hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ashutosh Chauhan" <hashut...@apache.org>
Subject Re: Review Request 18250: SQL std auth - allow grant/revoke roles if user has ADMIN OPTION
Date Wed, 19 Feb 2014 18:20:34 GMT


> On Feb. 19, 2014, 4:31 p.m., Thejas Nair wrote:
> > ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java,
line 278
> > <https://reviews.apache.org/r/18250/diff/2/?file=497456#file497456line278>
> >
> >     We need to pass the roleNames argument to this function and check that user
has admin option on these roles. For example the role in grant-role could be role A while
current role is role B. The check is happening now on role B only.
> >     What should we do if a user a member with admin option of role Y , because it
belongs to role X and role X has admin option on Y?
> >     Should we check that X is in the current role in that case? I guess so, that
will make it consistent with rest of the current role behavior.

Lets say, user X has an admin option on role A. User X now wants to grant role A to user B.
IMO, user X's current role should be A. He shouldn't be allowed to grant role A to user B,
if his current role is C. Currently is that is whats implemented. It seems you are suggesting
that user X should be allowed to grant role A to user B, even if his current role is C. To
me, this seems counter intuitive. Not sure what does standard says here.


- Ashutosh


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18250/#review34869
-----------------------------------------------------------


On Feb. 19, 2014, 3:31 a.m., Ashutosh Chauhan wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/18250/
> -----------------------------------------------------------
> 
> (Updated Feb. 19, 2014, 3:31 a.m.)
> 
> 
> Review request for hive.
> 
> 
> Bugs: HIVE-6433
>     https://issues.apache.org/jira/browse/HIVE-6433
> 
> 
> Repository: hive-git
> 
> 
> Description
> -------
> 
> SQL std auth - allow grant/revoke roles if user has ADMIN OPTION
> 
> 
> Diffs
> -----
> 
>   ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
c1afaee 
>   ql/src/test/queries/clientpositive/authorization_role_grant2.q PRE-CREATION 
>   ql/src/test/results/clientpositive/authorization_role_grant2.q.out PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/18250/diff/
> 
> 
> Testing
> -------
> 
> Added new test
> 
> 
> Thanks,
> 
> Ashutosh Chauhan
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message