Apache Sentry v1.7.0 发布
jopen 8年前
<p style="text-align: center;"><img alt="" src="https://simg.open-open.com/show/76520c536c3386079d03345ed8068ba2.png" /></p> <p> </p> <p>Apache Sentry是Cloudera公司发布的一个Hadoop开源组件,它提供了细粒度级、基于角色的授权以及多租户的管理模式。Hadoop在文件系统层面有强安全策略,但缺乏对数据和BI应用细粒度的权限访问支持。这个问题使得Hadoop使用者面临两种抉择:要么暴露全部数据,要么控制所有数据。大部分情况下,用户选择后者,这严重约束Hadoop集群上数据的访问。Sentry提供角色级别的数据权限访问,可以进行细粒度权限划分。</p> <p style="text-align: center;"><img alt="" src="https://simg.open-open.com/show/8a04103cded7c54f1d858a0ddb96bcf5.png" /></p> <p style="text-align: center;"><strong>Sentry架构图</strong></p> <h2>更新日志</h2> <h3>改进</h3> <ul> <li>[SENTRY-520] - Use the 推ter Bootstrap kit (or similar) to beautify the Sentry Service webpage</li> <li>[SENTRY-565] - Improve performance of filtering Hive SHOW commands</li> <li>[SENTRY-685] - Refactor Sentry HDFS plugin to work with new Hadoop interface</li> <li>[SENTRY-832] - Clean dependences of sentry-provider-db</li> <li>[SENTRY-870] - Create UpdateForwarders for paths and permissions</li> <li>[SENTRY-913] - Thread safe improvement for sqoop binding singleton</li> <li>[SENTRY-934] - Update plugin versions</li> <li>[SENTRY-952] - Update source to JDK 7</li> <li>[SENTRY-957] - Exceptions in MetastoreCacheInitializer should probably not prevent HMS from starting up</li> <li>[SENTRY-970] - Use random free port for Sqoop tests</li> <li>[SENTRY-972] - Include sentry-tests-hive hadoop test script in maven project</li> <li>[SENTRY-973] - Bump hamcrest version</li> <li>[SENTRY-979] - Speed up the build (a bit)</li> <li>[SENTRY-986] - Apply PMD plugin to Sentry source</li> <li>[SENTRY-993] - list_sentry_privileges_by_authorizable() gone in API v2</li> <li>[SENTRY-1006] - Add user manual for simple shell</li> <li>[SENTRY-1015] - Improve Sentry + Hive error message when user does not have sufficient privileges to perform an operation</li> <li>[SENTRY-1021] - Add PMD to Sentry tests</li> <li>[SENTRY-1036] - Move ProviderConstants from sentry-provider-common to sentry-policy-common</li> <li>[SENTRY-1048] - Fix "Critical" issues identified by analysis.apache.org</li> <li>[SENTRY-1051] - The policy Privilege implementations could be consolidated</li> <li>[SENTRY-1052] - Sentry shell should use kerberos requestor and give better error messages for kerberos failures</li> <li>[SENTRY-1065] - Make SentryNoSuchObjectException exception error message consistent across all files </li> <li>[SENTRY-1078] - Add servlet for dumping configurations</li> <li>[SENTRY-1088] - PathsUpdate should log invalid paths to make troubleshooting easier </li> <li>[SENTRY-1119] - Allow data engines to specify the ActionFactory from configuration</li> <li>[SENTRY-1121] - Update Jetty version</li> <li>[SENTRY-1135] - Remove deprecated junit.framework dependencies</li> <li>[SENTRY-1136] - Remove /Ping and /HealthCheck from Sentry Service Webpage</li> </ul> <h3>新功能</h3> <ul> <li>[SENTRY-498] - Sentry integration with Hive authorization framework V2</li> <li>[SENTRY-749] - Create simple shell for sentry</li> <li>[SENTRY-812] - Generate audit trail for Sentry generic model when authorization metadata change </li> <li>[SENTRY-906] - Add concurrency sentry client tests</li> <li>[SENTRY-995] - Simple Solr Shell</li> <li>[SENTRY-1130] - Upgrade Hive plugin v2 for hive 2.0.0</li> </ul> <p>Bug修复</p> <ul> <li>[SENTRY-677] - Make the Sentry DB provider RPC methods synchronized</li> <li>[SENTRY-768] - [Improve error handling] Handle cases when getGroups throws an exception</li> <li>[SENTRY-769] - [Improve error handling] Make sure groups in list_sentry_privileges_for_provider is not empty</li> <li>[SENTRY-826] - TRUNCATE on empty partitioned table in Hive fails</li> <li>[SENTRY-835] - Drop table leaves a connection open when using metastorelistener</li> <li>[SENTRY-837] - Distributed path update counters in Sentry are indefinitely incremented</li> <li>[SENTRY-878] - collect_list missing from HIVE_UDF_WHITE_LIST</li> <li>[SENTRY-881] - Allow some metadata operations with column-level privileges</li> <li>[SENTRY-884] - Give execute permission by default to paths managed by sentry</li> <li>[SENTRY-885] - DB name should be case insensitive in HDFS sync plugin</li> <li>[SENTRY-886] - HDFSIntegration test testAccessToTableDirectory should wait for cache refresh before verification</li> <li>[SENTRY-888] - Exceptions in Callable tasks in MetaStoreCacheInitializer are being dropped</li> <li>[SENTRY-890] - Fix TestDbOperations.testAllOnTable on real clusters</li> <li>[SENTRY-892] - parsePath should handle empty paths well</li> <li>[SENTRY-893] - Synchronize calls in SentryClient and create sentry client once per request in SimpleDBProvider</li> <li>[SENTRY-900] - User could access sentry metric info by curl without authorization</li> <li>[SENTRY-904] - Set max message size for thrift messages</li> <li>[SENTRY-914] - Sentry default webserver port needs to change out of ephemeral port range</li> <li>[SENTRY-922] - INSERT OVERWRITE DIRECTORY permission not working correctly</li> <li>[SENTRY-923] - Fix SentryStore getPrivileges when table require "some"</li> <li>[SENTRY-932] - TestColumnEndToEnd error check should non-case sensitive</li> <li>[SENTRY-936] - getGroup and getUser should always return orginal hdfs values for paths in prefix which are not sentry managed</li> <li>[SENTRY-944] - Setting HDFS rules on Sentry managed hdfs paths should not affect original hdfs rules</li> <li>[SENTRY-945] - Avoid logging all DataNucleus queries when debug logging is enabled</li> <li>[SENTRY-953] - External Partitions which are referenced by more than one table can cause some unexpected behavior with Sentry HDFS sync</li> <li>[SENTRY-960] - Use hive.server2.builtin.udf.blacklist</li> <li>[SENTRY-962] - Fix SentryStore getPrivileges when column require "some"</li> <li>[SENTRY-965] - Solr /terms request handler broken because of components declaration</li> <li>[SENTRY-966] - SqoopAuthBindingSingleton uses bad double check locking idiom</li> <li>[SENTRY-968] - Uri check needs to be case sensitive</li> <li>[SENTRY-971] - Add profile to enable Hive AuthZ v2</li> <li>[SENTRY-974] - create a sentry test data dump to facilite sentry scale tests</li> <li>[SENTRY-981] - Fix the error in integration tests</li> <li>[SENTRY-988] - It's better to let SentryAuthorization setter path always fall through and update HDFS</li> <li>[SENTRY-989] - RealTimeGet with explicit ids can bypass document level authorization</li> <li>[SENTRY-991] - Roles of Sentry Permission needs to be case insensitive</li> <li>[SENTRY-994] - SentryAuthorizationInfoX should override isSentryManaged</li> <li>[SENTRY-997] - Update HiveAuthorizer of Sentry after HiveAuthorizer interface changes</li> <li>[SENTRY-998] - TestSentryShellHive test failure with JDK 8</li> <li>[SENTRY-1002] - PathsUpdate.parsePath(path) will throw an NPE when parsing relative paths</li> <li>[SENTRY-1003] - Support "reload" by updating the classpath of Sentry function aux jar path during runtime</li> <li>[SENTRY-1007] - Sentry column-level performance for wide tables</li> <li>[SENTRY-1008] - Path should be not be updated if the create/drop table/partition event fails</li> <li>[SENTRY-1009] - Improve TestDatabaseProvider to validate test object names instead of validating vague numbers.</li> <li>[SENTRY-1010] - Sentry column-level performance for wide tables for 1.5.1</li> <li>[SENTRY-1018] - HiveServer is not properly shutdown cause BindException in TestServerConfiguration</li> <li>[SENTRY-1027] - Fix PMD error for unused field when enable Hive authz V2</li> <li>[SENTRY-1035] - Generic service does not handle group name casing correctly</li> <li>[SENTRY-1037] - Set "hadoop.security.authentication" to "kerberos" in the Generic Client</li> <li>[SENTRY-1039] - Sentry shell tests assume order of option group privileges</li> <li>[SENTRY-1044] - Tables with non-hdfs locations breaks HMS startup</li> <li>[SENTRY-1046] - Hive Auxiliary JARs Directory is not working when Sentry is enabled: Caused by: java.lang.ClassNotFoundException</li> <li>[SENTRY-1050] - Improve clearAll method to avoid throwing exceptions because of deleting objects created outside of tests.</li> <li>[SENTRY-1054] - Updated Apache Shiro dependency</li> <li>[SENTRY-1055] - Sentry service solr constants refer to clusters rather than services</li> <li>[SENTRY-1058] - Duplicate junit versions in the root pom</li> <li>[SENTRY-1059] - 'dependencies.dependency.version' for org.apache.sentry:sentry-core-model-kafka:jar is missing. @ line 42, column 17</li> <li>[SENTRY-1060] - Improve the SentryAuthFilter error message when authentication failure</li> <li>[SENTRY-1064] - Fix TestDbOperations#testCaseSensitivity</li> <li>[SENTRY-1066] - Sentry oracle upgrade script failed with ORA-0955 duplicate name issue</li> <li>[SENTRY-1071] - Update thrift gen-file with maven plugin</li> <li>[SENTRY-1077] - create a wiki to describe how to run scale script to prepare data and how to run sentry hive e2e tests on the cluster</li> <li>[SENTRY-1087] - Capture URI when using Hive Serdes</li> <li>[SENTRY-1095] - Insert into requires URI privilege on partition location under table.</li> <li>[SENTRY-1096] - Fix TestDbOperations#testCaseSensitivity failure on a real cluster</li> <li>[SENTRY-1097] - Fix compilation errors from SentryGenericPolicyProcessor</li> <li>[SENTRY-1099] - JDK8 autoboxing compilation failure</li> <li>[SENTRY-1105] - Fix unittest TestMetastoreEndToEnd.testAddPartion</li> <li>[SENTRY-1111] - Apache Sentry should depend on the same version of metrics-core as hadoop</li> <li>[SENTRY-1112] - Change default value of "sentry.hive.server" to empty string</li> <li>[SENTRY-1114] - Wrong classname and incorrect _CMD_JAR var in sentryShell</li> <li>[SENTRY-1116] - Fix PMD violation for Sentry tests after missing commits</li> <li>[SENTRY-1122] - Allow Solr Audit Log to Read Impersonator Info</li> <li>[SENTRY-1128] - Add metastore_db to .gitignore</li> <li>[SENTRY-1155] - Add waiting time for getMetastoreClient for avoiding metastore isn't ready</li> <li>[SENTRY-1156] - TestDbColumnLevelMetaDataOps should add `use database` for user session created</li> <li>[SENTRY-1157] - Fix Unit Tests TestAclsCrud&TestAuthorize failed</li> <li>[SENTRY-1164] - Fix testCaseSensitivity test failure on a real cluster</li> <li>[SENTRY-1169] - MetastorePlugin#renameAuthzObject log message prints oldpathname as newpathname</li> <li>[SENTRY-1217] - NPE for list_sentry_privileges_by_authorizable when activeRoleSet is not set</li> <li>[SENTRY-1234] - JDO exception for list_sentry_privileges_by_authorizable </li> </ul> <p>更多日志:<a href="/misc/goto?guid=4958991544943081075">CHANGELOG.txt</a></p> <h2>下载</h2> <ul> <li><a href="/misc/goto?guid=4958991545041436596" rel="nofollow"><strong>Source code</strong> (zip)</a></li> <li><a href="/misc/goto?guid=4958991545132261420" rel="nofollow"><strong>Source code</strong> (tar.gz)</a></li> <li><a href="/misc/goto?guid=4958991545233408428">apache-sentry-1.7.0-src.tar.gz</a></li> </ul>