Uploaded image for project: 'Sentry'
  1. Sentry
  2. SENTRY-2497

show grant role results in NPE when URI does not have scheme

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.0
    • Fix Version/s: 2.2.0
    • Component/s: None
    • Labels:
      None

      Description

      Sentry throws a NullPointerException when trying to run "show grant role" on a URI with no scheme associated with it. You can see the stacktrace in the HS2 logs:

      HS2 logs are showing the stacktrace:
      2019-02-08 05:53:58,650 INFO org.apache.hadoop.hive.ql.Driver: [HiveServer2-Background-Pool: Thread-84]: Executing command(queryId=hive_20190208
      055358_a283626f-c906-4bd1-be50-43e2e9a6949b): show grant role uritest
      2019-02-08 05:53:58,651 INFO org.apache.hadoop.hive.ql.Driver: [HiveServer2-Background-Pool: Thread-84]: Starting task [Stage-0:DDL] in serial m
      ode
      2019-02-08 05:53:58,661 ERROR hive.ql.exec.DDLTask: [HiveServer2-Background-Pool: Thread-84]: java.lang.NullPointerException
              at org.apache.sentry.binding.util.SentryAuthorizerUtil.isLocalUri(SentryAuthorizerUtil.java:283)
              at org.apache.sentry.binding.util.SentryAuthorizerUtil.convert2HivePrivilegeObject(SentryAuthorizerUtil.java:267)
              at org.apache.sentry.binding.util.SentryAuthorizerUtil.convert2HivePrivilegeInfo(SentryAuthorizerUtil.java:220)
              at org.apache.sentry.binding.hive.authz.DefaultSentryAccessController.showPrivilegesByPrincipal(DefaultSentryAccessController.java:279)
              at org.apache.sentry.binding.hive.authz.DefaultSentryAccessController.showPrivileges(DefaultSentryAccessController.java:213)
              at org.apache.sentry.binding.hive.authz.SentryHiveAuthorizerImpl.showPrivileges(SentryHiveAuthorizerImpl.java:146)
              at org.apache.hadoop.hive.ql.exec.DDLTask.showGrants(DDLTask.java:746)
              at org.apache.hadoop.hive.ql.exec.DDLTask.execute(DDLTask.java:527)
              at org.apache.hadoop.hive.ql.exec.Task.executeTask(Task.java:199)
              at org.apache.hadoop.hive.ql.exec.TaskRunner.runSequential(TaskRunner.java:97)
              at org.apache.hadoop.hive.ql.Driver.launchTask(Driver.java:2250)
              at org.apache.hadoop.hive.ql.Driver.execute(Driver.java:1893)
              at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:1613)
              at org.apache.hadoop.hive.ql.Driver.run(Driver.java:1332)
      ...
      2019-02-08 05:53:58,663 ERROR org.apache.hadoop.hive.ql.Driver: [HiveServer2-Background-Pool: Thread-84]: FAILED: Execution Error, return code 1
      from org.apache.hadoop.hive.ql.exec.DDLTask. null
      

      This appears to be happening because the show grant role logic is trying to construct a HivePrivilegeObject, which it wasn't doing in 1.8.0, and assumes the URI will have a scheme. See:

        public static boolean isLocalUri(String uriString) throws URISyntaxException {
          URI uri = new URI(uriString);
          if (uri.getScheme().equalsIgnoreCase("file")) {
            return true;
          }
      
          return false;
        }
      

      Because uri.getScheme() can return null, the equalsIgnoreCase() can result in an NPE.

        Attachments

        1. sentry-2497.00001.patch
          1 kB
          Haley Reeve
        2. sentry-2497.0001.patch
          1 kB
          Haley Reeve
        3. sentry-2497.001.patch
          1 kB
          Haley Reeve
        4. sentry-2497.01.patch
          1 kB
          Haley Reeve
        5. sentry-2497.1.patch
          1 kB
          Haley Reeve

          Issue Links

            Activity

              People

              • Assignee:
                hreeve Haley Reeve
                Reporter:
                hreeve Haley Reeve
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: