CDH 5.3.2 Release Notes
The following lists all Cloudera authorization component Jiras included in CDH 5.3.2 that are not included in the Cloudera authorization component base version 1.4.0. The sentry-1.4.0-cdh5.3.2.CHANGES.txt file lists all changes included in CDH 5.3.2. The patch for each change can be found in the cloudera/patches directory in the release tarball.
Changes Not In Cloudera authorization component 1.4.0
Sentry
Bug
- [SENTRY-575] - Table GRANTS should not Override Database GRANT in the Sentry HDFS plugin
- [SENTRY-573] - Fix NPE caused when rename op is applied on authzObject with no explicit permissions
- [SENTRY-564] - Sentry metastore upgrade order is computed incorrectly
- [SENTRY-544] - Do not add non HDFS path updates in Hive meta store Sentry plugin for HDFS sync
- [SENTRY-552] - Sentry Store recursive revoke of privilege levels < ALL does not properly downgrade child privileges
- [SENTRY-536] - Disable TestDPrivilegesAtFunctionScope from the cluster run profile
- [SENTRY-534] - TestRuntimeMetadataRetrieval fails intermittently
- [SENTRY-517] - MSCK REPAIR TABLE statements are not authorized
- [SENTRY-515] - [Unit test failure] TestConnectionWithTicketTimeout.testConnectionAfterTicketTimeout
- [SENTRY-513] - Sentry web service may not be stopped completely
- [SENTRY-496] - Sentry 1.5 postgres upgrade script contains incorrect upgrade file name
- [SENTRY-511] - Always enable metric collection and do not fail when all metric reporters are disabled
- [SENTRY-500] - 1.4 to 1.5 upgrade needs to handle empty strings with __NULL__
- [SENTRY-489] - Sentry DB upgrade fails on Oracle with "ORA-00905: missing keyword"
- [SENTRY-488] - Sentry list_sentry_privileges_by_authorizable API does not filter out roles/privileges for some cases.
- [SENTRY-484] - Sentry Service does not audit ip address in secure environments
- [SENTRY-482] - Fix typo in Sentry audit logs
- [SENTRY-487] - TestPrivilegesAtFunctionScope fails on the real cluster
- [SENTRY-483] - The schema upgrade script for oracle missing terminating char for nested script
- [SENTRY-445] - WITH GRANT OPTION does not allow delegated user to grant less permissive privileges
- [SENTRY-475] - SHOW GRANT ROLE from Hive always report with grant option as false
- [SENTRY-472] - Hive binding should validate URI privileges on permanent function resource URI
- [SENTRY-469] - TListSentryPrivilegesByAuthRequest API should support impersonation
- [SENTRY-466] - Return failure code when SentryClient was not successfully instantiated
- [SENTRY-447] - Fix thrift generated code related to grantor principal cleanup
- [SENTRY-396] - The logic of Thrift multiplexedProcessor registers multi processor isn't correct
- [SENTRY-409] - Do not print stack traces for SentryUserExceptions in Hive
- [SENTRY-444] - Update the schema upgrade scripts per the grantor principal changes
- [SENTRY-455] - Fixed Unit Tests: TestDbOperations#testIndexTable
- [SENTRY-454] - Hive metadata changes syncup with Sentry store should not run in error cases
- [SENTRY-452] - Uri tests failing on real cluster
- [SENTRY-450] - Add new Hive UDFs to the whitelist
- [SENTRY-118] - cast udf should be added to sentry udf whitelist for hive
- [SENTRY-430] - Sentry Service does not use correct classpath when HIVE_HOME environment var is defined
- [SENTRY-423] - Hive command "SHOW TABLE EXTENDED LIKE... " failed with NPE
- [SENTRY-446] - Missing comma in mysql 1.5 script
- [SENTRY-441] - Improve the message for SemanticException
- [SENTRY-443] - "Show roles" regressed after Sentry-417
- [SENTRY-380] - Clean up some grantorPrincipal semantics
- [SENTRY-417] - Allow all users "Show role GRANT" as long as they belong to that group
- [SENTRY-421] - Metastore binding is not constructing in fully qualified URI sentry recognizable format
- [SENTRY-424] - Rat check occasionally failing after derby upgrade
- [SENTRY-425] - Reduce logging verbosity in SentryPolicyServiceClient when creating new connections
- [SENTRY-412] - Sentry script should support an option to print product version
- [SENTRY-431] - Sentry db provider client should attempt to refresh kerberos ticket before connection
- [SENTRY-428] - Sentry service should periodically renew the server kerberos ticket
- [SENTRY-407] - Add schema upgrade script to handle schema changes in 1.5
- [SENTRY-416] - TestConfigTool.testQueryPermissions regressed
- [SENTRY-318] - Allow all users "Show GRANT" as long as they have the grant on that role.
- [SENTRY-208] - [flaky tests] Tests in TestSentryServiceIntegration and TestSentryStore often fail with "No current connection"
- [SENTRY-368] - Remove unused field in SentryPolicyServiceClient.java
- [SENTRY-381] - Define jackson.version
- [SENTRY-338] - Sentry policy import tool adds non-compatible comments to grant privilege statements
- [SENTRY-411] - Alter table set location does not strictly check for URI privileges
- [SENTRY-388] - Solr Binding initKerberos should use supplied Configuration
- [SENTRY-362] - When sentry integrate into solr, the create instance of backend needs configure parameters from solrAuthzConf not hadoopConf
- [SENTRY-339] - Remove PrivilegeName column and constructPrivilegeName() function
Improvement
- [SENTRY-359] - Support Sentry service API to retrieve applicable privileges for a given authorizable object
- [SENTRY-420] - TestMovingtoProduction fails on real cluster
- [SENTRY-406] - Support "WITH GRANT OPTION" for the audit log
- [SENTRY-327] - Support auth admin delegation via SQL construct 'with grant option'
- [SENTRY-367] - Add end to end tests for audit log
- [SENTRY-346] - Create new FileAppender used in log4j to keep all the logs
- [SENTRY-347] - Generate the audit log in Json format
- [SENTRY-326] - Add support for Hive 0.13
New Feature
- [SENTRY-477] - Sentry service should expose metrics
Task
- [SENTRY-230] - e2e test for doc level security to cover failure scenarios around Index level auth
- [SENTRY-354] - Test for update.distrib phase overriding
Test
- [SENTRY-383] - Add TestPrivilegeWithGrantOption to cluster test profile
- [SENTRY-47] - Tests need to clean up the databases and tables it creates
Hive
Bug
- [HIVE-8916] - Handle user@domain username under LDAP authentication