Posted to issues@sentry.apache.org by "Na Li (JIRA)" <ji...@apache.org> on 2018/10/05 03:13:00 UTC

[jira] [Commented] (SENTRY-2424) sentry.db.explicit.grants.permitted config does not allow empty value to mean allow all privileges

    [ https://issues.apache.org/jira/browse/SENTRY-2424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16639211#comment-16639211 ] 

Na Li commented on SENTRY-2424:
-------------------------------

The reason this issue was not discovered is that in Sergio's test, the property is not present in the configuration file, so its default value "" is used. In Fredy's test, the property is present, but its value field is empty, which causes the value to be null.

The following changes should be made:

1) Check for null
The following code should be changed from

    private static Set<String> getDbGrantsPermittedFromConf(Configuration conf) {
      String grantsConfig = conf.get(SENTRY_DB_EXPLICIT_GRANTS_PERMITTED,
        SENTRY_DB_EXPLICIT_GRANTS_PERMITTED_DEFAULT).trim();

to

    private static Set<String> getDbGrantsPermittedFromConf(Configuration conf) {
      String grantsConfig = conf.get(SENTRY_DB_EXPLICIT_GRANTS_PERMITTED,
        SENTRY_DB_EXPLICIT_GRANTS_PERMITTED_DEFAULT);

      // Guard against a null value before calling trim()
      if (grantsConfig == null) {
        return Collections.emptySet();
      } else {
        grantsConfig = grantsConfig.trim();
      }

2) Update test code to add the scenario found by Fredy
  

> sentry.db.explicit.grants.permitted config does not allow empty value to mean allow all privileges
> --------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-2424
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2424
>             Project: Sentry
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.0.1
>            Reporter: Fredy Wijaya
>            Priority: Major
>
> https://issues.apache.org/jira/browse/SENTRY-2413 introduced "sentry.db.explicit.grants.permitted" to specify which privileges are permitted to be granted explicitly. Empty value means allow all privileges. However the following sentry-site.xml does not work.
> {noformat}
> <property>
>   <name>sentry.db.explicit.grants.permitted</name>
>   <value></value>
> </property>
> {noformat}
> Apparently using a space works.
> {noformat}
> <property>
>   <name>sentry.db.explicit.grants.permitted</name>
>   <value> </value>
> </property>
> {noformat}
> Steps to reproduce in Impala:
> {noformat}
> [localhost:21000] default> create role foo_role;
> [localhost:21000] default> grant alter on table functional.alltypes to role foo_role;
> ERROR: AuthorizationException: User 'foobar' does not have privileges to execute: GRANT_PRIVILEGE
> {noformat}
> Stacktrace:
> {noformat}
> 18/10/04 20:01:06 ERROR thrift.SentryPolicyStoreProcessor: GRANT privilege for [ALTER] not permitted.
> org.apache.sentry.core.common.exception.SentryGrantDeniedException: GRANT privilege for [ALTER] not permitted.
>     at org.apache.sentry.api.common.SentryServiceUtil.checkDbExplicitGrantsPermitted(SentryServiceUtil.java:364)
>     at org.apache.sentry.api.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_grant_privilege(SentryPolicyStoreProcessor.java:265)
>     at org.apache.sentry.api.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1597)
>     at org.apache.sentry.api.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1582)
>     at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)                 
>     at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)                   
>     at org.apache.sentry.api.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:36)
>     at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)       
>     at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)       
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)       
>     at java.lang.Thread.run(Thread.java:748)
> {noformat}



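An added example, not part of the original message and not Sentry's own code: a stand-alone Java program that runs the four configuration states discussed in this thread (property absent, present with a null value, a single space, an explicit list) through a null-safe parse, so the first three all mean "allow all". The class name, the `get` helper, the comma-separated list format and the sample maps are assumptions standing in for the real configuration lookup.

```java
import java.util.*;

public class ExplicitGrantsDemo {
  static final String KEY = "sentry.db.explicit.grants.permitted";
  static final String DEFAULT = "";

  // Hypothetical stand-in for the config lookup: absent key -> default,
  // key present with a null value -> null (the case found in Fredy's test).
  static String get(Map<String, String> conf, String key, String def) {
    return conf.containsKey(key) ? conf.get(key) : def;
  }

  // Null-safe parse: null, "" and " " all yield the empty set.
  static Set<String> permitted(Map<String, String> conf) {
    String raw = get(conf, KEY, DEFAULT);
    if (raw == null || raw.trim().isEmpty()) {
      return Collections.emptySet();
    }
    Set<String> out = new HashSet<>();
    for (String item : raw.split(",")) {   // assumed comma-separated list
      if (!item.trim().isEmpty()) {
        out.add(item.trim());
      }
    }
    return out;
  }

  // Per the issue description, an empty set means every privilege may be granted.
  static boolean grantAllowed(Set<String> permitted, String privilege) {
    return permitted.isEmpty() || permitted.contains(privilege);
  }

  public static void main(String[] args) {
    // Constructed sample configurations, one per state.
    Map<String, String> absent = new HashMap<>();
    Map<String, String> nullValue = new HashMap<>();
    nullValue.put(KEY, null);
    Map<String, String> blank = Collections.singletonMap(KEY, " ");
    Map<String, String> list = Collections.singletonMap(KEY, "SELECT, INSERT");

    for (Map<String, String> conf : Arrays.asList(absent, nullValue, blank, list)) {
      Set<String> p = permitted(conf);
      System.out.println(conf + " -> permitted=" + p
          + ", ALTER allowed=" + grantAllowed(p, "ALTER"));
    }
  }
}
```

A regression test for the scenario in item 2 would assert that the null-value map behaves exactly like the absent and blank ones, and that only the explicit list rejects `ALTER`.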