
ALL ON Collection * FROM ROLE solr-admin ON COMPONENT
SOLR","allowed":"true","databaseName":null,"tableName":null,"column":null,"resourcePath":null,"objectType":"PRINCIPAL"}
{noformat}
> Sentry permissions for Solr are deleted as part of migration process
> --------------------------------------------------------------------
>
> Key: SENTRY-2178
> URL: https://issues.apache.org/jira/browse/SENTRY-2178
> Project: Sentry
> Issue Type: Bug
> Components: Solr Plugin
> Affects Versions: 2.0.0
> Reporter: Hrishikesh Gadre
> Assignee: Hrishikesh Gadre
> Priority: Critical
>
> SENTRY-1480 implemented a command-line tool to migrate Sentry permissions
> from 1.x to 2.x. During upgrade testing I found a bug in the migration
> process where the pre-upgrade permissions are deleted. Specifically following
> permission was configured on Sentry v1
> {noformat}
> collection=*->action=*
> {noformat}
> After the migration, following permissions were available on Sentry service
> {noformat}
> admin=collections->action=*
> admin=cores->action=*
> {noformat}
> Note that the original permission is missing. From the following log snippet
> of Sentry service, it looks like the original permission was incorrectly
> revoked.
> {noformat}
> 2018-03-08 21:40:20,856 INFO DataNucleus.Datastore: Collection field
> "org.apache.sentry.provider.db.service.model.MSentryRole.gmPrivileges" of
> "org.apache.sentry.provider.db.service.model.MSentryRole@4dc76fa5" was asked
> to add element "MSentryGMPrivilege [serverName=service1, componentName=solr,
> authorizables=Admin=collections, scope=Admin, action=*, roles=[...],
> createTime=1520574020823, grantOption=false]" to the M-N bidirectional
> relation but the element already has this field in its collection (maybe
> added from the other side)
> 2018-03-08 21:40:20,997 INFO sentry.generic.authorization.ddl.logger:
> \{"serviceName":"Sentry-Service","userName":"solr","impersonator":"[email protected]","ipAddress":"/172.31.117.188","operation":"GRANT_PRIVILEGE","eventTime":"1520574020991","operationText":"GRANT
> ALL ON Admin collections TO ROLE solr-admin ON COMPONENT
> SOLR","allowed":"true","databaseName":null,"tableName":null,"column":null,"resourcePath":null,"objectType":"PRINCIPAL"}
> 2018-03-08 21:40:21,015 INFO DataNucleus.Datastore: Collection field
> "org.apache.sentry.provider.db.service.model.MSentryRole.gmPrivileges" of
> "org.apache.sentry.provider.db.service.model.MSentryRole@46f3fe41" was asked
> to add element "MSentryGMPrivilege [serverName=service1, componentName=solr,
> authorizables=Admin=cores, scope=Admin, action=*, roles=[...],
> createTime=1520574021011, grantOption=false]" to the M-N bidirectional
> relation but the element already has this field in its collection (maybe
> added from the other side)
> 2018-03-08 21:40:21,022 INFO sentry.generic.authorization.ddl.logger:
> \{"serviceName":"Sentry-Service","userName":"solr","impersonator":"[email protected]","ipAddress":"/172.31.117.188","operation":"GRANT_PRIVILEGE","eventTime":"1520574021022","operationText":"GRANT
> ALL ON Admin cores TO ROLE solr-admin ON COMPONENT
> SOLR","allowed":"true","databaseName":null,"tableName":null,"column":null,"resourcePath":null,"objectType":"PRINCIPAL"}
> 2018-03-08 21:40:21,035 INFO sentry.generic.authorization.ddl.logger:
> \{"serviceName":"Sentry-Service","userName":"solr","impersonator":"[email protected]","ipAddress":"/172.31.117.188","operation":"GRANT_PRIVILEGE","eventTime":"1520574021035","operationText":"GRANT
> ALL ON Collection * TO ROLE solr-admin ON COMPONENT
> SOLR","allowed":"true","databaseName":null,"tableName":null,"column":null,"resourcePath":null,"objectType":"PRINCIPAL"}
> 2018-03-08 21:40:21,080 INFO sentry.generic.authorization.ddl.logger:
> \{"serviceName":"Sentry-Service","userName":"solr","impersonator":"[email protected]","ipAddress":"/172.31.117.188","operation":"REVOKE_PRIVILEGE","eventTime":"1520574021080","operationText":"REVOKE
> ALL ON Collection * FROM ROLE solr-admin ON COMPONENT
> SOLR","allowed":"true","databaseName":null,"tableName":null,"column":null,"resourcePath":null,"objectType":"PRINCIPAL"}
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
