During functional testing it was found that SentryStore implementation contains logic that enforces sentry rights and depends on cluster-specific context. Specifically grantOptionCheck needs to be able to resolve hadoop user's groups and sentry admin groups configured on the cluster.
There are two problems with this:
- Some backends use SentryStore in a multi-tenant way and does have the context that SentryStore expects when it is used in cluster.
- Security enforcement logic shouldn't be in SentryStore if it is to be trusted. Since the backends Sentry API may be stateless the caller has to pass request context to such implementation backend together with the explicit SentryStore arguments. If the context (e.g. groups) is passed with the request the checks become unenforceable since caller controls variables on both sides of the comparison.
The recommendation is to remove grantOptionCheck and SentryStore and to implement equivalent logic in SentryPolicyStoreProcessor.