Fang-Yu Rao has posted comments on this change. ( http://gerrit.cloudera.org:8080/16837 )
Change subject: IMPALA-10211 (Part 1): Add support for role-related statements ...................................................................... Patch Set 10: (1 comment) http://gerrit.cloudera.org:8080/#/c/16837/10/tests/authorization/test_ranger.py File tests/authorization/test_ranger.py: http://gerrit.cloudera.org:8080/#/c/16837/10/tests/authorization/test_ranger.py@534 PS10, Line 534: # TODO(IMPALA-10399): We found that if this test is run after : # test_grant_revoke_with_role() in the exhaustive tests, the test could fail due to an : # empty list returned from the first call to _get_ranger_privileges_db() although a : # list consisting of "lock" and "select" is expected. We suspect there might be : # something wrong with the underlying Ranger API but it requires more thorough : # investigation. > Does this mean after this patch, the exhaustive builds will always fail? I Thanks Quanlong for the detailed suggestion! I think the exhaustive tests will still be green after merging this patch. According to the console output at https://jenkins.impala.io/job/pre-review-test/811/console, this patch passes the exhaustive tests. The reason I think is that in this patch I moved the test of test_grant_revoke_with_role() to the bottom of the class TestRanger so that test_grant_revoke_with_role() will be executed after test_show_grant_hive_privilege(). Before changing the relative order between these 2 tests, I was able to reproduce the issue in the exhaustive tests in a private Jenkins environment but not the public pre-review tests at https://jenkins.impala.io/job/pre-review-test/. Specifically, I was only able to reproduce the issue by moving test_grant_revoke_with_role() to a place such that test_grant_revoke_with_role() will be executed before test_show_grant_hive_privilege() in the exhaustive tests in the private Jenkins environment mentioned above. I was not even able to reproduce this issue by only running these 2 tests in that private Jenkins environment. According to our discussion offline, I will try to do the following as you suggested to investigate the issue. 1. Enable ranger audit logs. Ranger can log audits into a HDFS location. We can enable it in our minicluster. 2. Enable debug level ranger logs. DEBUG level logs will contain the request details. -- To view, visit http://gerrit.cloudera.org:8080/16837 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ic2b204e62a1d8ae1932d955b4efc28be22202860 Gerrit-Change-Number: 16837 Gerrit-PatchSet: 10 Gerrit-Owner: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Csaba Ringhofer <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]> Gerrit-Comment-Date: Sun, 20 Dec 2020 19:23:03 +0000 Gerrit-HasComments: Yes
