  1. Sentry (Retired)
  2. SENTRY-2372

SentryStore should not implement grantOptionCheck

Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.0
    • Fix Version/s: 2.2.0
    • Component/s: Sentry, sentrystore
    • Labels: None

    Description

      During functional testing it was found that the SentryStore implementation contains logic that enforces Sentry rights and depends on cluster-specific context. Specifically, grantOptionCheck needs to be able to resolve the Hadoop user's groups and the Sentry admin groups configured on the cluster.

      There are two problems with this:

      1. Some backends use SentryStore in a multi-tenant way and do not have the context that SentryStore expects when it is used in a cluster.
      2. Security enforcement logic shouldn't be in SentryStore if it is to be trusted. Since the backend's Sentry API may be stateless, the caller has to pass the request context to such a backend implementation together with the explicit SentryStore arguments. If the context (e.g. groups) is passed with the request, the checks become unenforceable since the caller controls variables on both sides of the comparison.

      The recommendation is to remove grantOptionCheck from SentryStore and to implement equivalent logic in SentryPolicyStoreProcessor.
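
The second problem above, shown as an added illustration (this is not code from Sentry or from the patches attached to this issue): a grant-option check that trusts groups supplied with the request next to one that resolves groups on the server side. All class, method and map names here are hypothetical, and the users, groups and roles are constructed sample data.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;

// Hypothetical, simplified model; not the Sentry classes or their signatures.
public class GrantOptionDemo {
    // Policy data held by the storage layer (constructed sample data).
    static final Map<String, Set<String>> ROLES_BY_GROUP =
            Map.of("analysts", Set.of("analyst_role"), "dba", Set.of("dba_role"));
    static final Set<String> ROLES_WITH_GRANT_OPTION = Set.of("dba_role");
    static final Set<String> ADMIN_GROUPS = Set.of("sentry_admins");

    // Trusted server-side user-to-group mapping; stands in for the cluster's
    // group resolution, which the caller cannot influence.
    static final Map<String, Set<String>> GROUPS_BY_USER =
            Map.of("alice", Set.of("analysts"), "bob", Set.of("dba"));

    // Shared decision: admin group membership, or a role that carries grant option.
    static boolean hasGrantOption(Set<String> groups) {
        if (!Collections.disjoint(groups, ADMIN_GROUPS)) return true;
        for (String group : groups)
            for (String role : ROLES_BY_GROUP.getOrDefault(group, Set.of()))
                if (ROLES_WITH_GRANT_OPTION.contains(role)) return true;
        return false;
    }

    // Unenforceable: a stateless store receives the groups as part of the request,
    // so the caller supplies the value that the policy is compared against.
    static boolean storeLevelCheck(String user, Set<String> groupsFromRequest) {
        return hasGrantOption(groupsFromRequest);
    }

    // Enforceable: the request processor ignores request-supplied groups and
    // resolves them for the authenticated user from the trusted mapping.
    static boolean processorLevelCheck(String authenticatedUser, Set<String> groupsFromRequest) {
        return hasGrantOption(GROUPS_BY_USER.getOrDefault(authenticatedUser, Set.of()));
    }

    public static void main(String[] args) {
        // Constructed request: alice is only in "analysts" but claims an admin group.
        Set<String> claimed = Set.of("sentry_admins");
        System.out.println("store-level, alice:     " + storeLevelCheck("alice", claimed));
        System.out.println("processor-level, alice: " + processorLevelCheck("alice", claimed));
        // bob holds a role with grant option, so the server-side check still allows him.
        System.out.println("processor-level, bob:   " + processorLevelCheck("bob", Set.of()));
    }
}
```

The store-level check accepts whatever group membership the request asserts, while the processor-level check reaches the same decision function with input the caller cannot set.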

      Attachments

        1. SENTRY-2372.1.patch
          121 kB
          Sergio Peña
        2. SENTRY-2372.2.patch
          159 kB
          Sergio Peña
        3. SENTRY-2372.3.patch
          157 kB
          Sergio Peña
        4. SENTRY-2372.4.patch
          51 kB
          Sergio Peña
        5. SENTRY-2372.5.patch
          47 kB
          Sergio Peña
        6. SENTRY-2372.6.patch
          143 kB
          Sergio Peña
        7. SENTRY-2372.7.patch
          149 kB
          Sergio Peña

          Activity

            hadoopqa Hadoop QA added a comment -

            Here are the results of testing the latest attachment
            https://issues.apache.org/jira/secure/attachment/12942569/SENTRY-2372.3.patch against master.

            Overall: -1 due to an error

            ERROR: failed to build with patch (exit code 1)

            Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/4166/console

            This message is automatically generated.

            hadoopqa Hadoop QA added a comment -

            Here are the results of testing the latest attachment
            https://issues.apache.org/jira/secure/attachment/12942568/SENTRY-2372.2.patch against master.

            Overall: +1 all checks pass

            SUCCESS: all tests passed

            Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/4165/console

            This message is automatically generated.

            hadoopqa Hadoop QA added a comment -

            Here are the results of testing the latest attachment
            https://issues.apache.org/jira/secure/attachment/12944840/SENTRY-2372.4.patch against master.

            Overall: -1 due to 5 errors

            ERROR: mvn test exited 1
            ERROR: Failed: org.apache.sentry.api.service.thrift.TestSentryPolicyStoreProcessor
            ERROR: Failed: org.apache.sentry.api.service.thrift.TestSentryPolicyStoreProcessor
            ERROR: Failed: org.apache.sentry.api.service.thrift.TestSentryPolicyStoreProcessor
            ERROR: Failed: org.apache.sentry.api.service.thrift.TestSentryPolicyStoreProcessor

            Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/4191/console

            This message is automatically generated.

            hadoopqa Hadoop QA added a comment -

            Here are the results of testing the latest attachment
            https://issues.apache.org/jira/secure/attachment/12944871/SENTRY-2372.5.patch against master.

            Overall: +1 all checks pass

            SUCCESS: all tests passed

            Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/4192/console

            This message is automatically generated.

            hadoopqa Hadoop QA added a comment -

            Here are the results of testing the latest attachment
            https://issues.apache.org/jira/secure/attachment/12945092/SENTRY-2372.6.patch against master.

            Overall: +1 all checks pass

            SUCCESS: all tests passed

            Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/4193/console

            This message is automatically generated.

            hadoopqa Hadoop QA added a comment -

            Here are the results of testing the latest attachment
            https://issues.apache.org/jira/secure/attachment/12945818/SENTRY-2372.7.patch against master.

            Overall: +1 all checks pass

            SUCCESS: all tests passed

            Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/4204/console

            This message is automatically generated.


            People

              Assignee: Sergio Peña (spena)
              Reporter: Sergio Peña (spena)