> On Sept. 4, 2018, 9:49 p.m., Na Li wrote:
> > sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
> > Lines 866 (patched)
> > <https://reviews.apache.org/r/68624/diff/1/?file=2082219#file2082219line880>
> >
> >     If action is ALL or ACTION_ALL, SHOULD you continue? Before calling this function, if the action to grant is all, and all is already granted, we can do nothing.
>
> Sergio Pena wrote:
>     No. This part of the code drops the privileges before granting the new one. If I leave ALL, then we might have two entries with ALL. OWNER is the special privilege that cannot be combined with ALL because it means the same.
>
> Na Li wrote:
>     1) If the principal has "ALL with grant option", and is to be granted "ALL". If you remove the existing one, then the grant option is lost. Is this the correct behavior?
>     2) If the principal has "ALL", and is to be granted "ALL with grant option". If you remove the existing one, then ALL with grant option is granted. I think this is the correct behavior.

I don't think so. The code that is executed after all privileges are dropped is this:

    mPrivilege = getMSentryPrivilege(privilege, pm);
    if (mPrivilege == null) {
      mPrivilege = convertToMSentryPrivilege(privilege);
    }
    mPrivilege.appendPrincipal(mPrincipal);
    pm.makePersistent(mPrivilege);

The above code will get the privilege to be granted; if it does not exist (meaning if the ALL was dropped), then it will create a new ALL privilege with the grant option.


- Sergio


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68624/#review208323
-----------------------------------------------------------


On Sept. 4, 2018, 7:02 p.m., Sergio Pena wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68624/
> -----------------------------------------------------------
>
> (Updated Sept. 4, 2018, 7:02 p.m.)
>
>
> Review request for sentry, Arjun Mishra, kalyan kumar kalvagadda, and Na Li.
>
>
> Bugs: sentry-2315
>     https://issues.apache.org/jira/browse/sentry-2315
>
>
> Repository: sentry
>
>
> Description
> -------
>
> Fixes the issue where GRANT ALL does not include the ALTER privilege.
>
> It does not fix the REVOKE command where revoking a single privilege will end up revoking ALL and granting all individual supported privileges. For now, such behavior only works for SELECT and INSERT.
>
>
> Diffs
> -----
>
>   sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java db8c08ba0839400c65658e90ebd18906fed9919f
>   sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java 6b732ea5a89dafd94a6a3ae9c423747118352d84
>
>
> Diff: https://reviews.apache.org/r/68624/diff/1/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Sergio Pena
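
Added example, not part of the original e-mail or of the Sentry code base: a simplified Java model of the drop-then-grant flow described in the reply above, run on the two cases raised in the review. The class, field and role names are hypothetical, and the drop rule (remove every privilege the principal holds on the same object before granting ALL) is an assumption taken from the thread's description, not from the patch.

```java
import java.util.*;

// Simplified, hypothetical model of the grant flow discussed in this thread.
// Not SentryStore code: Priv, store and grant() are illustrative names.
public class GrantAllModel {
    static final class Priv {
        final String object, action;
        final boolean grantOption;
        Priv(String object, String action, boolean grantOption) {
            this.object = object; this.action = action; this.grantOption = grantOption;
        }
        @Override public String toString() {
            return action + " on " + object + (grantOption ? " WITH GRANT OPTION" : "");
        }
    }

    // principal -> privileges currently held
    static final Map<String, List<Priv>> store = new HashMap<>();

    static void grant(String principal, Priv p) {
        List<Priv> held = store.computeIfAbsent(principal, k -> new ArrayList<>());
        if (p.action.equals("ALL")) {
            // Assumed from the thread: privileges on the object are dropped first,
            // including an existing ALL, so two ALL entries never coexist.
            held.removeIf(e -> e.object.equals(p.object));
        }
        // Get-or-create step: after the drop nothing matches, so the new entry
        // carries exactly the grant option of the incoming request.
        boolean exists = held.stream().anyMatch(e -> e.object.equals(p.object)
                && e.action.equals(p.action) && e.grantOption == p.grantOption);
        if (!exists) held.add(p);
    }

    public static void main(String[] args) {
        // Case 1: holds ALL WITH GRANT OPTION, then is granted plain ALL.
        grant("role_a", new Priv("db1.t1", "ALL", true));
        grant("role_a", new Priv("db1.t1", "ALL", false));
        System.out.println("case 1: " + store.get("role_a"));

        // Case 2: holds plain ALL, then is granted ALL WITH GRANT OPTION.
        grant("role_b", new Priv("db1.t1", "ALL", false));
        grant("role_b", new Priv("db1.t1", "ALL", true));
        System.out.println("case 2: " + store.get("role_b"));
    }
}
```

In this model the stored grant option always equals that of the most recent GRANT ALL, so any test of the real change should cover both orderings explicitly.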