Posted to commits@sentry.apache.org by "Anne Yu (JIRA)" <ji...@apache.org> on 2015/08/25 23:58:46 UTC

[jira] [Commented] (SENTRY-848) [column level privilege] DESCRIBE FORMATTED test_tb.s requires table level privilege

    [ https://issues.apache.org/jira/browse/SENTRY-848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14712051#comment-14712051 ] 

Anne Yu commented on SENTRY-848:
--------------------------------

Even with only column level privileges, a user can run "DESCRIBE FORMATTED test_tb" and "DESCRIBE FORMATTED test_tb.s", even if it might expose some columns the user doesn't have privileges for.

> [column level privilege] DESCRIBE FORMATTED test_tb.s requires table level privilege
> ------------------------------------------------------------------------------------
>
>                 Key: SENTRY-848
>                 URL: https://issues.apache.org/jira/browse/SENTRY-848
>             Project: Sentry
>          Issue Type: Bug
>    Affects Versions: 1.5.1
>            Reporter: Anne Yu
>
> {code}
> create table test_tb(s string, i int);
> grant select(s) on table test_tb to role test_role;
> grant role test_role to group test_user;
> {code}
> Log in as test_user,
> {code}
> describe formatted test_tb s;
> Error: Error while compiling statement: FAILED: SemanticException No valid privileges
>  Required privileges for this query: Server=server1->Db=test_db->Table=test_tb->action=insert;Server=server1->Db=test_db->Table=test_tb->action=select; (state=42000,code=40000)
> {code}
> How about describe [formatted] test_tb; do we allow test_user to list his permitted columns? For example,
> +-----------+------------+----------+--+
> | col_name  | data_type  | comment  |
> +-----------+------------+----------+--+
> | s         | string     |          |
> +-----------+------------+----------+--+
> 2 rows selected (0.167 seconds)
> However, "ANALYZE TABLE test_tb COMPUTE STATISTICS FOR COLUMNS s" is allowed for test_user.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)