Na Li created SENTRY-2354: ----------------------------- Summary: Beeline error message only shows one of the permissions when multiple permissions are required for an operation Key: SENTRY-2354 URL: https://issues.apache.org/jira/browse/SENTRY-2354 Project: Sentry Issue Type: Bug Components: Sentry Affects Versions: 2.1.0 Reporter: Na Li Assignee: Na Li
When multiple permissions are required by a principle for an operation in beeline to be authorized by sentry, beeline only displays one of the needed permissions in its error message. For example, to execute ALTER TABLE SET LOCATION, a principle needs ALL on the location URI, and ALTER on the table. If a user's role has neither of these, beeline just displays that the role needs ALL on the location URI. Once the user role has all on the location URI, then beeline displays that the user role needs ALTER on the table. Before the role has any privileges: > alter table db1.table1 set location '/tmp'; Error: Error while compiling statement: FAILED: SemanticException No valid privileges User merry does not have privileges for ALTERTABLE_LOCATION The required privileges: Server=server1->URI=hdfs://rogue-4.gce.com:8020/tmp->action=*; (state=42000,code=40000) After granting all on the location URI: > alter table db1.table1 set location '/tmp'; Error: Error while compiling statement: FAILED: SemanticException No valid privileges User merry does not have privileges for ALTERTABLE_LOCATION The required privileges: Server=server1->Db=db1->Table=table1->action=alter; (state=42000,code=40000) Instead, the error message should be something like the following: The required privileges are all of: Server=server1->URI=hdfs://rogue-4.gce.com:8020/tmp->action=*;Server=server1->Db=db1->Table=table1->action=alter; -- This message was sent by Atlassian JIRA (v7.6.3#76005)