Repository: incubator-sentry Updated Branches: refs/heads/master 71b889ad9 -> 02f46d227
SENTRY-575: Table GRANTS should not Override Database GRANT in the Sentry HDFS Namenode plugin (Reviewed by Lenni Kuff) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/02f46d22 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/02f46d22 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/02f46d22 Branch: refs/heads/master Commit: 02f46d227a69bc1a43cabb451f75c84b5562d0c0 Parents: 71b889a Author: Arun Suresh <[email protected]> Authored: Wed Dec 10 19:16:41 2014 -0800 Committer: Arun Suresh <[email protected]> Committed: Wed Dec 10 19:16:41 2014 -0800 ---------------------------------------------------------------------- .../main/java/org/apache/sentry/hdfs/SentryPermissions.java | 6 ++---- .../org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegration.java | 4 ++++ 2 files changed, 6 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/02f46d22/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryPermissions.java ----------------------------------------------------------------------
diff --git a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryPermissions.java b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryPermissions.java
index 4b27e7b..b9d1d70 100644
--- a/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryPermissions.java
+++ b/sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryPermissions.java
@@ -30,10 +30,8 @@ import org.apache.hadoop.fs.permission.AclEntryScope; import org.apache.hadoop.fs.permission.AclEntryType; import org.apache.hadoop.fs.permission.FsAction; -import com.google.common.collect.Lists; - public class SentryPermissions implements AuthzPermissions { - + public static class PrivilegeInfo { private final String authzObj; private final Map<String, FsAction> roleToPermission = new HashMap<String, FsAction>(); @@ -156,7 +154,7 @@ public class SentryPermissions implements AuthzPermissions { FsAction action = groupPerm.getValue(); FsAction pAction = pGroupPerms.get(groupPerm.getKey()); if (pAction != null) { - action.or(pAction); + action = action.or(pAction); } if ((action == FsAction.READ) || (action == FsAction.WRITE) || (action == FsAction.READ_WRITE)) { http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/02f46d22/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegration.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegration.java index ae7a9a2..133daef 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegration.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegration.java 
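Review bot: The corrected line `action = action.or(pAction);` in the second hunk carries no comment saying why the assignment matters. `FsAction` is an enum, so `or` returns the combined value and leaves the receiver untouched; the earlier bare call silently dropped the parent-level permission from the computed ACL. I would put `// FsAction is immutable: or() returns the union, so the result must be assigned` above it, so the assignment is not later removed as redundant. The merge appears to run only for keys of the map being iterated, so it is worth confirming that groups present only in `pGroupPerms` are handled elsewhere. The enclosing method starts and ends outside the hunk.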
@@ -661,6 +661,10 @@ public class TestHDFSIntegration { stmt.execute("alter table q1 rename to q2"); verifyOnAllSubDirs("/user/hive/warehouse/q2", FsAction.ALL, "hbase", true); + // Verify table GRANTS do not trump db GRANTS + stmt.execute("grant select on table q2 to role p1_admin"); + verifyOnAllSubDirs("/user/hive/warehouse/q2", FsAction.ALL, "hbase", true); + stmt.execute("create table q3 (s string)"); verifyOnAllSubDirs("/user/hive/warehouse/q3", FsAction.ALL, "hbase", true); verifyOnAllSubDirs("/user/hive/warehouse/q2", FsAction.ALL, "hbase", true);
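Review bot: The added check after `grant select on table q2 to role p1_admin` covers only one direction, a table grant narrower than the database grant, and expects `FsAction.ALL` for `hbase` to remain. The database-level grant and the role-to-group mapping it relies on are set up outside the hunk, so the test depends on state a reader cannot see here. I would extend the comment to `// Verify table GRANTS do not trump db GRANTS (p1_admin already holds the db-level grant)`. I would also add the reverse step, `stmt.execute("revoke select on table q2 from role p1_admin");` followed by the same `verifyOnAllSubDirs` call, to pin that removing the table grant does not strip the inherited permission.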
