Quanlong Huang has posted comments on this change. ( http://gerrit.cloudera.org:8080/14798 )
Change subject: IMPALA-9149: part 1: Re-enabe Ranger-related FE tests ...................................................................... Patch Set 9: (3 comments) Thanks for addressing the comments! The changes for Ranger ownership are good to me. But it still looks wired to me that we accept so many different behaviors (not relative to ownership) between Sentry and Ranger... If the cause is Ranger-2.0 changes the default policies, can we fix the tests by modifying the policies after we create ranger-hive service in bin/create-test-configuration.sh? For instance, I manually edit the "all - database" policy to remove the "Allow Conditions" of CREATE to "public" group. Then normal users can't create databases. http://gerrit.cloudera.org:8080/#/c/14798/9//COMMIT_MSG Commit Message: http://gerrit.cloudera.org:8080/#/c/14798/9//COMMIT_MSG@22 PS9, Line 22: creating a database is able to do so. Do you know what change(JIRA) of Ranger causes this? Just know that RANGER-2536 causes the first one. I'm confused why Ranger allows everyone to create databases. It looks unacceptable in a production cluster... http://gerrit.cloudera.org:8080/#/c/14798/9/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java File fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java: http://gerrit.cloudera.org:8080/#/c/14798/9/fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java@1168 PS9, Line 1168: AnalysisError(stmt, "Database does not exist: nodb"); AnalysisError is a method of FrontendTestBase (the super class of AuthorizationTestBase). I'm not quite clear whether authorization is turned on when using it... Could you point me to the codes? http://gerrit.cloudera.org:8080/#/c/14798/9/fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java File fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java: http://gerrit.cloudera.org:8080/#/c/14798/9/fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java@177 PS9, Line 177: user_.getName() It can be changed to sentry_user_ too. -- To view, visit http://gerrit.cloudera.org:8080/14798 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I228533aae34b9ac03bdbbcd51a380770ff17c7f2 Gerrit-Change-Number: 14798 Gerrit-PatchSet: 9 Gerrit-Owner: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Kurt Deschler <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]> Gerrit-Comment-Date: Mon, 16 Dec 2019 09:50:35 +0000 Gerrit-HasComments: Yes
