sentry-commits mailing list archives

From "Anne Yu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SENTRY-985) sentry config-tool fails to import Solr sentry-provider.ini
Date Fri, 11 Dec 2015 05:30:11 GMT

    [ https://issues.apache.org/jira/browse/SENTRY-985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15052201#comment-15052201 ]

Anne Yu commented on SENTRY-985:
--------------------------------

FYI [~dapengsun] and [~haohao]: when we consider client integration and generic policy support,
we can consider Solr.

> sentry config-tool fails to import Solr sentry-provider.ini
> -----------------------------------------------------------
>
>                 Key: SENTRY-985
>                 URL: https://issues.apache.org/jira/browse/SENTRY-985
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 1.6.0
>            Reporter: Anne Yu
>
> The Hadoop Security book introduces the tool as a good way to check policy files for
> errors and to verify privileges for a given user.  You can also use it to import policies
> from policy files to the Sentry Service.  In the quote below it implies that you should use
> it for Solr policy files to avoid syntax errors.
> From O'Reilly Hadoop Security book:
> "It is important to point out that while SQL policy files allow for separate policy files
> per database, Solr does not.  This means that Solr policy administrators need to be extra
> careful when modifying the policies because, as with the SQL policy files, a syntax error
> invalidates the entire policy file, thus inadvertently denying access to everyone.  A nice
> feature to help combat typos and mistakes is to validate the policy file using the config-tool,
> which leads us into the next section."
> However, as I've dug into it I see that config-tool does not support the AuthorizableType
> of "collection", which is the "authorizable" used in Solr Sentry policy files.
> [nwhite@host-10-17-80-38 ~]$ sentry --command config-tool -l -u nwhite -i file:///home/nwhite/sentry-provider.ini -s file:///etc/sentry/conf/sentry-site.xml -d
> Configuration:
> Sentry package jar: file:/opt/cloudera/parcels/CDH-5.4.8-1.cdh5.4.8.p0.4/jars/sentry-binding-hive-1.4.0-cdh5.4.8.jar
> Hive config: file:/etc/hive/conf.cloudera.hive/hive-site.xml
> 15/12/10 06:58:54 INFO conf.HiveAuthzConf: DefaultFS: hdfs://host-10-17-80-38.coe.cloudera.com:8020
> 15/12/10 06:58:54 INFO conf.HiveAuthzConf: DefaultFS: hdfs://host-10-17-80-38.coe.cloudera.com:8020
> Sentry config: file:/etc/sentry/conf/sentry-site.xml
> Sentry Policy: file:///home/nwhite/sentry-provider.ini
> Sentry server: HS2
> 15/12/10 06:58:55 INFO file.SimpleFileProviderBackend: Parsing file:/home/nwhite/sentry-provider.ini
> 15/12/10 06:58:55 INFO file.SimpleFileProviderBackend: Filesystem: file:///
> 15/12/10 06:58:55 INFO file.PolicyFiles: Opening file:/home/nwhite/sentry-provider.ini
> 15/12/10 06:58:55 ERROR file.SimpleFileProviderBackend: Error processing file, ignoring file:/home/nwhite/sentry-provider.ini
> org.apache.shiro.config.ConfigurationException: No authorizable found for collection=employees
> 	at org.apache.sentry.policy.db.AbstractDBPrivilegeValidator.parsePrivilege(AbstractDBPrivilegeValidator.java:42)
> 	at org.apache.sentry.policy.db.ServersAllIsInvalid.validate(ServersAllIsInvalid.java:29)
> From org.apache.sentry.core.model.db.DBModelAuthorizable:
> public enum AuthorizableType {
>     Server,
>     Db,
>     Table,
>     View,
>     URI
> };



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
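
An added example, not part of the original message and not Sentry's own code: a minimal model-aware check of the policy-file format, showing why the `collection=employees` privilege is rejected when validated against the DB authorizable set quoted in the report and accepted once `collection` is part of the model. The `MODELS` table, the function name, the sample policy and the treatment of `action=` as a non-authorizable part are assumptions made for illustration.

```python
import configparser

# Authorizable keys per model. "db" mirrors the AuthorizableType enum quoted in
# the report; "solr" holds only the "collection" key the report names.
MODELS = {
    "db": {"server", "db", "table", "view", "uri"},
    "solr": {"collection"},
}

# Constructed sample policy file (not taken from the report).
SAMPLE_POLICY = """\
[groups]
hr_group = analyst_role

[roles]
analyst_role = collection=employees->action=query
"""


def validate_policy(text, model):
    """Return error strings for privilege parts whose authorizable key is not
    in the chosen model. An empty list means every privilege was accepted."""
    allowed = MODELS[model]
    # Split each line on the first "=" only, so privilege values keep their "=".
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep role names case-sensitive
    parser.read_string(text)
    errors = []
    roles = parser["roles"] if parser.has_section("roles") else {}
    for role, value in roles.items():
        for privilege in value.split(","):          # one role, many privileges
            for part in privilege.strip().split("->"):
                part = part.strip()
                key, sep, name = part.partition("=")
                if key.lower() == "action":          # assumption: not an authorizable
                    continue
                if not sep or not name or key.lower() not in allowed:
                    errors.append(f"{role}: No authorizable found for {part}")
    return errors


if __name__ == "__main__":
    for model in ("db", "solr"):
        print(model, validate_policy(SAMPLE_POLICY, model) or "OK")
```
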
