[ https://issues.apache.org/jira/browse/SENTRY-1610?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexander Kolbasov resolved SENTRY-1610.
----------------------------------------
    Resolution: Not A Problem

Apparently this isn't a bug, although this is rather strange behavior.

> list_sentry_roles_by_group() semantics for Generic model is broken
> ------------------------------------------------------------------
>
>                 Key: SENTRY-1610
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1610
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 1.8.0, sentry-ha-redesign
>            Reporter: Alexander Kolbasov
>            Assignee: Alexander Kolbasov
>
> Looking at SentryGenericPolicyProcessor:
> {code}
> @Override
> public TListSentryRolesResponse list_sentry_roles_by_group(
>     final TListSentryRolesRequest request) throws TException {
>   Response<Set<TSentryRole>> respose = requestHandle(new RequestHandler<Set<TSentryRole>>() {
>     @Override
>     public Response<Set<TSentryRole>> handle() throws Exception {
>       validateClientVersion(request.getProtocol_version());
>       // Here we assign groups to the requestor's Unix groups!
>       Set<String> groups = getRequestorGroups(conf, request.getRequestorUserName());
>       if (!AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) {
>         boolean admin = inAdminGroups(groups);
>         // Only admin users can list all roles in the system ( groupname = null)
>         // Non admin users are only allowed to list only groups which they belong to
>         if(!admin && (request.getGroupName() == null || !groups.contains(request.getGroupName()))) {
>           throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE + request.getRequestorUserName());
>         }
>         groups.clear();
>         groups.add(request.getGroupName());
>       }
>       // And here we use Unix groups if the group is "*"
>       Set<String> roleNames = store.getRolesByGroups(request.getComponent(), groups);
>       ...
> {code}
> What happens here is weird - when the group in the request is ALL ("*"), we
> attempt to return roles for Unix groups that the requestor belongs to, not
> Sentry groups. The problem is that Sentry groups and User groups have nothing
> in common, so this is completely wrong.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
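The decision the quoted handler makes, as an added example in Python (a standalone model written for this note, not Sentry's code). The user-to-Unix-group map, the admin group and the store contents are constructed; the store's handling of a null group name is an assumption taken from the in-code comment about admins. It shows that a request for "*" resolves against the requestor's Unix groups only, so a group granted roles solely in Sentry (here "kafka_ops") is never consulted, even for an admin:

```python
from typing import Dict, Optional, Set

# Added example modelling the group resolution in
# SentryGenericPolicyProcessor.list_sentry_roles_by_group(); this is not
# Sentry code. All data below is constructed for illustration.

ALL = "*"  # stands in for AccessConstants.ALL

# Constructed stand-in for getRequestorGroups(): the requestor's Unix groups.
UNIX_GROUPS: Dict[str, Set[str]] = {
    "alice": {"analysts", "sentry_admins"},
    "bob": {"analysts", "dev"},
}

# Constructed stand-in for inAdminGroups().
ADMIN_GROUPS: Set[str] = {"sentry_admins"}

# Constructed stand-in for the store: component -> group -> role names.
# "kafka_ops" exists only in Sentry; no requestor above carries it as a
# Unix group.
STORE: Dict[str, Dict[str, Set[str]]] = {
    "kafka": {
        "analysts": {"reader"},
        "dev": {"writer"},
        "kafka_ops": {"broker_admin"},
    }
}


class SentryAccessDenied(Exception):
    """Stands in for SentryAccessDeniedException."""


def resolve_groups(requestor: str, group_name: Optional[str]) -> Set[Optional[str]]:
    """Return the group set the handler passes to store.getRolesByGroups()."""
    groups: Set[Optional[str]] = set(UNIX_GROUPS.get(requestor, set()))
    # Java's ALL.equalsIgnoreCase(null) is false, so a null group name
    # takes this branch as well.
    if group_name is None or group_name.lower() != ALL:
        admin = bool(groups & ADMIN_GROUPS)
        # Non-admins may only name a group they belong to; null is admin-only.
        if not admin and (group_name is None or group_name not in groups):
            raise SentryAccessDenied(requestor)
        # groups.clear(); groups.add(request.getGroupName())
        groups = {group_name}
    # For "*" the requestor's Unix groups go to the store unchanged.
    return groups


def list_roles(component: str, requestor: str, group_name: Optional[str]) -> Set[str]:
    """Union of the store's roles for each resolved group.

    Assumption (not in the quoted code): the store treats a null group as
    "every role in the component", which is what the comment about admins
    listing all roles implies.
    """
    groups = resolve_groups(requestor, group_name)
    by_group = STORE.get(component, {})
    if None in groups:
        return set().union(*by_group.values()) if by_group else set()
    roles: Set[str] = set()
    for g in groups:
        roles |= by_group.get(g, set())
    return roles


if __name__ == "__main__":
    # Admin asks for "*": only her Unix groups are consulted, so the
    # Sentry-only group "kafka_ops" and its role are missing.
    print(list_roles("kafka", "alice", "*"))
    # Admin with a null group: every role in the component.
    print(list_roles("kafka", "alice", None))
    # Non-admin naming a group he is not in: denied.
    try:
        list_roles("kafka", "bob", "kafka_ops")
    except SentryAccessDenied as e:
        print("denied:", e)
```

Running it shows the asymmetry the issue describes: "alice" with `None` sees "broker_admin", but "alice" with "*" does not, because "*" is answered from Unix group membership rather than from the groups the Sentry store knows about.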