Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
None
-
None
Description
Currently SentryAuthorizationProvider rejects setter calls to Sentry-managed paths, and issue an error message when enabled.
There are two issues:
1. When creating a file or dir, the parent dir's group will be set to the newly created file/dir, this is supposed to be logged to fsimage in-memory representation, but because the rejection of Sentry, it's not.
2. (as an example) When user issue a setOwner call via the following RPC:
@Override // ClientProtocol public void setOwner(String src, String username, String groupname) throws IOException { checkNNStartup(); namesystem.setOwner(src, username, groupname); }
Two calls are executed in the deep stack:
a. dir.setOwner(src, username, group); b. getEditLog().logSetOwner(src, username, group);
The first call is the one gets rejected by Sentry, however, the second one still updates the entry to Edit log. This would indicate an inconsistency between in-memory representation of the attribute and what's recorded on edit log.
Creating this jira to make SentryAuthorizationProvider always fallthrough to write to HDFS, and issue a warning msg when it "rejects" (for Sentry-managed paths).
Attachments
Attachments
Issue Links
- relates to
-
SENTRY-954 HDFS ACLs are not correctly managed for paths under prefix but not hive objects.
- Resolved