[ https://issues.apache.org/jira/browse/SENTRY-2161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Na Li updated SENTRY-2161:
--------------------------
    Description:

*Background:*

Partial revoke

For example:
1. When a role has been granted "all" on table and the role already has select/insert on privileges, they are removed automatically as "all" covers the "select/insert".
2. When a role already has the "all" privilege on a table and the "select" privilege is revoked, the "all" privilege is revoked and "insert" is added automatically, as there are only "select", "insert", and "all".

Hierarchical privileges:
Revoking privilege on a database would affect the privileges granted to the tables in that database.

*Problem:*

For example:
1) User_A has "select" on table_B
2) User_A is set to owner of table_B and gets "ALL" privilege on table_B as implicit privilege
3) User_A is not owner of table_B any more

Based on partial invoke behavior, User_A will lose "select" on table_B after step 3). The desired behavior is for User_A to still retain "select" on table_B after step 3).

*Solution:*

Only apply partial revoke to user configured privileges (explicit privilege), and not affect implicit privileges.

  was:

*Background:*

Partial revoke

For example:
1. When a role has been granted "all" on table and the role already has select/insert on privileges, they are removed automatically as "all" covers the "select/insert".
2. When a role already has the "all" privilege on a table and the "select" privilege is revoked, the "all" privilege is revoked and "insert" is added automatically, as there are only "select", "insert", and "all".

Hierarchical privileges:
Revoking privilege on a database would affect the privileges granted to the tables in that database.

*Problem:*

For example:
1) User_A has "select" on table_B
2) User_A is set to owner of table_B and gets "all" privilege on table_B as implicit privilege
3) User_A is not owner of table_B any more

Based on partial invoke behavior, User_A will lose "select" on table_B after step 3). The desired behavior is for User_A to still retain "select" on table_B after step 3).

*Solution:*

Only apply partial revoke to user configured privileges (explicit privilege), and not affect implicit privileges.

> Make sure partial invoke only applies to explicit privileges
> ------------------------------------------------------------
>
>                 Key: SENTRY-2161
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2161
>             Project: Sentry
>          Issue Type: Sub-task
>            Reporter: Na Li
>            Assignee: Na Li
>            Priority: Major

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
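
A simplified model of the scenario in this issue, added here as an illustration; it is not Sentry code. The class names, the `scenario` helper, and the assumption that the pre-fix owner "ALL" is stored in the same set as explicit grants are hypothetical.

```python
# Toy model of the table privileges described in SENTRY-2161 (not Sentry code).
PARTS = {"select", "insert"}  # per the issue, "all" covers exactly these two

def grant(privs, action):
    # Granting "all" absorbs select/insert; once "all" is held nothing is added.
    return {"all"} if action == "all" or "all" in privs else privs | {action}

def revoke(privs, action):
    # Partial revoke: taking one action out of "all" leaves the other one.
    if action == "all":
        return set()
    return PARTS - {action} if "all" in privs else privs - {action}

class MergedStore:
    """Assumed pre-fix behaviour: the owner's implicit ALL shares the grant set."""
    def __init__(self):
        self.privs = set()

    def grant(self, action):
        self.privs = grant(self.privs, action)

    def set_owner(self, is_owner):
        # Ownership changes are applied as an ordinary grant/revoke of "all".
        self.privs = grant(self.privs, "all") if is_owner else revoke(self.privs, "all")

    def effective(self):
        return set(self.privs)

class SplitStore(MergedStore):
    """Proposed behaviour: ownership is tracked apart from explicit grants."""
    def __init__(self):
        super().__init__()
        self.owner = False

    def set_owner(self, is_owner):
        self.owner = is_owner  # explicit grants are left untouched

    def effective(self):
        return {"all"} if self.owner else set(self.privs)

def scenario(store):
    store.grant("select")      # 1) User_A has "select" on table_B
    store.set_owner(True)      # 2) User_A becomes owner, gets implicit ALL
    as_owner = store.effective()
    store.set_owner(False)     # 3) User_A is no longer owner
    return as_owner, store.effective()
```

Running `scenario` on each store shows the difference after step 3: the merged store ends with no privileges, while the split store still holds the explicit "select".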