Posted to issues@sentry.apache.org by "Na Li (JIRA)" <ji...@apache.org> on 2018/05/24 14:56:00 UTC

[jira] [Commented] (SENTRY-2242) Add schema changes to limit one one owner privilege per object

    [ https://issues.apache.org/jira/browse/SENTRY-2242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16489152#comment-16489152 ] 

Na Li commented on SENTRY-2242:
-------------------------------

The problem we want to solve is:

Owner privilege on an object should be assigned to only one user or role at any given time. 

The proposed change has two issues:
1) It does not prevent the same owner privilege on an object from being assigned to a user and a role at the same time.
2) It changes the primary key of the table SENTRY_USER_DB_PRIVILEGE_MAP. Once we support user privilege, we have to change the primary key definition, and it could cause upgrade issues.

> Add schema changes to limit one one owner privilege per object
> --------------------------------------------------------------
>
>                 Key: SENTRY-2242
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2242
>             Project: Sentry
>          Issue Type: Sub-task
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: kalyan kumar kalvagadda
>            Assignee: kalyan kumar kalvagadda
>            Priority: Major
>
> Currently user<-> privileges is implemented to handle privileges to owners of the respective objects. There cannot be more than one owner of a single object (database/table), so a restriction should be added either at the application or in the database schema to prevent it from happening.
> I feel a schema change is the best way to do it for now, as there is no plan to implement user privileges in the near future. In the future, when the user privileges feature is implemented, this change could be reverted and the restriction can be added at the application.
> *Current Schema:*
> {noformat}
> ALTER TABLE `SENTRY_USER_DB_PRIVILEGE_MAP`
>   ADD CONSTRAINT `SENTRY_USER_DB_PRIVILEGE_MAP_PK` PRIMARY KEY (`USER_ID`,`DB_PRIVILEGE_ID`);
> {noformat}
> *Proposed Solution:*
> {noformat}
> ALTER TABLE `SENTRY_USER_DB_PRIVILEGE_MAP`
>   ADD CONSTRAINT `SENTRY_USER_DB_PRIVILEGE_MAP_PK` PRIMARY KEY (`DB_PRIVILEGE_ID`);
> {noformat}
> With this change, DB_PRIVILEGE_ID would be the primary key, and this restricts the same privilege from being granted to another user.



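The two primary-key definitions quoted above can be compared directly, as an added example that is not part of the original message or of Sentry's code. It uses SQLite in place of MySQL, and the role mapping table with its ROLE_ID column is an assumption, since only SENTRY_USER_DB_PRIVILEGE_MAP, USER_ID and DB_PRIVILEGE_ID appear in the thread.

```python
import sqlite3

# Assumption: a role map table shaped like the user map. Only
# SENTRY_USER_DB_PRIVILEGE_MAP and its two columns are named in the thread.
ROLE_MAP = """CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP (
    ROLE_ID INTEGER NOT NULL, DB_PRIVILEGE_ID INTEGER NOT NULL,
    PRIMARY KEY (ROLE_ID, DB_PRIVILEGE_ID))"""
USER_MAP = """CREATE TABLE SENTRY_USER_DB_PRIVILEGE_MAP (
    USER_ID INTEGER NOT NULL, DB_PRIVILEGE_ID INTEGER NOT NULL,
    PRIMARY KEY ({pk}))"""
CURRENT_PK = "USER_ID, DB_PRIVILEGE_ID"   # "Current Schema" in the issue
PROPOSED_PK = "DB_PRIVILEGE_ID"           # "Proposed Solution" in the issue


def try_grants(user_pk, grants):
    """Apply (kind, principal_id, privilege_id) grants in order.

    Returns one flag per grant: True if the database accepted the row,
    False if a primary-key constraint rejected it.
    """
    db = sqlite3.connect(":memory:")
    db.execute(USER_MAP.format(pk=user_pk))
    db.execute(ROLE_MAP)
    accepted = []
    for kind, principal_id, privilege_id in grants:
        table = ("SENTRY_USER_DB_PRIVILEGE_MAP" if kind == "user"
                 else "SENTRY_ROLE_DB_PRIVILEGE_MAP")
        try:
            db.execute(f"INSERT INTO {table} VALUES (?, ?)",
                       (principal_id, privilege_id))
            accepted.append(True)
        except sqlite3.IntegrityError:
            accepted.append(False)
    db.close()
    return accepted


OWNER_PRIV = 100  # constructed privilege id standing for one owner privilege
TWO_USERS = [("user", 1, OWNER_PRIV), ("user", 2, OWNER_PRIV)]
USER_AND_ROLE = [("user", 1, OWNER_PRIV), ("role", 7, OWNER_PRIV)]

if __name__ == "__main__":
    for label, pk in (("current", CURRENT_PK), ("proposed", PROPOSED_PK)):
        print(label, "two users:  ", try_grants(pk, TWO_USERS))
        print(label, "user + role:", try_grants(pk, USER_AND_ROLE))
```

The proposed key rejects the second user, but the user-plus-role pair is accepted under both definitions because the constraint covers only the user table.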