[
https://issues.apache.org/jira/browse/SENTRY-985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15052201#comment-15052201
]
Anne Yu commented on SENTRY-985:
--------------------------------
FYI [~dapengsun] and [~haohao]: when we consider client integration and
generic policy support, we can consider Solr.
> sentry config-tool fails to import Solr sentry-provider.ini
> -----------------------------------------------------------
>
> Key: SENTRY-985
> URL: https://issues.apache.org/jira/browse/SENTRY-985
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Affects Versions: 1.6.0
> Reporter: Anne Yu
>
> The Hadoop Security book introduces the tool as a good way to check policy
> files for errors and to verify privileges for a given user. You can also use
> it to import policies from policy files to the Sentry Service. In the quote
> below it implies that you should use it for Solr policy files to avoid syntax
> errors.
> From O'Reilly Hadoop Security book:
> "It is important to point out that while SQL policy files allow for separate
> policy files per database, Solr does not. This means that Solr policy
> administrators need to be extra careful when modifying the policies because,
> as with the SQL policy files, a syntax error invalidates the entire policy
> file, thus inadvertently denying access to everyone. A nice feature to help
> combat typos and mistakes is to validate the policy file using the
> config-tool, which leads us into the next section."
> However, as I've dug into it, I see that config-tool does not support an
> AuthorizableType of "collection", which is the "authorizable" used in Solr
> Sentry policy files.
> [nwhite@host-10-17-80-38 ~]$ sentry --command config-tool -l -u nwhite -i
> file:///home/nwhite/sentry-provider.ini -s
> file:///etc/sentry/conf/sentry-site.xml -d
> Configuration:
> Sentry package jar:
> file:/opt/cloudera/parcels/CDH-5.4.8-1.cdh5.4.8.p0.4/jars/sentry-binding-hive-1.4.0-cdh5.4.8.jar
> Hive config: file:/etc/hive/conf.cloudera.hive/hive-site.xml
> 15/12/10 06:58:54 INFO conf.HiveAuthzConf: DefaultFS:
> hdfs://host-10-17-80-38.coe.cloudera.com:8020
> 15/12/10 06:58:54 INFO conf.HiveAuthzConf: DefaultFS:
> hdfs://host-10-17-80-38.coe.cloudera.com:8020
> Sentry config: file:/etc/sentry/conf/sentry-site.xml
> Sentry Policy: file:///home/nwhite/sentry-provider.ini
> Sentry server: HS2
> 15/12/10 06:58:55 INFO file.SimpleFileProviderBackend: Parsing
> file:/home/nwhite/sentry-provider.ini
> 15/12/10 06:58:55 INFO file.SimpleFileProviderBackend: Filesystem: file:///
> 15/12/10 06:58:55 INFO file.PolicyFiles: Opening
> file:/home/nwhite/sentry-provider.ini
> 15/12/10 06:58:55 ERROR file.SimpleFileProviderBackend: Error processing
> file, ignoring file:/home/nwhite/sentry-provider.ini
> org.apache.shiro.config.ConfigurationException: No authorizable found for
> collection=employees
> at
> org.apache.sentry.policy.db.AbstractDBPrivilegeValidator.parsePrivilege(AbstractDBPrivilegeValidator.java:42)
> at
> org.apache.sentry.policy.db.ServersAllIsInvalid.validate(ServersAllIsInvalid.java:29)
> From org.apache.sentry.core.model.db.DBModelAuthorizable:
> public enum AuthorizableType {
>   Server,
>   Db,
>   Table,
>   View,
>   URI
> };
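Added example (not part of the original JIRA message or of Sentry's code): a pre-deployment check that emulates the failure reported above by validating each privilege part of a policy file against the authorizable types of a chosen model. The `db` set is the enum quoted in the report; the `solr` set, the sample policy and all function names are assumptions for illustration.

```python
# Added illustration: model-aware check of Sentry policy-file privileges.
DB_TYPES = {"server", "db", "table", "view", "uri"}  # DBModelAuthorizable enum quoted in the report
SOLR_TYPES = {"collection"}  # assumption, per the report: the authorizable used in Solr policy files
MODELS = {"db": DB_TYPES, "solr": SOLR_TYPES}

# Constructed sample policy file (group and role names are made up).
SAMPLE_POLICY = """\
[groups]
hr = employees_role
[roles]
employees_role = collection=employees->action=query
"""

def parse_roles(text):
    """Return {role: [privilege, ...]} from the [roles] section."""
    roles, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "roles":
            name, _, value = line.partition("=")  # the value itself contains '='
            roles[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return roles

def validate(text, model):
    """Return a list of error strings; empty means every part is known to `model`."""
    allowed, errors = MODELS[model], []
    for role, privileges in parse_roles(text).items():
        for privilege in privileges:
            for part in privilege.split("->"):
                key, sep, value = part.partition("=")
                if key.strip().lower() == "action":
                    continue  # actions are not authorizables
                if not sep or not value or key.strip().lower() not in allowed:
                    errors.append(f"{role}: No authorizable found for {part.strip()}")
    return errors

if __name__ == "__main__":
    for model in MODELS:
        print(model, validate(SAMPLE_POLICY, model) or "OK")
```

Running the same file through both models shows that the policy is valid Solr syntax and is rejected only because the validator loaded belongs to the Hive binding.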