[ https://issues.apache.org/jira/browse/SENTRY-2372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16665732#comment-16665732 ]
Hadoop QA commented on SENTRY-2372:
-----------------------------------

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12945818/SENTRY-2372.7.patch against master.

Overall: +1 all checks pass

SUCCESS: all tests passed

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/4204/console

This message is automatically generated.

> SentryStore should not implement grantOptionCheck
> -------------------------------------------------
>
>                 Key: SENTRY-2372
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2372
>             Project: Sentry
>          Issue Type: Improvement
>          Components: Sentry, sentrystore
>    Affects Versions: 2.1.0
>            Reporter: Sergio Peña
>            Assignee: Sergio Peña
>            Priority: Major
>         Attachments: SENTRY-2372.1.patch, SENTRY-2372.2.patch,
> SENTRY-2372.3.patch, SENTRY-2372.4.patch, SENTRY-2372.5.patch,
> SENTRY-2372.6.patch, SENTRY-2372.7.patch
>
>
> During functional testing it was found that SentryStore implementation
> contains logic that enforces sentry rights and depends on cluster-specific
> context. Specifically grantOptionCheck needs to be able to resolve hadoop
> user's groups and sentry admin groups configured on the cluster.
> There are two problems with this:
> # Some backends use SentryStore in a multi-tenant way and does have the
> context that SentryStore expects when it is used in cluster.
> # Security enforcement logic shouldn't be in SentryStore if it is to be
> trusted. Since the backends Sentry API may be stateless the caller has to
> pass request context to such implementation backend together with the
> explicit SentryStore arguments. If the context (e.g. groups) is passed with
> the request the checks become unenforceable since caller controls variables
> on both sides of the comparison.
> The recommendation is to remove {{grantOptionCheck}} and {{SentryStore}} and
> to implement equivalent logic in {{SentryPolicyStoreProcessor}}.

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
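
The second problem in the issue description above, as an added example that is not part of the original message and is not Sentry code: a simplified model of an admin-group check done in a stateless store from request-supplied context, beside the same check done in the request processor from cluster-side state. All class, method, user and group names are hypothetical, and the membership data is constructed.

```java
import java.util.Map;
import java.util.Set;

// Hypothetical names throughout; none of these are Sentry classes or methods.
public class GrantOptionCheckDemo {

    // Constructed sample data: the cluster-side view of group membership
    // and of the configured admin groups.
    static final Map<String, Set<String>> TRUSTED_GROUPS = Map.of(
            "alice", Set.of("analysts"),
            "bob", Set.of("sentry-admins"));
    static final Set<String> ADMIN_GROUPS = Set.of("sentry-admins");

    // Store-side check in a stateless backend: the user's groups and the
    // admin groups both arrive with the request, so the caller supplies
    // both sides of the comparison.
    static boolean storeSideCheck(Set<String> requestGroups,
                                  Set<String> requestAdminGroups) {
        return requestGroups.stream().anyMatch(requestAdminGroups::contains);
    }

    // Processor-side check: only the authenticated user name is taken from
    // the request; groups and admin groups are resolved from state the
    // caller cannot set.
    static boolean processorSideCheck(String authenticatedUser) {
        Set<String> groups =
                TRUSTED_GROUPS.getOrDefault(authenticatedUser, Set.of());
        return groups.stream().anyMatch(ADMIN_GROUPS::contains);
    }

    public static void main(String[] args) {
        // alice is not in an admin group, but the request context says she is.
        Set<String> claimedGroups = Set.of("sentry-admins");
        Set<String> claimedAdminGroups = Set.of("sentry-admins");

        System.out.println("store-side, request-supplied context: "
                + storeSideCheck(claimedGroups, claimedAdminGroups));
        System.out.println("processor-side, alice: "
                + processorSideCheck("alice"));
        System.out.println("processor-side, bob: "
                + processorSideCheck("bob"));
    }
}
```

The store-side result depends only on what the request claims, while the processor-side result depends on membership the server resolved itself.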