You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@impala.apache.org by "Fang-Yu Rao (Jira)" <ji...@apache.org> on 2020/01/30 01:09:00 UTC

[jira] [Created] (IMPALA-9341) A grantee gains the delegation privilege after executing a revoke statement

Fang-Yu Rao created IMPALA-9341:
-----------------------------------

             Summary: A grantee gains the delegation privilege after executing a revoke statement
                 Key: IMPALA-9341
                 URL: https://issues.apache.org/jira/browse/IMPALA-9341
             Project: IMPALA
          Issue Type: Bug
          Components: Frontend
    Affects Versions: Impala 3.4.0
            Reporter: Fang-Yu Rao
            Assignee: Fang-Yu Rao


When Ranger is used as the authorization provider, a grantee that was granted the {{insert}} privilege on a table without the delegation privilege gains the delegation privilege after executing a statement to {{revoke}} the grantee's {{select}} privilege on the same table. In what follows, we provide the steps to reproduce the issue.

# Start a Ranger-enabled Impala minicluster.
# Log into Impala shell as the user {{admin}} using {{./bin/impala-shell.sh -u admin}}.
# Execute {{grant insert on table <table_name> to user <user_name_of_grantee>;}}
# Execute {{show grant user <user_name_of_grantee> on table <table_name>;}}
# Execute {{revoke select on table <table_name> from user <user_name_of_grantee>;}}
# Execute {{show grant user <user_name_of_grantee> on table <table_name>;}}

When {{<table_name>}} equals {{functional.alltypes}} and {{<user_name_of_grantee>}} equals {{fangyurao}}, after the 4th step, we will see the following.
{code:java}
+----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
| principal_type | principal_name | database   | table    | column | uri | udf | privilege | grant_option | create_time   |
+----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
| USER           | fangyurao      | functional | alltypes | *      |     |     | insert    | false        | 1580345254347 |
+----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
{code}


However, we will see the following after the 6th step above. We can see the filed of {{grant_option}} is changed from {{false}} to {{true}}, which should not happen.
{code:java}
+----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
| principal_type | principal_name | database   | table    | column | uri | udf | privilege | grant_option | create_time   |
+----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
| USER           | fangyurao      | functional | alltypes | *      |     |     | insert    | true         | 1580345254347 |
+----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
{code}




--
This message was sent by Atlassian Jira
(v8.3.4#803005)