[ https://issues.apache.org/jira/browse/SENTRY-2097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16295731#comment-16295731 ]

kalyan kumar kalvagadda commented on SENTRY-2097:
-------------------------------------------------

Just for reference
https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Privileges

> Sentry privileges model: Can Sentry take a database privileges away from a server privileges?
> ---------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-2097
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2097
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>            Reporter: Sergio Peña
>            Assignee: Na Li
>            Priority: Minor
>
> Assume I have a user |jack| and a group |datateam|. The user |jack| belongs to group |datateam|.
> Use Sentry for authorization.
> |create role admin;
> grant role admin to group datateam;
> grant all on server server1 to role admin;|
> Now the role |admin| has the following privileges.
> {noformat}
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | *         |        |            |         | admin           | ROLE            | *          | false         | 1480985013185000  | --       |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> {noformat}
> Assume I have this database.
> |create database testdb;|
> It is successful. User |jack| created a database |testdb|.
> Use Sentry to revoke the privileges on |testdb|;
> |revoke all on database `testdb` from role admin;|
> The privileges are still the same.
> {noformat}
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | *         |        |            |         | admin           | ROLE            | *          | false         | 1480985013185000  | --       |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> {noformat}
> Shouldn't Sentry take the privileges on database |testdb| away from the server |server1|?

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)