Sentry (Retired) / SENTRY-872 Uber jira for HMS HA + Sentry HA redesign / SENTRY-1825

Dropping a Hive database/table doesn't clean up the permissions associated with it

Details

    • Sub-task
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • 2.0.0
    • 2.0.0
    • None

    Description

      Sasha helped in finding this bug. It looks like dropping a database/table no longer cleans up the privileges associated with it.

      This problem is because of:
      https://github.com/apache/sentry/blob/sentry-ha-redesign/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java#L126-L127

      final HiveConf hiveConf = new HiveConf();
      hiveInstance = hiveConf.get(HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar());
      

      With the latest redesign, we set this property only in Hive's sentry-site.xml and not in Sentry's sentry-site.xml.

      During permission grants, Hive supplies server1 as the server for permission updates. But when we drop a table/database that has permissions attached, the drop goes through HMSFollower, and this code reads the property as NULL because Sentry's sentry-site.xml doesn't have it set. It therefore attempts to remove permissions with a NULL server setting, and this always returns without deleting anything.

      We need to ensure that the corresponding property is set in both (Sentry, Hive) sentry-site.xml files so that both sides refer to the proper privileges.
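
      A pre-deployment check for the fix described above, as an added example that is not part of the original issue or the Sentry code base: it parses the Hive-side and Sentry-side sentry-site.xml and reports when the server name is missing or differs. The key sentry.hive.server is assumed to be what AUTHZ_SERVER_NAME resolves to; the XML snippets, the example.other.setting property and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the key behind HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.
SERVER_NAME_KEY = "sentry.hive.server"

def read_property(site_xml, key):
    """Return the value of `key` from Hadoop-style configuration XML, or None.
    This sketch takes the last definition if the key appears more than once."""
    value = None
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == key:
            value = (prop.findtext("value") or "").strip() or None
    return value

def check_server_name(hive_side_xml, sentry_side_xml, key=SERVER_NAME_KEY):
    """Return a list of problems; an empty list means both sides agree."""
    hive_val = read_property(hive_side_xml, key)
    sentry_val = read_property(sentry_side_xml, key)
    problems = []
    if hive_val is None:
        problems.append(f"{key} is not set in the Hive-side sentry-site.xml")
    if sentry_val is None:
        # The condition from this issue: HMSFollower reads null and the
        # privilege cleanup on drop removes nothing.
        problems.append(f"{key} is not set in the Sentry-side sentry-site.xml")
    if hive_val and sentry_val and hive_val != sentry_val:
        problems.append(f"{key} differs: Hive={hive_val!r} Sentry={sentry_val!r}")
    return problems

def _site(props):
    """Build a constructed sentry-site.xml body from a dict (sample input only)."""
    body = "".join(f"<property><name>{n}</name><value>{v}</value></property>"
                   for n, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed sample inputs, not taken from a real deployment.
HIVE_SIDE = _site({SERVER_NAME_KEY: "server1"})
SENTRY_SIDE_BROKEN = _site({"example.other.setting": "x"})  # server name absent
SENTRY_SIDE_FIXED = _site({SERVER_NAME_KEY: "server1"})

if __name__ == "__main__":
    for label, sentry_xml in (("broken", SENTRY_SIDE_BROKEN), ("fixed", SENTRY_SIDE_FIXED)):
        print(label, check_server_name(HIVE_SIDE, sentry_xml) or "OK")
```
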

            People

              linaataustin Na Li
              vamsee Vamsee K. Yarlagadda