Posted to commits@sentry.apache.org by "Prasad Mujumdar (JIRA)" <ji...@apache.org> on 2014/04/23 23:56:23 UTC
[jira] [Assigned] (SENTRY-182) Granting ALL privileges to table does not seem to do the right thing when using the SimpleDbPolicyProvider
[ https://issues.apache.org/jira/browse/SENTRY-182?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Prasad Mujumdar reassigned SENTRY-182:
--------------------------------------
Assignee: Prasad Mujumdar
> Granting ALL privileges to table does not seem to do the right thing when using the SimpleDbPolicyProvider
> ----------------------------------------------------------------------------------------------------------
>
> Key: SENTRY-182
> URL: https://issues.apache.org/jira/browse/SENTRY-182
> Project: Sentry
> Issue Type: Bug
> Affects Versions: 1.3.0
> Reporter: Lenni Kuff
> Assignee: Prasad Mujumdar
>
> I noticed that if I grant ALL privileges to a table (or to all tables under a database using a wildcard), I get back false when I try to access that table using PrivilegeLevel = SELECT | INSERT, but the access works if I access it using PrivilegeLevel=ALL.
> I believe this is because in DBWildcardPrivilege.java @ line 119 the "policyPart" KeyValue param has a key=>value of: "action" => "ALL" (note the string "ALL" as the value) where AccessConstants.ALL has a string val of a wildcard char: "*".
> {code}
> private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) {
>   if(policyPart.getValue().equals(AccessConstants.ALL) || policyPart.equals(requestPart)) {
>     return true;
>   } else ...
> {code}
> In the BE policy server db I see:
> {code}
> sentry_test2=# select "DB_PRIVILEGE_ID", "DB_NAME", "TABLE_NAME", "PRIVILEGE_NAME" FROM "SENTRY_DB_PRIVILEGE" ORDER BY "DB_PRIVILEGE_ID" desc;
>  DB_PRIVILEGE_ID |       DB_NAME       |  TABLE_NAME  |             PRIVILEGE_NAME
> -----------------+---------------------+--------------+----------------------------------------
>               18 | functional_seq_snap | *            | server1+functional_seq_snap+*+ALL
> {code}
> This doesn't seem specific to the DbPolicyProvider, but when using a policy file I seem to be able to work around this by explicitly using a wildcard character for the action rather than "ALL". There doesn't seem to be a way to do this with the DbPolicyProvider.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
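
The mismatch described in the report, reproduced as an added example; it is not Sentry code and not part of the original message. It models the quoted check beside one possible normalization step. The class name, the record shape of KeyValue, and the normalize/impliesNormalized helpers are assumptions made for illustration (records need Java 16 or later).

```java
// Added illustration: a simplified model of the comparison, not Sentry source.
public class ActionImpliesDemo {
    // Per the report, AccessConstants.ALL holds the wildcard character "*".
    static final String ALL = "*";
    // Per the report, the stored policy carries the literal action name "ALL".
    static final String ALL_NAME = "ALL";

    // Minimal stand-in for the KeyValue type named in the report (hypothetical shape).
    record KeyValue(String key, String value) {}

    // The check as quoted in the report: only "*" is treated as a wildcard.
    static boolean impliesAsReported(KeyValue policyPart, KeyValue requestPart) {
        return policyPart.value().equals(ALL) || policyPart.equals(requestPart);
    }

    // Hypothetical normalization: rewrite action=ALL to action=* before comparing.
    static KeyValue normalize(KeyValue part) {
        if (part.key().equals("action") && part.value().equals(ALL_NAME)) {
            return new KeyValue(part.key(), ALL);
        }
        return part;
    }

    // Keys must match, so an action wildcard never satisfies another part type.
    static boolean impliesNormalized(KeyValue policyPart, KeyValue requestPart) {
        KeyValue p = normalize(policyPart);
        KeyValue r = normalize(requestPart);
        return p.key().equals(r.key())
                && (p.value().equals(ALL) || p.value().equals(r.value()));
    }

    public static void main(String[] args) {
        KeyValue grantedAll = new KeyValue("action", "ALL"); // as stored, per the report
        for (String level : new String[] {"SELECT", "INSERT", "ALL"}) {
            KeyValue request = new KeyValue("action", level);
            System.out.printf("grant=ALL request=%-6s reported=%b normalized=%b%n",
                    level, impliesAsReported(grantedAll, request),
                    impliesNormalized(grantedAll, request));
        }
        // A narrower grant must still not imply a request for ALL.
        KeyValue grantedSelect = new KeyValue("action", "SELECT");
        System.out.println("grant=SELECT request=ALL normalized="
                + impliesNormalized(grantedSelect, new KeyValue("action", "ALL")));
    }
}
```

With the quoted check, only the request for ALL matches the stored grant; after normalization SELECT and INSERT match as well, while a SELECT grant still does not satisfy a request for ALL.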