Fredy Wijaya created SENTRY-2424:
------------------------------------

             Summary: sentry.db.explicit.grants.permitted config does not allow empty value to mean allow all privileges
                 Key: SENTRY-2424
                 URL: https://issues.apache.org/jira/browse/SENTRY-2424
             Project: Sentry
          Issue Type: Bug
          Components: Core
    Affects Versions: 2.0.1
            Reporter: Fredy Wijaya


https://issues.apache.org/jira/browse/SENTRY-2413 introduced 
"sentry.db.explicit.grants.permitted" to specify which privileges are permitted 
to be granted explicitly. An empty value means allow all privileges. However, the 
following sentry-site.xml does not work.

{noformat}
<property>
  <name>sentry.db.explicit.grants.permitted</name>
  <value></value>
</property>
{noformat}

Apparently using a space works.
{noformat}
<property>
  <name>sentry.db.explicit.grants.permitted</name>
  <value> </value>
</property>
{noformat}

Steps to reproduce in Impala:
{noformat}
[localhost:21000] default> create role foo_role;
[localhost:21000] default> grant alter on table functional.alltypes to role foo_role;
ERROR: AuthorizationException: User 'foobar' does not have privileges to execute: GRANT_PRIVILEGE
{noformat}

Stacktrace:
{noformat}
18/10/04 20:01:06 ERROR thrift.SentryPolicyStoreProcessor: GRANT privilege for [ALTER] not permitted.
org.apache.sentry.core.common.exception.SentryGrantDeniedException: GRANT privilege for [ALTER] not permitted.
    at org.apache.sentry.api.common.SentryServiceUtil.checkDbExplicitGrantsPermitted(SentryServiceUtil.java:364)
    at org.apache.sentry.api.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_grant_privilege(SentryPolicyStoreProcessor.java:265)
    at org.apache.sentry.api.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1597)
    at org.apache.sentry.api.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1582)
    at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
    at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
    at org.apache.sentry.api.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:36)
    at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
{noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
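
A pre-deployment check for the two sentry-site.xml forms shown in this report, as an added example that is not part of the original issue or of Sentry's code: it reports whether the property's value is empty (the form reported as rejecting GRANT), whitespace-only (the form reported to work), or an explicit list. The comma-separated list format, the function name and the sample files are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

PROPERTY = "sentry.db.explicit.grants.permitted"

# Constructed sample files mirroring the snippets in the report.
TEMPLATE = """<configuration>
  <property>
    <name>sentry.db.explicit.grants.permitted</name>
    <value>{}</value>
  </property>
</configuration>"""
EMPTY = TEMPLATE.format("")                # reported as "does not work"
SPACE = TEMPLATE.format(" ")               # reported workaround
LISTED = TEMPLATE.format("ALTER, select")  # assumed comma-separated format


def classify(site_xml, name=PROPERTY):
    """Return (status, privileges) for `name` in a Hadoop-style site file.

    status is one of:
      absent     - property not defined in this file
      empty      - <value></value>, <value/> or no <value> element
      whitespace - value contains only whitespace
      explicit   - value lists one or more privileges
    If the property is defined more than once, the last definition is reported.
    """
    root = ET.fromstring(site_xml)
    status, privileges = "absent", []
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() != name:
            continue
        text = prop.findtext("value")  # None or "" when nothing is between the tags
        if not text:
            status, privileges = "empty", []
        elif not text.strip():
            status, privileges = "whitespace", []
        else:
            status = "explicit"
            privileges = [p.strip().upper() for p in text.split(",") if p.strip()]
    return status, privileges


if __name__ == "__main__":
    for label, xml in (("empty", EMPTY), ("space", SPACE), ("listed", LISTED)):
        status, privileges = classify(xml)
        note = "  <-- form reported in SENTRY-2424" if status == "empty" else ""
        print(f"{label:7s} status={status:10s} privileges={privileges}{note}")
```
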
