Posted to commits@sentry.apache.org by "Prasad Mujumdar (JIRA)" <ji...@apache.org> on 2014/04/23 23:56:23 UTC

[jira] [Assigned] (SENTRY-182) Granting ALL privileges to table does not seem to do the right thing when using the SimpleDbPolicyProvider

     [ https://issues.apache.org/jira/browse/SENTRY-182?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Prasad Mujumdar reassigned SENTRY-182:
--------------------------------------

    Assignee: Prasad Mujumdar

> Granting ALL privileges to table does not seem to do the right thing when using the SimpleDbPolicyProvider
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-182
>                 URL: https://issues.apache.org/jira/browse/SENTRY-182
>             Project: Sentry
>          Issue Type: Bug
>    Affects Versions: 1.3.0
>            Reporter: Lenni Kuff
>            Assignee: Prasad Mujumdar
>
> I noticed that if I grant ALL privileges to a table (or to all tables under a database using a wildcard), I get back false when I try to access that table using PrivilegeLevel = SELECT | INSERT, but the access works if I access it using PrivilegeLevel=ALL.
> I believe this is because in DBWildcardPrivilege.java @ line 119 the "policyPart" KeyValue param has a key=>value of: "action" => "ALL" (note the string "ALL" as the value) where AccessConstants.ALL has a string val of a wildcard char: "*".
> {code}
> private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) {    
>     if(policyPart.getValue().equals(AccessConstants.ALL) || policyPart.equals(requestPart)) {
>         return true;
>     } else ...
> {code}
> In the BE policy server db I see:
> {code}
> sentry_test2=# select "DB_PRIVILEGE_ID", "DB_NAME", "TABLE_NAME", "PRIVILEGE_NAME" FROM "SENTRY_DB_PRIVILEGE" ORDER BY "DB_PRIVILEGE_ID" desc;
>  DB_PRIVILEGE_ID |       DB_NAME       |  TABLE_NAME  |             PRIVILEGE_NAME             
> -----------------+---------------------+--------------+----------------------------------------
>               18 | functional_seq_snap | *            | server1+functional_seq_snap+*+ALL
> {code}
> This doesn't seem specific to the DbPolicyProvider, but when using a policy file I seem to be able to work around this by explicitly using a wildcard character for the action rather than "ALL". There doesn't seem to be a way to do this with the DbPolicyProvider.



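The mismatch described in the report, as an added Java example that is not part of the original message and is not Sentry's code or its fix: the quoted check is run against a policy action stored as "ALL" and as "*", next to a variant that normalizes the stored name to the wildcard first. The `KeyValue` record, the `normalize` and `impliesNormalized` helpers, the request values and the behaviour of the elided else branch are assumptions; records need Java 16 or later.

```java
public class ActionWildcardDemo {
    // Stand-in for AccessConstants.ALL; the report gives its value as "*".
    static final String ALL = "*";
    // The action name the report found stored in the policy ("action" => "ALL").
    static final String ALL_NAME = "ALL";

    // Minimal stand-in for the KeyValue type named in the report (constructed).
    record KeyValue(String key, String value) {}

    // The check as quoted in the report. The page elides the else branch;
    // falling through to "false" is an assumption made for this demo.
    static boolean impliesAsReported(KeyValue policyPart, KeyValue requestPart) {
        return policyPart.value().equals(ALL) || policyPart.equals(requestPart);
    }

    // Rewrite a stored action of "ALL" (any case) to the wildcard constant.
    static KeyValue normalize(KeyValue kv) {
        if ("action".equalsIgnoreCase(kv.key()) && ALL_NAME.equalsIgnoreCase(kv.value())) {
            return new KeyValue(kv.key(), ALL);
        }
        return kv;
    }

    // Same comparison, run on normalized parts (hypothetical helper).
    static boolean impliesNormalized(KeyValue policyPart, KeyValue requestPart) {
        return impliesAsReported(normalize(policyPart), normalize(requestPart));
    }

    public static void main(String[] args) {
        // Constructed sample values: the action part of the stored grant and of each request.
        String[] storedActions = {"ALL", "*"};
        String[] requestedActions = {"select", "insert", "ALL"};
        for (String stored : storedActions) {
            KeyValue policy = new KeyValue("action", stored);
            for (String requested : requestedActions) {
                KeyValue request = new KeyValue("action", requested);
                System.out.printf("policy action=%-3s request action=%-6s reported=%-5b normalized=%b%n",
                        stored, requested,
                        impliesAsReported(policy, request),
                        impliesNormalized(policy, request));
            }
        }
    }
}
```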