Posted to issues@sentry.apache.org by "Arjun Mishra (JIRA)" <ji...@apache.org> on 2018/04/16 13:23:00 UTC

[jira] [Comment Edited] (SENTRY-2202) Revoking SELECT or INSERT from parent privilege does not get applied in Impala

    [ https://issues.apache.org/jira/browse/SENTRY-2202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16439430#comment-16439430 ] 

Arjun Mishra edited comment on SENTRY-2202 at 4/16/18 1:22 PM:
---------------------------------------------------------------

It's a bug decomposing ALL vs "*" keyword.

Yes, you are right. Look at the code below. If you are revoking SELECT, it forces child privilege to be an INSERT, and vice-versa. I agree with you that this is not how it should work.

{noformat}
else if (requestedPrivToRevoke.getAction().equalsIgnoreCase(AccessConstants.SELECT)
  && !currentPrivilege.getAction().equalsIgnoreCase(AccessConstants.INSERT)) {
  revokeRolePartial(pm, mRole, currentPrivilege, persistedPriv, AccessConstants.INSERT);
} else if (requestedPrivToRevoke.getAction().equalsIgnoreCase(AccessConstants.INSERT)
  && !currentPrivilege.getAction().equalsIgnoreCase(AccessConstants.SELECT)) {
  revokeRolePartial(pm, mRole, currentPrivilege, persistedPriv, AccessConstants.SELECT);
}
{noformat}


was (Author: arjunmishra13):
It's a bug decomposing ALL vs "*" keyword.

Yes, you are right. Look at the code below. If you are revoking SELECT, it forces child privilege to be an INSERT, and vice-versa. I agree with you that this is not how it should work.

{noformat}
} else if (requestedPrivToRevoke.getAction().equalsIgnoreCase(AccessConstants.SELECT)
      && !currentPrivilege.getAction().equalsIgnoreCase(AccessConstants.INSERT)) {
      revokeRolePartial(pm, mRole, currentPrivilege, persistedPriv, AccessConstants.INSERT);
    } else if (requestedPrivToRevoke.getAction().equalsIgnoreCase(AccessConstants.INSERT)
      && !currentPrivilege.getAction().equalsIgnoreCase(AccessConstants.SELECT)) {
      revokeRolePartial(pm, mRole, currentPrivilege, persistedPriv, AccessConstants.SELECT);
    }
{noformat}

> Revoking SELECT or INSERT from parent privilege does not get applied in Impala
> ------------------------------------------------------------------------------
>
>                 Key: SENTRY-2202
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2202
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: Arjun Mishra
>            Assignee: Arjun Mishra
>            Priority: Major
>             Fix For: 2.1.0
>
>
> When revoking select or insert from privilege, child privilege should be appropriately updated. For example, if there is ALL on table and SELECT on database and SELECT is revoked from database, then table privileges should be changed from ALL to INSERT. This is not happening in Impala because when looking for child privilege we only filter by "*" as opposed to both "*" or "all" depending on the original privilege.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
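
The scenario from the issue description (ALL on a table, SELECT revoked from its database), as an added example that is not Sentry code and not part of the original message: a small model of a partial revoke in which the child-privilege lookup treats "*" and "ALL" as the same action before decomposing it. The class, record and method names are hypothetical, and the model assumes ALL decomposes only into SELECT and INSERT, as in the description.

```java
import java.util.*;

// Added illustration, not Sentry code. All names here are hypothetical.
public class PartialRevokeDemo {
    // Assumption: ALL (also stored as "*") decomposes into these two actions.
    static final Set<String> COMPONENTS = Set.of("select", "insert");

    record Priv(String scope, String action) {}

    // Treat "*" and "ALL" as one action, case-insensitively, so a child
    // stored under either spelling is found by the lookup.
    static boolean isAll(String action) {
        return action.equals("*") || action.equalsIgnoreCase("all");
    }

    // Actions left from one stored action once `revoked` is taken away.
    static Set<String> remaining(String held, String revoked) {
        if (isAll(revoked)) return Set.of();
        Set<String> left = new TreeSet<>();
        if (isAll(held)) left.addAll(COMPONENTS);
        else left.add(held.toLowerCase());
        left.remove(revoked.toLowerCase());
        return left;
    }

    // Revoke `action` at parentScope and rewrite every privilege stored
    // at that scope or below it; unrelated scopes are left untouched.
    static List<Priv> revoke(List<Priv> stored, String parentScope, String action) {
        List<Priv> out = new ArrayList<>();
        for (Priv p : stored) {
            boolean covered = p.scope().equals(parentScope)
                    || p.scope().startsWith(parentScope + ".");
            if (!covered) { out.add(p); continue; }
            for (String a : remaining(p.action(), action)) {
                out.add(new Priv(p.scope(), a));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: the same table-level grant under both spellings.
        List<Priv> stored = List.of(
                new Priv("db1", "select"),
                new Priv("db1.t1", "ALL"),
                new Priv("db1.t2", "*"),
                new Priv("db2.t1", "all"));
        System.out.println(revoke(stored, "db1", "select"));
    }
}
```

With the constructed grants above, both `db1.t1` and `db1.t2` end up holding only INSERT, whichever spelling they were stored under, and the grant on `db2.t1` is unchanged.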