You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@sentry.apache.org by "Na Li (JIRA)" <ji...@apache.org> on 2018/04/18 15:33:00 UTC

[jira] [Commented] (SENTRY-2204) Revoke 'all/*' on server from role , revokes all privileges from the same role

    [ https://issues.apache.org/jira/browse/SENTRY-2204?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16442700#comment-16442700 ] 

Na Li commented on SENTRY-2204:
-------------------------------

this is right behavior. The all privilege on server implies all privilege on all db under this server, and all privilege on all tables in all DB. So revoking all will remove privileges at DB and table

> Revoke 'all/*' on server from role , revokes all privileges from the same role
> ------------------------------------------------------------------------------
>
>                 Key: SENTRY-2204
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2204
>             Project: Sentry
>          Issue Type: New Feature
>          Components: Sentry
>            Reporter: Sachin
>            Priority: Major
>
> I have assigned below privileges to one role i.e. role_1;
> {noformat}
> |+------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+|
> |\| database \| table \| partition \| column \| principal_name \| principal_type \| privilege \| grant_option \| grant_time \| grantor \||
> |+------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+|
> |\| hdfs://nameservice01/user/h \| \| \| \| role_157 \| ROLE \| * \| false \| 1523963168628000 \| -- \||
> |\| * \| \| \| \| role_157 \| ROLE \| * \| false \| 1523352328442000 \| -- \||
> |\| hdfs://nameservice01/user/m \| \| \| \| role_157 \| ROLE \| * \| false \| 1523963186544000 \| -- \||
> |+------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+|
> | |
> {noformat}
>  
> After that executed below command i.e revoke and show grant for the same role
> {noformat}
> revoke all on server server1 from role role_157;
> {noformat}
> {noformat}
> show grant role role_157;
> |+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+|
> |\| database \| table \| partition \| column \| principal_name \| principal_type \| privilege \| grant_option \| grant_time \| grantor \||
> |+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+|
> |+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+|
> |No rows selected (0.119 seconds)|
> {noformat}
>  
> As you can see from above, if you revoke all on server, it also revokes all the other privileges from the same role as well. 
> So it is right behaviour? or It should revoke only all/* on server and should keep other privileges?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)