----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/29141/#review76703 -----------------------------------------------------------
sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java <https://reviews.apache.org/r/29141/#comment124333> Yes, thanks for pointing out this! sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java <https://reviews.apache.org/r/29141/#comment124334> Sure, it make sense to me. Now I don't support revoke child action with grant option. I will file a jira to track this improvement. - Xiaomeng Huang On March 12, 2015, 9:38 a.m., Xiaomeng Huang wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/29141/ > ----------------------------------------------------------- > > (Updated March 12, 2015, 9:38 a.m.) > > > Review request for sentry, Arun Suresh, Lenni Kuff, Prasad Mujumdar, and > Sravya Tirukkovalur. > > > Bugs: SENTRY-473 > https://issues.apache.org/jira/browse/SENTRY-473 > > > Repository: sentry > > > Description > ------- > > As hive version change to Hive 0.15, we should support revoke privilege with > grant option like: > REVOKE [GRANT OPTION FOR] > priv_type [, priv_type ] ... > ON table_or_view_name > FROM principal_specification [, principal_specification] ... ; > We should support downgrade grant option for "GRANT OPTION FOR". It means > when "GRANT OPTION FOR" set, we just modify grant option of this privilege > from true to false. > use cases: > 1. grant ALL on database db1 to role role1; > 2. grant ALL on database db1 to role role2 with grant option; > 3. revoke grant option for ALL on database db1 from role role1; > 4. revoke grant option for ALL on database db1 from role role2; > 5. revoke ALL on database db1 from role role2; > After 3rd command executed, role1 still has privilege with action ALL on db1, > grant option is false. > After 4th command executed, role2 downgrade privilege to grant option is > false. > After 5th command executed, role2 will remove privilege with action ALL on > db1. > > > Diffs > ----- > > > sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.java > 2a60a23 > > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java > 5898b7e > > sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java > d7937d0 > > sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift > 993ea46 > > sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java > 35319db > > sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java > 02c7535 > > sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestPrivilegeWithGrantOption.java > 5c49f98 > > Diff: https://reviews.apache.org/r/29141/diff/ > > > Testing > ------- > > test cases are included. > > > Thanks, > > Xiaomeng Huang > >
