Repository: sentry Updated Branches: refs/heads/master cfd1036fe -> 0397fc5e3
SENTRY-2272: Fix the sentry store logic for listing user privileges (Sergio Pena, reviewed by kalyan kumar kalvagadda) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/0397fc5e Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/0397fc5e Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/0397fc5e Branch: refs/heads/master Commit: 0397fc5e3f6956ff5d56bb32acbb8670c18d0659 Parents: cfd1036 Author: Sergio Pena <sergio.p...@cloudera.com> Authored: Wed Jun 27 11:37:34 2018 -0500 Committer: Sergio Pena <sergio.p...@cloudera.com> Committed: Wed Jun 27 11:37:34 2018 -0500 ---------------------------------------------------------------------- .../authz/DefaultSentryAccessController.java | 30 +++++++++++++++++--- 1 file changed, 26 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/0397fc5e/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java ----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java
index 318c1e8..beca2f8 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java
@@ -51,6 +51,7 @@ import org.apache.sentry.binding.util.SentryAuthorizerUtil;
 import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
+import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
 import org.apache.sentry.core.common.exception.SentryUserException;
 import org.apache.sentry.core.model.db.AccessConstants;
 import org.apache.sentry.core.model.db.DBModelAuthorizable;
@@ -234,8 +235,19 @@ public class DefaultSentryAccessController extends SentryHiveAccessController {
 principal.getName(), authorizable));
 break;
 case USER:
- tPrivilges.addAll(sentryClient.listPrivilegesByUserName(authenticator.getUserName(),
- principal.getName(), authorizable));
+ try {
+ tPrivilges.addAll(sentryClient.listPrivilegesByUserName(authenticator.getUserName(),
+ principal.getName(), authorizable));
+ } catch (SentryNoSuchObjectException e) {
+ // SentryNoSuchObjectException is thrown by Sentry when the user name requested
+ // is not found in the Sentry database. Sentry only stores user information when
+ // privileges are granted, and deletes the user when privileges are deleted to avoid
+ // stale data.
+ // To avoid throwing a nasty exception in Hive, then we return an empty list instead
+ // to let Hive execute the SHOW GRANT USER without errors.
+ LOG.info("User {} requested does not exist in Sentry", authenticator.getUserName());
+ }
+
 break;
 }
 }
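Review bot: The `LOG.info` call in the new catch block of the `@@ -234,8 +235,19 @@` hunk names `authenticator.getUserName()`, which is the first argument of `listPrivilegesByUserName` and so appears to be the requesting user, while the name actually being looked up is the second argument, `principal.getName()`. If that reading of the client signature is right, the log reports the caller as the missing user and the record of who asked about whom is wrong; I would change the line to `LOG.info("User {} requested by {} does not exist in Sentry", principal.getName(), authenticator.getUserName());`. The principal name comes from the SHOW GRANT USER statement, so it is worth confirming that the logging layout neutralises line breaks in it. The same line appears in the `@@ -246,8 +258,18 @@` hunk, and the enclosing method starts and ends outside both hunks.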
@@ -246,8 +258,18 @@ public class DefaultSentryAccessController extends SentryHiveAccessController {
 principal.getName(), null));
 break;
 case USER:
- tPrivilges.addAll(sentryClient.listPrivilegesByUserName(authenticator.getUserName(),
- principal.getName(), null));
+ try {
+ tPrivilges.addAll(sentryClient.listPrivilegesByUserName(authenticator.getUserName(),
+ principal.getName(), null));
+ } catch (SentryNoSuchObjectException e) {
+ // SentryNoSuchObjectException is thrown by Sentry when the user name requested
+ // is not found in the Sentry database. Sentry only stores user information when
+ // privileges are granted, and deletes the user when privileges are deleted to avoid
+ // stale data.
+ // To avoid throwing a nasty exception in Hive, then we return an empty list instead
+ // to let Hive execute the SHOW GRANT USER without errors.
+ LOG.info("User {} requested does not exist in Sentry", authenticator.getUserName());
+ }
 break;
 }
 }
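Review bot: The catch block in this hunk discards `e` entirely, so every SentryNoSuchObjectException raised by the call becomes an empty privilege list with no record of the server's message. The comment says the exception means the user is absent, but if the server can raise it for some other missing object (not visible in this hunk), that case would be reported to Hive as "no privileges". I would keep the cause at debug level with `LOG.debug("listPrivilegesByUserName returned no such object", e);`, and the same applies to the identical block in the `@@ -234,8 +235,19 @@` hunk. Since the two blocks differ only in the last argument, a small private helper taking the authorizable would keep them from drifting apart.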