
Sentry ACLs are not being applied

Guru

Hi,


I enabled Kerberos and Sentry for Search in the CDH5.8 sandbox. I created users+groups on Linux, as well as roles in Sentry, and linked them together, e.g. Sentry role 'demo-query' links to Linux group 'selectors', of which user 'reader' is a member. This role was granted the 'query' privilege on my collection 'acltest'.

In addition to that, there is user 'writer', member of 'inserters' which maps to sentry-role 'demo-update' and privilege 'update' on the collection 'acltest'.

And there is one more user, called 'testuser', who is **not** part of any of the above-mentioned Linux groups.


My expectation is/was that user 'testuser' would fail at querying collection 'acltest', but that is wrong. This user can query the collection without problem, although I didn't grant him any privileges?!?!


Why is he able to query the collection?


Details:

```
[testuser@quickstart ~]$ curl --negotiate -u : 'http://quickstart.cloudera:8983/solr/acltest/select?q=*'
<?xml version="1.0" encoding="UTF-8"?>
<response>
<lst name="responseHeader"><int name="status">0</int><int name="QTime">0</int><lst name="params"><str name="q">*</str></lst></lst><result name="response" numFound="2" start="0"><doc><int name="my_id">1</int><long name="my_somecode">55508</long><str name="cust_plz">0815</str><str name="cust_hausnr">111</str><str name="cust_strasse">hauptstr</str><str name="cust_ort">nirvana</str><str name="bank_account">746757583873</str><long name="_version_">1564414881528020992</long></doc><doc><int name="my_id">2</int><long name="my_somecode">22208</long><str name="cust_plz">4711</str><str name="cust_hausnr">666</str><str name="cust_strasse">highway-to-hell</str><str name="cust_ort">nirvana</str><str name="bank_account">9958575488</str><long name="_version_">1564414881580449792</long></doc></result>
</response>
[testuser@quickstart ~]$ id testuser
uid=502(testuser) gid=504(testuser) groups=504(testuser)
```

I did all the Sentry related steps (role creation, group assignment and privilege granting) via the command line, not using Hue.


What am I missing, so that the ACLs get applied as expected (in this particular case, so that user 'testuser' isn't able to query the collection)?


Thanks for any hint...


1 ACCEPTED SOLUTION

Guru

Sorry for any confusion; in parallel, the "Sentry Service" got disabled for SOLR because of the issue posted here.

I will close this issue, since the linked issue is the real one 😉


3 REPLIES

Champion

@geko


1. Are you applying Sentry on the file locally or on HDFS? If it is local, it will not work (as per my understanding), because Sentry currently works out of the box with Apache Hive, Hive Metastore/HCatalog, Apache Solr, Impala and HDFS (limited to Hive table data).


https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Tutorial


2. If you are referring to HDFS, please ignore my above point and confirm the following: have you done your HDFS & Sentry synchronization?


https://www.cloudera.com/documentation/enterprise/5-6-x/topics/sg_hdfs_sentry_sync.html

Guru

Hello @saranvisa ,

Thanks for replying quickly.

I am not testing Sentry-HDFS permissions, I am working on Sentry-SOLR. The scenario I described relates to permissions of querying a SOLR collection, not accessing HDFS files.


- Kerberos is enabled

- SOLR collection has been created

- Sentry roles have been created

- Linux groups have been mapped to Sentry roles

- Privileges to access the SOLR collection have been granted via the `solrctl sentry ..` command-line call


Available Sentry roles:

```
[cloudera@quickstart hue]$ solrctl sentry --list-roles
demo-update
sentry_admin
demo-query
```

...and privileges:

```
[cloudera@quickstart hue]$ solrctl sentry --list-privileges demo-query
Collection=acltest->action=query
[cloudera@quickstart hue]$ solrctl sentry --list-privileges demo-update
Collection=acltest->action=update
[cloudera@quickstart hue]$
```


OS user 'testuser' is **NOT** part of any of those groups, but he can nevertheless query the collection 'acltest':


```
[testuser@quickstart ~]$ curl --negotiate -u : 'http://quickstart.cloudera:8983/solr/acltest/select?q=*'
<?xml version="1.0" encoding="UTF-8"?>
<response>
<lst name="responseHeader"><int name="status">0</int><int name="QTime">0</int><lst name="params"><str name="q">*</str></lst></lst><result name="response" numFound="2" start="0"><doc><int name="my_id">1</int><long name="my_somecode">55508</long><str name="cust_plz">0815</str><str name="cust_hausnr">111</str><str name="cust_strasse">hauptstr</str><str name="cust_ort">nirvana</str><str name="bank_account">746757583873</str><long name="_version_">1564414881528020992</long></doc><doc><int name="my_id">2</int><long name="my_somecode">22208</long><str name="cust_plz">4711</str><str name="cust_hausnr">666</str><str name="cust_strasse">highway-to-hell</str><str name="cust_ort">nirvana</str><str name="bank_account">9958575488</str><long name="_version_">1564414881580449792</long></doc></result>
</response>
```


I now also tried to set the privileges via the Hue => Security plugin, but this does not work. I am able to define the role and privilege, but after clicking the blue "Update" button I just see in the top right corner the hint "Privileges has been updated", while in the overview there is no privilege displayed for that collection... strange...
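The expected-versus-observed check that the question and the `solrctl sentry` listings above call for, as an added example that is not part of the original posts: a small Python script that models the role, group and privilege data described in the thread (the data is constructed here to mirror the question and the listings), parses a captured Solr `select` response, and flags any principal who received results although the policy grants that user no matching privilege. The `sentry_admin` role is listed in the thread but its privileges are not shown, so it is left out; that a Sentry refusal arrives as a non-zero-status error response rather than a status-0 result set is my assumption, and the denied sample is constructed on that basis.

```python
import xml.etree.ElementTree as ET

# Constructed to mirror the `solrctl sentry --list-privileges <role>` output on
# this page, one "Collection=<name>->action=<action>" line per privilege.
PRIVILEGE_LISTINGS = {
    "demo-query": "Collection=acltest->action=query",
    "demo-update": "Collection=acltest->action=update",
    # "sentry_admin" is listed in the thread but its privileges are not shown,
    # so it is deliberately not modelled here.
}

# Constructed: Linux group -> Sentry roles, as described in the question.
GROUP_TO_ROLES = {
    "selectors": {"demo-query"},
    "inserters": {"demo-update"},
}

# Constructed: the groups each OS user belongs to (what `id <user>` reports).
USER_GROUPS = {
    "reader": {"reader", "selectors"},
    "writer": {"writer", "inserters"},
    "testuser": {"testuser"},  # no Sentry-mapped group at all
}

# Constructed, abbreviated from the status-0 response the poster got as testuser.
SOLR_RESPONSE_OK = """<?xml version="1.0" encoding="UTF-8"?>
<response>
<lst name="responseHeader"><int name="status">0</int><int name="QTime">0</int><lst name="params"><str name="q">*</str></lst></lst><result name="response" numFound="2" start="0"><doc><int name="my_id">1</int></doc><doc><int name="my_id">2</int></doc></result>
</response>"""

# Constructed: the shape an error response takes (assumption: a Sentry refusal
# yields a non-zero status and an <lst name="error"> block and no <result>).
SOLR_RESPONSE_DENIED = """<?xml version="1.0" encoding="UTF-8"?>
<response>
<lst name="responseHeader"><int name="status">401</int><int name="QTime">1</int></lst><lst name="error"><str name="msg">Unauthorized request</str><int name="code">401</int></lst>
</response>"""


def parse_privileges(listing):
    """Turn 'Collection=acltest->action=query' lines into {(collection, action)}."""
    privs = set()
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = dict(part.split("=", 1) for part in line.split("->"))
        privs.add((fields["Collection"], fields["action"]))
    return privs


def roles_for_user(user):
    """Resolve user -> OS groups -> Sentry roles, the chain the poster set up."""
    roles = set()
    for group in USER_GROUPS.get(user, set()):
        roles |= GROUP_TO_ROLES.get(group, set())
    return roles


def expected_decision(user, collection, action):
    """What the policy says: allowed only if one of the user's roles carries
    the requested action on the requested collection."""
    for role in roles_for_user(user):
        for coll, act in parse_privileges(PRIVILEGE_LISTINGS.get(role, "")):
            if coll == collection and act == action:
                return True
    return False


def observed_allowed(response_xml):
    """True if Solr answered with status 0 and a result set, i.e. the query ran."""
    root = ET.fromstring(response_xml)
    status = root.find("./lst[@name='responseHeader']/int[@name='status']")
    result = root.find("./result[@name='response']")
    return status is not None and status.text == "0" and result is not None


def find_enforcement_gaps(observations):
    """observations: iterable of (user, collection, action, response_xml).
    Returns the users who received results although the policy grants none."""
    gaps = []
    for user, collection, action, response_xml in observations:
        if observed_allowed(response_xml) and not expected_decision(user, collection, action):
            gaps.append(user)
    return gaps


if __name__ == "__main__":
    observations = [
        ("reader", "acltest", "query", SOLR_RESPONSE_OK),
        ("testuser", "acltest", "query", SOLR_RESPONSE_OK),
    ]
    for user in find_enforcement_gaps(observations):
        print(f"{user}: got results but holds no matching privilege")
```

Run against the responses captured in the thread, the script reports exactly the symptom the poster saw: 'testuser' is a gap while 'reader' is not. A gap for a user who has no role at all points at authorization not being applied to the request path at all (as in the accepted solution, where the Sentry service had been disabled for SOLR), rather than at a wrong group-to-role mapping, which would instead show up as a wrong decision for a user who does have a role.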