Anne Yu created SENTRY-985:
------------------------------
Summary: sentry config-tool fails to import Solr sentry-provider.ini
Key: SENTRY-985
URL: https://issues.apache.org/jira/browse/SENTRY-985
Project: Sentry
Issue Type: Bug
Components: Sentry
Affects Versions: 1.6.0
Reporter: Anne Yu
The Hadoop Security book introduces the tool as a good way to check policy
files for errors and to verify privileges for a given user. You can also use
it to import policies from policy files to the Sentry Service. In the quote
below it implies that you should use it for Solr policy files to avoid syntax
errors.
From O'Reilly Hadoop Security book:
"It is important to point out that while SQL policy files allow for separate
policy files per database, Solr does not. This means that Solr policy
administrators need to be extra careful when modifying the policies because, as
with the SQL policy files, a syntax error invalidates the entire policy file,
thus inadvertently denying access to everyone. A nice feature to help combat
typos and mistakes is to validate the policy file using the config-tool, which
leads us into the next section."
However, as I've dug into it I see that config-tool does not support an
AuthorizableType of "collection", which is the "authorizable" used in Solr
Sentry policy files.
[nwhite@host-10-17-80-38 ~]$ sentry --command config-tool -l -u nwhite -i file:///home/nwhite/sentry-provider.ini -s file:///etc/sentry/conf/sentry-site.xml -d
Configuration:
Sentry package jar: file:/opt/cloudera/parcels/CDH-5.4.8-1.cdh5.4.8.p0.4/jars/sentry-binding-hive-1.4.0-cdh5.4.8.jar
Hive config: file:/etc/hive/conf.cloudera.hive/hive-site.xml
15/12/10 06:58:54 INFO conf.HiveAuthzConf: DefaultFS: hdfs://host-10-17-80-38.coe.cloudera.com:8020
15/12/10 06:58:54 INFO conf.HiveAuthzConf: DefaultFS: hdfs://host-10-17-80-38.coe.cloudera.com:8020
Sentry config: file:/etc/sentry/conf/sentry-site.xml
Sentry Policy: file:///home/nwhite/sentry-provider.ini
Sentry server: HS2
15/12/10 06:58:55 INFO file.SimpleFileProviderBackend: Parsing file:/home/nwhite/sentry-provider.ini
15/12/10 06:58:55 INFO file.SimpleFileProviderBackend: Filesystem: file:///
15/12/10 06:58:55 INFO file.PolicyFiles: Opening file:/home/nwhite/sentry-provider.ini
15/12/10 06:58:55 ERROR file.SimpleFileProviderBackend: Error processing file, ignoring file:/home/nwhite/sentry-provider.ini
org.apache.shiro.config.ConfigurationException: No authorizable found for collection=employees
at org.apache.sentry.policy.db.AbstractDBPrivilegeValidator.parsePrivilege(AbstractDBPrivilegeValidator.java:42)
at org.apache.sentry.policy.db.ServersAllIsInvalid.validate(ServersAllIsInvalid.java:29)
From org.apache.sentry.core.model.db.DBModelAuthorizable:
public enum AuthorizableType {
  Server,
  Db,
  Table,
  View,
  URI
};
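The model mismatch behind the error above, as an added example (not part of the report and not Sentry's code): a stand-alone Python check that validates the `[roles]` section of a policy file against a chosen set of authorizable types. `DB_MODEL` comes from the enum quoted in the report; `SEARCH_MODEL`, the sample policy and the function names are assumptions.

```python
import configparser

# Authorizable types from the DBModelAuthorizable enum quoted in the report.
DB_MODEL = {"server", "db", "table", "view", "uri"}
# Assumption: a Solr policy model that accepts only "collection".
SEARCH_MODEL = {"collection"}

# Constructed sample policy, not the reporter's actual sentry-provider.ini.
SAMPLE_POLICY = """\
[groups]
hr = hr_role
[roles]
hr_role = collection=employees->action=query
"""


def split_list(value):
    """Split a comma-separated policy value into non-empty, trimmed items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_policy(text, model):
    """Return a list of error strings; an empty list means the file is clean."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep group and role names case-sensitive
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        # One malformed line invalidates the whole policy file.
        return [f"syntax error: {exc}"]
    if not parser.has_section("roles"):
        return ["missing [roles] section"]
    errors = []
    roles = parser["roles"]
    for role, privileges in roles.items():
        for privilege in split_list(privileges):
            for part in privilege.split("->"):
                key, sep, value = part.partition("=")
                if key.strip().lower() == "action":
                    continue  # the action part is not an authorizable
                if not sep or not value.strip() or key.strip().lower() not in model:
                    errors.append(f"{role}: No authorizable found for {part.strip()}")
    if parser.has_section("groups"):
        for group, names in parser["groups"].items():
            for name in split_list(names):
                if name not in roles:
                    errors.append(f"{group}: role {name} is not defined in [roles]")
    return errors
```

Checking the same file against `DB_MODEL` reproduces the rejection of `collection=employees`, while `SEARCH_MODEL` accepts it.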