Posted to issues@sentry.apache.org by "Na Li (JIRA)" <ji...@apache.org> on 2019/03/06 02:21:00 UTC
[jira] [Commented] (SENTRY-2507) Authorization of "default" database is not controlled by "sentry.hive.restrict.defaultDB" at HMS server
[ https://issues.apache.org/jira/browse/SENTRY-2507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16785161#comment-16785161 ]
Na Li commented on SENTRY-2507:
-------------------------------
From hive beeline, user no_pri has "ALL" privilege on default.tb1. User no_pri_2 does not have any privilege.
1) show databases;
1.1) with ALL privilege on default.tb1
default
1.2) no privilege at all
default
2) describe database default;
2.1) with ALL privilege on default.tb1
Error while compiling statement: FAILED: SemanticException No valid privileges User no_pri does not have privileges for DESCDATABASE The required privileges: Server=server1->Db=default->action=select->grantOption=false;Server=server1->Db=default->action=insert->grantOption=false;
2.2) no privilege at all
Error while compiling statement: FAILED: SemanticException No valid privileges User no_pri_2 does not have privileges for SWITCHDATABASE The required privileges: Server=server1->Db=*->Table=+->Column=*->action=select->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=insert->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=alter->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=create->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=drop->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=index->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=lock->grantOption=false;
3) use default;
3.1) with ALL privilege on default.tb1;
succeed
3.2) no privilege at all
Error while compiling statement: FAILED: SemanticException No valid privileges User no_pri_2 does not have privileges for SWITCHDATABASE The required privileges: Server=server1->Db=*->Table=+->Column=*->action=select->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=insert->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=alter->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=create->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=drop->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=index->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=lock->grantOption=false;
4) show tables;
4.1) with ALL privilege on default.tb1;
tb1
4.2) no privilege at all
Error while compiling statement: FAILED: SemanticException No valid privileges User no_pri_2 does not have privileges for SWITCHDATABASE The required privileges: Server=server1->Db=*->Table=+->Column=*->action=select->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=insert->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=alter->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=create->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=drop->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=index->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=lock->grantOption=false;
> Authorization of "default" database is not controlled by "sentry.hive.restrict.defaultDB" at HMS server
> -------------------------------------------------------------------------------------------------------
>
> Key: SENTRY-2507
> URL: https://issues.apache.org/jira/browse/SENTRY-2507
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Reporter: Na Li
> Priority: Major
>
> If "sentry.hive.restrict.defaultDB" at sentry-site.xml at HMS server is set to be false, user still has to have "SELECT", or "INSERT", or "ALL" privilege on the "default" database in order to access it.
> This behavior is not consistent with the behavior at Hive server.