[
https://issues.apache.org/jira/browse/SENTRY-694?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14505009#comment-14505009
]
John commented on SENTRY-694:
-----------------------------
Colin,
Thanks for looking. I have determined the Orphan privilege thing was a red
herring. The actual problem seems to be that in certain scenarios, the query
that checks if a privilege already exists is not finding an existing privilege
in the SENTRY_DB_PRIVILEGE table when one does exist. This is happening in the
1.4.0 release. I have not been able to reproduce in a unit test but I can
consistently reproduce if I GRANT the same privilege to two roles and the
privilege was created using an uppercase table name:
0: jdbc:hive2://localhost:10000/default> GRANT SELECT ON TABLE PATIENT TO ROLE
VIEW_PUBLIC;
No rows affected (0.134 seconds)
0: jdbc:hive2://localhost:10000/default> GRANT SELECT ON TABLE PATIENT TO ROLE
VIEW_PHI;
Error: Error while processing statement: FAILED: Execution Error, return code 1
from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. Unknown error for
request: TAlterSentryRoleGrantPrivilegeRequest(protocol_version:1,
requestorUserName:phidemo, roleName:VIEW_PHI,
privilege:TSentryPrivilege(privilegeScope:TABLE, serverName:server1,
dbName:EMR, tableName:PATIENT, URI:, action:SELECT, createTime:1429503138784,
grantOption:FALSE)), message: Insert of object
"org.apache.sentry.provider.db.service.model.MSentryPrivilege@3fca079c" using
statement "INSERT INTO `SENTRY_DB_PRIVILEGE`
(`DB_PRIVILEGE_ID`,`PRIVILEGE_SCOPE`,`WITH_GRANT_OPTION`,`CREATE_TIME`,`TABLE_NAME`,`URI`,`DB_NAME`,`SERVER_NAME`,`ACTION`)
VALUES (?,?,?,?,?,?,?,?,?)" failed : Duplicate entry
'server1-emr-patient-__NULL__-select-N' for key
'SENTRY_DB_PRIV_PRIV_NAME_UNIQ'. Server Stacktrace:
javax.jdo.JDODataStoreException: Insert of object
"org.apache.sentry.provider.db.service.model.MSentryPrivilege@3fca079c" using
statement "INSERT INTO `SENTRY_DB_PRIVILEGE`
(`DB_PRIVILEGE_ID`,`PRIVILEGE_SCOPE`,`WITH_GRANT_OPTION`,`CREATE_TIME`,`TABLE_NAME`,`URI`,`DB_NAME`,`SERVER_NAME`,`ACTION`)
VALUES (?,?,?,?,?,?,?,?,?)" failed : Duplicate entry
'server1-emr-patient-__NULL__-select-N' for key 'SENTRY_DB_PRIV_PRIV_NAME_UNIQ'
I will close this ticket and open a new one with the proper description of the
problem.
Thanks,
John
> Sentry leaving orphan rows in SENTRY_DB_PRIVILEGE
> -------------------------------------------------
>
> Key: SENTRY-694
> URL: https://issues.apache.org/jira/browse/SENTRY-694
> Project: Sentry
> Issue Type: Bug
> Affects Versions: 1.4.0
> Environment: CentOS 6.6
> Reporter: John
>
> It appears that when a role is dropped the privileges granted to that role
> remain in SENTRY_DB_PRIVILEGE
> 0: jdbc:hive2://localhost:10000/default> CREATE ROLE FOO;
> No rows affected (0.102 seconds)
> 0: jdbc:hive2://localhost:10000/default> GRANT ALL ON DATABASE EMR TO ROLE
> FOO;
> No rows affected (0.129 seconds)
> 0: jdbc:hive2://localhost:10000/default> DROP ROLE FOO;
> No rows affected (0.129 seconds)
> 0: jdbc:hive2://localhost:10000/default> CREATE ROLE FOO;
> No rows affected (0.105 seconds)
> 0: jdbc:hive2://localhost:10000/default> GRANT ALL ON DATABASE EMR TO FOO;
> Error: Error while compiling statement: FAILED: ParseException line 1:29
> cannot recognize input near 'FOO' '<EOF>' '<EOF>' in user|group|role name
> (state=42000,code=40000)
> 0: jdbc:hive2://localhost:10000/default> GRANT ALL ON DATABASE EMR TO ROLE
> FOO;
> Error: Error while processing statement: FAILED: Execution Error, return code
> 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. Unknown error
> for request: TAlterSentryRoleGrantPrivilegeRequest(protocol_version:1,
> requestorUserName:phidemo, roleName:FOO,
> privilege:TSentryPrivilege(privilegeScope:DATABASE, serverName:server1,
> dbName:EMR, tableName:, URI:, action:*, createTime:1428717194418,
> grantOption:FALSE)), message: Insert of object
> "org.apache.sentry.provider.db.service.model.MSentryPrivilege@7ecb6306" using
> statement "INSERT INTO `SENTRY_DB_PRIVILEGE`
> (`DB_PRIVILEGE_ID`,`SERVER_NAME`,`URI`,`PRIVILEGE_SCOPE`,`WITH_GRANT_OPTION`,`DB_NAME`,`TABLE_NAME`,`ACTION`,`CREATE_TIME`)
> VALUES (?,?,?,?,?,?,?,?,?)" failed : Duplicate entry
> 'server1-emr-__NULL__-__NULL__-*-N' for key 'SENTRY_DB_PRIV_PRIV_NAME_UNIQ'.
> Server Stacktrace: javax.jdo.JDODataStoreException: Insert of object
> "org.apache.sentry.provider.db.service.model.MSentryPrivilege@7ecb6306" using
> statement "INSERT INTO `SENTRY_DB_PRIVILEGE`
> (`DB_PRIVILEGE_ID`,`SERVER_NAME`,`URI`,`PRIVILEGE_SCOPE`,`WITH_GRANT_OPTION`,`DB_NAME`,`TABLE_NAME`,`ACTION`,`CREATE_TIME`)
> VALUES (?,?,?,?,?,?,?,?,?)" failed : Duplicate entry
> 'server1-emr-__NULL__-__NULL__-*-N' for key 'SENTRY_DB_PRIV_PRIV_NAME_UNIQ'
> at
> org.datanucleus.api.jdo.NucleusJDOHelper.getJDOExceptionForNucleusException(NucleusJDOHelper.java:451)
> at
> org.datanucleus.api.jdo.JDOPersistenceManager.jdoMakePersistent(JDOPersistenceManager.java:732)
> at
> org.datanucleus.api.jdo.JDOPersistenceManager.makePersistent(JDOPersistenceManager.java:752)
> at
> org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleGrantPrivilegeCore(SentryStore.java:389)
> at
> org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleGrantPrivilege(SentryStore.java:329)
> at
> org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_grant_privilege(SentryPolicyStoreProcessor.java:249)
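
A minimal model of the failure described in the comment above, as an added example that is not Sentry code. It assumes the store lowercases names on insert while the existence check compares the caller's spelling; the SQLite schema is a constructed stand-in for SENTRY_DB_PRIVILEGE, and `grant`, `replay` and the table layout are hypothetical.

```python
import sqlite3

# Constructed schema: a cut-down stand-in for SENTRY_DB_PRIVILEGE, not Sentry's DDL.
SCHEMA = """
CREATE TABLE privilege (
    id INTEGER PRIMARY KEY,
    server_name TEXT, db_name TEXT, table_name TEXT, action TEXT,
    UNIQUE (server_name, db_name, table_name, action)
);
CREATE TABLE role_privilege (role TEXT, privilege_id INTEGER,
                             UNIQUE (role, privilege_id));
"""

def norm(priv):
    # Assumption: names are stored lowercased, as the 'server1-emr-patient-...'
    # value in the duplicate-key error suggests.
    return tuple(p.lower() for p in priv)

def grant(db, role, priv, normalise_lookup):
    """priv = (server, db, table, action). Returns the privilege row id."""
    key = norm(priv) if normalise_lookup else priv
    row = db.execute(
        "SELECT id FROM privilege WHERE server_name=? AND db_name=? "
        "AND table_name=? AND action=?", key).fetchone()
    if row is None:
        # Lookup found nothing, so a new privilege row is inserted (lowercased).
        priv_id = db.execute(
            "INSERT INTO privilege (server_name, db_name, table_name, action) "
            "VALUES (?,?,?,?)", norm(priv)).lastrowid
    else:
        priv_id = row[0]  # Reuse the existing privilege for the second role.
    db.execute("INSERT OR IGNORE INTO role_privilege VALUES (?,?)", (role, priv_id))
    return priv_id

def replay(normalise_lookup):
    """Replays the two GRANTs from the comment; returns (outcomes, roles holding it)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    priv = ("server1", "EMR", "PATIENT", "SELECT")  # uppercase names, as typed
    outcomes = []
    for role in ("VIEW_PUBLIC", "VIEW_PHI"):
        try:
            grant(db, role, priv, normalise_lookup)
            outcomes.append("ok")
        except sqlite3.IntegrityError:
            outcomes.append("duplicate")  # unique key rejects the second insert
    roles = [r[0] for r in db.execute("SELECT role FROM role_privilege ORDER BY role")]
    return outcomes, roles
```

With the lookup normalised the same way as the write, the second role is attached to the existing privilege row instead of triggering a second insert.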