impala-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dimitris Tsirogiannis (Code Review)" <ger...@cloudera.org>
Subject [Impala-CR](cdh5-trunk) IMPALA-3133: Wrong privileges after a REVOKE ALL ON SERVER statement
Date Fri, 06 May 2016 03:19:10 GMT
Dimitris Tsirogiannis has uploaded a new change for review.

  http://gerrit.cloudera.org:8080/2979

Change subject: IMPALA-3133: Wrong privileges after a REVOKE ALL ON SERVER statement
......................................................................

IMPALA-3133: Wrong privileges after a REVOKE ALL ON SERVER statement

This commit fixes an issue where a GRANT ALL ON SERVER to role_name statement
followed by a REVOKE ALL ON SERVER from role_name statement would not revoke all
privileges from role_name. The problem was triggered by a specific
combination of Sentry client API calls used in Impala during
grant/revoke statements at server scope. In particular, during GRANT, Impala was using
an API call that didn't explicitly specify the privilege action (Sentry uses '*' if
no action is specified). In contrast, the corresponding REVOKE call was explicitly
specifying the privilege action to be 'ALL'. Sentry doesn't seem to
handle this case correctly, thereby failing to remove all the privileges
after a REVOKE ALL ON SERVER call. The fix from the Impala side, that
results in the correct behavior, is to always specify the privilege
action by using the appropriate API calls.

Change-Id: I6b3a0d10f5e88c6a0a10bd20f620562d2de7ab25
---
M fe/src/main/java/com/cloudera/impala/util/SentryPolicyService.java
M testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test
2 files changed, 22 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala refs/changes/79/2979/1
-- 
To view, visit http://gerrit.cloudera.org:8080/2979
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I6b3a0d10f5e88c6a0a10bd20f620562d2de7ab25
Gerrit-PatchSet: 1
Gerrit-Project: Impala
Gerrit-Branch: cdh5-trunk
Gerrit-Owner: Dimitris Tsirogiannis <dtsirogiannis@cloudera.com>

Mime
View raw message