[iceberg-hive-metastore] Support setting individual and group ownership for Namespace #6045
Conversation
hive-metastore/src/main/java/org/apache/iceberg/hive/HiveCatalog.java
Outdated
Show resolved
Hide resolved
hive-metastore/src/main/java/org/apache/iceberg/hive/HiveCatalog.java
Outdated
Show resolved
Hide resolved
| @@ -532,13 +536,27 @@ Database convertToDatabase(Namespace namespace, Map<String, String> meta) { | |||
|
|
|||
| database.setName(namespace.level(0)); | |||
| database.setLocationUri(databaseLocation(namespace.level(0))); | |||
| // default ownership is determined from Hadoop.UGI.currentUser | |||
There was a problem hiding this comment.
As I see it's not just createNamespace() that calls this convertToDatabase() function but it's also used in HiveCatalog.setProperties() and removeProperties(). I'm no expert here but what if user-A calls createNamespace() and then user-B calls setProperties() (but not changing the DB owner) then won't we end up unintentionally changing the DB owner as a result of convertToDatabase() setting the owner during a setProperties() as well?
There was a problem hiding this comment.
Your concern make sense.
Currently, convertToDatabase is used by createNamespace, setProperties and removeProperties.
Here is the change I propose:
- HiveCatalog.class should expose a public method named
setOwnership, it helps user setting ownership either at creation time or if they intentionally want ownership change for a namespace. LikesetProperties,setOwnershipcan be only invoked on existingNamespaces - Under the hood, only
createNamespaceandsetOwnershipcan set/alter ownership;setPropertiesandremovePropertiescannot change ownership in anyway
a. If user attempts to change ownership withsetPropertiesandremoveProperties, then they should explicitly get a RuntimeException. I'm against just silently ignoring users' attempts to change ownership withsetPropertiesandremovePropertiesbecause that does not foster the right user behavior.
Let me know what you think.
There was a problem hiding this comment.
Eventually, I made a code change so that users are allowed to alter ownership properties through setProperties and removeProperties methods. See my latest commit for more details.
hive-metastore/src/main/java/org/apache/iceberg/hive/HiveCatalog.java
Outdated
Show resolved
Hide resolved
hive-metastore/src/main/java/org/apache/iceberg/hive/HiveTableOperations.java
Outdated
Show resolved
Hide resolved
hive-metastore/src/main/java/org/apache/iceberg/hive/HiveTableOperations.java
Outdated
Show resolved
Hide resolved
hive-metastore/src/test/java/org/apache/iceberg/hive/TestHiveCatalog.java
Outdated
Show resolved
Hide resolved
hive-metastore/src/test/java/org/apache/iceberg/hive/TestHiveCatalog.java
Outdated
Show resolved
Hide resolved
hive-metastore/src/test/java/org/apache/iceberg/hive/TestHiveCatalog.java
Show resolved
Hide resolved
hive-metastore/src/test/java/org/apache/iceberg/hive/TestHiveCatalog.java
Show resolved
Hide resolved
|
Thanks for this patch, @haizhou-zhao! I managed to go through the changes and left some comments. Hope they make sense. |
|
Took a look with @haizhou-zhao , I think we can make the following changes with to make this patch more mergeable and address some of the review comments:
So then the change will only set owner, type on HiveDb for createNamespace, if the user passes it in via properties. Owner will take from user.name if that is not passed it. This will make createNamespace in line with the createTable behavior today. |
haizhou-zhao
changed the title
There was a problem hiding this comment.
I think looks much simpler now, thanks @haizhou-zhao . Some comments
hive-metastore/src/main/java/org/apache/iceberg/hive/HiveCatalog.java
Outdated
Show resolved
Hide resolved
hive-metastore/src/test/java/org/apache/iceberg/hive/TestHiveCatalog.java
Outdated
Show resolved
Hide resolved
hive-metastore/src/test/java/org/apache/iceberg/hive/TestHiveCatalog.java
Outdated
Show resolved
Hide resolved
haizhou-zhao
changed the title
There was a problem hiding this comment.
Reducing the scope of this patch was a great idea, @haizhou-zhao! It is way more readable this way. I've left some comments but nothing really serious. What do you think?
| String expectedOwner = "apache"; | ||
| PrincipalType expectedOwnerType = PrincipalType.USER; |
There was a problem hiding this comment.
nit: I think its more readable to not introduce variables here for the expected result but provide the expected values right at the test runner function call. Might be only a personal preference, though.
There was a problem hiding this comment.
Not sure if I get your suggestion exactly. Do you mean using parameterized junit test here?
There was a problem hiding this comment.
No, what I meant is to instead of this:
String expectedOwner = "apache"; PrincipalType expectedOwnerType = PrincipalType.USER; createNamespaceAndVerifyOwnership("userOwnership", prop, expectedOwner, expectedOwnerType);
we could have this:
createNamespaceAndVerifyOwnership( "userOwnership", prop, "apache", PrincipalType.USER);
Might be personal preference. Let me know if you feel that this wouldn't improve readability.
There was a problem hiding this comment.
Got it. I'll make the change
|
|
||
| createNamespaceAndVerifyOwnership("ownedByDefaultUser", prop, expectedOwner, expectedOwnerType); | ||
|
|
||
| prop = ImmutableMap.of(TableProperties.HMS_DB_OWNER_TYPE, PrincipalType.GROUP.name()); |
There was a problem hiding this comment.
Just thinking out loud, but shouldn't we indicate failure if only the owner type is set without the owner, instead of silently omitting it?
There was a problem hiding this comment.
Yes, let's add a precondition check to forbid setting owner type without setting owner.
hive-metastore/src/test/java/org/apache/iceberg/hive/TestHiveCatalog.java
Outdated
Show resolved
Hide resolved
| removeNamespaceOwnershipAndVerify("remove_group_ownership", prop); | ||
| } | ||
|
|
||
| private void removeNamespaceOwnershipAndVerify(String name, Map<String, String> prop) |
There was a problem hiding this comment.
This test has a precondition in a sense that prop is expected to hold some username and owner type that is going to be used when creating a namespace. For reflecting this I'd add an extra check right after the createNamespace() call that these are reflected in the DB ownership (before we remove these properties).
There was a problem hiding this comment.
Let's allow the test to execute on databases without ownership.
In case customer removes ownership on databases which does not have any ownership set (ownership equals default value), then it's a noop (ownership stays with default).
There was a problem hiding this comment.
see the "remove_ownership_noop" test case at line 593 above.
There was a problem hiding this comment.
I think you got me wrong. I just wanted to say that when you call catalog.createNamespace() at L619 then you immediately call catalog.removeNamespace(). To be on the safe side I'd add an extra check between these two steps that right after creating the namespace the owner and owner type are as expected.
There was a problem hiding this comment.
I see what you mean, make sense
| @@ -360,5 +360,7 @@ private TableProperties() {} | |||
| public static final String UPSERT_ENABLED = "write.upsert.enabled"; | |||
| public static final boolean UPSERT_ENABLED_DEFAULT = false; | |||
|
|
|||
| public static final String HMS_TABLE_OWNER = "hms_table_owner"; | |||
| public static final String HMS_TABLE_OWNER = "hive.metastore.table.owner"; | |||
There was a problem hiding this comment.
@haizhou-zhao thanks for updating the property names, but now looking more closely at how these are used, I don't think they should live in the class.
Two of the properties are database properties (not table properties) and they are all hive specific. We're trying to keep the properties here isolated to general properties for tables (I know there are a few spark ones, but they should probably move as well).
I think it makes sense just to put these as properties in the HiveCatalog class or create a HiveCatalogProperties to encapsulate these behaviors.
Other than that, this looks good.
There was a problem hiding this comment.
thanks @danielcweeks , I'll put them in HiveCatalog class.
There was a problem hiding this comment.
What I'm not sure about is if we release 1.1.0 now with HMS_TABLE_OWNER = "hms_table_owner" but then we change this property to "hive.metastore.table.owner" then when this patch gets released (most probably in 1.2.0) wouldn't it be a breaking change?
@danielcweeks could you please share your view on this?
There was a problem hiding this comment.
If this goes in before cutting 1.1, we're fine. If it goes in after, then we just need to mark that deprecated for removal in 1.2.
There was a problem hiding this comment.
Just to be on the safe side I opened a one-liner PR to rename the HMS_TABLE_OWNER that we can squeeze into 1.1.0 easier and once that's in we don't have to break backward compatibility.
#6154
hive-metastore/src/main/java/org/apache/iceberg/hive/HiveCatalog.java
Outdated
Show resolved
Hide resolved
hive-metastore/src/main/java/org/apache/iceberg/hive/HiveCatalog.java
Outdated
Show resolved
Hide resolved
| @@ -360,5 +360,7 @@ private TableProperties() {} | |||
| public static final String UPSERT_ENABLED = "write.upsert.enabled"; | |||
| public static final boolean UPSERT_ENABLED_DEFAULT = false; | |||
|
|
|||
| public static final String HMS_TABLE_OWNER = "hms_table_owner"; | |||
| public static final String HMS_TABLE_OWNER = "hive.metastore.table.owner"; | |||
There was a problem hiding this comment.
What I'm not sure about is if we release 1.1.0 now with HMS_TABLE_OWNER = "hms_table_owner" but then we change this property to "hive.metastore.table.owner" then when this patch gets released (most probably in 1.2.0) wouldn't it be a breaking change?
@danielcweeks could you please share your view on this?
| String expectedOwner = "apache"; | ||
| PrincipalType expectedOwnerType = PrincipalType.USER; |
There was a problem hiding this comment.
No, what I meant is to instead of this:
String expectedOwner = "apache"; PrincipalType expectedOwnerType = PrincipalType.USER; createNamespaceAndVerifyOwnership("userOwnership", prop, expectedOwner, expectedOwnerType);
we could have this:
createNamespaceAndVerifyOwnership( "userOwnership", prop, "apache", PrincipalType.USER);
Might be personal preference. Let me know if you feel that this wouldn't improve readability.
| removeNamespaceOwnershipAndVerify("remove_group_ownership", prop); | ||
| } | ||
|
|
||
| private void removeNamespaceOwnershipAndVerify(String name, Map<String, String> prop) |
There was a problem hiding this comment.
I think you got me wrong. I just wanted to say that when you call catalog.createNamespace() at L619 then you immediately call catalog.removeNamespace(). To be on the safe side I'd add an extra check between these two steps that right after creating the namespace the owner and owner type are as expected.
|
|
||
| prop = ImmutableMap.of(); | ||
|
|
||
| removeNamespaceOwnershipAndVerify("remove_ownership_noop", prop); |
There was a problem hiding this comment.
This tests that what happens when there is no specific owner/ownertype set for the namespace but then we try to remove them, right?
What would also be beneficial in my opinion is to create the namespace with some owner and then run a noop remove and check if the owner is still the same what we provided during creation.
There was a problem hiding this comment.
Thanks for another round of changes!
I mainly have 2 main comments:
- I made another PR to change the HMS_TABLE_OWNER value to follow the naming convention. It got merged so a rebase could be useful here. As a result we shouldn't worry about breaking backward compatibility anymore if this PR doesn't make it into 1.1.0.
- The use cases when the DB_OWNER is not given but DB_OWNER_TYPE is given seems a bit off to me. I left some further explanation in comments.
|
|
||
| createNamespaceAndVerifyOwnership( | ||
| "default_ownership_2", | ||
| ImmutableMap.of(HiveCatalog.HMS_DB_OWNER_TYPE, PrincipalType.USER.name()), |
There was a problem hiding this comment.
I believe we shouldn't differentiate between the default value and non-default value. If the owner type is given but the owner is not then we should raise an error.
| setNamespaceOwnershipAndVerify( | ||
| "change_individual_to_group_ownership_1", | ||
| ImmutableMap.of(HiveCatalog.HMS_DB_OWNER, "some_owner"), | ||
| ImmutableMap.of(HiveCatalog.HMS_DB_OWNER_TYPE, PrincipalType.GROUP.name()), |
There was a problem hiding this comment.
Shouldn't we also get an error here when setting owner type only? Is there a chance that there is going to be a user and a group with the same name? I'd bet it's highly unlikely so to keep the logic consistent I'd vote for raising an error here as well.
There was a problem hiding this comment.
Taken. Indeed, and this works with what you later suggested: have separate precondition check at each public API, not at the convertToDatabaseLevel
| "some_owner", | ||
| HiveCatalog.HMS_DB_OWNER_TYPE, | ||
| PrincipalType.GROUP.name()), | ||
| ImmutableMap.of(HiveCatalog.HMS_DB_OWNER_TYPE, PrincipalType.USER.name()), |
| PrincipalType.GROUP); | ||
|
|
||
| AssertHelpers.assertThrows( | ||
| "Setting non default value for " |
There was a problem hiding this comment.
This error message seems off from the users perspective as they tried to remove the DB_OWNER property and then they get an error message that tells about setting the DB_OWNER_TYPE property.
The problem might by implementation-wise is that these checks are in the convertToDatabase() function that is in turned called by 3 different purpose use-cases. Would it make sense to do the checks on the callsites of convertToDatabase() instead and then they could be fine tuned for the actual purpose?
There was a problem hiding this comment.
Make sense, taken.
| removeNamespaceOwnershipAndVerify( | ||
| "remove_ownership_noop_0", | ||
| ImmutableMap.of(HiveCatalog.HMS_DB_OWNER, "some_owner"), | ||
| ImmutableSet.of(HiveCatalog.HMS_DB_OWNER_TYPE), |
There was a problem hiding this comment.
In case we only remove the OWNER_TYPE is there a chance that we expect that there is going to be a USER with the same name as the GROUP has?
I feel that to keep consistency adding-removing ownership should be always using the owner only, or with the owner + owner type, but shouldn't be using owner type only.
I'm open to hear other opinions, though.
There was a problem hiding this comment.
Make sense, taken
|
@danielcweeks I made a separate PR to rename the one existing property so we won't break backward compatibility with this patch. It has already gone in #6154 so I believe this one shouldn't be a blocker for 1.1.0. |
|
Hey Gabor, Thanks for your last round of review. All your comments make sense to me and taken. Major changes in the latest commit:
|
hive-metastore/src/main/java/org/apache/iceberg/hive/HiveCatalog.java
Outdated
Show resolved
Hide resolved
hive-metastore/src/test/java/org/apache/iceberg/hive/TestHiveCatalog.java
Show resolved
Hide resolved
|
@gaborkaszab Thanks for the last round of review. I have some different opinions on whether the preconditions for createNamespace and setProperty are the same or different. Feel free to take a look at my response when you get a chance. |
| } else { | ||
| if (value != null) { | ||
| parameter.put(key, value); | ||
| } | ||
| } | ||
| }); | ||
|
|
||
| if (database.getOwnerName() == null) { | ||
| database.setOwnerName(System.getProperty("user.name")); |
There was a problem hiding this comment.
You might want to consider falling back to UserGroupInformation.getCurrentUser() as opposed to just the java user. I believe this is used in many placed by Spark and Hive to identify the current user and may be different from the process owner.
There was a problem hiding this comment.
Hi, its probably my fault here, @haizhou-zhao had this initially but it seemed there was some unresolved concern at the time : #6045 (comment) , so I actually asked @haizhou-zhao to follow what the table implementation uses for consistency , and we could change both to UserGroupInformation.getCurrentUser() later once there's consensus.
But looks like its cleared up since then, @gaborkaszab ? If so we can go ahead and use UserGroupInformation.getCurrentUser() here and then change table to be consistent as well? I also agree that it's more complete.
There was a problem hiding this comment.
I think it actually makes sense to use just user.name in other places in Iceberg since we want to avoid hard dependencies on Hadoop/Hive where possible. In this case though, Hive requires a Hadoop dependency and since this catalog is likely used in that context, UserGroupInformation seems like it would produce more consistent behavior with the Spark/Hive engine itself.
Other catalog implementation probably should not use UGI since they may be running on environments where hadoop is not available (e.g. some flink environments don't have hadoop).
There was a problem hiding this comment.
@danielcweeks I actually had conversation with both @gaborkaszab and @szehon-ho on this topic. We want to put "adding ownership support for namespaces" and "use UGI.getCurrentUser as default value" into two separate PRs. My very first version of this PR was actually a combination of both, which people felt was just too much content into a single PR for reviewing purpose. Context is: the current iceberg-hive-metastore code is using Java/OS username as default value.
Yes, I will follow up this PR with another one to switch to UGI.currentUser (yes, I agree with you that it would be a more correct default value in the Hive world comparing to Java/OS username). If you have a strong opinion on these two changes should be in one single PR, then, for sure, please let us know. Thx!
There was a problem hiding this comment.
I'm fine using UGI.currentUser() as the default I just wanted to be on the safe side and make sure we won't break any backward compatibility when we change the default during table creation.
| @@ -426,7 +426,7 @@ private Table newHmsTable(TableMetadata metadata) { | |||
| new Table( | |||
| tableName, | |||
| database, | |||
| metadata.property(TableProperties.HMS_TABLE_OWNER, System.getProperty("user.name")), | |||
| metadata.property(HiveCatalog.HMS_TABLE_OWNER, System.getProperty("user.name")), | |||
There was a problem hiding this comment.
Possibly consider UserGroupInformation.getCurrentUser() here as well.
danielcweeks
dismissed
their stale review
Original change request was addressed
I dismissed the change request because that's been addressed. Minor comments about what user to fallback to. It probably won't be an issue, but you might be able to rebase against master to drop the changes to |
|
@danielcweeks thx for your last round of review. I agree with you that UGI.currentUser is a better default owner, though I plan to make that change in a separate follow up PR. (See my reply above for more details) Also, I tried to rebase on master branch, but the change to |
The property is meant to remain in TableProperties I just renamed it in another patch. I expected this patch to move that property out from TableProperties. About using UGI.currentUser() as the default, If there is consensus we can use this, I'm fine. I just wanted to know if we break any backward compatibility if we change the default from system's "user.name" property to UGI.currentUser() for table creation. |
Sorry, somehow I missed that. Thanks! |
I'm fine separating UGI into a separate PR, but in that case we should hold off until the |
|
@danielcweeks @gaborkaszab Make sense , for this patch we should go with user.name then on Database side, to be consistent with Table? Then switch both after 1.1? Probably makes most sense from user point of view |
|
Thank you all! In that case, I'll raise a PR for UGI change later and we can merge after 1.1 release. Let me know if there's more I can do for this PR. |
|
@gaborkaszab sorry i know we are super close, but do you think we could change both to use UserGroupInformation quickly before cutting final 1.1 RC? That way no need to change behavior. |
@szehon-ho Frankly we already had 2 RCs and we'll only create a third one because of a test failure so I wouldn't add another dependency for the release and do the cut early today to get the voting going again as early as possible. |
|
Thought so, no worries :), thought it was worth a try |
There was a problem hiding this comment.
Hi thanks for getting close @haizhou-zhao , had a few minor comments for your consideration.
| @@ -365,6 +374,13 @@ public boolean dropNamespace(Namespace namespace) { | |||
|
|
|||
| @Override | |||
| public boolean setProperties(Namespace namespace, Map<String, String> properties) { | |||
| Preconditions.checkArgument( | |||
| (properties.get(HMS_DB_OWNER_TYPE) == null) == (properties.get(HMS_DB_OWNER) == null), | |||
| "Setting " | |||
There was a problem hiding this comment.
Nit: we usually use Preconditions with formatted strings, it makes it fit more easily on one line ie, ("Setting %s and %s", ...)
hive-metastore/src/main/java/org/apache/iceberg/hive/HiveCatalog.java
Outdated
Show resolved
Hide resolved
|
thanks @szehon-ho . All comments from the last round of review has been taken and committed. |
There was a problem hiding this comment.
Thanks @haizhou-zhao for those nits! Just one perhaps misunderstanding there.
| @@ -356,6 +365,11 @@ public boolean dropNamespace(Namespace namespace) { | |||
|
|
|||
| @Override | |||
| public boolean setProperties(Namespace namespace, Map<String, String> properties) { | |||
| Preconditions.checkArgument( | |||
| (properties.get(HMS_DB_OWNER_TYPE) == null) == (properties.get(HMS_DB_OWNER) == null), | |||
| String.format( | |||
There was a problem hiding this comment.
Ah sorry should have been more clear, Preconditions(..., "%s %s", myVarA, myVarB) should work, that's what I meant, no need to explicitly do String.format (see the other Iceberg uses for example)
…tion (apache#602) AWS Kms based Kms Client Implementation for envelope encryption
Draft save Add unit test Fix for compilation failure Remove some unneeded change to simplify Remove unneeded file from change Remove unneeded change Remove whitespace change Remove unneeded imports Adding unit test for invalid owner type and remove noop Moving hive properties to HiveCatalog Fix check style Misc. Unit test fix Remove unneeded change Change preconditions
|
Merged, thanks @haizhou-zhao . Thanks @gaborkaszab and @danielcweeks for extended review. |
Build on top of this PR: #5763
This is to add individual and group ownership support for namespaces in iceberg-hive-metastore module
Change list: