Uploaded image for project: 'Sentry'
  1. Sentry
  2. SENTRY-872 Uber jira for HMS HA + Sentry HA redesign
  3. SENTRY-1825

Dropping a Hive database/table doesn't cleanup the permissions associated with it

    XMLWordPrintableJSON

    Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0.0
    • Fix Version/s: 2.0.0
    • Component/s: None
    • Labels:

      Description

      Sasha helped in finding this bug. Looks like dropping a database/table does no longer clean up the privileges associated with it.

      This problem is because of:
      https://github.com/apache/sentry/blob/sentry-ha-redesign/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/HMSFollower.java#L126-L127

      final HiveConf hiveConf = new HiveConf();
          hiveInstance = hiveConf.get(HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar());
      

      With the latest redesign, we are only setting this property on Hive's (sentry-site.xml) and not on Sentry's (sentry-site.xml).

      So during permission grants, Hive ensures to supply the server1 for permission updates. But when we drop the table/database that has the perms attached, it goes through HMSFollower and this code sets the property as NULL as sentry-site.xml doesn't have this set. So it attempts to remove permissions with NULL server setting and this always returns without deleting anything.

      We need to ensure that the corresponding property is set on both (Sentry, Hive) sentry-site.xml to ensure referring to proper privileges.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                linaataustin Na Li
                Reporter:
                vamsee Vamsee K. Yarlagadda
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: