Return-Path: X-Original-To: apmail-sentry-commits-archive@minotaur.apache.org Delivered-To: apmail-sentry-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 2A5FD17C53 for ; Tue, 30 Sep 2014 16:43:58 +0000 (UTC) Received: (qmail 17516 invoked by uid 500); 30 Sep 2014 16:43:58 -0000 Delivered-To: apmail-sentry-commits-archive@sentry.apache.org Received: (qmail 17471 invoked by uid 500); 30 Sep 2014 16:43:58 -0000 Mailing-List: contact commits-help@sentry.incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@sentry.incubator.apache.org Delivered-To: mailing list commits@sentry.incubator.apache.org Received: (qmail 17462 invoked by uid 99); 30 Sep 2014 16:43:58 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 30 Sep 2014 16:43:58 +0000 X-ASF-Spam-Status: No, hits=-2000.6 required=5.0 tests=ALL_TRUSTED,RP_MATCHES_RCVD X-Spam-Check-By: apache.org Received: from [140.211.11.3] (HELO mail.apache.org) (140.211.11.3) by apache.org (qpsmtpd/0.29) with SMTP; Tue, 30 Sep 2014 16:43:36 +0000 Received: (qmail 17298 invoked by uid 99); 30 Sep 2014 16:43:34 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 30 Sep 2014 16:43:34 +0000 Date: Tue, 30 Sep 2014 16:43:34 +0000 (UTC) From: "Prasad Mujumdar (JIRA)" To: commits@sentry.incubator.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Updated] (SENTRY-445) WITH GRANT OPTION does not allow delegated user to grant less permissive privileges MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/SENTRY-445?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Prasad Mujumdar updated SENTRY-445: ----------------------------------- Attachment: SENTRY-445.2.patch > WITH GRANT OPTION does not allow delegated user to grant less permissive privileges > ----------------------------------------------------------------------------------- > > Key: SENTRY-445 > URL: https://issues.apache.org/jira/browse/SENTRY-445 > Project: Sentry > Issue Type: Bug > Affects Versions: 1.4.0 > Reporter: Lenni Kuff > Assignee: Prasad Mujumdar > Fix For: 1.5.0 > > Attachments: SENTRY-445.1.patch, SENTRY-445.2.patch > > > In this case the delegated user (root) has been granted ALL on a database and the WITH GRANT OPTION was specified. When the user tries to issue a GRANT SELECT ON TABLE within that database the command fails saying the user does not have privileges to execute. It seems that since ALL implies SELECT they should be able to also GRANT SELECT privileges. > {code} > -- executing against localhost:21000 > create role grant_revoke_test_ROOT; > grant role grant_revoke_test_ROOT to group root; > grant all on database functional to grant_revoke_test_ROOT WITH GRANT OPTION; > -- connecting to: localhost:21000 as "root" > -- FAILS: AuthorizationException: User 'root' does not have privileges to execute: GRANT_PRIVILEGE > grant select on table functional.alltypes to grant_revoke_test_ROOT; > -- SUCCEEDS > grant ALL on table functional.alltypes to grant_revoke_test_ROOT; > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)