
Cannot grant privileges to a role in sentry from cdap

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.1.0, 4.0.0, 3.6.0, 3.5.0
    • Fix Version/s: 4.1.1
    • Component/s: Security
    • Labels:
    • Release Notes:
      Fixed an issue where the CDAP Sentry Extension failed to grant privileges to a role.

      Description

      Create a namespace as some user and then do a grant on the created entity to a role. This fails with the following:

      Error: 500: ali has no grant!. Server Stacktrace: org.apache.sentry.provider.db.SentryGrantDeniedException: ali has no grant!
      	at org.apache.sentry.provider.db.generic.service.persistent.DelegateSentryStore.grantOptionCheck(DelegateSentryStore.java:305)
      	at org.apache.sentry.provider.db.generic.service.persistent.DelegateSentryStore.alterRoleGrantPrivilege(DelegateSentryStore.java:176)
      	at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor$5.handle(SentryGenericPolicyProcessor.java:451)
      	at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.requestHandle(SentryGenericPolicyProcessor.java:201)
      	at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.alter_sentry_role_grant_privilege(SentryGenericPolicyProcessor.java:447)
      	at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryGenericPolicyService.java:877)
      	at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryGenericPolicyService.java:862)
      	at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
      	at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
      	at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessorWrapper.process(SentryGenericPolicyProcessorWrapper.java:37)
      	at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
      	at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:745)
      

      This is because when Sentry gets a grant request it checks whether the requesting user has the privilege to pass on the grant or not.

      Granting to a user works because when CDAP does a grant to a user it sets the requesting user as cdap, which is in the Sentry admin group, and Sentry does not check whether the requesting user can pass on the privilege or not.

      Here is the Sentry code snippet which does this:

          //admin group check
          if (!Sets.intersection(adminGroups, toTrimedLower(groups)).isEmpty()) {
            return;
          }
          //privilege grant option check
          Set<MSentryRole> mRoles = delegate.getRolesForGroups(pm, groups);
          if (!privilegeOperator.checkPrivilegeOption(mRoles, requestPrivilege, pm)) {
            throw new SentryGrantDeniedException(grantorPrincipal
                + " has no grant!");
          }
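      The two branches of that check, modeled as an added Python example (this is not Sentry's or CDAP's code): an in-memory stand-in for the store answers "is the grantor in an admin group?" and, failing that, "does one of the grantor's roles hold the requested privilege WITH GRANT OPTION?". The class and function names, the simplified privilege model (a privilege on a parent authorizable such as the instance covers its children), and the sample users, groups and roles are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Privilege:
    component: str        # e.g. "cdap"
    service: str          # e.g. "cdap"
    authorizables: tuple  # ((type, name), ...) root to leaf, e.g. (("instance", "cdap"), ("namespace", "ns1"))
    action: str           # e.g. "admin", "read", or "ALL"
    grant_option: bool = False  # True when the holder may pass the privilege on (WITH GRANT OPTION)


class SentryGrantDeniedException(Exception):
    pass


def trimmed_lower(groups):
    # mirrors Sentry's toTrimedLower(): group names are compared trimmed and lower-cased
    return {g.strip().lower() for g in groups}


class SentryStoreModel:
    """Assumed in-memory stand-in for the parts of DelegateSentryStore that grantOptionCheck uses."""

    def __init__(self, admin_groups):
        self.admin_groups = trimmed_lower(admin_groups)
        self.user_groups = {}      # user -> set of groups
        self.group_roles = {}      # group -> set of roles
        self.role_privileges = {}  # role -> set of Privilege

    def add_user(self, user, *groups):
        self.user_groups.setdefault(user, set()).update(groups)

    def add_role_to_group(self, role, group):
        self.group_roles.setdefault(group, set()).add(role)

    def roles_for_groups(self, groups):
        roles = set()
        for group in groups:
            roles |= self.group_roles.get(group, set())
        return roles

    @staticmethod
    def implies(held, requested):
        """held covers requested when it is at least as broad and was granted WITH GRANT OPTION."""
        if not held.grant_option:
            return False
        if (held.component, held.service) != (requested.component, requested.service):
            return False
        # a privilege on a parent authorizable (e.g. the whole instance) covers its children
        if requested.authorizables[:len(held.authorizables)] != held.authorizables:
            return False
        return held.action.upper() == "ALL" or held.action == requested.action

    def grant_option_check(self, grantor_principal, requested):
        groups = self.user_groups.get(grantor_principal, set())
        # admin group check: members of a Sentry admin group are never asked for a grant option
        if self.admin_groups & trimmed_lower(groups):
            return
        # privilege grant option check: one of the grantor's roles must hold the requested
        # privilege (or a broader one) WITH GRANT OPTION
        for role in self.roles_for_groups(groups):
            if any(self.implies(held, requested) for held in self.role_privileges.get(role, set())):
                return
        raise SentryGrantDeniedException(f"{grantor_principal} has no grant!")

    def alter_role_grant_privilege(self, grantor_principal, role, privilege):
        self.grant_option_check(grantor_principal, privilege)
        self.role_privileges.setdefault(role, set()).add(privilege)


def try_grant(store, grantor, role, privilege):
    """Return None when the grant succeeds, otherwise the denial message."""
    try:
        store.alter_role_grant_privilege(grantor, role, privilege)
        return None
    except SentryGrantDeniedException as e:
        return str(e)


def demo():
    # constructed sample deployment: "cdap" is the only Sentry admin group, ali is an analyst
    store = SentryStoreModel(admin_groups=[" CDAP "])
    store.add_user("cdap", "cdap")
    store.add_user("ali", "analysts")
    store.add_role_to_group("analyst_role", "analysts")
    instance = (("instance", "cdap"),)
    ns1_admin = Privilege("cdap", "cdap", instance + (("namespace", "ns1"),), "admin")
    ns2_read = Privilege("cdap", "cdap", instance + (("namespace", "ns2"),), "read")
    instance_all = Privilege("cdap", "cdap", instance, "ALL", grant_option=True)

    results = {}
    # the reported failure: ali is not an admin and holds nothing WITH GRANT OPTION
    results["ali_denied"] = try_grant(store, "ali", "analyst_role", ns1_admin)
    # the same grant issued as "cdap" passes via the admin-group short-circuit
    results["cdap_admin_bypass"] = try_grant(store, "cdap", "analyst_role", ns1_admin)
    # ali's role now holds ns1_admin, but without the grant option it still cannot pass it on
    results["ali_holds_without_option"] = try_grant(store, "ali", "other_role", ns1_admin)
    # an admin hands ali's role an instance-wide privilege WITH GRANT OPTION ...
    results["cdap_grants_option"] = try_grant(store, "cdap", "analyst_role", instance_all)
    # ... after which ali may grant anything under that instance, even a privilege it never held itself
    results["ali_with_option"] = try_grant(store, "ali", "other_role", ns2_read)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'granted' if outcome is None else outcome}")
```

      The third case is the one to keep in mind when reading the stack trace: holding the privilege is not enough, the grantor's role must hold it with the grant option, and only admin-group membership skips that test.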
      

              People

              • Assignee:
                rsinha Rohit Sinha
                Reporter:
                rsinha Rohit Sinha