[ https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16542066#comment-16542066 ]

Adam Holley commented on IMPALA-7282:
-------------------------------------

I've included details to show that simply granting select at the server level 
does not revoke select at the column level, but only after revoking at the 
server level does the column level privilege get removed.  This also happens 
when the grant is at the database level instead of the server level.

{noformat}
[localhost:21000] functional> grant select(id) on table functional.alltypes to role foo_role;
Query: grant select(id) on table functional.alltypes to role foo_role
+---------------------------------+
| summary                         |
+---------------------------------+
| Privilege(s) have been granted. |
+---------------------------------+
Fetched 1 row(s) in 0.09s
[localhost:21000] functional> grant select on server to role foo_role;
Query: grant select on server to role foo_role
+---------------------------------+
| summary                         |
+---------------------------------+
| Privilege(s) have been granted. |
+---------------------------------+
Fetched 1 row(s) in 0.06s
[localhost:21000] functional> show grant role foo_role;
Query: show grant role foo_role
+--------+------------+----------+--------+-----+-----------+--------------+-------------+
| scope  | database   | table    | column | uri | privilege | grant_option | create_time |
+--------+------------+----------+--------+-----+-----------+--------------+-------------+
| column | functional | alltypes | id     |     | select    | false        | NULL        |
| server |            |          |        |     | select    | false        | NULL        |
+--------+------------+----------+--------+-----+-----------+--------------+-------------+
Fetched 2 row(s) in 0.04s
[localhost:21000] functional> invalidate metadata;
Query: invalidate metadata
Fetched 0 row(s) in 4.53s
[localhost:21000] functional> show grant role foo_role;
Query: show grant role foo_role
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
| scope  | database   | table    | column | uri | privilege | grant_option | create_time                   |
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
| column | functional | alltypes | id     |     | select    | false        | Thu, Jul 12 2018 13:18:09.240 |
| server |            |          |        |     | select    | false        | Thu, Jul 12 2018 13:18:34.476 |
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
Fetched 2 row(s) in 0.03s
[localhost:21000] functional> revoke select on server from foo_role;
Query: revoke select on server from foo_role
+---------------------------------+
| summary                         |
+---------------------------------+
| Privilege(s) have been revoked. |
+---------------------------------+
[localhost:21000] functional> show grant role foo_role;
Query: show grant role foo_role
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
| scope  | database   | table    | column | uri | privilege | grant_option | create_time                   |
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
| column | functional | alltypes | id     |     | select    | false        | Thu, Jul 12 2018 13:18:09.240 |
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
Fetched 1 row(s) in 0.03s
[localhost:21000] functional> invalidate metadata;
Query: invalidate metadata
Fetched 0 row(s) in 4.14s
[localhost:21000] functional> show grant role foo_role;
Query: show grant role foo_role
Fetched 0 row(s) in 0.03s
{noformat}

> Sentry privilege disappears after a catalog refresh
> ---------------------------------------------------
>
>                 Key: IMPALA-7282
>                 URL: https://issues.apache.org/jira/browse/IMPALA-7282
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Catalog, Security
>    Affects Versions: Impala 3.0, Impala 2.12.0
>            Reporter: Fredy Wijaya
>            Priority: Major
>              Labels: security
>
> {noformat}
> [localhost:21000] default> grant select on database functional to role foo_role;
> Query: grant select on database functional to role foo_role
> +---------------------------------+
> | summary                         |
> +---------------------------------+
> | Privilege(s) have been granted. |
> +---------------------------------+
> Fetched 1 row(s) in 0.05s
> [localhost:21000] default> grant all on database functional to role foo_role;
> Query: grant all on database functional to role foo_role
> +---------------------------------+
> | summary                         |
> +---------------------------------+
> | Privilege(s) have been granted. |
> +---------------------------------+
> Fetched 1 row(s) in 0.03s
> [localhost:21000] default> show grant role foo_role;
> Query: show grant role foo_role
> +----------+------------+-------+--------+-----+-----------+--------------+-------------+
> | scope    | database   | table | column | uri | privilege | grant_option | create_time |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------+
> | database | functional |       |        |     | select    | false        | NULL        |
> | database | functional |       |        |     | all       | false        | NULL        |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------+
> Fetched 2 row(s) in 0.02s
> [localhost:21000] default> show grant role foo_role;
> Query: show grant role foo_role
> +----------+------------+-------+--------+-----+-----------+--------------+-------------------------------+
> | scope    | database   | table | column | uri | privilege | grant_option | create_time                   |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------------------------+
> | database | functional |       |        |     | all       | false        | Wed, Jul 11 2018 15:38:41.113 |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------------------------+
> Fetched 1 row(s) in 0.01s
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
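
The sessions above show `show grant role` returning a different privilege set before and after a catalog refresh. As an added example (not part of the original message, and not Impala or Sentry code), this Python script diffs two captured `show grant role` outputs so that such drift can be flagged automatically; the function names and the sample tables are constructed for illustration.

```python
# Added example: diff two `show grant role` result tables captured before
# and after `invalidate metadata`. All names here are hypothetical helpers.
KEY_COLUMNS = ("scope", "database", "table", "column", "uri",
               "privilege", "grant_option")

def _cells(line):
    # "| a |   | b |" -> ["a", "", "b"]
    return [cell.strip() for cell in line.strip().strip("|").split("|")]

def parse_grants(table_text):
    """Return the set of privilege tuples in an impala-shell ASCII table.

    create_time is ignored on purpose: it changes from NULL to a timestamp
    after a refresh even when the privilege itself is unchanged.
    """
    rows = [l for l in table_text.splitlines() if l.lstrip().startswith("|")]
    if not rows:  # e.g. only "Fetched 0 row(s)": no table was printed
        return set()
    header = _cells(rows[0])
    return {tuple(dict(zip(header, _cells(r))).get(c, "") for c in KEY_COLUMNS)
            for r in rows[1:]}

def privilege_drift(before_refresh, after_refresh):
    """Privileges that vanished or appeared across the catalog refresh."""
    before = parse_grants(before_refresh)
    after = parse_grants(after_refresh)
    return {"lost": sorted(before - after), "gained": sorted(after - before)}

# Constructed sample input, shaped like the session output above.
BEFORE_REFRESH = """\
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
| scope  | database   | table    | column | uri | privilege | grant_option | create_time                   |
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
| column | functional | alltypes | id     |     | select    | false        | Thu, Jul 12 2018 13:18:09.240 |
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
Fetched 1 row(s) in 0.03s
"""
AFTER_REFRESH = "Fetched 0 row(s) in 0.03s\n"

if __name__ == "__main__":
    drift = privilege_drift(BEFORE_REFRESH, AFTER_REFRESH)
    for kind in ("lost", "gained"):
        for grant in drift[kind]:
            print(kind, dict(zip(KEY_COLUMNS, grant)))
```

A non-empty `lost` or `gained` list means the privileges shown by the catalog changed across the refresh with no intervening grant or revoke.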
