sentry-commits mailing list archives

From "Mike Yoder (JIRA)" <>
Subject [jira] [Commented] (SENTRY-415) Add API to Sentry Service that allows clients to read the service's config values
Date Fri, 24 Oct 2014 18:20:34 GMT


Mike Yoder commented on SENTRY-415:

Looking at the Hive Metastore's getConfigVal(), it has restrictions on the config vals that
can be obtained:

        // Allow only keys that start with hive.*, hdfs.*, mapred.* for security
        // i.e. don't allow access to db password
        if (!Pattern.matches("(hive|hdfs|mapred).*", name)) {
          throw new ConfigValSecurityException("For security reasons, the "
              + "config key " + name + " cannot be accessed");
        }

I'm sure we want to do the same for Sentry. Is the pattern as simple as to allow only "^sentry\..*"? Is there anything else we should allow? Should we explicitly disallow sending the location of the keytab file?

For your reference, in the test code, I dumped out the config and see
$ cat /tmp/sentry.config.txt | python -m json.tool | grep \""key\""
            "key": "", 
            "key": "", 
            "key": "sentry.service.server.keytab", 
            "key": "sentry.service.server.rpc-address", 
            "key": "sentry.service.allow.connect", 
            "key": "sentry.service.server.principal", 
            "key": "sentry.service.server.rpc-port", 
            "key": "", 
            "key": "sentry.service.client.server.rpc-address", 
            "key": "", 
            "key": "sentry.service.client.server.rpc-port", 
            "key": "sentry.verify.schema.version", 
            "key": "", 

Your thoughts, [~prasadm], [~sravya], [~lskuff], [~asuresh] ?


> Add API to Sentry Service that allows clients to read the service's config values
> ---------------------------------------------------------------------------------
>                 Key: SENTRY-415
>                 URL:
>             Project: Sentry
>          Issue Type: Task
>    Affects Versions: 1.4.0
>            Reporter: Lenni Kuff
>            Assignee: Mike Yoder
> It would be useful to add an API to Sentry Service that allows Sentry Service clients to read the service's configuration values. The Hive Metastore has a similar API:
> "String getConfigValue(String propertyName, String defaultValue)"
> One specific use case for Sentry is to make it possible for clients that cache policy metadata (e.g. Impala) to read the admin group(s) so they can also cache this information and authorize GRANT/REVOKE requests without making an RPC to the Sentry service. The client could periodically refresh the configuration information to ensure it is up to date.

This message was sent by Atlassian JIRA
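
One way to express the filter asked about in the comment above, as an added example (not code from Sentry, Hive or the message author): an allow-list for the `sentry.` namespace combined with an explicit deny entry for the keytab key. The class and method names, the use of `SecurityException` and the sample configuration values are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

public class ConfigKeyFilterExample {
  // Allow only the sentry.* namespace. The dot is escaped: an unescaped
  // "sentry.*" would accept any key that merely begins with "sentry".
  private static final Pattern ALLOWED = Pattern.compile("sentry\\..*");

  // Keys refused even inside the allowed namespace (assumption: the
  // keytab location is treated as sensitive and never sent to clients).
  private static final Set<String> DENIED =
      new HashSet<>(Arrays.asList("sentry.service.server.keytab"));

  static boolean isReadable(String name) {
    // matches() anchors the pattern at both ends of the key.
    return name != null && ALLOWED.matcher(name).matches() && !DENIED.contains(name);
  }

  // Returns the value or the default; throws if clients may not read the key.
  static String getConfigValue(Map<String, String> conf, String name, String defaultValue) {
    if (!isReadable(name)) {
      throw new SecurityException(
          "For security reasons, the config key " + name + " cannot be accessed");
    }
    String value = conf.get(name);
    return value != null ? value : defaultValue;
  }

  public static void main(String[] args) {
    // Constructed sample configuration; all values are placeholders.
    Map<String, String> conf = new LinkedHashMap<>();
    conf.put("sentry.service.server.rpc-port", "12345");
    conf.put("sentry.service.server.keytab", "/path/to/placeholder.keytab");
    conf.put("example.db.password", "placeholder");
    String[] probes = {"sentry.service.server.rpc-port", "sentry.verify.schema.version",
        "sentry.service.server.keytab", "example.db.password", "sentryx.secret", null};
    for (String key : probes) {
      try {
        System.out.println(key + " -> " + getConfigValue(conf, key, "<unset>"));
      } catch (SecurityException e) {
        System.out.println(key + " -> DENIED");
      }
    }
  }
}
```

A namespace allow-list alone still returns every value stored under `sentry.`, so any sensitive key in that namespace needs its own deny entry or a narrower allow-list of named keys.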