Uploaded image for project: 'Sentry (Retired)'
  1. Sentry (Retired)
  2. SENTRY-2415

Suppress "SentryNoSuchObjectException: nonexistent group" exceptions from Sentry

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Patch Available
    • Trivial
    • Resolution: Unresolved
    • 1.5.1
    • 1.5.1
    • Sentry
    • None

    Description

      We integrated Presto with Sentry authorization.

      During the execution when the object does not exists we get SentryNoSuchObjectException, and the meantime the whole stack exception is logged into a log file. It looks like this logging is not needed as exception is raised to the client and client can decide if they like to log it on their own or not.

      Also I noticed that it is a general practice in Sentry project log and just after to re-throw the exception. This mostly pollute the log files and does not bring much value because exception is already thrown and can be caught and handled by client code.

      2018-09-20T16:27:09.719-0400 ERROR Query-20180920_202709_00011_t5wat-671 org.apache.sentry.core.common.transport.RetryClientInvocationHandler failed to execute listRolesByGroupName
java.lang.reflect.InvocationTargetException
 at sun.reflect.GeneratedMethodAccessor548.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.apache.sentry.core.common.transport.RetryClientInvocationHandler.invokeImpl(RetryClientInvocationHandler.java:95)
 at org.apache.sentry.core.common.transport.SentryClientInvocationHandler.invoke(SentryClientInvocationHandler.java:41)
 at com.sun.proxy.$Proxy167.listRolesByGroupName(Unknown Source)
 at com.facebook.presto.hive.security.sentry.NativeSentryEndpoint.lambda$listGroupRoles$2(NativeSentryEndpoint.java:107)
 at com.facebook.presto.hive.security.sentry.NativeSentryEndpoint.lambda$call$18(NativeSentryEndpoint.java:359)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.Subject.doAs(Subject.java:360)
 at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1726)
 at com.facebook.presto.hive.security.SentrySecurityModule$1.call(SentrySecurityModule.java:156)
 at com.facebook.presto.hive.security.sentry.NativeSentryEndpoint.call(NativeSentryEndpoint.java:357)
 at com.facebook.presto.hive.security.sentry.NativeSentryEndpoint.listGroupRoles(NativeSentryEndpoint.java:105)
 at com.facebook.presto.hive.security.sentry.StatsCollectingSentryEndpoint.lambda$listGroupRoles$1(StatsCollectingSentryEndpoint.java:66)
 at com.facebook.presto.hive.security.sentry.InvocationStats.call(InvocationStats.java:34)
 at com.facebook.presto.hive.security.sentry.StatsCollectingSentryEndpoint.listGroupRoles(StatsCollectingSentryEndpoint.java:66)
 at com.google.common.cache.CacheLoader$FunctionToCacheLoader.load(CacheLoader.java:165)
 at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3524)
 at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2273)
 at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2156)
 at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2046)
 at com.google.common.cache.LocalCache.get(LocalCache.java:3943)
 at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3967)
 at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4952)
 at com.google.common.cache.LocalCache$LocalLoadingCache.getUnchecked(LocalCache.java:4958)
 at com.facebook.presto.hive.security.sentry.CachingSentryEndpoint.get(CachingSentryEndpoint.java:131)
 at com.facebook.presto.hive.security.sentry.CachingSentryEndpoint.listGroupRoles(CachingSentryEndpoint.java:97)
 at com.facebook.presto.hive.security.sentry.SentryClient.listGroupRoles(SentryClient.java:148)
 at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:267)
 at java.util.HashMap$KeySpliterator.forEachRemaining(HashMap.java:1553)
 at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
 at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
 at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
 at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
 at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
 at com.facebook.presto.hive.security.sentry.SentryClient.hasAccess(SentryClient.java:97)
 at com.facebook.presto.hive.security.sentry.SentryClient.lambda$hasAccess$0(SentryClient.java:86)
 at java.util.stream.MatchOps$1MatchSink.accept(MatchOps.java:90)
 at java.util.Spliterators$ArraySpliterator.tryAdvance(Spliterators.java:958)
 at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
 at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
 at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
 at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
 at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:230)
 at java.util.stream.MatchOps$MatchOp.evaluateSequential(MatchOps.java:196)
 at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
 at java.util.stream.ReferencePipeline.allMatch(ReferencePipeline.java:454)
 at com.facebook.presto.hive.security.sentry.SentryClient.hasAccess(SentryClient.java:86)
 at com.facebook.presto.hive.security.sentry.SentryAccessControl.checkCanSelectFromColumns(SentryAccessControl.java:166)
 at com.facebook.presto.hive.security.PartitionsAwareAccessControl.checkCanSelectFromColumns(PartitionsAwareAccessControl.java:124)
 at com.facebook.presto.security.AccessControlManager.lambda$checkCanSelectFromColumns$77(AccessControlManager.java:645)
 at com.facebook.presto.security.AccessControlManager.authorizationCheck(AccessControlManager.java:821)
 at com.facebook.presto.security.AccessControlManager.checkCanSelectFromColumns(AccessControlManager.java:645)
 at com.facebook.presto.sql.analyzer.Analyzer.lambda$analyze$0(Analyzer.java:78)
 at java.util.LinkedHashMap.forEach(LinkedHashMap.java:684)
 at com.facebook.presto.sql.analyzer.Analyzer.analyze(Analyzer.java:77)
 at com.facebook.presto.sql.analyzer.Analyzer.analyze(Analyzer.java:65)
 at com.facebook.presto.execution.SqlQueryExecution.<init>(SqlQueryExecution.java:169)
 at com.facebook.presto.execution.SqlQueryExecution$SqlQueryExecutionFactory.createQueryExecution(SqlQueryExecution.java:660)
 at com.facebook.presto.execution.SqlQueryExecution$SqlQueryExecutionFactory.createQueryExecution(SqlQueryExecution.java:582)
 at com.facebook.presto.execution.SqlQueryManager.createQueryInternal(SqlQueryManager.java:439)
 at com.facebook.presto.execution.SqlQueryManager.lambda$createQuery$3(SqlQueryManager.java:372)
 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
 at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.sentry.provider.db.SentryNoSuchObjectException: Role: TListSentryRolesRequest(protocol_version:2, requestorUserName:srcprestobthts, groupName:bdkfkadmt) couldn't be retrieved.. Server Stacktrace: org.apache.sentry.provider.db.SentryNoSuchObjectException: nonexistent group + bdkfkadmt
 at org.apache.sentry.provider.db.service.persistent.SentryStore.noSuchGroup(SentryStore.java:1961)
 at org.apache.sentry.provider.db.service.persistent.SentryStore.access$1400(SentryStore.java:89)
 at org.apache.sentry.provider.db.service.persistent.SentryStore$18.execute(SentryStore.java:1186)
 at org.apache.sentry.provider.db.service.persistent.SentryStore$18.execute(SentryStore.java:1175)
 at org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransaction(TransactionManager.java:111)
 at org.apache.sentry.provider.db.service.persistent.SentryStore.getMSentryRolesByGroupName(SentryStore.java:1174)
 at org.apache.sentry.provider.db.service.persistent.SentryStore.getTSentryRolesByGroupName(SentryStore.java:1210)
 at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.list_sentry_roles_by_group(SentryPolicyStoreProcessor.java:555)
 at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$list_sentry_roles_by_group.getResult(SentryPolicyService.java:1017)
 at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$list_sentry_roles_by_group.getResult(SentryPolicyService.java:1002)
 at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
 at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
 at org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:35)
 at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
 at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
 at java.lang.Thread.run(Thread.java:748)

at org.apache.sentry.service.thrift.Status.throwIfNotOk(Status.java:107)
 at org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClientDefaultImpl.listRolesByGroupName(SentryPolicyServiceClientDefaultImpl.java:161)
 ... 68 more

      Attachments

        1. SENTRY-2415.patch
          3 kB
          Grzegorz Kokosinski

        Activity

          People

            Unassigned Unassigned
            kokosing Grzegorz Kokosinski
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated: