Posted to dev@sentry.apache.org by Colin Ma <ju...@intel.com> on 2016/07/15 01:22:10 UTC
Re: Review Request 48055: SENTRY-1209: Sentry does not block Hive's
cross-schema table renames
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48055/
-----------------------------------------------------------
(Updated July 15, 2016, 1:22 a.m.)
Review request for sentry and Sravya Tirukkovalur.
Repository: sentry
Description
-------
User Pete
has read-write access to schema A
has read-only access to schema B
User Pete nevertheless was able to rename/move Hive table
from schema A to schema B (where he has read-only access):
{quote}
use A;
alter table table_a rename to B.table_a;
{quote}
Hive allows the rename table syntax to be used to move tables across schemas, not just to rename them.
Sentry does not check security boundaries in this case.
Diffs (updated)
-----
sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHookBase.java dd16960
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 7242fde
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java 6c9f223
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegeCleanupOnDrop.java 767bcbe
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java a13aef5
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java 8eb2851
Diff: https://reviews.apache.org/r/48055/diff/
Testing
-------
Thanks,
Colin Ma
Re: Review Request 48055: SENTRY-1209: Sentry does not block Hive's
cross-schema table renames
Posted by Sravya Tirukkovalur <sr...@cloudera.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/48055/#review142323
-----------------------------------------------------------
Ship it!
Thanks for the changes Colin! Do we have coverage for rename db1.tb1 to db1.tb2?
- Sravya Tirukkovalur
On July 15, 2016, 1:22 a.m., Colin Ma wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/48055/
> -----------------------------------------------------------
>
> (Updated July 15, 2016, 1:22 a.m.)
>
>
> Review request for sentry and Sravya Tirukkovalur.
>
>
> Repository: sentry
>
>
> Description
> -------
>
> User Pete
> has read-write access to schema A
> has read-only access to schema B
>
> User Pete nevertheless was able to rename/move Hive table
> from schema A to schema B (where he has read-only access):
>
> {quote}
> use A;
> alter table table_a rename to B.table_a;
> {quote}
>
> Hive allows the rename table syntax to be used to move tables across schemas, not just to rename them.
>
> Sentry does not check security boundaries in this case.
>
>
> Diffs
> -----
>
> sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHookBase.java dd16960
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 7242fde
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java 6c9f223
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbPrivilegeCleanupOnDrop.java 767bcbe
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java a13aef5
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java 8eb2851
>
> Diff: https://reviews.apache.org/r/48055/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Colin Ma
>
>
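The gap described in this thread, as an added example that is not Sentry's code or the patch under review: a simplified Java model of authorizing ALTER TABLE ... RENAME TO, in which the target schema is resolved (an unqualified name falls back to the current schema) and checked alongside the source. The class and method names, the three access levels, and the rule that moving a table into a schema needs read-write access there are assumptions made for the illustration.

```java
import java.util.*;

// Added illustration, not Sentry code: a toy model of the authorization
// decision for ALTER TABLE ... RENAME TO, using the thread's read-only /
// read-write schema access levels. All names here are hypothetical.
public class RenameAuthzSketch {
    enum Access { NONE, READ_ONLY, READ_WRITE }

    // Resolve "schema.table" or a bare "table" against the session's current schema.
    // Hive identifiers are case-insensitive, so the schema name is lower-cased.
    static String schemaOf(String tableName, String currentSchema) {
        int dot = tableName.indexOf('.');
        return (dot < 0 ? currentSchema : tableName.substring(0, dot)).toLowerCase(Locale.ROOT);
    }

    // Weak check: only the source side is authorized, so the rename target
    // can land in a schema the user cannot write to.
    static boolean sourceOnlyCheck(Map<String, Access> grants, String current, String from, String to) {
        return grants.getOrDefault(schemaOf(from, current), Access.NONE) == Access.READ_WRITE;
    }

    // Corrected check: the target schema is resolved and authorized as well.
    static boolean sourceAndTargetCheck(Map<String, Access> grants, String current, String from, String to) {
        return sourceOnlyCheck(grants, current, from, to)
            && grants.getOrDefault(schemaOf(to, current), Access.NONE) == Access.READ_WRITE;
    }

    public static void main(String[] args) {
        // Constructed grants matching the description: Pete on schemas A and B.
        Map<String, Access> pete = new HashMap<>();
        pete.put("a", Access.READ_WRITE);
        pete.put("b", Access.READ_ONLY);

        String[][] renames = {
            {"table_a", "B.table_a"},    // cross-schema move from the description
            {"table_a", "table_a2"},     // same-schema rename, unqualified target
            {"A.table_a", "A.table_a2"}  // same-schema rename, qualified names
        };
        for (String[] r : renames) {
            System.out.printf("rename %s -> %s: source-only=%b, source+target=%b%n",
                r[0], r[1],
                sourceOnlyCheck(pete, "A", r[0], r[1]),
                sourceAndTargetCheck(pete, "A", r[0], r[1]));
        }
    }
}
```

With the session on schema A, only the cross-schema move is decided differently by the two checks; both same-schema renames stay allowed.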