Posted to dev@sentry.apache.org by Eric Lin via Review Board <no...@reviews.apache.org> on 2018/05/20 23:34:37 UTC
Review Request 67231: User can DROP function under a database that he/she has no access
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67231/
-----------------------------------------------------------
Review request for sentry.
Bugs: SENTRY-2240
https://issues.apache.org/jira/browse/SENTRY-2240
Repository: sentry
Description
-------
User can DROP UDF function under a database that he/she has no access to.
I created it as a separate JIRA from SENTRY-781 because the changes are quite different.
Diffs
-----
sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingHookBaseV2.java 5a21dd3e
sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzPrivilegesMapV2.java 61278fe0
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 09bd9b56
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java 447deaf5
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java 4f932ea6
sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java 3bbf6fb1
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java e0b584c6
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/StaticUserGroup.java 8306e953
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java bd0f978e
Diff: https://reviews.apache.org/r/67231/diff/1/
Testing
-------
Manual testing + updated test cases.
1. user can create/drop function if he/she has ALL access to DB
2. user can't create/drop function if he/she does not have access to DB, nor tables
3. user can't create/drop function if he/she only has read access to DB
4. user can't create/drop function if he/she only has read access to a table under the DB
5. user can't create/drop function if he/she does not have access to URI JAR file
Thanks,
Eric Lin
Re: Review Request 67231: User can DROP function under a database that he/she has no access
Posted by Eric Lin via Review Board <no...@reviews.apache.org>.
> On May 21, 2018, 2:48 p.m., Na Li wrote:
> > Can you put the upstream JIRA number as part of the Summary?
Thanks for your review, Na Li!!
Done
- Eric
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67231/#review203494
-----------------------------------------------------------
Re: Review Request 67231: User can DROP function under a database that he/she has no access
Posted by Na Li via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67231/#review203494
-----------------------------------------------------------
Can you put the upstream JIRA number as part of the Summary?
sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingHookBaseV2.java
Lines 433 (patched)
<https://reviews.apache.org/r/67231/#comment285785>
We are planning to remove the code under sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2
The only reason it is here is to check what tests are in v2, but not in sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/ before we remove it.
- Na Li
Re: Review Request 67231: SENTRY-2240 - User can DROP function under a database that he/she has no access
Posted by Eric Lin via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67231/
-----------------------------------------------------------
(Updated May 22, 2018, 1:16 a.m.)
Review request for sentry.
Changes
-------
Reverted changes to V2 classes based on Na Li's review.
Summary (updated)
-----------------
SENTRY-2240 - User can DROP function under a database that he/she has no access
Bugs: SENTRY-2240
https://issues.apache.org/jira/browse/SENTRY-2240
Repository: sentry
Description
-------
User can DROP UDF function under a database that he/she has no access to.
I created it as a separate JIRA from SENTRY-781 because the changes are quite different.
Diffs (updated)
-----
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 09bd9b56
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java 447deaf5
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java 4f932ea6
sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java 3bbf6fb1
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java e0b584c6
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/StaticUserGroup.java 8306e953
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java bd0f978e
Diff: https://reviews.apache.org/r/67231/diff/2/
Changes: https://reviews.apache.org/r/67231/diff/1-2/
Testing
-------
Manual testing + updated test cases.
1. user can create/drop function if he/she has ALL access to DB
2. user can't create/drop function if he/she does not have access to DB, nor tables
3. user can't create/drop function if he/she only has read access to DB
4. user can't create/drop function if he/she only has read access to a table under the DB
5. user can't create/drop function if he/she does not have access to URI JAR file
Thanks,
Eric Lin
Re: Review Request 67231: User can DROP function under a database that he/she has no access
Posted by Na Li via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67231/#review203496
-----------------------------------------------------------
sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingHookBaseV2.java
Lines 433 (patched)
<https://reviews.apache.org/r/67231/#comment285786>
So it is better we don't update any code under sentry-binding/sentry-binding-hive-v2/
- Na Li