Posted to issues@sentry.apache.org by "Na Li (JIRA)" <ji...@apache.org> on 2018/03/06 21:46:00 UTC

[jira] [Created] (SENTRY-2151) Object Ownership

Na Li created SENTRY-2151:
-----------------------------

             Summary: Object Ownership
                 Key: SENTRY-2151
                 URL: https://issues.apache.org/jira/browse/SENTRY-2151
             Project: Sentry
          Issue Type: New Feature
          Components: Sentry
    Affects Versions: 2.1.0
            Reporter: Na Li
            Assignee: Na Li
             Fix For: 2.1.0


Admins want users who create tables to get implicit owner privileges at table creation time. These privileges cannot be revoked.

For instance, a user in role1, which holds the CREATE privilege on db1, gets all privileges on the tables that user creates:
{noformat}
# As an admin
hive> grant create on database db1 to role role1;

# As a user
user1> use db1;
user1> create table t1(id int);
-- An implicit 'grant all on db1.t1 to user user1' is generated in Sentry 
user1> insert into table t1 values (1);
user1> select * from t1;
user1> drop table t1;
{noformat}
For backward compatibility, the implicit privilege to be applied must be determined by a configuration set by admins, so that upgrading to this feature does not change the behavior of privileges granted before the upgrade. For newly created tables, the privilege level must be taken from the 'owner.privileges' property of the database in which the table is created.

For instance, a user creating a table in db1 gets "all with grant" privileges on it, but a user creating a table in db2 gets no privileges at all:
{noformat}
# As an admin
hive> alter database db1 set dbproperties('owner.privileges'='all with grant');
hive> grant create on database db1 to role role1;
hive> alter database db2 set dbproperties('owner.privileges'='none');
hive> grant create on database db2 to role role2;

# As a user
user1> create table db1.t1(id int);
-- An implicit 'all with grant' privilege is granted to the user on db1.t1
user1> create table db2.t1(id int);
-- No privileges are granted to the user on db2.t1
{noformat}
The implicitly granted privilege cannot be revoked by an explicit revoke command, and it is not affected by later changes to the 'owner.privileges' property. The only ways to remove the implicit privileges are dropping the table or changing the owner of the table.
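The rules above (implicit owner grant at CREATE TABLE, level read from the database's 'owner.privileges' property at creation time, immunity to REVOKE and to later property changes, removal on DROP TABLE or owner change) are replayed below in a small reference model. This is an added example, not Sentry code: the class and function names are the example's own, and the default level used when the property is unset ('none', preserving pre-upgrade behavior) is an assumption.

```python
"""Reference model of the owner-privilege rules described in SENTRY-2151.

Added example, not Sentry's implementation. Names are the example's own;
DEFAULT_OWNER_PRIVILEGES is an assumed default.
"""
from dataclasses import dataclass, field

OWNER_PRIVILEGE_LEVELS = ("all with grant", "all", "none")
DEFAULT_OWNER_PRIVILEGES = "none"  # assumed: unset property keeps old behavior


@dataclass
class Privilege:
    principal: str          # user or role name
    action: str             # "all", "create", "select", ...
    with_grant: bool = False
    implicit: bool = False  # True when created by the ownership rule


@dataclass
class Table:
    owner: str
    privileges: list = field(default_factory=list)


@dataclass
class Database:
    properties: dict = field(default_factory=dict)
    tables: dict = field(default_factory=dict)
    privileges: list = field(default_factory=list)


class OwnershipModel:
    def __init__(self):
        self.dbs = {}

    def create_database(self, name):
        self.dbs[name] = Database()

    def set_owner_privileges(self, db, level):
        """ALTER DATABASE db SET DBPROPERTIES ('owner.privileges'='level')."""
        if level not in OWNER_PRIVILEGE_LEVELS:
            raise ValueError(f"unknown owner.privileges level: {level!r}")
        self.dbs[db].properties["owner.privileges"] = level

    def grant(self, db, principal, action, with_grant=False):
        """Explicit admin grant on a database (GRANT action ON DATABASE db TO ROLE)."""
        self.dbs[db].privileges.append(Privilege(principal, action, with_grant))

    def create_table(self, db, table, user, roles=()):
        database = self.dbs[db]
        principals = {user, *roles}
        if not any(p.principal in principals and p.action in ("create", "all")
                   for p in database.privileges):
            raise PermissionError(f"{user} lacks CREATE on {db}")
        t = Table(owner=user)
        # Ownership rule: the level is read from the property at creation time only.
        level = database.properties.get("owner.privileges", DEFAULT_OWNER_PRIVILEGES)
        if level != "none":
            t.privileges.append(Privilege(user, "all",
                                          with_grant=(level == "all with grant"),
                                          implicit=True))
        database.tables[table] = t

    def revoke(self, db, table, principal, action):
        """Explicit REVOKE: removes admin grants only, never the owner grant."""
        t = self.dbs[db].tables[table]
        matches = [p for p in t.privileges
                   if p.principal == principal and p.action == action]
        if any(p.implicit for p in matches):
            raise PermissionError("implicit owner privileges cannot be revoked")
        for p in matches:
            t.privileges.remove(p)

    def drop_table(self, db, table):
        del self.dbs[db].tables[table]  # the table's privileges go with it

    def change_owner(self, db, table, new_owner):
        t = self.dbs[db].tables[table]
        t.privileges = [p for p in t.privileges if not p.implicit]
        t.owner = new_owner  # the issue does not say what the new owner receives

    def authorized(self, db, table, principal, action):
        t = self.dbs[db].tables.get(table)
        return t is not None and any(
            p.principal == principal and p.action in ("all", action)
            for p in t.privileges)


def run_scenarios():
    """Replays the issue's second example and the non-revocation rule."""
    m = OwnershipModel()
    for db in ("db1", "db2"):
        m.create_database(db)
    m.set_owner_privileges("db1", "all with grant")
    m.grant("db1", "role1", "create")
    m.set_owner_privileges("db2", "none")
    m.grant("db2", "role2", "create")
    m.create_table("db1", "t1", "user1", roles=("role1",))
    m.create_table("db2", "t1", "user1", roles=("role2",))
    results = {
        "db1_select": m.authorized("db1", "t1", "user1", "select"),
        "db1_with_grant": any(p.with_grant for p in m.dbs["db1"].tables["t1"].privileges),
        "db2_select": m.authorized("db2", "t1", "user1", "select"),
    }
    m.set_owner_privileges("db1", "none")  # later change: existing grant untouched
    results["db1_select_after_change"] = m.authorized("db1", "t1", "user1", "select")
    try:
        m.revoke("db1", "t1", "user1", "all")
        results["revoke_succeeded"] = True
    except PermissionError:
        results["revoke_succeeded"] = False
    m.change_owner("db1", "t1", "user2")
    results["db1_select_after_owner_change"] = m.authorized("db1", "t1", "user1", "select")
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Running the model shows user1 with SELECT on db1.t1 but not on db2.t1, the db1 grant surviving both a property change and a REVOKE attempt, and disappearing only once the owner changes.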



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)