Posted to issues@sentry.apache.org by "Na Li (JIRA)" <ji...@apache.org> on 2018/03/26 21:04:00 UTC

[jira] [Updated] (SENTRY-2151) Automatically derive owner privileges from Hive Object Ownership

     [ https://issues.apache.org/jira/browse/SENTRY-2151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Na Li updated SENTRY-2151:
--------------------------
    Summary: Automatically derive owner privileges from Hive Object Ownership  (was: Automatically derive owner privileges from Object Ownership)

> Automatically derive owner privileges from Hive Object Ownership
> ----------------------------------------------------------------
>
>                 Key: SENTRY-2151
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2151
>             Project: Sentry
>          Issue Type: New Feature
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: Na Li
>            Assignee: Na Li
>            Priority: Major
>             Fix For: 2.1.0
>
>
> Admins want users who create tables to get implicit owner privileges during table creation. These privileges cannot be revoked.
> For instance, a user under role1 with CREATE privileges gets all privileges on newly created tables:
> {noformat}
> # As an admin
> hive> grant create on db1 to role1;
> # As a user
> user1> use db1;
> user1> create table t1(id int);
> -- An implicit 'grant all on db1.t1 to user user1' is generated in Sentry 
> user1> insert into table t1 values (1);
> user1> select * from t1;
> user1> drop table t1;
> {noformat}
> For backward compatibility, the default implicit privilege to be applied must be determined by a configuration set by admins. This is to ensure that an upgrade to this new feature does not affect the behavior of old privileges set before the upgrade. For newly created tables, the privilege must be obtained from the property ‘owner.privileges’ of the database property where the table is created.
> For instance, a user on db1 gets "all with grant privileges" but on db2 does not get any privilege:
> {noformat}
> # As an admin
> hive> alter database db1 set dbproperties('owner.privileges'='all with grant');
> hive> grant create on db1 to role1;
> hive> alter database db2 set dbproperties('owner.privileges'='none');
> hive> grant create on db2 to role2;
> # As a user
> user1> create table db1.t1(id int);
> -- An implicit 'all with grant' privilege is granted to the user on db1.t1
> user1> create table db2.t1(id int);
> -- No privileges are granted to the user on db2.t1
> {noformat}
> The privilege granted implicitly cannot be revoked by explicit revoke commands, nor is it revoked if the 'owner.privileges' property changes. The only way to remove the implicit privileges is by dropping the table or changing the owner of the table.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
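
The rules in the issue description above, as an added Python model that is not part of the original message and is not Sentry code. The class and method names are hypothetical, and the fallback of "none" for databases without an 'owner.privileges' property is an assumption standing in for the admin-set default the issue mentions.

```python
# Added toy model of the rules in the issue text; not Sentry code.
class OwnerPrivilegeModel:
    def __init__(self, default_policy="none"):
        # Assumption: databases without 'owner.privileges' fall back to an
        # admin-configured default; "none" keeps pre-upgrade behaviour.
        self.default_policy = default_policy
        self.db_props = {}     # db -> value of 'owner.privileges'
        self.implicit = {}     # (db, table) -> (owner, privilege), fixed at creation
        self.explicit = set()  # (user, db, table, privilege) from GRANT statements

    def set_owner_privileges(self, db, value):
        self.db_props[db] = value

    def create_table(self, db, table, user):
        policy = self.db_props.get(db, self.default_policy)
        if policy != "none":
            self.implicit[(db, table)] = (user, policy)

    def grant(self, user, db, table, privilege):
        self.explicit.add((user, db, table, privilege))

    def revoke(self, user, db, table, privilege):
        # Explicit REVOKE touches explicit grants only, never the owner grant.
        self.explicit.discard((user, db, table, privilege))

    def drop_table(self, db, table):
        self.implicit.pop((db, table), None)
        self.explicit = {g for g in self.explicit if g[1:3] != (db, table)}

    def change_owner(self, db, table, new_owner):
        # The issue says an owner change removes the implicit privilege; what the
        # new owner receives is not stated, so this model grants nothing.
        self.implicit.pop((db, table), None)

    def privileges(self, user, db, table):
        found = {p for (u, d, t, p) in self.explicit if (u, d, t) == (user, db, table)}
        owner = self.implicit.get((db, table))
        if owner and owner[0] == user:
            found.add(owner[1])
        return found

def demo():
    m = OwnerPrivilegeModel()
    m.set_owner_privileges("db1", "all with grant")
    m.set_owner_privileges("db2", "none")
    m.create_table("db1", "t1", "user1")
    m.create_table("db2", "t1", "user1")
    m.revoke("user1", "db1", "t1", "all with grant")  # no effect on the owner grant
    m.set_owner_privileges("db1", "none")             # no effect on the existing table
    return m.privileges("user1", "db1", "t1"), m.privileges("user1", "db2", "t1")
```

Because the owner grant survives both REVOKE and a later property change, an access review has to treat table ownership as a privilege source in its own right.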