[ https://issues.apache.org/jira/browse/SENTRY-1825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Na Li updated SENTRY-1825:
--------------------------
    Attachment: SENTRY-1825.005-sentry-ha-redesign.patch

v5. Update based on Kalyan's code review

> Dropping a Hive database/table doesn't cleanup the permissions associated with it
> ----------------------------------------------------------------------------------
>
>                 Key: SENTRY-1825
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1825
>             Project: Sentry
>          Issue Type: Sub-task
>    Affects Versions: sentry-ha-redesign
>            Reporter: Vamsee Yarlagadda
>            Assignee: Na Li
>            Priority: Critical
>              Labels: sentry-ha
>         Attachments: SENTRY-1825.001-sentry-ha-redesign.patch,
>                      SENTRY-1825.002-sentry-ha-redesign.patch,
>                      SENTRY-1825.003-sentry-ha-redesign.patch,
>                      SENTRY-1825.004-sentry-ha-redesign.patch,
>                      SENTRY-1825.005-sentry-ha-redesign.patch
>
>
> Sasha helped in finding this bug. Looks like dropping a database/table
> no longer cleans up the privileges associated with it.
> This problem is because of:
> https://github.com/apache/sentry/blob/sentry-ha-redesign/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java#L126-L127
> {code}
>       final HiveConf hiveConf = new HiveConf();
>       hiveInstance = hiveConf.get(HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar());
> {code}
> With the latest redesign, we are only setting this property on Hive's
> (sentry-site.xml) and not on Sentry's (sentry-site.xml).
> So during permission grants, Hive ensures to supply the *server1* for
> permission updates. But when we drop the table/database that has the perms
> attached, it goes through HMSFollower and this code sets the property as NULL
> as sentry-site.xml doesn't have this set. So it attempts to remove
> permissions with NULL server setting and this always returns without deleting
> anything.
> We need to ensure that the corresponding property is set on both (Sentry,
> Hive) sentry-site.xml to ensure referring to proper privileges.
-- This message was sent by Atlassian JIRA (v6.4.14#64029)
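
A pre-flight check for the mismatch described in the issue, added here as an example (not code from the Sentry project or from the attached patch): it reads the Hive-side and Sentry-side sentry-site.xml and reports when the server name is missing or differs. The key name `sentry.hive.server` for `AUTHZ_SERVER_NAME`, the helper names and the sample XML are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumption: the configuration key behind AUTHZ_SERVER_NAME; the issue text does not spell it out.
SERVER_NAME_KEY = "sentry.hive.server"


def read_property(site_xml, key):
    """Return the value of `key` from Hadoop-style site XML text, or None if absent or empty."""
    root = ET.fromstring(site_xml)
    value = None
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == key:
            # An empty <value/> is treated like a missing property.
            value = (prop.findtext("value") or "").strip() or None
    return value


def check_server_name(hive_side_xml, sentry_side_xml, key=SERVER_NAME_KEY):
    """Compare the server name Hive supplies on grants with the one the Sentry service reads."""
    hive_name = read_property(hive_side_xml, key)
    sentry_name = read_property(sentry_side_xml, key)
    problems = []
    if hive_name is None:
        problems.append(f"Hive-side sentry-site.xml does not set {key}")
    if sentry_name is None:
        problems.append(f"Sentry-side sentry-site.xml does not set {key}: "
                        "HMSFollower would look up privileges with a null server name")
    if hive_name and sentry_name and hive_name != sentry_name:
        problems.append(f"{key} differs: Hive={hive_name!r}, Sentry={sentry_name!r}")
    return problems


# Constructed sample files, not taken from a real deployment.
HIVE_SIDE = """<configuration>
  <property><name>sentry.hive.server</name><value>server1</value></property>
</configuration>"""
SENTRY_SIDE_BROKEN = """<configuration>
  <property><name>example.other.setting</name><value>x</value></property>
</configuration>"""
SENTRY_SIDE_FIXED = HIVE_SIDE

if __name__ == "__main__":
    for label, sentry_xml in (("broken", SENTRY_SIDE_BROKEN), ("fixed", SENTRY_SIDE_FIXED)):
        print(label, check_server_name(HIVE_SIDE, sentry_xml) or "OK")
```

Because the failure in the issue is silent (the drop succeeds and the privileges stay behind), a check like this is most useful at deployment time, before any table or database is dropped.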