[jira] [Updated] (SENTRY-1476) SentryStore is subject to JDQL injection

2016-12-14 Thread Vamsee Yarlagadda (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vamsee Yarlagadda updated SENTRY-1476:
--
Fix Version/s: sentry-ha-redesign
   1.8.0

> SentryStore is subject to JDQL injection
> 
>
> Key: SENTRY-1476
> URL: https://issues.apache.org/jira/browse/SENTRY-1476
> Project: Sentry
>  Issue Type: Bug
>  Components: Core
>Affects Versions: 1.7.0, sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: Alexander Kolbasov
> Fix For: 1.8.0, sentry-ha-redesign
>
> Attachments: SENTRY-1476.001.patch, SENTRY-1476.002.patch, 
> SENTRY-1476.003.patch
>
>
> SentryStore.java has a bunch of places where the query is constructed by 
> concatenating strings rather than using JDQL parameters. This is subject to 
> JDQL injection since some of the parameters come from Thrift.
> All strings from Thrift should be passed as parameters, not as string 
> concatenation.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
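
The contrast the SENTRY-1476 description draws between concatenated filters and query parameters, as an added Java example that is not part of the original messages and is not Sentry's code or patch. It uses JDOQL, the JDO query language the issue calls JDQL; `RoleLookup`, `MRole` and the method names are hypothetical, and the `javax.jdo` API plus a configured `PersistenceManager` are assumed. The list-valued lookup at the end goes beyond the single-string case the issue names.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.jdo.PersistenceManager;
import javax.jdo.Query;

// Added illustration only. RoleLookup and MRole are hypothetical names,
// not classes from the Sentry code base or from the attached patches.
public class RoleLookup {

  // Hypothetical persistent class, assumed to be JDO-enhanced and mapped.
  public static class MRole {
    private String roleName;
    public String getRoleName() { return roleName; }
  }

  // BEFORE (the pattern the issue describes): the caller-supplied value is
  // pasted into the filter source. A value containing a double quote ends
  // the string literal early, and the remainder is parsed as filter syntax.
  @SuppressWarnings("unchecked")
  static List<MRole> findConcatenated(PersistenceManager pm, String roleName) {
    Query query = pm.newQuery(MRole.class);
    try {
      query.setFilter("this.roleName == \"" + roleName + "\"");
      return new ArrayList<MRole>((List<MRole>) query.execute());
    } finally {
      query.closeAll();
    }
  }

  // AFTER: the filter text is a compile-time constant and the value is bound
  // as a declared parameter, so it is only ever compared as data.
  @SuppressWarnings("unchecked")
  static List<MRole> findParameterized(PersistenceManager pm, String roleName) {
    Query query = pm.newQuery(MRole.class);
    try {
      query.setFilter("this.roleName == name");
      query.declareParameters("java.lang.String name");
      return new ArrayList<MRole>((List<MRole>) query.execute(roleName));
    } finally {
      query.closeAll();
    }
  }

  // Variable-length lists are where concatenation tends to creep back in
  // (building "a == x || a == y ..." in a loop). Binding the whole collection
  // as one parameter keeps the filter constant regardless of list size.
  @SuppressWarnings("unchecked")
  static List<MRole> findAllParameterized(PersistenceManager pm,
                                          Collection<String> roleNames) {
    if (roleNames == null || roleNames.isEmpty()) {
      return new ArrayList<MRole>();   // nothing to match, skip the datastore
    }
    Query query = pm.newQuery(MRole.class);
    try {
      query.setFilter("names.contains(this.roleName)");
      query.declareParameters("java.util.Collection names");
      return new ArrayList<MRole>((List<MRole>) query.execute(roleNames));
    } finally {
      query.closeAll();
    }
  }
}
```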


[jira] [Updated] (SENTRY-1476) SentryStore is subject to JDQL injection

2016-12-14 Thread Vamsee Yarlagadda (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vamsee Yarlagadda updated SENTRY-1476:
--
Resolution: Fixed
Status: Resolved  (was: Patch Available)

master: f48da48f4a1cab221a9ddb81b701114af8c681f7
sentry-ha-redesign: 2a812120c88e99964b1166626ebfab55a16db91c

Thanks Sasha.

> SentryStore is subject to JDQL injection
> 
>
> Key: SENTRY-1476
> URL: https://issues.apache.org/jira/browse/SENTRY-1476
> Project: Sentry
>  Issue Type: Bug
>  Components: Core
>Affects Versions: 1.7.0, sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: Alexander Kolbasov
> Attachments: SENTRY-1476.001.patch, SENTRY-1476.002.patch, 
> SENTRY-1476.003.patch
>
>
> SentryStore.java has a bunch of places where the query is constructed by 
> concatenating strings rather than using JDQL parameters. This is subject to 
> JDQL injection since some of the parameters come from Thrift.
> All strings from Thrift should be passed as parameters, not as string 
> concatenation.





[jira] [Commented] (SENTRY-1476) SentryStore is subject to JDQL injection

2016-12-14 Thread Hadoop QA (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15750092#comment-15750092
 ] 

Hadoop QA commented on SENTRY-1476:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12843329/SENTRY-1476.003.patch 
against master.

{color:green}Overall:{color} +1 all checks pass

{color:green}SUCCESS:{color} all tests passed

Console output: 
https://builds.apache.org/job/PreCommit-SENTRY-Build/2206/console

This message is automatically generated.

> SentryStore is subject to JDQL injection
> 
>
> Key: SENTRY-1476
> URL: https://issues.apache.org/jira/browse/SENTRY-1476
> Project: Sentry
>  Issue Type: Bug
>  Components: Core
>Affects Versions: 1.7.0, sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: Alexander Kolbasov
> Attachments: SENTRY-1476.001.patch, SENTRY-1476.002.patch, 
> SENTRY-1476.003.patch
>
>
> SentryStore.java has a bunch of places where the query is constructed by 
> concatenating strings rather than using JDQL parameters. This is subject to 
> JDQL injection since some of the parameters come from Thrift.
> All strings from Thrift should be passed as parameters, not as string 
> concatenation.





[jira] [Assigned] (SENTRY-1566) Make full Perm/Path snapshot available for NN plugin

2016-12-14 Thread Hao Hao (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Hao Hao reassigned SENTRY-1566:
---

Assignee: Hao Hao

> Make full Perm/Path snapshot available for NN plugin
> 
>
> Key: SENTRY-1566
> URL: https://issues.apache.org/jira/browse/SENTRY-1566
> Project: Sentry
>  Issue Type: Sub-task
>  Components: Hdfs Plugin
>Reporter: Hao Hao
>Assignee: Hao Hao
>  Labels: hdfs-sync
> Fix For: sentry-ha-redesign
>
>
> Read full permission and path snapshot from SentryDB and make the update 
> available for NN plugin upon requests.





[jira] [Commented] (SENTRY-1515) Cleanup exception handling in SentryStore

2016-12-14 Thread Hadoop QA (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15750062#comment-15750062
 ] 

Hadoop QA commented on SENTRY-1515:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12843322/SENTRY-1515.003.patch 
against master.

{color:green}Overall:{color} +1 all checks pass

{color:green}SUCCESS:{color} all tests passed

Console output: 
https://builds.apache.org/job/PreCommit-SENTRY-Build/2205/console

This message is automatically generated.

> Cleanup exception handling in SentryStore
> -
>
> Key: SENTRY-1515
> URL: https://issues.apache.org/jira/browse/SENTRY-1515
> Project: Sentry
>  Issue Type: Bug
>  Components: Sentry
>Affects Versions: sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: Alexander Kolbasov
> Attachments: SENTRY-1515.001.patch, SENTRY-1515.002.patch, 
> SENTRY-1515.003.patch
>
>
> The changes to SENTRY-1422 and SENTRY-1512 changed the semantics of several 
> API calls:
> - hasAnyServerPrivileges
> - getMSentryPrivileges
> - getMSentryPrivilegesByAuth
> - getRoleNamesForGroups
> - retrieveFullPrivilegeImage
> - retrieveFullRoleImage
> - retrieveFullPathsImage
> - getAllRoleNames
> Previously they were not marked as throwing Exception, but they still could 
> do it. With the change they now ignore exceptions and just log them which may 
> not be the right thing to do. 
> Instead they should be marked as throwing exceptions which has consequence 
> for broader APIs which should be marked as well.





[jira] [Updated] (SENTRY-1569) Upgrading SQL scripts for persist Perm/Path change

2016-12-14 Thread Hao Hao (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1569?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Hao Hao updated SENTRY-1569:

Labels: hdfs-sync  (was: )

> Upgrading SQL scripts for persist Perm/Path change
> --
>
> Key: SENTRY-1569
> URL: https://issues.apache.org/jira/browse/SENTRY-1569
> Project: Sentry
>  Issue Type: Sub-task
>  Components: Hdfs Plugin
>Reporter: Hao Hao
>  Labels: hdfs-sync
> Fix For: sentry-ha-redesign
>
>
> Upgrading SQL script for Sentry permission and HMS path change.





[jira] [Created] (SENTRY-1569) Upgrading SQL scripts for persist Perm/Path change

2016-12-14 Thread Hao Hao (JIRA)
Hao Hao created SENTRY-1569:
---

 Summary: Upgrading SQL scripts for persist Perm/Path change
 Key: SENTRY-1569
 URL: https://issues.apache.org/jira/browse/SENTRY-1569
 Project: Sentry
  Issue Type: Sub-task
Reporter: Hao Hao


Upgrading SQL script for Sentry permission and HMS path change.





[jira] [Commented] (SENTRY-1546) Generic Policy provides bad error messages for Sentry exceptions

2016-12-14 Thread Alexander Kolbasov (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15749961#comment-15749961
 ] 

Alexander Kolbasov commented on SENTRY-1546:


Note that the code and decorations differ depending on the model.

> Generic Policy provides bad error messages for Sentry exceptions
> 
>
> Key: SENTRY-1546
> URL: https://issues.apache.org/jira/browse/SENTRY-1546
> Project: Sentry
>  Issue Type: Bug
>Affects Versions: 1.8.0
>Reporter: Alexander Kolbasov
>Assignee: kalyan kumar kalvagadda
>Priority: Minor
>  Labels: bite-sized
>
> I discovered that when you attempt to create a role that already exists the 
> error message you get back from Thrift is just 'Role: foo' which is very 
> confusing.
> The reason is that the SentryStore throws 
> {code}SentryAlreadyExistsException("Role: " + trimmedRoleName);{code}
> and the generic policy processor passes the message as is:
> {code}
>   public TCreateSentryRoleResponse create_sentry_role(
>       final TCreateSentryRoleRequest request) throws TException {
>     Response respose = requestHandle(new RequestHandler() {
>       @Override
>       public Response handle() throws Exception {
>         validateClientVersion(request.getProtocol_version());
>         authorize(request.getRequestorUserName(),
>             getRequestorGroups(conf, request.getRequestorUserName()));
>         store.createRole(request.getComponent(), request.getRoleName(),
>             request.getRequestorUserName());
>         return new Response(Status.OK());
>       }
>     });
> ...
> {code}
> The similar thing is happening for other requests and other Sentry-specific 
> exceptions.
> The legacy policy processor does decorate the error a bit:
> {code}
>   public TCreateSentryRoleResponse create_sentry_role(
>       TCreateSentryRoleRequest request) throws TException {
>     final Timer.Context timerContext = sentryMetrics.createRoleTimer.time();
>     TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
>     try {
>       validateClientVersion(request.getProtocol_version());
>       authorize(request.getRequestorUserName(),
>           getRequestorGroups(request.getRequestorUserName()));
>       sentryStore.createSentryRole(request.getRoleName());
>       response.setStatus(Status.OK());
>       notificationHandlerInvoker.create_sentry_role(request, response);
>     } catch (SentryAlreadyExistsException e) {
>       String msg = "Role: " + request + " already exists.";
>       LOGGER.error(msg, e);
>       response.setStatus(Status.AlreadyExists(msg, e));
>     } catch (SentryAccessDeniedException e) {
>       LOGGER.error(e.getMessage(), e);
>       response.setStatus(Status.AccessDenied(e.getMessage(), e));
>     } catch (SentryThriftAPIMismatchException e) {
>       LOGGER.error(e.getMessage(), e);
>       response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
>     } catch (Exception e) {
>       String msg = "Unknown error for request: " + request + ", message: " +
>           e.getMessage();
>       LOGGER.error(msg, e);
>       response.setStatus(Status.RuntimeError(msg, e));
>     } finally {
> ...
> {code}
> I think that it is better to just put the right message in the exception 
> itself and not decorate it later.





[jira] [Updated] (SENTRY-1476) SentryStore is subject to JDQL injection

2016-12-14 Thread Alexander Kolbasov (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexander Kolbasov updated SENTRY-1476:
---
Status: Patch Available  (was: Open)

> SentryStore is subject to JDQL injection
> 
>
> Key: SENTRY-1476
> URL: https://issues.apache.org/jira/browse/SENTRY-1476
> Project: Sentry
>  Issue Type: Bug
>  Components: Core
>Affects Versions: 1.7.0, sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: Alexander Kolbasov
> Attachments: SENTRY-1476.001.patch, SENTRY-1476.002.patch, 
> SENTRY-1476.003.patch
>
>
> SentryStore.java has a bunch of places where the query is constructed by 
> concatenating strings rather than using JDQL parameters. This is subject to 
> JDQL injection since some of the parameters come from Thrift.
> All strings from Thrift should be passed as parameters, not as string 
> concatenation.





[jira] [Updated] (SENTRY-1476) SentryStore is subject to JDQL injection

2016-12-14 Thread Alexander Kolbasov (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexander Kolbasov updated SENTRY-1476:
---
Attachment: SENTRY-1476.003.patch

Removed debug logging.

> SentryStore is subject to JDQL injection
> 
>
> Key: SENTRY-1476
> URL: https://issues.apache.org/jira/browse/SENTRY-1476
> Project: Sentry
>  Issue Type: Bug
>  Components: Core
>Affects Versions: 1.7.0, sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: Alexander Kolbasov
> Attachments: SENTRY-1476.001.patch, SENTRY-1476.002.patch, 
> SENTRY-1476.003.patch
>
>
> SentryStore.java has a bunch of places where the query is constructed by 
> concatenating strings rather than using JDQL parameters. This is subject to 
> JDQL injection since some of the parameters come from Thrift.
> All strings from Thrift should be passed as parameters, not as string 
> concatenation.





[jira] [Updated] (SENTRY-1476) SentryStore is subject to JDQL injection

2016-12-14 Thread Alexander Kolbasov (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexander Kolbasov updated SENTRY-1476:
---
Status: Open  (was: Patch Available)

> SentryStore is subject to JDQL injection
> 
>
> Key: SENTRY-1476
> URL: https://issues.apache.org/jira/browse/SENTRY-1476
> Project: Sentry
>  Issue Type: Bug
>  Components: Core
>Affects Versions: 1.7.0, sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: Alexander Kolbasov
> Attachments: SENTRY-1476.001.patch, SENTRY-1476.002.patch
>
>
> SentryStore.java has a bunch of places where the query is constructed by 
> concatenating strings rather than using JDQL parameters. This is subject to 
> JDQL injection since some of the parameters come from Thrift.
> All strings from Thrift should be passed as parameters, not as string 
> concatenation.





[jira] [Assigned] (SENTRY-1476) SentryStore is subject to JDQL injection

2016-12-14 Thread Alexander Kolbasov (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexander Kolbasov reassigned SENTRY-1476:
--

Assignee: Alexander Kolbasov

> SentryStore is subject to JDQL injection
> 
>
> Key: SENTRY-1476
> URL: https://issues.apache.org/jira/browse/SENTRY-1476
> Project: Sentry
>  Issue Type: Bug
>  Components: Core
>Affects Versions: 1.7.0, sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: Alexander Kolbasov
> Attachments: SENTRY-1476.001.patch, SENTRY-1476.002.patch
>
>
> SentryStore.java has a bunch of places where the query is constructed by 
> concatenating strings rather than using JDQL parameters. This is subject to 
> JDQL injection since some of the parameters come from Thrift.
> All strings from Thrift should be passed as parameters, not as string 
> concatenation.





[jira] [Updated] (SENTRY-1515) Cleanup exception handling in SentryStore

2016-12-14 Thread Alexander Kolbasov (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1515?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexander Kolbasov updated SENTRY-1515:
---
Status: Patch Available  (was: In Progress)

> Cleanup exception handling in SentryStore
> -
>
> Key: SENTRY-1515
> URL: https://issues.apache.org/jira/browse/SENTRY-1515
> Project: Sentry
>  Issue Type: Bug
>  Components: Sentry
>Affects Versions: sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: Alexander Kolbasov
> Attachments: SENTRY-1515.001.patch, SENTRY-1515.002.patch, 
> SENTRY-1515.003.patch
>
>
> The changes to SENTRY-1422 and SENTRY-1512 changed the semantics of several 
> API calls:
> - hasAnyServerPrivileges
> - getMSentryPrivileges
> - getMSentryPrivilegesByAuth
> - getRoleNamesForGroups
> - retrieveFullPrivilegeImage
> - retrieveFullRoleImage
> - retrieveFullPathsImage
> - getAllRoleNames
> Previously they were not marked as throwing Exception, but they still could 
> do it. With the change they now ignore exceptions and just log them which may 
> not be the right thing to do. 
> Instead they should be marked as throwing exceptions which has consequence 
> for broader APIs which should be marked as well.





[jira] [Updated] (SENTRY-1515) Cleanup exception handling in SentryStore

2016-12-14 Thread Alexander Kolbasov (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1515?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexander Kolbasov updated SENTRY-1515:
---
Status: In Progress  (was: Patch Available)

> Cleanup exception handling in SentryStore
> -
>
> Key: SENTRY-1515
> URL: https://issues.apache.org/jira/browse/SENTRY-1515
> Project: Sentry
>  Issue Type: Bug
>  Components: Sentry
>Affects Versions: sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: Alexander Kolbasov
> Attachments: SENTRY-1515.001.patch, SENTRY-1515.002.patch, 
> SENTRY-1515.003.patch
>
>
> The changes to SENTRY-1422 and SENTRY-1512 changed the semantics of several 
> API calls:
> - hasAnyServerPrivileges
> - getMSentryPrivileges
> - getMSentryPrivilegesByAuth
> - getRoleNamesForGroups
> - retrieveFullPrivilegeImage
> - retrieveFullRoleImage
> - retrieveFullPathsImage
> - getAllRoleNames
> Previously they were not marked as throwing Exception, but they still could 
> do it. With the change they now ignore exceptions and just log them which may 
> not be the right thing to do. 
> Instead they should be marked as throwing exceptions which has consequence 
> for broader APIs which should be marked as well.





[jira] [Updated] (SENTRY-1515) Cleanup exception handling in SentryStore

2016-12-14 Thread Alexander Kolbasov (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1515?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alexander Kolbasov updated SENTRY-1515:
---
Attachment: SENTRY-1515.003.patch

Addressed code review comments

> Cleanup exception handling in SentryStore
> -
>
> Key: SENTRY-1515
> URL: https://issues.apache.org/jira/browse/SENTRY-1515
> Project: Sentry
>  Issue Type: Bug
>  Components: Sentry
>Affects Versions: sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: Alexander Kolbasov
> Attachments: SENTRY-1515.001.patch, SENTRY-1515.002.patch, 
> SENTRY-1515.003.patch
>
>
> The changes to SENTRY-1422 and SENTRY-1512 changed the semantics of several 
> API calls:
> - hasAnyServerPrivileges
> - getMSentryPrivileges
> - getMSentryPrivilegesByAuth
> - getRoleNamesForGroups
> - retrieveFullPrivilegeImage
> - retrieveFullRoleImage
> - retrieveFullPathsImage
> - getAllRoleNames
> Previously they were not marked as throwing Exception, but they still could 
> do it. With the change they now ignore exceptions and just log them which may 
> not be the right thing to do. 
> Instead they should be marked as throwing exceptions which has consequence 
> for broader APIs which should be marked as well.





[jira] [Commented] (SENTRY-1548) Setting GrantOption to UNSET upsets Sentry

2016-12-14 Thread Alexander Kolbasov (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15749762#comment-15749762
 ] 

Alexander Kolbasov commented on SENTRY-1548:


[~kkalyan] Please add code reviewboard link to the JIRA.

> Setting GrantOption to UNSET upsets Sentry
> --
>
> Key: SENTRY-1548
> URL: https://issues.apache.org/jira/browse/SENTRY-1548
> Project: Sentry
>  Issue Type: Bug
>  Components: Sentry
>Reporter: Alexander Kolbasov
>Assignee: kalyan kumar kalvagadda
>Priority: Minor
>  Labels: bite-sized
> Attachments: SENTRY-1548.001.patch, SENTRY-1548.002.patch
>
>
> If we send a Thrift request to sentry (using regular api) with GrantOption 
> set to UNSET (-1) we get the following error:
> {code}
> TransactionManager.executeTransactionWithRetry(TransactionManager.java:102)] 
> The transaction has reached max retry number, will not retry again.
> javax.jdo.JDODataStoreException: Insert of object 
> "org.apache.sentry.provider.db.service.model.MSentryPrivilege@6bbfd4c9" using 
> statement "INSERT INTO `SENTRY_DB_PRIVILEGE` 
> (`DB_PRIVILEGE_ID`,`SERVER_NAME`,`WITH_GRANT_OPTION`,`CREATE_TIME`,`TABLE_NAME`,`URI`,`ACTION`,`COLUMN_NAME`,`DB_NAME`,`PRIVILEGE_SCOPE`)
>  VALUES (?,?,?,?,?,?,?,?,?,?)" failed : Column 'WITH_GRANT_OPTION' cannot be 
> null
> at 
> org.datanucleus.api.jdo.NucleusJDOHelper.getJDOExceptionForNucleusException(NucleusJDOHelper.java:451)
> at 
> org.datanucleus.api.jdo.JDOPersistenceManager.jdoMakePersistent(JDOPersistenceManager.java:732)
> at 
> org.datanucleus.api.jdo.JDOPersistenceManager.makePersistent(JDOPersistenceManager.java:752)
> at 
> org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleGrantPrivilegeCore(SentryStore.java:438)
> at 
> org.apache.sentry.provider.db.service.persistent.SentryStore.access$500(SentryStore.java:95)
> at 
> org.apache.sentry.provider.db.service.persistent.SentryStore$8.execute(SentryStore.java:374)
> at 
> org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransaction(TransactionManager.java:72)
> at 
> org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransactionWithRetry(TransactionManager.java:93)
> at 
> org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleGrantPrivileges(SentryStore.java:367)
> at 
> org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_grant_privilege(SentryPolicyStoreProcessor.java:280)
> at 
> org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1237)
> at 
> org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1222)
> at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
> at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
> at 
> org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:35)
> at 
> org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
> at 
> org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
> at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> NestedThrowablesStackTrace:
> com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: 
> Column 'WITH_GRANT_OPTION' cannot be null
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native 
> Method)
> at 
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at 
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> at com.mysql.jdbc.Util.handleNewInstance(Util.java:404)
> at com.mysql.jdbc.Util.getInstance(Util.java:387)
> at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:934)
> at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3966)
> at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3902)
> at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2526)
> at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2673)
> at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2549)
> at 
> 

[jira] [Commented] (SENTRY-1547) It is possible to create a privilege with all empty fields

2016-12-14 Thread Hadoop QA (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15749739#comment-15749739
 ] 

Hadoop QA commented on SENTRY-1547:
---

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12843302/SENTRY-1547.002.patch 
against master.

{color:red}Overall:{color} -1 due to 27 errors

{color:red}ERROR:{color} mvn test exited 1
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServerForHaWithoutKerberos
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServerForHaWithoutKerberos
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServerForHaWithoutKerberos
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServerWithoutKerberos
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServerWithoutKerberos
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServerWithoutKerberos
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestAuthorizingDDLAuditLogWithKerberos
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.tools.TestSentryShellHive
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServerForPoolWithoutKerberos
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServerForPoolWithoutKerberos
{color:red}ERROR:{color} Failed: 
org.apache.sentry.provider.db.service.thrift.TestSentryServerForPoolWithoutKerberos

Console output: 
https://builds.apache.org/job/PreCommit-SENTRY-Build/2204/console

This message is automatically generated.

> It is possible to create a privilege with all empty fields
> --
>
> Key: SENTRY-1547
> URL: https://issues.apache.org/jira/browse/SENTRY-1547
> Project: Sentry
>  Issue Type: Bug
>  Components: Sentry
>Affects Versions: 1.8.0, sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: kalyan kumar kalvagadda
>Priority: Minor
>  Labels: bite-sized
> Attachments: SENTRY-1547.001.patch, SENTRY-1547.002.patch
>
>
> It is possible (at least by sending a Thrift message) to create a privilege with 
> everything set to __NULL__ which is a pretty useless privilege. We should 
> check that at least some fields are set.





[jira] [Updated] (SENTRY-1548) Setting GrantOption to UNSET upsets Sentry

2016-12-14 Thread kalyan kumar kalvagadda (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1548?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

kalyan kumar kalvagadda updated SENTRY-1548:

Attachment: SENTRY-1548.002.patch

UNSET option for grant is only valid while revoking the privileges. 
Added code changes to Sentry Policy Processor to handle the same.

> Setting GrantOption to UNSET upsets Sentry
> --
>
> Key: SENTRY-1548
> URL: https://issues.apache.org/jira/browse/SENTRY-1548
> Project: Sentry
>  Issue Type: Bug
>  Components: Sentry
>Reporter: Alexander Kolbasov
>Assignee: kalyan kumar kalvagadda
>Priority: Minor
>  Labels: bite-sized
> Attachments: SENTRY-1548.001.patch, SENTRY-1548.002.patch
>
>
> If we send a Thrift request to sentry (using regular api) with GrantOption 
> set to UNSET (-1) we get the following error:
> {code}
> TransactionManager.executeTransactionWithRetry(TransactionManager.java:102)] 
> The transaction has reached max retry number, will not retry again.
> javax.jdo.JDODataStoreException: Insert of object 
> "org.apache.sentry.provider.db.service.model.MSentryPrivilege@6bbfd4c9" using 
> statement "INSERT INTO `SENTRY_DB_PRIVILEGE` 
> (`DB_PRIVILEGE_ID`,`SERVER_NAME`,`WITH_GRANT_OPTION`,`CREATE_TIME`,`TABLE_NAME`,`URI`,`ACTION`,`COLUMN_NAME`,`DB_NAME`,`PRIVILEGE_SCOPE`)
>  VALUES (?,?,?,?,?,?,?,?,?,?)" failed : Column 'WITH_GRANT_OPTION' cannot be 
> null
> at 
> org.datanucleus.api.jdo.NucleusJDOHelper.getJDOExceptionForNucleusException(NucleusJDOHelper.java:451)
> at 
> org.datanucleus.api.jdo.JDOPersistenceManager.jdoMakePersistent(JDOPersistenceManager.java:732)
> at 
> org.datanucleus.api.jdo.JDOPersistenceManager.makePersistent(JDOPersistenceManager.java:752)
> at 
> org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleGrantPrivilegeCore(SentryStore.java:438)
> at 
> org.apache.sentry.provider.db.service.persistent.SentryStore.access$500(SentryStore.java:95)
> at 
> org.apache.sentry.provider.db.service.persistent.SentryStore$8.execute(SentryStore.java:374)
> at 
> org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransaction(TransactionManager.java:72)
> at 
> org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransactionWithRetry(TransactionManager.java:93)
> at 
> org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleGrantPrivileges(SentryStore.java:367)
> at 
> org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_grant_privilege(SentryPolicyStoreProcessor.java:280)
> at 
> org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1237)
> at 
> org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1222)
> at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
> at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
> at 
> org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:35)
> at 
> org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
> at 
> org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
> at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> NestedThrowablesStackTrace:
> com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: 
> Column 'WITH_GRANT_OPTION' cannot be null
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native 
> Method)
> at 
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at 
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> at com.mysql.jdbc.Util.handleNewInstance(Util.java:404)
> at com.mysql.jdbc.Util.getInstance(Util.java:387)
> at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:934)
> at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3966)
> at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3902)
> at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2526)
> at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2673)
> at 

[jira] [Updated] (SENTRY-1548) Setting GrantOption to UNSET upsets Sentry

2016-12-14 Thread kalyan kumar kalvagadda (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1548?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

kalyan kumar kalvagadda updated SENTRY-1548:

Status: Open  (was: Patch Available)

Reverting the patch based on the review comments received.

> Setting GrantOption to UNSET upsets Sentry
> --
>
> Key: SENTRY-1548
> URL: https://issues.apache.org/jira/browse/SENTRY-1548
> Project: Sentry
>  Issue Type: Bug
>  Components: Sentry
>Reporter: Alexander Kolbasov
>Assignee: kalyan kumar kalvagadda
>Priority: Minor
>  Labels: bite-sized
> Attachments: SENTRY-1548.001.patch
>
>
> If we send a Thrift request to sentry (using regular api) with GrantOption 
> set to UNSET (-1) we get the following error:
> {code}
> TransactionManager.executeTransactionWithRetry(TransactionManager.java:102)] 
> The transaction has reached max retry number, will not retry again.
> javax.jdo.JDODataStoreException: Insert of object 
> "org.apache.sentry.provider.db.service.model.MSentryPrivilege@6bbfd4c9" using 
> statement "INSERT INTO `SENTRY_DB_PRIVILEGE` 
> (`DB_PRIVILEGE_ID`,`SERVER_NAME`,`WITH_GRANT_OPTION`,`CREATE_TIME`,`TABLE_NAME`,`URI`,`ACTION`,`COLUMN_NAME`,`DB_NAME`,`PRIVILEGE_SCOPE`)
>  VALUES (?,?,?,?,?,?,?,?,?,?)" failed : Column 'WITH_GRANT_OPTION' cannot be 
> null
> at 
> org.datanucleus.api.jdo.NucleusJDOHelper.getJDOExceptionForNucleusException(NucleusJDOHelper.java:451)
> at 
> org.datanucleus.api.jdo.JDOPersistenceManager.jdoMakePersistent(JDOPersistenceManager.java:732)
> at 
> org.datanucleus.api.jdo.JDOPersistenceManager.makePersistent(JDOPersistenceManager.java:752)
> at 
> org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleGrantPrivilegeCore(SentryStore.java:438)
> at 
> org.apache.sentry.provider.db.service.persistent.SentryStore.access$500(SentryStore.java:95)
> at 
> org.apache.sentry.provider.db.service.persistent.SentryStore$8.execute(SentryStore.java:374)
> at 
> org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransaction(TransactionManager.java:72)
> at 
> org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransactionWithRetry(TransactionManager.java:93)
> at 
> org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleGrantPrivileges(SentryStore.java:367)
> at 
> org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_grant_privilege(SentryPolicyStoreProcessor.java:280)
> at 
> org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1237)
> at 
> org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1222)
> at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
> at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
> at 
> org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:35)
> at 
> org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
> at 
> org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
> at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> NestedThrowablesStackTrace:
> com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: 
> Column 'WITH_GRANT_OPTION' cannot be null
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native 
> Method)
> at 
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at 
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> at com.mysql.jdbc.Util.handleNewInstance(Util.java:404)
> at com.mysql.jdbc.Util.getInstance(Util.java:387)
> at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:934)
> at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3966)
> at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3902)
> at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2526)
> at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2673)
> at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2549)
> at 
> 

[jira] [Created] (SENTRY-1568) Develop automated test for client failover

2016-12-14 Thread Alexander Kolbasov (JIRA)
Alexander Kolbasov created SENTRY-1568:
--

 Summary: Develop automated test for client failover
 Key: SENTRY-1568
 URL: https://issues.apache.org/jira/browse/SENTRY-1568
 Project: Sentry
  Issue Type: Sub-task
  Components: Sentry
Affects Versions: sentry-ha-redesign
Reporter: Alexander Kolbasov


We need an automated test for SENTRY-1477.





[jira] [Comment Edited] (SENTRY-1547) It is possible to create a privilege with all empty fields

2016-12-14 Thread kalyan kumar kalvagadda (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15749648#comment-15749648
 ] 

kalyan kumar kalvagadda edited comment on SENTRY-1547 at 12/14/16 10:07 PM:


SENTRY-1547.001.patch
I had to take a different approach in solving the issue based on the review 
comments. I have added validation logic in SentryPolicyStoreProcessor enforcing 
the mandatory fields like server_name and action to be present in 
privilege/privileges added.


was (Author: kkalyan):
SENTRY-1547.001.patch

> It is possible to create a privilege with all empty fields
> --
>
> Key: SENTRY-1547
> URL: https://issues.apache.org/jira/browse/SENTRY-1547
> Project: Sentry
>  Issue Type: Bug
>  Components: Sentry
>Affects Versions: 1.8.0, sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: kalyan kumar kalvagadda
>Priority: Minor
>  Labels: bite-sized
> Attachments: SENTRY-1547.001.patch, SENTRY-1547.002.patch
>
>
> It is possible (at least by sending a Thrift message) to create a privilege with 
> everything set to __NULL__, which is a pretty useless privilege. We should 
> check that at least some fields are set.





[jira] [Updated] (SENTRY-1547) It is possible to create a privilege with all empty fields

2016-12-14 Thread kalyan kumar kalvagadda (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

kalyan kumar kalvagadda updated SENTRY-1547:

Status: Patch Available  (was: In Progress)

SENTRY-1547.001.patch

> It is possible to create a privilege with all empty fields
> --
>
> Key: SENTRY-1547
> URL: https://issues.apache.org/jira/browse/SENTRY-1547
> Project: Sentry
>  Issue Type: Bug
>  Components: Sentry
>Affects Versions: 1.8.0, sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: kalyan kumar kalvagadda
>Priority: Minor
>  Labels: bite-sized
> Attachments: SENTRY-1547.001.patch, SENTRY-1547.002.patch
>
>
> It is possible (at least by sending a Thrift message) to create a privilege with 
> everything set to __NULL__, which is a pretty useless privilege. We should 
> check that at least some fields are set.





[jira] [Updated] (SENTRY-1547) It is possible to create a privilege with all empty fields

2016-12-14 Thread kalyan kumar kalvagadda (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

kalyan kumar kalvagadda updated SENTRY-1547:

Status: Open  (was: Patch Available)

Reverting the patch based on review comments.

> It is possible to create a privilege with all empty fields
> --
>
> Key: SENTRY-1547
> URL: https://issues.apache.org/jira/browse/SENTRY-1547
> Project: Sentry
>  Issue Type: Bug
>  Components: Sentry
>Affects Versions: 1.8.0, sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: kalyan kumar kalvagadda
>Priority: Minor
>  Labels: bite-sized
> Attachments: SENTRY-1547.001.patch
>
>
> It is possible (at least by sending a Thrift message) to create a privilege with 
> everything set to __NULL__, which is a pretty useless privilege. We should 
> check that at least some fields are set.





[jira] [Commented] (SENTRY-1547) It is possible to create a privilege with all empty fields

2016-12-14 Thread kalyan kumar kalvagadda (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15749635#comment-15749635
 ] 

kalyan kumar kalvagadda commented on SENTRY-1547:
-

SENTRY-1547.002.patch

I had to take a different approach in solving the issue based on the review 
comments. I have added validation logic in SentryPolicyStoreProcessor enforcing 
the mandatory fields like server_name and action to be present in 
privilege/privileges added.

> It is possible to create a privilege with all empty fields
> --
>
> Key: SENTRY-1547
> URL: https://issues.apache.org/jira/browse/SENTRY-1547
> Project: Sentry
>  Issue Type: Bug
>  Components: Sentry
>Affects Versions: 1.8.0, sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: kalyan kumar kalvagadda
>Priority: Minor
>  Labels: bite-sized
> Attachments: SENTRY-1547.001.patch
>
>
> It is possible (at least by sending a Thrift message) to create a privilege with 
> everything set to __NULL__, which is a pretty useless privilege. We should 
> check that at least some fields are set.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
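
The boundary check discussed in SENTRY-1547 and SENTRY-1548, as an added example that is not Sentry's code or either attached patch: a request is validated as a whole before anything reaches the store, so an all-__NULL__ privilege or an UNSET grant option is refused up front instead of failing at the database after retries. All type and method names are hypothetical stand-ins, and rejecting UNSET (rather than defaulting it) is an assumed policy.

```java
import java.util.ArrayList;
import java.util.List;

// Added example: stand-in types, not Sentry's generated Thrift classes or its processor.
public class PrivilegeRequestValidation {

    // Tri-state as described in SENTRY-1548; UNSET travels as -1.
    enum GrantOption {
        TRUE(1), FALSE(0), UNSET(-1);
        final int wireValue;
        GrantOption(int wireValue) { this.wireValue = wireValue; }
    }

    // Marker the issue text mentions for "no value".
    static final String NULL_MARKER = "__NULL__";

    // Hypothetical request shape: only the fields this check needs.
    static final class Privilege {
        final String serverName, dbName, action;
        final GrantOption grantOption;
        Privilege(String serverName, String dbName, String action, GrantOption grantOption) {
            this.serverName = serverName;
            this.dbName = dbName;
            this.action = action;
            this.grantOption = grantOption;
        }
    }

    static final class InvalidRequestException extends Exception {
        InvalidRequestException(String message) { super(message); }
    }

    // Constructed stand-in for the persistence layer; counts writes that reach it.
    static final class Store {
        int inserts;
        void insert(Privilege p) { inserts++; }
    }

    static boolean isUnset(String value) {
        return value == null || value.trim().isEmpty() || NULL_MARKER.equals(value.trim());
    }

    // Collects every problem so the caller gets one complete, non-retryable error.
    static List<String> validate(List<Privilege> privileges) {
        List<String> problems = new ArrayList<>();
        if (privileges == null || privileges.isEmpty()) {
            problems.add("no privilege supplied");
            return problems;
        }
        for (int i = 0; i < privileges.size(); i++) {
            Privilege p = privileges.get(i);
            String where = "privilege[" + i + "]: ";
            if (p == null) { problems.add(where + "is null"); continue; }
            if (isUnset(p.serverName)) problems.add(where + "server_name is mandatory");
            if (isUnset(p.action)) problems.add(where + "action is mandatory");
            // Assumed policy: reject UNSET rather than guess TRUE or FALSE for a grant.
            if (p.grantOption == null || p.grantOption == GrantOption.UNSET)
                problems.add(where + "grant option must be TRUE or FALSE");
        }
        return problems;
    }

    // Validate the whole batch first, so a bad entry cannot leave a partial grant behind.
    static void grantPrivileges(Store store, List<Privilege> privileges)
            throws InvalidRequestException {
        List<String> problems = validate(privileges);
        if (!problems.isEmpty()) throw new InvalidRequestException(String.join("; ", problems));
        for (Privilege p : privileges) store.insert(p);
    }

    public static void main(String[] args) {
        Store store = new Store();
        List<Privilege> batch = new ArrayList<>(); // constructed sample input
        batch.add(new Privilege("server1", "sales", "select", GrantOption.FALSE));
        batch.add(new Privilege(NULL_MARKER, NULL_MARKER, NULL_MARKER, GrantOption.UNSET));
        try {
            grantPrivileges(store, batch);
        } catch (InvalidRequestException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("rows written: " + store.inserts);
    }
}
```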


[jira] [Updated] (SENTRY-1539) HMS Follower should store arriving HMS notifications

2016-12-14 Thread Hao Hao (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Hao Hao updated SENTRY-1539:

Labels: hdfs-sync-hmsfollower  (was: )

> HMS Follower should store arriving HMS notifications
> 
>
> Key: SENTRY-1539
> URL: https://issues.apache.org/jira/browse/SENTRY-1539
> Project: Sentry
>  Issue Type: Sub-task
>  Components: Sentry
>Affects Versions: sentry-ha-redesign
> Environment: HMS Follower should save arriving HMS notifications in 
> the DB.
>Reporter: Alexander Kolbasov
>  Labels: hdfs-sync-hmsfollower
> Fix For: sentry-ha-redesign
>
>
> Once HMS receives a notification from HMS it should store it in Sentry DB. 
> The addition of the notification event should be bundled in the same 
> transaction that handles the event, so the whole event is either processed or 
> not.





[jira] [Commented] (SENTRY-1546) Generic Policy provides bad error messages for Sentry exceptions

2016-12-14 Thread kalyan kumar kalvagadda (JIRA)

[ 
https://issues.apache.org/jira/browse/SENTRY-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15749560#comment-15749560
 ] 

kalyan kumar kalvagadda commented on SENTRY-1546:
-

I see that the exception is decorated with more information. I need to test to see 
why it is not applied.

> Generic Policy provides bad error messages for Sentry exceptions
> 
>
> Key: SENTRY-1546
> URL: https://issues.apache.org/jira/browse/SENTRY-1546
> Project: Sentry
>  Issue Type: Bug
>Affects Versions: 1.8.0
>Reporter: Alexander Kolbasov
>Assignee: kalyan kumar kalvagadda
>Priority: Minor
>  Labels: bite-sized
>
> I discovered that when you attempt to create a role that already exists the 
> error message you get back from Thrift is just 'Role: foo' which is very 
> confusing.
> The reason is that the SentryStore throws 
> {code}SentryAlreadyExistsException("Role: " + trimmedRoleName);{code}
> and the generic policy processor passes the message as is:
> {code}
>   public TCreateSentryRoleResponse create_sentry_role(
>   final TCreateSentryRoleRequest request) throws TException {
> Response respose = requestHandle(new RequestHandler() {
>   @Override
>   public Response handle() throws Exception {
> validateClientVersion(request.getProtocol_version());
> authorize(request.getRequestorUserName(),
> getRequestorGroups(conf, request.getRequestorUserName()));
> store.createRole(request.getComponent(), request.getRoleName(),
> request.getRequestorUserName());
> return new Response(Status.OK());
>   }
> });
> ...
> {code}
> A similar thing is happening for other requests and other Sentry-specific 
> exceptions.
> The legacy policy processor does decorate the error a bit:
> {code}
>   public TCreateSentryRoleResponse create_sentry_role(
> TCreateSentryRoleRequest request) throws TException {
> final Timer.Context timerContext = sentryMetrics.createRoleTimer.time();
> TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
> try {
>   validateClientVersion(request.getProtocol_version());
>   authorize(request.getRequestorUserName(),
>   getRequestorGroups(request.getRequestorUserName()));
>   sentryStore.createSentryRole(request.getRoleName());
>   response.setStatus(Status.OK());
>   notificationHandlerInvoker.create_sentry_role(request, response);
> } catch (SentryAlreadyExistsException e) {
>   String msg = "Role: " + request + " already exists.";
>   LOGGER.error(msg, e);
>   response.setStatus(Status.AlreadyExists(msg, e));
> } catch (SentryAccessDeniedException e) {
>   LOGGER.error(e.getMessage(), e);
>   response.setStatus(Status.AccessDenied(e.getMessage(), e));
> } catch (SentryThriftAPIMismatchException e) {
>   LOGGER.error(e.getMessage(), e);
>   response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
> } catch (Exception e) {
>   String msg = "Unknown error for request: " + request + ", message: " + 
> e.getMessage();
>   LOGGER.error(msg, e);
>   response.setStatus(Status.RuntimeError(msg, e));
> } finally {
> ...
> {code}
> I think that it is better to just put the right message in the exception 
> itself and not decorate it later.





[jira] [Updated] (SENTRY-1567) Refactor propagating logic for Perm/Path delta to NN plugin

2016-12-14 Thread Hao Hao (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Hao Hao updated SENTRY-1567:

Labels: hdfs-sync  (was: )

> Refactor propagating logic for Perm/Path delta to NN plugin
> ---
>
> Key: SENTRY-1567
> URL: https://issues.apache.org/jira/browse/SENTRY-1567
> Project: Sentry
>  Issue Type: Sub-task
>  Components: Hdfs Plugin
>Reporter: Hao Hao
>  Labels: hdfs-sync
> Fix For: sentry-ha-redesign
>
>
> Refactor the propagating logic for Perm/Path delta to NN plugin to remove 
> caching logic. Instead read Perm/Path delta from SentryDB.





[jira] [Created] (SENTRY-1567) Refactor propagating logic for Perm/Path delta to NN plugin

2016-12-14 Thread Hao Hao (JIRA)
Hao Hao created SENTRY-1567:
---

 Summary: Refactor propagating logic for Perm/Path delta to NN 
plugin
 Key: SENTRY-1567
 URL: https://issues.apache.org/jira/browse/SENTRY-1567
 Project: Sentry
  Issue Type: Sub-task
Reporter: Hao Hao


Refactor the propagating logic for Perm/Path delta to NN plugin to remove 
caching logic. Instead read Perm/Path delta from SentryDB.





[jira] [Updated] (SENTRY-1566) Make full Perm/Path snapshot available for NN plugin

2016-12-14 Thread Hao Hao (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Hao Hao updated SENTRY-1566:

Labels: hdfs-sync  (was: )

> Make full Perm/Path snapshot available for NN plugin
> 
>
> Key: SENTRY-1566
> URL: https://issues.apache.org/jira/browse/SENTRY-1566
> Project: Sentry
>  Issue Type: Sub-task
>  Components: Hdfs Plugin
>Reporter: Hao Hao
>  Labels: hdfs-sync
> Fix For: sentry-ha-redesign
>
>
> Read full permission and path snapshot from SentryDB and make the update 
> available for NN plugin upon requests.





[jira] [Created] (SENTRY-1566) Make full Perm/Path snapshot available for NN plugin

2016-12-14 Thread Hao Hao (JIRA)
Hao Hao created SENTRY-1566:
---

 Summary: Make full Perm/Path snapshot available for NN plugin
 Key: SENTRY-1566
 URL: https://issues.apache.org/jira/browse/SENTRY-1566
 Project: Sentry
  Issue Type: Sub-task
Reporter: Hao Hao


Read full permission and path snapshot from SentryDB and make the update 
available for NN plugin upon requests.





[jira] [Updated] (SENTRY-1536) Refactor SentryStore transaction management to allow for extra transactions

2016-12-14 Thread Hao Hao (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Hao Hao updated SENTRY-1536:

Labels: hdfs-sync  (was: )

> Refactor SentryStore transaction management to allow for extra transactions
> ---
>
> Key: SENTRY-1536
> URL: https://issues.apache.org/jira/browse/SENTRY-1536
> Project: Sentry
>  Issue Type: Sub-task
>  Components: Sentry
>Affects Versions: sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: Hao Hao
>  Labels: hdfs-sync
> Fix For: sentry-ha-redesign
>
>
> HMSFollower needs to combine multiple things in a single transaction:
> * Doing the actual operation (priv change)
> * Updating notification ID.
> It is important to do this in a single transaction to guarantee that 
> notificationID handling is atomic. Current code structure doesn't allow for 
> that.
> So we need to pass extra transaction code to SentryStore functions or figure 
> out a generic way to do this.





[jira] [Updated] (SENTRY-1538) Create schema for storing HMS path change and Sentry permission change.

2016-12-14 Thread Hao Hao (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1538?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Hao Hao updated SENTRY-1538:

Labels: hdfs-sync  (was: )

> Create schema for storing HMS path change and Sentry permission change.
> ---
>
> Key: SENTRY-1538
> URL: https://issues.apache.org/jira/browse/SENTRY-1538
> Project: Sentry
>  Issue Type: Sub-task
>  Components: Sentry
>Affects Versions: sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: Hao Hao
>  Labels: hdfs-sync
> Fix For: sentry-ha-redesign
>
> Attachments: SENTRY-1538.001-sentry-ha-redesign.patch
>
>
> As HMS Follower processes HMS notifications, they should be stored in Sentry 
> DB. At a minimum we can only store notification ID, but for 
> debugging/troubleshooting it is better to store actual JSON notification 
> events as well.
> So this task is about adding a schema for storing notifications. In its simplest 
> form it will contain just notification ID as the primary key, possibly 
> timestamp and the JSON notification event.





[jira] [Updated] (SENTRY-1536) Refactor SentryStore transaction management to allow for extra transactions

2016-12-14 Thread Hao Hao (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Hao Hao updated SENTRY-1536:

Description: 
To persist single permission/path change, it needs to combine multiple things 
in a single transaction:

* Doing the actual operation (priv change)
* Updating notification ID.

It is important to do this in a single transaction to guarantee that 
notificationID handling is atomic. Current code structure doesn't allow for 
that.

So we need to pass extra transaction code to SentryStore functions or figure 
out a generic way to do this.

  was:
HMSFollower needs to combine multiple things in a single transaction:

* Doing the actual operation (priv change)
* Updating notification ID.

It is important to do this in a single transaction to guarantee that 
notificationID handling is atomic. Current code structure doesn't allow for 
that.

So we need to pass extra transaction code to SentryStore functions or figure 
out a generic way to do this.


> Refactor SentryStore transaction management to allow for extra transactions
> ---
>
> Key: SENTRY-1536
> URL: https://issues.apache.org/jira/browse/SENTRY-1536
> Project: Sentry
>  Issue Type: Sub-task
>  Components: Sentry
>Affects Versions: sentry-ha-redesign
>Reporter: Alexander Kolbasov
>Assignee: Hao Hao
>  Labels: hdfs-sync
> Fix For: sentry-ha-redesign
>
>
> To persist single permission/path change, it needs to combine multiple things 
> in a single transaction:
> * Doing the actual operation (priv change)
> * Updating notification ID.
> It is important to do this in a single transaction to guarantee that 
> notificationID handling is atomic. Current code structure doesn't allow for 
> that.
> So we need to pass extra transaction code to SentryStore functions or figure 
> out a generic way to do this.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
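
The "pass extra transaction code" option from SENTRY-1536, as an added example that is not Sentry's code: the privilege change and the notification ID update are separate blocks run against one private copy of the state, and the copy is published only if every block succeeds. The in-memory store, the interface and all names are hypothetical, and the replayed event is constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;

// Added example: an in-memory model of the idea, not SentryStore or its TransactionManager.
public class AtomicNotificationUpdate {

    // One unit of work executed inside a transaction owned by the caller (hypothetical).
    interface TransactionBlock {
        void execute(Store working) throws Exception;
    }

    // Constructed stand-in for the Sentry DB: privileges plus the last processed event ID.
    static final class Store {
        final Map<String, String> rolePrivileges = new HashMap<>();
        long lastNotificationId;

        Store copy() {
            Store c = new Store();
            c.rolePrivileges.putAll(rolePrivileges);
            c.lastNotificationId = lastNotificationId;
            return c;
        }
    }

    static final class TransactionManager {
        private Store committed = new Store();

        // Runs all blocks on a private copy; any exception discards the copy (rollback).
        synchronized void executeTransaction(TransactionBlock... blocks) throws Exception {
            Store working = committed.copy();
            for (TransactionBlock block : blocks) {
                block.execute(working);
            }
            committed = working; // commit: both changes become visible together
        }

        synchronized Store snapshot() {
            return committed.copy();
        }
    }

    // Block 1: the actual operation (privilege change).
    static TransactionBlock grant(String role, String privilege) {
        return store -> store.rolePrivileges.put(role, privilege);
    }

    // Block 2: advance the notification ID, refusing events that were already applied.
    static TransactionBlock advanceNotification(long id) {
        return store -> {
            if (id <= store.lastNotificationId) {
                throw new IllegalStateException("notification " + id + " already processed");
            }
            store.lastNotificationId = id;
        };
    }

    public static void main(String[] args) throws Exception {
        TransactionManager tm = new TransactionManager();

        // Event 1 is applied: privilege and notification ID move together.
        tm.executeTransaction(grant("analyst", "db=sales->action=select"),
                              advanceNotification(1));

        // Replay of event 1 with different content: the second block fails,
        // so the privilege write made by the first block is discarded as well.
        try {
            tm.executeTransaction(grant("analyst", "db=sales->action=all"),
                                  advanceNotification(1));
        } catch (IllegalStateException e) {
            System.out.println("rolled back: " + e.getMessage());
        }

        Store state = tm.snapshot();
        System.out.println(state.rolePrivileges + " lastNotificationId="
                + state.lastNotificationId);
    }
}
```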


[jira] [Updated] (SENTRY-1535) HMS Follower should update HDFS plugin paths

2016-12-14 Thread Hao Hao (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1535?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Hao Hao updated SENTRY-1535:

Labels: hdfs-sync-hmsfollower  (was: hdfs-sync-hmsfoll)

> HMS Follower should update HDFS plugin paths
> 
>
> Key: SENTRY-1535
> URL: https://issues.apache.org/jira/browse/SENTRY-1535
> Project: Sentry
>  Issue Type: Sub-task
>  Components: Sentry
>Affects Versions: sentry-ha-redesign
>Reporter: Alexander Kolbasov
>  Labels: hdfs-sync-hmsfollower
> Fix For: sentry-ha-redesign
>
>
> HMS Follower currently doesn't update any path information in the HDFS 
> plugin. It should be extended to update HDFS plugin info.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Updated] (SENTRY-1535) HMS Follower should update HDFS plugin paths

2016-12-14 Thread Hao Hao (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1535?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Hao Hao updated SENTRY-1535:

Labels: hdfs-sync-hmsfoll  (was: )

> HMS Follower should update HDFS plugin paths
> 
>
> Key: SENTRY-1535
> URL: https://issues.apache.org/jira/browse/SENTRY-1535
> Project: Sentry
>  Issue Type: Sub-task
>  Components: Sentry
>Affects Versions: sentry-ha-redesign
>Reporter: Alexander Kolbasov
>  Labels: hdfs-sync-hmsfoll
> Fix For: sentry-ha-redesign
>
>
> HMS Follower currently doesn't update any path information in the HDFS 
> plugin. It should be extended to update HDFS plugin info.





[jira] [Updated] (SENTRY-1539) HMS Follower should store arriving HMS notifications

2016-12-14 Thread Hao Hao (JIRA)

 [ 
https://issues.apache.org/jira/browse/SENTRY-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Hao Hao updated SENTRY-1539:

Labels: hdfs-sync-hmsfollower  (was: )

> HMS Follower should store arriving HMS notifications
> 
>
> Key: SENTRY-1539
> URL: https://issues.apache.org/jira/browse/SENTRY-1539
> Project: Sentry
>  Issue Type: Sub-task
>  Components: Sentry
>Affects Versions: sentry-ha-redesign
> Environment: HMS Follower should save arriving HMS notifications in 
> the DB.
>Reporter: Alexander Kolbasov
> Fix For: sentry-ha-redesign
>
>
> Once HMS receives a notification from HMS it should store it in Sentry DB. 
> The addition of the notification event should be bundled in the same 
> transaction that handles the event, so the whole event is either processed or 
> not.


