sentry-commits mailing list archives

From "Anne Yu (JIRA)" <>
Subject [jira] [Created] (SENTRY-985) sentry config-tool fails to import Solr sentry-provider.ini
Date Fri, 11 Dec 2015 05:28:11 GMT
Anne Yu created SENTRY-985:

             Summary: sentry config-tool fails to import Solr sentry-provider.ini
                 Key: SENTRY-985
             Project: Sentry
          Issue Type: Bug
          Components: Sentry
    Affects Versions: 1.6.0
            Reporter: Anne Yu

The Hadoop Security book introduces the tool as a good way to check policy files for errors
and to verify privileges for a given user.  You can also use it to import policies from policy
files to the Sentry Service.  In the quote below it implies that you should use it for Solr
policy files to avoid syntax errors.

From O'Reilly Hadoop Security book:

"It is important to point out that while SQL policy files allow for separate policy files
per database, Solr does not.  This means that Solr policy administrators need to be extra
careful when modifying the policies because, as with the SQL policy files, a syntax error
invalidates the entire policy file, thus inadvertently denying access to everyone.  A nice
feature to help combat typos and mistakes is to validate the policy file using the config-tool,
which leads us into the next section."

However, as I've dug into it I see that config-tool does not support an AuthorizableType of
"collection", which is the "authorizable" used in Solr Sentry policy files.

[nwhite@host-10-17-80-38 ~]$ sentry --command config-tool -l -u nwhite -i file:///home/nwhite/sentry-provider.ini -s file:///etc/sentry/conf/sentry-site.xml -d
Sentry package jar: file:/opt/cloudera/parcels/CDH-5.4.8-1.cdh5.4.8.p0.4/jars/sentry-binding-hive-1.4.0-cdh5.4.8.jar
Hive config: file:/etc/hive/conf.cloudera.hive/hive-site.xml
15/12/10 06:58:54 INFO conf.HiveAuthzConf: DefaultFS: hdfs://
15/12/10 06:58:54 INFO conf.HiveAuthzConf: DefaultFS: hdfs://
Sentry config: file:/etc/sentry/conf/sentry-site.xml
Sentry Policy: file:///home/nwhite/sentry-provider.ini
Sentry server: HS2
15/12/10 06:58:55 INFO file.SimpleFileProviderBackend: Parsing file:/home/nwhite/sentry-provider.ini
15/12/10 06:58:55 INFO file.SimpleFileProviderBackend: Filesystem: file:///
15/12/10 06:58:55 INFO file.PolicyFiles: Opening file:/home/nwhite/sentry-provider.ini
15/12/10 06:58:55 ERROR file.SimpleFileProviderBackend: Error processing file, ignoring file:/home/nwhite/sentry-provider.ini
org.apache.shiro.config.ConfigurationException: No authorizable found for collection=employees
	at org.apache.sentry.policy.db.AbstractDBPrivilegeValidator.parsePrivilege(
	at org.apache.sentry.policy.db.ServersAllIsInvalid.validate(

From org.apache.sentry.core.model.db.DBModelAuthorizable:

public enum AuthorizableType {
    Server,
    Db,
    Table,
    View,
    URI
};

This message was sent by Atlassian JIRA
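
The mismatch described in this report, as an added example that is not part of the original message and is not Sentry's code: a small Python linter that checks each privilege's authorizable keys against the model for the component the policy file is written for. The model table, function names and sample policy are assumptions constructed for illustration.

```python
# Added example: lint a Sentry-style policy file against a per-component model.

# "db" keys mirror the AuthorizableType enum quoted in the report. The "solr"
# entry is an assumption drawn from the report's statement that Solr policy
# files use the "collection" authorizable.
MODELS = {
    "db": {"server", "db", "table", "view", "uri"},
    "solr": {"collection"},
}

# Constructed sample policy, not the reporter's file.
SAMPLE_POLICY = """
[groups]
hr = hr_role
analysts = analyst_role
[roles]
hr_role = collection=employees->action=query
analyst_role = server=server1->db=default->table=t1->action=select
"""

def parse_roles(text):
    """Return {role: [privilege, ...]} from the [roles] section."""
    roles, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "roles" and "=" in line:
            name, value = line.split("=", 1)
            roles[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return roles

def lint_policy(text, component):
    """Return (role, privilege, problem) tuples; an empty list means clean."""
    allowed, problems = MODELS[component], []
    for role, privileges in parse_roles(text).items():
        for priv in privileges:
            for part in priv.split("->"):
                key, sep, value = part.partition("=")
                if not sep or not value.strip():
                    problems.append((role, priv, f"malformed segment {part!r}"))
                elif key.strip().lower() not in allowed | {"action"}:
                    problems.append((role, priv, f"No authorizable found for {part.strip()}"))
    return problems
```

Linting the sample with the "db" model rejects the Solr role with the same message seen in the log above, while the "solr" model accepts it and rejects the Hive-style role instead.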