[
https://issues.apache.org/jira/browse/SENTRY-988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15060294#comment-15060294
]
Yongjun Zhang commented on SENTRY-988:
--------------------------------------
Hi [~sravya],
I just uploaded a patch. Would you please take a look?
One problem I found is, running the following test locally without any change
would fail:
{code}
-------------------------------------------------------
T E S T S
-------------------------------------------------------
Running org.apache.sentry.hdfs.TestSentryAuthorizationProvider
Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 4.313 sec <<<
FAILURE! - in org.apache.sentry.hdfs.TestSentryAuthorizationProvider
testProvider(org.apache.sentry.hdfs.TestSentryAuthorizationProvider) Time
elapsed: 4.311 sec <<< FAILURE!
org.junit.ComparisonFailure: expected:<[hive]> but was:<[yzhang]>
at org.junit.Assert.assertEquals(Assert.java:125)
at org.junit.Assert.assertEquals(Assert.java:147)
at
org.apache.sentry.hdfs.TestSentryAuthorizationProvider$2.run(TestSentryAuthorizationProvider.java:134)
at
org.apache.sentry.hdfs.TestSentryAuthorizationProvider$2.run(TestSentryAuthorizationProvider.java:82)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1628)
at
org.apache.sentry.hdfs.TestSentryAuthorizationProvider.testProvider(TestSentryAuthorizationProvider.java:82)
Results :
Failed tests:
TestSentryAuthorizationProvider.testProvider:82 expected:<[hive]> but
was:<[yzhang]>
{code}
Wonder if it fails for other people.
Thanks.
> It's better to let SentryAuthorization setter path always fall through and
> update HDFS
> --------------------------------------------------------------------------------------
>
> Key: SENTRY-988
> URL: https://issues.apache.org/jira/browse/SENTRY-988
> Project: Sentry
> Issue Type: Bug
> Components: Hdfs Plugin
> Reporter: Yongjun Zhang
> Assignee: Yongjun Zhang
> Attachments: SENTRY-988.001.patch
>
>
> Currently SentryAuthorizationProvider rejects setter calls to Sentry-managed
> paths, and issue an error message when enabled.
> There are two issues:
> 1. When creating a file or dir, the parent dir's group will be set to the
> newly created file/dir, this is supposed to be logged to fsimage in-memory
> representation, but because the rejection of Sentry, it's not.
> 2. (as an example) When user issue a setOwner call via the following RPC:
> {code}
> @Override // ClientProtocol
> public void setOwner(String src, String username, String groupname)
> throws IOException {
> checkNNStartup();
> namesystem.setOwner(src, username, groupname);
> }
> {code}
> Two calls are executed in the deep stack:
> {code}
> a. dir.setOwner(src, username, group);
> b. getEditLog().logSetOwner(src, username, group);
> {code}
> The first call is the one gets rejected by Sentry, however, the second one
> still updates the entry to Edit log. This would indicate an inconsistency
> between in-memory representation of the attribute and what's recorded on edit
> log.
> Creating this jira to make SentryAuthorizationProvider always fallthrough to
> write to HDFS, and issue a warning msg when it "rejects" (for Sentry-managed
> paths).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
