You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@sentry.apache.org by "Sergio Peña (JIRA)" <ji...@apache.org> on 2017/12/12 17:12:00 UTC

[jira] [Updated] (SENTRY-2097) Sentry privileges model: Can Sentry take a database privileges away from a server privileges?

     [ https://issues.apache.org/jira/browse/SENTRY-2097?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergio Peña updated SENTRY-2097:
--------------------------------
    Description: 
Assume I have a user |jack| and a group |datateam|. The
user |jack| belongs to group |datateam|.

Use Sentry for authorization.

|create role admin; grant role admin to group datateam; grant all on
server server1 to role admin; |

Now the role |admin| has the following priveleges.

{noformat}
|+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database | table | partition | column | principal_name |
principal_type | privilege | grant_option | grant_time | grantor |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| * | | | | admin | ROLE | * | false | 1480985013185000 | -- |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+|
{noformat}

Assume I have this database.

|create database testdb; |

It is successful. User |jack| created a database |testdb|.

Use Sentry to revoke the privileges on |testdb|;

|revoke all on database `testdb` from role admin; |
The priveleges is still the same.

{noformat}
|+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database | table | partition | column | principal_name |
principal_type | privilege | grant_option | grant_time | grantor |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| * | | | | admin | ROLE | * | false | 1480985013185000 | -- |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+|
{noformat}

Shouldn't Sentry take the privileges on database |testdb| away from the
server |server1|?

  was:
This issue has been allocated:
CVE-2017-15711

From security@sentry.apache.org:

Assume I have a user |jack| and a group |datateam|. The
user |jack| belongs to group |datateam|.

Use Sentry for authorization.

|create role admin; grant role admin to group datateam; grant all on
server server1 to role admin; |

Now the role |admin| has the following priveleges.

{noformat}
|+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database | table | partition | column | principal_name |
principal_type | privilege | grant_option | grant_time | grantor |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| * | | | | admin | ROLE | * | false | 1480985013185000 | -- |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+|
{noformat}

Assume I have this database.

|create database testdb; |

It is successful. User |jack| created a database |testdb|.

Use Sentry to revoke the privileges on |testdb|;

|revoke all on database `testdb` from role admin; |
The priveleges is still the same.

{noformat}
|+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database | table | partition | column | principal_name |
principal_type | privilege | grant_option | grant_time | grantor |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| * | | | | admin | ROLE | * | false | 1480985013185000 | -- |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+|
{noformat}

Shouldn't Sentry take the privileges on database |testdb| away from the
server |server1|?


> Sentry privileges model: Can Sentry take a database privileges away from a server privileges?
> ---------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-2097
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2097
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>            Reporter: Sergio Peña
>            Priority: Critical
>
> Assume I have a user |jack| and a group |datateam|. The
> user |jack| belongs to group |datateam|.
> Use Sentry for authorization.
> |create role admin; grant role admin to group datateam; grant all on
> server server1 to role admin; |
> Now the role |admin| has the following priveleges.
> {noformat}
> |+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | database | table | partition | column | principal_name |
> principal_type | privilege | grant_option | grant_time | grantor |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | * | | | | admin | ROLE | * | false | 1480985013185000 | -- |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+|
> {noformat}
> Assume I have this database.
> |create database testdb; |
> It is successful. User |jack| created a database |testdb|.
> Use Sentry to revoke the privileges on |testdb|;
> |revoke all on database `testdb` from role admin; |
> The priveleges is still the same.
> {noformat}
> |+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | database | table | partition | column | principal_name |
> principal_type | privilege | grant_option | grant_time | grantor |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | * | | | | admin | ROLE | * | false | 1480985013185000 | -- |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+|
> {noformat}
> Shouldn't Sentry take the privileges on database |testdb| away from the
> server |server1|?



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)