Posted to issues@sentry.apache.org by "kalyan kumar kalvagadda (JIRA)" <ji...@apache.org> on 2018/08/17 18:11:00 UTC

[jira] [Comment Edited] (SENTRY-2354) Beeline error message only shows first required permission that failed access check

    [ https://issues.apache.org/jira/browse/SENTRY-2354?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16584236#comment-16584236 ] 

kalyan kumar kalvagadda edited comment on SENTRY-2354 at 8/17/18 6:10 PM:
--------------------------------------------------------------------------

[~LinaAtAustin], [~spena] [~biglauer]

The issue that has been reported is that the user doesn't get a clear understanding of what privileges he/she is missing if Sentry just sends the first failure that was encountered.

The approach [~LinaAtAustin] has taken in her patch is as below.
 # Send the first privilege that is missed.
 # Also send all the subsequent required privileges (input/output).

This certainly provides more information than before but it is still not clear, as the user might have had some of the privileges we listed in the SemanticException sent back to the user. Moreover, it will be more confusing.

I think one of the below behaviors should be ideal.
 # Error should list only the privileges that the user is missing. It is certainly additional overhead on the Sentry server but will help the user understand what privilege he/she is lacking.
 ## Error could say "These are the additional privileges needed"
 # Error should list all the required privileges.
 ## Error could say "These are all the required privileges needed for this operation to succeed"

> Beeline error message only shows first required permission that failed access check
> -----------------------------------------------------------------------------------
>
>                 Key: SENTRY-2354
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2354
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: Na Li
>            Assignee: Na Li
>            Priority: Major
>         Attachments: SENTRY-2354.001.patch, SENTRY-2354.002.patch
>
>
> When multiple permissions are required by a principal for an operation in beeline to be authorized by Sentry, beeline only displays one of the needed permissions in its error message.
> For example, to execute ALTER TABLE SET LOCATION, a principal needs ALL on the location URI, and ALTER on the table. If a user's role has neither of these, beeline just displays that the role needs ALL on the location URI. Once the user role has ALL on the location URI, then beeline displays that the user role needs ALTER on the table.
> Before the role has any privileges:
> > alter table db1.table1 set location '/tmp';
> Error: Error while compiling statement: FAILED: SemanticException No valid privileges
>  User merry does not have privileges for ALTERTABLE_LOCATION
>  The required privileges: Server=server1->URI=hdfs://rogue-4.gce.com:8020/tmp->action=*; (state=42000,code=40000)
> After granting all on the location URI:
> > alter table db1.table1 set location '/tmp';
> Error: Error while compiling statement: FAILED: SemanticException No valid privileges
>  User merry does not have privileges for ALTERTABLE_LOCATION
>  The required privileges: Server=server1->Db=db1->Table=table1->action=alter; (state=42000,code=40000)
> Instead, the error message should be something like the following:
> The required privileges are all of:
> Server=server1->URI=hdfs://rogue-4.gce.com:8020/tmp->action=*;Server=server1->Db=db1->Table=table1->action=alter;



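The two behaviors proposed in the comment above (list only the missing privileges, or list all required ones), sketched as an added example that is not Sentry's code and not part of the original message. The implication rule (a grant on a parent scope, or with action `*`/`all`, covers a requirement) is a simplified assumption, and the grant in `GRANTED` is constructed.

```python
# Added example: which required Sentry-style privileges does a user lack?
# The implication rule is a simplified assumption, not Sentry's implementation.
ALL_ACTIONS = {"*", "all"}

def parse(priv):
    """Split 'Server=s->Db=d->action=a' into (scope tuple, action)."""
    scope, action = [], "*"
    for part in priv.strip().rstrip(";").split("->"):
        key, _, value = part.partition("=")
        if key.lower() == "action":
            action = value.lower()
        else:
            scope.append((key.lower(), value))
    return tuple(scope), action

def implies(granted, required):
    """A grant covers a requirement at the same or a deeper scope."""
    g_scope, g_action = parse(granted)
    r_scope, r_action = parse(required)
    scope_ok = r_scope[:len(g_scope)] == g_scope
    return scope_ok and (g_action in ALL_ACTIONS or g_action == r_action)

def missing(required, granted):
    """Required privileges not implied by any grant, in original order."""
    return [r for r in required if not any(implies(g, r) for g in granted)]

def error_message(user, operation, required, granted, only_missing=True):
    """Build the message for either behavior proposed in the comment."""
    lacking = missing(required, granted)
    if not lacking:
        return None  # access check passes, nothing to report
    if only_missing:
        header, listed = "These are the additional privileges needed", lacking
    else:
        header = ("These are all the required privileges needed "
                  "for this operation to succeed")
        listed = required
    return (f"User {user} does not have privileges for {operation}\n"
            f"{header}: " + "".join(p + ";" for p in listed))

# Privilege strings taken from the issue description.
REQUIRED = [
    "Server=server1->URI=hdfs://rogue-4.gce.com:8020/tmp->action=*",
    "Server=server1->Db=db1->Table=table1->action=alter",
]
GRANTED = ["Server=server1->Db=db1->action=all"]  # constructed sample grant

if __name__ == "__main__":
    print(error_message("merry", "ALTERTABLE_LOCATION", REQUIRED, GRANTED))
```

With the database-level grant, only the URI privilege is reported as missing; comparing privilege strings for equality instead of implication would wrongly report the table privilege as well.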