[SENTRY-498] Sentry integration with Hive authorization framework V2 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: hive_plugin_v2
Fix Version/s: hive_plugin_v2, 1.7.0
Component/s: None
Labels:
- roadmap

Description

Currently Sentry grant/revoke privileges via hook DDLTask, and do authorization via HiveSemanticAnalyzerHook. Now hive has a pluggable authorization framework via exposing some interfaces HiveAccessController and HiveAuthorizationValidator. HiveAccessController is used to grant/revoke roles and privileges. HiveAuthorizationValidator is used to do fine-grained authorization.

Advantages to use this framework to grant/revoke privileges and do authorization:

This framework is very convenient to use by external authorization system.
Using this framework will be better accepted by community.
We don't need to take efforts to add so many hooks.
Some hooks has limitations. e.g. For column level security, we can't get accessed cloumns from query via HiveSemanticAnalyzerHook, so I extend the readEntity to put accessed columns into it(~~HIVE-7730~~). But if we use this framework, we don't need to extend the readEntity, we can just get accessed columns from ColumnAccessInfo directly.

I will not remove the old sentry authorization framework, I will just add a new authorizationV2 via implement Hive authorization framework. If all the e2e tests passed, we can mark the old authorization deprecated.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SENTRY-498.011.patch
17/Nov/15 07:26
156 kB
Dapeng Sun
SENTRY-498.010-hive_plugin_v2.patch
11/Nov/15 05:38
160 kB
Dapeng Sun
SENTRY-498.009-hive_plugin_v2.patch
06/Nov/15 05:30
161 kB
Dapeng Sun
SENTRY-498.008-hive_plugin_v2.patch
30/Oct/15 03:22
161 kB
Dapeng Sun
SENTRY-498.007-hive_plugin_v2.patch
23/Oct/15 08:52
198 kB
Dapeng Sun
SENTRY-498.005-hive_plugin_v2.patch
13/Aug/15 07:52
238 kB
Dapeng Sun
SENTRY-498.004-hive_plugin_v2.patch
11/Aug/15 02:51
231 kB
Dapeng Sun
SENTRY-498.003.patch
11/Mar/15 02:50
216 kB
Xiaomeng Huang

Issue Links

contains

SENTRY-924 filterIndexNames should return the whole indexList

Resolved

depends upon

HIVE-8611 grant/revoke syntax should support additional objects for authorization plugins

Resolved

HIVE-8612 Support metadata result filter hooks

Resolved

is blocked by

SENTRY-541 Seperate udfuri privilege from anyPrivilege model

Resolved

SENTRY-563 The interface listPrivilegesByRoleName may throw thrift exception if Authorizable is empty

Resolved

SENTRY-591 create table should have output privilege in DB scope

Resolved

SENTRY-594 Alter database should check output privilege instead of input

Resolved

links to

(2 is blocked by, 1 links to)

Sub-Tasks

1.	Change Hive version to Apache Hive 0.15 for authorization V2	Resolved	Prasad Suresh Mujumdar
2.	Add new module for hive plugin v2	Resolved	Dapeng Sun
3.	Sentry Hive authorizer interfaces for authorization V2	Resolved	Dapeng Sun
4.	Add SentryHivePrivilegeObject to enhance hive authorization for Server and URI type	Resolved	shenguoquan
5.	Merge Hive_plugin_v2 with master (2015/11/02)	Resolved	Dapeng Sun
6.	Default implementation of SentryAccessController to do grant/revoke role/privlege	Resolved	Dapeng Sun
7.	Implement taskFactory V2 to handle special privilege for Sentry	Resolved	Dapeng Sun
8.	Default implementation of SentryAuthorizationValidator to do authorization	Resolved	Dapeng Sun
9.	Extend SentryPolicyServiceClient to implement grant wrapped privilege info for V2	Resolved	Dapeng Sun
10.	Add unit tests for DefaultSentryAuthorizationValidator	Resolved	Dapeng Sun
11.	Support column level security for V2	Resolved	Dapeng Sun
12.	Execute on failure hooks for V2	Resolved	Dapeng Sun
13.	Workaround some operations for Authorization V2	Resolved	Dapeng Sun

Activity

People

Assignee:: Dapeng Sun

Reporter:: Xiaomeng Huang

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 21/Oct/14 07:34

Updated:: 15/Apr/16 21:37

Resolved:: 26/Nov/15 03:30