Posted to commits@sentry.apache.org by "Prasad Mujumdar (JIRA)" <ji...@apache.org> on 2014/04/23 23:50:15 UTC

[jira] [Commented] (SENTRY-182) Granting ALL privileges to table does not seem to do the right thing when using the SimpleDbPolicyProvider

    [ https://issues.apache.org/jira/browse/SENTRY-182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13978954#comment-13978954 ] 

Prasad Mujumdar commented on SENTRY-182:
----------------------------------------

I think this is addressed by the proposed patch for SENTRY-153. I will submit the review request for that soon. Waiting for a Hive-side change which is required for that patch. Thanks!

> Granting ALL privileges to table does not seem to do the right thing when using the SimpleDbPolicyProvider
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-182
>                 URL: https://issues.apache.org/jira/browse/SENTRY-182
>             Project: Sentry
>          Issue Type: Bug
>    Affects Versions: 1.3.0
>            Reporter: Lenni Kuff
>
> I noticed that if I grant ALL privileges to a table (or to all tables under a database using a wildcard), I get back false when I try to access that table using PrivilegeLevel = SELECT | INSERT, but the access works if I access it using PrivilegeLevel=ALL.
> I believe this is because in DBWildcardPrivilege.java @ line 119 the "policyPart" KeyValue param has a key=>value of: "action" => "ALL" (note the string "ALL" as the value) where AccessConstants.ALL has a string val of a wildcard char: "*".
> {code}
> private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) {    
>     if(policyPart.getValue().equals(AccessConstants.ALL) || policyPart.equals(requestPart)) {
>         return true;
>     } else ...
> {code}
> In the BE policy server db I see:
> {code}
> sentry_test2=# select "DB_PRIVILEGE_ID", "DB_NAME", "TABLE_NAME", "PRIVILEGE_NAME" FROM "SENTRY_DB_PRIVILEGE" ORDER BY "DB_PRIVILEGE_ID" desc;
>  DB_PRIVILEGE_ID |       DB_NAME       |  TABLE_NAME  |             PRIVILEGE_NAME             
> -----------------+---------------------+--------------+----------------------------------------
>               18 | functional_seq_snap | *            | server1+functional_seq_snap+*+ALL
> {code}
> This doesn't seem specific to the DbPolicyProvider, but when using a policy file I seem to be able to work around this by explicitly using a wildcard character for the action rather than "ALL". There doesn't seem to be a way to do this with the DbPolicyProvider.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
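
The mismatch described in the report, reproduced as an added example that is not Sentry source code and not the SENTRY-153 patch. The class, the `KeyValue` stand-in and the `impliesNormalized` method are hypothetical; the only values taken from the report are the stored action string "ALL" and the wildcard "*" given for AccessConstants.ALL.

```java
import java.util.Locale;

// Added illustration; class and method names are hypothetical, not Sentry source.
public class AllActionDemo {
    static final String WILDCARD = "*"; // value the report gives for AccessConstants.ALL

    // Minimal stand-in for a key=value privilege part such as action=ALL.
    static final class KeyValue {
        final String key, value;
        KeyValue(String kv) {
            String[] p = kv.split("=", 2);
            key = p[0].toLowerCase(Locale.ROOT);
            value = p[1];
        }
        boolean sameAs(KeyValue o) {
            return key.equals(o.key) && value.equalsIgnoreCase(o.value);
        }
    }

    // Comparison as quoted in the report: only the literal "*" is a wildcard.
    static boolean impliesAsReported(KeyValue policy, KeyValue request) {
        return policy.value.equals(WILDCARD) || policy.sameAs(request);
    }

    // Assumed normalisation: the stored keyword "ALL" on the action key is
    // treated as the wildcard before comparing. Other keys are left alone so a
    // table literally named "all" does not silently become a wildcard grant.
    static boolean impliesNormalized(KeyValue policy, KeyValue request) {
        boolean allAction = policy.key.equals("action")
                && policy.value.equalsIgnoreCase("ALL");
        return allAction || impliesAsReported(policy, request);
    }

    public static void main(String[] args) {
        KeyValue stored = new KeyValue("action=ALL"); // constructed: the "+ALL" suffix in PRIVILEGE_NAME
        for (String req : new String[] {"action=select", "action=insert", "action=ALL"}) {
            KeyValue r = new KeyValue(req);
            System.out.printf("%-14s reported=%-5b normalized=%b%n",
                    req, impliesAsReported(stored, r), impliesNormalized(stored, r));
        }
        // Policy-file workaround from the report: an explicit "*" action.
        KeyValue star = new KeyValue("action=*");
        System.out.println("action=* implies select: "
                + impliesAsReported(star, new KeyValue("action=select")));
    }
}
```

When testing an authorization layer for this class of bug, check each grant keyword against every narrower action it is meant to cover, not only against a request for the same keyword.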