Posted to issues@sentry.apache.org by "Sergio Peña (JIRA)" <ji...@apache.org> on 2018/09/04 18:50:01 UTC

[jira] [Commented] (SENTRY-2315) The grant all operation is not dropping the create/alter/drop/index/lock privileges.

    [ https://issues.apache.org/jira/browse/SENTRY-2315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16603441#comment-16603441 ] 

Sergio Peña commented on SENTRY-2315:
-------------------------------------

The REVOKE privilege is kind of broken these days. It is hard to decide what privileges will be granted after revoking a single privilege from ALL. For example, components like Impala (and next SparkSQL) are (or will be) using privileges that have a different meaning for Hive, like the REFRESH privilege. If we do revoke a single privilege from ALL, then what privileges should we grant?

I think we should move towards using the ALL privilege as a new privilege, and not a combination of all supported privileges. For now, Sentry supports option #1 only, so we should keep it that way, and we should fix the grant ALL, which now combines all privileges except ALTER. We can talk about moving to option #2 in a different Sentry version.

> The grant all operation is not dropping the create/alter/drop/index/lock privileges.
> ------------------------------------------------------------------------------------
>
>                 Key: SENTRY-2315
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2315
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: Sergio Peña
>            Assignee: Sergio Peña
>            Priority: Major
>         Attachments: SENTRY-2315.1.patch
>
>
> When an object has the ALL privilege, any individual privilege explicitly granted (i.e. create, select, insert, ...) after that has no effect on the privilege list because ALL implies the role or user has all those privileges.
> However, when any of the new privileges list (create, alter, drop) is granted before, and then the grant ALL happens, those privileges are not removed. We should keep the GRANT ALL consistent and remove any individual privilege (except the OWNER privilege) from the list. 



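The GRANT ALL behaviour described in the issue, as an added example that is not part of the original message and is not Sentry's code: a simplified model of one role's privilege list on one object, replayed with the reported and the requested behaviour. All class, function and policy names are hypothetical, and keeping OWNER in both variants is an assumption.

```python
# Added illustration: a simplified model, not Apache Sentry's code.
# Class, function and policy names are hypothetical; privilege names come from the issue.
ALL, OWNER = "ALL", "OWNER"
NOT_DROPPED = {"CREATE", "ALTER", "DROP", "INDEX", "LOCK"}  # listed in the issue title


def reported(privilege):
    """GRANT ALL as reported: the privileges in the title are left behind."""
    return privilege != OWNER and privilege not in NOT_DROPPED


def expected(privilege):
    """GRANT ALL as requested: drop every individual privilege except OWNER."""
    return privilege != OWNER


class PrivilegeList:
    """Privileges one role holds on one object (no scopes, constructed model)."""

    def __init__(self, dropped_by_grant_all):
        self.dropped_by_grant_all = dropped_by_grant_all
        self.held = set()

    def grant(self, privilege):
        privilege = privilege.upper()
        if privilege == ALL:
            self.held = {p for p in self.held if not self.dropped_by_grant_all(p)}
            self.held.add(ALL)
        elif privilege == OWNER or ALL not in self.held:
            self.held.add(privilege)
        # Otherwise ALL already implies the privilege and the list is unchanged.


def replay(policy, grants):
    """Apply grants in order and return the resulting privilege list, sorted."""
    plist = PrivilegeList(policy)
    for g in grants:
        plist.grant(g)
    return sorted(plist.held)


def stale_entries(held):
    """Individual privileges that should not coexist with ALL (OWNER may)."""
    held = set(held)
    return sorted(held - {ALL, OWNER}) if ALL in held else []


if __name__ == "__main__":
    grants = ["select", "create", "owner", "all"]  # constructed grant sequence
    for policy in (reported, expected):
        result = replay(policy, grants)
        print(policy.__name__, result, "stale:", stale_entries(result))
```

`stale_entries` can also be run over an exported privilege list to flag entries that a consistent GRANT ALL would have removed.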