Posted to issues@sentry.apache.org by "Johndee Burks (JIRA)" <ji...@apache.org> on 2017/04/11 19:02:42 UTC
[jira] [Created] (SENTRY-1702) Revoke on Server Causes Broken URI Privilege
Johndee Burks created SENTRY-1702:
-------------------------------------
Summary: Revoke on Server Causes Broken URI Privilege
Key: SENTRY-1702
URL: https://issues.apache.org/jira/browse/SENTRY-1702
Project: Sentry
Issue Type: Bug
Components: Sentry
Environment: CDH5.9
Reporter: Johndee Burks
== Issue ==
SENTRY-281 can create a situation in which a URI privilege is not removable using revoke.
== Reproduction Steps ==
If you do the following, you end up with a privilege that cannot be revoked on a URI.
1. Create Role and Grant all on server:
{code}
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> create role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> grant all on server server1 to role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> show grant role turi;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *         |        |            |         | turi            | ROLE            | *          | false         | 1486508699269000  | --       |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
{code}
2. Grant all on URI:
{code}
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> grant all on uri "hdfs://jreposec-1.gce.cloudera.com:8020/tmp" to role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> show grant role turi;
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database                                     | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *                                            |        |            |         | turi            | ROLE            | *          | false         | 1486508699269000  | --       |
| hdfs://jreposec-1.gce.cloudera.com:8020/tmp  |        |            |         | turi            | ROLE            | *          | false         | 1491867083637000  | --       |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
{code}
3. Now revoke insert from that role on server:
{code}
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> revoke insert on server server1 from role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> show grant role turi;
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database                                     | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *                                            |        |            |         | turi            | ROLE            | select     | false         | 1491867142657000  | --       |
| hdfs://jreposec-1.gce.cloudera.com:8020/tmp  |        |            |         | turi            | ROLE            | select     | false         | 1491867142646000  | --       |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
{code}
4. Attempt to revoke the URI.
{code}
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> revoke all on uri "hdfs://jreposec-1.gce.cloudera.com:8020/tmp" from role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> revoke select on uri "hdfs://jreposec-1.gce.cloudera.com:8020/tmp" from role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> revoke insert on uri "hdfs://jreposec-1.gce.cloudera.com:8020/tmp" from role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> show grant role turi;
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database                                     | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *                                            |        |            |         | turi            | ROLE            | select     | false         | 1491867142657000  | --       |
| hdfs://jreposec-1.gce.cloudera.com:8020/tmp  |        |            |         | turi            | ROLE            | select     | false         | 1491867142646000  | --       |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
{code}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
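An audit check for the behaviour reproduced above, as an added example that is not part of the original report or of Sentry's code: it parses two `show grant role` snapshots taken around a revoke and flags a target privilege that survived the revoke, or a privilege on another scope that changed. The function names and finding labels are assumptions of this example; the sample rows are copied from the report's output.

```python
# Added example (not Sentry code): diff "show grant role" snapshots around a REVOKE.
# parse_grants / audit_revoke and the finding labels are hypothetical names.

URI = "hdfs://jreposec-1.gce.cloudera.com:8020/tmp"
SERVER_SCOPE = ("*", "", "", "")   # database, table, partition, column
URI_SCOPE = (URI, "", "", "")

# Data rows copied from the report (steps 2, 3 and 4).
STEP2 = """
| * | | | | turi | ROLE | * | false | 1486508699269000 | -- |
| hdfs://jreposec-1.gce.cloudera.com:8020/tmp | | | | turi | ROLE | * | false | 1491867083637000 | -- |
"""
STEP3 = """
| * | | | | turi | ROLE | select | false | 1491867142657000 | -- |
| hdfs://jreposec-1.gce.cloudera.com:8020/tmp | | | | turi | ROLE | select | false | 1491867142646000 | -- |
"""
STEP4 = STEP3  # the report shows identical output after the URI revokes


def parse_grants(text):
    """Return {scope: {privileges}} from beeline 'show grant role' output."""
    grants = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip +----+ borders, prompts and blank lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 7 or cells[0] == "database":
            continue  # header row or malformed line
        grants.setdefault(tuple(cells[0:4]), set()).add(cells[6])
    return grants


def audit_revoke(before, after, target_scope):
    """Flag a revoke that left its target intact or changed another scope."""
    findings = []
    for scope in sorted(set(before) | set(after)):
        old, new = before.get(scope, set()), after.get(scope, set())
        if scope == target_scope:
            if new and new == old:
                findings.append(("revoke_had_no_effect", scope[0], sorted(new)))
        elif old != new:
            findings.append(("side_effect_on_other_scope", scope[0], sorted(new)))
    return findings


if __name__ == "__main__":
    print(audit_revoke(parse_grants(STEP2), parse_grants(STEP3), SERVER_SCOPE))
    print(audit_revoke(parse_grants(STEP3), parse_grants(STEP4), URI_SCOPE))
```
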