[https://issues.apache.org/jira/browse/SENTRY-2433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16661670#comment-16661670]
Na Li commented on SENTRY-2433:
-------------------------------
This bug was introduced in https://issues.apache.org/jira/browse/SENTRY-432
We have two bugs: 1) when dropping an object, it only creates an update that says to
remove all role-based privileges; 2) when the update says to remove all
role-based privileges, all privileges (including user-based privileges) are
removed. The combined result of both bugs is that when an object is removed,
all privileges are removed. Therefore, there is NO critical security issue. We
can fix these two bugs later, not in 5.16.0.
{code}
1) Bug #1: when dropping an object, it only creates an update that says to remove
all role-based privileges.
1.1) NotificationProcessor.java
  @VisibleForTesting
  static Update getPermUpdatableOnDrop(TSentryAuthorizable authorizable)
      throws SentryInvalidInputException {
    PermissionsUpdate update = new PermissionsUpdate(ProviderConstants.INIT_CHANGE_ID, false);
    String authzObj = SentryServiceUtil.getAuthzObj(authorizable);
    update.addPrivilegeUpdate(authzObj)
        .putToDelPrivileges(new TPrivilegePrincipal(TPrivilegePrincipalType.ROLE,
            PermissionsUpdate.ALL_ROLES), PermissionsUpdate.ALL_ROLES);
    return update;
  }
1.2) SentryPlugin.java
  @Override
  public Update onDropSentryPrivilege(TDropPrivilegesRequest request)
      throws SentryPluginException {
    Preconditions.checkNotNull(request, "request");
    if (LOGGER.isTraceEnabled()) {
      LOGGER.trace("onDropSentryPrivilege: {}", request); // request.toString() provides all details
    }
{code}
My plan is to
1) use PermissionsUpdate.ALL_PRIVS in "1.1) NotificationProcessor.java static
Update getPermUpdatableOnDrop(TSentryAuthorizable authorizable)" and
"SentryPlugin.java public Update onDropSentryPrivilege(TDropPrivilegesRequest
request)" instead of "PermissionsUpdate.ALL_ROLES";
2) check PermissionsUpdate.ALL_PRIVS instead of PermissionsUpdate.ALL_ROLES in
UpdateableAuthzPermissions.applyPrivilegeUpdates() in the
"pUpdate.getDelPrivileges()" processing.
It is better to fix both bugs in one patch. Otherwise, the fix for each bug will fail
the integration test.
> Dropping object privileges does not include update of dropping user privileges
> ------------------------------------------------------------------------------
>
> Key: SENTRY-2433
> URL: https://issues.apache.org/jira/browse/SENTRY-2433
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Affects Versions: 2.1.0, 2.2.0
> Reporter: Na Li
> Assignee: Na Li
> Priority: Major
>
> When dropping privileges of an object, the update of this processing only
> includes dropping role-based privileges, and does not include dropping user-
> based privileges.
> If the to-be-dropped object is an external table, the path at HDFS still
> exists, and the user access will still be there even after the Sentry privileges
> associated with that external table are dropped.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
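The interaction between the two bugs in the comment above, and the reason the author wants both fixed in one patch, can be checked with a small model of the drop path. The following is an added, constructed Python example, not Sentry's own Java code: it borrows the names ALL_ROLES and ALL_PRIVS from PermissionsUpdate and the ROLE principal type from TPrivilegePrincipalType, while the USER principal type, the dict layout of the permission store, the behaviour of a half-fixed applier (it simply no longer recognises the old marker) and the sample privileges are assumptions made for the illustration.

```python
"""Toy model of the SENTRY-2433 drop path.

Added, constructed example; not Sentry code. ALL_ROLES, ALL_PRIVS and the ROLE
principal type are borrowed names; USER, the dict layout of the permission
store and the sample privileges are assumptions for the illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class PrincipalType(Enum):
    ROLE = "ROLE"
    USER = "USER"  # assumed: stands in for Sentry's user-based principals


# Stand-ins for PermissionsUpdate.ALL_ROLES / PermissionsUpdate.ALL_PRIVS.
ALL_ROLES = "__ALL_ROLES__"
ALL_PRIVS = "__ALL_PRIVS__"


@dataclass(frozen=True)
class Principal:
    ptype: PrincipalType
    name: str


@dataclass
class PermissionsUpdate:
    # authzObj -> principals whose privileges on that object are to be deleted
    del_privileges: dict = field(default_factory=dict)


def drop_update(authz_obj: str, generator_fixed: bool) -> PermissionsUpdate:
    """Models getPermUpdatableOnDrop / onDropSentryPrivilege.

    With bug #1 the update carries a ROLE principal named ALL_ROLES; the
    planned fix carries ALL_PRIVS instead (principal type kept as ROLE, as
    in the quoted snippet).
    """
    marker = ALL_PRIVS if generator_fixed else ALL_ROLES
    return PermissionsUpdate({authz_obj: [Principal(PrincipalType.ROLE, marker)]})


def apply_update(perms: dict, update: PermissionsUpdate, applier_fixed: bool) -> dict:
    """Models applyPrivilegeUpdates' handling of pUpdate.getDelPrivileges().

    perms: authzObj -> {Principal: set of actions}. The applier recognises a
    single wildcard marker: ALL_ROLES with bug #2 (and then clears user
    privileges as well), ALL_PRIVS once the planned fix is in. Any other
    principal is an ordinary per-principal delete.
    """
    wildcard = ALL_PRIVS if applier_fixed else ALL_ROLES
    result = {obj: dict(holders) for obj, holders in perms.items()}
    for obj, principals in update.del_privileges.items():
        holders = result.setdefault(obj, {})
        for principal in principals:
            if principal.name == wildcard:
                holders.clear()  # wildcard: drop every holder, role or user
            else:
                holders.pop(principal, None)  # targeted: drop just this principal
    return result


def sample_perms() -> dict:
    """Constructed sample: a role and a user both hold privileges on one table."""
    return {
        "db1.tbl1": {
            Principal(PrincipalType.ROLE, "analyst"): {"SELECT"},
            Principal(PrincipalType.USER, "alice"): {"ALL"},
        }
    }


def remaining_after_drop(generator_fixed: bool, applier_fixed: bool) -> list:
    """Drop db1.tbl1 under one combination of fixes; report who still holds privileges."""
    update = drop_update("db1.tbl1", generator_fixed)
    after = apply_update(sample_perms(), update, applier_fixed)
    return sorted(f"{p.ptype.value}:{p.name}" for p in after["db1.tbl1"])


if __name__ == "__main__":
    for gen_fixed in (False, True):
        for app_fixed in (False, True):
            left = remaining_after_drop(gen_fixed, app_fixed) or ["(nothing)"]
            print(f"generator fixed={gen_fixed!s:5} applier fixed={app_fixed!s:5}"
                  f" -> still holding privileges: {', '.join(left)}")
```

Running the script prints the 2x2 matrix: with both bugs present, and with both fixes applied, nothing survives the drop, which is the "no critical security issue" observation in the comment. With only one side changed, the generator's marker and the applier's wildcard no longer match, so the drop removes nothing at all for that object, which is the integration-test failure the comment predicts for a one-sided patch.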