You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@sentry.apache.org by "Na Li (JIRA)" <ji...@apache.org> on 2017/12/12 20:09:00 UTC

[jira] [Assigned] (SENTRY-2097) Sentry privileges model: Can Sentry take a database privileges away from a server privileges?

     [ https://issues.apache.org/jira/browse/SENTRY-2097?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Na Li reassigned SENTRY-2097:
-----------------------------

    Assignee: Na Li

> Sentry privileges model: Can Sentry take a database privileges away from a server privileges?
> ---------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-2097
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2097
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>            Reporter: Sergio Peña
>            Assignee: Na Li
>            Priority: Critical
>
> Assume I have a user |jack| and a group |datateam|. The
> user |jack| belongs to group |datateam|.
> Use Sentry for authorization.
> |create role admin; grant role admin to group datateam; grant all on
> server server1 to role admin; |
> Now the role |admin| has the following priveleges.
> {noformat}
> |+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | database | table | partition | column | principal_name |
> principal_type | privilege | grant_option | grant_time | grantor |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | * | | | | admin | ROLE | * | false | 1480985013185000 | -- |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+|
> {noformat}
> Assume I have this database.
> |create database testdb; |
> It is successful. User |jack| created a database |testdb|.
> Use Sentry to revoke the privileges on |testdb|;
> |revoke all on database `testdb` from role admin; |
> The priveleges is still the same.
> {noformat}
> |+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | database | table | partition | column | principal_name |
> principal_type | privilege | grant_option | grant_time | grantor |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | * | | | | admin | ROLE | * | false | 1480985013185000 | -- |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+|
> {noformat}
> Shouldn't Sentry take the privileges on database |testdb| away from the
> server |server1|?



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)