Posted to commits@impala.apache.org by ta...@apache.org on 2016/05/12 22:10:00 UTC

[25/50] [abbrv] incubator-impala git commit: IMPALA-3133: Wrong privileges after a REVOKE ALL ON SERVER statement

IMPALA-3133: Wrong privileges after a REVOKE ALL ON SERVER statement

This commit fixes an issue where a GRANT ALL ON SERVER to role_name statement
followed by a REVOKE ALL ON SERVER from role_name statement would not revoke all
privileges from role_name. The problem was triggered by a specific
combination of Sentry client API calls used in Impala during
grant/revoke statements at server scope. In particular, during GRANT, Impala was using
an API call that didn't explicitly specify the privilege action (Sentry uses '*' if
no action is specified). In contrast, the corresponding REVOKE call was explicitly
specifying the privilege action to be 'ALL'. Sentry doesn't seem to
handle this case correctly, thereby failing to remove all the privileges
after a REVOKE ALL ON SERVER call. The fix on the Impala side, which
results in the correct behavior, is to always specify the privilege
action by using the appropriate API calls.

Change-Id: I6b3a0d10f5e88c6a0a10bd20f620562d2de7ab25
Reviewed-on: http://gerrit.cloudera.org:8080/2979
Reviewed-by: Dimitris Tsirogiannis <dt...@cloudera.com>
Tested-by: Internal Jenkins


Project: http://git-wip-us.apache.org/repos/asf/incubator-impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-impala/commit/5cae398a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-impala/tree/5cae398a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-impala/diff/5cae398a

Branch: refs/heads/master
Commit: 5cae398a488ca43b7a688c35f130fe7ff360e553
Parents: 41e3143
Author: Dimitris Tsirogiannis <dt...@cloudera.com>
Authored: Thu May 5 19:59:56 2016 -0700
Committer: Tim Armstrong <ta...@cloudera.com>
Committed: Thu May 12 14:17:57 2016 -0700

----------------------------------------------------------------------
 .../impala/util/SentryPolicyService.java        |  3 ++-
 .../queries/QueryTest/grant_revoke.test         | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/5cae398a/fe/src/main/java/com/cloudera/impala/util/SentryPolicyService.java
----------------------------------------------------------------------
diff --git a/fe/src/main/java/com/cloudera/impala/util/SentryPolicyService.java b/fe/src/main/java/com/cloudera/impala/util/SentryPolicyService.java
index ac78e02..b410485 100644
--- a/fe/src/main/java/com/cloudera/impala/util/SentryPolicyService.java
+++ b/fe/src/main/java/com/cloudera/impala/util/SentryPolicyService.java
@@ -244,7 +244,8 @@ public class SentryPolicyService {
       switch (scope) {
         case SERVER:
           client.get().grantServerPrivilege(requestingUser.getShortName(), roleName,
-              privilege.getServer_name(), privilege.isHas_grant_opt());
+              privilege.getServer_name(), privilege.getPrivilege_level().toString(),
+              privilege.isHas_grant_opt());
           break;
         case DATABASE:
           client.get().grantDatabasePrivilege(requestingUser.getShortName(), roleName,
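Review bot: Roles that were granted ALL ON SERVER before this change presumably still hold the implicit '*' action in Sentry, and the SERVER case here only fixes grants issued from now on, so a later REVOKE ALL ON SERVER may still leave those roles privileged. That is worth stating in the commit message or release notes so operators re-check such roles with `show grant role` after revoking. A comment above the call would keep the argument from being dropped again, e.g. `// Always pass the action: Sentry stores '*' when it is omitted and REVOKE ALL does not match it (IMPALA-3133).` Separately, `privilege.getPrivilege_level()` is dereferenced without a null check; whether the level can be unset on this path cannot be judged from here, because the enclosing method starts and ends outside the hunk.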

http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/5cae398a/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test
----------------------------------------------------------------------
diff --git a/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test b/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test
index e9f768e..fe340c2 100644
--- a/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test
+++ b/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test
@@ -694,6 +694,26 @@ create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_r
 does not have privileges to execute 'CREATE' on: grant_rev_db
 ====
 ---- QUERY
+show grant role grant_revoke_test_ALL_SERVER1
+---- RESULTS: VERIFY_IS_EQUAL_SORTED
+'SERVER','','','','','ALL',FALSE,regex:.+
+---- LABELS
+scope, database, table, column, uri, privilege, grant_option, create_time
+---- TYPES
+STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
+====
+---- QUERY
+revoke all on server server1 from grant_revoke_test_ALL_SERVER1
+====
+---- QUERY
+show grant role grant_revoke_test_ALL_SERVER1
+---- RESULTS: VERIFY_IS_EQUAL_SORTED
+---- LABELS
+scope, database, table, column, uri, privilege, grant_option, create_time
+---- TYPES
+STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
+====
+---- QUERY
 # Cleanup test roles
 drop role grant_revoke_test_ALL_SERVER;
 drop role grant_revoke_test_SELECT_INSERT_TEST_TBL;
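Review bot: The added regression case covers only a grant without the grant option (the expected row has `FALSE`), while the changed Java call also forwards `isHas_grant_opt()`. A parallel case that grants with `with grant option`, revokes, and again expects an empty `show grant role` result would pin both argument positions of the new call. The grant to `grant_revoke_test_ALL_SERVER1` and the end of the cleanup block are outside the hunk, so it is not visible here whether that role is dropped afterwards; if it is not, add `drop role grant_revoke_test_ALL_SERVER1;` to the cleanup.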