Posted to dev@sentry.apache.org by Eric Lin via Review Board <no...@reviews.apache.org> on 2018/05/20 23:34:37 UTC

Review Request 67231: User can DROP function under a database that he/she has no access

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67231/
-----------------------------------------------------------

Review request for sentry.


Bugs: SENTRY-2240
    https://issues.apache.org/jira/browse/SENTRY-2240


Repository: sentry


Description
-------

User can DROP UDF function under a database that he/she has no access to.

I created it as a separate JIRA from SENTRY-781 because the changes are quite different.


Diffs
-----

  sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingHookBaseV2.java 5a21dd3e 
  sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzPrivilegesMapV2.java 61278fe0 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 09bd9b56 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java 447deaf5 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java 4f932ea6 
  sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java 3bbf6fb1 
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java e0b584c6 
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/StaticUserGroup.java 8306e953 
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java bd0f978e 


Diff: https://reviews.apache.org/r/67231/diff/1/


Testing
-------

Manual testing + updated test cases.

1. user can create/drop function if he/she has ALL access to DB
2. user can't create/drop function if he/she does not have access to DB, nor tables
3. user can't create/drop function if he/she only has read access to DB
4. user can't create/drop function if he/she only has read access to a table under the DB
5. user can't create/drop function if he/she does not have access to URI JAR file


Thanks,

Eric Lin


Re: Review Request 67231: User can DROP function under a database that he/she has no access

Posted by Eric Lin via Review Board <no...@reviews.apache.org>.

> On May 21, 2018, 2:48 p.m., Na Li wrote:
> > can you put the upstream jira number as part of the Summary?

Thanks for your review, Na Li!!

Done


- Eric


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67231/#review203494
-----------------------------------------------------------




Re: Review Request 67231: User can DROP function under a database that he/she has no access

Posted by Na Li via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67231/#review203494
-----------------------------------------------------------



Can you put the upstream JIRA number as part of the Summary?


sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingHookBaseV2.java
Lines 433 (patched)
<https://reviews.apache.org/r/67231/#comment285785>

    We are planning to remove the code under sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2.
    
    The only reason it is here is to check what tests are in v2, but not in sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/ before we remove it.


- Na Li




Re: Review Request 67231: SENTRY-2240 - User can DROP function under a database that he/she has no access

Posted by Eric Lin via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67231/
-----------------------------------------------------------

(Updated May 22, 2018, 1:16 a.m.)


Review request for sentry.


Changes
-------

Reverted changes to V2 classes based on Na Li's review.


Summary (updated)
-----------------

SENTRY-2240 - User can DROP function under a database that he/she has no access


Bugs: SENTRY-2240
    https://issues.apache.org/jira/browse/SENTRY-2240


Repository: sentry


Description
-------

User can DROP UDF function under a database that he/she has no access to.

I created it as a separate JIRA from SENTRY-781 because the changes are quite different.


Diffs (updated)
-----

  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 09bd9b56 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java 447deaf5 
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java 4f932ea6 
  sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java 3bbf6fb1 
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java e0b584c6 
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/StaticUserGroup.java 8306e953 
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java bd0f978e 


Diff: https://reviews.apache.org/r/67231/diff/2/

Changes: https://reviews.apache.org/r/67231/diff/1-2/


Testing
-------

Manual testing + updated test cases.

1. user can create/drop function if he/she has ALL access to DB
2. user can't create/drop function if he/she does not have access to DB, nor tables
3. user can't create/drop function if he/she only has read access to DB
4. user can't create/drop function if he/she only has read access to a table under the DB
5. user can't create/drop function if he/she does not have access to URI JAR file


Thanks,

Eric Lin


Re: Review Request 67231: User can DROP function under a database that he/she has no access

Posted by Na Li via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67231/#review203496
-----------------------------------------------------------




sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingHookBaseV2.java
Lines 433 (patched)
<https://reviews.apache.org/r/67231/#comment285786>

    So it is better we don't update any code under sentry-binding/sentry-binding-hive-v2/.


- Na Li

