Re: Review Request 45859: SENTRY-1120: Show role / privileges info in Sentry Service Webpage

2016-10-06 Thread Li Li

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45859/
---

(Updated Oct. 7, 2016, 12:38 a.m.)


Review request for sentry, Alexander Kolbasov, Anne Yu, Hao Hao, Lenni Kuff, 
and Sravya Tirukkovalur.


Repository: sentry


Description
---

Show role / privileges info in Sentry Service Webpage. Since it is only used 
for debug / test currently, this webpage can be seen only when 
SENTRY_WEB_ADMIN_SERVLET_ENABLED is true.


Diffs (updated)
---

  
sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
 5ec364c460e74d0a9dae8a28c20042360157b8a0 
  
sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAdminServlet.java
 PRE-CREATION 
  
sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
 a42f395270996da345ce49edca909e0438383759 

Diff: https://reviews.apache.org/r/45859/diff/


Testing
---

Already tested in a Kerberos cluster. When sentry.service.web.authentication.type 
is set to KERBEROS, only the SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS can see 
this page. Also this webpage can be seen only when 
SENTRY_WEB_ADMIN_SERVLET_ENABLED is true.


Thanks,

Li Li



Re: Review Request 45859: SENTRY-1120: Show role / privileges info in Sentry Service Webpage

2016-10-06 Thread Li Li


> On Oct. 7, 2016, 12:28 a.m., Alexander Kolbasov wrote:
> > sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAdminServlet.java,
> >  line 92
> > 
> >
> > Since you are going to the trouble of disabling cache it makes sense to 
> > disable it for different browsers and proxies.

I see. Will fix.


- Li


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45859/#review151614
---





Re: Review Request 52526: SENTRY-1477: Sentry clients should retry with another server when they get connection errors

2016-10-06 Thread Li Li

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/52526/
---

(Updated Oct. 7, 2016, 12:30 a.m.)


Review request for sentry, Alexander Kolbasov, Anne Yu, Hao Hao, and Sravya 
Tirukkovalur.


Repository: sentry


Description
---

Add retry logic for non-pool model.


Diffs (updated)
---

  
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
 4f42a51b1449fe15f856ba252103e66383e175d7 
  
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/ThriftUtil.java
 3a96d0b124c00efc99cef256c72c25f5c6168007 
  
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/PoolClientInvocationHandler.java
 842d5cafb06910fcbe6c53002f2101ec5b890a9e 
  
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
 abc3f58d21bb774427a34399b6e9f51a37ba51db 
  
sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/TestPoolClientInvocationHandler.java
 5b0e12bbf12510d8d424aa2b7f51076a913234c5 

Diff: https://reviews.apache.org/r/52526/diff/


Testing (updated)
---

In the non-pool model, for each full retry we will cycle through all available 
sentry servers. Before each full retry, we will shuffle the server list, and 
after each full retry, we will have a small random sleep.


Thanks,

Li Li
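
The retry behaviour described under Testing, sketched as an added example (not the SentryPolicyServiceClientDefaultImpl code from the review). The server names, parameter names and the use of RuntimeException as a stand-in for a connection error are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Random;
import java.util.function.Function;

public class ShuffledRetry {
    /** One full retry tries every server once: shuffle before it, random sleep after it. */
    static <T> T callWithRetry(List<String> servers, int maxFullRetries, int maxSleepMs,
                               Function<String, T> call, Random rnd)
            throws InterruptedException {
        List<String> order = new ArrayList<>(servers); // never reorder the caller's list
        RuntimeException last = null;
        for (int attempt = 0; attempt < maxFullRetries; attempt++) {
            Collections.shuffle(order, rnd); // clients do not all hit the same server first
            for (String server : order) {
                try {
                    return call.apply(server);
                } catch (RuntimeException e) {
                    // Stand-in for a connection error; real code should retry only on
                    // transport failures, not on authorization or application errors.
                    last = e;
                }
            }
            if (attempt < maxFullRetries - 1) {
                // Small random sleep so failing clients do not reconnect in lockstep.
                Thread.sleep(rnd.nextInt(maxSleepMs) + 1);
            }
        }
        throw new IllegalStateException("all servers failed", last);
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed server list: only the third server accepts connections.
        List<String> servers = Arrays.asList("sentry-a.example", "sentry-b.example",
                                             "sentry-c.example");
        List<String> tried = new ArrayList<>();
        String result = callWithRetry(servers, 3, 50, server -> {
            tried.add(server);
            if (!server.startsWith("sentry-c")) {
                throw new RuntimeException("connection refused: " + server);
            }
            return "ok from " + server;
        }, new Random());
        System.out.println(result + " after trying " + tried);
    }
}
```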



Re: Review Request 45859: SENTRY-1120: Show role / privileges info in Sentry Service Webpage

2016-10-06 Thread Alexander Kolbasov

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45859/#review151614
---




sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAdminServlet.java
 (line 92)


Since you are going to the trouble of disabling cache it makes sense to 
disable it for different browsers and proxies.


- Alexander Kolbasov
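
The reviewer's point about covering different browsers and proxies, as an added example (not the SentryAdminServlet code under review, which is not shown in this thread). The header combination is a commonly used one and the class and method names are hypothetical; in a servlet the setter would be response::setHeader.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.BiConsumer;

public class NoCacheHeaders {
    /** Sets the headers through any setter, e.g. response::setHeader in a servlet. */
    static void apply(BiConsumer<String, String> setHeader) {
        // HTTP/1.1 browsers and shared proxies: do not store, always revalidate.
        setHeader.accept("Cache-Control", "no-cache, no-store, must-revalidate");
        // HTTP/1.0 clients and proxies do not understand Cache-Control.
        setHeader.accept("Pragma", "no-cache");
        // An invalid date such as 0 is treated as already expired.
        setHeader.accept("Expires", "0");
    }

    /** Returns the protections a response lacks; an empty list means all are present. */
    static List<String> missing(Map<String, String> headers) {
        List<String> gaps = new ArrayList<>();
        String cacheControl = headers.getOrDefault("Cache-Control", "").toLowerCase();
        for (String directive : new String[] {"no-store", "no-cache", "must-revalidate"}) {
            if (!cacheControl.contains(directive)) {
                gaps.add("Cache-Control: " + directive);
            }
        }
        if (!"no-cache".equalsIgnoreCase(headers.get("Pragma"))) {
            gaps.add("Pragma: no-cache");
        }
        if (!"0".equals(headers.get("Expires"))) {
            gaps.add("Expires: 0");
        }
        return gaps;
    }

    public static void main(String[] args) {
        // Constructed response that disables caching for HTTP/1.1 revalidation only.
        Map<String, String> partial = new LinkedHashMap<>();
        partial.put("Cache-Control", "no-cache");
        System.out.println("partial response lacks: " + missing(partial));

        Map<String, String> full = new LinkedHashMap<>();
        apply(full::put);
        System.out.println("full response lacks: " + missing(full));
    }
}
```

The missing() check can be run against captured response headers in a test to confirm that a page exposing role and privilege data is not left in a browser or proxy cache.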





Re: Review Request 45859: SENTRY-1120: Show role / privileges info in Sentry Service Webpage

2016-10-06 Thread Li Li

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45859/
---

(Updated Oct. 7, 2016, 12:26 a.m.)


Review request for sentry, Alexander Kolbasov, Anne Yu, Hao Hao, Lenni Kuff, 
and Sravya Tirukkovalur.


Repository: sentry


Description
---

Show role / privileges info in Sentry Service Webpage. Since it is only used 
for debug / test currently, this webpage can be seen only when 
SENTRY_WEB_ADMIN_SERVLET_ENABLED is true.


Diffs (updated)
---

  
sentry-service/sentry-service-common/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
 5ec364c460e74d0a9dae8a28c20042360157b8a0 
  
sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAdminServlet.java
 PRE-CREATION 
  
sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryWebServer.java
 a42f395270996da345ce49edca909e0438383759 

Diff: https://reviews.apache.org/r/45859/diff/


Testing
---

Already tested in a Kerberos cluster. When sentry.service.web.authentication.type 
is set to KERBEROS, only the SENTRY_WEB_SECURITY_ALLOW_CONNECT_USERS can see 
this page. Also this webpage can be seen only when 
SENTRY_WEB_ADMIN_SERVLET_ENABLED is true.


Thanks,

Li Li



Re: Review Request 52138: SENTRY-1463: Ensure HMS point-in-time snapshot consistency

2016-10-06 Thread Hao Hao

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/52138/
---

(Updated Oct. 6, 2016, 10:22 p.m.)


Review request for sentry, Alexander Kolbasov, Anne Yu, Li Li, and Sravya 
Tirukkovalur.


Repository: sentry


Description
---

SENTRY-1463: Ensure HMS point-in-time snapshot consistency

The implemented logic is:
1. Read current HMS notification ID_initial
2. Read HMS metadata state
3. Read current notification ID_new
4. If ID_initial != ID_new then discard the current state and goto 1.
 
Use configurable property: sentry.hms.snapshot.retries.max.count for max number 
of retries.

Change-Id: I7590076b875bd97b2fb340008926ea5995896d72


Diffs (updated)
---

  
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java
 89892924839df8058ea82e7819973d576420f578 
  
sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
 9e9358b8bdcfb4177d0320da26739d990d287f09 

Diff: https://reviews.apache.org/r/52138/diff/


Testing
---


Thanks,

Hao Hao
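
The four steps in the description, sketched as an added example (not the HMSFollower code from the review). The class, the suppliers and the reading of the retry limit as retries after the first attempt are assumptions; the check only catches changes that advance the notification ID.

```java
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.LongSupplier;
import java.util.function.Supplier;

public class ConsistentSnapshot {
    /** A state together with the notification ID it is consistent with. */
    static final class Snapshot<S> {
        final long notificationId;
        final S state;

        Snapshot(long notificationId, S state) {
            this.notificationId = notificationId;
            this.state = state;
        }
    }

    /** Assumption: maxRetries counts retries after the first attempt. */
    static <S> Snapshot<S> take(LongSupplier currentId, Supplier<S> readState, int maxRetries) {
        for (int attempt = 0; attempt <= maxRetries; attempt++) {
            long idInitial = currentId.getAsLong(); // 1. read ID_initial
            S state = readState.get();              // 2. read the metadata state
            long idNew = currentId.getAsLong();     // 3. read ID_new
            if (idInitial == idNew) {
                return new Snapshot<>(idNew, state); // nothing changed during the read
            }
            // 4. IDs differ: the state may mix old and new metadata, so discard it.
        }
        throw new IllegalStateException(
            "no consistent snapshot after " + maxRetries + " retries");
    }

    public static void main(String[] args) {
        AtomicLong id = new AtomicLong(100); // constructed notification counter
        int[] reads = {0};
        Snapshot<String> snap = take(id::get, () -> {
            // Constructed: a concurrent change lands during the first two reads.
            if (reads[0]++ < 2) {
                id.incrementAndGet();
            }
            return "state@" + id.get();
        }, 5);
        System.out.println("id=" + snap.notificationId + " state=" + snap.state
            + " reads=" + reads[0]);
    }
}
```

Failing with an exception once the limit is reached, rather than returning the last state read, keeps a possibly inconsistent snapshot from being used for authorization decisions.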



[DISCUSS] Changing transaction isolation level used by Sentry

2016-10-06 Thread Alexander Kolbasov
I think it is worth some discussion in the list. I think that the default
read-committed isolation level used by Sentry is not sufficient - please
see https://issues.apache.org/jira/browse/SENTRY-1486. So the proposal is
to change it to repeatable-read. Does anyone have objections to it?

- Alex


Re: New User Questions

2016-10-06 Thread Jim Halfpenny
Hi Lewis,
Sentry provides role-based access control for a number of Hadoop services.
It does not provide the full-stack security hardening you are looking for
but it is an important part of the picture. The Cloudera documentation on
Sentry goes a long way to explaining what Sentry is and how it works. If
you'd like to learn more this is a good place to start.

https://www.cloudera.com/documentation/enterprise/5-7-x/topics/sg_sentry_overview.html

Secure mode i.e. Kerberos authentication is essential if you are going to
run Sentry, otherwise users can trivially bypass the access control
provided by Sentry. If you're looking at securing the whole cluster then
there's a lot to consider and you could do worse than to read Hadoop
Security from O'Reilly Books.

http://shop.oreilly.com/product/063692002.do

Regards,
Jim

On Wed, Oct 5, 2016 at 8:04 PM, lewis john mcgibbney 
wrote:

> Hi Folks,
> I've spent the last few nights trying to read through as much of the sentry
> documentation as I can and have a couple of very basic questions
> particularly surrounding my requirement to have a secure Hadoop ecosystem.
> Say for example I want to lock down the entire Hadoop cluster including all
> system ports, WebUI's as well as implementation of security based roles and
> authorization. Is Sentry the tool to use? Do I also need to have configured
> and be running Hadoop in secure mode?
> I appreciate any feedback on this one as it is not immediately obvious
> looking at the Sentry website and documentation (I don't think) if there
> are other options over and above Sentry to make the cluster secure.
> Thanks
> Lewis
>
> --
> http://home.apache.org/~lewismc/
> @hectorMcSpector
> http://www.linkedin.com/in/lmcgibbney
>



-- 
*Jim Halfpenny*
Solutions Architect

*M*   +44 (0) 7793 826085  | jhalfpe...@cloudera.com
Cloudera Inc. | www.cloudera.com