Adam Holley has uploaded this change for review. ( http://gerrit.cloudera.org:8080/11595
Change subject: IMPALA-7633: count_user_privilege isn't 0 at the end of test_owner ...................................................................... IMPALA-7633: count_user_privilege isn't 0 at the end of test_owner This patch adds a retry loop to validate the count of user privileges in a SHOW GRANT USER statement after a DDL operation. The core of the problem is cache consistency. When a DDL operation is executing, like drop database, HMS is updated with the correct metadata, and Sentry is updated to remove privileges from HMS. However, if a Sentry Refresh happens between when HMS is updated CatalogOpExecutor:1322, and when the local catalog privileges are updated CatalogOpExecutor:1341, then the remove privilege call will fail and a log entry with "User does not exist: foo_user" will be written to the log. The result is that the response back to impalad with catalog updates will not contain the user and privilege updates. Ultimately, when the "SHOW GRANT USER" statement is run, it uses the local Impalad catalog which still contains the privlege because it has not yet been updated from statestore. This is not a security problem because the privilege exists for a maximum of 2s by default, for an object that does not exist. This is the same result as if the database was dropped from Hive, except in that case it can be up to 62s by default that the privilege exists for no object. Testing: - After retry was added, ran tests until log entry appeared and validate test did not fail. Change-Id: Ifbba0fbd0e24a24b3f2af82ad5209f3fb7fb387b --- M tests/authorization/test_owner_privileges.py 1 file changed, 23 insertions(+), 18 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/95/11595/1 -- To view, visit http://gerrit.cloudera.org:8080/11595 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: Ifbba0fbd0e24a24b3f2af82ad5209f3fb7fb387b Gerrit-Change-Number: 11595 Gerrit-PatchSet: 1 Gerrit-Owner: Adam Holley <ahol...@cloudera.com>
