sentry-commits mailing list archives

From "Arun Suresh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SENTRY-214) Sentry Service does not allow the same Privilege to be associated to multiple Roles
Date Mon, 19 May 2014 02:18:38 GMT

    [ https://issues.apache.org/jira/browse/SENTRY-214?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14001341#comment-14001341 ]

Arun Suresh commented on SENTRY-214:
------------------------------------

On further investigation, I found that the SentryService was actually throwing the following
error:

{quote}
2014-05-18 19:15:37,324 (pool-6-thread-1) [WARN - org.datanucleus.util.Log4JLogger.warn(Log4JLogger.java:96)]
Execution of method "add" on field "privileges" caused an error : Insert of object "org.apache.sentry.provider.db.service.model.MSentryPrivilege@3f755bd2"
using statement "INSERT INTO SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID,"ACTION",CREATE_TIME,PRIVILEGE_SCOPE,"TABLE_NAME",PRIVILEGE_NAME,URI,GRANTOR_PRINCIPAL,DB_NAME,"SERVER_NAME")
VALUES (?,?,?,?,?,?,?,?,?,?)" failed : The statement was aborted because it would have caused
a duplicate key value in a unique or primary key constraint or unique index identified by
'SENTRY_PRIVILEGE_NAME' defined on 'SENTRY_DB_PRIVILEGE'.
Insert of object "org.apache.sentry.provider.db.service.model.MSentryPrivilege@3f755bd2" using
statement "INSERT INTO SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID,"ACTION",CREATE_TIME,PRIVILEGE_SCOPE,"TABLE_NAME",PRIVILEGE_NAME,URI,GRANTOR_PRINCIPAL,DB_NAME,"SERVER_NAME")
VALUES (?,?,?,?,?,?,?,?,?,?)" failed : The statement was aborted because it would have caused
a duplicate key value in a unique or primary key constraint or unique index identified by
'SENTRY_PRIVILEGE_NAME' defined on 'SENTRY_DB_PRIVILEGE'.
org.datanucleus.exceptions.NucleusDataStoreException: Insert of object "org.apache.sentry.provider.db.service.model.MSentryPrivilege@3f755bd2"
using statement "INSERT INTO SENTRY_DB_PRIVILEGE (DB_PRIVILEGE_ID,"ACTION",CREATE_TIME,PRIVILEGE_SCOPE,"TABLE_NAME",PRIVILEGE_NAME,URI,GRANTOR_PRINCIPAL,DB_NAME,"SERVER_NAME")
VALUES (?,?,?,?,?,?,?,?,?,?)" failed : The statement was aborted because it would have caused
a duplicate key value in a unique or primary key constraint or unique index identified by
'SENTRY_PRIVILEGE_NAME' defined on 'SENTRY_DB_PRIVILEGE'.
	at org.datanucleus.store.rdbms.request.InsertRequest.execute(InsertRequest.java:504)
	at org.datanucleus.store.rdbms.RDBMSPersistenceHandler.insertTable(RDBMSPersistenceHandler.java:167)
	at org.datanucleus.store.rdbms.RDBMSPersistenceHandler.insertObject(RDBMSPersistenceHandler.java:143)
	at org.datanucleus.state.JDOStateManager.internalMakePersistent(JDOStateManager.java:3777)
	at org.datanucleus.state.JDOStateManager.makePersistent(JDOStateManager.java:3753)
	at org.datanucleus.ExecutionContextImpl.persistObjectInternal(ExecutionContextImpl.java:2124)
	at org.datanucleus.ExecutionContextImpl.persistObjectInternal(ExecutionContextImpl.java:2218)
	at org.datanucleus.store.types.SCOUtils.validateObjectForWriting(SCOUtils.java:1524)
...
{quote}

Looks like the issue is due to the fact that a check should be made to see if the privilege
already exists, then load it from the db, and then modify it by appending the role.

Attaching the fix.

> Sentry Service does not allow the same Privilege to be associated to multiple Roles
> -----------------------------------------------------------------------------------
>
>                 Key: SENTRY-214
>                 URL: https://issues.apache.org/jira/browse/SENTRY-214
>             Project: Sentry
>          Issue Type: Bug
>    Affects Versions: db_policy_store, 1.4.0
>            Reporter: Arun Suresh
>         Attachments: SENTRY-214.1.patch, SENTRY-214.2.patch
>
>
> Steps to recreate :
> 1) Create role1
> 2) Create role2
> 3) Grant 'role1' a Privilege(ALL) to a Table t1, Db d1, server S1
> 4) the 'listPrivilegesByRoleName' API applied to 'role1' returns a set of size 1
> 5) Grant 'role2' the same Privilege as role 1..  a Privilege(ALL) to a Table t1, Db d1, server S1
> 6) the 'listPrivilegesByRoleName' API applied to 'role2' returns a set of size 0



--
This message was sent by Atlassian JIRA
(v6.2#6252)
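
The failure and the check-then-load approach described in the comment above, as an added example that is not Sentry's code or the attached patch. It uses SQLite in place of the JDO/DataNucleus store; the schema is a constructed simplification that keeps only the unique PRIVILEGE_NAME from the logged constraint, and ROLE_PRIVILEGE_MAP, PRIV and the function names are hypothetical.

```python
import sqlite3

# Constructed, simplified schema (not Sentry's real DDL): PRIVILEGE_NAME is unique,
# as in the logged constraint; ROLE_PRIVILEGE_MAP is a hypothetical join table.
SCHEMA = """
CREATE TABLE SENTRY_ROLE (ROLE_ID INTEGER PRIMARY KEY, ROLE_NAME TEXT UNIQUE);
CREATE TABLE SENTRY_DB_PRIVILEGE (
    DB_PRIVILEGE_ID INTEGER PRIMARY KEY, PRIVILEGE_NAME TEXT UNIQUE);
CREATE TABLE ROLE_PRIVILEGE_MAP (
    ROLE_ID INTEGER, DB_PRIVILEGE_ID INTEGER, PRIMARY KEY (ROLE_ID, DB_PRIVILEGE_ID));
"""
PRIV = "S1/d1/t1/ALL"  # constructed name for Privilege(ALL) on table t1, db d1, server S1

def open_store(roles):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO SENTRY_ROLE (ROLE_NAME) VALUES (?)", [(r,) for r in roles])
    db.commit()  # keep role rows out of any later rollback
    return db

def _role_id(db, role):
    return db.execute("SELECT ROLE_ID FROM SENTRY_ROLE WHERE ROLE_NAME = ?", (role,)).fetchone()[0]

def grant_naive(db, role, priv):
    """Always insert a new privilege row (the behaviour reported in the issue)."""
    try:
        with db:  # one transaction, rolled back on error
            pid = db.execute("INSERT INTO SENTRY_DB_PRIVILEGE (PRIVILEGE_NAME) VALUES (?)", (priv,)).lastrowid
            db.execute("INSERT INTO ROLE_PRIVILEGE_MAP VALUES (?, ?)", (_role_id(db, role), pid))
        return True
    except sqlite3.IntegrityError:
        return False  # duplicate PRIVILEGE_NAME: the second role's grant is lost

def grant_checked(db, role, priv):
    """Check for an existing privilege, load it, then link the role to it."""
    with db:
        row = db.execute("SELECT DB_PRIVILEGE_ID FROM SENTRY_DB_PRIVILEGE WHERE PRIVILEGE_NAME = ?", (priv,)).fetchone()
        pid = row[0] if row else db.execute(
            "INSERT INTO SENTRY_DB_PRIVILEGE (PRIVILEGE_NAME) VALUES (?)", (priv,)).lastrowid
        db.execute("INSERT OR IGNORE INTO ROLE_PRIVILEGE_MAP VALUES (?, ?)", (_role_id(db, role), pid))
    return True

def list_privileges_by_role(db, role):
    rows = db.execute("SELECT p.PRIVILEGE_NAME FROM SENTRY_DB_PRIVILEGE p "
                      "JOIN ROLE_PRIVILEGE_MAP m ON m.DB_PRIVILEGE_ID = p.DB_PRIVILEGE_ID "
                      "JOIN SENTRY_ROLE r ON r.ROLE_ID = m.ROLE_ID WHERE r.ROLE_NAME = ?", (role,))
    return {name for (name,) in rows}
```

Running the six reproduction steps through `grant_naive` leaves role2 with an empty set, while `grant_checked` stores one privilege row linked to both roles.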
