[jira] [Commented] (SENTRY-2280) The request received in SentryPolicyStoreProcessor.sentry_notify_hms_event is null
[ https://issues.apache.org/jira/browse/SENTRY-2280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16524414#comment-16524414 ]

Hadoop QA commented on SENTRY-2280:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12929279/SENTRY-2280.002.patch against master.

{color:green}Overall:{color} +1 all checks pass

{color:green}SUCCESS:{color} all tests passed

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3931/console

This message is automatically generated.

> The request received in SentryPolicyStoreProcessor.sentry_notify_hms_event is null
> ---
>
> Key: SENTRY-2280
> URL: https://issues.apache.org/jira/browse/SENTRY-2280
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Na Li
> Assignee: Na Li
> Priority: Critical
> Attachments: SENTRY-2280.001.patch, SENTRY-2280.002.patch
>
> When running e2e test TestDbPrivilegeCleanupOnDrop.testRenameTablesWithinDBSinglePrivilege, I found the request received in SentryPolicyStoreProcessor.sentry_notify_hms_event is null
> There are multiple issues in fix from "SENTRY-2243: Extend the thrift definition for policy service to learn owner information"
> 1. The exception was thrown because the protocol_version was not set
> 2. TSentryAuthorizable.server was not set
> 3. TSentryHmsEventNotification.ownerType and ownerName are not set for table rename event
> As a result, the request received by server is null since thrift at server side cannot re-construct a valid request of type TSentryHmsEventNotification
> Once we fix the above issues, we need to make sure SentryPolicyStoreProcessor.sentry_notify_hms_event does not transfer owner in "alter table rename" event.

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2280) The request received in SentryPolicyStoreProcessor.sentry_notify_hms_event is null
[ https://issues.apache.org/jira/browse/SENTRY-2280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Na Li updated SENTRY-2280: -- Attachment: SENTRY-2280.002.patch
[jira] [Commented] (SENTRY-2282) Remove hive-authzv2 binding and tests modules completely
[ https://issues.apache.org/jira/browse/SENTRY-2282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16524266#comment-16524266 ]

Hadoop QA commented on SENTRY-2282:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12929241/SENTRY-2282.1.patch against master.

{color:green}Overall:{color} +1 all checks pass

{color:green}SUCCESS:{color} all tests passed

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3929/console

This message is automatically generated.

> Remove hive-authzv2 binding and tests modules completely
>
> Key: SENTRY-2282
> URL: https://issues.apache.org/jira/browse/SENTRY-2282
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Sergio Peña
> Priority: Major
> Attachments: SENTRY-2282.1.patch
>
> Hive authv2 support is already part of the sentry-binding-hive and sentry-tests-hive since Sentry 2.0. However, the hive-authzv2 modules, such as sentry-binding-hive-v2 and sentry-tests-hive-v2 were left in case they were needed, but they are not used anymore.
> We should remove those modules completely.

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SENTRY-2280) The request received in SentryPolicyStoreProcessor.sentry_notify_hms_event is null
[ https://issues.apache.org/jira/browse/SENTRY-2280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16524210#comment-16524210 ]

Hadoop QA commented on SENTRY-2280:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12929251/SENTRY-2280.001.patch against master.

{color:red}Overall:{color} -1 due to 9 errors

{color:red}ERROR:{color} mvn test exited 1
{color:red}ERROR:{color} Failed: org.apache.sentry.binding.metastore.TestSentrySyncHMSNotificationsPostEventListener
{color:red}ERROR:{color} Failed: org.apache.sentry.binding.metastore.TestSentrySyncHMSNotificationsPostEventListener
{color:red}ERROR:{color} Failed: org.apache.sentry.binding.metastore.TestSentrySyncHMSNotificationsPostEventListener
{color:red}ERROR:{color} Failed: org.apache.sentry.binding.metastore.TestSentrySyncHMSNotificationsPostEventListener
{color:red}ERROR:{color} Failed: org.apache.sentry.binding.metastore.TestSentrySyncHMSNotificationsPostEventListener
{color:red}ERROR:{color} Failed: org.apache.sentry.binding.metastore.TestSentrySyncHMSNotificationsPostEventListener
{color:red}ERROR:{color} Failed: org.apache.sentry.binding.metastore.TestSentrySyncHMSNotificationsPostEventListener
{color:red}ERROR:{color} Failed: org.apache.sentry.binding.metastore.TestSentrySyncHMSNotificationsPostEventListener

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3930/console

This message is automatically generated.
[jira] [Updated] (SENTRY-2281) list_privileges_by_user() fails with a JDODetachedFieldAccessException
[ https://issues.apache.org/jira/browse/SENTRY-2281?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergio Peña updated SENTRY-2281:

Resolution: Fixed
Fix Version/s: 2.1.0
Status: Resolved (was: Patch Available)

> list_privileges_by_user() fails with a JDODetachedFieldAccessException
> --
>
> Key: SENTRY-2281
> URL: https://issues.apache.org/jira/browse/SENTRY-2281
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Arjun Mishra
> Priority: Major
> Fix For: 2.1.0
> Attachments: SENTRY-2281.01.patch, SENTRY-2281.02.patch
>
> {noformat}
> Caused by: java.lang.RuntimeException: Unknown error for request: TListSentryPrivilegesByAuthRequest(protocol_version:2, requestorUserName:ubuntu, authorizableSet:[TSentryAuthorizable(server:localhost, db:default, table:t1)], roleSet:TSentryActiveRoleSet(all:true, roles:[]), users:[ubuntu]), message: You have just attempted to access field "users" yet this field was not detached when you detached the object. Either dont access this field, or detach it when detaching the object.. Server Stacktrace: javax.jdo.JDODetachedFieldAccessException: You have just attempted to access field "users" yet this field was not detached when you detached the object. Either dont access this field, or detach it when detaching the object.
>     at org.apache.sentry.provider.db.service.model.MSentryPrivilege.dnGetusers(MSentryPrivilege.java)
>     at org.apache.sentry.provider.db.service.model.MSentryPrivilege.getUsers(MSentryPrivilege.java:186)
>     at org.apache.sentry.provider.db.service.persistent.SentryStore.listSentryPrivilegesByAuthorizableForUser(SentryStore.java:2118)
>     at org.apache.sentry.api.service.thrift.SentryPolicyStoreProcessor.list_sentry_privileges_by_authorizable(SentryPolicyStoreProcessor.java:1166)
>     at org.apache.sentry.api.service.thrift.SentryPolicyService$Processor$list_sentry_privileges_by_authorizable.getResult(SentryPolicyService.java:1677)
>     at org.apache.sentry.api.service.thrift.SentryPolicyService$Processor$list_sentry_privileges_by_authorizable.getResult(SentryPolicyService.java:1662)
>     at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
>     at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
>     at org.apache.sentry.api.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:36)
>     at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
>     at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> {noformat}

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SENTRY-2281) list_privileges_by_user() fails with a JDODetachedFieldAccessException
[ https://issues.apache.org/jira/browse/SENTRY-2281?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16524165#comment-16524165 ] Hadoop QA commented on SENTRY-2281: --- Here are the results of testing the latest attachment https://issues.apache.org/jira/secure/attachment/12929235/SENTRY-2281.02.patch against master. {color:green}Overall:{color} +1 all checks pass {color:green}SUCCESS:{color} all tests passed Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3928/console This message is automatically generated.
[jira] [Updated] (SENTRY-2264) It is possible to elevate privileges from DROP using alter table rename
[ https://issues.apache.org/jira/browse/SENTRY-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Na Li updated SENTRY-2264:
--

Issue Type: Sub-task (was: Bug)
Parent: SENTRY-2151

> It is possible to elevate privileges from DROP using alter table rename
> ---
>
> Key: SENTRY-2264
> URL: https://issues.apache.org/jira/browse/SENTRY-2264
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Na Li
> Assignee: Na Li
> Priority: Major
> Fix For: 2.1.0
> Attachments: SENTRY-2264.001.patch, SENTRY-2264.002.patch, SENTRY-2264.003.patch, SENTRY-2264.004.patch, SENTRY-2264.004.patch
>
> After introducing FGP, a user with only DROP on a database db1 and at least CREATE on db2 can run ALTER TABLE RENAME db1.table1 db2.table2, and thus elevate their privileges.
> To reproduce:
> As admin (e.g. hive):
> 1. Create db1, db1.table1, db2, role r1.
> 2. Grant DROP on db1 to role r1.
> 3. Grant ALL on db2 to role r1
> 4. Grant role r1 to user testuser1.
> As testuser1:
> 1. use db1; alter table db1.table1 rename to db2.table1
> 2. select * from db2.table1
> Result: the select command succeeds.
> Desired behavior:
> we should at least require following privileges to execute the table rename command:
> table level "ALL" at source
> database level "CREATE" at destination.
> The reason we don't require "alter, insert" for destination DB is that "alter" and "insert" is table level privileges and when "alter table rename" command is executed, there is no table in destination DB. So we cannot enforce these table level privileges. Therefore the only change is add table-level "ALL" privilege in required input privileges to avoid elevate privilege by moving table cross DB

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
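
The check described in SENTRY-2264, as an added example that is not part of the original report and is not Sentry code: a simplified privilege model (a database-level grant covers every table in that database, ALL implies every action) showing the rename permitted under the old requirement and rejected once table-level ALL is required at the source. The `Grant` class, the function names and the pre-fix rule (DROP at the source) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Grant:
    """One privilege held by a role. table=None means a database-level grant."""
    action: str                  # "ALL", "DROP", "CREATE", "SELECT", ...
    db: str
    table: Optional[str] = None


def allows(grants: Sequence[Grant], action: str, db: str,
           table: Optional[str] = None) -> bool:
    """True if some grant covers `action` on db (table=None) or on db.table.

    A database-level grant is inherited by every table in the database;
    a table-level grant covers only that table. ALL implies any action,
    and a requirement of ALL is satisfied only by an ALL grant.
    """
    for g in grants:
        if g.db != db:
            continue
        if g.table is not None and g.table != table:
            continue
        if g.action in ("ALL", action):
            return True
    return False


# Requirement for ALTER TABLE ... RENAME, written as
# (action needed on the source table, action needed on the destination database).
PRE_FIX = ("DROP", "CREATE")   # assumption inferred from the report's reproduction
POST_FIX = ("ALL", "CREATE")   # the "Desired behavior" stated in the report

TABLE_ACTIONS = ("SELECT", "INSERT", "ALTER", "DROP")


def rename_outcome(grants: Sequence[Grant], policy: Tuple[str, str],
                   src_db: str, src_table: str,
                   dst_db: str, dst_table: str) -> Tuple[bool, List[str]]:
    """Return (permitted, actions the caller gains on the table by moving it)."""
    src_action, dst_action = policy
    permitted = (allows(grants, src_action, src_db, src_table)
                 and allows(grants, dst_action, dst_db))
    if not permitted:
        return False, []
    # Once moved, the table inherits the caller's grants on the destination database.
    gained = [a for a in TABLE_ACTIONS
              if not allows(grants, a, src_db, src_table)
              and allows(grants, a, dst_db, dst_table)]
    return True, gained


# Constructed grants matching the reproduction steps: role r1, held by testuser1.
R1 = [Grant("DROP", "db1"), Grant("ALL", "db2")]
# Constructed contrast case: a role that already has ALL on the source table.
OWNER = [Grant("ALL", "db1", "table1"), Grant("CREATE", "db2")]

if __name__ == "__main__":
    for label, policy in (("pre-fix", PRE_FIX), ("post-fix", POST_FIX)):
        for name, grants in (("r1", R1), ("owner", OWNER)):
            permitted, gained = rename_outcome(
                grants, policy, "db1", "table1", "db2", "table1")
            print(f"{label:8} {name:5} permitted={permitted} gained={gained}")
```

A non-empty `gained` list on a permitted rename is the elevation the report describes; requiring ALL at the source makes that list empty for every caller that passes the check.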
[jira] [Updated] (SENTRY-2280) The request received in SentryPolicyStoreProcessor.sentry_notify_hms_event is null
[ https://issues.apache.org/jira/browse/SENTRY-2280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Na Li updated SENTRY-2280: -- Issue Type: Sub-task (was: Bug) Parent: SENTRY-2151
[jira] [Created] (SENTRY-2283) Multiple versions of metrics on the classpath causes Sentry to not startup
Steve Moist created SENTRY-2283:
---

Summary: Multiple versions of metrics on the classpath causes Sentry to not startup
Key: SENTRY-2283
URL: https://issues.apache.org/jira/browse/SENTRY-2283
Project: Sentry
Issue Type: Bug
Components: Sentry
Affects Versions: 2.1.0
Reporter: Steve Moist
Assignee: Steve Moist

When starting up Sentry in a cluster that has one or more Hadoop products installed, if there is a 2.x version of metrics-core.jar or metrics-servlet.jar on the classpath, it causes Sentry to fail during startup.

entry-SENTRY_SERVER/sentry-log4j.properties -conffile /var/run/cloudera-scm-agent/process/51-sentry-SENTRY_SERVER/sentry-site.xml
WARNING: log4j.properties is not found. HADOOP_CONF_DIR may be incomplete.
Exception in thread "main" java.lang.NoSuchMethodError: com.codahale.metrics.JmxAttributeGauge.(Ljavax/management/MBeanServerConnection;Ljavax/management/ObjectName;Ljava/lang/String;)V
    at com.codahale.metrics.jvm.BufferPoolMetricSet.getMetrics(BufferPoolMetricSet.java:45)
    at org.apache.sentry.api.service.thrift.SentryMetrics.registerMetricSet(SentryMetrics.java:273)
    at org.apache.sentry.api.service.thrift.SentryMetrics.(SentryMetrics.java:137)
    at org.apache.sentry.api.service.thrift.SentryMetrics.getInstance(SentryMetrics.java:149)
    at org.apache.sentry.provider.db.service.persistent.TransactionManager.(TransactionManager.java:84)
    at org.apache.sentry.provider.db.service.persistent.SentryStore.(SentryStore.java:281)
    at org.apache.sentry.service.thrift.SentryService.(SentryService.java:170)
    at org.apache.sentry.service.thrift.SentryService$CommandImpl.run(SentryService.java:581)
    at org.apache.sentry.SentryMain.main(SentryMain.java:120)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.hadoop.util.RunJar.run(RunJar.java:313)
    at org.apache.hadoop.util.RunJar.main(RunJar.java:227)

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2264) It is possible to elevate privileges from DROP using alter table rename
[ https://issues.apache.org/jira/browse/SENTRY-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Na Li updated SENTRY-2264: -- Fix Version/s: 2.1.0
[jira] [Updated] (SENTRY-2280) The request received in SentryPolicyStoreProcessor.sentry_notify_hms_event is null
[ https://issues.apache.org/jira/browse/SENTRY-2280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Na Li updated SENTRY-2280: -- Status: Patch Available (was: Open)
[jira] [Updated] (SENTRY-2280) The request received in SentryPolicyStoreProcessor.sentry_notify_hms_event is null
[ https://issues.apache.org/jira/browse/SENTRY-2280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Na Li updated SENTRY-2280: -- Attachment: SENTRY-2280.001.patch
[jira] [Created] (SENTRY-2282) Remove hive-authzv2 binding and tests modules completely
Sergio Peña created SENTRY-2282:
---

Summary: Remove hive-authzv2 binding and tests modules completely
Key: SENTRY-2282
URL: https://issues.apache.org/jira/browse/SENTRY-2282
Project: Sentry
Issue Type: Bug
Components: Sentry
Affects Versions: 2.1.0
Reporter: Sergio Peña
Attachments: SENTRY-2282.1.patch

Hive authv2 support is already part of the sentry-binding-hive and sentry-tests-hive since Sentry 2.0. However, the hive-authzv2 modules, such as sentry-binding-hive-v2 and sentry-tests-hive-v2 were left in case they were needed, but they are not used anymore.

We should remove those modules completely.

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2282) Remove hive-authzv2 binding and tests modules completely
[ https://issues.apache.org/jira/browse/SENTRY-2282?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sergio Peña updated SENTRY-2282: Status: Patch Available (was: Open)
[jira] [Assigned] (SENTRY-2282) Remove hive-authzv2 binding and tests modules completely
[ https://issues.apache.org/jira/browse/SENTRY-2282?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sergio Peña reassigned SENTRY-2282: --- Assignee: Sergio Peña
[jira] [Commented] (SENTRY-2273) Create the SHOW GRANT USER task for Hive
[ https://issues.apache.org/jira/browse/SENTRY-2273?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16524099#comment-16524099 ]

Hadoop QA commented on SENTRY-2273:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12929211/SENTRY-2273.03.patch against master.

{color:green}Overall:{color} +1 all checks pass

{color:green}SUCCESS:{color} all tests passed

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3926/console

This message is automatically generated.

> Create the SHOW GRANT USER task for Hive
>
> Key: SENTRY-2273
> URL: https://issues.apache.org/jira/browse/SENTRY-2273
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Arjun Mishra
> Priority: Major
> Attachments: SENTRY-2273.01.patch, SENTRY-2273.02.patch, SENTRY-2273.03.patch
>
> The SentryHiveAuthorizationTaskFactoryImpl class creates all the supported DDL tasks for authorization in Hive. We need to add the support for the SHOW GRANT USER as well.

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2264) It is possible to elevate privileges from DROP using alter table rename
[ https://issues.apache.org/jira/browse/SENTRY-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Na Li updated SENTRY-2264: -- Resolution: Fixed Status: Resolved (was: Patch Available)
[jira] [Updated] (SENTRY-2281) list_privileges_by_user() fails with a JDODetachedFieldAccessException
[ https://issues.apache.org/jira/browse/SENTRY-2281?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Arjun Mishra updated SENTRY-2281: - Attachment: SENTRY-2281.02.patch
[jira] [Commented] (SENTRY-2281) list_privileges_by_user() fails with a JDODetachedFieldAccessException
[ https://issues.apache.org/jira/browse/SENTRY-2281?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16524021#comment-16524021 ]

Hadoop QA commented on SENTRY-2281:

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12929221/SENTRY-2281.01.patch against master.

Overall: -1 due to 4 errors

ERROR: mvn test exited 1
ERROR: Failed: org.apache.sentry.api.service.thrift.TestSentryServiceIntegration
ERROR: Failed: org.apache.sentry.api.service.thrift.TestSentryServiceIntegration
ERROR: Failed: org.apache.sentry.api.service.thrift.TestSentryServiceIntegration

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3927/console

This message is automatically generated.

> list_privileges_by_user() fails with a JDODetachedFieldAccessException
>
> Key: SENTRY-2281
> URL: https://issues.apache.org/jira/browse/SENTRY-2281
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Arjun Mishra
> Priority: Major
> Attachments: SENTRY-2281.01.patch
[jira] [Updated] (SENTRY-2281) list_privileges_by_user() fails with a JDODetachedFieldAccessException
[ https://issues.apache.org/jira/browse/SENTRY-2281?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arjun Mishra updated SENTRY-2281:
    Status: Patch Available (was: Open)

> list_privileges_by_user() fails with a JDODetachedFieldAccessException
>
> Key: SENTRY-2281
> URL: https://issues.apache.org/jira/browse/SENTRY-2281
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Arjun Mishra
> Priority: Major
> Attachments: SENTRY-2281.01.patch
[jira] [Updated] (SENTRY-2281) list_privileges_by_user() fails with a JDODetachedFieldAccessException
[ https://issues.apache.org/jira/browse/SENTRY-2281?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arjun Mishra updated SENTRY-2281:
    Attachment: SENTRY-2281.01.patch

> list_privileges_by_user() fails with a JDODetachedFieldAccessException
>
> Key: SENTRY-2281
> URL: https://issues.apache.org/jira/browse/SENTRY-2281
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Arjun Mishra
> Priority: Major
> Attachments: SENTRY-2281.01.patch
[jira] [Commented] (SENTRY-2273) Create the SHOW GRANT USER task for Hive
[ https://issues.apache.org/jira/browse/SENTRY-2273?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16523981#comment-16523981 ]

Hadoop QA commented on SENTRY-2273:

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12929202/SENTRY-2273.02.patch against master.

Overall: +1 all checks pass

SUCCESS: all tests passed

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3925/console

This message is automatically generated.

> Create the SHOW GRANT USER task for Hive
>
> Key: SENTRY-2273
> URL: https://issues.apache.org/jira/browse/SENTRY-2273
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Arjun Mishra
> Priority: Major
> Attachments: SENTRY-2273.01.patch, SENTRY-2273.02.patch, SENTRY-2273.03.patch
>
> The SentryHiveAuthorizationTaskFactoryImpl class creates all the supported DDL tasks for authorization in Hive. We need to add the support for the SHOW GRANT USER as well.
[jira] [Updated] (SENTRY-2273) Create the SHOW GRANT USER task for Hive
[ https://issues.apache.org/jira/browse/SENTRY-2273?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arjun Mishra updated SENTRY-2273:
    Attachment: SENTRY-2273.03.patch

> Create the SHOW GRANT USER task for Hive
>
> Key: SENTRY-2273
> URL: https://issues.apache.org/jira/browse/SENTRY-2273
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Arjun Mishra
> Priority: Major
> Attachments: SENTRY-2273.01.patch, SENTRY-2273.02.patch, SENTRY-2273.03.patch
>
> The SentryHiveAuthorizationTaskFactoryImpl class creates all the supported DDL tasks for authorization in Hive. We need to add the support for the SHOW GRANT USER as well.
[jira] [Assigned] (SENTRY-2281) list_privileges_by_user() fails with a JDODetachedFieldAccessException
[ https://issues.apache.org/jira/browse/SENTRY-2281?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergio Peña reassigned SENTRY-2281:
    Assignee: Arjun Mishra (was: Sergio Peña)

> list_privileges_by_user() fails with a JDODetachedFieldAccessException
>
> Key: SENTRY-2281
> URL: https://issues.apache.org/jira/browse/SENTRY-2281
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Arjun Mishra
> Priority: Major
[jira] [Assigned] (SENTRY-2281) list_privileges_by_user() fails with a JDODetachedFieldAccessException
[ https://issues.apache.org/jira/browse/SENTRY-2281?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergio Peña reassigned SENTRY-2281:
    Assignee: Sergio Peña

> list_privileges_by_user() fails with a JDODetachedFieldAccessException
>
> Key: SENTRY-2281
> URL: https://issues.apache.org/jira/browse/SENTRY-2281
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Sergio Peña
> Priority: Major
[jira] [Created] (SENTRY-2281) list_privileges_by_user() fails with a JDODetachedFieldAccessException
Sergio Peña created SENTRY-2281:

    Summary: list_privileges_by_user() fails with a JDODetachedFieldAccessException
    Key: SENTRY-2281
    URL: https://issues.apache.org/jira/browse/SENTRY-2281
    Project: Sentry
    Issue Type: Sub-task
    Components: Sentry
    Affects Versions: 2.1.0
    Reporter: Sergio Peña

{noformat}
Caused by: java.lang.RuntimeException: Unknown error for request: TListSentryPrivilegesByAuthRequest(protocol_version:2, requestorUserName:ubuntu, authorizableSet:[TSentryAuthorizable(server:localhost, db:default, table:t1)], roleSet:TSentryActiveRoleSet(all:true, roles:[]), users:[ubuntu]), message: You have just attempted to access field "users" yet this field was not detached when you detached the object. Either dont access this field, or detach it when detaching the object.. Server Stacktrace: javax.jdo.JDODetachedFieldAccessException: You have just attempted to access field "users" yet this field was not detached when you detached the object. Either dont access this field, or detach it when detaching the object.
    at org.apache.sentry.provider.db.service.model.MSentryPrivilege.dnGetusers(MSentryPrivilege.java)
    at org.apache.sentry.provider.db.service.model.MSentryPrivilege.getUsers(MSentryPrivilege.java:186)
    at org.apache.sentry.provider.db.service.persistent.SentryStore.listSentryPrivilegesByAuthorizableForUser(SentryStore.java:2118)
    at org.apache.sentry.api.service.thrift.SentryPolicyStoreProcessor.list_sentry_privileges_by_authorizable(SentryPolicyStoreProcessor.java:1166)
    at org.apache.sentry.api.service.thrift.SentryPolicyService$Processor$list_sentry_privileges_by_authorizable.getResult(SentryPolicyService.java:1677)
    at org.apache.sentry.api.service.thrift.SentryPolicyService$Processor$list_sentry_privileges_by_authorizable.getResult(SentryPolicyService.java:1662)
    at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
    at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
    at org.apache.sentry.api.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:36)
    at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
{noformat}
[jira] [Updated] (SENTRY-2273) Create the SHOW GRANT USER task for Hive
[ https://issues.apache.org/jira/browse/SENTRY-2273?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arjun Mishra updated SENTRY-2273:
    Status: Patch Available (was: Open)

> Create the SHOW GRANT USER task for Hive
>
> Key: SENTRY-2273
> URL: https://issues.apache.org/jira/browse/SENTRY-2273
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Arjun Mishra
> Priority: Major
> Attachments: SENTRY-2273.01.patch, SENTRY-2273.02.patch
>
> The SentryHiveAuthorizationTaskFactoryImpl class creates all the supported DDL tasks for authorization in Hive. We need to add the support for the SHOW GRANT USER as well.
[jira] [Updated] (SENTRY-2273) Create the SHOW GRANT USER task for Hive
[ https://issues.apache.org/jira/browse/SENTRY-2273?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arjun Mishra updated SENTRY-2273:
    Status: Open (was: Patch Available)

> Create the SHOW GRANT USER task for Hive
>
> Key: SENTRY-2273
> URL: https://issues.apache.org/jira/browse/SENTRY-2273
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Arjun Mishra
> Priority: Major
> Attachments: SENTRY-2273.01.patch, SENTRY-2273.02.patch
>
> The SentryHiveAuthorizationTaskFactoryImpl class creates all the supported DDL tasks for authorization in Hive. We need to add the support for the SHOW GRANT USER as well.
[jira] [Updated] (SENTRY-2273) Create the SHOW GRANT USER task for Hive
[ https://issues.apache.org/jira/browse/SENTRY-2273?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arjun Mishra updated SENTRY-2273:
    Attachment: SENTRY-2273.02.patch

> Create the SHOW GRANT USER task for Hive
>
> Key: SENTRY-2273
> URL: https://issues.apache.org/jira/browse/SENTRY-2273
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Arjun Mishra
> Priority: Major
> Attachments: SENTRY-2273.01.patch, SENTRY-2273.02.patch
>
> The SentryHiveAuthorizationTaskFactoryImpl class creates all the supported DDL tasks for authorization in Hive. We need to add the support for the SHOW GRANT USER as well.
[jira] [Updated] (SENTRY-2273) Create the SHOW GRANT USER task for Hive
[ https://issues.apache.org/jira/browse/SENTRY-2273?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arjun Mishra updated SENTRY-2273:
    Attachment: SENTRY-2273.01.patch

> Create the SHOW GRANT USER task for Hive
>
> Key: SENTRY-2273
> URL: https://issues.apache.org/jira/browse/SENTRY-2273
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Arjun Mishra
> Priority: Major
> Attachments: SENTRY-2273.01.patch
>
> The SentryHiveAuthorizationTaskFactoryImpl class creates all the supported DDL tasks for authorization in Hive. We need to add the support for the SHOW GRANT USER as well.
[jira] [Updated] (SENTRY-2273) Create the SHOW GRANT USER task for Hive
[ https://issues.apache.org/jira/browse/SENTRY-2273?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arjun Mishra updated SENTRY-2273:
    Status: Patch Available (was: Open)

> Create the SHOW GRANT USER task for Hive
>
> Key: SENTRY-2273
> URL: https://issues.apache.org/jira/browse/SENTRY-2273
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Arjun Mishra
> Priority: Major
> Attachments: SENTRY-2273.01.patch
>
> The SentryHiveAuthorizationTaskFactoryImpl class creates all the supported DDL tasks for authorization in Hive. We need to add the support for the SHOW GRANT USER as well.
[jira] [Updated] (SENTRY-2238) Explicitly set Database on SentryHivePrivilegeObjectDesc
[ https://issues.apache.org/jira/browse/SENTRY-2238?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergio Peña updated SENTRY-2238:
    Resolution: Fixed
    Status: Resolved (was: Patch Available)

> Explicitly set Database on SentryHivePrivilegeObjectDesc
>
> Key: SENTRY-2238
> URL: https://issues.apache.org/jira/browse/SENTRY-2238
> Project: Sentry
> Issue Type: Bug
> Affects Versions: 2.1.0
> Reporter: Arjun Mishra
> Assignee: Arjun Mishra
> Priority: Major
> Fix For: 2.1.0
> Attachments: SENTRY-2238.001.patch, SENTRY-2238.01.patch, SENTRY-2238.02.patch
>
> Right now database is not supported with command SHOW GRANT ROLE/USER ON DATABASE
[jira] [Commented] (SENTRY-2264) It is possible to elevate privileges from DROP using alter table rename
[ https://issues.apache.org/jira/browse/SENTRY-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16523381#comment-16523381 ]

Hadoop QA commented on SENTRY-2264:

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12929144/SENTRY-2264.004.patch against master.

Overall: +1 all checks pass

SUCCESS: all tests passed

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3924/console

This message is automatically generated.

> It is possible to elevate privileges from DROP using alter table rename
>
> Key: SENTRY-2264
> URL: https://issues.apache.org/jira/browse/SENTRY-2264
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Na Li
> Assignee: Na Li
> Priority: Major
> Attachments: SENTRY-2264.001.patch, SENTRY-2264.002.patch, SENTRY-2264.003.patch, SENTRY-2264.004.patch, SENTRY-2264.004.patch
>
> After introducing FGP, a user with only DROP on a database db1 and at least CREATE on db2 can run ALTER TABLE RENAME db1.table1 db2.table2, and thus elevate their privileges.
>
> To reproduce:
>
> As admin (e.g. hive):
> 1. Create db1, db1.table1, db2, role r1.
> 2. Grant DROP on db1 to role r1.
> 3. Grant ALL on db2 to role r1.
> 4. Grant role r1 to user testuser1.
>
> As testuser1:
> 1. use db1; alter table db1.table1 rename to db2.table1
> 2. select * from db2.table1
>
> Result: the select command succeeds.
>
> Desired behavior:
> We should at least require the following privileges to execute the table rename command:
> table level "ALL" at source
> database level "CREATE" at destination.
>
> The reason we don't require "alter, insert" for the destination DB is that "alter" and "insert" are table-level privileges, and when the "alter table rename" command is executed, there is no table in the destination DB. So we cannot enforce these table-level privileges.
> Therefore the only change is to add the table-level "ALL" privilege to the required input privileges, to avoid privilege elevation by moving a table across DBs.
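The required-privilege rule described in SENTRY-2264, as an added example that is not Sentry's code or part of the original message: a simplified Python model of the rename check before and after the change, run against the grants from the issue's reproduction steps. The PolicyStore class, the function names, and the exact form of the pre-fix rule (DROP at source, CREATE at destination) are assumptions inferred from the issue text.

```python
"""Simplified model of the ALTER TABLE RENAME check from SENTRY-2264.

Not Sentry code. Assumptions: a grant on a database covers every table in
it, ALL implies every action, and the pre-fix rule is the one implied by
the issue (DROP at source plus CREATE at destination).
"""
from typing import NamedTuple, Optional

ALL = "ALL"


class Grant(NamedTuple):
    role: str
    action: str                    # "DROP", "CREATE", "SELECT", "ALL", ...
    db: str
    table: Optional[str] = None    # None means a database-level grant


class PolicyStore:
    """Hypothetical in-memory stand-in for a role-based policy store."""

    def __init__(self):
        self.grants = set()
        self.user_roles = {}

    def grant(self, role, action, db, table=None):
        self.grants.add(Grant(role, action.upper(), db, table))

    def add_user_to_role(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def has(self, user, action, db, table=None):
        """True if one of the user's roles holds `action` (or ALL) on the object.

        A database-level grant matches any table in that database; a
        table-level grant matches only that table, never the database.
        """
        roles = self.user_roles.get(user, set())
        for g in self.grants:
            if g.role not in roles or g.db != db:
                continue
            if g.action not in (action, ALL):
                continue
            if g.table is None or g.table == table:
                return True
        return False


def rename_allowed_before(store, user, src_db, src_table, dst_db):
    # Assumed pre-fix rule: DROP at the source is enough to move the table out.
    return (store.has(user, "DROP", src_db, src_table)
            and store.has(user, "CREATE", dst_db))


def rename_allowed_after(store, user, src_db, src_table, dst_db):
    # Rule from the issue: table-level ALL at source, database-level CREATE
    # at destination. No table-level check is possible at the destination
    # because the table does not exist there yet.
    return (store.has(user, ALL, src_db, src_table)
            and store.has(user, "CREATE", dst_db))


def build_issue_scenario():
    """Grants from the issue's reproduction steps (constructed sample data)."""
    store = PolicyStore()
    store.grant("r1", "DROP", "db1")
    store.grant("r1", "ALL", "db2")
    store.add_user_to_role("testuser1", "r1")
    return store


if __name__ == "__main__":
    s = build_issue_scenario()
    print("SELECT on db1.table1:", s.has("testuser1", "SELECT", "db1", "table1"))
    print("rename allowed (before):",
          rename_allowed_before(s, "testuser1", "db1", "table1", "db2"))
    print("rename allowed (after): ",
          rename_allowed_after(s, "testuser1", "db1", "table1", "db2"))
    print("SELECT on db2.table1 once moved:",
          s.has("testuser1", "SELECT", "db2", "table1"))
```

In the model, testuser1 cannot read db1.table1, yet the pre-fix rule lets the table move into db2, where the database-level ALL grant covers it. Requiring ALL on the source table rejects the same request.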