Apache Sentry v1.7.0 發布

Apache Sentry是Cloudera公司發布的一個Hadoop開源組件，它提供了細粒度級、基于角色的授權以及多租戶的管理模式。Hadoop在文件系統層面有強安全策略，但缺乏對數據和BI應用細粒度的權限訪問支持。這個問題使得Hadoop使用者面臨兩種抉擇：要么暴露全部數據，要么控制所有數據。大部分情況下，用戶選擇后者，這嚴重約束Hadoop集群上數據的訪問。Sentry提供角色級別的數據權限訪問，可以進行細粒度權限劃分。

Sentry架構圖

更新日志

改進

• [SENTRY-520] - Use the 推ter Bootstrap kit (or similar) to beautify the Sentry Service webpage
• [SENTRY-565] - Improve performance of filtering Hive SHOW commands
• [SENTRY-685] - Refactor Sentry HDFS plugin to work with new Hadoop interface
• [SENTRY-832] - Clean dependences of sentry-provider-db
• [SENTRY-870] - Create UpdateForwarders for paths and permissions
• [SENTRY-913] - Thread safe improvement for sqoop binding singleton
• [SENTRY-934] - Update plugin versions
• [SENTRY-952] - Update source to JDK 7
• [SENTRY-957] - Exceptions in MetastoreCacheInitializer should probably not prevent HMS from starting up
• [SENTRY-970] - Use random free port for Sqoop tests
• [SENTRY-972] - Include sentry-tests-hive hadoop test script in maven project
• [SENTRY-973] - Bump hamcrest version
• [SENTRY-979] - Speed up the build (a bit)
• [SENTRY-986] - Apply PMD plugin to Sentry source
• [SENTRY-993] - list_sentry_privileges_by_authorizable() gone in API v2
• [SENTRY-1006] - Add user manual for simple shell
• [SENTRY-1015] - Improve Sentry + Hive error message when user does not have sufficient privileges to perform an operation
• [SENTRY-1021] - Add PMD to Sentry tests
• [SENTRY-1036] - Move ProviderConstants from sentry-provider-common to sentry-policy-common
• [SENTRY-1048] - Fix "Critical" issues identified by analysis.apache.org
• [SENTRY-1051] - The policy Privilege implementations could be consolidated
• [SENTRY-1052] - Sentry shell should use kerberos requestor and give better error messages for kerberos failures
• [SENTRY-1065] - Make SentryNoSuchObjectException exception error message consistent across all files 
• [SENTRY-1078] - Add servlet for dumping configurations
• [SENTRY-1088] - PathsUpdate should log invalid paths to make troubleshooting easier 
• [SENTRY-1119] - Allow data engines to specify the ActionFactory from configuration
• [SENTRY-1121] - Update Jetty version
• [SENTRY-1135] - Remove deprecated junit.framework dependencies
• [SENTRY-1136] - Remove /Ping and /HealthCheck from Sentry Service Webpage

新功能

• [SENTRY-498] - Sentry integration with Hive authorization framework V2
• [SENTRY-749] - Create simple shell for sentry
• [SENTRY-812] - Generate audit trail for Sentry generic model when authorization metadata change 
• [SENTRY-906] - Add concurrency sentry client tests
• [SENTRY-995] - Simple Solr Shell
• [SENTRY-1130] - Upgrade Hive plugin v2 for hive 2.0.0

Bug修復

• [SENTRY-677] - Make the Sentry DB provider RPC methods synchronized
• [SENTRY-768] - [Improve error handling] Handle cases when getGroups throws an exception
• [SENTRY-769] - [Improve error handling] Make sure groups in list_sentry_privileges_for_provider is not empty
• [SENTRY-826] - TRUNCATE on empty partitioned table in Hive fails
• [SENTRY-835] - Drop table leaves a connection open when using metastorelistener
• [SENTRY-837] - Distributed path update counters in Sentry are indefinitely incremented
• [SENTRY-878] - collect_list missing from HIVE_UDF_WHITE_LIST
• [SENTRY-881] - Allow some metadata operations with column-level privileges
• [SENTRY-884] - Give execute permission by default to paths managed by sentry
• [SENTRY-885] - DB name should be case insensitive in HDFS sync plugin
• [SENTRY-886] - HDFSIntegration test testAccessToTableDirectory should wait for cache refresh before verification
• [SENTRY-888] - Exceptions in Callable tasks in MetaStoreCacheInitializer are being dropped
• [SENTRY-890] - Fix TestDbOperations.testAllOnTable on real clusters
• [SENTRY-892] - parsePath should handle empty paths well
• [SENTRY-893] - Synchronize calls in SentryClient and create sentry client once per request in SimpleDBProvider
• [SENTRY-900] - User could access sentry metric info by curl without authorization
• [SENTRY-904] - Set max message size for thrift messages
• [SENTRY-914] - Sentry default webserver port needs to change out of ephemeral port range
• [SENTRY-922] - INSERT OVERWRITE DIRECTORY permission not working correctly
• [SENTRY-923] - Fix SentryStore getPrivileges when table require "some"
• [SENTRY-932] - TestColumnEndToEnd error check should non-case sensitive
• [SENTRY-936] - getGroup and getUser should always return orginal hdfs values for paths in prefix which are not sentry managed
• [SENTRY-944] - Setting HDFS rules on Sentry managed hdfs paths should not affect original hdfs rules
• [SENTRY-945] - Avoid logging all DataNucleus queries when debug logging is enabled
• [SENTRY-953] - External Partitions which are referenced by more than one table can cause some unexpected behavior with Sentry HDFS sync
• [SENTRY-960] - Use hive.server2.builtin.udf.blacklist
• [SENTRY-962] - Fix SentryStore getPrivileges when column require "some"
• [SENTRY-965] - Solr /terms request handler broken because of components declaration
• [SENTRY-966] - SqoopAuthBindingSingleton uses bad double check locking idiom
• [SENTRY-968] - Uri check needs to be case sensitive
• [SENTRY-971] - Add profile to enable Hive AuthZ v2
• [SENTRY-974] - create a sentry test data dump to facilite sentry scale tests
• [SENTRY-981] - Fix the error in integration tests
• [SENTRY-988] - It's better to let SentryAuthorization setter path always fall through and update HDFS
• [SENTRY-989] - RealTimeGet with explicit ids can bypass document level authorization
• [SENTRY-991] - Roles of Sentry Permission needs to be case insensitive
• [SENTRY-994] - SentryAuthorizationInfoX should override isSentryManaged
• [SENTRY-997] - Update HiveAuthorizer of Sentry after HiveAuthorizer interface changes
• [SENTRY-998] - TestSentryShellHive test failure with JDK 8
• [SENTRY-1002] - PathsUpdate.parsePath(path) will throw an NPE when parsing relative paths
• [SENTRY-1003] - Support "reload" by updating the classpath of Sentry function aux jar path during runtime
• [SENTRY-1007] - Sentry column-level performance for wide tables
• [SENTRY-1008] - Path should be not be updated if the create/drop table/partition event fails
• [SENTRY-1009] - Improve TestDatabaseProvider to validate test object names instead of validating vague numbers.
• [SENTRY-1010] - Sentry column-level performance for wide tables for 1.5.1
• [SENTRY-1018] - HiveServer is not properly shutdown cause BindException in TestServerConfiguration
• [SENTRY-1027] - Fix PMD error for unused field when enable Hive authz V2
• [SENTRY-1035] - Generic service does not handle group name casing correctly
• [SENTRY-1037] - Set "hadoop.security.authentication" to "kerberos" in the Generic Client
• [SENTRY-1039] - Sentry shell tests assume order of option group privileges
• [SENTRY-1044] - Tables with non-hdfs locations breaks HMS startup
• [SENTRY-1046] - Hive Auxiliary JARs Directory is not working when Sentry is enabled: Caused by: java.lang.ClassNotFoundException
• [SENTRY-1050] - Improve clearAll method to avoid throwing exceptions because of deleting objects created outside of tests.
• [SENTRY-1054] - Updated Apache Shiro dependency
• [SENTRY-1055] - Sentry service solr constants refer to clusters rather than services
• [SENTRY-1058] - Duplicate junit versions in the root pom
• [SENTRY-1059] - 'dependencies.dependency.version' for org.apache.sentry:sentry-core-model-kafka:jar is missing. @ line 42, column 17
• [SENTRY-1060] - Improve the SentryAuthFilter error message when authentication failure
• [SENTRY-1064] - Fix TestDbOperations#testCaseSensitivity
• [SENTRY-1066] - Sentry oracle upgrade script failed with ORA-0955 duplicate name issue
• [SENTRY-1071] - Update thrift gen-file with maven plugin
• [SENTRY-1077] - create a wiki to describe how to run scale script to prepare data and how to run sentry hive e2e tests on the cluster
• [SENTRY-1087] - Capture URI when using Hive Serdes
• [SENTRY-1095] - Insert into requires URI privilege on partition location under table.
• [SENTRY-1096] - Fix TestDbOperations#testCaseSensitivity failure on a real cluster
• [SENTRY-1097] - Fix compilation errors from SentryGenericPolicyProcessor
• [SENTRY-1099] - JDK8 autoboxing compilation failure
• [SENTRY-1105] - Fix unittest TestMetastoreEndToEnd.testAddPartion
• [SENTRY-1111] - Apache Sentry should depend on the same version of metrics-core as hadoop
• [SENTRY-1112] - Change default value of "sentry.hive.server" to empty string
• [SENTRY-1114] - Wrong classname and incorrect _CMD_JAR var in sentryShell
• [SENTRY-1116] - Fix PMD violation for Sentry tests after missing commits
• [SENTRY-1122] - Allow Solr Audit Log to Read Impersonator Info
• [SENTRY-1128] - Add metastore_db to .gitignore
• [SENTRY-1155] - Add waiting time for getMetastoreClient for avoiding metastore isn't ready
• [SENTRY-1156] - TestDbColumnLevelMetaDataOps should add `use database` for user session created
• [SENTRY-1157] - Fix Unit Tests TestAclsCrud&TestAuthorize failed
• [SENTRY-1164] - Fix testCaseSensitivity test failure on a real cluster
• [SENTRY-1169] - MetastorePlugin#renameAuthzObject log message prints oldpathname as newpathname
• [SENTRY-1217] - NPE for list_sentry_privileges_by_authorizable when activeRoleSet is not set
• [SENTRY-1234] - JDO exception for list_sentry_privileges_by_authorizable 

更多日志：CHANGELOG.txt

下載

• Source code (zip)
• Source code (tar.gz)
• apache-sentry-1.7.0-src.tar.gz