[
https://issues.apache.org/jira/browse/IMPALA-10399?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17652344#comment-17652344
]
ASF subversion and git services commented on IMPALA-10399:
----------------------------------------------------------
Commit db1cac2a495fa393f407d72775c072551a43dab4 in impala's branch
refs/heads/master from Fang-Yu Rao
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=db1cac2a4 ]
IMPALA-10399, IMPALA-11060, IMPALA-11788: Reset Ranger policy repository in an
E2E test
test_show_grant_hive_privilege() uses Ranger's REST API to get all the
existing policies from the Ranger server after creating a policy that
grants the LOCK and SELECT privileges on all the tables and columns in
the unique database in order to verify the granted privileges indeed
exist in Ranger's policy repository.
The way we download all the policies from the Ranger server in
test_show_grant_hive_privilege(), however, did not
always work. Specifically, when there were already a lot of existing
policies in Ranger, the policy that granted the LOCK and SELECT
privileges would not be included in the result returned via one single
GET request. We found that to reproduce the issue it suffices to add 300
Ranger policies before adding the policy granting those 2 privileges.
Moreover, we found that even we set the argument 'stream' of
requests.get() to True and used iter_content() to read the response in
chunks, we still could not retrieve the policy added in
test_show_grant_hive_privilege().
As a workaround, instead of changing how we download all the policies
from the Ranger server, this patch resets Ranger's policy repository for
Impala before we create the policy granting those 2 privileges so that
this test will be more resilient to the number of existing policies in
the repository.
Change-Id: Iff56ec03ceeb2912039241ea302f4bb8948d61f8
Reviewed-on: http://gerrit.cloudera.org:8080/19373
Tested-by: Impala Public Jenkins <[email protected]>
Reviewed-by: Quanlong Huang <[email protected]>
> test_show_grant_hive_privilege() fails in the exhaustive tests if being
> executed after test_grant_revoke_with_role()
> --------------------------------------------------------------------------------------------------------------------
>
> Key: IMPALA-10399
> URL: https://issues.apache.org/jira/browse/IMPALA-10399
> Project: IMPALA
> Issue Type: Bug
> Components: Catalog
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Major
>
> We found that after part 1 of IMPALA-10222, if
> {{test_show_grant_hive_privilege()}} at
> https://github.com/apache/impala/blob/aeeff53e884a67ee7f5980654a1d394c6e3e34ac/tests/authorization/test_ranger.py#L532-L578
> is run after {{test_grant_revoke_with_role()}} at
> https://gerrit.cloudera.org/c/16837/6/tests/authorization/test_ranger.py#129
> in the exhaustive tests, {{test_show_grant_hive_privilege()}} could fail due
> to an empty list returned from the first call to
> {{_get_ranger_privileges_db()}} although a list consisting of "{{lock}}" and
> "{{select}}" is expected.
> We suspect there might be something wrong with the underlying Ranger API but
> it requires more thorough investigation.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
