[jira] [Commented] (SENTRY-2270) Illegal privileges on columns can be granted on Hive
[ https://issues.apache.org/jira/browse/SENTRY-2270?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16511873#comment-16511873 ] Hadoop QA commented on SENTRY-2270: --- Here are the results of testing the latest attachment https://issues.apache.org/jira/secure/attachment/12927732/SENTRY-2270.1.patch against master. {color:green}Overall:{color} +1 all checks pass {color:green}SUCCESS:{color} all tests passed Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3884/console This message is automatically generated. > Illegal privileges on columns can be granted on Hive > > > Key: SENTRY-2270 > URL: https://issues.apache.org/jira/browse/SENTRY-2270 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: 2.0.0 >Reporter: Sergio Peña >Assignee: Sergio Peña >Priority: Major > Attachments: SENTRY-2270.1.patch > > > It is possible to grant the following privileges on columns in beeline: > ALTER, CREATE, DROP. However, these privileges have no semantics for a column. > For ALL, and INSERT, beeline raises an error if the user tries to grant the > privilege to a column, e.g.: > {noformat} > beeline> grant all(fn) on table tbl1 to role r1; > Error: Error while compiling statement: FAILED: SemanticException Sentry does > not support privilege: All on Column (state=42000,code=4) > beeline> grant insert(fn) on table tbl1 to role r1; > Error: Error while compiling statement: FAILED: SemanticException Sentry does > not support privilege: Insert on Column (state=42000,code=4) > {noformat} > A similar error should be created when granting CREATE, ALTER, and DROP on > column. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SENTRY-2269) Make SentryStore pluggable
[ https://issues.apache.org/jira/browse/SENTRY-2269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16511809#comment-16511809 ] Fahd Siddiqui commented on SENTRY-2269: --- [~akolb] - Basically, there are no backward compatibility guarantees on this interface. The external pluggable implementations of this interface have to deal with this reality. This is basically the same as HMS's RawStore pattern. This doesn't mean it can't be better in a follow on change. We should think about looking at the interface and breaking it up in some fashion that makes sense for maintainability. But, that is a design exercise of its own, and should be done separate to this change (hopefully soon). Just to be sure, I am assuming when you say "modify the API", you mean modify the SentryStoreInterface. Sure, devs will want to do that, and as I said there is no backward compatibility guarantee to this interface. The pluggable implementations would have to upgrade with each breaking version. > Make SentryStore pluggable > -- > > Key: SENTRY-2269 > URL: https://issues.apache.org/jira/browse/SENTRY-2269 > Project: Sentry > Issue Type: Improvement > Components: sentrystore >Affects Versions: 2.1.0 >Reporter: Fahd Siddiqui >Assignee: Fahd Siddiqui >Priority: Major > Attachments: SENTRY-2269.1.patch > > > Make SentryStore pluggable so a different implementation can be plugged in at > run-time using a config property ("sentry.service.sentrystore"), similar to > what we have for processor factories. > This would entail extracting all public methods of SentryStore to a > SentryStoreInterface and converting all call sites to program to the > interface. > It will default to the existing SentryStore. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SENTRY-2224) Support SHOW GRANT on HIVE_OBJECT
[ https://issues.apache.org/jira/browse/SENTRY-2224?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16511802#comment-16511802 ] Hadoop QA commented on SENTRY-2224: --- Here are the results of testing the latest attachment https://issues.apache.org/jira/secure/attachment/12927728/SENTRY-2224.04.patch against master. {color:red}Overall:{color} -1 due to 2 errors {color:red}ERROR:{color} mvn test exited 1 {color:red}ERROR:{color} Failed: org.apache.sentry.api.service.thrift.TestSentryWebServiceForAuthTypeNone Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3885/console This message is automatically generated. > Support SHOW GRANT on HIVE_OBJECT > - > > Key: SENTRY-2224 > URL: https://issues.apache.org/jira/browse/SENTRY-2224 > Project: Sentry > Issue Type: Sub-task >Reporter: Arjun Mishra >Assignee: Arjun Mishra >Priority: Major > Attachments: SENTRY-2224.002.patch, SENTRY-2224.01.patch, > SENTRY-2224.02.patch, SENTRY-2224.03.patch, SENTRY-2224.04.patch > > > Currently Sentry doesn't support Hive command to show privileges on > authorizables without mentioning any role or user name -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SENTRY-2269) Make SentryStore pluggable
[ https://issues.apache.org/jira/browse/SENTRY-2269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16511764#comment-16511764 ] Hadoop QA commented on SENTRY-2269: --- Here are the results of testing the latest attachment https://issues.apache.org/jira/secure/attachment/12927716/SENTRY-2269.1.patch against master. {color:green}Overall:{color} +1 all checks pass {color:green}SUCCESS:{color} all tests passed Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3883/console This message is automatically generated. > Make SentryStore pluggable > -- > > Key: SENTRY-2269 > URL: https://issues.apache.org/jira/browse/SENTRY-2269 > Project: Sentry > Issue Type: Improvement > Components: sentrystore >Affects Versions: 2.1.0 >Reporter: Fahd Siddiqui >Assignee: Fahd Siddiqui >Priority: Major > Attachments: SENTRY-2269.1.patch > > > Make SentryStore pluggable so a different implementation can be plugged in at > run-time using a config property ("sentry.service.sentrystore"), similar to > what we have for processor factories. > This would entail extracting all public methods of SentryStore to a > SentryStoreInterface and converting all call sites to program to the > interface. > It will default to the existing SentryStore. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SENTRY-2224) Support SHOW GRANT on HIVE_OBJECT
[ https://issues.apache.org/jira/browse/SENTRY-2224?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16511749#comment-16511749 ] Arjun Mishra commented on SENTRY-2224: -- Yeah a new SENTRY-2224.04 patch has been attached > Support SHOW GRANT on HIVE_OBJECT > - > > Key: SENTRY-2224 > URL: https://issues.apache.org/jira/browse/SENTRY-2224 > Project: Sentry > Issue Type: Sub-task >Reporter: Arjun Mishra >Assignee: Arjun Mishra >Priority: Major > Attachments: SENTRY-2224.002.patch, SENTRY-2224.01.patch, > SENTRY-2224.02.patch, SENTRY-2224.03.patch, SENTRY-2224.04.patch > > > Currently Sentry doesn't support Hive command to show privileges on > authorizables without mentioning any role or user name -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Comment Edited] (SENTRY-2224) Support SHOW GRANT on HIVE_OBJECT
[ https://issues.apache.org/jira/browse/SENTRY-2224?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16511749#comment-16511749 ] Arjun Mishra edited comment on SENTRY-2224 at 6/13/18 10:51 PM: [~spena] Yeah a new SENTRY-2224.04 patch has been attached was (Author: arjunmishra13): Yeah a new SENTRY-2224.04 patch has been attached > Support SHOW GRANT on HIVE_OBJECT > - > > Key: SENTRY-2224 > URL: https://issues.apache.org/jira/browse/SENTRY-2224 > Project: Sentry > Issue Type: Sub-task >Reporter: Arjun Mishra >Assignee: Arjun Mishra >Priority: Major > Attachments: SENTRY-2224.002.patch, SENTRY-2224.01.patch, > SENTRY-2224.02.patch, SENTRY-2224.03.patch, SENTRY-2224.04.patch > > > Currently Sentry doesn't support Hive command to show privileges on > authorizables without mentioning any role or user name -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2270) Illegal privileges on columns can be granted on Hive
[ https://issues.apache.org/jira/browse/SENTRY-2270?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sergio Peña updated SENTRY-2270: Attachment: SENTRY-2270.1.patch > Illegal privileges on columns can be granted on Hive > > > Key: SENTRY-2270 > URL: https://issues.apache.org/jira/browse/SENTRY-2270 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: 2.0.0 >Reporter: Sergio Peña >Priority: Major > Attachments: SENTRY-2270.1.patch > > > It is possible to grant the following privileges on columns in beeline: > ALTER, CREATE, DROP. However, these privileges have no semantics for a column. > For ALL, and INSERT, beeline raises an error if the user tries to grant the > privilege to a column, e.g.: > {noformat} > beeline> grant all(fn) on table tbl1 to role r1; > Error: Error while compiling statement: FAILED: SemanticException Sentry does > not support privilege: All on Column (state=42000,code=4) > beeline> grant insert(fn) on table tbl1 to role r1; > Error: Error while compiling statement: FAILED: SemanticException Sentry does > not support privilege: Insert on Column (state=42000,code=4) > {noformat} > A similar error should be created when granting CREATE, ALTER, and DROP on > column. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2270) Illegal privileges on columns can be granted on Hive
[ https://issues.apache.org/jira/browse/SENTRY-2270?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sergio Peña updated SENTRY-2270: Assignee: Sergio Peña Status: Patch Available (was: Open) > Illegal privileges on columns can be granted on Hive > > > Key: SENTRY-2270 > URL: https://issues.apache.org/jira/browse/SENTRY-2270 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: 2.0.0 >Reporter: Sergio Peña >Assignee: Sergio Peña >Priority: Major > Attachments: SENTRY-2270.1.patch > > > It is possible to grant the following privileges on columns in beeline: > ALTER, CREATE, DROP. However, these privileges have no semantics for a column. > For ALL, and INSERT, beeline raises an error if the user tries to grant the > privilege to a column, e.g.: > {noformat} > beeline> grant all(fn) on table tbl1 to role r1; > Error: Error while compiling statement: FAILED: SemanticException Sentry does > not support privilege: All on Column (state=42000,code=4) > beeline> grant insert(fn) on table tbl1 to role r1; > Error: Error while compiling statement: FAILED: SemanticException Sentry does > not support privilege: Insert on Column (state=42000,code=4) > {noformat} > A similar error should be created when granting CREATE, ALTER, and DROP on > column. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Created] (SENTRY-2270) Illegal privileges on columns can be granted on Hive
Sergio Peña created SENTRY-2270: --- Summary: Illegal privileges on columns can be granted on Hive Key: SENTRY-2270 URL: https://issues.apache.org/jira/browse/SENTRY-2270 Project: Sentry Issue Type: Bug Components: Sentry Affects Versions: 2.0.0 Reporter: Sergio Peña It is possible to grant the following privileges on columns in beeline: ALTER, CREATE, DROP. However, these privileges have no semantics for a column. For ALL, and INSERT, beeline raises an error if the user tries to grant the privilege to a column, e.g.: {noformat} beeline> grant all(fn) on table tbl1 to role r1; Error: Error while compiling statement: FAILED: SemanticException Sentry does not support privilege: All on Column (state=42000,code=4) beeline> grant insert(fn) on table tbl1 to role r1; Error: Error while compiling statement: FAILED: SemanticException Sentry does not support privilege: Insert on Column (state=42000,code=4) {noformat} A similar error should be created when granting CREATE, ALTER, and DROP on column. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SENTRY-2269) Make SentryStore pluggable
[ https://issues.apache.org/jira/browse/SENTRY-2269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16511732#comment-16511732 ] Fahd Siddiqui commented on SENTRY-2269: --- [~akolb] cc. [~spena] - The use case is that one may want to have an implementation of SentryStore to store the data in a shared environment or proxy the calls to a cloud service instead of a database for persistence. I don't have a use case for other components, but they can. Can you explain "stability levels of SentryStore interfaces"? If you mean pinning it down, then this change doesn't make any claims about that. It only concerns itself by making it a pluggable interface. SentryStoreInterface can be refactored later if it is deemed necessary. I don't intend to include an alternative implementation to Sentry, since it will be a pluggable implementation separate from Sentry code base. > Make SentryStore pluggable > -- > > Key: SENTRY-2269 > URL: https://issues.apache.org/jira/browse/SENTRY-2269 > Project: Sentry > Issue Type: Improvement > Components: sentrystore >Affects Versions: 2.1.0 >Reporter: Fahd Siddiqui >Assignee: Fahd Siddiqui >Priority: Major > Attachments: SENTRY-2269.1.patch > > > Make SentryStore pluggable so a different implementation can be plugged in at > run-time using a config property ("sentry.service.sentrystore"), similar to > what we have for processor factories. > This would entail extracting all public methods of SentryStore to a > SentryStoreInterface and converting all call sites to program to the > interface. > It will default to the existing SentryStore. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2224) Support SHOW GRANT on HIVE_OBJECT
[ https://issues.apache.org/jira/browse/SENTRY-2224?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Arjun Mishra updated SENTRY-2224: - Attachment: SENTRY-2224.04.patch > Support SHOW GRANT on HIVE_OBJECT > - > > Key: SENTRY-2224 > URL: https://issues.apache.org/jira/browse/SENTRY-2224 > Project: Sentry > Issue Type: Sub-task >Reporter: Arjun Mishra >Assignee: Arjun Mishra >Priority: Major > Attachments: SENTRY-2224.002.patch, SENTRY-2224.01.patch, > SENTRY-2224.02.patch, SENTRY-2224.03.patch, SENTRY-2224.04.patch > > > Currently Sentry doesn't support Hive command to show privileges on > authorizables without mentioning any role or user name -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SENTRY-2269) Make SentryStore pluggable
[ https://issues.apache.org/jira/browse/SENTRY-2269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16511717#comment-16511717 ] kalyan kumar kalvagadda commented on SENTRY-2269: - [~akolb] Currently SentryStore is the only backend store implementation for sentry server but making it configurable might be good idea and would open options for implementing alternate implementations in future. > Make SentryStore pluggable > -- > > Key: SENTRY-2269 > URL: https://issues.apache.org/jira/browse/SENTRY-2269 > Project: Sentry > Issue Type: Improvement > Components: sentrystore >Affects Versions: 2.1.0 >Reporter: Fahd Siddiqui >Assignee: Fahd Siddiqui >Priority: Major > Attachments: SENTRY-2269.1.patch > > > Make SentryStore pluggable so a different implementation can be plugged in at > run-time using a config property ("sentry.service.sentrystore"), similar to > what we have for processor factories. > This would entail extracting all public methods of SentryStore to a > SentryStoreInterface and converting all call sites to program to the > interface. > It will default to the existing SentryStore. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2269) Make SentryStore pluggable
[ https://issues.apache.org/jira/browse/SENTRY-2269?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Fahd Siddiqui updated SENTRY-2269: -- Attachment: SENTRY-2269.1.patch Status: Patch Available (was: Open) > Make SentryStore pluggable > -- > > Key: SENTRY-2269 > URL: https://issues.apache.org/jira/browse/SENTRY-2269 > Project: Sentry > Issue Type: Improvement > Components: sentrystore >Affects Versions: 2.1.0 >Reporter: Fahd Siddiqui >Assignee: Fahd Siddiqui >Priority: Major > Attachments: SENTRY-2269.1.patch > > > Make SentryStore pluggable so a different implementation can be plugged in at > run-time using a config property ("sentry.service.sentrystore"), similar to > what we have for processor factories. > This would entail extracting all public methods of SentryStore to a > SentryStoreInterface and converting all call sites to program to the > interface. > It will default to the existing SentryStore. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SENTRY-2269) Make SentryStore pluggable
[ https://issues.apache.org/jira/browse/SENTRY-2269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16511669#comment-16511669 ] Alexander Kolbasov commented on SENTRY-2269: Can you explain why this is a useful feature? What is the use case? Do you envision other components writing different implementations? Does this affect stability levels of SentryStore interfaces? Do you intend to include alternative implementation in a later commit? > Make SentryStore pluggable > -- > > Key: SENTRY-2269 > URL: https://issues.apache.org/jira/browse/SENTRY-2269 > Project: Sentry > Issue Type: Improvement > Components: sentrystore >Affects Versions: 2.1.0 >Reporter: Fahd Siddiqui >Assignee: Fahd Siddiqui >Priority: Major > Attachments: SENTRY-2269.1.patch > > > Make SentryStore pluggable so a different implementation can be plugged in at > run-time using a config property ("sentry.service.sentrystore"), similar to > what we have for processor factories. > This would entail extracting all public methods of SentryStore to a > SentryStoreInterface and converting all call sites to program to the > interface. > It will default to the existing SentryStore. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2269) Make SentryStore pluggable
[ https://issues.apache.org/jira/browse/SENTRY-2269?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Fahd Siddiqui updated SENTRY-2269: -- Attachment: (was: SENTRY-2269.1.patch) > Make SentryStore pluggable > -- > > Key: SENTRY-2269 > URL: https://issues.apache.org/jira/browse/SENTRY-2269 > Project: Sentry > Issue Type: Improvement > Components: sentrystore >Affects Versions: 2.1.0 >Reporter: Fahd Siddiqui >Assignee: Fahd Siddiqui >Priority: Major > > Make SentryStore pluggable so a different implementation can be plugged in at > run-time using a config property ("sentry.service.sentrystore"), similar to > what we have for processor factories. > This would entail extracting all public methods of SentryStore to a > SentryStoreInterface and converting all call sites to program to the > interface. > It will default to the existing SentryStore. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2269) Make SentryStore pluggable
[ https://issues.apache.org/jira/browse/SENTRY-2269?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Fahd Siddiqui updated SENTRY-2269: -- Attachment: SENTRY-2269.1.patch > Make SentryStore pluggable > -- > > Key: SENTRY-2269 > URL: https://issues.apache.org/jira/browse/SENTRY-2269 > Project: Sentry > Issue Type: Improvement > Components: sentrystore >Affects Versions: 2.1.0 >Reporter: Fahd Siddiqui >Assignee: Fahd Siddiqui >Priority: Major > > Make SentryStore pluggable so a different implementation can be plugged in at > run-time using a config property ("sentry.service.sentrystore"), similar to > what we have for processor factories. > This would entail extracting all public methods of SentryStore to a > SentryStoreInterface and converting all call sites to program to the > interface. > It will default to the existing SentryStore. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2269) Make SentryStore pluggable
[ https://issues.apache.org/jira/browse/SENTRY-2269?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Fahd Siddiqui updated SENTRY-2269: -- Attachment: (was: SENTRY-2269.1.patch) > Make SentryStore pluggable > -- > > Key: SENTRY-2269 > URL: https://issues.apache.org/jira/browse/SENTRY-2269 > Project: Sentry > Issue Type: Improvement > Components: sentrystore >Affects Versions: 2.1.0 >Reporter: Fahd Siddiqui >Assignee: Fahd Siddiqui >Priority: Major > > Make SentryStore pluggable so a different implementation can be plugged in at > run-time using a config property ("sentry.service.sentrystore"), similar to > what we have for processor factories. > This would entail extracting all public methods of SentryStore to a > SentryStoreInterface and converting all call sites to program to the > interface. > It will default to the existing SentryStore. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2269) Make SentryStore pluggable
[ https://issues.apache.org/jira/browse/SENTRY-2269?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Fahd Siddiqui updated SENTRY-2269: -- Status: Open (was: Patch Available) > Make SentryStore pluggable > -- > > Key: SENTRY-2269 > URL: https://issues.apache.org/jira/browse/SENTRY-2269 > Project: Sentry > Issue Type: Improvement > Components: sentrystore >Affects Versions: 2.1.0 >Reporter: Fahd Siddiqui >Assignee: Fahd Siddiqui >Priority: Major > > Make SentryStore pluggable so a different implementation can be plugged in at > run-time using a config property ("sentry.service.sentrystore"), similar to > what we have for processor factories. > This would entail extracting all public methods of SentryStore to a > SentryStoreInterface and converting all call sites to program to the > interface. > It will default to the existing SentryStore. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SENTRY-2269) Make SentryStore pluggable
[ https://issues.apache.org/jira/browse/SENTRY-2269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16511649#comment-16511649 ] Hadoop QA commented on SENTRY-2269: --- Here are the results of testing the latest attachment https://issues.apache.org/jira/secure/attachment/12927684/SENTRY-2269.1.patch against master. {color:red}Overall:{color} -1 due to 7 errors {color:red}ERROR:{color} mvn test exited 1 {color:red}ERROR:{color} Failed: org.apache.sentry.tests.e2e.dbprovider.TestHmsNotificationProcessingWithOutHdfsSync {color:red}ERROR:{color} Failed: org.apache.sentry.tests.e2e.dbprovider.TestHmsNotificationProcessingWithOutHdfsSync {color:red}ERROR:{color} Failed: org.apache.sentry.tests.e2e.dbprovider.TestDbPrivilegeCleanupOnDrop {color:red}ERROR:{color} Failed: org.apache.sentry.tests.e2e.dbprovider.TestHmsNotificationProcessingWithOutSyncOnDrop {color:red}ERROR:{color} Failed: org.apache.sentry.tests.e2e.hdfs.TestHDFSIntegrationTogglingConf {color:red}ERROR:{color} Failed: org.apache.sentry.tests.e2e.dbprovider.TestHmsNotificationProcessingWithOutSyncOnCreate Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3882/console This message is automatically generated. > Make SentryStore pluggable > -- > > Key: SENTRY-2269 > URL: https://issues.apache.org/jira/browse/SENTRY-2269 > Project: Sentry > Issue Type: Improvement > Components: sentrystore >Affects Versions: 2.1.0 >Reporter: Fahd Siddiqui >Assignee: Fahd Siddiqui >Priority: Major > Attachments: SENTRY-2269.1.patch > > > Make SentryStore pluggable so a different implementation can be plugged in at > run-time using a config property ("sentry.service.sentrystore"), similar to > what we have for processor factories. > This would entail extracting all public methods of SentryStore to a > SentryStoreInterface and converting all call sites to program to the > interface. > It will default to the existing SentryStore. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SENTRY-2224) Support SHOW GRANT on HIVE_OBJECT
[ https://issues.apache.org/jira/browse/SENTRY-2224?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16511596#comment-16511596 ] Sergio Peña commented on SENTRY-2224: - [~arjunmishra13] I think you should rebase this patch. I tried to apply it but it fails. > Support SHOW GRANT on HIVE_OBJECT > - > > Key: SENTRY-2224 > URL: https://issues.apache.org/jira/browse/SENTRY-2224 > Project: Sentry > Issue Type: Sub-task >Reporter: Arjun Mishra >Assignee: Arjun Mishra >Priority: Major > Attachments: SENTRY-2224.002.patch, SENTRY-2224.01.patch, > SENTRY-2224.02.patch, SENTRY-2224.03.patch > > > Currently Sentry doesn't support Hive command to show privileges on > authorizables without mentioning any role or user name -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2269) Make SentryStore pluggable
[ https://issues.apache.org/jira/browse/SENTRY-2269?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Fahd Siddiqui updated SENTRY-2269: -- Fix Version/s: (was: 2.1.0) Affects Version/s: (was: 1.8.0) 2.1.0 Attachment: SENTRY-2269.1.patch Status: Patch Available (was: In Progress) > Make SentryStore pluggable > -- > > Key: SENTRY-2269 > URL: https://issues.apache.org/jira/browse/SENTRY-2269 > Project: Sentry > Issue Type: Improvement > Components: sentrystore >Affects Versions: 2.1.0 >Reporter: Fahd Siddiqui >Assignee: Fahd Siddiqui >Priority: Major > Attachments: SENTRY-2269.1.patch > > > Make SentryStore pluggable so a different implementation can be plugged in at > run-time using a config property ("sentry.service.sentrystore"), similar to > what we have for processor factories. > This would entail extracting all public methods of SentryStore to a > SentryStoreInterface and converting all call sites to program to the > interface. > It will default to the existing SentryStore. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SENTRY-2264) It is possible to elevate privileges from DROP using alter table rename
[ https://issues.apache.org/jira/browse/SENTRY-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16511447#comment-16511447 ] Sergio Peña commented on SENTRY-2264: - The ALTER privilege is also required in the source table as it is the action the user is doing ALTER TABLE. We don't have a DELETE privilege yet, so should we treat this case as the user requires ALL privileges in the source table instead? Why is the ALTER privilege required on the destination? Is the INSERT on the database needed? This means the user won't be able to move tables between databases they have CREATE privileges. The CREATE comes with OWNER privileges, so the user will end up having ALL privileges in the table anyway. Which brings an interesting question, if I have ALL privileges (but not ownership) and I move the table, then I will transfer the ownership to me. We need to check if HMS generates only an ALTER operation in this cases of if it generates DROP and CREATE events which will complicate things. If ownership is disabled, then If the user has ALL privileges in the source table, then when moving the table those privileges will be moved so the user will have ALL privileges in the destination table. > It is possible to elevate privileges from DROP using alter table rename > --- > > Key: SENTRY-2264 > URL: https://issues.apache.org/jira/browse/SENTRY-2264 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: 2.1.0 >Reporter: Na Li >Assignee: Na Li >Priority: Major > Attachments: SENTRY-2264.001.patch, SENTRY-2264.002.patch > > > After introducing FGP, a user with only DROP on a database db1 and at least > CREATE on db2 can run ALTER TABLE RENAME db1.table1 db2.table2, and thus > elevate their privileges. > To reproduce: > As admin (e.g. hive): > 1. Create db1, db1.table1, db2, role r1. > 2. Grant DROP on db1 to role r1. > 3. Grant ALL on db2 to role r1 > 4. Grant role r1 to user testuser1. > As testuser1: > 1. use db1; alter table db1.table1 rename to db2.table1 > 2. select * from db2. table1 > Result: the select command succeeds. > Desired behavior: > we should at least require following privileges to execute the table rename > command: > table level "SELECT" and database level "DELECT" at source > database level "CREATE" at destination. > The reason we don't require "alter, insert" for destination DB is that > "alter" and "insert" is table level privileges and when "alter table rename" > command is executed, there is no table in destination DB. So we cannot > enforce these table level privileges. Therefore the only change is add > table-level "select" privilege in required input privileges -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Created] (SENTRY-2269) Make SentryStore pluggable
Fahd Siddiqui created SENTRY-2269: - Summary: Make SentryStore pluggable Key: SENTRY-2269 URL: https://issues.apache.org/jira/browse/SENTRY-2269 Project: Sentry Issue Type: Improvement Components: sentrystore Affects Versions: 1.8.0 Reporter: Fahd Siddiqui Assignee: Fahd Siddiqui Fix For: 2.1.0 Make SentryStore pluggable so a different implementation can be plugged in at run-time using a config property ("sentry.service.sentrystore"), similar to what we have for processor factories. This would entail extracting all public methods of SentryStore to a SentryStoreInterface and converting all call sites to program to the interface. It will default to the existing SentryStore. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (SENTRY-2241) Extend the Sync Listener to pass owner information to sentry server.
[ https://issues.apache.org/jira/browse/SENTRY-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16511435#comment-16511435 ] Hadoop QA commented on SENTRY-2241: --- Here are the results of testing the latest attachment https://issues.apache.org/jira/secure/attachment/12927668/SENTRY-2241.004.patch against master. {color:green}Overall:{color} +1 all checks pass {color:green}SUCCESS:{color} all tests passed Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3881/console This message is automatically generated. > Extend the Sync Listener to pass owner information to sentry server. > > > Key: SENTRY-2241 > URL: https://issues.apache.org/jira/browse/SENTRY-2241 > Project: Sentry > Issue Type: Sub-task > Components: Sentry >Affects Versions: 2.1.0 >Reporter: kalyan kumar kalvagadda >Assignee: kalyan kumar kalvagadda >Priority: Major > Attachments: SENTRY-2241.001.patch, SENTRY-2241.004.patch > > > Sentry has SentrySyncHMSNotificationsPostEventListener which is added a post > listener in HMS. This listener should be extended to get the owner > information of tables and databases. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2241) Extend the Sync Listener to pass owner information to sentry server.
[ https://issues.apache.org/jira/browse/SENTRY-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] kalyan kumar kalvagadda updated SENTRY-2241: Attachment: SENTRY-2241.004.patch > Extend the Sync Listener to pass owner information to sentry server. > > > Key: SENTRY-2241 > URL: https://issues.apache.org/jira/browse/SENTRY-2241 > Project: Sentry > Issue Type: Sub-task > Components: Sentry >Affects Versions: 2.1.0 >Reporter: kalyan kumar kalvagadda >Assignee: kalyan kumar kalvagadda >Priority: Major > Attachments: SENTRY-2241.001.patch, SENTRY-2241.004.patch > > > Sentry has SentrySyncHMSNotificationsPostEventListener which is added a post > listener in HMS. This listener should be extended to get the owner > information of tables and databases. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2241) Extend the Sync Listener to pass owner information to sentry server.
[ https://issues.apache.org/jira/browse/SENTRY-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] kalyan kumar kalvagadda updated SENTRY-2241: Attachment: (was: SENTRY-2241.004.patch) > Extend the Sync Listener to pass owner information to sentry server. > > > Key: SENTRY-2241 > URL: https://issues.apache.org/jira/browse/SENTRY-2241 > Project: Sentry > Issue Type: Sub-task > Components: Sentry >Affects Versions: 2.1.0 >Reporter: kalyan kumar kalvagadda >Assignee: kalyan kumar kalvagadda >Priority: Major > Attachments: SENTRY-2241.001.patch, SENTRY-2241.004.patch > > > Sentry has SentrySyncHMSNotificationsPostEventListener which is added a post > listener in HMS. This listener should be extended to get the owner > information of tables and databases. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (SENTRY-2267) Listing user privileges fails because roleName field is required on Thrift
[ https://issues.apache.org/jira/browse/SENTRY-2267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sergio Peña updated SENTRY-2267: Resolution: Fixed Fix Version/s: 2.1.0 Status: Resolved (was: Patch Available) > Listing user privileges fails because roleName field is required on Thrift > -- > > Key: SENTRY-2267 > URL: https://issues.apache.org/jira/browse/SENTRY-2267 > Project: Sentry > Issue Type: Bug > Components: Sentry >Reporter: Sergio Peña >Assignee: Sergio Peña >Priority: Major > Fix For: 2.1.0 > > Attachments: SENTRY-2267.1.patch > > > The SHOW GRANT USER is failing because the Thrift API requires the roleName > field. -- This message was sent by Atlassian JIRA (v7.6.3#76005)