[
https://issues.apache.org/jira/browse/SENTRY-2315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16603441#comment-16603441
]
Sergio Peña commented on SENTRY-2315:
-------------------------------------
The REVOKE privilege is kind of broken these days. It is hard to decide what
privileges will be granted after revoking a single privilege from ALL. For
example. components like Impala (and next SparkSQL) are (or will) using
privileges that mean differently for Hive, like the REFRESH privilege. If we do
revoke a single privilege from ALL, then what privileges should we grant?
I think we should move towards using the ALL privilege as a new privilege, and
not a combination of all supported privileges. For now, Sentry supports the
option #1 only, so we should keep it that way, and we should fix the grant ALL,
which now it combines all privileges exception ALTER. We can talk about moving
to option #2 in a different Sentry version.
> The grant all operation is not dropping the create/alter/drop/index/lock
> privileges.
> ------------------------------------------------------------------------------------
>
> Key: SENTRY-2315
> URL: https://issues.apache.org/jira/browse/SENTRY-2315
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Sergio Peña
> Assignee: Sergio Peña
> Priority: Major
> Attachments: SENTRY-2315.1.patch
>
>
> When an object has the ALL privilege, any individual privilege explicitly
> granted (i.e. create, select, insert, ...) after that has no effect on the
> privilege list because ALL implies the role or user has all those privileges.
> However, when any of the new privileges list (create, alter, drop) is granted
> before, and then the grant ALL happens, those privileges are not removed. We
> should keep the GRANT ALL consistent and remove any individual privilege
> (except the OWNER privilege) from the list.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
