sentry-commits mailing list archives

From "Lenni Kuff (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SENTRY-445) WITH GRANT OPTION does not allow delegated user to grant less permissive privileges
Date Mon, 29 Sep 2014 18:19:34 GMT

    [ https://issues.apache.org/jira/browse/SENTRY-445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14151996#comment-14151996 ]

Lenni Kuff commented on SENTRY-445:
-----------------------------------

Chatted with [~prasadm] on this. We think the problem is due to Impala and Hue sending "ALL"
as the action where Hive may send "*". 
We should update Sentry to make ALL and "*" synonymous when it comes to the action name, with
ALL being the preferred naming.

> WITH GRANT OPTION does not allow delegated user to grant less permissive privileges
> -----------------------------------------------------------------------------------
>
>                 Key: SENTRY-445
>                 URL: https://issues.apache.org/jira/browse/SENTRY-445
>             Project: Sentry
>          Issue Type: Bug
>    Affects Versions: 1.4.0
>            Reporter: Lenni Kuff
>             Fix For: 1.5.0
>
>
> In this case the delegated user (root) has been granted ALL on a database and the WITH
> GRANT OPTION was specified. When the user tries to issue a GRANT SELECT ON TABLE within that
> database the command fails saying the user does not have privileges to execute. It seems that
> since ALL implies SELECT they should be able to also GRANT SELECT privileges.
> {code}
> -- executing against localhost:21000
> create role grant_revoke_test_ROOT;
> grant role grant_revoke_test_ROOT to group root;
> grant all on database functional to grant_revoke_test_ROOT WITH GRANT OPTION;
> -- connecting to: localhost:21000 as "root"
> -- FAILS:  AuthorizationException: User 'root' does not have privileges to execute: GRANT_PRIVILEGE
> grant select on table functional.alltypes to grant_revoke_test_ROOT;
> -- SUCCEEDS
> grant ALL on table functional.alltypes to grant_revoke_test_ROOT;
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
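
A simplified model of the diagnosis in the comment above, as an added example that is not part of the original message and is not Sentry code: a grant-option check that recognises only "*" as the wildcard action rejects GRANT SELECT for a holder whose stored action is "ALL", and treating ALL as a synonym for "*" lets it through. The Privilege layout, the function names and the alias_all switch are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

WILDCARD = "*"
ACTION_ALIASES = {"all": WILDCARD}  # assumption: ALL is the only synonym needed


@dataclass(frozen=True)
class Privilege:
    database: str
    table: Optional[str]  # None means the privilege is database-scoped
    action: str
    grant_option: bool = False


def scope_covers(held: Privilege, requested: Privilege) -> bool:
    """A database-scoped privilege covers every table in that database."""
    if held.database.lower() != requested.database.lower():
        return False
    if held.table is None:
        return True
    return requested.table is not None and held.table.lower() == requested.table.lower()


def action_implies(held: str, requested: str, alias_all: bool) -> bool:
    """True if the held action grants the requested one."""
    h, r = held.strip().lower(), requested.strip().lower()
    if alias_all:
        # The change proposed in the comment: ALL and "*" name the same action.
        h, r = ACTION_ALIASES.get(h, h), ACTION_ALIASES.get(r, r)
    # A narrower held action (e.g. select) must never imply a wildcard request.
    return h == WILDCARD or h == r


def may_grant(held_privs, requested: Privilege, alias_all: bool = True) -> bool:
    """Delegated GRANT is allowed only via a covering privilege held WITH GRANT OPTION."""
    return any(
        p.grant_option and scope_covers(p, requested)
        and action_implies(p.action, requested.action, alias_all)
        for p in held_privs
    )


# Constructed from the report's repro: ALL on database functional WITH GRANT OPTION,
# stored with the action string "ALL" as the comment says Impala and Hue send it.
ROOT_ROLE = [Privilege("functional", None, "ALL", grant_option=True)]
```

With alias_all=False the model reproduces the report: GRANT ALL on the table passes by plain string equality while GRANT SELECT fails.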
