> On June 12, 2018, 4:27 p.m., kalyan kumar kalvagadda wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
> > Line 110 (original), 110-111 (patched)
> > <https://reviews.apache.org/r/67539/diff/1/?file=2039246#file2039246line110>
> >
> >     Can you explain why this change is needed?
> >     
> >     Is having drop on the old database and create on the new database good enough?

The problem we had was that a user who does not have the privilege to select the data can 
still do so with "alter table rename", as mentioned in the JIRA description.

The change requires more privileges from the user who executes this command, to 
mimic the minimum privilege for someone to export the data, drop the table in the 
original DB, and create a table and add the data to the new table in the destination DB. 
After introducing FGP, a user with only DROP on a database db1 and at least 
CREATE on db2 can run 
ALTER TABLE RENAME db1.table1 db2.table2, and thus elevate their privileges. 
That is why drop on the old DB and create on the new DB is not enough.

To reproduce:

As admin (e.g. hive):
1. Create db1, db1.table1, db2, role r1.
2. Grant DROP on db1 to role r1.
3. Grant ALL on db2 to role r1.
4. Grant role r1 to user testuser1.
As testuser1:
1. use db1; alter table db1.table1 rename to db2.table1
2. select * from db2.table1
Result: the select command succeeds.


- Na


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67539/#review204605
-----------------------------------------------------------
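To make the privilege gap in the reply concrete, here is an added Python model (not Sentry's code, and not the real HiveAuthzPrivilegesMap entries) of a role/grant store with the old rename check beside a hardened one. The required-privilege sets are my reading of the comment's "export, drop, create, load" description, so they are assumptions, not Sentry's actual mapping.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of database-level grants (assumption, not Sentry's data model).
ALL = {"SELECT", "INSERT", "CREATE", "DROP", "ALTER"}


@dataclass
class Policy:
    grants: dict = field(default_factory=dict)      # role -> db -> set of actions
    user_roles: dict = field(default_factory=dict)  # user -> set of roles

    def grant(self, role, db, action):
        actions = ALL if action == "ALL" else {action}
        self.grants.setdefault(role, {}).setdefault(db, set()).update(actions)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def has(self, user, db, action):
        return any(action in self.grants.get(r, {}).get(db, set())
                   for r in self.user_roles.get(user, ()))


def rename_allowed_old(p, user, src_db, dst_db):
    # The pre-fix rule as the reviewer phrased it: DROP on the old DB, CREATE on the new DB.
    return p.has(user, src_db, "DROP") and p.has(user, dst_db, "CREATE")


def rename_allowed_new(p, user, src_db, dst_db):
    # Hardened rule (assumed): the minimum a user would need to export the data,
    # drop the old table, create the new table and load the data into it.
    return (p.has(user, src_db, "SELECT") and p.has(user, src_db, "DROP")
            and p.has(user, dst_db, "CREATE") and p.has(user, dst_db, "INSERT"))


def build_repro():
    # The repro from the thread: r1 gets DROP on db1 and ALL on db2, testuser1 gets r1.
    p = Policy()
    p.grant("r1", "db1", "DROP")
    p.grant("r1", "db2", "ALL")
    p.assign("testuser1", "r1")
    return p
```

With the repro policy, testuser1 has no SELECT on db1 yet passes the old check; the hardened check refuses the rename until SELECT on db1 is granted.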


On June 11, 2018, 10:45 p.m., Na Li wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67539/
> -----------------------------------------------------------
> 
> (Updated June 11, 2018, 10:45 p.m.)
> 
> 
> Review request for sentry, kalyan kumar kalvagadda and Sergio Pena.
> 
> 
> Bugs: sentry-2264
>     https://issues.apache.org/jira/browse/sentry-2264
> 
> 
> Repository: sentry
> 
> 
> Description
> -------
> 
> change privilege for table rename
> 
> 
> Diffs
> -----
> 
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java 4f932ea 
> 
> 
> Diff: https://reviews.apache.org/r/67539/diff/1/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Na Li
> 
>
