Posted to issues@sentry.apache.org by "Johndee Burks (JIRA)" <ji...@apache.org> on 2017/04/11 19:02:42 UTC

[jira] [Created] (SENTRY-1702) Revoke on Server Causes Broken URI Privilege

Johndee Burks created SENTRY-1702:
-------------------------------------

             Summary: Revoke on Server Causes Broken URI Privilege
                 Key: SENTRY-1702
                 URL: https://issues.apache.org/jira/browse/SENTRY-1702
             Project: Sentry
          Issue Type: Bug
          Components: Sentry
         Environment: CDH5.9
            Reporter: Johndee Burks


== Issue ==

SENTRY-281 can create a situation in which a URI privilege is not removable using revoke. 

== Reproduction Steps ==

If you do the following you end up with a privilege that cannot be revoked on a URI. 

1. Create Role and Grant all on server:

{code}
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> create role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> grant all on server server1 to role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> show grant role turi;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *         |        |            |         | turi            | ROLE            | *          | false         | 1486508699269000  | --       |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
{code}

2. Grant all on URI: 

{code}
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> grant all on uri "hdfs://jreposec-1.gce.cloudera.com:8020/tmp" to role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> show grant role turi;
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
|                   database                   | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *                                            |        |            |         | turi            | ROLE            | *          | false         | 1486508699269000  | --       |
| hdfs://jreposec-1.gce.cloudera.com:8020/tmp  |        |            |         | turi            | ROLE            | *          | false         | 1491867083637000  | --       |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
{code}

3. Now revoke insert from that role on the server:

{code}
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> revoke insert on server server1 from role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> show grant role turi;
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
|                   database                   | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *                                            |        |            |         | turi            | ROLE            | select     | false         | 1491867142657000  | --       |
| hdfs://jreposec-1.gce.cloudera.com:8020/tmp  |        |            |         | turi            | ROLE            | select     | false         | 1491867142646000  | --       |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
{code}

4. Attempt to revoke the URI. 

{code}
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> revoke all on uri "hdfs://jreposec-1.gce.cloudera.com:8020/tmp" from role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> revoke select on uri "hdfs://jreposec-1.gce.cloudera.com:8020/tmp" from role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> revoke insert on uri "hdfs://jreposec-1.gce.cloudera.com:8020/tmp" from role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> show grant role turi;
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
|                   database                   | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *                                            |        |            |         | turi            | ROLE            | select     | false         | 1491867142657000  | --       |
| hdfs://jreposec-1.gce.cloudera.com:8020/tmp  |        |            |         | turi            | ROLE            | select     | false         | 1491867142646000  | --       |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
{code}
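A small check an administrator can run over the beeline output above to confirm that a revoke actually removed the URI privilege rather than trusting the absence of an error. This is an added example, not code from the report or from Sentry; the function names are assumed, and the sample table is the step 4 output copied from this issue.

```python
# Added example (not from the JIRA report or the Sentry project): parse beeline
# "show grant role" output and flag URI privileges that survive a revoke, so the
# silent failure described in SENTRY-1702 is caught by an audit step.
import re

# Sample input copied from step 4 above: the "show grant role turi" output
# after "revoke all on uri ..." was run.
AFTER_REVOKE = """\
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
|                   database                   | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *                                            |        |            |         | turi            | ROLE            | select     | false         | 1491867142657000  | --       |
| hdfs://jreposec-1.gce.cloudera.com:8020/tmp  |        |            |         | turi            | ROLE            | select     | false         | 1491867142646000  | --       |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
"""

URI_SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://")


def parse_show_grant(text):
    """Turn a beeline ASCII table into a list of row dicts keyed by header name.
    Border lines start with '+' and are skipped; the first '|' line is the header."""
    rows = [l.strip() for l in text.splitlines() if l.lstrip().startswith("|")]
    if not rows:
        return []
    cells = lambda line: [c.strip() for c in line.strip("|").split("|")]
    header = cells(rows[0])
    return [dict(zip(header, cells(r))) for r in rows[1:]]


def uri_privileges(grants):
    """Sentry lists URI grants in the 'database' column as a scheme://... value,
    while server-wide grants show up as '*'."""
    return [g for g in grants if URI_SCHEME.match(g["database"])]


def lingering_after_revoke(text, uri):
    """Privilege actions still granted on `uri` after the revoke ran.
    A non-empty result means the revoke did not take effect and the role
    still has filesystem access that the administrator believes is gone."""
    return [g["privilege"] for g in uri_privileges(parse_show_grant(text))
            if g["database"] == uri]


if __name__ == "__main__":
    left = lingering_after_revoke(AFTER_REVOKE, "hdfs://jreposec-1.gce.cloudera.com:8020/tmp")
    print("URI privileges surviving revoke:", left)  # ['select'] for the sample above
```

Run the same check against the output of a fresh `show grant role` after every revoke on a URI; any non-empty result should be treated as a finding until the privilege is confirmed gone.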
