[jira] [Commented] (SENTRY-2329) Integrate sentry with Hadoop 3.1.1
[
https://issues.apache.org/jira/browse/SENTRY-2329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16665287#comment-16665287
]
Hadoop QA commented on SENTRY-2329:
---
Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12945784/SENTRY-2329.4.patch
against master.
{color:red}Overall:{color} -1 due to 6 errors
{color:red}ERROR:{color} mvn test exited 1
{color:red}ERROR:{color} Failed:
org.apache.sentry.policy.solr.TestSolrPolicyEngineDFS
{color:red}ERROR:{color} Failed:
org.apache.sentry.binding.solr.TestSolrAuthzBinding
{color:red}ERROR:{color} Failed:
org.apache.sentry.api.service.thrift.TestSentryWebServerWithKerberos
{color:red}ERROR:{color} Failed:
org.apache.sentry.api.service.thrift.TestSentryWebServerWithKerberos
{color:red}ERROR:{color} Failed:
org.apache.sentry.api.service.thrift.TestSentryWebServerWithKerberos
Console output:
https://builds.apache.org/job/PreCommit-SENTRY-Build/4203/console
This message is automatically generated.
> Integrate sentry with Hadoop 3.1.1
> --
>
> Key: SENTRY-2329
> URL: https://issues.apache.org/jira/browse/SENTRY-2329
> Project: Sentry
> Issue Type: Improvement
> Components: Sentry
>Affects Versions: 2.1.0
>Reporter: kalyan kumar kalvagadda
>Assignee: Sergio Peña
>Priority: Major
> Attachments: SENTRY-2329.001.patch, SENTRY-2329.2.patch,
> SENTRY-2329.3.patch, SENTRY-2329.4.patch
>
>
> Change the sentry dependency of hadoop to 3.1.1 so that sentry can integrate
> with hadoop 3.1.1
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Created] (SENTRY-2436) Add annotations for classes that are used in binding as public
Xinran Tinney created SENTRY-2436: - Summary: Add annotations for classes that are used in binding as public Key: SENTRY-2436 URL: https://issues.apache.org/jira/browse/SENTRY-2436 Project: Sentry Issue Type: Task Reporter: Xinran Tinney Some classes e.g. PolicyEngine etc are used in the bindings. These classes should be annotated as public. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Assigned] (SENTRY-2436) Add annotations for classes that are used in binding as public
[ https://issues.apache.org/jira/browse/SENTRY-2436?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Xinran Tinney reassigned SENTRY-2436: - Assignee: Xinran Tinney > Add annotations for classes that are used in binding as public > -- > > Key: SENTRY-2436 > URL: https://issues.apache.org/jira/browse/SENTRY-2436 > Project: Sentry > Issue Type: Task >Reporter: Xinran Tinney >Assignee: Xinran Tinney >Priority: Minor > > Some classes e.g. PolicyEngine etc are used in the bindings. These classes > should be annotated as public. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2372) SentryStore should not implement grantOptionCheck
[
https://issues.apache.org/jira/browse/SENTRY-2372?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sergio Peña updated SENTRY-2372:
Attachment: SENTRY-2372.7.patch
> SentryStore should not implement grantOptionCheck
> -
>
> Key: SENTRY-2372
> URL: https://issues.apache.org/jira/browse/SENTRY-2372
> Project: Sentry
> Issue Type: Improvement
> Components: Sentry, sentrystore
>Affects Versions: 2.1.0
>Reporter: Sergio Peña
>Assignee: Sergio Peña
>Priority: Major
> Attachments: SENTRY-2372.1.patch, SENTRY-2372.2.patch,
> SENTRY-2372.3.patch, SENTRY-2372.4.patch, SENTRY-2372.5.patch,
> SENTRY-2372.6.patch, SENTRY-2372.7.patch
>
>
> During functional testing it was found that SentryStore implementation
> contains logic that enforces sentry rights and depends on cluster-specific
> context. Specifically grantOptionCheck needs to be able to resolve hadoop
> user's groups and sentry admin groups configured on the cluster.
> There are two problems with this:
> # Some backends use SentryStore in a multi-tenant way and does have the
> context that SentryStore expects when it is used in cluster.
> # Security enforcement logic shouldn't be in SentryStore if it is to be
> trusted. Since the backends Sentry API may be stateless the caller has to
> pass request context to such implementation backend together with the
> explicit SentryStore arguments. If the context (e.g. groups) is passed with
> the request the checks become unenforceable since caller controls variables
> on both sides of the comparison.
> The recommendation is to remove {{grantOptionCheck}} and {{SentryStore}} and
> to implement equivalent logic in {{SentryPolicyStoreProcessor}}.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (SENTRY-2433) Dropping object privileges does not include update of dropping user privileges
[
https://issues.apache.org/jira/browse/SENTRY-2433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16665738#comment-16665738
]
Hadoop QA commented on SENTRY-2433:
---
Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12945819/SENTRY-2433.001.patch
against master.
{color:green}Overall:{color} +1 all checks pass
{color:green}SUCCESS:{color} all tests passed
Console output:
https://builds.apache.org/job/PreCommit-SENTRY-Build/4205/console
This message is automatically generated.
> Dropping object privileges does not include update of dropping user privileges
> --
>
> Key: SENTRY-2433
> URL: https://issues.apache.org/jira/browse/SENTRY-2433
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
>Affects Versions: 2.1.0, 2.2.0
>Reporter: Na Li
>Assignee: Na Li
>Priority: Major
> Attachments: SENTRY-2433.001.patch, SENTRY-2433.001.patch
>
>
> When dropping privileges of an object, the update of this processing only
> includes dropping role based privileges, and does not includes dropping user
> based privileges.
> If the to-be-dropped object is an external table, the path at HDFS still
> exists, and the user access wills till be there even after sentry privileges
> associated with that external table is dropped.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
