Posted to dev@sentry.apache.org by Xiaomeng Huang <xi...@intel.com> on 2015/01/20 04:06:19 UTC

Re: Review Request 29141: SENTRY-473: Support revoking privilege with grant option

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/29141/
-----------------------------------------------------------

(Updated January 20, 2015, 3:06 a.m.)


Review request for sentry, Arun Suresh, Lenni Kuff, Prasad Mujumdar, and Sravya Tirukkovalur.


Bugs: SENTRY-473
    https://issues.apache.org/jira/browse/SENTRY-473


Repository: sentry


Description
-------

As the Hive version changes to Hive 0.15, we should support revoking a privilege with grant option, like:
REVOKE [GRANT OPTION FOR]
    priv_type [, priv_type ] ...
    ON table_or_view_name
    FROM principal_specification [, principal_specification] ... ;
We should support downgrading the grant option for "GRANT OPTION FOR". It means that when "GRANT OPTION FOR" is set, we just modify the grant option of this privilege from true to false.
Use cases:
1. grant ALL on database db1 to role role1;
2. grant ALL on database db1 to role role2 with grant option;
3. revoke grant option for ALL on database db1 from role role1;
4. revoke grant option for ALL on database db1 from role role2;
5. revoke ALL on database db1 from role role2;
After the 3rd command is executed, role1 still has the privilege with action ALL on db1, and its grant option is false.
After the 4th command is executed, role2's privilege is downgraded so that its grant option is false.
After the 5th command is executed, the privilege with action ALL on db1 is removed from role2.


Diffs
-----

  sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java 69e97a6 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java 5898b7e 
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java f98e853 
  sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift 993ea46 
  sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java 8fbe3f4 
  sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java 4a6cac9 
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java 5c49f98 

Diff: https://reviews.apache.org/r/29141/diff/


Testing
-------

Test cases are included.


Thanks,

Xiaomeng Huang


Re: Review Request 29141: SENTRY-473: Support revoking privilege with grant option

Posted by Xiaomeng Huang <xi...@intel.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/29141/#review76703
-----------------------------------------------------------



sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
<https://reviews.apache.org/r/29141/#comment124333>

    Yes, thanks for pointing this out!



sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
<https://reviews.apache.org/r/29141/#comment124334>

    Sure, it makes sense to me. Now I don't support revoking a child action with grant option. I will file a jira to track this improvement.


- Xiaomeng Huang




Re: Review Request 29141: SENTRY-473: Support revoking privilege with grant option

Posted by Xiaomeng Huang <xi...@intel.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/29141/
-----------------------------------------------------------

(Updated March 17, 2015, 3:43 a.m.)


Review request for sentry, Arun Suresh, Lenni Kuff, Prasad Mujumdar, and Sravya Tirukkovalur.


Changes
-------

Fixed comments from dapeng


Bugs: SENTRY-473
    https://issues.apache.org/jira/browse/SENTRY-473


Repository: sentry


Description
-------

As the Hive version changes to Hive 0.15, we should support revoking a privilege with grant option, like:
REVOKE [GRANT OPTION FOR]
    priv_type [, priv_type ] ...
    ON table_or_view_name
    FROM principal_specification [, principal_specification] ... ;
We should support downgrading the grant option for "GRANT OPTION FOR". It means that when "GRANT OPTION FOR" is set, we just modify the grant option of this privilege from true to false.
Use cases:
1. grant ALL on database db1 to role role1;
2. grant ALL on database db1 to role role2 with grant option;
3. revoke grant option for ALL on database db1 from role role1;
4. revoke grant option for ALL on database db1 from role role2;
5. revoke ALL on database db1 from role role2;
After the 3rd command is executed, role1 still has the privilege with action ALL on db1, and its grant option is false.
After the 4th command is executed, role2's privilege is downgraded so that its grant option is false.
After the 5th command is executed, the privilege with action ALL on db1 is removed from role2.


Diffs (updated)
-----

  sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java 2a60a23 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java 5898b7e 
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java d7937d0 
  sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift 993ea46 
  sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java 35319db 
  sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java 02c7535 
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java 5c49f98 

Diff: https://reviews.apache.org/r/29141/diff/


Testing
-------

Test cases are included.


Thanks,

Xiaomeng Huang


Re: Review Request 29141: SENTRY-473: Support revoking privilege with grant option

Posted by Dapeng Sun <da...@intel.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/29141/#review68688
-----------------------------------------------------------

Ship it!



sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java
<https://reviews.apache.org/r/29141/#comment124327>

    Hi Xiaomeng, I think there should be a comment here for the case where grantOption is null



sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
<https://reviews.apache.org/r/29141/#comment124328>

    Hi Xiaomeng
    I think we should file a jira to improve **downgradePrivilegeGrantOption** in the future, for cases like:
    grant db1->tb1->All->grantOption, revoke grantOption of db1->tb1->Select


Hi Xiaomeng, the feature looks good to me, please also help to file a jira for the improvement.

- Dapeng Sun
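
Added example (not part of the original thread and not Sentry's code): a toy model of the semantics in the review description, run through its five use cases and then through the reviewer's db1->tb1 case. The class, its methods, role3 and the exact-match lookup are assumptions for illustration; the patch's actual behaviour for a child action is not shown in this thread.

```java
import java.util.*;

// Toy privilege store (hypothetical; this is not Sentry's SentryStore).
public class GrantOptionModel {
    // Key "role|scope|action" -> grant option flag.
    private final Map<String, Boolean> privs = new HashMap<>();

    private static String key(String role, String scope, String action) {
        return role + "|" + scope + "|" + action;
    }

    void grant(String role, String scope, String action, boolean withGrantOption) {
        privs.put(key(role, scope, action), withGrantOption);
    }

    // REVOKE [GRANT OPTION FOR]: downgrade the flag, or drop the privilege.
    void revoke(String role, String scope, String action, boolean grantOptionOnly) {
        String k = key(role, scope, action);
        if (!privs.containsKey(k)) return;         // exact match only (assumption)
        if (grantOptionOnly) privs.put(k, false);  // true -> false, privilege kept
        else privs.remove(k);                      // privilege removed
    }

    String show(String role, String scope, String action) {
        Boolean g = privs.get(key(role, scope, action));
        return g == null ? "none" : "held, grantOption=" + g;
    }

    public static void main(String[] args) {
        GrantOptionModel m = new GrantOptionModel();
        m.grant("role1", "db1", "ALL", false);   // use case 1
        m.grant("role2", "db1", "ALL", true);    // use case 2
        m.revoke("role1", "db1", "ALL", true);   // use case 3
        System.out.println("after 3: role1 " + m.show("role1", "db1", "ALL"));
        m.revoke("role2", "db1", "ALL", true);   // use case 4
        System.out.println("after 4: role2 " + m.show("role2", "db1", "ALL"));
        m.revoke("role2", "db1", "ALL", false);  // use case 5
        System.out.println("after 5: role2 " + m.show("role2", "db1", "ALL"));

        // Reviewer's case: ALL with grant option on db1->tb1, then
        // REVOKE GRANT OPTION FOR SELECT. No exact SELECT row exists, so
        // the ALL row keeps its grant option and still covers SELECT.
        m.grant("role3", "db1.tb1", "ALL", true);
        m.revoke("role3", "db1.tb1", "SELECT", true);
        System.out.println("child: role3 " + m.show("role3", "db1.tb1", "ALL"));
    }
}
```

In this model the last revoke changes nothing, so an administrator who believes role3 can no longer delegate SELECT on tb1 would be wrong; auditing for that means listing the parent ALL row, not only the action named in the REVOKE.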




Re: Review Request 29141: SENTRY-473: Support revoking privilege with grant option

Posted by Xiaomeng Huang <xi...@intel.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/29141/
-----------------------------------------------------------

(Updated March 12, 2015, 9:38 a.m.)


Review request for sentry, Arun Suresh, Lenni Kuff, Prasad Mujumdar, and Sravya Tirukkovalur.


Changes
-------

rebased


Bugs: SENTRY-473
    https://issues.apache.org/jira/browse/SENTRY-473


Repository: sentry


Description
-------

As the Hive version changes to Hive 0.15, we should support revoking a privilege with grant option, like:
REVOKE [GRANT OPTION FOR]
    priv_type [, priv_type ] ...
    ON table_or_view_name
    FROM principal_specification [, principal_specification] ... ;
We should support downgrading the grant option for "GRANT OPTION FOR". It means that when "GRANT OPTION FOR" is set, we just modify the grant option of this privilege from true to false.
Use cases:
1. grant ALL on database db1 to role role1;
2. grant ALL on database db1 to role role2 with grant option;
3. revoke grant option for ALL on database db1 from role role1;
4. revoke grant option for ALL on database db1 from role role2;
5. revoke ALL on database db1 from role role2;
After the 3rd command is executed, role1 still has the privilege with action ALL on db1, and its grant option is false.
After the 4th command is executed, role2's privilege is downgraded so that its grant option is false.
After the 5th command is executed, the privilege with action ALL on db1 is removed from role2.


Diffs (updated)
-----

  sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java 2a60a23 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java 5898b7e 
  sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java d7937d0 
  sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift 993ea46 
  sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java 35319db 
  sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java 02c7535 
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java 5c49f98 

Diff: https://reviews.apache.org/r/29141/diff/


Testing
-------

Test cases are included.


Thanks,

Xiaomeng Huang