[SENTRY-2497] show grant role results in NPE when URI does not have scheme - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.0.0
Fix Version/s: 2.2.0
Component/s: None
Labels:
None

Description

Sentry throws a NullPointerException when trying to run "show grant role" on a URI with no scheme associated with it. You can see the stacktrace in the HS2 logs:

HS2 logs are showing the stacktrace:
2019-02-08 05:53:58,650 INFO org.apache.hadoop.hive.ql.Driver: [HiveServer2-Background-Pool: Thread-84]: Executing command(queryId=hive_20190208
055358_a283626f-c906-4bd1-be50-43e2e9a6949b): show grant role uritest
2019-02-08 05:53:58,651 INFO org.apache.hadoop.hive.ql.Driver: [HiveServer2-Background-Pool: Thread-84]: Starting task [Stage-0:DDL] in serial m
ode
2019-02-08 05:53:58,661 ERROR hive.ql.exec.DDLTask: [HiveServer2-Background-Pool: Thread-84]: java.lang.NullPointerException
        at org.apache.sentry.binding.util.SentryAuthorizerUtil.isLocalUri(SentryAuthorizerUtil.java:283)
        at org.apache.sentry.binding.util.SentryAuthorizerUtil.convert2HivePrivilegeObject(SentryAuthorizerUtil.java:267)
        at org.apache.sentry.binding.util.SentryAuthorizerUtil.convert2HivePrivilegeInfo(SentryAuthorizerUtil.java:220)
        at org.apache.sentry.binding.hive.authz.DefaultSentryAccessController.showPrivilegesByPrincipal(DefaultSentryAccessController.java:279)
        at org.apache.sentry.binding.hive.authz.DefaultSentryAccessController.showPrivileges(DefaultSentryAccessController.java:213)
        at org.apache.sentry.binding.hive.authz.SentryHiveAuthorizerImpl.showPrivileges(SentryHiveAuthorizerImpl.java:146)
        at org.apache.hadoop.hive.ql.exec.DDLTask.showGrants(DDLTask.java:746)
        at org.apache.hadoop.hive.ql.exec.DDLTask.execute(DDLTask.java:527)
        at org.apache.hadoop.hive.ql.exec.Task.executeTask(Task.java:199)
        at org.apache.hadoop.hive.ql.exec.TaskRunner.runSequential(TaskRunner.java:97)
        at org.apache.hadoop.hive.ql.Driver.launchTask(Driver.java:2250)
        at org.apache.hadoop.hive.ql.Driver.execute(Driver.java:1893)
        at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:1613)
        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:1332)
...
2019-02-08 05:53:58,663 ERROR org.apache.hadoop.hive.ql.Driver: [HiveServer2-Background-Pool: Thread-84]: FAILED: Execution Error, return code 1
from org.apache.hadoop.hive.ql.exec.DDLTask. null

This appears to be happening because the show grant role logic is trying to construct a HivePrivilegeObject, which it wasn't doing in 1.8.0, and assumes the URI will have a scheme. See:

  public static boolean isLocalUri(String uriString) throws URISyntaxException {
    URI uri = new URI(uriString);
    if (uri.getScheme().equalsIgnoreCase("file")) {
      return true;
    }

    return false;
  }

Because uri.getScheme() can return null, the equalsIgnoreCase() can result in an NPE.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

sentry-2497.1.patch
22/Feb/19 16:11
1 kB
Haley Reeve
sentry-2497.01.patch
22/Feb/19 19:15
1 kB
Haley Reeve
sentry-2497.001.patch
22/Feb/19 20:48
1 kB
Haley Reeve
sentry-2497.0001.patch
25/Feb/19 15:24
1 kB
Haley Reeve
sentry-2497.00001.patch
25/Feb/19 17:58
1 kB
Haley Reeve

Issue Links

links to

Review Board Link

Activity

People

Assignee:: Haley Reeve

Reporter:: Haley Reeve

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 13/Feb/19 19:11

Updated:: 25/Feb/19 21:20

Resolved:: 25/Feb/19 21:20