Re: Review Request 69586: SENTRY-2481: Filter HMS server-side objects based on HMS user authorization

2018-12-21 Thread Sergio Pena via Review Board


> On Dec. 20, 2018, 6:07 p.m., Arjun Mishra wrote:
> > Sergio I don't see the binding instantiated with privilege cache. Can you 
> > please implement it? It really speeds up performance. Thoughts?
> > 
> > ===
> > HiveAuthzBinding binding = null;
> > try {
> >   binding = getHiveBindingWithPrivilegeCache(hiveAuthzBinding,
> >       context.getUserName());
> > } catch (SemanticException e) {
> >   // Will use the original hiveAuthzBinding
> >   binding = hiveAuthzBinding;
> > }
> > ===
> 
> Sergio Pena wrote:
> I'm not sure about it. The cache binding is generated on every filter 
> call, so how does the cache perform here?

Thanks for the review. Just FYI. I looked at the cache, and it has more 
overhead if we use the cache in the filter than not using it. The reason is 
that the filter only requires 1 hierarchy permission, and the HiveAuthzBinding 
calls Sentry one per hierarchy. So building a cache will bring more data than 
is required for only one check. We should be safe.


- Sergio


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69586/#review211469
---


On Dec. 20, 2018, 3:45 p.m., Sergio Pena wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69586/
> ---
> 
> (Updated Dec. 20, 2018, 3:45 p.m.)
> 
> 
> Review request for sentry, Arjun Mishra, kalyan kumar kalvagadda, and Na Li.
> 
> 
> Bugs: sentry-2481
> https://issues.apache.org/jira/browse/sentry-2481
> 
> 
> Repository: sentry
> 
> 
> Description
> ---
> 
> Re-use the SentryMetaStoreFilterHook to support HMS server-side object 
> filtering. The SentryMetaStoreFilterHook class was deprecated and not used in 
> the HMS client anymore (replaced by the calls to DefaultSentryValidator). Due 
> to code duplication between SentryMetaStoreFilterHook and 
> DefaultSentryValidator, a new class MetaStoreAuthzObjectFilter is created 
> that accepts different types of objects to be filtered (unit tests are added 
> to verify the cases).
> 
> 
> Diffs
> -
> 
>   .gitignore 6ce3a6c11f6caf743fb00271af2cb4d33a18aa5d 
>   pom.xml f28be5afb7c9673c0b111325d7728381f8c89d2f 
>   
> sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
>  520de52ac3a41d0b4c01b1bdf60944fd44add5e7 
>   
> sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivileges.java
>  c37ce646da97afb2e5c033fb3acf43190a4fae80 
>   
> sentry-binding/sentry-binding-hive-conf/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
>  cd4ae4a8c80b34769c65d4b8b86b2d6ecc78b075 
>   sentry-binding/sentry-binding-hive/pom.xml 
> b74516d70eaf873ef46914e2fbcfe08753bc1be4 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java
>  38ce2db374ee4f46190544479bc0713de2fce420 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/MetastoreAuthzObjectFilter.java
>  PRE-CREATION 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/AuthorizingObjectStore.java
>  92eb1366be44bd53f57e0900634b1cb4eae6470e 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/AuthorizingObjectStoreBase.java
>  d015085c71822c34a3315dc884596acc8ee2421a 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/HiveAuthzBindingFactory.java
>  PRE-CREATION 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/MetastoreAuthzBindingBase.java
>  8ad9e50350a1a45ebdde9d8acb7f039b14a13f41 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryHiveMetaStoreClient.java
>  e30a86050a23a69cb9d613ec3500a1915974ed65 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryMetaStoreFilterHook.java
>  5ecc87f9be36d6096e30de1f3c8697cd2d4da091 
>   
> sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/authz/TestMetastoreAuthzObjectFilter.java
>  PRE-CREATION 
>   
> sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/metastore/TestSentryMetaStoreFilterHook.java
>  PRE-CREATION 
>   
> sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/Subject.java
>  bcd1fa2351f7e7928f5499aa5f86906640f62504 
> 
> 
> Diff: https://reviews.apache.org/r/69586/diff/3/
> 
> 
> Testing
> ---
> 
> 

Re: Review Request 69586: SENTRY-2481: Filter HMS server-side objects based on HMS user authorization

2018-12-20 Thread Arjun Mishra via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69586/#review211479
---


Ship it!




Ship It!

- Arjun Mishra


On Dec. 20, 2018, 3:45 p.m., Sergio Pena wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69586/
> ---
> 
> (Updated Dec. 20, 2018, 3:45 p.m.)
> 
> 
> Review request for sentry, Arjun Mishra, kalyan kumar kalvagadda, and Na Li.
> 
> 
> Bugs: sentry-2481
> https://issues.apache.org/jira/browse/sentry-2481
> 
> 
> Repository: sentry
> 
> 
> Description
> ---
> 
> Re-use the SentryMetaStoreFilterHook to support HMS server-side object 
> filtering. The SentryMetaStoreFilterHook class was deprecated and not used in 
> the HMS client anymore (replaced by the calls to DefaultSentryValidator). Due 
> to code duplication between SentryMetaStoreFilterHook and 
> DefaultSentryValidator, a new class MetaStoreAuthzObjectFilter is created 
> that accepts different types of objects to be filtered (unit tests are added 
> to verify the cases).
> 
> 
> Diffs
> -
> 
>   .gitignore 6ce3a6c11f6caf743fb00271af2cb4d33a18aa5d 
>   pom.xml f28be5afb7c9673c0b111325d7728381f8c89d2f 
>   
> sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
>  520de52ac3a41d0b4c01b1bdf60944fd44add5e7 
>   
> sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivileges.java
>  c37ce646da97afb2e5c033fb3acf43190a4fae80 
>   
> sentry-binding/sentry-binding-hive-conf/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
>  cd4ae4a8c80b34769c65d4b8b86b2d6ecc78b075 
>   sentry-binding/sentry-binding-hive/pom.xml 
> b74516d70eaf873ef46914e2fbcfe08753bc1be4 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java
>  38ce2db374ee4f46190544479bc0713de2fce420 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/MetastoreAuthzObjectFilter.java
>  PRE-CREATION 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/AuthorizingObjectStore.java
>  92eb1366be44bd53f57e0900634b1cb4eae6470e 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/AuthorizingObjectStoreBase.java
>  d015085c71822c34a3315dc884596acc8ee2421a 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/HiveAuthzBindingFactory.java
>  PRE-CREATION 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/MetastoreAuthzBindingBase.java
>  8ad9e50350a1a45ebdde9d8acb7f039b14a13f41 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryHiveMetaStoreClient.java
>  e30a86050a23a69cb9d613ec3500a1915974ed65 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryMetaStoreFilterHook.java
>  5ecc87f9be36d6096e30de1f3c8697cd2d4da091 
>   
> sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/authz/TestMetastoreAuthzObjectFilter.java
>  PRE-CREATION 
>   
> sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/metastore/TestSentryMetaStoreFilterHook.java
>  PRE-CREATION 
>   
> sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/Subject.java
>  bcd1fa2351f7e7928f5499aa5f86906640f62504 
> 
> 
> Diff: https://reviews.apache.org/r/69586/diff/3/
> 
> 
> Testing
> ---
> 
> Added unit tests for the SentryMetaStoreFilterHook.
> 
> 
> Thanks,
> 
> Sergio Pena
> 
>



Re: Review Request 69586: SENTRY-2481: Filter HMS server-side objects based on HMS user authorization

2018-12-20 Thread Sergio Pena via Review Board


> On Dec. 20, 2018, 6:12 p.m., Arjun Mishra wrote:
> > Sergio, seems like we are authorizing one database or one table at a time 
> > and then adding it to the list of filtered entities. Can we authorize them 
> > collectively in a single transaction?

This would be a good idea to improve, but the current code in the 
HiveAuthzBinding.authorize() does not allow doing so. If I pass a list of 
objects to check for authorization, if at least one is denied, then the method 
will throw an AuthorizationException, which is not desired. The Hive binding 
will need to be improved to allow this.


- Sergio


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69586/#review211470
---





Re: Review Request 69586: SENTRY-2481: Filter HMS server-side objects based on HMS user authorization

2018-12-20 Thread Sergio Pena via Review Board


> On Dec. 20, 2018, 6:07 p.m., Arjun Mishra wrote:
> > Sergio I don't see the binding instantiated with privilege cache. Can you 
> > please implement it? It really speeds up performance. Thoughts?
> > 
> > ===
> > HiveAuthzBinding binding = null;
> > try {
> >   binding = getHiveBindingWithPrivilegeCache(hiveAuthzBinding,
> >       context.getUserName());
> > } catch (SemanticException e) {
> >   // Will use the original hiveAuthzBinding
> >   binding = hiveAuthzBinding;
> > }
> > ===

I'm not sure about it. The cache binding is generated on every filter call, so 
how does the cache perform here?


- Sergio


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69586/#review211469
---





Re: Review Request 69586: SENTRY-2481: Filter HMS server-side objects based on HMS user authorization

2018-12-20 Thread Sergio Pena via Review Board


> On Dec. 20, 2018, 6:06 p.m., Arjun Mishra wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/MetastoreAuthzObjectFilter.java
> > Lines 184 (patched)
> > 
> >
> > We should throw an AuthorizationException with message here. Otherwise 
> > the expected privileges won't be printed out on Hive console

Not possible. This filter is for the HMS server, and the denied authorization 
is to let the user know that the object does not exist. The reason is to keep 
users from guessing which objects exist and which do not.


- Sergio


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69586/#review211468
---
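
The two behaviours discussed in this thread (an all-or-nothing authorize call cannot be used to filter a list, and a denied object is hidden rather than reported), as an added Java sketch that is not Sentry's code. The `Binding` class, `DeniedException`, the `filter` method, the user name and the database names are hypothetical stand-ins constructed for the illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Added illustration; every type here is hypothetical, not Sentry's API. */
public class FilterVsAuthorizeDemo {

  /** Stand-in for the authorization failure a binding raises. */
  static class DeniedException extends Exception {
    DeniedException(String message) {
      super(message);
    }
  }

  /** Hypothetical binding: all-or-nothing, throws on the first denied object. */
  static class Binding {
    private final Set<String> granted;
    int calls = 0; // counts authorization round trips

    Binding(String... grantedObjects) {
      this.granted = new HashSet<>(Arrays.asList(grantedObjects));
    }

    void authorize(String user, List<String> objects) throws DeniedException {
      calls++;
      for (String object : objects) {
        if (!granted.contains(object)) {
          // The message names the object, which confirms that it exists.
          throw new DeniedException(user + " lacks privileges on " + object);
        }
      }
    }
  }

  /**
   * Server-side filter: one authorization call per object. A denied object is
   * left out of the result, so it looks the same as an object that does not exist.
   */
  static List<String> filter(Binding binding, String user, List<String> objects) {
    List<String> visible = new ArrayList<>();
    for (String object : objects) {
      try {
        binding.authorize(user, Arrays.asList(object));
        visible.add(object);
      } catch (DeniedException e) {
        // Swallowed on purpose: reporting the denial would confirm the object exists.
      }
    }
    return visible;
  }

  public static void main(String[] args) {
    // Constructed sample: three databases, the user holds privileges on two of them.
    List<String> databases = Arrays.asList("sales", "hr", "finance");
    Binding binding = new Binding("sales", "finance");

    // Passing the whole list at once: a single denial fails the entire call,
    // and the exception text discloses the name of the denied object.
    try {
      binding.authorize("alice", databases);
      System.out.println("batch: every object authorized");
    } catch (DeniedException e) {
      System.out.println("batch: nothing can be listed (" + e.getMessage() + ")");
    }

    // Per-object filtering: the denied database is simply absent from the listing.
    List<String> visible = filter(binding, "alice", databases);
    System.out.println("filtered listing: " + visible);
    System.out.println("authorize() calls so far: " + binding.calls);
  }
}
```

The per-object loop costs one authorization call per listed object, which is the trade-off raised in the batching question earlier in the thread.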





Re: Review Request 69586: SENTRY-2481: Filter HMS server-side objects based on HMS user authorization

2018-12-20 Thread Arjun Mishra via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69586/#review211470
---



Sergio, seems like we are authorizing one database or one table at a time and 
then adding it to the list of filtered entities. Can we authorize them 
collectively in a single transaction?

- Arjun Mishra





Re: Review Request 69586: SENTRY-2481: Filter HMS server-side objects based on HMS user authorization

2018-12-20 Thread Arjun Mishra via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69586/#review211469
---



Sergio I don't see the binding instantiated with privilege cache. Can you 
please implement it? It really speeds up performance. Thoughts?

===
HiveAuthzBinding binding = null;
try {
  binding = getHiveBindingWithPrivilegeCache(hiveAuthzBinding,
      context.getUserName());
} catch (SemanticException e) {
  // Will use the original hiveAuthzBinding
  binding = hiveAuthzBinding;
}
===

- Arjun Mishra





Re: Review Request 69586: SENTRY-2481: Filter HMS server-side objects based on HMS user authorization

2018-12-20 Thread Arjun Mishra via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69586/#review211468
---




sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/MetastoreAuthzObjectFilter.java
Lines 184 (patched)


We should throw an AuthorizationException with message here. Otherwise the 
expected privileges won't be printed out on Hive console


- Arjun Mishra





Re: Review Request 69586: SENTRY-2481: Filter HMS server-side objects based on HMS user authorization

2018-12-20 Thread Sergio Pena via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69586/
---

(Updated Dec. 20, 2018, 3:45 p.m.)


Review request for sentry, Arjun Mishra, kalyan kumar kalvagadda, and Na Li.


Changes
---

Call the new MetastoreAuthzObjectFilter from AuthorizingObjectStore classes.


Bugs: sentry-2481
https://issues.apache.org/jira/browse/sentry-2481


Repository: sentry


Description
---

Re-use the SentryMetaStoreFilterHook to support HMS server-side object 
filtering. The SentryMetaStoreFilterHook class was deprecated and not used in 
the HMS client anymore (replaced by the calls to DefaultSentryValidator). Due 
to code duplication between SentryMetaStoreFilterHook and 
DefaultSentryValidator, a new class MetaStoreAuthzObjectFilter is created that 
accepts different types of objects to be filtered (unit tests are added to 
verify the cases).


Diffs (updated)
---

  .gitignore 6ce3a6c11f6caf743fb00271af2cb4d33a18aa5d
  pom.xml f28be5afb7c9673c0b111325d7728381f8c89d2f
  sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java 520de52ac3a41d0b4c01b1bdf60944fd44add5e7
  sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivileges.java c37ce646da97afb2e5c033fb3acf43190a4fae80
  sentry-binding/sentry-binding-hive-conf/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java cd4ae4a8c80b34769c65d4b8b86b2d6ecc78b075
  sentry-binding/sentry-binding-hive/pom.xml b74516d70eaf873ef46914e2fbcfe08753bc1be4
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java 38ce2db374ee4f46190544479bc0713de2fce420
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/MetastoreAuthzObjectFilter.java PRE-CREATION
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/AuthorizingObjectStore.java 92eb1366be44bd53f57e0900634b1cb4eae6470e
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/AuthorizingObjectStoreBase.java d015085c71822c34a3315dc884596acc8ee2421a
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/HiveAuthzBindingFactory.java PRE-CREATION
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/MetastoreAuthzBindingBase.java 8ad9e50350a1a45ebdde9d8acb7f039b14a13f41
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryHiveMetaStoreClient.java e30a86050a23a69cb9d613ec3500a1915974ed65
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryMetaStoreFilterHook.java 5ecc87f9be36d6096e30de1f3c8697cd2d4da091
  sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/authz/TestMetastoreAuthzObjectFilter.java PRE-CREATION
  sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/metastore/TestSentryMetaStoreFilterHook.java PRE-CREATION
  sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/Subject.java bcd1fa2351f7e7928f5499aa5f86906640f62504


Diff: https://reviews.apache.org/r/69586/diff/3/

Changes: https://reviews.apache.org/r/69586/diff/2-3/


Testing
---

Added unit tests for the SentryMetaStoreFilterHook.


Thanks,

Sergio Pena



Re: Review Request 69586: SENTRY-2481: Filter HMS server-side objects based on HMS user authorization

2018-12-19 Thread Na Li via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69586/#review211441
---


Ship it!

- Na Li





Re: Review Request 69586: SENTRY-2481: Filter HMS server-side objects based on HMS user authorization

2018-12-19 Thread Sergio Pena via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69586/
---

(Updated Dec. 19, 2018, 3:24 p.m.)


Review request for sentry, Arjun Mishra, kalyan kumar kalvagadda, and Na Li.


Changes
---

Addressed lina's feedback.


Bugs: sentry-2481
https://issues.apache.org/jira/browse/sentry-2481


Repository: sentry


Description
---

Re-use the SentryMetaStoreFilterHook to support HMS server-side object 
filtering. The SentryMetaStoreFilterHook class was deprecated and not used in 
the HMS client anymore (replaced by the calls to DefaultSentryValidator). Due 
to code duplication between SentryMetaStoreFilterHook and 
DefaultSentryValidator, a new class MetaStoreAuthzObjectFilter is created that 
accepts different types of objects to be filtered (unit tests are added to 
verify the cases).


Diffs (updated)
---

  .gitignore 6ce3a6c11f6caf743fb00271af2cb4d33a18aa5d
  pom.xml f28be5afb7c9673c0b111325d7728381f8c89d2f
  sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java 520de52ac3a41d0b4c01b1bdf60944fd44add5e7
  sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivileges.java c37ce646da97afb2e5c033fb3acf43190a4fae80
  sentry-binding/sentry-binding-hive-conf/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java cd4ae4a8c80b34769c65d4b8b86b2d6ecc78b075
  sentry-binding/sentry-binding-hive/pom.xml b74516d70eaf873ef46914e2fbcfe08753bc1be4
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java 38ce2db374ee4f46190544479bc0713de2fce420
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/MetastoreAuthzObjectFilter.java PRE-CREATION
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/HiveAuthzBindingFactory.java PRE-CREATION
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/MetastoreAuthzBindingBase.java 8ad9e50350a1a45ebdde9d8acb7f039b14a13f41
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryMetaStoreFilterHook.java 5ecc87f9be36d6096e30de1f3c8697cd2d4da091
  sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/authz/TestMetastoreAuthzObjectFilter.java PRE-CREATION
  sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/metastore/TestSentryMetaStoreFilterHook.java PRE-CREATION


Diff: https://reviews.apache.org/r/69586/diff/2/

Changes: https://reviews.apache.org/r/69586/diff/1-2/


Testing
---

Added unit tests for the SentryMetaStoreFilterHook.


Thanks,

Sergio Pena



Re: Review Request 69586: SENTRY-2481: Filter HMS server-side objects based on HMS user authorization

2018-12-19 Thread Sergio Pena via Review Board


> On Dec. 18, 2018, 7:52 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java
> > Lines 67 (patched)
> > 
> >
> > If the object is not a table, then this would be wrong. Is there a type 
> > field to check it is indeed a table?

Good catch. I don't think it is necessary to check if it is a table or not 
because the code will never call the filterTable with an object that is not a 
table, but it would be good to check just in case. I found that getType() 
returns the type of the object.


> On Dec. 18, 2018, 7:52 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryMetaStoreFilterHook.java
> > Lines 115 (patched)
> > 
> >
> > Should we keep the username case? See 
> > https://issues.apache.org/jira/browse/SENTRY-2432

True.


- Sergio


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69586/#review211412
---
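
The two review points in the reply above (check the object type before treating it as a table, and keep the user name's case) shown in one filter. This is an added example, not code from the patch or from Sentry: every class and method name is hypothetical, and it assumes a policy store that matches user names exactly.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added illustration: all class and method names are hypothetical, not Sentry's API.
public class TableFilterExample {

  enum ObjectType { DATABASE, TABLE }

  static final class MetaObject {
    final ObjectType type;
    final String db;
    final String table; // null when the object is a database

    MetaObject(ObjectType type, String db, String table) {
      this.type = type;
      this.db = db;
      this.table = table;
    }
  }

  // Stand-in for the policy lookup. Assumption: user names are matched exactly.
  static final class Policy {
    private final Set<List<String>> selectGrants = new HashSet<>();

    void grantSelect(String user, String db, String table) {
      selectGrants.add(Arrays.asList(user, db, table));
    }

    boolean canSelect(String user, String db, String table) {
      return selectGrants.contains(Arrays.asList(user, db, table));
    }
  }

  // Returns only the tables the user is allowed to see.
  static List<MetaObject> filterTables(Policy policy, String userName, List<MetaObject> objects) {
    List<MetaObject> visible = new ArrayList<>();
    for (MetaObject o : objects) {
      // Type guard: a table-level check on a non-table object would be wrong,
      // so anything that is not a TABLE is dropped (fail closed).
      if (o.type != ObjectType.TABLE) {
        continue;
      }
      // The caller's name is used as received, with no case folding.
      if (policy.canSelect(userName, o.db, o.table)) {
        visible.add(o);
      }
    }
    return visible;
  }

  public static void main(String[] args) {
    Policy policy = new Policy();
    policy.grantSelect("Alice", "sales", "orders"); // constructed sample grant

    // Constructed sample input: two tables and one database object.
    List<MetaObject> objects = Arrays.asList(
        new MetaObject(ObjectType.TABLE, "sales", "orders"),
        new MetaObject(ObjectType.TABLE, "sales", "payroll"),
        new MetaObject(ObjectType.DATABASE, "sales", null));

    for (String user : new String[] {"Alice", "alice"}) {
      StringBuilder names = new StringBuilder();
      for (MetaObject o : filterTables(policy, user, objects)) {
        names.append(o.db).append('.').append(o.table).append(' ');
      }
      System.out.println(user + " sees: " + names.toString().trim());
    }
  }
}
```

Running it with the two spellings of the user name shows that folding the case before the lookup would change which grants apply, and the database object never reaches the table check.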





Re: Review Request 69586: SENTRY-2481: Filter HMS server-side objects based on HMS user authorization

2018-12-18 Thread Na Li via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69586/#review211412
---




sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java
Lines 67 (patched)


If the object is not a table, then this would be wrong. Is there a type 
field to check it is indeed a table?



sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryMetaStoreFilterHook.java
Lines 115 (patched)


Should we keep the username case? See 
https://issues.apache.org/jira/browse/SENTRY-2432


- Na Li





Review Request 69586: SENTRY-2481: Filter HMS server-side objects based on HMS user authorization

2018-12-18 Thread Sergio Pena via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69586/
---

Review request for sentry, Arjun Mishra, kalyan kumar kalvagadda, and Na Li.


Bugs: sentry-2481
https://issues.apache.org/jira/browse/sentry-2481


Repository: sentry


Description
---

Re-use the SentryMetaStoreFilterHook to support HMS server-side object 
filtering. The SentryMetaStoreFilterHook class was deprecated and not used in 
the HMS client anymore (replaced by the calls to DefaultSentryValidator). Due 
to code duplication between SentryMetaStoreFilterHook and 
DefaultSentryValidator, a new class MetaStoreAuthzObjectFilter is created that 
accepts different types of objects to be filtered (unit tests are added to 
verify the cases).


Diffs
---

  .gitignore 6ce3a6c11f6caf743fb00271af2cb4d33a18aa5d
  pom.xml f28be5afb7c9673c0b111325d7728381f8c89d2f
  sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java 520de52ac3a41d0b4c01b1bdf60944fd44add5e7
  sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivileges.java c37ce646da97afb2e5c033fb3acf43190a4fae80
  sentry-binding/sentry-binding-hive-conf/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java cd4ae4a8c80b34769c65d4b8b86b2d6ecc78b075
  sentry-binding/sentry-binding-hive/pom.xml b74516d70eaf873ef46914e2fbcfe08753bc1be4
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java 38ce2db374ee4f46190544479bc0713de2fce420
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/MetastoreAuthzObjectFilter.java PRE-CREATION
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/HiveAuthzBindingFactory.java PRE-CREATION
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/MetastoreAuthzBindingBase.java 8ad9e50350a1a45ebdde9d8acb7f039b14a13f41
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/SentryMetaStoreFilterHook.java 5ecc87f9be36d6096e30de1f3c8697cd2d4da091
  sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/authz/TestMetastoreAuthzObjectFilter.java PRE-CREATION
  sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/metastore/TestSentryMetaStoreFilterHook.java PRE-CREATION


Diff: https://reviews.apache.org/r/69586/diff/1/


Testing
---

Added unit tests for the SentryMetaStoreFilterHook.


Thanks,

Sergio Pena