Posted to issues@sentry.apache.org by "Ben Breakstone (JIRA)" <ji...@apache.org> on 2018/10/31 16:34:00 UTC
[jira] [Commented] (SENTRY-1407) 'default' database is listed without having any grants on it
[ https://issues.apache.org/jira/browse/SENTRY-1407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16670354#comment-16670354 ]
Ben Breakstone commented on SENTRY-1407:
----------------------------------------
[~morhidi], this behavior is an exception to the standard security model. My understanding is that some client was found in testing to experience a critical failure if the "default" database couldn't be listed (although I haven't been able to learn exactly which client).
In Hive, you can get the "default" database to follow the same behavior as other databases by configuring sentry.hive.restrict.defaultDB = true.
Unfortunately, Impala doesn't have an equivalent option. See IMPALA-7334 for a feature request to add one.
> 'default' database is listed without having any grants on it
> ------------------------------------------------------------
>
> Key: SENTRY-1407
> URL: https://issues.apache.org/jira/browse/SENTRY-1407
> Project: Sentry
> Issue Type: Bug
> Components: Hive V2
> Affects Versions: 1.5.1
> Reporter: Matyas Orhidi
> Priority: Major
>
> {{default}} database should not be listed when issuing the {{show database}} command and the user has no privileges on the object:
> {code}
> 0: jdbc:hive2://localhost:10000/default> show current roles;
> +---------------+--+
> | role |
> +---------------+--+
> | analyst_role |
> +---------------+--+
> 1 row selected (0.086 seconds)
> 0: jdbc:hive2://localhost:10000/default> show grant role analyst_role;
> +------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
> +------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | sample_database | | | | analyst_role | ROLE | * | false | 1464280571499000 | -- |
> +------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> 1 row selected (0.087 seconds)
> 0: jdbc:hive2://localhost:10000/default> show databases;
> +------------------+--+
> | database_name |
> +------------------+--+
> | default |
> | sample_database |
> +------------------+--+
> 2 rows selected (0.137 seconds)
> 0: jdbc:hive2://localhost:10000/default>
> {code}
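
A configuration check for the Hive setting named in the comment above, as an added example that is not part of the original message or of Sentry's own code. It assumes the property lives in a Hadoop-style XML file (for example sentry-site.xml), that an absent property leaves the exception in place, and that the last occurrence in a file wins; the sample configs are constructed.

```python
import xml.etree.ElementTree as ET

PROP = "sentry.hive.restrict.defaultDB"  # property named in the comment above

# Constructed sample configs (Hadoop-style <configuration> XML), not from the page.
UNSET = """<configuration>
  <property><name>example.placeholder.key</name><value>x</value></property>
</configuration>"""
ENABLED = """<configuration>
  <property><name>sentry.hive.restrict.defaultDB</name><value>TRUE</value></property>
</configuration>"""
OVERRIDDEN = """<configuration>
  <property><name>sentry.hive.restrict.defaultDB</name><value>true</value></property>
  <property><name>sentry.hive.restrict.defaultDB</name><value>false</value></property>
</configuration>"""
PADDED = ENABLED.replace("TRUE", " true ")


def configured_values(xml_text, name=PROP):
    """Return every value given for `name`, in document order."""
    root = ET.fromstring(xml_text)
    return [p.findtext("value") or "" for p in root.iter("property")
            if (p.findtext("name") or "").strip() == name]


def audit(xml_text):
    """Return (restricted, message) for one config file's text."""
    values = configured_values(xml_text)
    if not values:
        # Assumption: an absent property means the exception described above applies.
        return False, f"{PROP} is not set: 'default' is listed without grants"
    value = values[-1]  # Assumption: the last occurrence in the file wins.
    if len(values) > 1:
        note = f" (set {len(values)} times, last value used)"
    else:
        note = ""
    # Strict match: not every config reader trims whitespace around the value.
    if value.lower() == "true":
        return True, f"{PROP} = true{note}: 'default' follows normal grants"
    return False, f"{PROP} = {value!r}{note}: 'default' is still listed"


if __name__ == "__main__":
    for label, text in [("unset", UNSET), ("enabled", ENABLED),
                        ("overridden", OVERRIDDEN), ("padded", PADDED)]:
        print(label, audit(text))
```

The check covers the Hive side only; per the comment, Impala has no equivalent option to inspect.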