  1. RecordService (READ-ONLY)
  2. RS-124

Add validation for serverName when sentry authorization is enabled

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.2.0
    • Fix Version/s: 0.3.0
    • Component/s: Server
    • Labels:
      None

      Description

      Right now, if we enable Sentry authorization but do not set the serverName (hive.sentry.server), RecordService cannot get the privileges for users, and the query will fail.

      Here is a sample error:

      I0303 10:21:35.093722 20664 jni-util.cc:177] com.cloudera.impala.catalog.AuthorizationException: User 'impala/instance@REALM' does not have privileges to execute 'SELECT' on: default.sample_07
      	at com.cloudera.impala.analysis.AnalysisContext.authorizeTableAccess(AnalysisContext.java:488)
      	at com.cloudera.impala.analysis.AnalysisContext.authorize(AnalysisContext.java:413)
      	at com.cloudera.impala.service.Frontend.analyzeStmt(Frontend.java:831)
      	at com.cloudera.impala.service.Frontend.createExecRequest(Frontend.java:910)
      	at com.cloudera.impala.service.Frontend.createRecordServiceExecRequest(Frontend.java:856)
      	at com.cloudera.impala.service.JniFrontend.createRecordServiceExecRequest(JniFrontend.java:253)
      I0303 10:21:35.186741 20664 status.cc:112] AuthorizationException: User 'impala/instance@REALM' does not have privileges to execute 'SELECT' on: default.sample_07
          @           0x82a3d9  impala::Status::Status()
          @           0xb8dc30  impala::JniUtil::GetJniExceptionMsg()
          @           0xa7ed83  impala::JniUtil::CallJniMethod<>()
          @           0xa75cc0  impala::Frontend::GetRecordServiceExecRequest()
          @           0xaed4a3  impala::ImpalaServer::PlanRecordServiceRequest()
          @           0xaf27a3  impala::ImpalaServer::PlanRequest()
          @           0xe0bf02  recordservice::RecordServicePlannerProcessor::process_PlanRequest()
          @           0xe08604  recordservice::RecordServicePlannerProcessor::dispatchCall()
          @           0xaa403c  apache::thrift::TDispatchProcessor::process()
          @          0x179bffb  apache::thrift::server::TThreadPoolServer::Task::run()
          @          0x1783e19  apache::thrift::concurrency::ThreadManager::Worker::run()
          @           0x9fe5e9  impala::ThriftThread::RunRunnable()
          @           0x9ff0f2  boost::detail::function::void_function_obj_invoker0<>::invoke()
          @           0xbe8f1f  impala::Thread::SuperviseThread()
          @           0xbe9e64  boost::detail::thread_data<>::run()
          @           0xe59a5a  thread_proxy
          @     0x7f2a22e7faa1  start_thread
          @     0x7f2a220e393d  clone
      I0303 10:21:35.186770 20664 impala-recordservice-server.cc:104] RecordService request failed. code=0 msg=Could not plan request. detail=AuthorizationException: User 'impala/instance@REALM' does not have privileges to execute 'SELECT' on: default.sample_07
      

      We should add validation for hive.sentry.server, and RecordService should throw an exception earlier, at startup.
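
      One way to implement the startup check proposed above, as an added example (not RecordService's own code): it reads a Hadoop-style site XML and refuses to start when authorization is on but hive.sentry.server is missing or blank. The `authorization_enabled` argument, the function names and the sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SERVER_NAME_KEY = "hive.sentry.server"  # property named in this issue


class ConfigValidationError(Exception):
    """Raised at startup so a misconfigured process never serves requests."""


def load_site_properties(xml_text):
    """Parse Hadoop-style <configuration><property> XML into a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "configuration":
        raise ConfigValidationError(f"unexpected root element <{root.tag}>")
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            # In this sketch the last definition of a name wins.
            props[name] = (prop.findtext("value") or "").strip()
    return props


def validate_server_name(props, authorization_enabled):
    """Return the server name, or None when authorization is off."""
    # authorization_enabled is a hypothetical switch supplied by the caller;
    # the issue does not say which setting turns Sentry authorization on.
    if not authorization_enabled:
        return None
    server_name = props.get(SERVER_NAME_KEY, "")
    if not server_name:
        raise ConfigValidationError(
            f"Sentry authorization is enabled but {SERVER_NAME_KEY} is unset "
            "or empty; user privileges cannot be resolved. Refusing to start."
        )
    return server_name


# Constructed sample inputs (not taken from a real deployment).
MISSING = "<configuration><property><name>other.key</name><value>x</value></property></configuration>"
BLANK = "<configuration><property><name>hive.sentry.server</name><value>  </value></property></configuration>"
GOOD = "<configuration><property><name>hive.sentry.server</name><value>server1</value></property></configuration>"

if __name__ == "__main__":
    for label, xml_text in (("missing", MISSING), ("blank", BLANK), ("good", GOOD)):
        try:
            print(label, "->", validate_server_name(load_site_properties(xml_text), True))
        except ConfigValidationError as err:
            print(label, "-> startup aborted:", err)
```

      Failing here turns the misleading per-query AuthorizationException shown in the log into a single configuration error at startup.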

            People

            • Assignee:
              lilicn Li Li
              Reporter:
              lilicn Li Li