Return-Path: X-Original-To: apmail-sentry-commits-archive@minotaur.apache.org Delivered-To: apmail-sentry-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 41EFA11535 for ; Wed, 17 Sep 2014 08:19:55 +0000 (UTC) Received: (qmail 59763 invoked by uid 500); 17 Sep 2014 08:19:55 -0000 Delivered-To: apmail-sentry-commits-archive@sentry.apache.org Received: (qmail 59716 invoked by uid 500); 17 Sep 2014 08:19:55 -0000 Mailing-List: contact commits-help@sentry.incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@sentry.incubator.apache.org Delivered-To: mailing list commits@sentry.incubator.apache.org Received: (qmail 59704 invoked by uid 99); 17 Sep 2014 08:19:55 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 17 Sep 2014 08:19:55 +0000 X-ASF-Spam-Status: No, hits=-2000.7 required=5.0 tests=ALL_TRUSTED,RP_MATCHES_RCVD X-Spam-Check-By: apache.org Received: from [140.211.11.3] (HELO mail.apache.org) (140.211.11.3) by apache.org (qpsmtpd/0.29) with SMTP; Wed, 17 Sep 2014 08:19:54 +0000 Received: (qmail 59295 invoked by uid 99); 17 Sep 2014 08:19:33 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 17 Sep 2014 08:19:33 +0000 Date: Wed, 17 Sep 2014 08:19:33 +0000 (UTC) From: "Lenni Kuff (JIRA)" To: commits@sentry.incubator.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Created] (SENTRY-445) WITH GRANT OPTION does not allow delegated user to grant less permissive privileges MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 X-Virus-Checked: Checked by ClamAV on apache.org Lenni Kuff created SENTRY-445: --------------------------------- Summary: WITH GRANT OPTION does not allow delegated user to grant less permissive privileges Key: SENTRY-445 URL: https://issues.apache.org/jira/browse/SENTRY-445 Project: Sentry Issue Type: Bug Affects Versions: 1.4.0 Reporter: Lenni Kuff Fix For: 1.5.0 In this case the delegated user (root) has been granted ALL on a database and the WITH GRANT OPTION was specified. When the user tries to issue a GRANT SELECT ON TABLE within that database the command fails saying the user does not have privileges to execute. It seems that since ALL implies SELECT they should be able to also GRANT SELECT privileges. {code} -- executing against localhost:21000 create role grant_revoke_test_ROOT; grant role grant_revoke_test_ROOT to group root; grant all on database functional to grant_revoke_test_ROOT WITH GRANT OPTION; -- connecting to: localhost:21000 as "root" -- FAILS: AuthorizationException: User 'root' does not have privileges to execute: GRANT_PRIVILEGE grant select on table functional.alltypes to grant_revoke_test_ROOT; -- SUCCEEDS grant ALL on table functional.alltypes to grant_revoke_test_ROOT; {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)