Re: Compatible Sentry version to Hive 2.3

2018-08-14 Thread Guang Yang 
Oh btw, is Sentry 2.0 compatible with Hive 1.1.0? If not, what's the latest
version compatible with Hive 1.1.0?

Thanks,
Guang

On Fri, Aug 10, 2018 at 11:26 AM, Guang Yang  wrote:

> Awesome! Thanks Sergio!
>
> On Fri, Aug 10, 2018 at 11:21 AM, Sergio Pena  invalid> wrote:
>
>> Hey Guang,
>>
>> Sentry 2.0 is the latest version compatible with Hive 2.3.2.
>>
>> - Sergio
>>
>> On Fri, Aug 10, 2018 at 12:21 PM Guang Yang 
>> wrote:
>>
>> > Hi guys,
>> >
>> > We're using Sentry currently, but it's a very old version 1.5.1. So we
>> plan
>> > to upgrade to the latest version. I know there is a dependency with
>> Hive,
>> > so what's the latest Sentry version compatible to Hive 2.3?
>> >
>> > Thanks,
>> > Guang
>> >
>>
>
>

Sentry and Presto

2018-08-14 Thread Matt Fuller 
Hello --

I am building a Sentry Plugin for Presto. But was curious if one could
simply leverage the HDFS-Sentry plugin and have that sync with the Hive
Metastore (
https://www.cloudera.com/documentation/enterprise/latest/topics/sg_hdfs_sentry_sync.html)
because Presto uses the objects defined in the Hive Metastore. This would
seem like a decent work around until a Presto plugin is fully functioning.

It seems that Spark SQL works this way. Whereas Hive and Impala have their
own plugins. So it seems I could simply do the same as Spark SQL for
Presto.

The disadvantages to using the HDFS-Sentry plugin would be that it likely
does not support column access control nor could I view or manage the
Sentry permissions from Presto. Which I'm assuming Spark SQL has the same
limitations.

Could someone confirm my understanding? Or correct me if I am wrong here?

Thank you.

Re: VOTE] Release Sentry version 2.0.1

2018-08-14 Thread Na Li 
+1

On Tue, Aug 14, 2018 at 2:58 PM, Kalyan Kumar Kalvagadda <
kkal...@cloudera.com.invalid> wrote:

> Hello all,
>
>
> This is the release of Apache Sentry, version 2.0.1.
>
> It fixes the following issues:
> *https://issues.apache.org/jira/projects/SENTRY/versions/12343306
> *
>
> Maven artifacts are available
> here:https://repository.apache.org/content/repositories/orgapachesentry-
> 1012/
>   >
>
>
> Tag to be voted on
> *https://git-wip-us.apache.org/repos/asf/sentry/?p=
> sentry.git;a=tag;h=refs/tags/release-2.0.
>  sentry.git;a=tag;h=refs/tags/release-2.0.0>1*
>
> Sentry's KEYS containing the PGP key we used to sign the release:
> http://www.apache.org/dist/sentry/KEYS
>
>  we are voting on the source:tag=release-2.0.1, SHA=
> a8954b221945154a43dd2a3180de909555310f85
>  (You can get the hash of the tag by doing "git rev-list release-2.0.1 |
> head -n 1" )
>
> Vote will be open for 72 hours.
>
> [ ] +1 approve
> [ ] +0 no opinion
> [ ] -1 disapprove (and reason why)
>
> Thanks,
> Kalyan
>

VOTE] Release Sentry version 2.0.1

2018-08-14 Thread Kalyan Kumar Kalvagadda 
Hello all,


This is the release of Apache Sentry, version 2.0.1.

It fixes the following issues:
*https://issues.apache.org/jira/projects/SENTRY/versions/12343306
*

Maven artifacts are available
here:https://repository.apache.org/content/repositories/orgapachesentry-1012/
 


Tag to be voted on
*https://git-wip-us.apache.org/repos/asf/sentry/?p=sentry.git;a=tag;h=refs/tags/release-2.0.
1*

Sentry's KEYS containing the PGP key we used to sign the release:
http://www.apache.org/dist/sentry/KEYS

 we are voting on the source:tag=release-2.0.1, SHA=
a8954b221945154a43dd2a3180de909555310f85
 (You can get the hash of the tag by doing "git rev-list release-2.0.1 |
head -n 1" )

Vote will be open for 72 hours.

[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove (and reason why)

Thanks,
Kalyan

Re: Review Request 68332: SENTRY-2352: User roles with ALTER on a table can not show or describe the table on which they have ALTER

2018-08-14 Thread Na Li via Review Board 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68332/#review207247
---


Ship it!




Ship It!

- Na Li


On Aug. 13, 2018, 10:49 p.m., Sergio Pena wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68332/
> ---
> 
> (Updated Aug. 13, 2018, 10:49 p.m.)
> 
> 
> Review request for sentry, Arjun Mishra, kalyan kumar kalvagadda, and Na Li.
> 
> 
> Bugs: sentry-2352
> https://issues.apache.org/jira/browse/sentry-2352
> 
> 
> Repository: sentry
> 
> 
> Description
> ---
> 
> Added the following matrix of privileges on the DESCRIBE TABLE and SHOW 
> TABLES:
> 
> DESCRIBE table allowed and not allowed privileges:
> 
>   { null,  NOT_ALLOWED }, // Means no privileges
>   { DBModelAction.ALL, ALLOWED },
>   { DBModelAction.CREATE,  NOT_ALLOWED },
>   { DBModelAction.SELECT,  ALLOWED },
>   { DBModelAction.INSERT,  ALLOWED },
>   { DBModelAction.ALTER,   ALLOWED },
>   { DBModelAction.DROP,NOT_ALLOWED },
>   { DBModelAction.INDEX,   NOT_ALLOWED },
>   { DBModelAction.LOCK,NOT_ALLOWED },
>   
> SHOW TABLES allowed and not allowed privileges:
> 
>   { null,  NOT_ALLOWED }, // Means no privileges
>   { DBModelAction.ALL, ALLOWED },
>   { DBModelAction.CREATE,  NOT_ALLOWED },
>   { DBModelAction.SELECT,  ALLOWED },
>   { DBModelAction.INSERT,  ALLOWED },
>   { DBModelAction.ALTER,   ALLOWED },
>   { DBModelAction.DROP,ALLOWED },
>   { DBModelAction.INDEX,   ALLOWED },
>   { DBModelAction.LOCK,ALLOWED },
> 
> 
> Diffs
> -
> 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java
>  1ab5be35dcb7991f723c0bb885ed2a15c6f5873a 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
>  447deaf5831675257be1bbb05934a1ab4826fe9e 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
>  78742fdacd72531eed4a7dde86871a57cf54493b 
>   
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDescribeMetadataPrivileges.java
>  PRE-CREATION 
>   
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestShowMetadataPrivileges.java
>  PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/68332/diff/1/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> Sergio Pena
> 
>

Re: Review Request 68332: SENTRY-2352: User roles with ALTER on a table can not show or describe the table on which they have ALTER

2018-08-14 Thread Sergio Pena via Review Board 


> On Aug. 13, 2018, 11:25 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
> > Line 104 (original), 104 (patched)
> > 
> >
> > does Alter apply to column?

Yes, a user with ALTER privileges should be able to view column metadata. ALTER 
Is used to change column names, add columns ,etc; so they need to be able to 
see what they can change.


> On Aug. 13, 2018, 11:25 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
> > Lines 177 (patched)
> > 
> >
> > should Drop be included as well?

I don't see a need for a user with DROP privileges to be able to view the 
column names and the rest of the table metadata. If a user has DROP privileges, 
then they should only see the table with the SHOW TABLES.


- Sergio


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68332/#review207179
---


On Aug. 13, 2018, 10:49 p.m., Sergio Pena wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68332/
> ---
> 
> (Updated Aug. 13, 2018, 10:49 p.m.)
> 
> 
> Review request for sentry, Arjun Mishra, kalyan kumar kalvagadda, and Na Li.
> 
> 
> Bugs: sentry-2352
> https://issues.apache.org/jira/browse/sentry-2352
> 
> 
> Repository: sentry
> 
> 
> Description
> ---
> 
> Added the following matrix of privileges on the DESCRIBE TABLE and SHOW 
> TABLES:
> 
> DESCRIBE table allowed and not allowed privileges:
> 
>   { null,  NOT_ALLOWED }, // Means no privileges
>   { DBModelAction.ALL, ALLOWED },
>   { DBModelAction.CREATE,  NOT_ALLOWED },
>   { DBModelAction.SELECT,  ALLOWED },
>   { DBModelAction.INSERT,  ALLOWED },
>   { DBModelAction.ALTER,   ALLOWED },
>   { DBModelAction.DROP,NOT_ALLOWED },
>   { DBModelAction.INDEX,   NOT_ALLOWED },
>   { DBModelAction.LOCK,NOT_ALLOWED },
>   
> SHOW TABLES allowed and not allowed privileges:
> 
>   { null,  NOT_ALLOWED }, // Means no privileges
>   { DBModelAction.ALL, ALLOWED },
>   { DBModelAction.CREATE,  NOT_ALLOWED },
>   { DBModelAction.SELECT,  ALLOWED },
>   { DBModelAction.INSERT,  ALLOWED },
>   { DBModelAction.ALTER,   ALLOWED },
>   { DBModelAction.DROP,ALLOWED },
>   { DBModelAction.INDEX,   ALLOWED },
>   { DBModelAction.LOCK,ALLOWED },
> 
> 
> Diffs
> -
> 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java
>  1ab5be35dcb7991f723c0bb885ed2a15c6f5873a 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
>  447deaf5831675257be1bbb05934a1ab4826fe9e 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
>  78742fdacd72531eed4a7dde86871a57cf54493b 
>   
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDescribeMetadataPrivileges.java
>  PRE-CREATION 
>   
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestShowMetadataPrivileges.java
>  PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/68332/diff/1/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> Sergio Pena
> 
>