[jira] [Updated] (SENTRY-2241) Extend the Sync Listener to pass owner information to sentry server.
[ https://issues.apache.org/jira/browse/SENTRY-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

kalyan kumar kalvagadda updated SENTRY-2241:
    Attachment: SENTRY-2241.004.patch

> Extend the Sync Listener to pass owner information to sentry server.
>
> Key: SENTRY-2241
> URL: https://issues.apache.org/jira/browse/SENTRY-2241
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: kalyan kumar kalvagadda
> Assignee: kalyan kumar kalvagadda
> Priority: Major
> Attachments: SENTRY-2241.001.patch, SENTRY-2241.004.patch
>
> Sentry has SentrySyncHMSNotificationsPostEventListener which is added as a post
> listener in HMS. This listener should be extended to get the owner
> information of tables and databases.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2241) Extend the Sync Listener to pass owner information to sentry server.
[ https://issues.apache.org/jira/browse/SENTRY-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

kalyan kumar kalvagadda updated SENTRY-2241:
    Attachment: (was: SENTRY-2056.003.patch)

> Extend the Sync Listener to pass owner information to sentry server.
>
> Key: SENTRY-2241
> URL: https://issues.apache.org/jira/browse/SENTRY-2241
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: kalyan kumar kalvagadda
> Assignee: kalyan kumar kalvagadda
> Priority: Major
> Attachments: SENTRY-2241.001.patch, SENTRY-2241.004.patch
>
> Sentry has SentrySyncHMSNotificationsPostEventListener which is added as a post
> listener in HMS. This listener should be extended to get the owner
> information of tables and databases.
[jira] [Updated] (SENTRY-2241) Extend the Sync Listener to pass owner information to sentry server.
[ https://issues.apache.org/jira/browse/SENTRY-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

kalyan kumar kalvagadda updated SENTRY-2241:
    Attachment: (was: SENTRY-2241.002.patch)

> Extend the Sync Listener to pass owner information to sentry server.
>
> Key: SENTRY-2241
> URL: https://issues.apache.org/jira/browse/SENTRY-2241
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: kalyan kumar kalvagadda
> Assignee: kalyan kumar kalvagadda
> Priority: Major
> Attachments: SENTRY-2241.001.patch, SENTRY-2241.004.patch
>
> Sentry has SentrySyncHMSNotificationsPostEventListener which is added as a post
> listener in HMS. This listener should be extended to get the owner
> information of tables and databases.
[jira] [Updated] (SENTRY-2241) Extend the Sync Listener to pass owner information to sentry server.
[ https://issues.apache.org/jira/browse/SENTRY-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

kalyan kumar kalvagadda updated SENTRY-2241:
    Attachment: (was: SENTRY-2241.003.patch)

> Extend the Sync Listener to pass owner information to sentry server.
>
> Key: SENTRY-2241
> URL: https://issues.apache.org/jira/browse/SENTRY-2241
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: kalyan kumar kalvagadda
> Assignee: kalyan kumar kalvagadda
> Priority: Major
> Attachments: SENTRY-2056.003.patch, SENTRY-2241.001.patch,
> SENTRY-2241.002.patch
>
> Sentry has SentrySyncHMSNotificationsPostEventListener which is added as a post
> listener in HMS. This listener should be extended to get the owner
> information of tables and databases.
[jira] [Updated] (SENTRY-2241) Extend the Sync Listener to pass owner information to sentry server.
[ https://issues.apache.org/jira/browse/SENTRY-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

kalyan kumar kalvagadda updated SENTRY-2241:
    Attachment: SENTRY-2056.003.patch

> Extend the Sync Listener to pass owner information to sentry server.
>
> Key: SENTRY-2241
> URL: https://issues.apache.org/jira/browse/SENTRY-2241
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: kalyan kumar kalvagadda
> Assignee: kalyan kumar kalvagadda
> Priority: Major
> Attachments: SENTRY-2056.003.patch, SENTRY-2241.001.patch,
> SENTRY-2241.002.patch
>
> Sentry has SentrySyncHMSNotificationsPostEventListener which is added as a post
> listener in HMS. This listener should be extended to get the owner
> information of tables and databases.
[jira] [Commented] (SENTRY-2267) Listing user privileges fails because roleName field is required on Thrift
[ https://issues.apache.org/jira/browse/SENTRY-2267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16510313#comment-16510313 ]

Hadoop QA commented on SENTRY-2267:

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12927521/SENTRY-2267.1.patch against master.

{color:green}Overall:{color} +1 all checks pass

{color:green}SUCCESS:{color} all tests passed

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3875/console

This message is automatically generated.

> Listing user privileges fails because roleName field is required on Thrift
>
> Key: SENTRY-2267
> URL: https://issues.apache.org/jira/browse/SENTRY-2267
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Reporter: Sergio Peña
> Assignee: Sergio Peña
> Priority: Major
> Attachments: SENTRY-2267.1.patch
>
> The SHOW GRANT USER is failing because the Thrift API requires the roleName
> field.
[jira] [Commented] (SENTRY-2241) Extend the Sync Listener to pass owner information to sentry server.
[ https://issues.apache.org/jira/browse/SENTRY-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16510202#comment-16510202 ]

Hadoop QA commented on SENTRY-2241:

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12927534/SENTRY-2241.003.patch against master.

{color:red}Overall:{color} -1 due to an error

{color:red}ERROR:{color} failed to build with patch (exit code 1)

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3879/console

This message is automatically generated.

> Extend the Sync Listener to pass owner information to sentry server.
>
> Key: SENTRY-2241
> URL: https://issues.apache.org/jira/browse/SENTRY-2241
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: kalyan kumar kalvagadda
> Assignee: kalyan kumar kalvagadda
> Priority: Major
> Attachments: SENTRY-2241.001.patch, SENTRY-2241.002.patch,
> SENTRY-2241.003.patch
>
> Sentry has SentrySyncHMSNotificationsPostEventListener which is added as a post
> listener in HMS. This listener should be extended to get the owner
> information of tables and databases.
[jira] [Updated] (SENTRY-2241) Extend the Sync Listener to pass owner information to sentry server.
[ https://issues.apache.org/jira/browse/SENTRY-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

kalyan kumar kalvagadda updated SENTRY-2241:
    Attachment: SENTRY-2241.003.patch

> Extend the Sync Listener to pass owner information to sentry server.
>
> Key: SENTRY-2241
> URL: https://issues.apache.org/jira/browse/SENTRY-2241
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: kalyan kumar kalvagadda
> Assignee: kalyan kumar kalvagadda
> Priority: Major
> Attachments: SENTRY-2241.001.patch, SENTRY-2241.002.patch,
> SENTRY-2241.003.patch
>
> Sentry has SentrySyncHMSNotificationsPostEventListener which is added as a post
> listener in HMS. This listener should be extended to get the owner
> information of tables and databases.
[jira] [Updated] (SENTRY-2241) Extend the Sync Listener to pass owner information to sentry server.
[ https://issues.apache.org/jira/browse/SENTRY-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

kalyan kumar kalvagadda updated SENTRY-2241:
    Attachment: (was: SENTRY-2241.002.patch)

> Extend the Sync Listener to pass owner information to sentry server.
>
> Key: SENTRY-2241
> URL: https://issues.apache.org/jira/browse/SENTRY-2241
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: kalyan kumar kalvagadda
> Assignee: kalyan kumar kalvagadda
> Priority: Major
> Attachments: SENTRY-2241.001.patch, SENTRY-2241.002.patch
>
> Sentry has SentrySyncHMSNotificationsPostEventListener which is added as a post
> listener in HMS. This listener should be extended to get the owner
> information of tables and databases.
[jira] [Updated] (SENTRY-2241) Extend the Sync Listener to pass owner information to sentry server.
[ https://issues.apache.org/jira/browse/SENTRY-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

kalyan kumar kalvagadda updated SENTRY-2241:
    Attachment: SENTRY-2241.002.patch

> Extend the Sync Listener to pass owner information to sentry server.
>
> Key: SENTRY-2241
> URL: https://issues.apache.org/jira/browse/SENTRY-2241
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: kalyan kumar kalvagadda
> Assignee: kalyan kumar kalvagadda
> Priority: Major
> Attachments: SENTRY-2241.001.patch, SENTRY-2241.002.patch
>
> Sentry has SentrySyncHMSNotificationsPostEventListener which is added as a post
> listener in HMS. This listener should be extended to get the owner
> information of tables and databases.
[jira] [Updated] (SENTRY-2268) Review the required privileges for DDL commands
[ https://issues.apache.org/jira/browse/SENTRY-2268?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Na Li updated SENTRY-2268:
    Description:
The privileges required for DDL commands are listed in HiveAuthzPrivilegesMap.

{code}
addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INSERT, DBModelAction.ALTER))
{code}
means the required output privilege is table level insert OR alter.

{code}
addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INSERT)).
addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALTER))
{code}
means the required output privilege is table level insert AND alter.

We need to review the privileges to see if they are defined correctly. I suspect multiple definitions want to have privileges with AND, but end up getting privileges with OR.

We should also check if the privilege level is correct. For example, "insert" is a table level privilege. It does not make sense to require database level "insert".

    was:
The privileges required for DDL commands are listed in HiveAuthzPrivilegesMap.

{code}
addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INSERT, DBModelAction.ALTER))
{code}
means the required output privilege is table level insert OR alter.

{code}
addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INSERT)).
addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALTER))
{code}
means the required output privilege is table level insert AND alter.

We need to review the privileges to see if they are defined correctly. I suspect multiple definitions want to have privileges with AND, but end up getting privileges with OR.

> Review the required privileges for DDL commands
>
> Key: SENTRY-2268
> URL: https://issues.apache.org/jira/browse/SENTRY-2268
> Project: Sentry
> Issue Type: Task
> Reporter: Na Li
> Priority: Major
>
> The privileges required for DDL commands are listed in
> HiveAuthzPrivilegesMap.
> {code}
> addOutputObjectPriviledge(AuthorizableType.Table,
> EnumSet.of(DBModelAction.INSERT, DBModelAction.ALTER))
> {code}
> means the required output privilege is table level insert OR alter.
> {code}
> addOutputObjectPriviledge(AuthorizableType.Table,
> EnumSet.of(DBModelAction.INSERT)).
> addOutputObjectPriviledge(AuthorizableType.Table,
> EnumSet.of(DBModelAction.ALTER))
> {code}
> means the required output privilege is table level insert AND alter.
> We need to review the privileges to see if they are defined correctly. I
> suspect multiple definitions want to have privileges with AND, but end up
> getting privileges with OR.
> We should also check if the privilege level is correct. For example, "insert"
> is a table level privilege. It does not make sense to require database level
> "insert".
[jira] [Updated] (SENTRY-2264) It is possible to elevate privileges from DROP using alter table rename
[ https://issues.apache.org/jira/browse/SENTRY-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Na Li updated SENTRY-2264:
    Description:
After introducing FGP, a user with only DROP on a database db1 and at least CREATE on db2 can run ALTER TABLE RENAME db1.table1 db2.table2, and thus elevate their privileges.

To reproduce:

As admin (e.g. hive):
1. Create db1, db1.table1, db2, role r1.
2. Grant DROP on db1 to role r1.
3. Grant ALL on db2 to role r1
4. Grant role r1 to user testuser1.

As testuser1:
1. use db1; alter table db1.table1 rename to db2.table1
2. select * from db2.table1

Result: the select command succeeds.

Desired behavior:
we should at least require the following privileges to execute the table rename command:
table level "SELECT" and database level "DELECT" at source
database level "CREATE" at destination.

The reason we don't require "alter, insert" for destination DB is that "alter" and "insert" are table level privileges and when "alter table rename" command is executed, there is no table in destination DB. So we cannot enforce these table level privileges. Therefore the only change is to add table-level "select" privilege in required input privileges

    was:
After introducing FGP, a user with only DROP on a database db1 and at least CREATE on db2 can run ALTER TABLE RENAME db1.table1 db2.table2, and thus elevate their privileges.

To reproduce:

As admin (e.g. hive):
1. Create db1, db1.table1, db2, role r1.
2. Grant DROP on db1 to role r1.
3. Grant ALL on db2 to role r1
4. Grant role r1 to user testuser1.

As testuser1:
1. use db1; alter table db1.table1 rename to db2.table1
2. select * from db2.table1

Result: the select command succeeds.

Desired behavior:
we should at least require the following privileges to execute the table rename command:
table level "SELECT" and database level "DELECT" at source
database level "CREATE, INSERT, ALTER" at destination.

> It is possible to elevate privileges from DROP using alter table rename
>
> Key: SENTRY-2264
> URL: https://issues.apache.org/jira/browse/SENTRY-2264
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Na Li
> Assignee: Na Li
> Priority: Major
> Attachments: SENTRY-2264.001.patch, SENTRY-2264.002.patch
>
> After introducing FGP, a user with only DROP on a database db1 and at least
> CREATE on db2 can run ALTER TABLE RENAME db1.table1 db2.table2, and thus
> elevate their privileges.
> To reproduce:
> As admin (e.g. hive):
> 1. Create db1, db1.table1, db2, role r1.
> 2. Grant DROP on db1 to role r1.
> 3. Grant ALL on db2 to role r1
> 4. Grant role r1 to user testuser1.
> As testuser1:
> 1. use db1; alter table db1.table1 rename to db2.table1
> 2. select * from db2.table1
> Result: the select command succeeds.
> Desired behavior:
> we should at least require the following privileges to execute the table rename
> command:
> table level "SELECT" and database level "DELECT" at source
> database level "CREATE" at destination.
> The reason we don't require "alter, insert" for destination DB is that
> "alter" and "insert" are table level privileges and when "alter table rename"
> command is executed, there is no table in destination DB. So we cannot
> enforce these table level privileges. Therefore the only change is to add
> table-level "select" privilege in required input privileges
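An added illustration (not Sentry code and not part of either ticket): a minimal Java model of the AND/OR semantics SENTRY-2268 describes and of the rename check SENTRY-2264 asks for. The `Required`, `Requirement` and `Grant` types and the rule that a database grant covers its tables are assumptions made for this example; the source-database action uses the DROP from the reproduction steps, and the "before" requirement set is inferred from the ticket's description, not copied from HiveAuthzPrivilegesMap. Requires Java 16 or later for records.

```java
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

public class RequiredPrivilegesDemo {
    enum Action { SELECT, INSERT, ALTER, CREATE, DROP, ALL }

    /** One requirement entry: the caller needs ANY ONE action in anyOf on the object. */
    record Requirement(String object, EnumSet<Action> anyOf) {}

    /** A grant held on a database ("db1") or a table ("db1.table1"). */
    record Grant(String object, Action action) {}

    /** Hypothetical stand-in for the chained builder quoted in SENTRY-2268. */
    static class Required {
        final List<Requirement> entries = new ArrayList<>();

        Required add(String object, EnumSet<Action> anyOf) {
            entries.add(new Requirement(object, anyOf));
            return this;
        }
    }

    /** Assumption: a grant on a database also covers the tables inside it. */
    static boolean covers(Grant g, Requirement r) {
        boolean sameOrParent = r.object().equals(g.object())
                || r.object().startsWith(g.object() + ".");
        return sameOrParent
                && (g.action() == Action.ALL || r.anyOf().contains(g.action()));
    }

    /** OR inside one entry, AND across entries. */
    static boolean authorized(Set<Grant> grants, Required required) {
        return required.entries.stream()
                .allMatch(r -> grants.stream().anyMatch(g -> covers(g, r)));
    }

    public static void main(String[] args) {
        // SENTRY-2268: the caller holds only INSERT on the table.
        Set<Grant> insertOnly = Set.of(new Grant("db1.table1", Action.INSERT));

        // One entry with two actions: INSERT OR ALTER.
        Required orForm = new Required()
                .add("db1.table1", EnumSet.of(Action.INSERT, Action.ALTER));
        // Two entries with one action each: INSERT AND ALTER.
        Required andForm = new Required()
                .add("db1.table1", EnumSet.of(Action.INSERT))
                .add("db1.table1", EnumSet.of(Action.ALTER));

        System.out.println("OR form, INSERT only:  " + authorized(insertOnly, orForm));
        System.out.println("AND form, INSERT only: " + authorized(insertOnly, andForm));

        // SENTRY-2264: grants from the reproduction steps (constructed here).
        Set<Grant> testuser1 = Set.of(
                new Grant("db1", Action.DROP),
                new Grant("db2", Action.ALL));

        // Before: no table-level read requirement on the source table.
        Required renameBefore = new Required()
                .add("db1", EnumSet.of(Action.DROP))
                .add("db2", EnumSet.of(Action.CREATE));
        // After: the same entries plus table-level SELECT on the source.
        Required renameAfter = new Required()
                .add("db1.table1", EnumSet.of(Action.SELECT))
                .add("db1", EnumSet.of(Action.DROP))
                .add("db2", EnumSet.of(Action.CREATE));

        System.out.println("rename, before: " + authorized(testuser1, renameBefore));
        System.out.println("rename, after:  " + authorized(testuser1, renameAfter));
    }
}
```

With the "before" set the rename is allowed and the table lands in db2, where the ALL grant makes it readable; adding the table-level SELECT entry is what denies it.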
[jira] [Updated] (SENTRY-2264) It is possible to elevate privileges from DROP using alter table rename
[ https://issues.apache.org/jira/browse/SENTRY-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Na Li updated SENTRY-2264:
    Attachment: SENTRY-2264.002.patch

> It is possible to elevate privileges from DROP using alter table rename
>
> Key: SENTRY-2264
> URL: https://issues.apache.org/jira/browse/SENTRY-2264
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Na Li
> Assignee: Na Li
> Priority: Major
> Attachments: SENTRY-2264.001.patch, SENTRY-2264.002.patch
>
> After introducing FGP, a user with only DROP on a database db1 and at least
> CREATE on db2 can run ALTER TABLE RENAME db1.table1 db2.table2, and thus
> elevate their privileges.
> To reproduce:
> As admin (e.g. hive):
> 1. Create db1, db1.table1, db2, role r1.
> 2. Grant DROP on db1 to role r1.
> 3. Grant ALL on db2 to role r1
> 4. Grant role r1 to user testuser1.
> As testuser1:
> 1. use db1; alter table db1.table1 rename to db2.table1
> 2. select * from db2.table1
> Result: the select command succeeds.
> Desired behavior:
> we should at least require the following privileges to execute the table rename
> command:
> table level "SELECT" and database level "DELECT" at source
> database level "CREATE, INSERT, ALTER" at destination.
[jira] [Commented] (SENTRY-2241) Extend the Sync Listener to pass owner information to sentry server.
[ https://issues.apache.org/jira/browse/SENTRY-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16510132#comment-16510132 ]

Hadoop QA commented on SENTRY-2241:

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12927529/SENTRY-2241.002.patch against master.

{color:red}Overall:{color} -1 due to an error

{color:red}ERROR:{color} failed to build with patch (exit code 1)

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3876/console

This message is automatically generated.

> Extend the Sync Listener to pass owner information to sentry server.
>
> Key: SENTRY-2241
> URL: https://issues.apache.org/jira/browse/SENTRY-2241
> Project: Sentry
> Issue Type: Sub-task
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: kalyan kumar kalvagadda
> Assignee: kalyan kumar kalvagadda
> Priority: Major
> Attachments: SENTRY-2241.001.patch, SENTRY-2241.002.patch
>
> Sentry has SentrySyncHMSNotificationsPostEventListener which is added as a post
> listener in HMS. This listener should be extended to get the owner
> information of tables and databases.
[jira] [Updated] (SENTRY-2268) Review the required privileges for DDL commands
[ https://issues.apache.org/jira/browse/SENTRY-2268?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergio Peña updated SENTRY-2268:
    Issue Type: Task (was: Bug)

> Review the required privileges for DDL commands
>
> Key: SENTRY-2268
> URL: https://issues.apache.org/jira/browse/SENTRY-2268
> Project: Sentry
> Issue Type: Task
> Reporter: Na Li
> Priority: Major
>
> The privileges required for DDL commands are listed in
> HiveAuthzPrivilegesMap.
> {code}
> addOutputObjectPriviledge(AuthorizableType.Table,
> EnumSet.of(DBModelAction.INSERT, DBModelAction.ALTER))
> {code}
> means the required output privilege is table level insert OR alter.
> {code}
> addOutputObjectPriviledge(AuthorizableType.Table,
> EnumSet.of(DBModelAction.INSERT)).
> addOutputObjectPriviledge(AuthorizableType.Table,
> EnumSet.of(DBModelAction.ALTER))
> {code}
> means the required output privilege is table level insert AND alter.
> We need to review the privileges to see if they are defined correctly. I
> suspect multiple definitions want to have privileges with AND, but end up
> getting privileges with OR.
[jira] [Created] (SENTRY-2268) Review the required privileges for DDL commands
Na Li created SENTRY-2268:

Summary: Review the required privileges for DDL commands
Key: SENTRY-2268
URL: https://issues.apache.org/jira/browse/SENTRY-2268
Project: Sentry
Issue Type: Bug
Reporter: Na Li

The privileges required for DDL commands are listed in HiveAuthzPrivilegesMap.

{code}
addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INSERT, DBModelAction.ALTER))
{code}
means the required output privilege is table level insert OR alter.

{code}
addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INSERT)).
addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALTER))
{code}
means the required output privilege is table level insert AND alter.

We need to review the privileges to see if they are defined correctly. I suspect multiple definitions want to have privileges with AND, but end up getting privileges with OR.
[jira] [Updated] (SENTRY-2267) Listing user privileges fails because roleName field is required on Thrift
[ https://issues.apache.org/jira/browse/SENTRY-2267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergio Peña updated SENTRY-2267:
    Assignee: Sergio Peña
    Status: Patch Available (was: Open)

> Listing user privileges fails because roleName field is required on Thrift
>
> Key: SENTRY-2267
> URL: https://issues.apache.org/jira/browse/SENTRY-2267
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Reporter: Sergio Peña
> Assignee: Sergio Peña
> Priority: Major
> Attachments: SENTRY-2267.1.patch
>
> The SHOW GRANT USER is failing because the Thrift API requires the roleName
> field.
[jira] [Updated] (SENTRY-2267) Listing user privileges fails because roleName field is required on Thrift
[ https://issues.apache.org/jira/browse/SENTRY-2267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergio Peña updated SENTRY-2267:
    Attachment: SENTRY-2267.1.patch

> Listing user privileges fails because roleName field is required on Thrift
>
> Key: SENTRY-2267
> URL: https://issues.apache.org/jira/browse/SENTRY-2267
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Reporter: Sergio Peña
> Priority: Major
> Attachments: SENTRY-2267.1.patch
>
> The SHOW GRANT USER is failing because the Thrift API requires the roleName
> field.
[jira] [Created] (SENTRY-2267) Listing user privileges fails because roleName field is required on Thrift
Sergio Peña created SENTRY-2267:

Summary: Listing user privileges fails because roleName field is required on Thrift
Key: SENTRY-2267
URL: https://issues.apache.org/jira/browse/SENTRY-2267
Project: Sentry
Issue Type: Bug
Components: Sentry
Reporter: Sergio Peña
Attachments: SENTRY-2267.1.patch

The SHOW GRANT USER is failing because the Thrift API requires the roleName field.
[jira] [Resolved] (SENTRY-2262) Sentry client is not compatible when connecting to Sentry 2.0
[ https://issues.apache.org/jira/browse/SENTRY-2262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergio Peña resolved SENTRY-2262.
    Resolution: Fixed
    Fix Version/s: 2.1.0

> Sentry client is not compatible when connecting to Sentry 2.0
>
> Key: SENTRY-2262
> URL: https://issues.apache.org/jira/browse/SENTRY-2262
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Sergio Peña
> Priority: Major
> Fix For: 2.1.0
>
> Attachments: SENTRY-2262.1.patch, SENTRY-2262.2.patch
>
> SENTRY-2162 added a new parameter 'entityName' in
> list_sentry_privileges_by_role() to replace the 'roleName' parameter. The
> change was propagated to the SentryPolicyServiceClientDefaultImpl to use the
> setEntityName(), but this is causing an incompatibility when connecting to a
> previous version of Sentry 2.0.
> The reason is that Sentry 2.0 does not accept an empty role name and it does
> not understand what entity name is. To keep this compatibility, we need to still
> use the role name as a parameter in the client code for the rest of 2.x
> versions until the roleName is removed in a major version of Sentry.
[jira] [Created] (SENTRY-2266) When running unit tests, metastore_db and derby.log get dumped to root directories
Steve Moist created SENTRY-2266:

Summary: When running unit tests, metastore_db and derby.log get dumped to root directories
Key: SENTRY-2266
URL: https://issues.apache.org/jira/browse/SENTRY-2266
Project: Sentry
Issue Type: Bug
Affects Versions: 2.0.0
Reporter: Steve Moist

When I run the unit tests in sentry, metastore_db and derby.log get created in git tracked directories. They are ignored by a .gitignore setting. However, when something changes (such as the refactor of service) the metastore_db files are "out of date" and unit tests fail.

Metastore_db and derby.logs created during unit test runs should be dumped to the target directories where they can be cleaned up and not persisted across multiple runs skewing unit test results.
[jira] [Updated] (SENTRY-2262) Sentry client is not compatible when connecting to Sentry 2.0
[ https://issues.apache.org/jira/browse/SENTRY-2262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergio Peña updated SENTRY-2262:
    Status: Open (was: Patch Available)

> Sentry client is not compatible when connecting to Sentry 2.0
>
> Key: SENTRY-2262
> URL: https://issues.apache.org/jira/browse/SENTRY-2262
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Sergio Peña
> Priority: Major
> Attachments: SENTRY-2262.1.patch, SENTRY-2262.2.patch
>
> SENTRY-2162 added a new parameter 'entityName' in
> list_sentry_privileges_by_role() to replace the 'roleName' parameter. The
> change was propagated to the SentryPolicyServiceClientDefaultImpl to use the
> setEntityName(), but this is causing an incompatibility when connecting to a
> previous version of Sentry 2.0.
> The reason is that Sentry 2.0 does not accept an empty role name and it does
> not understand what entity name is. To keep this compatibility, we need to still
> use the role name as a parameter in the client code for the rest of 2.x
> versions until the roleName is removed in a major version of Sentry.
[jira] [Updated] (SENTRY-2262) Sentry client is not compatible when connecting to Sentry 2.0
[ https://issues.apache.org/jira/browse/SENTRY-2262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergio Peña updated SENTRY-2262:
    Attachment: SENTRY-2262.2.patch

> Sentry client is not compatible when connecting to Sentry 2.0
>
> Key: SENTRY-2262
> URL: https://issues.apache.org/jira/browse/SENTRY-2262
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Sergio Peña
> Priority: Major
> Attachments: SENTRY-2262.1.patch, SENTRY-2262.2.patch
>
> SENTRY-2162 added a new parameter 'entityName' in
> list_sentry_privileges_by_role() to replace the 'roleName' parameter. The
> change was propagated to the SentryPolicyServiceClientDefaultImpl to use the
> setEntityName(), but this is causing an incompatibility when connecting to a
> previous version of Sentry 2.0.
> The reason is that Sentry 2.0 does not accept an empty role name and it does
> not understand what entity name is. To keep this compatibility, we need to still
> use the role name as a parameter in the client code for the rest of 2.x
> versions until the roleName is removed in a major version of Sentry.