[jira] [Commented] (SENTRY-947) Improve error message in HDFS NN Plugin when unable to connect to Sentry
[ https://issues.apache.org/jira/browse/SENTRY-947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15313080#comment-15313080 ] Sravya Tirukkovalur commented on SENTRY-947: Thanks for your contribution [~vramasamy]! +1. LGTM. Pending precommit run. > Improve error message in HDFS NN Plugin when unable to connect to Sentry > > > Key: SENTRY-947 > URL: https://issues.apache.org/jira/browse/SENTRY-947 > Project: Sentry > Issue Type: Bug > Components: Hdfs Plugin >Affects Versions: 1.6.0 >Reporter: Lenni Kuff >Assignee: Venkatesh Ramasamy > Attachments: SENTRY-947.patch > > > The error we currently get is: > {code} > ERROR org.apache.sentry.hdfs.SentryUpdater: Error connecting to Sentry > ['null'] !! > {code} > This isn't very useful and we should include more information in the error or > drop the 'null' part. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-918) Upgrade hive version 1.1.0 to the recent ones to include hive side fixes.
[ https://issues.apache.org/jira/browse/SENTRY-918?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15313051#comment-15313051 ] Sravya Tirukkovalur commented on SENTRY-918: We already on 1.1.0, can we close this jira? > Upgrade hive version 1.1.0 to the recent ones to include hive side fixes. > - > > Key: SENTRY-918 > URL: https://issues.apache.org/jira/browse/SENTRY-918 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: 1.5.1, 1.6.0 >Reporter: Anne Yu > > We recently found some sentry bugs because of older Hive version. For > example, SENTRY-745, we could bump up Hive version to include the most recent > fixes, for example, HIVE-10875. > [~lskuff], [~sravya], [~guoquan], [~colin_mjj], file a jira here to track > this issue. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Resolved] (SENTRY-975) [Unit test failure] Investigate failure and re-enable TestConnectionWithTicketTimeout.testConnectionAfterTicketTimeout
[ https://issues.apache.org/jira/browse/SENTRY-975?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur resolved SENTRY-975. Resolution: Cannot Reproduce Assignee: Sravya Tirukkovalur It was disabled in the test runs as it sleeps for 5 minutes to be able to check ticket expiration. Let me know if you all think 5 mins is fine and would prefer enabling the test. I just ran this test locally as I was working on a kerberos related item and test passes. > [Unit test failure] Investigate failure and re-enable > TestConnectionWithTicketTimeout.testConnectionAfterTicketTimeout > -- > > Key: SENTRY-975 > URL: https://issues.apache.org/jira/browse/SENTRY-975 > Project: Sentry > Issue Type: Bug > Components: Test >Affects Versions: 1.7.0 >Reporter: Lenni Kuff >Assignee: Sravya Tirukkovalur > > In SENTRY-515 > TestConnectionWithTicketTimeout.testConnectionAfterTicketTimeout was disabled > because it was causing test failures. We should investigate this further to > understand the root cause and fix the problem. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-947) Improve error message in HDFS NN Plugin when unable to connect to Sentry
[ https://issues.apache.org/jira/browse/SENTRY-947?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-947: --- Status: Patch Available (was: Open) > Improve error message in HDFS NN Plugin when unable to connect to Sentry > > > Key: SENTRY-947 > URL: https://issues.apache.org/jira/browse/SENTRY-947 > Project: Sentry > Issue Type: Bug > Components: Hdfs Plugin >Affects Versions: 1.6.0 >Reporter: Lenni Kuff >Assignee: Venkatesh Ramasamy > Attachments: SENTRY-947.patch > > > The error we currently get is: > {code} > ERROR org.apache.sentry.hdfs.SentryUpdater: Error connecting to Sentry > ['null'] !! > {code} > This isn't very useful and we should include more information in the error or > drop the 'null' part. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-853) Handle show grant on failure correctly
[ https://issues.apache.org/jira/browse/SENTRY-853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-853: --- Issue Type: Improvement (was: Bug) > Handle show grant on failure correctly > - > > Key: SENTRY-853 > URL: https://issues.apache.org/jira/browse/SENTRY-853 > Project: Sentry > Issue Type: Improvement >Reporter: Sravya Tirukkovalur > > {noformat} > 0: jdbc:hive2://a2110.halxg.cloudera.com:1000> show grant on table pageviews; > Error: Error while compiling statement: FAILED: SemanticException Sentry does > not allow privileges to be granted/revoked to/from: USER > (state=42000,code=4) > {noformat} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-351) Hive bindings should use the Database entity to extract database name
[ https://issues.apache.org/jira/browse/SENTRY-351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15313092#comment-15313092 ] Sravya Tirukkovalur commented on SENTRY-351: [~vspector] will you be interested in picking this up? > Hive bindings should use the Database entity to extract database name > - > > Key: SENTRY-351 > URL: https://issues.apache.org/jira/browse/SENTRY-351 > Project: Sentry > Issue Type: Improvement >Affects Versions: 1.4.0 >Reporter: Prasad Mujumdar > Attachments: SENTRY-351.001.patch > > > Hive bindings with Hive 0.13 should use the Database entity to extract > database name instead of extracting the database from compiler structure. > This will simplify the binding code that's currently tied to Hive compiler > internals. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-947) Improve error message in HDFS NN Plugin when unable to connect to Sentry
[ https://issues.apache.org/jira/browse/SENTRY-947?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-947: --- Assignee: Venkatesh Ramasamy > Improve error message in HDFS NN Plugin when unable to connect to Sentry > > > Key: SENTRY-947 > URL: https://issues.apache.org/jira/browse/SENTRY-947 > Project: Sentry > Issue Type: Bug > Components: Hdfs Plugin >Affects Versions: 1.6.0 >Reporter: Lenni Kuff >Assignee: Venkatesh Ramasamy > Attachments: SENTRY-947.patch > > > The error we currently get is: > {code} > ERROR org.apache.sentry.hdfs.SentryUpdater: Error connecting to Sentry > ['null'] !! > {code} > This isn't very useful and we should include more information in the error or > drop the 'null' part. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-462) Unable to get exception when sentry service down after initialize HadoopGroupResourceAuthorization
[ https://issues.apache.org/jira/browse/SENTRY-462?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-462: --- Issue Type: Improvement (was: Bug) > Unable to get exception when sentry service down after initialize > HadoopGroupResourceAuthorization > -- > > Key: SENTRY-462 > URL: https://issues.apache.org/jira/browse/SENTRY-462 > Project: Sentry > Issue Type: Improvement >Affects Versions: 1.4.0 >Reporter: Johnson Lin > > Our project is integrating sentry and we find a problem when we stop sentry > service(or make the sentry service crashed) after initialize > HadoopGroupResourceAuthorizationProvider. That is to say > SimpleDBProviderBackend can't throw exception and only return an ImmutableSet > which size is 0 when sentry service down. We found that the method > getPrivileges in SimpleDBProviderBackend catch the exception and just print > the message like "Unable to obtain privileges from server: ". Is that make > sense. The problem is the module which use sentry cannot get clearly reason > that sentry service crash or use has not permission to some hive table. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1232) Evaluate SKEWED_COL_VALUE_LOC_MAP for Sentry HDFS sync
[ https://issues.apache.org/jira/browse/SENTRY-1232?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1232: Issue Type: Task (was: Improvement) > Evaluate SKEWED_COL_VALUE_LOC_MAP for Sentry HDFS sync > -- > > Key: SENTRY-1232 > URL: https://issues.apache.org/jira/browse/SENTRY-1232 > Project: Sentry > Issue Type: Task >Reporter: Sravya Tirukkovalur > > Permissions for all locations that map to a Hive Object are synced by the > hdfs sentry plugin. Seems like we may need to evaluate and confirm we are > handling the locations in SKEWED_COL_VALUE_LOC_MAP table in HMS. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-947) Improve error message in HDFS NN Plugin when unable to connect to Sentry
[ https://issues.apache.org/jira/browse/SENTRY-947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15313084#comment-15313084 ] Sravya Tirukkovalur commented on SENTRY-947: Can you change the status to "patch available" so that precommit build will be triggered? Although this is a comment only change, we usually only commit changes after regression tests pass. > Improve error message in HDFS NN Plugin when unable to connect to Sentry > > > Key: SENTRY-947 > URL: https://issues.apache.org/jira/browse/SENTRY-947 > Project: Sentry > Issue Type: Bug > Components: Hdfs Plugin >Affects Versions: 1.6.0 >Reporter: Lenni Kuff >Assignee: Venkatesh Ramasamy > Attachments: SENTRY-947.patch > > > The error we currently get is: > {code} > ERROR org.apache.sentry.hdfs.SentryUpdater: Error connecting to Sentry > ['null'] !! > {code} > This isn't very useful and we should include more information in the error or > drop the 'null' part. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-947) Improve error message in HDFS NN Plugin when unable to connect to Sentry
[ https://issues.apache.org/jira/browse/SENTRY-947?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-947: --- Resolution: Fixed Fix Version/s: 1.8.0 Status: Resolved (was: Patch Available) Committed to master. Thank you for your first contribution [~vramasamy]! > Improve error message in HDFS NN Plugin when unable to connect to Sentry > > > Key: SENTRY-947 > URL: https://issues.apache.org/jira/browse/SENTRY-947 > Project: Sentry > Issue Type: Bug > Components: Hdfs Plugin >Affects Versions: 1.6.0 >Reporter: Lenni Kuff >Assignee: Venkatesh Ramasamy > Fix For: 1.8.0 > > Attachments: SENTRY-947.patch > > > The error we currently get is: > {code} > ERROR org.apache.sentry.hdfs.SentryUpdater: Error connecting to Sentry > ['null'] !! > {code} > This isn't very useful and we should include more information in the error or > drop the 'null' part. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1295) Investigate malformed paths in HMS db
[ https://issues.apache.org/jira/browse/SENTRY-1295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15319239#comment-15319239 ] Sravya Tirukkovalur commented on SENTRY-1295: - Another data point: null location for partition. > Investigate malformed paths in HMS db > - > > Key: SENTRY-1295 > URL: https://issues.apache.org/jira/browse/SENTRY-1295 > Project: Sentry > Issue Type: Bug >Reporter: Sravya Tirukkovalur > > Paths in HMS are expected to be in one of these forms: > * hdfs://hostname:port/path > * hdfs:///path > * /path, in which case, scheme will be constructed from > FileSystem.getDefaultURI > * URIs with non hdfs scheme will just be ignored > I came across atleast 2 sentry users where HMS did have paths which do not > comply with above rules and hence HMS plugin initialization for pathupdates > failed. See sentry-1260 and sentry-1270 for details on how these errors > surface. > With 1260 and 1270 we should have more information on what these malformed > paths were. But we should continue to investigate and fix the root cause, It > would most likely be in HMS code base. Until then, here is how you can > diagnose and fix it manually: > *Look for malformed paths in HMS* : Look in DBS as well as SDS tables. > {code} > SELECT "NAME", "DB_LOCATION_URI" FROM "DBS" WHERE NOT "DB_LOCATION_URI" LIKE > 'hdfs://%/%'; > NAME | DB_LOCATION_URI > ---+ > db_name | hdfs://nameservice1 > (1 row) > {code} > *Fix it manually updating the HMS location* > {code} > UPDATE DBS > SET DB_LOCATION_URI='hdfs://nameservice1/user/hive/warehouse/db_name.db' > WHERE DB_ID=12345; > {code} > Lets track occurrences of these malformed paths here: > * hdfs://nameservice1 : Not sure why would any one create a db/table in root > directory? Should we accept this in Sentry? > What does SKEWED_COL_VALUE_LOC_MAP.location in HMS correspond to? Double > check if there are any malformed paths here? -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (SENTRY-1316) Implement Sentry leadership election
Sravya Tirukkovalur created SENTRY-1316: --- Summary: Implement Sentry leadership election Key: SENTRY-1316 URL: https://issues.apache.org/jira/browse/SENTRY-1316 Project: Sentry Issue Type: Sub-task Reporter: Sravya Tirukkovalur -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1315) Add an interface in WebUI to request for a Sentry full update
[ https://issues.apache.org/jira/browse/SENTRY-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1315: Component/s: (was: Hdfs Plugin) > Add an interface in WebUI to request for a Sentry full update > - > > Key: SENTRY-1315 > URL: https://issues.apache.org/jira/browse/SENTRY-1315 > Project: Sentry > Issue Type: Task >Reporter: Hao Hao >Assignee: Hao Hao > > It would be benefit for debuggability and supportability to have a use > interface for requesting a full Sentry update for HDFS sync feature. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (SENTRY-1318) Persist HMS DDL changes to NotificationLog
Sravya Tirukkovalur created SENTRY-1318: --- Summary: Persist HMS DDL changes to NotificationLog Key: SENTRY-1318 URL: https://issues.apache.org/jira/browse/SENTRY-1318 Project: Sentry Issue Type: Sub-task Reporter: Sravya Tirukkovalur -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1318) Persist HMS DDL changes to NotificationLog and use HMS API to get recent notifications
[ https://issues.apache.org/jira/browse/SENTRY-1318?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1318: Summary: Persist HMS DDL changes to NotificationLog and use HMS API to get recent notifications (was: Persist HMS DDL changes to NotificationLog) > Persist HMS DDL changes to NotificationLog and use HMS API to get recent > notifications > -- > > Key: SENTRY-1318 > URL: https://issues.apache.org/jira/browse/SENTRY-1318 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur > Fix For: 1.8.0 > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-709) Refactor Sentry HDFS Namenode Plugin to use HDFS INodeAttributesProvider
[ https://issues.apache.org/jira/browse/SENTRY-709?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-709: --- Priority: Critical (was: Major) > Refactor Sentry HDFS Namenode Plugin to use HDFS INodeAttributesProvider > > > Key: SENTRY-709 > URL: https://issues.apache.org/jira/browse/SENTRY-709 > Project: Sentry > Issue Type: Improvement > Components: Hdfs Plugin >Reporter: Arun Suresh >Assignee: Sravya Tirukkovalur >Priority: Critical > Labels: integration, roadmap > Attachments: SENTRY-709.1.patch, SENTRY-709.2.patch, > SENTRY-709.2.patch > > > Sentry HDFS namenode plugin uses a pre-committed version of the HDFS > AuthorizationProvider interface. HADOOP 2.7.0 will ship with the new > INodeAttributesProvider interface. > The Namenode plugin has to be refactored to use this new interface. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-709) Refactor Sentry HDFS Namenode Plugin to use HDFS INodeAttributesProvider
[ https://issues.apache.org/jira/browse/SENTRY-709?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-709: --- Component/s: Hdfs Plugin > Refactor Sentry HDFS Namenode Plugin to use HDFS INodeAttributesProvider > > > Key: SENTRY-709 > URL: https://issues.apache.org/jira/browse/SENTRY-709 > Project: Sentry > Issue Type: Improvement > Components: Hdfs Plugin >Reporter: Arun Suresh >Assignee: Sravya Tirukkovalur > Labels: integration, roadmap > Attachments: SENTRY-709.1.patch, SENTRY-709.2.patch, > SENTRY-709.2.patch > > > Sentry HDFS namenode plugin uses a pre-committed version of the HDFS > AuthorizationProvider interface. HADOOP 2.7.0 will ship with the new > INodeAttributesProvider interface. > The Namenode plugin has to be refactored to use this new interface. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (SENTRY-1317) Implement fencing required for active/passive
Sravya Tirukkovalur created SENTRY-1317: --- Summary: Implement fencing required for active/passive Key: SENTRY-1317 URL: https://issues.apache.org/jira/browse/SENTRY-1317 Project: Sentry Issue Type: Sub-task Reporter: Sravya Tirukkovalur -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1316) Implement Sentry leadership election
[ https://issues.apache.org/jira/browse/SENTRY-1316?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1316: Component/s: (was: Hdfs Plugin) > Implement Sentry leadership election > > > Key: SENTRY-1316 > URL: https://issues.apache.org/jira/browse/SENTRY-1316 > Project: Sentry > Issue Type: Sub-task >Reporter: Sravya Tirukkovalur > Fix For: 1.8.0 > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1317) Implement fencing required for active/passive
[ https://issues.apache.org/jira/browse/SENTRY-1317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1317: Component/s: (was: Hdfs Plugin) > Implement fencing required for active/passive > - > > Key: SENTRY-1317 > URL: https://issues.apache.org/jira/browse/SENTRY-1317 > Project: Sentry > Issue Type: Sub-task >Reporter: Sravya Tirukkovalur > Fix For: 1.8.0 > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-876) Handle path updates when Sentry HA + HDFS sync - Send updates to all sentry instances
[ https://issues.apache.org/jira/browse/SENTRY-876?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-876: --- Resolution: Invalid Status: Resolved (was: Patch Available) Closing the old Sentry HA items, as we are redesigning it. Feel free to reopen if needed. > Handle path updates when Sentry HA + HDFS sync - Send updates to all sentry > instances > - > > Key: SENTRY-876 > URL: https://issues.apache.org/jira/browse/SENTRY-876 > Project: Sentry > Issue Type: New Feature >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Attachments: SENTRY-876.0.patch > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Resolved] (SENTRY-877) Recreate the metastore cache if ZK connection is lost.
[ https://issues.apache.org/jira/browse/SENTRY-877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur resolved SENTRY-877. Resolution: Invalid Closing the old Sentry HA items, as we are redesigning it. Feel free to reopen if needed. > Recreate the metastore cache if ZK connection is lost. > -- > > Key: SENTRY-877 > URL: https://issues.apache.org/jira/browse/SENTRY-877 > Project: Sentry > Issue Type: Task >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur >Priority: Minor > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-879) Add metrics for HDFS Sync when Sentry HA and HMS HA
[ https://issues.apache.org/jira/browse/SENTRY-879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-879: --- Issue Type: Sub-task (was: New Feature) Parent: SENTRY-872 > Add metrics for HDFS Sync when Sentry HA and HMS HA > --- > > Key: SENTRY-879 > URL: https://issues.apache.org/jira/browse/SENTRY-879 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Resolved] (SENTRY-795) HDFS permissions do not sync when Sentry restarts in HA mode.
[ https://issues.apache.org/jira/browse/SENTRY-795?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur resolved SENTRY-795. Resolution: Invalid Closing the old Sentry HA items, as we are redesigning it. > HDFS permissions do not sync when Sentry restarts in HA mode. > - > > Key: SENTRY-795 > URL: https://issues.apache.org/jira/browse/SENTRY-795 > Project: Sentry > Issue Type: Bug >Affects Versions: 1.5.0 >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-871) Refactor HA components based on Sentry-852
[ https://issues.apache.org/jira/browse/SENTRY-871?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-871: --- Summary: Refactor HA components based on Sentry-852 (was: Refactor HA components based on Sentry-870) > Refactor HA components based on Sentry-852 > -- > > Key: SENTRY-871 > URL: https://issues.apache.org/jira/browse/SENTRY-871 > Project: Sentry > Issue Type: Improvement > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Resolved] (SENTRY-873) [HMS HA] Have a HMS leader which would be responsible for sending path updates to Sentry
[ https://issues.apache.org/jira/browse/SENTRY-873?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur resolved SENTRY-873. Resolution: Invalid > [HMS HA] Have a HMS leader which would be responsible for sending path > updates to Sentry > > > Key: SENTRY-873 > URL: https://issues.apache.org/jira/browse/SENTRY-873 > Project: Sentry > Issue Type: Improvement >Affects Versions: 1.5.0 >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: 1.8.0 > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-873) [HMS HA] Have a HMS leader which would be responsible for sending path updates to Sentry
[ https://issues.apache.org/jira/browse/SENTRY-873?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15319496#comment-15319496 ] Sravya Tirukkovalur commented on SENTRY-873: Closing the old Sentry HA items, as we are redesigning it. Feel free to reopen it if you disagree. > [HMS HA] Have a HMS leader which would be responsible for sending path > updates to Sentry > > > Key: SENTRY-873 > URL: https://issues.apache.org/jira/browse/SENTRY-873 > Project: Sentry > Issue Type: Improvement >Affects Versions: 1.5.0 >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: 1.8.0 > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Assigned] (SENTRY-662) SentryServiceIntegrationBase should use UGI based login
[ https://issues.apache.org/jira/browse/SENTRY-662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur reassigned SENTRY-662: -- Assignee: Sravya Tirukkovalur (was: Prasad Mujumdar) > SentryServiceIntegrationBase should use UGI based login > --- > > Key: SENTRY-662 > URL: https://issues.apache.org/jira/browse/SENTRY-662 > Project: Sentry > Issue Type: Improvement >Affects Versions: 1.5.1 >Reporter: Prasad Mujumdar >Assignee: Sravya Tirukkovalur > Fix For: 1.8.0 > > Attachments: SENTRY-662.1.patch > > > With Sentry HA the service client makes the service connection on the first > client api. This is done in order to propagate the exception cleanly to the > caller. > The SentryServiceIntegrationBase currently performs direct Jaas login and > passes the subject to transport open only. Now that any API can open the > connection, this is not sufficient. > We should use the UGI login for the tests as well which handles passing the > right subject to transport level open. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Resolved] (SENTRY-882) HMS leader should handle out of order updates when HA
[ https://issues.apache.org/jira/browse/SENTRY-882?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur resolved SENTRY-882. Resolution: Invalid Closing the old Sentry HA items, as we are redesigning it. Feel free to reopen if needed. > HMS leader should handle out of order updates when HA > - > > Key: SENTRY-882 > URL: https://issues.apache.org/jira/browse/SENTRY-882 > Project: Sentry > Issue Type: Task > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-872) Uber jira for HMS HA + Sentry HA redesign
[ https://issues.apache.org/jira/browse/SENTRY-872?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-872: --- Summary: Uber jira for HMS HA + Sentry HA redesign (was: Uber jira for HMS HA + Sentry HA with HDFS plugin improvements) > Uber jira for HMS HA + Sentry HA redesign > - > > Key: SENTRY-872 > URL: https://issues.apache.org/jira/browse/SENTRY-872 > Project: Sentry > Issue Type: Improvement > Components: Hdfs Plugin >Affects Versions: 1.5.0 >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: 1.8.0 > > Attachments: SENTRY-872.0.patch, SENTRY-872.pdf, SENTRY-872_design.pdf > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-840) Do not allow async initial updater of MetaStore cache
[ https://issues.apache.org/jira/browse/SENTRY-840?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-840: --- Issue Type: Sub-task (was: Improvement) Parent: SENTRY-1314 > Do not allow async initial updater of MetaStore cache > - > > Key: SENTRY-840 > URL: https://issues.apache.org/jira/browse/SENTRY-840 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > > Allowing metastore cache to be initialized asynchronously can be very fragile > and should be recommended against. We should either > 1. Make it strictly synchronous > 2. Or add more testing around async path if there is enough request. > If we take route 1, we can get rid of the updateQueue and syncsent in > MetaStorePlugin. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-874) Handle HMS updates correctly while full update is being built
[ https://issues.apache.org/jira/browse/SENTRY-874?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-874: --- Issue Type: Sub-task (was: Improvement) Parent: SENTRY-1314 > Handle HMS updates correctly while full update is being built > - > > Key: SENTRY-874 > URL: https://issues.apache.org/jira/browse/SENTRY-874 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Affects Versions: 1.5.0 >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: 1.8.0 > > > We have two options here: > 1. Have a lock for path update + notify sentry. So that a partial update > would just block until the full update completes building and notifying > Sentry. > 2. Make sure path update duplicates are handled well in HMSPaths and > SentryPlugin -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-872) Uber jira for HMS HA + Sentry HA redesign
[ https://issues.apache.org/jira/browse/SENTRY-872?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15319571#comment-15319571 ] Sravya Tirukkovalur commented on SENTRY-872: Moving the HDFS Sync implementation improvements jiras to https://issues.apache.org/jira/browse/SENTRY-1314, so that we can continue focusing on HA redesign here. > Uber jira for HMS HA + Sentry HA redesign > - > > Key: SENTRY-872 > URL: https://issues.apache.org/jira/browse/SENTRY-872 > Project: Sentry > Issue Type: Improvement > Components: Hdfs Plugin >Affects Versions: 1.5.0 >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: 1.8.0 > > Attachments: SENTRY-872.0.patch, SENTRY-872.pdf, SENTRY-872_design.pdf > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-879) Add metrics for HDFS Sync when Sentry HA and HMS HA
[ https://issues.apache.org/jira/browse/SENTRY-879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15319581#comment-15319581 ] Sravya Tirukkovalur commented on SENTRY-879: Need to update this list of metrics based on the new design. > Add metrics for HDFS Sync when Sentry HA and HMS HA > --- > > Key: SENTRY-879 > URL: https://issues.apache.org/jira/browse/SENTRY-879 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-851) UpdateForwarder does not have to implement Updateable
[ https://issues.apache.org/jira/browse/SENTRY-851?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-851: --- Component/s: Hdfs Plugin > UpdateForwarder does not have to implement Updateable > - > > Key: SENTRY-851 > URL: https://issues.apache.org/jira/browse/SENTRY-851 > Project: Sentry > Issue Type: Improvement > Components: Hdfs Plugin >Affects Versions: 1.4.0 >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > > I see no reason why UpdateForwarder is implementing Updateable. I think we > should clean up this code. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-852) Create PathUpdateForwarder and PermUpdateForwarder
[ https://issues.apache.org/jira/browse/SENTRY-852?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-852: --- Component/s: Hdfs Plugin > Create PathUpdateForwarder and PermUpdateForwarder > -- > > Key: SENTRY-852 > URL: https://issues.apache.org/jira/browse/SENTRY-852 > Project: Sentry > Issue Type: Improvement > Components: Hdfs Plugin >Affects Versions: 1.4.0 >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > > Updateforwarder is used for maintaining updatelog for both path updates and > perm updates today. This is resulting in code being hard to follow as there > are many perm specific and path specific stuff. Lots of if else caused by > over generalization. I think we should split it up for better code > maintainability. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Resolved] (SENTRY-880) Delete the path cache children as soon as it is processed.
[ https://issues.apache.org/jira/browse/SENTRY-880?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur resolved SENTRY-880. Resolution: Invalid > Delete the path cache children as soon as it is processed. > -- > > Key: SENTRY-880 > URL: https://issues.apache.org/jira/browse/SENTRY-880 > Project: Sentry > Issue Type: Bug > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-880) Delete the path cache children as soon as it is processed.
[ https://issues.apache.org/jira/browse/SENTRY-880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15319505#comment-15319505 ] Sravya Tirukkovalur commented on SENTRY-880: Closing the old Sentry HA items, as we are redesigning it. Feel free to reopen if needed. > Delete the path cache children as soon as it is processed. > -- > > Key: SENTRY-880 > URL: https://issues.apache.org/jira/browse/SENTRY-880 > Project: Sentry > Issue Type: Bug > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-875) Make update log size configurable in UpdateForwarder
[ https://issues.apache.org/jira/browse/SENTRY-875?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-875: --- Issue Type: Sub-task (was: Bug) Parent: SENTRY-1314 > Make update log size configurable in UpdateForwarder > > > Key: SENTRY-875 > URL: https://issues.apache.org/jira/browse/SENTRY-875 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Affects Versions: 1.5.0 >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: 1.8.0 > > > It is currently 100, making this configurable might be useful to tune > performance versus size requirements. It will also be helpful for end to end > testing corner cases where we can set this to a smaller number. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-858) Add a test case for - Database prefix is not honoured when executing grant statementÂ
[ https://issues.apache.org/jira/browse/SENTRY-858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15316766#comment-15316766 ] Sravya Tirukkovalur commented on SENTRY-858: Creating to SENTRY-1313 to actually fix this bug. > Add a test case for - Database prefix is not honoured when executing grant > statement > - > > Key: SENTRY-858 > URL: https://issues.apache.org/jira/browse/SENTRY-858 > Project: Sentry > Issue Type: Bug > Components: Hive Plugin, Sentry >Affects Versions: 1.4.0 >Reporter: Subroto Sanyal >Assignee: Rahul Sharma >Priority: Critical > Attachments: SENTRY-858.patch > > > h5. Steps to reproduce > # Sentry enabled secured hive environment > # Create a database _newdb_ and a table _smallairport_ in it (expecting > _default_ db to be available) > # Create a role _grp2_role_ and grant _select_ privilege to the same role for > table _smallairport_ in _newdb_. > # Check the granted role on console and log. The role is granted to a table > _smallairport_ in *default* database > {noformat}beeline> !connect > jdbc:hive2://ip-10-87-39-41.eu-west-1.compute.internal:10004/;principal=hive/ip-10-87-39-41.eu-west-1.compute.internal@EC2.INTERNAL > Connecting to > jdbc:hive2://ip-10-87-39-41.eu-west-1.compute.internal:10004/;principal=hive/ip-10-87-39-41.eu-west-1.compute.internal@EC2.INTERNAL > Enter username for > jdbc:hive2://ip-10-87-39-41.eu-west-1.compute.internal:10004/;principal=hive/ip-10-87-39-41.eu-west-1.compute.internal@EC2.INTERNAL: > > Enter password for > jdbc:hive2://ip-10-87-39-41.eu-west-1.compute.internal:10004/;principal=hive/ip-10-87-39-41.eu-west-1.compute.internal@EC2.INTERNAL: > > Connected to: Apache Hive (version 1.1.0-cdh5.4.0) > Driver: Hive JDBC (version 1.1.0-cdh5.4.0) > Transaction isolation: TRANSACTION_REPEATABLE_READ > 0: jdbc:hive2://ip-10-87-39-41.eu-west-1.comp> GRANT SELECT ON TABLE > `newdb.smallairport` TO ROLE grp2_role; > Getting log thread is interrupted, since query is done! > No rows affected (0.074 seconds) > 0: jdbc:hive2://ip-10-87-39-41.eu-west-1.comp> GRANT INSERT ON TABLE > `newdb.smallairport` TO ROLE grp2_role; > Getting log thread is interrupted, since query is done! > No rows affected (0.067 seconds) > 0: jdbc:hive2://ip-10-87-39-41.eu-west-1.comp> show grant role grp2_role; > Getting log thread is interrupted, since query is done! > +---+---++-+-+-++---+---+--+--+ > | database | table | partition | column | principal_name | > principal_type | privilege | grant_option |grant_time | grantor | > +---+---++-+-+-++---+---+--+--+ > | default | smallairport || | grp2_role | ROLE > | select | false | 144016784913 | -- | > | default | smallairport || | grp2_role | ROLE > | insert | false | 1440168392394000 | -- | > +---+---++-+-+-++---+---+--+--+ > 2 rows selected (0.085 seconds) > {noformat} > h6. Logs on Sentry side: > {noformat}15/08/25 08:47:40 INFO ddl.logger: > {"serviceName":"Sentry-Service","userName":"hive","impersonator":"hive/ip-10-87-39-41.eu-west-1.compute.internal@EC2.INTERNAL","ipAddress":"/10.87.39.41","operation":"GRANT_PRIVILEGE","eventTime":"1440506860675","operationText":"GRANT > SELECT ON TABLE smallairport TO ROLE > grp2_role","allowed":"true","databaseName":"default","tableName":"smallairport","resourcePath":"","objectType":"PRINCIPAL"}{noformat} > h6. Logs on Hive side: > {noformat}2015-08-25 08:47:40,428 WARN [pool-6-thread-1]: > hdfs.MetastorePlugin (MetastorePlugin.java:run(74)) - Synced Sentry with > update [5] > 2015-08-25 08:47:40,613 DEBUG [HiveServer2-Handler-Pool: Thread-1038]: > transport.TSaslTransport (TSaslTransport.java:readFrame(459)) - SERVER: > reading data length: 167 > 2015-08-25 08:47:40,613 DEBUG [HiveServer2-Handler-Pool: Thread-1038]: > parse.VariableSubstitution (VariableSubstitution.java:substitute(53)) - > Substitution is on: GRANT SELECT ON TABLE `newdb.smallairport` TO ROLE > grp2_role > 2015-08-25 08:47:40,614 INFO [HiveServer2-Handler-Pool: Thread-1038]: > log.PerfLogger (PerfLogger.java:PerfLogBegin(121)) - from=org.apache.hadoop.hive.ql.Driver> > 2015-08-25 08:47:40,614 DEBUG [HiveServer2-Handler-Pool: Thread-1038]: > parse.VariableSubstitution (VariableSubstitution.java:substitute(53)) - > Substitution
[jira] [Updated] (SENTRY-858) Add a test case for - Database prefix is not honoured when executing grant statementÂ
[ https://issues.apache.org/jira/browse/SENTRY-858?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-858: --- Issue Type: Test (was: Bug) > Add a test case for - Database prefix is not honoured when executing grant > statement > - > > Key: SENTRY-858 > URL: https://issues.apache.org/jira/browse/SENTRY-858 > Project: Sentry > Issue Type: Test > Components: Hive Plugin, Sentry >Affects Versions: 1.4.0 >Reporter: Subroto Sanyal >Assignee: Rahul Sharma >Priority: Critical > Attachments: SENTRY-858.patch > > > h5. Steps to reproduce > # Sentry enabled secured hive environment > # Create a database _newdb_ and a table _smallairport_ in it (expecting > _default_ db to be available) > # Create a role _grp2_role_ and grant _select_ privilege to the same role for > table _smallairport_ in _newdb_. > # Check the granted role on console and log. The role is granted to a table > _smallairport_ in *default* database > {noformat}beeline> !connect > jdbc:hive2://ip-10-87-39-41.eu-west-1.compute.internal:10004/;principal=hive/ip-10-87-39-41.eu-west-1.compute.internal@EC2.INTERNAL > Connecting to > jdbc:hive2://ip-10-87-39-41.eu-west-1.compute.internal:10004/;principal=hive/ip-10-87-39-41.eu-west-1.compute.internal@EC2.INTERNAL > Enter username for > jdbc:hive2://ip-10-87-39-41.eu-west-1.compute.internal:10004/;principal=hive/ip-10-87-39-41.eu-west-1.compute.internal@EC2.INTERNAL: > > Enter password for > jdbc:hive2://ip-10-87-39-41.eu-west-1.compute.internal:10004/;principal=hive/ip-10-87-39-41.eu-west-1.compute.internal@EC2.INTERNAL: > > Connected to: Apache Hive (version 1.1.0-cdh5.4.0) > Driver: Hive JDBC (version 1.1.0-cdh5.4.0) > Transaction isolation: TRANSACTION_REPEATABLE_READ > 0: jdbc:hive2://ip-10-87-39-41.eu-west-1.comp> GRANT SELECT ON TABLE > `newdb.smallairport` TO ROLE grp2_role; > Getting log thread is interrupted, since query is done! > No rows affected (0.074 seconds) > 0: jdbc:hive2://ip-10-87-39-41.eu-west-1.comp> GRANT INSERT ON TABLE > `newdb.smallairport` TO ROLE grp2_role; > Getting log thread is interrupted, since query is done! > No rows affected (0.067 seconds) > 0: jdbc:hive2://ip-10-87-39-41.eu-west-1.comp> show grant role grp2_role; > Getting log thread is interrupted, since query is done! > +---+---++-+-+-++---+---+--+--+ > | database | table | partition | column | principal_name | > principal_type | privilege | grant_option |grant_time | grantor | > +---+---++-+-+-++---+---+--+--+ > | default | smallairport || | grp2_role | ROLE > | select | false | 144016784913 | -- | > | default | smallairport || | grp2_role | ROLE > | insert | false | 1440168392394000 | -- | > +---+---++-+-+-++---+---+--+--+ > 2 rows selected (0.085 seconds) > {noformat} > h6. Logs on Sentry side: > {noformat}15/08/25 08:47:40 INFO ddl.logger: > {"serviceName":"Sentry-Service","userName":"hive","impersonator":"hive/ip-10-87-39-41.eu-west-1.compute.internal@EC2.INTERNAL","ipAddress":"/10.87.39.41","operation":"GRANT_PRIVILEGE","eventTime":"1440506860675","operationText":"GRANT > SELECT ON TABLE smallairport TO ROLE > grp2_role","allowed":"true","databaseName":"default","tableName":"smallairport","resourcePath":"","objectType":"PRINCIPAL"}{noformat} > h6. Logs on Hive side: > {noformat}2015-08-25 08:47:40,428 WARN [pool-6-thread-1]: > hdfs.MetastorePlugin (MetastorePlugin.java:run(74)) - Synced Sentry with > update [5] > 2015-08-25 08:47:40,613 DEBUG [HiveServer2-Handler-Pool: Thread-1038]: > transport.TSaslTransport (TSaslTransport.java:readFrame(459)) - SERVER: > reading data length: 167 > 2015-08-25 08:47:40,613 DEBUG [HiveServer2-Handler-Pool: Thread-1038]: > parse.VariableSubstitution (VariableSubstitution.java:substitute(53)) - > Substitution is on: GRANT SELECT ON TABLE `newdb.smallairport` TO ROLE > grp2_role > 2015-08-25 08:47:40,614 INFO [HiveServer2-Handler-Pool: Thread-1038]: > log.PerfLogger (PerfLogger.java:PerfLogBegin(121)) - from=org.apache.hadoop.hive.ql.Driver> > 2015-08-25 08:47:40,614 DEBUG [HiveServer2-Handler-Pool: Thread-1038]: > parse.VariableSubstitution (VariableSubstitution.java:substitute(53)) - > Substitution is on: GRANT SELECT ON TABLE `newdb.smallairport` TO
[jira] [Updated] (SENTRY-1323) Bump the hive version to 1.2.0
[ https://issues.apache.org/jira/browse/SENTRY-1323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1323: Fix Version/s: (was: 1.8.0) sentry-ha-redesign > Bump the hive version to 1.2.0 > -- > > Key: SENTRY-1323 > URL: https://issues.apache.org/jira/browse/SENTRY-1323 > Project: Sentry > Issue Type: Sub-task >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: sentry-ha-redesign > > > Deserializer as part of Hive-7973 work has some bugs in 1.1.0. For example: > deserializer.getAlterTableMessage fails with JsonMappingException > After some debugging, I confirmed that it is due to the fact that > JSONAlterTableMessage does not have a default constructor. > Seems like this is fixed as part of HIVE-10227 (1.2.0). So would be best to > move to hive 1.2.0. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (SENTRY-1324) Add sentry specific test cases to use NotificationLog
Sravya Tirukkovalur created SENTRY-1324: --- Summary: Add sentry specific test cases to use NotificationLog Key: SENTRY-1324 URL: https://issues.apache.org/jira/browse/SENTRY-1324 Project: Sentry Issue Type: Sub-task Reporter: Sravya Tirukkovalur Assignee: Sravya Tirukkovalur -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1324) Add sentry specific test cases to use NotificationLog
[ https://issues.apache.org/jira/browse/SENTRY-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1324: Attachment: SENTRY-1324.patch Adding tests to make sure NotificationLog is capturing the information correctly for the commands which changemapping. This exercise is mainly to understand if NotificationLog works for us. I did hit some bugs, but seems like some of them are fixed in Hive 1.2.0. Will bump up Hive in jira SENTRY-1323 as I see there are more changes we need to make as part of hive dependency change. > Add sentry specific test cases to use NotificationLog > - > > Key: SENTRY-1324 > URL: https://issues.apache.org/jira/browse/SENTRY-1324 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: sentry-ha-redesign > > Attachments: SENTRY-1324.patch > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1324) Add sentry specific test cases to use NotificationLog
[ https://issues.apache.org/jira/browse/SENTRY-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1324: Attachment: SENTRY-1324.0.patch > Add sentry specific test cases to use NotificationLog > - > > Key: SENTRY-1324 > URL: https://issues.apache.org/jira/browse/SENTRY-1324 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: sentry-ha-redesign > > Attachments: SENTRY-1324.0.patch > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1323) Bump the hive version to 1.2.0
[ https://issues.apache.org/jira/browse/SENTRY-1323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1323: Status: Patch Available (was: Open) > Bump the hive version to 1.2.0 > -- > > Key: SENTRY-1323 > URL: https://issues.apache.org/jira/browse/SENTRY-1323 > Project: Sentry > Issue Type: Sub-task >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: sentry-ha-redesign > > Attachments: SENTRY-1323.0.patch > > > Deserializer as part of Hive-7973 work has some bugs in 1.1.0. For example: > deserializer.getAlterTableMessage fails with JsonMappingException > After some debugging, I confirmed that it is due to the fact that > JSONAlterTableMessage does not have a default constructor. > Seems like this is fixed as part of HIVE-10227 (1.2.0). So would be best to > move to hive 1.2.0. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1324) Add sentry specific test cases to use NotificationLog
[ https://issues.apache.org/jira/browse/SENTRY-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1324: Status: Patch Available (was: Open) > Add sentry specific test cases to use NotificationLog > - > > Key: SENTRY-1324 > URL: https://issues.apache.org/jira/browse/SENTRY-1324 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: sentry-ha-redesign > > Attachments: SENTRY-1324.0.patch > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1323) Bump the hive version to 1.2.0
[ https://issues.apache.org/jira/browse/SENTRY-1323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15325562#comment-15325562 ] Sravya Tirukkovalur commented on SENTRY-1323: - getPartition() api seems to have been changed in 1.2.0 > Bump the hive version to 1.2.0 > -- > > Key: SENTRY-1323 > URL: https://issues.apache.org/jira/browse/SENTRY-1323 > Project: Sentry > Issue Type: Sub-task >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: sentry-ha-redesign > > Attachments: SENTRY-1323.0.patch > > > Deserializer as part of Hive-7973 work has some bugs in 1.1.0. For example: > deserializer.getAlterTableMessage fails with JsonMappingException > After some debugging, I confirmed that it is due to the fact that > JSONAlterTableMessage does not have a default constructor. > Seems like this is fixed as part of HIVE-10227 (1.2.0). So would be best to > move to hive 1.2.0. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1323) Bump the hive version to 1.2.0
[ https://issues.apache.org/jira/browse/SENTRY-1323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1323: Attachment: SENTRY-1323.0.patch > Bump the hive version to 1.2.0 > -- > > Key: SENTRY-1323 > URL: https://issues.apache.org/jira/browse/SENTRY-1323 > Project: Sentry > Issue Type: Sub-task >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: sentry-ha-redesign > > Attachments: SENTRY-1323.0.patch > > > Deserializer as part of Hive-7973 work has some bugs in 1.1.0. For example: > deserializer.getAlterTableMessage fails with JsonMappingException > After some debugging, I confirmed that it is due to the fact that > JSONAlterTableMessage does not have a default constructor. > Seems like this is fixed as part of HIVE-10227 (1.2.0). So would be best to > move to hive 1.2.0. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (SENTRY-1321) Use DbNotificationListener and poll the notifications from Sentry service
Sravya Tirukkovalur created SENTRY-1321: --- Summary: Use DbNotificationListener and poll the notifications from Sentry service Key: SENTRY-1321 URL: https://issues.apache.org/jira/browse/SENTRY-1321 Project: Sentry Issue Type: Sub-task Reporter: Sravya Tirukkovalur Assignee: Sravya Tirukkovalur -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1321) Use DbNotificationListener and poll the HMS notifications from Sentry service
[ https://issues.apache.org/jira/browse/SENTRY-1321?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1321: Summary: Use DbNotificationListener and poll the HMS notifications from Sentry service (was: Use DbNotificationListener and poll the notifications from Sentry service) > Use DbNotificationListener and poll the HMS notifications from Sentry service > - > > Key: SENTRY-1321 > URL: https://issues.apache.org/jira/browse/SENTRY-1321 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: 1.8.0 > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1320) truncate table db_name.table_name fails
[ https://issues.apache.org/jira/browse/SENTRY-1320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15323431#comment-15323431 ] Sravya Tirukkovalur commented on SENTRY-1320: - +1, pending QA run. Thanks for the patch [~vihangk1]! > truncate table db_name.table_name fails > --- > > Key: SENTRY-1320 > URL: https://issues.apache.org/jira/browse/SENTRY-1320 > Project: Sentry > Issue Type: Bug >Reporter: Vihang Karajgaonkar >Assignee: Vihang Karajgaonkar >Priority: Minor > Attachments: SENTRY-1320.01.patch > > > On a cluster with Sentry enabled using Kerberos (MIT) > Steps to reproduce: > create database temp; > use temp; > create table a(b int); > use default; > truncate table temp.a; > Error: Error while compiling statement: FAILED: IllegalArgumentException null > (state=42000,code=4) -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (SENTRY-1323) Bump the hive version to 1.2.0
Sravya Tirukkovalur created SENTRY-1323: --- Summary: Bump the hive version to 1.2.0 Key: SENTRY-1323 URL: https://issues.apache.org/jira/browse/SENTRY-1323 Project: Sentry Issue Type: Sub-task Reporter: Sravya Tirukkovalur Assignee: Sravya Tirukkovalur Deserializer as part of Hive-7973 work has some bugs in 1.1.0. For example: deserializer.getAlterTableMessage fails with JsonMappingException After some debugging, I confirmed that it is due to the fact that JSONAlterTableMessage does not have a default constructor. Seems like this is fixed as part of HIVE-10227 (1.2.0). So would be best to move to hive 1.2.0. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1295) Investigate malformed paths in HMS db
[ https://issues.apache.org/jira/browse/SENTRY-1295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15300510#comment-15300510 ] Sravya Tirukkovalur commented on SENTRY-1295: - Another data point, this time default db location was on root: SELECT "NAME", "DB_LOCATION_URI" FROM "DBS" WHERE NOT "DB_LOCATION_URI" LIKE 'hdfs://%/%'; default hdfs://namespace > Investigate malformed paths in HMS db > - > > Key: SENTRY-1295 > URL: https://issues.apache.org/jira/browse/SENTRY-1295 > Project: Sentry > Issue Type: Bug >Reporter: Sravya Tirukkovalur > > Paths in HMS are expected to be in one of these forms: > * hdfs://hostname:port/path > * hdfs:///path > * /path, in which case, scheme will be constructed from > FileSystem.getDefaultURI > * URIs with non hdfs scheme will just be ignored > I came across atleast 2 sentry users where HMS did have paths which do not > comply with above rules and hence HMS plugin initialization for pathupdates > failed. See sentry-1260 and sentry-1270 for details on how these errors > surface. > With 1260 and 1270 we should have more information on what these malformed > paths were. But we should continue to investigate and fix the root cause, It > would most likely be in HMS code base. Until then, here is how you can > diagnose and fix it manually: > *Look for malformed paths in HMS* : Look in DBS as well as SDS tables. > {code} > SELECT "NAME", "DB_LOCATION_URI" FROM "DBS" WHERE NOT "DB_LOCATION_URI" LIKE > 'hdfs://%/%'; > NAME | DB_LOCATION_URI > ---+ > db_name | hdfs://nameservice1 > (1 row) > {code} > *Fix it manually updating the HMS location* > {code} > UPDATE DBS > SET DB_LOCATION_URI='hdfs://nameservice1/user/hive/warehouse/db_name.db' > WHERE DB_ID=12345; > {code} > Lets track occurrences of these malformed paths here: > * hdfs://nameservice1 : Not sure why would any one create a db/table in root > directory? Should we accept this in Sentry? > What does SKEWED_COL_VALUE_LOC_MAP.location in HMS correspond to? Double > check if there are any malformed paths here? -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1323) Bump the hive version to 1.2.0
[ https://issues.apache.org/jira/browse/SENTRY-1323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15328310#comment-15328310 ] Sravya Tirukkovalur commented on SENTRY-1323: - Looking into the test failures. I see some test failures around "show tables"/"show databases". Seems like it is due to the Hive fix: https://issues.apache.org/jira/browse/HIVE-9350 . Taking a closer look at Hive-9350 to see how to make Sentry compatible with Hive 1.2.0. > Bump the hive version to 1.2.0 > -- > > Key: SENTRY-1323 > URL: https://issues.apache.org/jira/browse/SENTRY-1323 > Project: Sentry > Issue Type: Sub-task >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: sentry-ha-redesign > > Attachments: SENTRY-1323.0.patch > > > Deserializer as part of Hive-7973 work has some bugs in 1.1.0. For example: > deserializer.getAlterTableMessage fails with JsonMappingException > After some debugging, I confirmed that it is due to the fact that > JSONAlterTableMessage does not have a default constructor. > Seems like this is fixed as part of HIVE-10227 (1.2.0). So would be best to > move to hive 1.2.0. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-872) Uber jira for HMS HA + Sentry HA with HDFS plugin improvements
[ https://issues.apache.org/jira/browse/SENTRY-872?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15308437#comment-15308437 ] Sravya Tirukkovalur commented on SENTRY-872: Thanks for uploading the updated deisgn doc [~cmccabe]! Some comments: 1. In Section "HIVEÂ7973: Hive Replication Support ", seems like there is some text missing at the end. 2. In Section "Future work", "The HDFS Plugin Should Use Update Log IDs". In current design, we apply deltas in the NN plugin. I do not believe we necessarily buffer deltas in NN, as there is no reason. So we may want to remove this section. 3. We might want to add a section about "Sentry passive" which follows active versus "Sentry standby" which warms up only when it acquires leadership? I think we are inclining towards a passive which can serve requests with minimal downtime, that is acquiring leadership should not take too long. But might be better if we state it explicitly, so that we evaluate the alternatives thoroughly? 4. There are some slight alternatives we might want to consider in the path of propagating HMS updates to Sentry and NN. In the proposed design, we will need to replicate HMSinformation as well as delta changes of it(add/delete ) in Sentry db for the passive to follow. Other option is for passive to directly talk to HMS to get these deltas. If the only motivation for replicating this in sentry db is bringing passive upto speed, I think the later approach is preferable as there is no real need to replicate both info and deltas? But, other parameter to consider is around full update. That is, when Sentry restarts in the later approach, we will have to trigger a full update from HMS. But without a proper snapshot solution in HMS, this would mean we will have to lock HMS writes for this period, which means HMS is not available for writes for this period. 5. Would be useful to have a detailed protocol description especially around what happens when different services restart, and what in memory state does each service rely on. Let me know what you think and we can update the doc accordingly. Thanks! > Uber jira for HMS HA + Sentry HA with HDFS plugin improvements > -- > > Key: SENTRY-872 > URL: https://issues.apache.org/jira/browse/SENTRY-872 > Project: Sentry > Issue Type: Improvement > Components: Hdfs Plugin >Affects Versions: 1.5.0 >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: 1.8.0 > > Attachments: SENTRY-872.0.patch, SENTRY-872.pdf, SENTRY-872_design.pdf > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (SENTRY-1298) Create index location should require URI
Sravya Tirukkovalur created SENTRY-1298: --- Summary: Create index location should require URI Key: SENTRY-1298 URL: https://issues.apache.org/jira/browse/SENTRY-1298 Project: Sentry Issue Type: Bug Reporter: Sravya Tirukkovalur Priority: Blocker -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1231) Sentry doesn't secure index location uri, when do "CREATE INDEX LOCATION ''/uri"
[ https://issues.apache.org/jira/browse/SENTRY-1231?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1231: Priority: Blocker (was: Major) > Sentry doesn't secure index location uri, when do "CREATE INDEX LOCATION > ''/uri" > > > Key: SENTRY-1231 > URL: https://issues.apache.org/jira/browse/SENTRY-1231 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: 1.8.0 >Reporter: Anne Yu >Priority: Blocker > > Sentry doesn't check the uri privilege of command, CREATE INDEX LOCATION > '/path'. For example, > {code} > [root@ay-s3-1 ~]# sudo -u hdfs hdfs dfs -getfacl -R /data/testindex > # file: /data/testindex > # owner: hdfs > # group: hive > user::rwx > group::r-x > other::r-x > use systest> CREATE INDEX my_hdfs_table_index ON TABLE my_hdfs_table > (viewtime) AS 'compact' WITH DEFERRED REBUILD LOCATION '/data/testindex'; > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Resolved] (SENTRY-1298) Create index location should require URI
[ https://issues.apache.org/jira/browse/SENTRY-1298?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur resolved SENTRY-1298. - Resolution: Duplicate > Create index location should require URI > > > Key: SENTRY-1298 > URL: https://issues.apache.org/jira/browse/SENTRY-1298 > Project: Sentry > Issue Type: Bug >Reporter: Sravya Tirukkovalur >Priority: Blocker > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1231) Sentry doesn't secure index location uri, when do "CREATE INDEX LOCATION ''/uri"
[ https://issues.apache.org/jira/browse/SENTRY-1231?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1231: Attachment: SENTRY-1231.1.patch > Sentry doesn't secure index location uri, when do "CREATE INDEX LOCATION > ''/uri" > > > Key: SENTRY-1231 > URL: https://issues.apache.org/jira/browse/SENTRY-1231 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: 1.8.0 >Reporter: Anne Yu >Assignee: Sravya Tirukkovalur >Priority: Blocker > Attachments: SENTRY-1231.0.patch, SENTRY-1231.1.patch > > > Sentry doesn't check the uri privilege of command, CREATE INDEX LOCATION > '/path'. For example, > {code} > [root@ay-s3-1 ~]# sudo -u hdfs hdfs dfs -getfacl -R /data/testindex > # file: /data/testindex > # owner: hdfs > # group: hive > user::rwx > group::r-x > other::r-x > use systest> CREATE INDEX my_hdfs_table_index ON TABLE my_hdfs_table > (viewtime) AS 'compact' WITH DEFERRED REBUILD LOCATION '/data/testindex'; > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Assigned] (SENTRY-1231) Sentry doesn't secure index location uri, when do "CREATE INDEX LOCATION ''/uri"
[ https://issues.apache.org/jira/browse/SENTRY-1231?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur reassigned SENTRY-1231: --- Assignee: Sravya Tirukkovalur > Sentry doesn't secure index location uri, when do "CREATE INDEX LOCATION > ''/uri" > > > Key: SENTRY-1231 > URL: https://issues.apache.org/jira/browse/SENTRY-1231 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: 1.8.0 >Reporter: Anne Yu >Assignee: Sravya Tirukkovalur >Priority: Blocker > > Sentry doesn't check the uri privilege of command, CREATE INDEX LOCATION > '/path'. For example, > {code} > [root@ay-s3-1 ~]# sudo -u hdfs hdfs dfs -getfacl -R /data/testindex > # file: /data/testindex > # owner: hdfs > # group: hive > user::rwx > group::r-x > other::r-x > use systest> CREATE INDEX my_hdfs_table_index ON TABLE my_hdfs_table > (viewtime) AS 'compact' WITH DEFERRED REBUILD LOCATION '/data/testindex'; > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1231) Sentry doesn't secure index location uri, when do "CREATE INDEX LOCATION ''/uri"
[ https://issues.apache.org/jira/browse/SENTRY-1231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15302845#comment-15302845 ] Sravya Tirukkovalur commented on SENTRY-1231: - Here is the current ast: TOK_CREATEINDEX table01_index 'COMPACT' TOK_TABNAME tb1 TOK_TABCOLNAME a TOK_DEFERRED_REBUILDINDEX > Sentry doesn't secure index location uri, when do "CREATE INDEX LOCATION > ''/uri" > > > Key: SENTRY-1231 > URL: https://issues.apache.org/jira/browse/SENTRY-1231 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: 1.8.0 >Reporter: Anne Yu >Assignee: Sravya Tirukkovalur >Priority: Blocker > Attachments: SENTRY-1231.0.patch > > > Sentry doesn't check the uri privilege of command, CREATE INDEX LOCATION > '/path'. For example, > {code} > [root@ay-s3-1 ~]# sudo -u hdfs hdfs dfs -getfacl -R /data/testindex > # file: /data/testindex > # owner: hdfs > # group: hive > user::rwx > group::r-x > other::r-x > use systest> CREATE INDEX my_hdfs_table_index ON TABLE my_hdfs_table > (viewtime) AS 'compact' WITH DEFERRED REBUILD LOCATION '/data/testindex'; > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-666) Grant assumes Table object when not passed both an object and a name
[ https://issues.apache.org/jira/browse/SENTRY-666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15303147#comment-15303147 ] Sravya Tirukkovalur commented on SENTRY-666: This seems to be just for convenience. [~anneyu], can you add this to our documentation and close the ticket? > Grant assumes Table object when not passed both an object and a name > > > Key: SENTRY-666 > URL: https://issues.apache.org/jira/browse/SENTRY-666 > Project: Sentry > Issue Type: Bug >Affects Versions: 1.4.0 >Reporter: Ryan P >Priority: Minor > Labels: Docs > > If you pass only one argument to the grant statement it assumes you are > setting privileges for the table object. > 0: jdbc:hive2://ryan-p-2.ent.cloudera.com:100> grant all on server1 to role > test; > No rows affected (0.198 seconds) > 0: jdbc:hive2://ryan-p-2.ent.cloudera.com:100> show grant role test; > +---+++-+-+-++---+---+--+--+ > | database | table| partition | column | principal_name | > principal_type | privilege | grant_option |grant_time | grantor | > +---+++-+-+-++---+---+--+--+ > | default | test || | test| ROLE > | * | false | 1425774500157000 | -- | > | /tmp ||| | test| ROLE > | * | false | 1425775719259000 | -- | > | default | ta || | test| ROLE > | * | false | 142521565000 | -- | > | default | server1|| | test| ROLE > | * | false | 1421854212609000 | -- | > | default | testpatch || | test| ROLE > | select | false | 1425774558034000 | -- | > +---+++-+-+-++---+---+--+--+ > 5 rows selected (0.217 seconds) > I understand this was probably done for convenience but it can cause > confusion for first-time users. At a quick glance it would appear as if I am > granting all on server server1 to role test. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1209) Sentry does not block Hive's cross-schema table renames
[ https://issues.apache.org/jira/browse/SENTRY-1209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15303158#comment-15303158 ] Sravya Tirukkovalur commented on SENTRY-1209: - Would be good to fix this. [~colinma] will you be interested in picking this up? > Sentry does not block Hive's cross-schema table renames > --- > > Key: SENTRY-1209 > URL: https://issues.apache.org/jira/browse/SENTRY-1209 > Project: Sentry > Issue Type: Bug > Components: Core, Hive Binding, Hive Plugin, Sentry >Affects Versions: 1.5.1 > Environment: CDH 5.5.2 >Reporter: Ruslan Dautkhanov >Priority: Critical > Labels: security > > User Pete > has read-write access to schema A > has read-only access to schema B > User Pete nevertheless was able to rename/move Hive table > from schema A to schema B (where he has read-only access): > {quote} > use A; > alter table table_a rename to B.table_a; > {quote} > Hive allows to use rename table syntax to move tables across schemas, not > just rename. > Sentry does not check security boundaries in this case. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1275) if drop external partition fails at the step of move external dir to the trash, but partition gets dropped successfully, sentry acls are still applied to the dir
[ https://issues.apache.org/jira/browse/SENTRY-1275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15303151#comment-15303151 ] Sravya Tirukkovalur commented on SENTRY-1275: - Interesting. [~anneyu] do you know if we can reproduce this in junit? (That is cause the move dir to trash to fail?) > if drop external partition fails at the step of move external dir to the > trash, but partition gets dropped successfully, sentry acls are still applied > to the dir > - > > Key: SENTRY-1275 > URL: https://issues.apache.org/jira/browse/SENTRY-1275 > Project: Sentry > Issue Type: Bug >Affects Versions: 1.8.0 >Reporter: Anne Yu > > Found out there is an issue when drop external partition fails at the last > step of move dir to trash, partition gets successfully dropped, but sentry > acls still applied to the dir. > {code} > alter table 1008_tbl add partition (i=3) location '/data/test1/1008_par1'; > alter table 1008_tbl drop partition (i=3); > Error: Error while processing statement: FAILED: Execution Error, return code > 1 from org.apache.hadoop.hive.ql.exec.SentryFilterDDLTask. Got exception: > java.io.IOException Failed to move to trash: > hdfs://nameservice1/data/test1/1008_par1 (state=08S01,code=1) > show partitions 1008_tbl; (i=3 not shown) > sudo -u hdfs hdfs dfs -getfacl -R /data/test1/1008_par1 > # file: /data/test1/1008_par1 > # owner: hive > # group: hive > user::rwx > user:hive:rwx > group:hbase:rwx (sentry applied extended acls) > group::--- > group:hive:rwx > mask::rwx > other::--x > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-666) Grant assumes Table object when not passed both an object and a name
[ https://issues.apache.org/jira/browse/SENTRY-666?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-666: --- Labels: Docs (was: ) > Grant assumes Table object when not passed both an object and a name > > > Key: SENTRY-666 > URL: https://issues.apache.org/jira/browse/SENTRY-666 > Project: Sentry > Issue Type: Bug >Affects Versions: 1.4.0 >Reporter: Ryan P >Priority: Minor > Labels: Docs > > If you pass only one argument to the grant statement it assumes you are > setting privileges for the table object. > 0: jdbc:hive2://ryan-p-2.ent.cloudera.com:100> grant all on server1 to role > test; > No rows affected (0.198 seconds) > 0: jdbc:hive2://ryan-p-2.ent.cloudera.com:100> show grant role test; > +---+++-+-+-++---+---+--+--+ > | database | table| partition | column | principal_name | > principal_type | privilege | grant_option |grant_time | grantor | > +---+++-+-+-++---+---+--+--+ > | default | test || | test| ROLE > | * | false | 1425774500157000 | -- | > | /tmp ||| | test| ROLE > | * | false | 1425775719259000 | -- | > | default | ta || | test| ROLE > | * | false | 142521565000 | -- | > | default | server1|| | test| ROLE > | * | false | 1421854212609000 | -- | > | default | testpatch || | test| ROLE > | select | false | 1425774558034000 | -- | > +---+++-+-+-++---+---+--+--+ > 5 rows selected (0.217 seconds) > I understand this was probably done for convenience but it can cause > confusion for first-time users. At a quick glance it would appear as if I am > granting all on server server1 to role test. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1171) Please delete old releases from mirroring system
[ https://issues.apache.org/jira/browse/SENTRY-1171?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1171: Issue Type: Task (was: Bug) > Please delete old releases from mirroring system > > > Key: SENTRY-1171 > URL: https://issues.apache.org/jira/browse/SENTRY-1171 > Project: Sentry > Issue Type: Task >Reporter: Sebb > > To reduce the load on the ASF mirrors, projects are required to delete old > releases [1] > Please can you remove all non-current releases? > i.e. all but 1.6.0-incubating/ > Thanks! > [1] http://www.apache.org/dev/release.html#when-to-archive -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1182) [Failure recovery] NN should prompt a full Path update from sentry if X number of retries fail
[ https://issues.apache.org/jira/browse/SENTRY-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1182: Issue Type: New Feature (was: Bug) > [Failure recovery] NN should prompt a full Path update from sentry if X > number of retries fail > -- > > Key: SENTRY-1182 > URL: https://issues.apache.org/jira/browse/SENTRY-1182 > Project: Sentry > Issue Type: New Feature >Reporter: Sravya Tirukkovalur > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1165) add clover plugin to maven to get code coverage report
[ https://issues.apache.org/jira/browse/SENTRY-1165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1165: Issue Type: Test (was: Bug) > add clover plugin to maven to get code coverage report > -- > > Key: SENTRY-1165 > URL: https://issues.apache.org/jira/browse/SENTRY-1165 > Project: Sentry > Issue Type: Test > Components: Sentry >Affects Versions: 1.8.0 >Reporter: Anne Yu > > https://issues.apache.org/jira/browse/SOLR-479?jql=summary%20~%20%27code%20coverage%27 -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1236) Bump thrift version to 0.9.3
[ https://issues.apache.org/jira/browse/SENTRY-1236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15311228#comment-15311228 ] Sravya Tirukkovalur commented on SENTRY-1236: - I just committed this to the master [~hahao], thanks for the reminder! > Bump thrift version to 0.9.3 > > > Key: SENTRY-1236 > URL: https://issues.apache.org/jira/browse/SENTRY-1236 > Project: Sentry > Issue Type: Bug >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur >Priority: Minor > Fix For: 1.8.0 > > Attachments: SENTRY-1236.1.patch, SENTRY-1236.2.patch, > SENTRY-1236.patch > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1236) Bump thrift version to 0.9.3
[ https://issues.apache.org/jira/browse/SENTRY-1236?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1236: Resolution: Fixed Fix Version/s: (was: 1.7.0) 1.8.0 Status: Resolved (was: Patch Available) > Bump thrift version to 0.9.3 > > > Key: SENTRY-1236 > URL: https://issues.apache.org/jira/browse/SENTRY-1236 > Project: Sentry > Issue Type: Bug >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur >Priority: Minor > Fix For: 1.8.0 > > Attachments: SENTRY-1236.1.patch, SENTRY-1236.2.patch, > SENTRY-1236.patch > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (SENTRY-1356) Evaluate the current approach of updates from HMS
Sravya Tirukkovalur created SENTRY-1356: --- Summary: Evaluate the current approach of updates from HMS Key: SENTRY-1356 URL: https://issues.apache.org/jira/browse/SENTRY-1356 Project: Sentry Issue Type: Bug Reporter: Sravya Tirukkovalur Would be good to reevaluate the current approach of HMS updates. Currently, update contains a list of addPaths and delPaths. Some concerns we need to evaluate: 1. Hard to capture order in this model. 2. In UpdateatableAuthzPaths.applyPartialUpdate we seem to be adding the newPaths first and removing the delPaths. One caveat here is: if the newPath and oldPath are same, we end up deleting the path. See SENTRY-1346 for one such example. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1345) ACLS on table folder disappear after insert for unpartitioned tables
[ https://issues.apache.org/jira/browse/SENTRY-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1345: Description: This seems to be due to the fact that onAlterTableEvent is being trigged for this operation of "INSERT on a unpartitioned table" in Hive. And sentry- hive plugin thinks this is an alter table location command, and we add the new path and delete the old path for this Hive object. As add happens first and then the delete on the same path in this case, the path is lost resulting in no acls on this path. Workaround: This gets corrected at the next HMS restart. We can fix on Sentry side to not do add/delete if oldPath == newPath. But we also need to understand the Hive behavior. Not exactly sure when this regressed as we dont seem to have coverage for it. Also adding a test case as part of the patch which can be used against older versions. > ACLS on table folder disappear after insert for unpartitioned tables > > > Key: SENTRY-1345 > URL: https://issues.apache.org/jira/browse/SENTRY-1345 > Project: Sentry > Issue Type: Bug >Affects Versions: 1.7.0 >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: 1.8.0 > > Attachments: SENTRY-1345.patch > > > This seems to be due to the fact that onAlterTableEvent is being trigged for > this operation of "INSERT on a unpartitioned table" in Hive. And sentry- hive > plugin thinks this is an alter table location command, and we add the new > path and delete the old path for this Hive object. As add happens first and > then the delete on the same path in this case, the path is lost resulting in > no acls on this path. > Workaround: This gets corrected at the next HMS restart. > We can fix on Sentry side to not do add/delete if oldPath == newPath. But we > also need to understand the Hive behavior. > Not exactly sure when this regressed as we dont seem to have coverage for it. > Also adding a test case as part of the patch which can be used against older > versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1356) Evaluate the current approach of updates from HMS
[ https://issues.apache.org/jira/browse/SENTRY-1356?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1356: Issue Type: Sub-task (was: Bug) Parent: SENTRY-1314 > Evaluate the current approach of updates from HMS > - > > Key: SENTRY-1356 > URL: https://issues.apache.org/jira/browse/SENTRY-1356 > Project: Sentry > Issue Type: Sub-task >Reporter: Sravya Tirukkovalur > > Would be good to reevaluate the current approach of HMS updates. Currently, > update contains a list of addPaths and delPaths. Some concerns we need to > evaluate: > 1. Hard to capture order in this model. > 2. In UpdateatableAuthzPaths.applyPartialUpdate we seem to be adding the > newPaths first and removing the delPaths. One caveat here is: if the newPath > and oldPath are same, we end up deleting the path. See SENTRY-1346 for one > such example. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1345) ACLS on table folder disappear after insert for unpartitioned tables
[ https://issues.apache.org/jira/browse/SENTRY-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15341539#comment-15341539 ] Sravya Tirukkovalur commented on SENTRY-1345: - [~hahao] Good point, added more details on the problem to the jira. Regarding opening a new connection in the test, I do not think it is necessary as all hive commands in the test are being run as the same user. > ACLS on table folder disappear after insert for unpartitioned tables > > > Key: SENTRY-1345 > URL: https://issues.apache.org/jira/browse/SENTRY-1345 > Project: Sentry > Issue Type: Bug >Affects Versions: 1.7.0 >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: 1.8.0 > > Attachments: SENTRY-1345.patch > > > This seems to be due to the fact that onAlterTableEvent is being trigged for > this operation of "INSERT on a unpartitioned table" in Hive. And sentry- hive > plugin thinks this is an alter table location command, and we add the new > path and delete the old path for this Hive object. As add happens first and > then the delete on the same path in this case, the path is lost resulting in > no acls on this path. > Workaround: This gets corrected at the next HMS restart. > We can fix on Sentry side to not do add/delete if oldPath == newPath. But we > also need to understand the Hive behavior. > Not exactly sure when this regressed as we dont seem to have coverage for it. > Also adding a test case as part of the patch which can be used against older > versions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1209) Sentry does not block Hive's cross-schema table renames
[ https://issues.apache.org/jira/browse/SENTRY-1209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15341556#comment-15341556 ] Sravya Tirukkovalur commented on SENTRY-1209: - Reposting my comment from RB Thanks for the change! The more I think about it, I feel we should be double careful when making auth model change. I am trying to think what the user behavior change would be for: Alter table rename db1.tb1 to db1.tb2: We are essentially dropping db1.tb1 and creating db1.tb2. So at minimum create and drop on db1 are required. Would requiring all cause any inflexibility? Alter table rename db1.tb1 to db2.tb2: At a minimum, user needs drop on db1 and create on db2. Would requiring all cause any inflexibility? And also what should our upgrade recommendation be? > Sentry does not block Hive's cross-schema table renames > --- > > Key: SENTRY-1209 > URL: https://issues.apache.org/jira/browse/SENTRY-1209 > Project: Sentry > Issue Type: Bug > Components: Core, Hive Binding, Hive Plugin, Sentry >Affects Versions: 1.5.1 > Environment: CDH 5.5.2 >Reporter: Ruslan Dautkhanov >Assignee: Colin Ma >Priority: Critical > Labels: security > Attachments: SENTRY-1209.001.patch, SENTRY-1209.002.patch, > SENTRY-1209.003.patch, SENTRY-1209.004.patch, SENTRY-1209.005.patch > > > User Pete > has read-write access to schema A > has read-only access to schema B > User Pete nevertheless was able to rename/move Hive table > from schema A to schema B (where he has read-only access): > {quote} > use A; > alter table table_a rename to B.table_a; > {quote} > Hive allows to use rename table syntax to move tables across schemas, not > just rename. > Sentry does not check security boundaries in this case. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1330) Notify Sentry about HMS new notifications if low delay is desired
[ https://issues.apache.org/jira/browse/SENTRY-1330?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1330: Summary: Notify Sentry about HMS new notifications if low delay is desired (was: Notify Sentry about new notifications if low delay is desired) > Notify Sentry about HMS new notifications if low delay is desired > - > > Key: SENTRY-1330 > URL: https://issues.apache.org/jira/browse/SENTRY-1330 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur > Fix For: sentry-ha-redesign > > > Filing this to track this idea, we can close if it is not required. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1317) Implement fencing required for active/passive
[ https://issues.apache.org/jira/browse/SENTRY-1317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1317: Fix Version/s: (was: 1.8.0) sentry-ha-redesign > Implement fencing required for active/passive > - > > Key: SENTRY-1317 > URL: https://issues.apache.org/jira/browse/SENTRY-1317 > Project: Sentry > Issue Type: Sub-task >Reporter: Sravya Tirukkovalur >Assignee: Colin Patrick McCabe > Fix For: sentry-ha-redesign > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1319) Add metrics for isActive and isHA
[ https://issues.apache.org/jira/browse/SENTRY-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15332320#comment-15332320 ] Sravya Tirukkovalur commented on SENTRY-1319: - +1. Reposting it from RB: As a follow on - Would be good to add a kerberos end to end test to access metrics, as sentry's clients (kerberos clients) would be accessing it now. See TestSentryServiceWithKerberos.java for a trivial example. > Add metrics for isActive and isHA > - > > Key: SENTRY-1319 > URL: https://issues.apache.org/jira/browse/SENTRY-1319 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Colin Patrick McCabe >Assignee: Rahul Sharma > Fix For: 1.8.0 > > Attachments: SENTRY-1319.1.patch, SENTRY-1319.2.patch > > > Add metrics for isActive and isHA, so that admins and monitoring systems can > know which sentry daemon is active, and whether HA is enabled. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1324) Add sentry specific test cases to use NotificationLog
[ https://issues.apache.org/jira/browse/SENTRY-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1324: Attachment: SENTRY-1324.2.patch Fixing PMD failures. > Add sentry specific test cases to use NotificationLog > - > > Key: SENTRY-1324 > URL: https://issues.apache.org/jira/browse/SENTRY-1324 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: sentry-ha-redesign > > Attachments: SENTRY-1324.0.patch, SENTRY-1324.1.patch, > SENTRY-1324.2.patch > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1316) Implement Sentry leadership election
[ https://issues.apache.org/jira/browse/SENTRY-1316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15332266#comment-15332266 ] Sravya Tirukkovalur commented on SENTRY-1316: - Thanks for your patch [~colinmccabe]! Overall looks good to me. Can you add a RB link when the patch is ready for review? > Implement Sentry leadership election > > > Key: SENTRY-1316 > URL: https://issues.apache.org/jira/browse/SENTRY-1316 > Project: Sentry > Issue Type: Sub-task >Affects Versions: 1.8.0 >Reporter: Sravya Tirukkovalur >Assignee: Colin Patrick McCabe > Fix For: 1.8.0 > > Attachments: SENTRY-1316.001.patch, SENTRY-1316.002.patch > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (SENTRY-1329) Add additional information in the NotificationLog entry
Sravya Tirukkovalur created SENTRY-1329: --- Summary: Add additional information in the NotificationLog entry Key: SENTRY-1329 URL: https://issues.apache.org/jira/browse/SENTRY-1329 Project: Sentry Issue Type: Sub-task Reporter: Sravya Tirukkovalur Assignee: Sravya Tirukkovalur -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1324) Add sentry specific test cases to use NotificationLog
[ https://issues.apache.org/jira/browse/SENTRY-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15330859#comment-15330859 ] Sravya Tirukkovalur commented on SENTRY-1324: - We should be able to commit this without having to move hive dependency to >= 1.2.0. Also, as you can see in the tests, there is some information missing in the notification event log. Some of these can be obtained by doing another getTable()/getDatabase() call to HMS. But some of these are permanently lost if we do not capture them during the event. For example, for the command "Alter table location", we need the old location in Sentry to make sure we revoke the table related grants on this old location. We cannot jut delete all paths corresponding to this table in Sentry, as there might be some partitions which point to this table and henceis a many-many in Sentry. Also, capturing the location would allow to see have the entire context in notification log entry without having to do another HMS RPC to get missing information. Hence, I propose adding additional info in the notification log entry. Thoughts? > Add sentry specific test cases to use NotificationLog > - > > Key: SENTRY-1324 > URL: https://issues.apache.org/jira/browse/SENTRY-1324 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: sentry-ha-redesign > > Attachments: SENTRY-1324.0.patch, SENTRY-1324.1.patch > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1329) Add additional information in the NotificationLog entry
[ https://issues.apache.org/jira/browse/SENTRY-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1329: Description: After some preliminary testing of HMS NotificationLog in Sentry (SENTRY-1324), we see that NotificationLog does not capture some information today. See this [comment| https://issues.apache.org/jira/browse/SENTRY-1324?focusedCommentId=15330859=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15330859] for more information. So with respect to capturing this information, the minimally invasive approach is to just implement a custom MessageFactory (hcatalog.message.factory.impl.json), which takes care of the serialization and deseriazation of the message. We can just add additional information without causing disruption to other clients. As I was implementing this, I encountered the problem that there is a small bug(in Hive trunk) which makes the MessageFactory not truly pluggable (HIVE-14011 - Attached a fix). But it would be a while before Hive can make a release with this fix and Sentry can move to this fixed version. So in the interim, we can implement the Listener in Sentry and use custom MessageFactory as well. I have done some testing on my side to make sure it does not break other clients. was: After some preliminary testing of HMS NotificationLog in Sentry (SENTRY-1324), we see that NotificationLog does not capture some information today. See this [comment| ] for more information. Some of these, we might get by doing another getTable() call, but some of these are lost - For example in "alter table location", the only way to capture old location information is at the notification log. And we need this in Sentry to be able to properly revoke privileges on the old location. We might be able to relax this requirement if we make some architectural changes on how we store this HMS info in Sentry, but for now we need this information. Also, having this information will avoid the round trip. So with respect to capturing this information, the minimally invasive approach is to just implement a custom MessageFactory (hcatalog.message.factory.impl.json), which takes care of the serialization and deseriazation of the message. We can just add additional information without causing disruption to other clients(BDR) As I was implementing this, I encountered the problem that there is a small bug(in Hive trunk) which makes the MessageFactory not truly pluggable (HIVE-14011 - Attached a fix). But it would be while before Hive can make a release and Sentry can move to this fixed version. We need a backup plan. So the next back plan is to implement the Listener in Sentry and use custom MessageFactory as well. I have done some testing on my side to make sure it does not break BDR- you should still be able to access the notification log and fields in the original message as is. But would be great if you (BDR folks) can give it a shot as well. > Add additional information in the NotificationLog entry > --- > > Key: SENTRY-1329 > URL: https://issues.apache.org/jira/browse/SENTRY-1329 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: sentry-ha-redesign > > Attachments: SENTRY-1329.0.patch > > > After some preliminary testing of HMS NotificationLog in Sentry > (SENTRY-1324), we see that NotificationLog does not capture some information > today. See this [comment| > https://issues.apache.org/jira/browse/SENTRY-1324?focusedCommentId=15330859=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15330859] > for more information. > So with respect to capturing this information, the minimally invasive > approach is to just implement a custom MessageFactory > (hcatalog.message.factory.impl.json), which takes care of the serialization > and deseriazation of the message. We can just add additional information > without causing disruption to other clients. > As I was implementing this, I encountered the problem that there is a small > bug(in Hive trunk) which makes the MessageFactory not truly pluggable > (HIVE-14011 - Attached a fix). But it would be a while before Hive can make a > release with this fix and Sentry can move to this fixed version. > So in the interim, we can implement the Listener in Sentry and use custom > MessageFactory as well. I have done some testing on my side to make sure it > does not break other clients. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1324) Add sentry specific test cases to use NotificationLog
[ https://issues.apache.org/jira/browse/SENTRY-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1324: Attachment: SENTRY-1324.1.patch Thanks for the review [~cmccabe]! Made the following changes: 1. Added more tests and comments. 2. Disabled tests which need hive >= 1.2.0 3. Renamed the class to be more descriptive. 4. Added tests to make sure id is monotonically increasing. > Add sentry specific test cases to use NotificationLog > - > > Key: SENTRY-1324 > URL: https://issues.apache.org/jira/browse/SENTRY-1324 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: sentry-ha-redesign > > Attachments: SENTRY-1324.0.patch, SENTRY-1324.1.patch > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1295) Investigate malformed paths in HMS db
[ https://issues.apache.org/jira/browse/SENTRY-1295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1295: Priority: Critical (was: Major) > Investigate malformed paths in HMS db > - > > Key: SENTRY-1295 > URL: https://issues.apache.org/jira/browse/SENTRY-1295 > Project: Sentry > Issue Type: Bug >Reporter: Sravya Tirukkovalur >Priority: Critical > > Paths in HMS are expected to be in one of these forms: > * hdfs://hostname:port/path > * hdfs:///path > * /path, in which case, scheme will be constructed from > FileSystem.getDefaultURI > * URIs with non hdfs scheme will just be ignored > I came across atleast 2 sentry users where HMS did have paths which do not > comply with above rules and hence HMS plugin initialization for pathupdates > failed. See sentry-1260 and sentry-1270 for details on how these errors > surface. > With 1260 and 1270 we should have more information on what these malformed > paths were. But we should continue to investigate and fix the root cause, It > would most likely be in HMS code base. Until then, here is how you can > diagnose and fix it manually: > *Look for malformed paths in HMS* : Look in DBS as well as SDS tables. > {code} > SELECT "NAME", "DB_LOCATION_URI" FROM "DBS" WHERE NOT "DB_LOCATION_URI" LIKE > 'hdfs://%/%'; > NAME | DB_LOCATION_URI > ---+ > db_name | hdfs://nameservice1 > (1 row) > {code} > *Fix it manually updating the HMS location* > {code} > UPDATE DBS > SET DB_LOCATION_URI='hdfs://nameservice1/user/hive/warehouse/db_name.db' > WHERE DB_ID=12345; > {code} > Lets track occurrences of these malformed paths here: > * hdfs://nameservice1 : Not sure why would any one create a db/table in root > directory? Should we accept this in Sentry? > What does SKEWED_COL_VALUE_LOC_MAP.location in HMS correspond to? Double > check if there are any malformed paths here? -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-961) Remove fb303.thrift reference from thrift definitions
[ https://issues.apache.org/jira/browse/SENTRY-961?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-961: --- Labels: newbie (was: ) > Remove fb303.thrift reference from thrift definitions > - > > Key: SENTRY-961 > URL: https://issues.apache.org/jira/browse/SENTRY-961 > Project: Sentry > Issue Type: Bug >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Labels: newbie > > Looks like we do not require fb303.thrift but include it in our thrift > definitions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1316) Implement Sentry leadership election
[ https://issues.apache.org/jira/browse/SENTRY-1316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15345150#comment-15345150 ] Sravya Tirukkovalur commented on SENTRY-1316: - +1 pending QA. Seems like TestPluginCacheSync should also be removed as it is related to old design. > Implement Sentry leadership election > > > Key: SENTRY-1316 > URL: https://issues.apache.org/jira/browse/SENTRY-1316 > Project: Sentry > Issue Type: Sub-task >Affects Versions: 1.8.0 >Reporter: Sravya Tirukkovalur >Assignee: Colin Patrick McCabe > Fix For: 1.8.0 > > Attachments: SENTRY-1316.001.patch, SENTRY-1316.002.patch, > SENTRY-1316.003.patch, SENTRY-1316.004-sentry-ha-redesign.patch, > SENTRY-1316.005-sentry-ha-redesign.patch, > SENTRY-1316.006-sentry-ha-redesign.patch, > SENTRY-1316.007-sentry-ha-redesign.patch > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1321) Use DbNotificationListener and poll the HMS notifications from Sentry service
[ https://issues.apache.org/jira/browse/SENTRY-1321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15345200#comment-15345200 ] Sravya Tirukkovalur commented on SENTRY-1321: - This is creating a maven circular dependency between sentry-provider-db and sentry-binding-hive. Any ideas on what is the preferable way to resolve this? > Use DbNotificationListener and poll the HMS notifications from Sentry service > - > > Key: SENTRY-1321 > URL: https://issues.apache.org/jira/browse/SENTRY-1321 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: 1.8.0 > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1321) Use DbNotificationListener and poll the HMS notifications from Sentry service
[ https://issues.apache.org/jira/browse/SENTRY-1321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15345206#comment-15345206 ] Sravya Tirukkovalur commented on SENTRY-1321: - I am thinking of creating a separate module sentry-binding-hive-follower and let sentry-provider-db use this. Any thoughts? > Use DbNotificationListener and poll the HMS notifications from Sentry service > - > > Key: SENTRY-1321 > URL: https://issues.apache.org/jira/browse/SENTRY-1321 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Sravya Tirukkovalur >Assignee: Sravya Tirukkovalur > Fix For: 1.8.0 > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1316) Implement Sentry leadership election
[ https://issues.apache.org/jira/browse/SENTRY-1316?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1316: Resolution: Fixed Fix Version/s: (was: 1.8.0) sentry-ha-redesign Status: Resolved (was: Patch Available) [~haohao] comitted this to the feature branch, thanks for the nice work [~cmccabe]! > Implement Sentry leadership election > > > Key: SENTRY-1316 > URL: https://issues.apache.org/jira/browse/SENTRY-1316 > Project: Sentry > Issue Type: Sub-task >Affects Versions: 1.8.0 >Reporter: Sravya Tirukkovalur >Assignee: Colin Patrick McCabe > Fix For: sentry-ha-redesign > > Attachments: SENTRY-1316.001.patch, SENTRY-1316.002.patch, > SENTRY-1316.003.patch, SENTRY-1316.004-sentry-ha-redesign.patch, > SENTRY-1316.005-sentry-ha-redesign.patch, > SENTRY-1316.006-sentry-ha-redesign.patch, > SENTRY-1316.007-sentry-ha-redesign.patch, > SENTRY-1316.008-sentry-ha-redesign.patch, > SENTRY-1316.008-sentry-ha-redesign.patch > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (SENTRY-1364) Add tests for "Alter table" which do not change location
Sravya Tirukkovalur created SENTRY-1364: --- Summary: Add tests for "Alter table" which do not change location Key: SENTRY-1364 URL: https://issues.apache.org/jira/browse/SENTRY-1364 Project: Sentry Issue Type: Test Reporter: Sravya Tirukkovalur Attachments: SENTRY-1364.patch -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1364) Add tests for "Alter table" which do not change location
[ https://issues.apache.org/jira/browse/SENTRY-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1364: Attachment: SENTRY-1364.patch > Add tests for "Alter table" which do not change location > > > Key: SENTRY-1364 > URL: https://issues.apache.org/jira/browse/SENTRY-1364 > Project: Sentry > Issue Type: Test >Reporter: Sravya Tirukkovalur > Attachments: SENTRY-1364.patch > > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1231) Sentry doesn't secure index location uri, when do "CREATE INDEX LOCATION ''/uri"
[ https://issues.apache.org/jira/browse/SENTRY-1231?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15347365#comment-15347365 ] Sravya Tirukkovalur commented on SENTRY-1231: - Seems like newer Hive captures in AST, We can resolve this once we move to a newer Hive version. > Sentry doesn't secure index location uri, when do "CREATE INDEX LOCATION > ''/uri" > > > Key: SENTRY-1231 > URL: https://issues.apache.org/jira/browse/SENTRY-1231 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: 1.8.0 >Reporter: Anne Yu >Assignee: Sravya Tirukkovalur >Priority: Blocker > Attachments: SENTRY-1231.0.patch, SENTRY-1231.1.patch > > > Sentry doesn't check the uri privilege of command, CREATE INDEX LOCATION > '/path'. For example, > {code} > [root@ay-s3-1 ~]# sudo -u hdfs hdfs dfs -getfacl -R /data/testindex > # file: /data/testindex > # owner: hdfs > # group: hive > user::rwx > group::r-x > other::r-x > use systest> CREATE INDEX my_hdfs_table_index ON TABLE my_hdfs_table > (viewtime) AS 'compact' WITH DEFERRED REBUILD LOCATION '/data/testindex'; > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1373) Alter table location on a managed/unmanaged partitioned table, ACLS on oldTable location remain
[ https://issues.apache.org/jira/browse/SENTRY-1373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1373: Summary: Alter table location on a managed/unmanaged partitioned table, ACLS on oldTable location remain (was: Alter table location on a managed partitioned table, ACLS on oldTable location remain) > Alter table location on a managed/unmanaged partitioned table, ACLS on > oldTable location remain > --- > > Key: SENTRY-1373 > URL: https://issues.apache.org/jira/browse/SENTRY-1373 > Project: Sentry > Issue Type: Bug >Reporter: Sravya Tirukkovalur > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1374) Add alter table test cases for HDFS sync for managed/unmanaged table, with/without partitions
[ https://issues.apache.org/jira/browse/SENTRY-1374?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sravya Tirukkovalur updated SENTRY-1374: Summary: Add alter table test cases for HDFS sync for managed/unmanaged table, with/without partitions (was: Add alter table test cases for HDFS sync) > Add alter table test cases for HDFS sync for managed/unmanaged table, > with/without partitions > - > > Key: SENTRY-1374 > URL: https://issues.apache.org/jira/browse/SENTRY-1374 > Project: Sentry > Issue Type: Bug >Reporter: Sravya Tirukkovalur > -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (SENTRY-1374) Add alter table test cases for HDFS sync
Sravya Tirukkovalur created SENTRY-1374: --- Summary: Add alter table test cases for HDFS sync Key: SENTRY-1374 URL: https://issues.apache.org/jira/browse/SENTRY-1374 Project: Sentry Issue Type: Bug Reporter: Sravya Tirukkovalur -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (SENTRY-1372) set location of managed table -> drop table does not remove ACLS on tableLocation
Sravya Tirukkovalur created SENTRY-1372: --- Summary: set location of managed table -> drop table does not remove ACLS on tableLocation Key: SENTRY-1372 URL: https://issues.apache.org/jira/browse/SENTRY-1372 Project: Sentry Issue Type: Bug Reporter: Sravya Tirukkovalur -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1372) set location of managed table -> drop table does not remove ACLS on tableLocation
[ https://issues.apache.org/jira/browse/SENTRY-1372?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15352174#comment-15352174 ] Sravya Tirukkovalur commented on SENTRY-1372: - Resolving as it was a test issue. > set location of managed table -> drop table does not remove ACLS on > tableLocation > - > > Key: SENTRY-1372 > URL: https://issues.apache.org/jira/browse/SENTRY-1372 > Project: Sentry > Issue Type: Bug >Reporter: Sravya Tirukkovalur > -- This message was sent by Atlassian JIRA (v6.3.4#6332)