CDH 5.3.2 Release Notes

The following lists all Cloudera authorization component Jiras included in CDH 5.3.2 that are not included in the Cloudera authorization component base version 1.4.0. The sentry-1.4.0-cdh5.3.2.CHANGES.txt file lists all changes included in CDH 5.3.2. The patch for each change can be found in the cloudera/patches directory in the release tarball.

Changes Not In Cloudera authorization component 1.4.0

Sentry

Bug

[SENTRY-575] - Table GRANTS should not Override Database GRANT in the Sentry HDFS plugin
[SENTRY-573] - Fix NPE caused when rename op is applied on authzObject with no explicit permissions
[SENTRY-564] - Sentry metastore upgrade order is computed incorrectly
[SENTRY-544] - Do not add non HDFS path updates in Hive meta store Sentry plugin for HDFS sync
[SENTRY-552] - Sentry Store recursive revoke of privilege levels < ALL does not properly downgrade child privileges
[SENTRY-536] - Disable TestDPrivilegesAtFunctionScope from the cluster run profile
[SENTRY-534] - TestRuntimeMetadataRetrieval fails intermittently
[SENTRY-517] - MSCK REPAIR TABLE statements are not authorized
[SENTRY-515] - [Unit test failure] TestConnectionWithTicketTimeout.testConnectionAfterTicketTimeout
[SENTRY-513] - Sentry web service may not be stoped completely
[SENTRY-496] - Sentry 1.5 postgres upgrade script has contains incorrect upgrade file name
[SENTRY-511] - Always enable metric collection and do not fail when all metric reporters are disabled
[SENTRY-500] - 1.4 to 1.5 upgrade needs to handle empty strings with __NULL__
[SENTRY-489] - Sentry DB upgrade fails on Oracle with "ORA-00905: missing keyword"
[SENTRY-488] - Sentry list_sentry_privileges_by_authorizable API does not filter out roles/privileges for some cases.
[SENTRY-484] - Sentry Service has does not audit ip address in secure environments
[SENTRY-482] - Fix typo in Sentry audit logs
[SENTRY-487] - TestPrivilegesAtFunctionScope fails on the real cluster
[SENTRY-483] - The schema upgrade script for oracle missing terminating char for nested script
[SENTRY-445] - WITH GRANT OPTION does not allow delegated user to grant less permissive privileges
[SENTRY-475] - SHOW GRANT ROLE from Hive always report with grant option as false
[SENTRY-472] - Hive binding should validate URI privileges on permenant function resource URI
[SENTRY-469] - TListSentryPrivilegesByAuthRequest API should support impersonation
[SENTRY-466] - Return failure code when SentryClient was not successfully instantiated
[SENTRY-447] - Fix thrift generated code related to grantor principal cleanup
[SENTRY-396] - The logic of Thrift multiplexedProcessor registers mutil processor isn't correct
[SENTRY-409] - Do not print stack traces for SentryUserExceptions in Hive
[SENTRY-444] - Update the schema upgrade scripts per the grantor principal changes
[SENTRY-455] - Fixed Unit Tests: TestDbOperations#testIndexTable
[SENTRY-454] - Hive metadata changes syncup with Sentry store should not run in error cases
[SENTRY-452] - Uri tests failing on real cluster
[SENTRY-450] - Add new Hive UDFs to the whitelist
[SENTRY-118] - cast udf should be added to sentry udf whitelist for hive
[SENTRY-430] - Sentry Service does not use correct classpath when HIVE_HOME environment var is defined
[SENTRY-423] - Hive command "SHOW TABLE EXTENDED LIKE... " failed with NPE
[SENTRY-446] - Missing comma in mysql 1.5 script
[SENTRY-441] - Improve the message for SemanticException
[SENTRY-443] - "Show roles" regressed after Sentry-417
[SENTRY-380] - Clean up some grantorPrincipal semantics
[SENTRY-417] - Allow all users "Show role GRANT" as long as they belong to that group
[SENTRY-421] - Metastore binding is not constructing in fully qualified URI sentry recognizable format
[SENTRY-424] - Rat check occasionally failing after derby upgrade
[SENTRY-425] - Reduce logging verbosity in SentryPolicyServiceClient when creating new connections
[SENTRY-412] - Sentry script should support an option to print product version
[SENTRY-431] - Sentry db provider client should attempt to refresh kerberos ticket before connection
[SENTRY-428] - Sentry service should periodically renew the server kerberos ticket
[SENTRY-407] - Add schema upgrade script to handle schema changes in 1.5
[SENTRY-416] - TestConfigTool.testQueryPermissions regressed
[SENTRY-318] - Allow all users "Show GRANT" as long as they have the grant on that role.
[SENTRY-208] - [flaky tests] Tests in TestSentryServiceIntegration and TestSentryStore often fail with "No current connection"
[SENTRY-368] - Remove unused field in SentryPolicyServiceClient.java
[SENTRY-381] - Define jackson.version
[SENTRY-338] - Sentry policy import tool adds non-compatible comments to grant privilege statements
[SENTRY-411] - Alter table set location does not strictly check for URI privileges
[SENTRY-388] - Solr Binding initKerberos should use supplied Configuration
[SENTRY-362] - When sentry integrate into solr, the create instance of backend needs configure parameters from solrAuthzConf not hadoopConf
[SENTRY-339] - Remove PrivilegeName column and constructPrivilegeName() function

Improvement

[SENTRY-359] - Support Sentry service API to retrieve applicable privileges for a given authorizable object
[SENTRY-420] - TestMovingtoProduction fails on real cluster
[SENTRY-406] - Support "WITH GRANT OPTION" for the audit log
[SENTRY-327] - Support auth admin delegation via SQL construct 'with grant option'
[SENTRY-367] - Add end to end tests for audit log
[SENTRY-346] - Create new FileAppender used in log4j to keep all the logs
[SENTRY-347] - Generate the audit log in Json format
[SENTRY-326] - Add support for Hive 0.13

New Feature

[SENTRY-477] - Sentry service should expose metrics

Task

[SENTRY-230] - e2e test for doc level security to cover failure scenarios around Index level auth
[SENTRY-354] - Test for update.distrib phase overriding