Hi Lina,
No, I was using V1 - the problem was that I wasn't explicitly setting
"ConfVars.HIVE_STATS_COLLECT_SCANCOLS" to "true". What I meant was that if
I was using the V2 binding (and previously my testcase used the Sentry V2
binding with 1.8.0), then it wasn't necessary to set this configuratio
Colm,
I have created SENTRY-2118 to document this setting.
It is strange that without this setting, you have V2 working. From the
following code, the column info is not set in ReadEntity if
HIVE_STATS_COLLECT_SCANCOLS is false.
if (HiveConf.getBoolVar(this.conf, ConfVars.HIVE_STATS_COLLECT_SCANC
Hi Lina,
> Glad I can help. Do you know what configuration caused the columns not
> parsed by Hive? If it is due to SessionState.get().isAuthorizationModeV2()
> == false?
>
Yes exactly - I'm using the V1 binding.
Colm.
>
> Thanks,
>
> Lina
>
> On Fri, Jan 5, 2018 at 6:12 AM, Colm O hEigeartai
Colm,
Glad I can help. Do you know what configuration caused the columns not
parsed by Hive? If it is due to SessionState.get().isAuthorizationModeV2()
== false?
Thanks,
Lina
On Fri, Jan 5, 2018 at 6:12 AM, Colm O hEigeartaigh
wrote:
> Hi Lina,
>
> Thanks a lot for your help on this! I was ab
Hi Lina,
Thanks a lot for your help on this! I was able to get the test to work by
adding the following config option:
conf.set(HiveConf.ConfVars.HIVE_STATS_COLLECT_SCANCOLS.varname, "true");
Colm.
On Thu, Jan 4, 2018 at 10:06 PM, Na Li wrote:
> Colm,
>
> The following code shows where Hive s
Colm,
The following code shows where Hive sets the column info. You can debug
into hive code and see why AccessedColumns is not set.
The related code is in org.apache.hadoop.hive.ql.parse.SemanticAnalyzer
boolean isColumnInfoNeedForAuth =
SessionState.get().isAuthorizationModeV2(
Colm,
I tried to reproduce your issue using sentry 2.0 (master branch) with Hive
2.3.2.
The test code is
@Test
public void testPositiveOnAll() throws Exception {
Connection connection = context.createConnection(ADMIN1);
Statement statement = context.createStatement(connection);
s
Thanks Kalyan! I was thinking that if the cached privilege part does not
appear in the requested "part", and if is "all", then we should skip that
part and continue on to the next one. But maybe there is a better solution.
Colm.
On Mon, Dec 18, 2017 at 4:06 PM, Kalyan Kumar Kalvagadda <
kkal...@c
Colm,
I will look closer into this today and see If i can help you out.
-Kalyan
On Mon, Dec 18, 2017 at 4:52 AM, Colm O hEigeartaigh
wrote:
> Hi,
>
> I've done some further analysis of the problem, and I think it is not
> directly related to SENTRY-1291. The problem manifests in
> CommonPrivil
Hi,
I've done some further analysis of the problem, and I think it is not
directly related to SENTRY-1291. The problem manifests in
CommonPrivilege.implies(privilege, model). My (cached) privilege looks like:
Server=server1->Db=authz->Table=words->Column=*->action=select
The "privilege" I want t
Sasha,
sentry-1291 is helpful for the problem that sentry privilege checks takes
too long with many explicit grants, which is useful for big customers.
Another approach that can improve the performance is to organize the
privileges according to the authorization hierarchy in a tree structure, so
f
I think that SENTRY-1291 should be just reverted - there are multiple
issues with it and no one is actually using the fix. Anyone wants to do it?
- Alex
On Wed, Dec 13, 2017 at 4:44 AM, Na Li wrote:
> Colm,
>
> Glad you find the cause!
>
> You can revert Sentry-1291, and see if it works. If so,
Colm,
Glad you find the cause!
You can revert Sentry-1291, and see if it works. If so, it is issue at finding
cached privileges.
Cheers,
Lina
Sent from my iPhone
> On Dec 13, 2017, at 4:58 AM, Colm O hEigeartaigh wrote:
>
> Hi,
>
> I can see what the problem is (that the authorization hie
Hi,
I can see what the problem is (that the authorization hierarchy does not
contain the column, and hence doesn't match against the cached privilege),
but I'm not sure about the best way to solve it. Either the way we are
creating the authorization hierarchy is incorrect (e.g. in
HiveAuthzBinding
Colm,
I did not get chance to look into this issue today. Sorry about that.
You can add a e2e test case and set break point at where the authorization
object hierarchy to a list of authorization objects, which is used to do exact
match with cache
Sent from my iPhone
> On Dec 12, 2017, at 11:2
That would be great, thanks!
Colm.
On Tue, Dec 12, 2017 at 4:36 PM, Na Li wrote:
> Colm,
>
> I suspect it is a bug in SENTRY-1291. I can take a look later today.
>
> Thanks,
>
> Lina
>
> On Tue, Dec 12, 2017 at 4:32 AM, Colm O hEigeartaigh
> wrote:
>
> > Hi all,
> >
> > I've updated some local
Colm,
I suspect it is a bug in SENTRY-1291. I can take a look later today.
Thanks,
Lina
On Tue, Dec 12, 2017 at 4:32 AM, Colm O hEigeartaigh
wrote:
> Hi all,
>
> I've updated some local testcases to work with Sentry 2.0.0 and the "v1"
> Hive binding (previously working fine using 1.8.0 and th
Hi all,
I've updated some local testcases to work with Sentry 2.0.0 and the "v1"
Hive binding (previously working fine using 1.8.0 and the "v2" binding).
I have a simple table called "words" (word STRING, count INT). I am making
an SQL call as the user "bob", e.g. "SELECT * FROM words where count
18 matches
Mail list logo
