Details
-
Bug
-
Status: Resolved
-
Critical
-
Resolution: Fixed
-
2.0.0
-
None
Description
SENTRY-1480 implemented a command-line tool to migrate Sentry permissions from 1.x to 2.x. During upgrade testing I found a bug in the migration process where the pre-upgrade permissions are deleted. Specifically following permission was configured on Sentry v1
collection=*->action=*
After the migration, following permissions were available on Sentry service
admin=collections->action=* admin=cores->action=*
Note that the original permission is missing. From the following log snippet of Sentry service, it looks like the original permission was incorrectly revoked.
2018-03-08 21:40:20,856 INFO DataNucleus.Datastore: Collection field "org.apache.sentry.provider.db.service.model.MSentryRole.gmPrivileges" of "org.apache.sentry.provider.db.service.model.MSentryRole@4dc76fa5" was asked to add element "MSentryGMPrivilege [serverName=service1, componentName=solr, authorizables=Admin=collections, scope=Admin, action=*, roles=[...], createTime=1520574020823, grantOption=false]" to the M-N bidirectional relation but the element already has this field in its collection (maybe added from the other side)
2018-03-08 21:40:20,997 INFO sentry.generic.authorization.ddl.logger: \{"serviceName":"Sentry-Service","userName":"solr","impersonator":"solr@GCE.CLOUDERA.COM","ipAddress":"/172.31.117.188","operation":"GRANT_PRIVILEGE","eventTime":"1520574020991","operationText":"GRANT ALL ON Admin collections TO ROLE solr-admin ON COMPONENT SOLR","allowed":"true","databaseName":null,"tableName":null,"column":null,"resourcePath":null,"objectType":"PRINCIPAL"}
2018-03-08 21:40:21,015 INFO DataNucleus.Datastore: Collection field "org.apache.sentry.provider.db.service.model.MSentryRole.gmPrivileges" of "org.apache.sentry.provider.db.service.model.MSentryRole@46f3fe41" was asked to add element "MSentryGMPrivilege [serverName=service1, componentName=solr, authorizables=Admin=cores, scope=Admin, action=*, roles=[...], createTime=1520574021011, grantOption=false]" to the M-N bidirectional relation but the element already has this field in its collection (maybe added from the other side)
2018-03-08 21:40:21,022 INFO sentry.generic.authorization.ddl.logger: \{"serviceName":"Sentry-Service","userName":"solr","impersonator":"solr@GCE.CLOUDERA.COM","ipAddress":"/172.31.117.188","operation":"GRANT_PRIVILEGE","eventTime":"1520574021022","operationText":"GRANT ALL ON Admin cores TO ROLE solr-admin ON COMPONENT SOLR","allowed":"true","databaseName":null,"tableName":null,"column":null,"resourcePath":null,"objectType":"PRINCIPAL"}
2018-03-08 21:40:21,035 INFO sentry.generic.authorization.ddl.logger: \{"serviceName":"Sentry-Service","userName":"solr","impersonator":"solr@GCE.CLOUDERA.COM","ipAddress":"/172.31.117.188","operation":"GRANT_PRIVILEGE","eventTime":"1520574021035","operationText":"GRANT ALL ON Collection * TO ROLE solr-admin ON COMPONENT SOLR","allowed":"true","databaseName":null,"tableName":null,"column":null,"resourcePath":null,"objectType":"PRINCIPAL"}
2018-03-08 21:40:21,080 INFO sentry.generic.authorization.ddl.logger: \{"serviceName":"Sentry-Service","userName":"solr","impersonator":"solr@GCE.CLOUDERA.COM","ipAddress":"/172.31.117.188","operation":"REVOKE_PRIVILEGE","eventTime":"1520574021080","operationText":"REVOKE ALL ON Collection * FROM ROLE solr-admin ON COMPONENT SOLR","allowed":"true","databaseName":null,"tableName":null,"column":null,"resourcePath":null,"objectType":"PRINCIPAL"}