[jira] [Updated] (SENTRY-1476) SentryStore is subject to JDQL injection
[ https://issues.apache.org/jira/browse/SENTRY-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vamsee Yarlagadda updated SENTRY-1476: -- Fix Version/s: sentry-ha-redesign 1.8.0 > SentryStore is subject to JDQL injection > > > Key: SENTRY-1476 > URL: https://issues.apache.org/jira/browse/SENTRY-1476 > Project: Sentry > Issue Type: Bug > Components: Core >Affects Versions: 1.7.0, sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: Alexander Kolbasov > Fix For: 1.8.0, sentry-ha-redesign > > Attachments: SENTRY-1476.001.patch, SENTRY-1476.002.patch, > SENTRY-1476.003.patch > > > SentryStore.java has a bunch of places where the query is constructed by > concatenating strings rather than using JDQL parameters. This is subject to > JDQL injection since some of the parameters come from Thrift. > All strings from Thrift should be passed as parameters, not as string > concatenation. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1476) SentryStore is subject to JDQL injection
[ https://issues.apache.org/jira/browse/SENTRY-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vamsee Yarlagadda updated SENTRY-1476: -- Resolution: Fixed Status: Resolved (was: Patch Available) master: f48da48f4a1cab221a9ddb81b701114af8c681f7 sentry-ha-redesign: 2a812120c88e99964b1166626ebfab55a16db91c Thanks Sasha. > SentryStore is subject to JDQL injection > > > Key: SENTRY-1476 > URL: https://issues.apache.org/jira/browse/SENTRY-1476 > Project: Sentry > Issue Type: Bug > Components: Core >Affects Versions: 1.7.0, sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: Alexander Kolbasov > Attachments: SENTRY-1476.001.patch, SENTRY-1476.002.patch, > SENTRY-1476.003.patch > > > SentryStore.java has a bunch of places where the query is constructed by > concatenating strings rather than using JDQL parameters. This is subject to > JDQL injection since some of the parameters come from Thrift. > All strings from Thrift should be passed as parameters, not as string > concatenation. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1476) SentryStore is subject to JDQL injection
[ https://issues.apache.org/jira/browse/SENTRY-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15750092#comment-15750092 ] Hadoop QA commented on SENTRY-1476: --- Here are the results of testing the latest attachment https://issues.apache.org/jira/secure/attachment/12843329/SENTRY-1476.003.patch against master. {color:green}Overall:{color} +1 all checks pass {color:green}SUCCESS:{color} all tests passed Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/2206/console This message is automatically generated. > SentryStore is subject to JDQL injection > > > Key: SENTRY-1476 > URL: https://issues.apache.org/jira/browse/SENTRY-1476 > Project: Sentry > Issue Type: Bug > Components: Core >Affects Versions: 1.7.0, sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: Alexander Kolbasov > Attachments: SENTRY-1476.001.patch, SENTRY-1476.002.patch, > SENTRY-1476.003.patch > > > SentryStore.java has a bunch of places where the query is constructed by > concatenating strings rather than using JDQL parameters. This is subject to > JDQL injection since some of the parameters come from Thrift. > All strings from Thrift should be passed as parameters, not as string > concatenation. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Assigned] (SENTRY-1566) Make full Perm/Path snapshot available for NN plugin
[ https://issues.apache.org/jira/browse/SENTRY-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Hao Hao reassigned SENTRY-1566: --- Assignee: Hao Hao > Make full Perm/Path snapshot available for NN plugin > > > Key: SENTRY-1566 > URL: https://issues.apache.org/jira/browse/SENTRY-1566 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Hao Hao >Assignee: Hao Hao > Labels: hdfs-sync > Fix For: sentry-ha-redesign > > > Read full permission and path snapshot from SentryDB and make the update > available for NN plugin upon requests. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1515) Cleanup exception handling in SentryStore
[ https://issues.apache.org/jira/browse/SENTRY-1515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15750062#comment-15750062 ] Hadoop QA commented on SENTRY-1515: --- Here are the results of testing the latest attachment https://issues.apache.org/jira/secure/attachment/12843322/SENTRY-1515.003.patch against master. {color:green}Overall:{color} +1 all checks pass {color:green}SUCCESS:{color} all tests passed Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/2205/console This message is automatically generated. > Cleanup exception handling in SentryStore > - > > Key: SENTRY-1515 > URL: https://issues.apache.org/jira/browse/SENTRY-1515 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: Alexander Kolbasov > Attachments: SENTRY-1515.001.patch, SENTRY-1515.002.patch, > SENTRY-1515.003.patch > > > The changes to SENTRY-1422 and SENTRY-1512 changed the semantics of several > API calls: > - hasAnyServerPrivileges > - getMSentryPrivileges > - getMSentryPrivilegesByAuth > - getRoleNamesForGroups > - retrieveFullPrivilegeImage > - retrieveFullRoleImage > - retrieveFullPathsImage > - getAllRoleNames > Previously they were not marked as throwing Exception, but they still could > do it. With the change they now ignore exceptions and just log them which may > not be the right thing to do. > Instead they should be marked as throwing exceptions which has consequence > for broader APIs which should be marked as well. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1569) Upgrading SQL scripts for persist Perm/Path change
[ https://issues.apache.org/jira/browse/SENTRY-1569?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Hao Hao updated SENTRY-1569: Labels: hdfs-sync (was: ) > Upgrading SQL scripts for persist Perm/Path change > -- > > Key: SENTRY-1569 > URL: https://issues.apache.org/jira/browse/SENTRY-1569 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Hao Hao > Labels: hdfs-sync > Fix For: sentry-ha-redesign > > > Upgrading SQL script for Sentry permission and HMS path change. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (SENTRY-1569) Upgrading SQL scripts for persist Perm/Path change
Hao Hao created SENTRY-1569: --- Summary: Upgrading SQL scripts for persist Perm/Path change Key: SENTRY-1569 URL: https://issues.apache.org/jira/browse/SENTRY-1569 Project: Sentry Issue Type: Sub-task Reporter: Hao Hao Upgrading SQL script for Sentry permission and HMS path change. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1546) Generic Policy provides bad error messages for Sentry exceptions
[ https://issues.apache.org/jira/browse/SENTRY-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15749961#comment-15749961 ] Alexander Kolbasov commented on SENTRY-1546: Note that the code and decorations are different dependent on the model. > Generic Policy provides bad error messages for Sentry exceptions > > > Key: SENTRY-1546 > URL: https://issues.apache.org/jira/browse/SENTRY-1546 > Project: Sentry > Issue Type: Bug >Affects Versions: 1.8.0 >Reporter: Alexander Kolbasov >Assignee: kalyan kumar kalvagadda >Priority: Minor > Labels: bite-sized > > I discovered that when you attempt to create a role that already exists the > error message you get back from Thrift i just 'Role: foo' which is very > confusing. > The reason is that the SentryStore throws > {code}SentryAlreadyExistsException("Role: " + trimmedRoleName);{code} > and the generic policy processor passes the message as is: > {code} > public TCreateSentryRoleResponse create_sentry_role( > final TCreateSentryRoleRequest request) throws TException { > Response respose = requestHandle(new RequestHandler() { > @Override > public Response handle() throws Exception { > validateClientVersion(request.getProtocol_version()); > authorize(request.getRequestorUserName(), > getRequestorGroups(conf, request.getRequestorUserName())); > store.createRole(request.getComponent(), request.getRoleName(), > request.getRequestorUserName()); > return new Response(Status.OK()); > } > }); > ... > {code} > The similar thing is happening for other requests and other Sentry-specific > exceptions. > The legacy policy processor does decorate the error a bit: > {code} > public TCreateSentryRoleResponse create_sentry_role( > TCreateSentryRoleRequest request) throws TException { > final Timer.Context timerContext = sentryMetrics.createRoleTimer.time(); > TCreateSentryRoleResponse response = new TCreateSentryRoleResponse(); > try { > validateClientVersion(request.getProtocol_version()); > authorize(request.getRequestorUserName(), > getRequestorGroups(request.getRequestorUserName())); > sentryStore.createSentryRole(request.getRoleName()); > response.setStatus(Status.OK()); > notificationHandlerInvoker.create_sentry_role(request, response); > } catch (SentryAlreadyExistsException e) { > String msg = "Role: " + request + " already exists."; > LOGGER.error(msg, e); > response.setStatus(Status.AlreadyExists(msg, e)); > } catch (SentryAccessDeniedException e) { > LOGGER.error(e.getMessage(), e); > response.setStatus(Status.AccessDenied(e.getMessage(), e)); > } catch (SentryThriftAPIMismatchException e) { > LOGGER.error(e.getMessage(), e); > response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); > } catch (Exception e) { > String msg = "Unknown error for request: " + request + ", message: " + > e.getMessage(); > LOGGER.error(msg, e); > response.setStatus(Status.RuntimeError(msg, e)); > } finally { > ... > {code} > I think that it is better to just put the right message in the exception > itself and do not decorate it later. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1476) SentryStore is subject to JDQL injection
[ https://issues.apache.org/jira/browse/SENTRY-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Kolbasov updated SENTRY-1476: --- Status: Patch Available (was: Open) > SentryStore is subject to JDQL injection > > > Key: SENTRY-1476 > URL: https://issues.apache.org/jira/browse/SENTRY-1476 > Project: Sentry > Issue Type: Bug > Components: Core >Affects Versions: 1.7.0, sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: Alexander Kolbasov > Attachments: SENTRY-1476.001.patch, SENTRY-1476.002.patch, > SENTRY-1476.003.patch > > > SentryStore.java has a bunch of places where the query is constructed by > concatenating strings rather than using JDQL parameters. This is subject to > JDQL injection since some of the parameters come from Thrift. > All strings from Thrift should be passed as parameters, not as string > concatenation. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1476) SentryStore is subject to JDQL injection
[ https://issues.apache.org/jira/browse/SENTRY-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Kolbasov updated SENTRY-1476: --- Attachment: SENTRY-1476.003.patch Removed debug logging. > SentryStore is subject to JDQL injection > > > Key: SENTRY-1476 > URL: https://issues.apache.org/jira/browse/SENTRY-1476 > Project: Sentry > Issue Type: Bug > Components: Core >Affects Versions: 1.7.0, sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: Alexander Kolbasov > Attachments: SENTRY-1476.001.patch, SENTRY-1476.002.patch, > SENTRY-1476.003.patch > > > SentryStore.java has a bunch of places where the query is constructed by > concatenating strings rather than using JDQL parameters. This is subject to > JDQL injection since some of the parameters come from Thrift. > All strings from Thrift should be passed as parameters, not as string > concatenation. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1476) SentryStore is subject to JDQL injection
[ https://issues.apache.org/jira/browse/SENTRY-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Kolbasov updated SENTRY-1476: --- Status: Open (was: Patch Available) > SentryStore is subject to JDQL injection > > > Key: SENTRY-1476 > URL: https://issues.apache.org/jira/browse/SENTRY-1476 > Project: Sentry > Issue Type: Bug > Components: Core >Affects Versions: 1.7.0, sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: Alexander Kolbasov > Attachments: SENTRY-1476.001.patch, SENTRY-1476.002.patch > > > SentryStore.java has a bunch of places where the query is constructed by > concatenating strings rather than using JDQL parameters. This is subject to > JDQL injection since some of the parameters come from Thrift. > All strings from Thrift should be passed as parameters, not as string > concatenation. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Assigned] (SENTRY-1476) SentryStore is subject to JDQL injection
[ https://issues.apache.org/jira/browse/SENTRY-1476?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Kolbasov reassigned SENTRY-1476: -- Assignee: Alexander Kolbasov > SentryStore is subject to JDQL injection > > > Key: SENTRY-1476 > URL: https://issues.apache.org/jira/browse/SENTRY-1476 > Project: Sentry > Issue Type: Bug > Components: Core >Affects Versions: 1.7.0, sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: Alexander Kolbasov > Attachments: SENTRY-1476.001.patch, SENTRY-1476.002.patch > > > SentryStore.java has a bunch of places where the query is constructed by > concatenating strings rather than using JDQL parameters. This is subject to > JDQL injection since some of the parameters come from Thrift. > All strings from Thrift should be passed as parameters, not as string > concatenation. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1515) Cleanup exception handling in SentryStore
[ https://issues.apache.org/jira/browse/SENTRY-1515?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Kolbasov updated SENTRY-1515: --- Status: Patch Available (was: In Progress) > Cleanup exception handling in SentryStore > - > > Key: SENTRY-1515 > URL: https://issues.apache.org/jira/browse/SENTRY-1515 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: Alexander Kolbasov > Attachments: SENTRY-1515.001.patch, SENTRY-1515.002.patch, > SENTRY-1515.003.patch > > > The changes to SENTRY-1422 and SENTRY-1512 changed the semantics of several > API calls: > - hasAnyServerPrivileges > - getMSentryPrivileges > - getMSentryPrivilegesByAuth > - getRoleNamesForGroups > - retrieveFullPrivilegeImage > - retrieveFullRoleImage > - retrieveFullPathsImage > - getAllRoleNames > Previously they were not marked as throwing Exception, but they still could > do it. With the change they now ignore exceptions and just log them which may > not be the right thing to do. > Instead they should be marked as throwing exceptions which has consequence > for broader APIs which should be marked as well. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1515) Cleanup exception handling in SentryStore
[ https://issues.apache.org/jira/browse/SENTRY-1515?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Kolbasov updated SENTRY-1515: --- Status: In Progress (was: Patch Available) > Cleanup exception handling in SentryStore > - > > Key: SENTRY-1515 > URL: https://issues.apache.org/jira/browse/SENTRY-1515 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: Alexander Kolbasov > Attachments: SENTRY-1515.001.patch, SENTRY-1515.002.patch, > SENTRY-1515.003.patch > > > The changes to SENTRY-1422 and SENTRY-1512 changed the semantics of several > API calls: > - hasAnyServerPrivileges > - getMSentryPrivileges > - getMSentryPrivilegesByAuth > - getRoleNamesForGroups > - retrieveFullPrivilegeImage > - retrieveFullRoleImage > - retrieveFullPathsImage > - getAllRoleNames > Previously they were not marked as throwing Exception, but they still could > do it. With the change they now ignore exceptions and just log them which may > not be the right thing to do. > Instead they should be marked as throwing exceptions which has consequence > for broader APIs which should be marked as well. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1515) Cleanup exception handling in SentryStore
[ https://issues.apache.org/jira/browse/SENTRY-1515?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alexander Kolbasov updated SENTRY-1515: --- Attachment: SENTRY-1515.003.patch Addressed code review comments > Cleanup exception handling in SentryStore > - > > Key: SENTRY-1515 > URL: https://issues.apache.org/jira/browse/SENTRY-1515 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: Alexander Kolbasov > Attachments: SENTRY-1515.001.patch, SENTRY-1515.002.patch, > SENTRY-1515.003.patch > > > The changes to SENTRY-1422 and SENTRY-1512 changed the semantics of several > API calls: > - hasAnyServerPrivileges > - getMSentryPrivileges > - getMSentryPrivilegesByAuth > - getRoleNamesForGroups > - retrieveFullPrivilegeImage > - retrieveFullRoleImage > - retrieveFullPathsImage > - getAllRoleNames > Previously they were not marked as throwing Exception, but they still could > do it. With the change they now ignore exceptions and just log them which may > not be the right thing to do. > Instead they should be marked as throwing exceptions which has consequence > for broader APIs which should be marked as well. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1548) Setting GrantOption to UNSET upsets Sentry
[ https://issues.apache.org/jira/browse/SENTRY-1548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15749762#comment-15749762 ] Alexander Kolbasov commented on SENTRY-1548: [~kkalyan] Please add code reviewboard link to the JIRA. > Setting GrantOption to UNSET upsets Sentry > -- > > Key: SENTRY-1548 > URL: https://issues.apache.org/jira/browse/SENTRY-1548 > Project: Sentry > Issue Type: Bug > Components: Sentry >Reporter: Alexander Kolbasov >Assignee: kalyan kumar kalvagadda >Priority: Minor > Labels: bite-sized > Attachments: SENTRY-1548.001.patch, SENTRY-1548.002.patch > > > If we send a Thrift request to sentry (using regular api) with GrantOption > set to UNSET (-1) we get the following error: > {code} > TransactionManager.executeTransactionWithRetry(TransactionManager.java:102)] > The transaction has reac > hed max retry number, will not retry again. > javax.jdo.JDODataStoreException: Insert of object > "org.apache.sentry.provider.db.service.model.MSentryPrivilege@6bbfd4c9" using > statement "INSERT INTO `SENTRY_DB_PRIVILEGE` > (`DB_PRIVILEGE_ID`,`SERVER_NAME`,`WITH_GRANT_OPTION`,`CREATE_TIME`,`TABLE_NAME`,`URI`,`ACTION`,`COLUMN_NAME`,`DB_NAME`,`PRIVILEGE_SCOPE`) > VALUES (?,?,?,?,?,?,?,?,?,?)" failed : Column 'WITH_GRANT_OPTION' cannot be > null > at > org.datanucleus.api.jdo.NucleusJDOHelper.getJDOExceptionForNucleusException(NucleusJDOHelper.java:451) > at > org.datanucleus.api.jdo.JDOPersistenceManager.jdoMakePersistent(JDOPersistenceManager.java:732) > at > org.datanucleus.api.jdo.JDOPersistenceManager.makePersistent(JDOPersistenceManager.java:752) > at > org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleGrantPrivilegeCore(SentryStore.java:438) > at > org.apache.sentry.provider.db.service.persistent.SentryStore.access$500(SentryStore.java:95) > at > org.apache.sentry.provider.db.service.persistent.SentryStore$8.execute(SentryStore.java:374) > at > org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransaction(TransactionManager.java:72) > at > org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransactionWithRetry(TransactionManager.java:93) > at > org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleGrantPrivileges(SentryStore.java:367) > at > org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_grant_privilege(SentryPolicyStoreProcessor.java:280) > at > org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1237) > at > org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1222) > at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39) > at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39) > at > org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:35) > at > org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123) > at > org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > NestedThrowablesStackTrace: > com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: > Column 'WITH_GRANT_OPTION' cannot be null > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native > Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at com.mysql.jdbc.Util.handleNewInstance(Util.java:404) > at com.mysql.jdbc.Util.getInstance(Util.java:387) > at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:934) > at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3966) > at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3902) > at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2526) > at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2673) > at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2549) > at >
[jira] [Commented] (SENTRY-1547) It is possible to create a privilege with all empty fields
[ https://issues.apache.org/jira/browse/SENTRY-1547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15749739#comment-15749739 ] Hadoop QA commented on SENTRY-1547: --- Here are the results of testing the latest attachment https://issues.apache.org/jira/secure/attachment/12843302/SENTRY-1547.002.patch against master. {color:red}Overall:{color} -1 due to 27 errors {color:red}ERROR:{color} mvn test exited 1 {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServerForHaWithoutKerberos {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServerForHaWithoutKerberos {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServerForHaWithoutKerberos {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServerWithoutKerberos {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServerWithoutKerberos {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServerWithoutKerberos {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestAuthorizingDDLAuditLogWithKerberos {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.tools.TestSentryShellHive {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServiceIntegration {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServerForPoolWithoutKerberos {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServerForPoolWithoutKerberos {color:red}ERROR:{color} Failed: org.apache.sentry.provider.db.service.thrift.TestSentryServerForPoolWithoutKerberos Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/2204/console This message is automatically generated. > It is possible to create a privilege with all empty fields > -- > > Key: SENTRY-1547 > URL: https://issues.apache.org/jira/browse/SENTRY-1547 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: 1.8.0, sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: kalyan kumar kalvagadda >Priority: Minor > Labels: bite-sized > Attachments: SENTRY-1547.001.patch, SENTRY-1547.002.patch > > > It is possible (at least by sending Thrift message) to create privilege with > everything set to __NULL__ which is a pretty useless privilege. We should > check that at least some fields are set. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1548) Setting GrantOption to UNSET upsets Sentry
[ https://issues.apache.org/jira/browse/SENTRY-1548?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] kalyan kumar kalvagadda updated SENTRY-1548: Attachment: SENTRY-1548.002.patch UNSET option for grant is valid is only valid while revoking the privileges. Added code changes to Sentry Policy Processor to handle the same. > Setting GrantOption to UNSET upsets Sentry > -- > > Key: SENTRY-1548 > URL: https://issues.apache.org/jira/browse/SENTRY-1548 > Project: Sentry > Issue Type: Bug > Components: Sentry >Reporter: Alexander Kolbasov >Assignee: kalyan kumar kalvagadda >Priority: Minor > Labels: bite-sized > Attachments: SENTRY-1548.001.patch, SENTRY-1548.002.patch > > > If we send a Thrift request to sentry (using regular api) with GrantOption > set to UNSET (-1) we get the following error: > {code} > TransactionManager.executeTransactionWithRetry(TransactionManager.java:102)] > The transaction has reac > hed max retry number, will not retry again. > javax.jdo.JDODataStoreException: Insert of object > "org.apache.sentry.provider.db.service.model.MSentryPrivilege@6bbfd4c9" using > statement "INSERT INTO `SENTRY_DB_PRIVILEGE` > (`DB_PRIVILEGE_ID`,`SERVER_NAME`,`WITH_GRANT_OPTION`,`CREATE_TIME`,`TABLE_NAME`,`URI`,`ACTION`,`COLUMN_NAME`,`DB_NAME`,`PRIVILEGE_SCOPE`) > VALUES (?,?,?,?,?,?,?,?,?,?)" failed : Column 'WITH_GRANT_OPTION' cannot be > null > at > org.datanucleus.api.jdo.NucleusJDOHelper.getJDOExceptionForNucleusException(NucleusJDOHelper.java:451) > at > org.datanucleus.api.jdo.JDOPersistenceManager.jdoMakePersistent(JDOPersistenceManager.java:732) > at > org.datanucleus.api.jdo.JDOPersistenceManager.makePersistent(JDOPersistenceManager.java:752) > at > org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleGrantPrivilegeCore(SentryStore.java:438) > at > org.apache.sentry.provider.db.service.persistent.SentryStore.access$500(SentryStore.java:95) > at > org.apache.sentry.provider.db.service.persistent.SentryStore$8.execute(SentryStore.java:374) > at > org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransaction(TransactionManager.java:72) > at > org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransactionWithRetry(TransactionManager.java:93) > at > org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleGrantPrivileges(SentryStore.java:367) > at > org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_grant_privilege(SentryPolicyStoreProcessor.java:280) > at > org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1237) > at > org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1222) > at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39) > at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39) > at > org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:35) > at > org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123) > at > org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > NestedThrowablesStackTrace: > com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: > Column 'WITH_GRANT_OPTION' cannot be null > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native > Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at com.mysql.jdbc.Util.handleNewInstance(Util.java:404) > at com.mysql.jdbc.Util.getInstance(Util.java:387) > at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:934) > at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3966) > at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3902) > at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2526) > at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2673) > at
[jira] [Updated] (SENTRY-1548) Setting GrantOption to UNSET upsets Sentry
[ https://issues.apache.org/jira/browse/SENTRY-1548?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] kalyan kumar kalvagadda updated SENTRY-1548: Status: Open (was: Patch Available) Reverting the patch based on the review comments received. > Setting GrantOption to UNSET upsets Sentry > -- > > Key: SENTRY-1548 > URL: https://issues.apache.org/jira/browse/SENTRY-1548 > Project: Sentry > Issue Type: Bug > Components: Sentry >Reporter: Alexander Kolbasov >Assignee: kalyan kumar kalvagadda >Priority: Minor > Labels: bite-sized > Attachments: SENTRY-1548.001.patch > > > If we send a Thrift request to sentry (using regular api) with GrantOption > set to UNSET (-1) we get the following error: > {code} > TransactionManager.executeTransactionWithRetry(TransactionManager.java:102)] > The transaction has reac > hed max retry number, will not retry again. > javax.jdo.JDODataStoreException: Insert of object > "org.apache.sentry.provider.db.service.model.MSentryPrivilege@6bbfd4c9" using > statement "INSERT INTO `SENTRY_DB_PRIVILEGE` > (`DB_PRIVILEGE_ID`,`SERVER_NAME`,`WITH_GRANT_OPTION`,`CREATE_TIME`,`TABLE_NAME`,`URI`,`ACTION`,`COLUMN_NAME`,`DB_NAME`,`PRIVILEGE_SCOPE`) > VALUES (?,?,?,?,?,?,?,?,?,?)" failed : Column 'WITH_GRANT_OPTION' cannot be > null > at > org.datanucleus.api.jdo.NucleusJDOHelper.getJDOExceptionForNucleusException(NucleusJDOHelper.java:451) > at > org.datanucleus.api.jdo.JDOPersistenceManager.jdoMakePersistent(JDOPersistenceManager.java:732) > at > org.datanucleus.api.jdo.JDOPersistenceManager.makePersistent(JDOPersistenceManager.java:752) > at > org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleGrantPrivilegeCore(SentryStore.java:438) > at > org.apache.sentry.provider.db.service.persistent.SentryStore.access$500(SentryStore.java:95) > at > org.apache.sentry.provider.db.service.persistent.SentryStore$8.execute(SentryStore.java:374) > at > org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransaction(TransactionManager.java:72) > at > org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransactionWithRetry(TransactionManager.java:93) > at > org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleGrantPrivileges(SentryStore.java:367) > at > org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_grant_privilege(SentryPolicyStoreProcessor.java:280) > at > org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1237) > at > org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1222) > at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39) > at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39) > at > org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:35) > at > org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123) > at > org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > NestedThrowablesStackTrace: > com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: > Column 'WITH_GRANT_OPTION' cannot be null > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native > Method) > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at com.mysql.jdbc.Util.handleNewInstance(Util.java:404) > at com.mysql.jdbc.Util.getInstance(Util.java:387) > at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:934) > at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3966) > at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3902) > at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2526) > at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2673) > at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2549) > at >
[jira] [Created] (SENTRY-1568) Develop automated test for client failover
Alexander Kolbasov created SENTRY-1568: -- Summary: Develop automated test for client failover Key: SENTRY-1568 URL: https://issues.apache.org/jira/browse/SENTRY-1568 Project: Sentry Issue Type: Sub-task Components: Sentry Affects Versions: sentry-ha-redesign Reporter: Alexander Kolbasov We need a automated test for SENTRY-1477. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Comment Edited] (SENTRY-1547) It is possible to create a privilege with all empty fields
[ https://issues.apache.org/jira/browse/SENTRY-1547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15749648#comment-15749648 ] kalyan kumar kalvagadda edited comment on SENTRY-1547 at 12/14/16 10:07 PM: SENTRY-1547.001.patch I had to take a different approach in solving the issue based on the review comments. I have added validation logic in SentryPolicyStoreProcessor enforcing the mandatory fields like server_name and action to be present in privilege/privileges added. was (Author: kkalyan): SENTRY-1547.001.patch > It is possible to create a privilege with all empty fields > -- > > Key: SENTRY-1547 > URL: https://issues.apache.org/jira/browse/SENTRY-1547 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: 1.8.0, sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: kalyan kumar kalvagadda >Priority: Minor > Labels: bite-sized > Attachments: SENTRY-1547.001.patch, SENTRY-1547.002.patch > > > It is possible (at least by sending Thrift message) to create privilege with > everything set to __NULL__ which is a pretty useless privilege. We should > check that at least some fields are set. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1547) It is possible to create a privilege with all empty fields
[ https://issues.apache.org/jira/browse/SENTRY-1547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] kalyan kumar kalvagadda updated SENTRY-1547: Status: Patch Available (was: In Progress) SENTRY-1547.001.patch > It is possible to create a privilege with all empty fields > -- > > Key: SENTRY-1547 > URL: https://issues.apache.org/jira/browse/SENTRY-1547 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: 1.8.0, sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: kalyan kumar kalvagadda >Priority: Minor > Labels: bite-sized > Attachments: SENTRY-1547.001.patch, SENTRY-1547.002.patch > > > It is possible (at least by sending Thrift message) to create privilege with > everything set to __NULL__ which is a pretty useless privilege. We should > check that at least some fields are set. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1547) It is possible to create a privilege with all empty fields
[ https://issues.apache.org/jira/browse/SENTRY-1547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] kalyan kumar kalvagadda updated SENTRY-1547: Status: Open (was: Patch Available) Reverting the patch based on review comments. > It is possible to create a privilege with all empty fields > -- > > Key: SENTRY-1547 > URL: https://issues.apache.org/jira/browse/SENTRY-1547 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: 1.8.0, sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: kalyan kumar kalvagadda >Priority: Minor > Labels: bite-sized > Attachments: SENTRY-1547.001.patch > > > It is possible (at least by sending Thrift message) to create privilege with > everything set to __NULL__ which is a pretty useless privilege. We should > check that at least some fields are set. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1547) It is possible to create a privilege with all empty fields
[ https://issues.apache.org/jira/browse/SENTRY-1547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15749635#comment-15749635 ] kalyan kumar kalvagadda commented on SENTRY-1547: - SENTRY-1547.002.patch I had to take a different approach in solving the issue based on the review comments. I have added validation logic in SentryPolicyStoreProcessor enforcing the mandatory fields like server_name and action to be present in privilege/privileges added. > It is possible to create a privilege with all empty fields > -- > > Key: SENTRY-1547 > URL: https://issues.apache.org/jira/browse/SENTRY-1547 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: 1.8.0, sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: kalyan kumar kalvagadda >Priority: Minor > Labels: bite-sized > Attachments: SENTRY-1547.001.patch > > > It is possible (at least by sending Thrift message) to create privilege with > everything set to __NULL__ which is a pretty useless privilege. We should > check that at least some fields are set. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1539) HMS Follower should store arriving HMS notifications
[ https://issues.apache.org/jira/browse/SENTRY-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Hao Hao updated SENTRY-1539: Labels: hdfs-sync-hmsfollower (was: ) > HMS Follower should store arriving HMS notifications > > > Key: SENTRY-1539 > URL: https://issues.apache.org/jira/browse/SENTRY-1539 > Project: Sentry > Issue Type: Sub-task > Components: Sentry >Affects Versions: sentry-ha-redesign > Environment: HMS Follower should save arriving HMS notifications in > the DB. >Reporter: Alexander Kolbasov > Labels: hdfs-sync-hmsfollower > Fix For: sentry-ha-redesign > > > Once HMS receives a notification from HMS it should store in in Sentry DB. > The addition of the notification event should be bundled in the same > transaction that handles the event, so the whole event is either processed or > not. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SENTRY-1546) Generic Policy provides bad error messages for Sentry exceptions
[ https://issues.apache.org/jira/browse/SENTRY-1546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15749560#comment-15749560 ] kalyan kumar kalvagadda commented on SENTRY-1546: - I see that exception is decorated with more information. I need to test to see why is not applied. > Generic Policy provides bad error messages for Sentry exceptions > > > Key: SENTRY-1546 > URL: https://issues.apache.org/jira/browse/SENTRY-1546 > Project: Sentry > Issue Type: Bug >Affects Versions: 1.8.0 >Reporter: Alexander Kolbasov >Assignee: kalyan kumar kalvagadda >Priority: Minor > Labels: bite-sized > > I discovered that when you attempt to create a role that already exists the > error message you get back from Thrift i just 'Role: foo' which is very > confusing. > The reason is that the SentryStore throws > {code}SentryAlreadyExistsException("Role: " + trimmedRoleName);{code} > and the generic policy processor passes the message as is: > {code} > public TCreateSentryRoleResponse create_sentry_role( > final TCreateSentryRoleRequest request) throws TException { > Response respose = requestHandle(new RequestHandler() { > @Override > public Response handle() throws Exception { > validateClientVersion(request.getProtocol_version()); > authorize(request.getRequestorUserName(), > getRequestorGroups(conf, request.getRequestorUserName())); > store.createRole(request.getComponent(), request.getRoleName(), > request.getRequestorUserName()); > return new Response(Status.OK()); > } > }); > ... > {code} > The similar thing is happening for other requests and other Sentry-specific > exceptions. > The legacy policy processor does decorate the error a bit: > {code} > public TCreateSentryRoleResponse create_sentry_role( > TCreateSentryRoleRequest request) throws TException { > final Timer.Context timerContext = sentryMetrics.createRoleTimer.time(); > TCreateSentryRoleResponse response = new TCreateSentryRoleResponse(); > try { > validateClientVersion(request.getProtocol_version()); > authorize(request.getRequestorUserName(), > getRequestorGroups(request.getRequestorUserName())); > sentryStore.createSentryRole(request.getRoleName()); > response.setStatus(Status.OK()); > notificationHandlerInvoker.create_sentry_role(request, response); > } catch (SentryAlreadyExistsException e) { > String msg = "Role: " + request + " already exists."; > LOGGER.error(msg, e); > response.setStatus(Status.AlreadyExists(msg, e)); > } catch (SentryAccessDeniedException e) { > LOGGER.error(e.getMessage(), e); > response.setStatus(Status.AccessDenied(e.getMessage(), e)); > } catch (SentryThriftAPIMismatchException e) { > LOGGER.error(e.getMessage(), e); > response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e)); > } catch (Exception e) { > String msg = "Unknown error for request: " + request + ", message: " + > e.getMessage(); > LOGGER.error(msg, e); > response.setStatus(Status.RuntimeError(msg, e)); > } finally { > ... > {code} > I think that it is better to just put the right message in the exception > itself and do not decorate it later. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1567) Refactor propagating logic for Perm/Path delta to NN plugin
[ https://issues.apache.org/jira/browse/SENTRY-1567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Hao Hao updated SENTRY-1567: Labels: hdfs-sync (was: ) > Refactor propagating logic for Perm/Path delta to NN plugin > --- > > Key: SENTRY-1567 > URL: https://issues.apache.org/jira/browse/SENTRY-1567 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Hao Hao > Labels: hdfs-sync > Fix For: sentry-ha-redesign > > > Refactor the propagating logic for Perm/Path delta to NN plugin to remove > caching logic. Instead read Perm/Path delta from SentryDB. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (SENTRY-1567) Refactor propagating logic for Perm/Path delta to NN plugin
Hao Hao created SENTRY-1567: --- Summary: Refactor propagating logic for Perm/Path delta to NN plugin Key: SENTRY-1567 URL: https://issues.apache.org/jira/browse/SENTRY-1567 Project: Sentry Issue Type: Sub-task Reporter: Hao Hao Refactor the propagating logic for Perm/Path delta to NN plugin to remove caching logic. Instead read Perm/Path delta from SentryDB. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1566) Make full Perm/Path snapshot available for NN plugin
[ https://issues.apache.org/jira/browse/SENTRY-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Hao Hao updated SENTRY-1566: Labels: hdfs-sync (was: ) > Make full Perm/Path snapshot available for NN plugin > > > Key: SENTRY-1566 > URL: https://issues.apache.org/jira/browse/SENTRY-1566 > Project: Sentry > Issue Type: Sub-task > Components: Hdfs Plugin >Reporter: Hao Hao > Labels: hdfs-sync > Fix For: sentry-ha-redesign > > > Read full permission and path snapshot from SentryDB and make the update > available for NN plugin upon requests. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (SENTRY-1566) Make full Perm/Path snapshot available for NN plugin
Hao Hao created SENTRY-1566: --- Summary: Make full Perm/Path snapshot available for NN plugin Key: SENTRY-1566 URL: https://issues.apache.org/jira/browse/SENTRY-1566 Project: Sentry Issue Type: Sub-task Reporter: Hao Hao Read full permission and path snapshot from SentryDB and make the update available for NN plugin upon requests. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1536) Refactor SentryStore transaction management to allow for extra transactions
[ https://issues.apache.org/jira/browse/SENTRY-1536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Hao Hao updated SENTRY-1536: Labels: hdfs-sync (was: ) > Refactor SentryStore transaction management to allow for extra transactions > --- > > Key: SENTRY-1536 > URL: https://issues.apache.org/jira/browse/SENTRY-1536 > Project: Sentry > Issue Type: Sub-task > Components: Sentry >Affects Versions: sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: Hao Hao > Labels: hdfs-sync > Fix For: sentry-ha-redesign > > > HMSFollower needs to combine multiple things in a single transaction: > * Doing the actual operation (priv change) > * Updating notification ID. > It is important to do this in a single transaction to guarantee that > notificationID handling is atomic. Current code structure doesn't allow for > that. > So we need to pass extra transaction code to SentryStore functions or figure > out a generic way to do this. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1538) Create schema for storing HMS path change and Sentry permission change.
[ https://issues.apache.org/jira/browse/SENTRY-1538?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Hao Hao updated SENTRY-1538: Labels: hdfs-sync (was: ) > Create schema for storing HMS path change and Sentry permission change. > --- > > Key: SENTRY-1538 > URL: https://issues.apache.org/jira/browse/SENTRY-1538 > Project: Sentry > Issue Type: Sub-task > Components: Sentry >Affects Versions: sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: Hao Hao > Labels: hdfs-sync > Fix For: sentry-ha-redesign > > Attachments: SENTRY-1538.001-sentry-ha-redesign.patch > > > As HMS Follower processes HMS notifications, they should be stored in Sentry > DB. At a minimum we can only store notification ID, but for > debugging/troubleshooting it is better to store actual JSON notification > events as well. > So this task about adding a schema for storing notifications. It its simplest > form it will contain just notification ID as the primary key, possibly > timestamp and the JSON notification event. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1536) Refactor SentryStore transaction management to allow for extra transactions
[ https://issues.apache.org/jira/browse/SENTRY-1536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Hao Hao updated SENTRY-1536: Description: To persist single permission/path change, it needs to combine multiple things in a single transaction: * Doing the actual operation (priv change) * Updating notification ID. It is important to do this in a single transaction to guarantee that notificationID handling is atomic. Current code structure doesn't allow for that. So we need to pass extra transaction code to SentryStore functions or figure out a generic way to do this. was: HMSFollower needs to combine multiple things in a single transaction: * Doing the actual operation (priv change) * Updating notification ID. It is important to do this in a single transaction to guarantee that notificationID handling is atomic. Current code structure doesn't allow for that. So we need to pass extra transaction code to SentryStore functions or figure out a generic way to do this. > Refactor SentryStore transaction management to allow for extra transactions > --- > > Key: SENTRY-1536 > URL: https://issues.apache.org/jira/browse/SENTRY-1536 > Project: Sentry > Issue Type: Sub-task > Components: Sentry >Affects Versions: sentry-ha-redesign >Reporter: Alexander Kolbasov >Assignee: Hao Hao > Labels: hdfs-sync > Fix For: sentry-ha-redesign > > > To persist single permission/path change, it needs to combine multiple things > in a single transaction: > * Doing the actual operation (priv change) > * Updating notification ID. > It is important to do this in a single transaction to guarantee that > notificationID handling is atomic. Current code structure doesn't allow for > that. > So we need to pass extra transaction code to SentryStore functions or figure > out a generic way to do this. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1535) HMS Follower should update HDFS plugin paths
[ https://issues.apache.org/jira/browse/SENTRY-1535?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Hao Hao updated SENTRY-1535: Labels: hdfs-sync-hmsfollower (was: hdfs-sync-hmsfoll) > HMS Follower should update HDFS plugin paths > > > Key: SENTRY-1535 > URL: https://issues.apache.org/jira/browse/SENTRY-1535 > Project: Sentry > Issue Type: Sub-task > Components: Sentry >Affects Versions: sentry-ha-redesign >Reporter: Alexander Kolbasov > Labels: hdfs-sync-hmsfollower > Fix For: sentry-ha-redesign > > > HMS Follower currently doesn't update any path information in the HDFS > plugin. It should be extended to update HDFS plugin info. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1535) HMS Follower should update HDFS plugin paths
[ https://issues.apache.org/jira/browse/SENTRY-1535?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Hao Hao updated SENTRY-1535: Labels: hdfs-sync-hmsfoll (was: ) > HMS Follower should update HDFS plugin paths > > > Key: SENTRY-1535 > URL: https://issues.apache.org/jira/browse/SENTRY-1535 > Project: Sentry > Issue Type: Sub-task > Components: Sentry >Affects Versions: sentry-ha-redesign >Reporter: Alexander Kolbasov > Labels: hdfs-sync-hmsfoll > Fix For: sentry-ha-redesign > > > HMS Follower currently doesn't update any path information in the HDFS > plugin. It should be extended to update HDFS plugin info. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (SENTRY-1539) HMS Follower should store arriving HMS notifications
[ https://issues.apache.org/jira/browse/SENTRY-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Hao Hao updated SENTRY-1539: Labels: hdfs-sync-hmsfollower (was: ) > HMS Follower should store arriving HMS notifications > > > Key: SENTRY-1539 > URL: https://issues.apache.org/jira/browse/SENTRY-1539 > Project: Sentry > Issue Type: Sub-task > Components: Sentry >Affects Versions: sentry-ha-redesign > Environment: HMS Follower should save arriving HMS notifications in > the DB. >Reporter: Alexander Kolbasov > Fix For: sentry-ha-redesign > > > Once HMS receives a notification from HMS it should store in in Sentry DB. > The addition of the notification event should be bundled in the same > transaction that handles the event, so the whole event is either processed or > not. -- This message was sent by Atlassian JIRA (v6.3.4#6332)