You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@sentry.apache.org by "Sergio Peña (JIRA)" <ji...@apache.org> on 2018/04/13 15:34:00 UTC

[jira] [Commented] (SENTRY-2202) Revoking SELECT or INSERT from parent privilege does not get applied in Impala

    [ https://issues.apache.org/jira/browse/SENTRY-2202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16437448#comment-16437448 ] 

Sergio Peña commented on SENTRY-2202:
-------------------------------------

I've seen this behavior in Impala too. Is it that Sentry does not understand the ALL privilege or is it just a bug in decomposing the ALL privilege vs the * keyword?

Btw, I find this decomposition behavior a little inconsistent with how privileges should work. If a user has all privileges, either ALL or *, then it means such user should be able to do any action on the object she or he is authorized, such as create, alter, drop, select, insert, lock, index, truncate, etc. But if just one privilege is revoked from the user, such as select, then the behavior is revoking not just the select but all other privileges except the insert, right? That means the user will now have insert privileges only. Isn't this confusing?

> Revoking SELECT or INSERT from parent privilege does not get applied in Impala
> ------------------------------------------------------------------------------
>
>                 Key: SENTRY-2202
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2202
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: Arjun Mishra
>            Assignee: Arjun Mishra
>            Priority: Major
>             Fix For: 2.1.0
>
>
> When revoking select or insert from privilege, child privilege should be appropriately updated. For eg if there is ALL on table and SELECT on database and SELECT is revoked from database, then table privileges should be changed from ALL to INSERT. This is not happening in Impala because when looking for child privilege we only filter by "\*" as opposed to both "\*" or "all" depending on the original privilege



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)