Review Request 75407: RANGER-4707: Revoke grant option for command removes the user privilege from ranger policy

Wed, 24 Sep 2025 00:08:28 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/75407/
-----------------------------------------------------------

Review request for ranger, Dineshkumar Yadav, Kishor Gollapalliwar, Abhay 
Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja 
Polavarapu, Velmurugan Periasamy, and Vyom Tiwari.


Bugs: RANGER-4707
    https://issues.apache.org/jira/browse/RANGER-4707


Repository: ranger


Description
-------

STEPS TO REPRODUCE:
User u1 is a ranger admin, also configured as service admin user for hive. 
Users u2 and u3 have USER role on ranger side.
Create a hive table tl1 as user u1. User u1 has full permissions on tl1 via 
ranger policy.
As user u1, execute hive beeline command 'grant select on tl1 to user u2'
Ranger grant policy is created with user u2 added with select access type.
As user u1, execute hive beeline command 'grant select on tl1 to user u3 with 
grant option'
Ranger grant policy is updated with user u3 added with select access type and 
delegate admin flag set.
As user u1, execute hive beeline command 'revoke select on table tl1 from user 
u2'
User u2 is removed from ranger grant policy
As user u1, execute hive beeline command 'revoke grant option for select on 
table tl1 from user u3'

CURRENT BEHAVIOUR:
User u3 is removed from ranger grant policy

EXPECTED BEHAVIOUR:
Revoke grant option should retain the privilege for user and remove only with 
grant permission, ie access type permission should still exist for user in 
ranger policy and delegate admin permission should be removed.
>From hive documentation:
If a user is granted a privilege WITH GRANT OPTION on a table or view, then the 
user can also grant/revoke privileges of other users and roles on those 
objects. As of Hive 0.14.0, the grant option for a privilege can be removed 
while still keeping the privilege by using REVOKE GRANT OPTION FOR <privilege>


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java 
81ed00ec0 


Diff: https://reviews.apache.org/r/75407/diff/1/


Testing
-------

Build succesful
Tested Revoke with grant option only removing delegate admin flag.


Thanks,

sanket shelar

Reply via email to