Created 10-02-2019 05:25 AM
In our setup we run Kafka instances with Sentry defining the rules to access the different topics. However, I want to revoke a given privilege. Therefore I list the rules with
kafka-sentry -lp -r myrole
I get a list containing
...
HOST=*->CLUSTER=kafka-cluster->action=cluster_action
...
This is the privilege I would like to revoke. However, by executing
kafka-sentry -rpr -r myrole -p 'HOST=*->CLUSTER=kafka-cluster->action=cluster_action'
I get an error message
ERROR tools.SentryShellKafka: Kafka privilege must end with a valid action.
Invalid Kafka privilege. Kafka privilege must be of the form host=<HOST>-><RESOURCE>=<RESOURCE_NAME>->action=<ACTION>, where <HOST> can be '*' or any valid host name, <RESOURCE> can be one of [CLUSTER, TOPIC, CONSUMERGROUP] <RESOURCE_NAME> is name of the resource, <ACTION> can be one of [READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, CLUSTER_ACTION, ALL].
org.apache.shiro.config.ConfigurationException: Kafka privilege must end with a valid action.
Invalid Kafka privilege. Kafka privilege must be of the form host=<HOST>-><RESOURCE>=<RESOURCE_NAME>->action=<ACTION>, where <HOST> can be '*' or any valid host name, <RESOURCE> can be one of [CLUSTER, TOPIC, CONSUMERGROUP] <RESOURCE_NAME> is name of the resource, <ACTION> can be one of [READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, CLUSTER_ACTION, ALL].
at org.apache.sentry.policy.kafka.KafkaPrivilegeValidator.validate(KafkaPrivilegeValidator.java:109)
at org.apache.sentry.provider.db.generic.tools.KafkaTSentryPrivilegeConverter.validatePrivilegeHierarchy(KafkaTSentryPrivilegeConverter.java:119)
at org.apache.sentry.provider.db.generic.tools.KafkaTSentryPrivilegeConverter.fromString(KafkaTSentryPrivilegeConverter.java:60)
at org.apache.sentry.provider.db.generic.tools.command.RevokePrivilegeFromRoleCmd.execute(RevokePrivilegeFromRoleCmd.java:43)
at org.apache.sentry.provider.db.generic.tools.SentryShellKafka.run(SentryShellKafka.java:83)
at org.apache.sentry.provider.db.tools.SentryShellCommon.executeShell(SentryShellCommon.java:262)
at org.apache.sentry.provider.db.generic.tools.SentryShellKafka.main(SentryShellKafka.java:96)
The operation failed. Message: Kafka privilege must end with a valid action.
Invalid Kafka privilege. Kafka privilege must be of the form host=<HOST>-><RESOURCE>=<RESOURCE_NAME>->action=<ACTION>, where <HOST> can be '*' or any valid host name, <RESOURCE> can be one of [CLUSTER, TOPIC, CONSUMERGROUP] <RESOURCE_NAME> is name of the resource, <ACTION> can be one of [READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, CLUSTER_ACTION, ALL].
So, what is it I am doing wrong?
Created on 10-02-2019 05:49 AM - edited 10-02-2019 05:50 AM
Hi @bene
It looks okay to me at first glance. In fact, if there was something wrong with the privilege then I wouldn't expect it to be created in the first place.
What version of CDH and Cloudera Kafka do you have running in your environment?
Created 10-02-2019 08:00 AM
Created 10-04-2019 12:01 AM
Created 10-04-2019 12:17 AM
Hi, thanks for the hint @EricL. However, if I use clusteraction instead, I get another error message:
The operation failed. Message: Unknown error:Can not get BitFieldAction for name: CLUSTER_ACTION. Server Stacktrace: org.apache.sentry.SentryUserException: Can not get BitFieldAction for name: CLUSTER_ACTION
at org.apache.sentry.provider.db.generic.service.persistent.PrivilegeOperatePersistence.getAction(PrivilegeOperatePersistence.java:525)
at org.apache.sentry.provider.db.generic.service.persistent.PrivilegeOperatePersistence.revokeRolePartial(PrivilegeOperatePersistence.java:308)
at org.apache.sentry.provider.db.generic.service.persistent.PrivilegeOperatePersistence.revokePrivilege(PrivilegeOperatePersistence.java:268)
at org.apache.sentry.provider.db.generic.service.persistent.DelegateSentryStore$2.execute(DelegateSentryStore.java:156)
at org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransaction(TransactionManager.java:123)
at org.apache.sentry.provider.db.service.persistent.TransactionManager$1.call(TransactionManager.java:192)
at org.apache.sentry.provider.db.service.persistent.TransactionManager$ExponentialBackoff.execute(TransactionManager.java:233)
at org.apache.sentry.provider.db.service.persistent.TransactionManager.executeTransactionWithRetry(TransactionManager.java:188)
at org.apache.sentry.provider.db.generic.service.persistent.DelegateSentryStore.alterRoleRevokePrivilege(DelegateSentryStore.java:143)
at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor$6.handle(SentryGenericPolicyProcessor.java:466)
at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.requestHandle(SentryGenericPolicyProcessor.java:183)
at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.alter_sentry_role_revoke_privilege(SentryGenericPolicyProcessor.java:462)
at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$alter_sentry_role_revoke_privilege.getResult(SentryGenericPolicyService.java:897)
at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$alter_sentry_role_revoke_privilege.getResult(SentryGenericPolicyService.java:882)
at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessorWrapper.process(SentryGenericPolicyProcessorWrapper.java:37)
at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Maybe this is related to the fact that the rule is not set up with clusteraction but with cluster_action? Is there a more general way to revoke a privilege? It looks like the discussed rule is malformed and I would like to get rid of it 😉
Created 10-04-2019 03:59 AM
Hmm, I can now reproduce the issue.
After creating the privilege:
kafka-sentry --config /etc/sentry/conf -gpr -r eric-test -p 'HOST=*->CLUSTER=kafka-cluster->action=clusteraction'
It is stored as "cluster_action":
kafka-sentry --config /etc/sentry/conf -lp -r eric-test
...
HOST=*->CLUSTER=kafka-cluster->action=cluster_action
And when I try to drop it, it fails with the error you are seeing.
Need a bit more time to look into why.
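The client-side check that rejects the listed privilege is the grammar quoted in the error message above: host=<HOST>-><RESOURCE>=<RESOURCE_NAME>->action=<ACTION>. The following is an added example, not code from the thread or from Apache Sentry, that reproduces that check locally so you can test a privilege string before running kafka-sentry -rpr against a live cluster, and that rewrites the action spelling printed by -lp (cluster_action) into the spelling the CLI accepted in the grant command in this thread (clusteraction). Two things are assumptions: that the validator compares action names case-insensitively, and that clusteraction is the only accepted spelling of CLUSTER_ACTION. It only addresses the client-side validation; the server-side "Can not get BitFieldAction for name: CLUSTER_ACTION" failure shown above is not resolved by rewriting the string.

```python
"""Local reproduction of the kafka-sentry privilege validation rule quoted in
the error message on this page. Added example; not Apache Sentry's own code."""

# Resource types and canonical action names exactly as listed in the error message.
RESOURCES = {"CLUSTER", "TOPIC", "CONSUMERGROUP"}

# Canonical action name -> spelling accepted on the kafka-sentry command line.
# ASSUMPTION: "clusteraction" is taken from the grant command in this thread; the
# error message itself only prints the canonical name CLUSTER_ACTION.
ACTION_SPELLINGS = {
    "READ": "read",
    "WRITE": "write",
    "CREATE": "create",
    "DELETE": "delete",
    "ALTER": "alter",
    "DESCRIBE": "describe",
    "CLUSTER_ACTION": "clusteraction",
    "ALL": "all",
}
ACCEPTED_ACTIONS = {spelling: canon for canon, spelling in ACTION_SPELLINGS.items()}

GRAMMAR_HINT = (
    "Kafka privilege must be of the form host=<HOST>-><RESOURCE>=<RESOURCE_NAME>"
    "->action=<ACTION>, where <RESOURCE> is one of %s and <ACTION> is one of %s"
    % (sorted(RESOURCES), list(ACTION_SPELLINGS))
)


class InvalidKafkaPrivilege(ValueError):
    """Raised for strings the client-side validator would reject."""


def parse_privilege(priv: str) -> dict:
    """Split a privilege string into its three parts and validate each one.

    Returns {"host", "resource", "name", "action"} with the action in its
    canonical (upper-case, underscored) form. ASSUMPTION: key and action
    comparisons are case-insensitive.
    """
    parts = priv.split("->")
    if len(parts) != 3:
        raise InvalidKafkaPrivilege("expected exactly three '->' separated parts. " + GRAMMAR_HINT)
    pairs = []
    for part in parts:
        if "=" not in part:
            raise InvalidKafkaPrivilege("part %r is not key=value. %s" % (part, GRAMMAR_HINT))
        key, value = part.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    (host_key, host), (res_key, res_name), (act_key, action) = pairs

    if host_key.lower() != "host":
        raise InvalidKafkaPrivilege("privilege must start with host=. " + GRAMMAR_HINT)
    if res_key.upper() not in RESOURCES:
        raise InvalidKafkaPrivilege("unknown resource %r. %s" % (res_key, GRAMMAR_HINT))
    if act_key.lower() != "action":
        raise InvalidKafkaPrivilege("privilege must end with action=. " + GRAMMAR_HINT)
    if action.lower() not in ACCEPTED_ACTIONS:
        # This is the branch the listed "cluster_action" string falls into.
        raise InvalidKafkaPrivilege(
            "Kafka privilege must end with a valid action (got %r). %s" % (action, GRAMMAR_HINT)
        )
    return {
        "host": host,
        "resource": res_key.upper(),
        "name": res_name,
        "action": ACCEPTED_ACTIONS[action.lower()],
    }


def is_valid(priv: str) -> bool:
    """True if the string would pass the client-side validator."""
    try:
        parse_privilege(priv)
        return True
    except InvalidKafkaPrivilege:
        return False


def revoke_form(listed: str) -> str:
    """Rewrite a line from `kafka-sentry -lp` output (action=cluster_action) into
    the spelling the CLI accepts (action=clusteraction). Only the action part is
    touched; host and resource are passed through unchanged."""
    head, sep, action_part = listed.rpartition("->")
    if not sep or "=" not in action_part:
        raise InvalidKafkaPrivilege("no trailing action= part in %r" % listed)
    key, value = action_part.split("=", 1)
    canonical = value.strip().upper()
    if canonical not in ACTION_SPELLINGS:
        raise InvalidKafkaPrivilege("listed action %r is not a known action" % value)
    return "%s->%s=%s" % (head, key.strip(), ACTION_SPELLINGS[canonical])


def revoke_command(role: str, listed: str) -> str:
    """Build the kafka-sentry -rpr command for a privilege as printed by -lp."""
    return "kafka-sentry -rpr -r %s -p '%s'" % (role, revoke_form(listed))


if __name__ == "__main__":
    # Constructed sample taken from the -lp listing in this thread.
    listed = "HOST=*->CLUSTER=kafka-cluster->action=cluster_action"
    print("listed form valid for -rpr? ", is_valid(listed))          # False
    print("rewritten:", revoke_command("myrole", listed))
```

Run it as a script to see the listed string rejected and the rewritten revoke command printed; import it and call is_valid on each line of your -lp output to find every privilege that the client would refuse to revoke as printed.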