Posted to issues@sentry.apache.org by "Sachin (JIRA)" <ji...@apache.org> on 2018/04/18 09:18:00 UTC

[jira] [Updated] (SENTRY-2204) Revoke 'all/*' on server from role , revokes all privileges from the same role

     [ https://issues.apache.org/jira/browse/SENTRY-2204?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sachin updated SENTRY-2204:
---------------------------
    Description: 
I have assigned the below privileges to one role, i.e. role_1:
{noformat}
+------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database                     | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
+------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| hdfs://nameservice01/user/h  |        |            |         | role_157        | ROLE            | *          | false         | 1523963168628000  | --       |
| *                            |        |            |         | role_157        | ROLE            | *          | false         | 1523352328442000  | --       |
| hdfs://nameservice01/user/m  |        |            |         | role_157        | ROLE            | *          | false         | 1523963186544000  | --       |
+------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+

{noformat}
 

After that, I executed the below commands, i.e. revoke and show grant, for the same role:
{noformat}
revoke all on server server1 from role role_157;

{noformat}
{noformat}
show grant role role_157;
{noformat}
{noformat}
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time  | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+
No rows selected (0.119 seconds)

{noformat}
 

As you can see from above, if you revoke all on server, it also revokes all the other privileges from the same role as well. 

So is this the right behaviour? Or should it revoke only all/* on server and keep the other privileges?

  was:
I have assigned the below privileges to one role, i.e. role_1:

{noformat}
+------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database                     | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
+------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| hdfs://nameservice01/user/h  |        |            |         | role_157        | ROLE            | *          | false         | 1523963168628000  | --       |
| *                            |        |            |         | role_157        | ROLE            | *          | false         | 1523352328442000  | --       |
| hdfs://nameservice01/user/m  |        |            |         | role_157        | ROLE            | *          | false         | 1523963186544000  | --       |
+------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+

{noformat}

 

After that, I executed the below commands, i.e. revoke and show grant, for the same role:

{noformat}

revoke all on server server1 from role role_157;

{noformat}

 

{noformat}
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time  | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+
No rows selected (0.119 seconds)

{noformat}

 

As you can see from above, if you revoke all on server, it also revokes all the other privileges from the same role as well. 

So is this the right behaviour? Or should it revoke only all/* on server and keep the other privileges?


> Revoke 'all/*' on server from role , revokes all privileges from the same role
> ------------------------------------------------------------------------------
>
>                 Key: SENTRY-2204
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2204
>             Project: Sentry
>          Issue Type: New Feature
>          Components: Sentry
>            Reporter: Sachin
>            Priority: Major
>
> I have assigned the below privileges to one role, i.e. role_1:
> {noformat}
> +------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | database                     | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
> +------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | hdfs://nameservice01/user/h  |        |            |         | role_157        | ROLE            | *          | false         | 1523963168628000  | --       |
> | *                            |        |            |         | role_157        | ROLE            | *          | false         | 1523352328442000  | --       |
> | hdfs://nameservice01/user/m  |        |            |         | role_157        | ROLE            | *          | false         | 1523963186544000  | --       |
> +------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> {noformat}
>  
> After that, I executed the below commands, i.e. revoke and show grant, for the same role:
> {noformat}
> revoke all on server server1 from role role_157;
> {noformat}
> {noformat}
> show grant role role_157;
> {noformat}
> {noformat}
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+
> | database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time  | grantor  |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+
> No rows selected (0.119 seconds)
> {noformat}
>  
> As you can see from above, if you revoke all on server, it also revokes all the other privileges from the same role as well. 
> So is this the right behaviour? Or should it revoke only all/* on server and keep the other privileges?


