Posted to dev@sentry.apache.org by Sergio Pena via Review Board <no...@reviews.apache.org> on 2018/08/13 22:49:57 UTC
Review Request 68332: SENTRY-2352: User roles with ALTER on a table
can not show or describe the table on which they have ALTER
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68332/
-----------------------------------------------------------
Review request for sentry, Arjun Mishra, kalyan kumar kalvagadda, and Na Li.
Bugs: sentry-2352
https://issues.apache.org/jira/browse/sentry-2352
Repository: sentry
Description
-------
Added the following matrix of privileges on the DESCRIBE TABLE and SHOW TABLES:

DESCRIBE table allowed and not allowed privileges:

    { null, NOT_ALLOWED }, // Means no privileges
    { DBModelAction.ALL, ALLOWED },
    { DBModelAction.CREATE, NOT_ALLOWED },
    { DBModelAction.SELECT, ALLOWED },
    { DBModelAction.INSERT, ALLOWED },
    { DBModelAction.ALTER, ALLOWED },
    { DBModelAction.DROP, NOT_ALLOWED },
    { DBModelAction.INDEX, NOT_ALLOWED },
    { DBModelAction.LOCK, NOT_ALLOWED },

SHOW TABLES allowed and not allowed privileges:

    { null, NOT_ALLOWED }, // Means no privileges
    { DBModelAction.ALL, ALLOWED },
    { DBModelAction.CREATE, NOT_ALLOWED },
    { DBModelAction.SELECT, ALLOWED },
    { DBModelAction.INSERT, ALLOWED },
    { DBModelAction.ALTER, ALLOWED },
    { DBModelAction.DROP, ALLOWED },
    { DBModelAction.INDEX, ALLOWED },
    { DBModelAction.LOCK, ALLOWED },
Diffs
-----
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java 1ab5be35dcb7991f723c0bb885ed2a15c6f5873a
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java 447deaf5831675257be1bbb05934a1ab4826fe9e
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java 78742fdacd72531eed4a7dde86871a57cf54493b
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDescribeMetadataPrivileges.java PRE-CREATION
sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestShowMetadataPrivileges.java PRE-CREATION
Diff: https://reviews.apache.org/r/68332/diff/1/
Testing
-------
Thanks,
Sergio Pena
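
Added example, not part of the original e-mail and not Sentry's own code: the two matrices above expressed as an any-of privilege check, showing that a DROP-only grant makes a table visible in SHOW TABLES but still denies DESCRIBE. The Action enum, the method names, the any-of evaluation, the per-table filtering of the listing and the sample grants are assumptions made for illustration.

```java
import java.util.*;
import java.util.stream.*;

public class MetadataPrivilegeDemo {
    // Hypothetical stand-in for the DBModelAction values listed in the matrices.
    enum Action { ALL, CREATE, SELECT, INSERT, ALTER, DROP, INDEX, LOCK }

    // Actions marked ALLOWED for each operation, copied from the two matrices.
    static final Set<Action> DESCRIBE_TABLE =
        EnumSet.of(Action.ALL, Action.SELECT, Action.INSERT, Action.ALTER);
    static final Set<Action> SHOW_TABLES =
        EnumSet.of(Action.ALL, Action.SELECT, Action.INSERT, Action.ALTER,
                   Action.DROP, Action.INDEX, Action.LOCK);

    // Assumed any-of semantics: one qualifying grant is enough.
    // No grants at all (the "null" row) always denies.
    static boolean allowed(Set<Action> required, Set<Action> granted) {
        return granted != null && !Collections.disjoint(required, granted);
    }

    // SHOW TABLES: keep only tables on which the caller holds a qualifying grant.
    static List<String> showTables(Map<String, Set<Action>> grantsByTable) {
        return grantsByTable.entrySet().stream()
            .filter(e -> allowed(SHOW_TABLES, e.getValue()))
            .map(Map.Entry::getKey).sorted().collect(Collectors.toList());
    }

    // DESCRIBE: fail closed, with the same error for ungranted and unknown tables.
    static void describe(Map<String, Set<Action>> grantsByTable, String table) {
        if (!allowed(DESCRIBE_TABLE, grantsByTable.get(table))) {
            throw new SecurityException("DESCRIBE denied on " + table);
        }
    }

    public static void main(String[] args) {
        // Constructed sample grants for a single user; table names are made up.
        Map<String, Set<Action>> grants = new HashMap<>();
        grants.put("orders", EnumSet.of(Action.ALTER));   // listed and describable
        grants.put("audit", EnumSet.of(Action.DROP));     // listed only
        grants.put("staging", EnumSet.of(Action.CREATE)); // neither
        grants.put("secret", null);                       // no privileges

        System.out.println("SHOW TABLES -> " + showTables(grants));
        for (String t : new TreeSet<>(grants.keySet())) {
            try { describe(grants, t); System.out.println("DESCRIBE " + t + " -> allowed"); }
            catch (SecurityException e) { System.out.println(e.getMessage()); }
        }
    }
}
```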
Re: Review Request 68332: SENTRY-2352: User roles with ALTER on a
table can not show or describe the table on which they have ALTER
Posted by Na Li via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68332/#review207247
-----------------------------------------------------------
Ship it!
Ship It!
- Na Li
Re: Review Request 68332: SENTRY-2352: User roles with ALTER on a
table can not show or describe the table on which they have ALTER
Posted by Sergio Pena via Review Board <no...@reviews.apache.org>.
> On Aug. 13, 2018, 11:25 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
> > Line 104 (original), 104 (patched)
> > <https://reviews.apache.org/r/68332/diff/1/?file=2072166#file2072166line104>
> >
> > does Alter apply to column?
Yes, a user with ALTER privileges should be able to view column metadata. ALTER is used to change column names, add columns, etc., so they need to be able to see what they can change.
> On Aug. 13, 2018, 11:25 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
> > Lines 177 (patched)
> > <https://reviews.apache.org/r/68332/diff/1/?file=2072167#file2072167line177>
> >
> > should Drop be included as well?
I don't see a need for a user with DROP privileges to be able to view the column names and the rest of the table metadata. If a user has DROP privileges, then they should only see the table with the SHOW TABLES.
- Sergio
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68332/#review207179
-----------------------------------------------------------
Re: Review Request 68332: SENTRY-2352: User roles with ALTER on a
table can not show or describe the table on which they have ALTER
Posted by Na Li via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68332/#review207179
-----------------------------------------------------------
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
Line 104 (original), 104 (patched)
<https://reviews.apache.org/r/68332/#comment290476>
does Alter apply to column?
sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
Lines 177 (patched)
<https://reviews.apache.org/r/68332/#comment290477>
should Drop be included as well?
- Na Li