You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@sentry.apache.org by "Prasad Mujumdar (JIRA)" <ji...@apache.org> on 2014/09/30 06:19:34 UTC

[jira] [Updated] (SENTRY-445) WITH GRANT OPTION does not allow delegated user to grant less permissive privileges

     [ https://issues.apache.org/jira/browse/SENTRY-445?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Prasad Mujumdar updated SENTRY-445:
-----------------------------------
    Attachment: SENTRY-445.1.patch

> WITH GRANT OPTION does not allow delegated user to grant less permissive privileges
> -----------------------------------------------------------------------------------
>
>                 Key: SENTRY-445
>                 URL: https://issues.apache.org/jira/browse/SENTRY-445
>             Project: Sentry
>          Issue Type: Bug
>    Affects Versions: 1.4.0
>            Reporter: Lenni Kuff
>             Fix For: 1.5.0
>
>         Attachments: SENTRY-445.1.patch
>
>
> In this case the delegated user (root) has been granted ALL on a database and the WITH GRANT OPTION was specified. When the user tries to issue a GRANT SELECT ON TABLE within that database the command fails saying the user does not have privileges to execute. It seems that since ALL implies SELECT they should be able to also GRANT SELECT privileges. 
> {code}
> -- executing against localhost:21000
> create role grant_revoke_test_ROOT;
> grant role grant_revoke_test_ROOT to group root;
> grant all on database functional to grant_revoke_test_ROOT WITH GRANT OPTION;
> -- connecting to: localhost:21000 as "root"
> -- FAILS:  AuthorizationException: User 'root' does not have privileges to execute: GRANT_PRIVILEGE
> grant select on table functional.alltypes to grant_revoke_test_ROOT;
> -- SUCCEEDS
> grant ALL on table functional.alltypes to grant_revoke_test_ROOT;
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)