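Sentry UDFWhiteList Bug Analysis
1 Introduction
This guide analyzes the bug that prevents row_number, unbase64 and windowingtablefunction from being executed once Sentry is enabled.
2 Preparation
2.1 Environment
Sentry version: sentry-1.4.0-cdh5.3.3
Note: I checked the latest Sentry release (sentry-1.5.1-cdh5.7.0) and the problem no longer exists there.
A former colleague has already reported this bug in JIRA: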
[SENTRY-770] When use sentry to configuration hive,to ensure safety of data access.The functions(row_number and unbase64) can't be used.The Problem caused by a sentry bug. I have already found a way to solve the problem,except to modify the sentry source code. - ASF JIRA
# A similar report filed by someone else
[SENTRY-717] Fix the UDF whitelist format for functions row_number and unbase64 - ASF JIRA
Patch URL:
https://issues.apache.org/jira/secure/attachment/12730680/SENTRY-717.001.patch
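3 Problem Analysis
3.1 Problem Description
1) Reproducing the problem
# Calling the unbase64 user-defined function in a Hive instance configured with Sentry fails with an error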
select unbase64(url) from test limit 10;
The error is shown below. The first pointer to the cause is the message: The UDF unbase64 is not found in the list of allowed UDFs
Caused by: org.apache.hadoop.hive.ql.metadata.AuthorizationException: The UDF unbase64 is not found in the list of allowed UDFs
at org.apache.sentry.binding.hive.HiveAuthzBindingHook.checkUDFWhiteList(HiveAuthzBindingHook.java:556)
at org.apache.sentry.binding.hive.HiveAuthzBindingHook.authorizeWithHiveBindings(HiveAuthzBindingHook.java:454)
at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(HiveAuthzBindingHook.java:332)
... 33 more
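2) From the error it is easy to see that the problem is related to UDFWhiteList; a Google search leads to the class org.apache.sentry.binding.hive.conf.HiveAuthzConf.
3) A close look at the HiveAuthzConf class shows that the string HIVE_UDF_WHITE_LIST is missing a comma (,) where it is concatenated.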
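The effect of a missing comma between concatenated string fragments, as an added example that is not Sentry's own code. The class name, the shortened whitelist values and the choice of which two entries fuse are constructed for illustration; the page does not show the real HIVE_UDF_WHITE_LIST value. The same check can be run against a whitelist value before it is deployed.

```java
import java.util.*;

public class UdfWhitelistCheck {
    // Constructed, shortened list (NOT the real HiveAuthzConf value): the first
    // fragment has no trailing comma, so its last entry fuses with the next one.
    static final String BROKEN =
        "abs,concat,lower,row_number" +
        "unbase64,upper,windowingtablefunction";

    // Same fragments with the separator restored.
    static final String FIXED =
        "abs,concat,lower,row_number," +
        "unbase64,upper,windowingtablefunction";

    // Split a comma-separated whitelist into normalized, non-empty entries.
    static Set<String> parse(String whitelist) {
        Set<String> entries = new LinkedHashSet<>();
        for (String s : whitelist.split(",")) {
            String name = s.trim().toLowerCase(Locale.ROOT);
            if (!name.isEmpty()) entries.add(name);
        }
        return entries;
    }

    // Required functions that do not appear as their own whitelist entry.
    static List<String> missing(String whitelist, List<String> required) {
        Set<String> entries = parse(whitelist);
        List<String> out = new ArrayList<>();
        for (String r : required) if (!entries.contains(r)) out.add(r);
        return out;
    }

    // Entries that are exactly two required names glued together (lost comma).
    static List<String> fused(String whitelist, List<String> required) {
        List<String> out = new ArrayList<>();
        for (String e : parse(whitelist))
            for (String a : required)
                for (String b : required)
                    if (e.equals(a + b)) out.add(e + " = " + a + " + " + b);
        return out;
    }

    public static void main(String[] args) {
        List<String> required = Arrays.asList("row_number", "unbase64", "windowingtablefunction");
        System.out.println("broken missing: " + missing(BROKEN, required));
        System.out.println("broken fused:   " + fused(BROKEN, required));
        System.out.println("fixed missing:  " + missing(FIXED, required));
    }
}
```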
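4 Solution
4.1 Problem Description
Method 1) In the sentry-site.xml that the Sentry installation depends on, configure the hive.sentry.udf.whitelist parameter and copy the value of HIVE_UDF_WHITE_LIST into that parameter's value.
Method 2) Modify the org.apache.sentry.binding.hive.conf.HiveAuthzConf source code and rebuild sentry-binding-hive-1.4.0-cdh5.3.3.jar.
Note: the first method is recommended.
5 Summary
None yet.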