| Release Notes - Sentry - Version 1.4.0 |
| |
| ** Sub-task |
| * [SENTRY-97] - Create service configuration properties |
| * [SENTRY-129] - Implement Hive Sentry Authz DDL Task Factory |
| * [SENTRY-134] - Use BoneCP, add unique constraint to GROUP_NAME, and expose jdo/datanucleus properties |
| * [SENTRY-137] - Validate privilege scope in sentry service |
| * [SENTRY-138] - Use server timestamp for createTime for role, privilege and group |
| * [SENTRY-142] - Create database backed ProviderBackend |
| * [SENTRY-143] - Merge db_policy_store branch into master |
| * [SENTRY-153] - Add Hive e2e test with grant/revoke statements |
| * [SENTRY-156] - Support local privilege validation APIs |
| * [SENTRY-160] - Class to table mapping in package.jdo is incorrect |
| * [SENTRY-364] - Bump up hive and hadoop versions from SNAPSHOT to released bits |
| * [SENTRY-365] - Create release branch for 1.4.0 |
| * [SENTRY-369] - Update changelog.txt, notice.txt, etc... for 1.4.0 release |
| |
| |
| |
| ** Bug |
| * [SENTRY-118] - cast udf should be added to sentry udf whitelist for hive |
| * [SENTRY-131] - bin/sentry script doesn't find config-tool.sh under some circumstances |
| * [SENTRY-133] - Alter table create partition if not exists - results in error |
| * [SENTRY-161] - Sentry master branch is trying to download Hadoop tarball from nonexisting URL |
| * [SENTRY-162] - Cleanup DB store privilege metadata on Hive DDL statements |
| * [SENTRY-166] - Sentry does not accept URIs with an equals sign (=) in path. Fails with llegalArgumentException: Invalid key value |
| * [SENTRY-169] - JAAS login options not compatible with IBM JDK |
| * [SENTRY-172] - config-tool.sh is missing from master branch |
| * [SENTRY-174] - Sentry should not package hadoop, hive and other jars |
| * [SENTRY-175] - sentry script throws error for the dbstore service invocation |
| * [SENTRY-176] - Not able to read policy files on HDFS (Regression) |
| * [SENTRY-177] - Sentry Policy Service does not treat role names as case insensitive |
| * [SENTRY-178] - Poor performance for Sentry Policy Service as #of privileges is scaled up |
| * [SENTRY-181] - Add a test case for duplicate privileges |
| * [SENTRY-182] - Granting ALL privileges to table does not seem to do the right thing when using the SimpleDbPolicyProvider |
| * [SENTRY-183] - Sentry Policy Service goes into an unusable state when granting privileges. Subsequent access fail with a DataNucleusException: "Iteration request failed: SELECT ..." |
| * [SENTRY-186] - e2e tests for solr document-level security |
| * [SENTRY-187] - Use invariants rather than default for specification of update index level authorization |
| * [SENTRY-188] - Reduce the logging level during per-db policy loading |
| * [SENTRY-190] - Support for getting set of roles from ProviderBackend |
| * [SENTRY-191] - Sentry Policy Service should not require passing the RPC requestor's user/group information |
| * [SENTRY-192] - Convert solr doc-level e2e test to be based on roles rather than groups |
| * [SENTRY-194] - Sentry script should note use Hive script by default for service and tool execution |
| * [SENTRY-195] - Sentry schema tool can't process comments inside statement |
| * [SENTRY-200] - Remove sentry-provider dependencies on hive |
| * [SENTRY-201] - TestDatabaseProvider tests fail after Sentry schema tool was added. |
| * [SENTRY-202] - Sentry end to end tests which use ClusterDFS will need to explicitly add the policy file to HDFS |
| * [SENTRY-203] - Column name mismatch causes DataNucleus to throw exceptions |
| * [SENTRY-204] - Test cases extending SentryServiceIntegrationBase are failing |
| * [SENTRY-205] - Sentry throws Exception when trying to revoke Table level privileges |
| * [SENTRY-206] - Sentry distribution should include a template config file for the service |
| * [SENTRY-207] - Sentry script should return non-zero exist status in error conditions |
| * [SENTRY-209] - Empty list returned when calling listPrivilegesByRoleName |
| * [SENTRY-210] - Exception Thrown When Trying to grantRoleToGroup |
| * [SENTRY-212] - Restrict access to hive config property hive.sentry.active.role.set which is set by Sentry Hive binding |
| * [SENTRY-213] - Sentry schema tool doesn't handle sentry.javax.jdo.* properties |
| * [SENTRY-214] - Sentry Service does not allow the same Privilege to be associated to multiple Roles |
| * [SENTRY-217] - Add Insert and URI tests for Sentry DB provider |
| * [SENTRY-218] - Use defaults for user, password and driver in SchemaTool |
| * [SENTRY-219] - Sentry Cache Backend Provider initialization does not work as expected |
| * [SENTRY-220] - Trivial fix to SentrySchemaTool to set default driver |
| * [SENTRY-221] - Privilege scope is case sensitive |
| * [SENTRY-222] - Privileges are sometimes granted to the wrong roles |
| * [SENTRY-224] - Provider resource should not be required for DB provider backend |
| * [SENTRY-229] - SentrySchemaTool initSchema does not work with postgres 8.1and oracle |
| * [SENTRY-231] - Fix JDK 6 build |
| * [SENTRY-235] - Change tests in TestSentryServerWithoutKerberos to use new Sentry service APIs |
| * [SENTRY-236] - Sentry PolicyFile provider incorrectly logs error messages when reading policy file |
| * [SENTRY-237] - Support log4j configuration for Sentry service |
| * [SENTRY-238] - Denied Show roles and show role grant throw thrift exception |
| * [SENTRY-239] - Setup in TestDatabaseProvider is flaky |
| * [SENTRY-241] - Sentry GrantRevokeTask should fire the sentry failure look |
| * [SENTRY-243] - The operation type needs to be set in the grant/revoke task context for the failure hook |
| * [SENTRY-244] - Sentry deprecated properties do not work |
| * [SENTRY-245] - Fix failing db provider tests |
| * [SENTRY-246] - Load command does not seem to work with filter push down |
| * [SENTRY-247] - Go back to using filter push down once the bugs are fixed |
| * [SENTRY-248] - The sentry-provider-cache dependency is not correctly set |
| * [SENTRY-249] - "Use default" should be allowed for all the users even when using filter push down |
| * [SENTRY-250] - Create external table fails with filter push down |
| * [SENTRY-251] - PolicyProviderForTest.addPrivilege breaks in some cases |
| * [SENTRY-252] - Per db policy files based tests should be updated for dbprovider usage |
| * [SENTRY-253] - Creating external table seems to be failing when using provider db. |
| * [SENTRY-254] - Privilege name in provider db has a limit of length 128 which might be very low for long uris. |
| * [SENTRY-255] - Revoke on Server privilege fails |
| * [SENTRY-256] - Fix TestDbEndToEnd.testEndToEnd1 |
| * [SENTRY-257] - Upgrade master to use version 1.4.0-incubating-SNAPSHOT |
| * [SENTRY-259] - Implement Hive metastore plugin |
| * [SENTRY-260] - Add support to use DB2 as database for sentry metastore |
| * [SENTRY-262] - Updating patch for SENTRY-178 |
| * [SENTRY-263] - Remove usage of getHostString() from AbstractTestWithStaticConfiguration |
| * [SENTRY-266] - Implement _HOST substitution in principal |
| * [SENTRY-268] - Allow only granted roles to be set in "SET ROLE <roleName>" |
| * [SENTRY-269] - Add a test case for Denied Alter table, should fire SentryOnFailureHook |
| * [SENTRY-271] - Test TestSentryServiceIntegration is flaky |
| * [SENTRY-272] - Test TestSentryStoreToAuthorizable.testUri is failing on comparing URI string |
| * [SENTRY-273] - org.apache.sentry.tests.e2e.dbprovider.TestDbUriPermissions is failing |
| * [SENTRY-274] - MySQL init scripts contains invalid comments |
| * [SENTRY-275] - Fix compilation error in SentryService |
| * [SENTRY-276] - SentryService tests are currently timing out |
| * [SENTRY-277] - Add Pig+HCat test for Metastore auth plugin |
| * [SENTRY-278] - TestSearchModelAuthorizables.testTooManyKV and TestDBModelAuthorizables.testTooManyKV fail |
| * [SENTRY-279] - Revert back using lowercase for uri label |
| * [SENTRY-280] - Sentry-202 missing changes |
| * [SENTRY-281] - Revoking a parent privilege should revoke all child privileges |
| * [SENTRY-282] - Select on DB should give privileges to query tables within it. |
| * [SENTRY-283] - Secure connection from HS2 to Sentry service fails |
| * [SENTRY-284] - Create test for creating external partition |
| * [SENTRY-285] - privilege->action=all is not same as privilege |
| * [SENTRY-288] - Dissable MetastoreBinding for test cases that do not require it |
| * [SENTRY-289] - Kerberos based connection from HS2 and Metastore to Sentry service fails |
| * [SENTRY-290] - Handle null pointer in SentryPolicyProcessor |
| * [SENTRY-294] - The Sentry service client should execute UGI privilege action by default |
| * [SENTRY-297] - Increase privilege_name to 4000 in mysql to be consistent with other dbs |
| * [SENTRY-299] - Partial Revoke Fails under certain conditions |
| * [SENTRY-300] - HiveAuthzBinding checks for Hive server2 config which is not available when using Sentry with Hive meta store server |
| * [SENTRY-301] - Sentry plugin fails access service from secure Hive Metastore |
| * [SENTRY-302] - Partial revoke on Table fails if both ALL and a SELECT/INSERT grant exists |
| * [SENTRY-304] - Limit on index key in MYSQL (innoDB ) is 767 bytes |
| * [SENTRY-305] - SHOW CURRENT ROLES shouldn't require admin privileges |
| * [SENTRY-306] - Fix grant all on table in db based provider |
| * [SENTRY-307] - Unqualified URIs should be reconstructed in a standard way |
| * [SENTRY-309] - Metastore binding should use fully qualified URI for validating alter table operations |
| * [SENTRY-310] - Make Hive operation to required privileges more granular |
| * [SENTRY-311] - Metastore plugin needs to be changed to updated privilege model |
| * [SENTRY-312] - Add 'decimal' and 'date' to default UDF whitelist |
| * [SENTRY-313] - Fix some uri failing tests |
| * [SENTRY-314] - Metastore plugin should verify the storage descriptor before referencing |
| * [SENTRY-315] - SHOW CURRENT ROLE fails if the one of the groups doesn't have any roles granted |
| * [SENTRY-317] - Fix TestDbOperations.testLoad test |
| * [SENTRY-319] - group names should be case sensitive. |
| * [SENTRY-321] - SentryMetastorePostEventListener should use sentry config to create SentryClient |
| * [SENTRY-332] - A role may got empty privilege, although the role have some privileges |
| * [SENTRY-336] - Fix test failures on real cluster |
| * [SENTRY-337] - When the parameter sentry.metastore.service.users isn't set or set empty, starting metastore will throw java.lang.NullPointerException |
| * [SENTRY-363] - CTAS from view is requiring select on underlying table |
| |
| |
| |
| |
| ** Improvement |
| * [SENTRY-106] - Make solr testing work against apache 4.7 version |
| * [SENTRY-193] - Add schematool for creating Sentry store schema from the SQL scripts |
| * [SENTRY-211] - Do the user: group lookup in the Sentry db policy server |
| * [SENTRY-258] - Increase field PRIVILEGE_NAME to 4000 characters to enable long URIs |
| * [SENTRY-293] - Create a new mvn cluster test profile for provider db tests |
| * [SENTRY-303] - Allow users to grant/revoke SELECT/INSERT to ALL tables in a Database |
| * [SENTRY-333] - Add conf directory to sentry distribution |
| * [SENTRY-361] - Sentry server should use sentry-site.xml in conf directory by default |
| |
| ** New Feature |
| * [SENTRY-3] - Create a diagnostics tool for configuration validation |
| * [SENTRY-37] - Implement a DB backed policy store |
| * [SENTRY-115] - Give bindings the ability to access the group mappings |
| * [SENTRY-157] - Support filter pushdown in DB Store client to reduce data transfer from DB Store service |
| * [SENTRY-158] - Hive bindings should enable MR level ACLs for session user |
| * [SENTRY-165] - Implement createShowRolesTask() in SentryHiveAuthorizationTaskFactoryImpl |
| * [SENTRY-184] - Add Sentry service APIs to query roles and privileges |
| * [SENTRY-199] - Create tool that will convert policy file into into DB store |
| * [SENTRY-215] - SHOW GRANT ROLE xxx ON [SERVER, DATABASE, TABLE, URI] xxx |
| * [SENTRY-216] - Support SHOW CURRENT ROLES |
| |
| |
| |
| |
| ** Task |
| * [SENTRY-159] - Convert AbstractSolrSentryTestBase to use MiniSolrCloudCluster rather than Lucene test hierarchy |
| * [SENTRY-164] - Missing implementation for HiveAuthorizationTaskFactory: createShowRolesTask() |
| * [SENTRY-230] - e2e test for doc level security to cover failure scenarios around Index level auth |
| * [SENTRY-356] - Apache Sentry 1.4.0 Release |
| |
| |
| ** Test |
| * [SENTRY-223] - Add a test for updates with doc-level security |
| * [SENTRY-233] - Disable hdfs blockcache during solr e2e tests |
| * [SENTRY-261] - Improve test coverage for grant/revoke statements in Hive e2e tests |
| * [SENTRY-287] - Add test case for giving select privieleges on a table in a non default database |
| * [SENTRY-291] - Remove duplicate testSameGrantTwice |
| |
| |
| |