Description
Hey guys, we have an Impala - HDFS - Sentry architecture.
We're using scripts to create roles:
CREATE ROLE role1
GRANT ALL ON DATABASE db1 TO ROLE role1
GRANT ALL ON URI hdfs://uri/db1 TO ROLE role1
GRANT ROLE role1 to GROUP role1
Using the same connection, I run:
CREATE ROLE role2
GRANT ALL ON DATABASE db2 TO ROLE role2
GRANT ALL ON URI hdfs://uri/db2 TO ROLE role2
GRANT ROLE role2 to GROUP role2
And do this for N users.
After executing these operations, the backend Sentry policy DB shows that the roleN privileges were actually granted to role(N-1).
Just before this happened we switched Impala to local catalog mode (it might or might not be related, but it did occur at the same time). The config change in Impala was to:
--catalog_topic_mode=minimal
and
--use_local_catalog=true
Then the Impala query showed that roleN has permissions to the N-1 database. It only happened for one of ~30 roles:
[dn0.datanode.dp.svc.cluster.local:21000] default> SHOW GRANT ROLE roleN;
Query: SHOW GRANT ROLE roleN
+----------+-----------+-------+--------+-------------------------------+-----------+--------------+-------------------------------+
| scope    | database  | table | column | uri                           | privilege | grant_option | create_time                   |
+----------+-----------+-------+--------+-------------------------------+-----------+--------------+-------------------------------+
| database | N-1       |       |        |                               | all       | false        | -                             |
| uri      |           |       |        | hdfs://uri/(N-1)              | all       | false        | -                             |
+----------+-----------+-------+--------+-------------------------------+-----------+--------------+-------------------------------+
This is not reproducible at this time (after dropping and recreating roles it looks fine now).
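An added example, not part of the original report: because the mismatch only showed up when inspecting SHOW GRANT ROLE output, this Python check parses that table and compares it with the database and URI the provisioning script meant to grant. The role and database names (role7, db6, db7) and the sample table are constructed for illustration.

```python
# Added example, not from the original report: check SHOW GRANT ROLE output
# against the grants the provisioning script intended for that role.

def parse_grant_table(text):
    """Parse impala-shell's ASCII result table into a list of row dicts."""
    lines = [l.strip() for l in text.splitlines() if l.strip().startswith("|")]
    cells = [[c.strip() for c in l[1:-1].split("|")] for l in lines]
    if not cells:
        return []
    header, rows = cells[0], cells[1:]
    return [dict(zip(header, r)) for r in rows]


def audit_role(role, expected_db, expected_uri, show_grant_output):
    """Return findings for one role; an empty list means the grants match."""
    grants = parse_grant_table(show_grant_output)
    found = {
        "database": {g["database"] for g in grants if g["scope"] == "database"},
        "uri": {g["uri"] for g in grants if g["scope"] == "uri"},
    }
    expected = {"database": {expected_db}, "uri": {expected_uri}}
    findings = []
    for scope in ("database", "uri"):
        for extra in sorted(found[scope] - expected[scope]):
            findings.append(f"{role}: unexpected {scope} grant on {extra}")
        for missing in sorted(expected[scope] - found[scope]):
            findings.append(f"{role}: missing {scope} grant on {missing}")
    return findings


# Constructed sample in the layout shown above: role7 holds role6's privileges.
SAMPLE_ROLE7 = """
+----------+----------+-------+--------+----------------+-----------+--------------+-------------+
| scope    | database | table | column | uri            | privilege | grant_option | create_time |
+----------+----------+-------+--------+----------------+-----------+--------------+-------------+
| database | db6      |       |        |                | all       | false        | -           |
| uri      |          |       |        | hdfs://uri/db6 | all       | false        | -           |
+----------+----------+-------+--------+----------------+-----------+--------------+-------------+
"""

if __name__ == "__main__":
    for finding in audit_role("role7", "db7", "hdfs://uri/db7", SAMPLE_ROLE7):
        print(finding)
```

Running the same audit after each batch of CREATE ROLE / GRANT statements would flag a shifted grant before the role is handed to its group.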