> On Sept. 21, 2018, 5:18 p.m., kalyan kumar kalvagadda wrote: > > Sergio, > > > > Sentry server is policy store and does not need to understand the > > action.Let's keep it that way. Logic of validiting the actions is present > > in the sentry bindings. I think this logic should go there instead of > > SentryPolicyStoreProcessor. > > Sergio Pena wrote: > I agree, but then we'll need to have the configuration in all the > bindings. Hive, Impala (and next SparkSQL) will need this configuration > otherwise they will be able to grant those privileges that we're trying to > avoid. If Impala does not configure those privileges correctly ,then Hive > will use them.
I understand that the approach I suggested would need configuration for both Hive and Impala. That is fine. All these compute engines have are same. Each have them support different commands. Not all operations that Impala supports are supported by Hive and Impala would like to allow set of operatins which hive may not even support. It could be true other way around. I really feel each of them should have seperate configuration and should be validated at the client side. Sentry server is just a policy store and it may not be the right place to enforce this configuration. - kalyan kumar ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/68788/#review208868 ----------------------------------------------------------- On Sept. 21, 2018, 2:24 p.m., Sergio Pena wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/68788/ > ----------------------------------------------------------- > > (Updated Sept. 21, 2018, 2:24 p.m.) > > > Review request for sentry. > > > Bugs: sentry-2413 > https://issues.apache.org/jira/browse/sentry-2413 > > > Repository: sentry > > > Description > ------- > > Add a new configuration 'sentry.db.explicit.grants.permitted' that accepts a > comma-separated list of privileges that can be granted by Sentry DB clients. > If the value is empty, then any privilege can be granted as it works normally > (this is the default behavior). > > > Diffs > ----- > > > sentry-core/sentry-core-common/src/main/java/org/apache/sentry/service/common/ServiceConstants.java > adc1947a1a1dd72ef9e6dd743e166979759709b2 > > sentry-service/sentry-service-api/src/main/java/org/apache/sentry/api/common/SentryServiceUtil.java > 8cdbde4f9e81b278c8737ea031820e20e0cf5704 > > sentry-service/sentry-service-api/src/test/java/org/apache/sentry/api/common/TestSentryServiceUtil.java > PRE-CREATION > > sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java > 3a9623b46f7c4335db18113574170f761da9a4ca > > sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java > c23b3850f097b563912c06b29ffd26ea0709b9fd > > > Diff: https://reviews.apache.org/r/68788/diff/2/ > > > Testing > ------- > > Unit tests added. > > > Thanks, > > Sergio Pena > >
