[
https://issues.apache.org/jira/browse/SENTRY-849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14901607#comment-14901607
]
Anne Yu commented on SENTRY-849:
--------------------------------
[~guoquan], this is definitely a blocker.
There are 2 issues:
{noformat}
for a table with columns a and b;
1. with privilege only on column a, explain select *, count(*) from table; user
can always see all columns metadata information; thought it requires user to
have table level privileges.
2. without column level privilege and without table level privilege, any user
can explain select *, count(*), a or b from table; this is worse.
{noformat}
> [column level privilege] without table level privilege and column level
> privilege for column i, test user can still explain select column from
> test_tb;
> -------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: SENTRY-849
> URL: https://issues.apache.org/jira/browse/SENTRY-849
> Project: Sentry
> Issue Type: Bug
> Affects Versions: 1.5.1
> Reporter: Anne Yu
> Assignee: guoquan
>
> {code}
> 0: jdbc:hive2://anneyu-cdh55-1.vpc.cloudera.c> show grant role test_role on table test_tb;
> +-----------+----------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | database  | table    | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
> +-----------+----------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | test_db   | test_tb  |            | s       | test_role       | ROLE            | select     | false         | 1439502394526000  | --       |
> +-----------+----------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> {code}
> However explain "select i from test_tb" shows the column "i" test_user
> doesn't have privileges.
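
A regression check for the two cases in the comment, as an added example that is not part of the original message or Sentry's own code: a simplified Python model in which EXPLAIN needs the same SELECT privileges as the query it wraps. The grant set mirrors the `show grant` output above; the parser, the function names and the rule that `*` and `count(*)` need a table-level grant are assumptions based on the expectation stated in the comment.

```python
import re

# Constructed grant mirroring the report: test_role has SELECT on column s only.
# Tuples are (database, table, column); column None means a table-level grant.
GRANTS = {("test_db", "test_tb", "s")}

# Hypothetical, deliberately small parser: [explain] select <items> from <table>
STMT = re.compile(
    r"^\s*(explain\s+)?select\s+(?P<items>.+?)\s+from\s+(?P<table>\w+)\s*;?\s*$",
    re.IGNORECASE,
)
COUNT_STAR = re.compile(r"count\(\s*\*\s*\)")


def required_privileges(sql, database):
    """Return the SELECT privileges a statement needs; EXPLAIN is not exempt."""
    m = STMT.match(sql)
    if not m:
        raise ValueError("unsupported statement: %r" % sql)
    table = m.group("table").lower()
    needed = set()
    for item in (i.strip().lower() for i in m.group("items").split(",")):
        if item == "*" or COUNT_STAR.fullmatch(item):
            needed.add((database, table, None))   # assumption: needs table level
        else:
            needed.add((database, table, item))   # plain column reference
    return needed


def is_authorized(sql, database, grants):
    """Deny unless every required privilege is covered by a grant."""
    for db, table, column in required_privileges(sql, database):
        if (db, table, None) in grants:
            continue                              # table grant covers all columns
        if column is None or (db, table, column) not in grants:
            return False
    return True


if __name__ == "__main__":
    for sql in ("explain select s from test_tb",
                "explain select i from test_tb",
                "explain select *, count(*) from test_tb"):
        print(sql, "->", "allow" if is_authorized(sql, "test_db", GRANTS) else "deny")
```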