[ https://issues.apache.org/jira/browse/SENTRY-2424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Na Li reassigned SENTRY-2424: ----------------------------- Assignee: Sergio Peña > sentry.db.explicit.grants.permitted config does not allow empty value to mean > allow all privileges > -------------------------------------------------------------------------------------------------- > > Key: SENTRY-2424 > URL: https://issues.apache.org/jira/browse/SENTRY-2424 > Project: Sentry > Issue Type: Bug > Components: Core > Affects Versions: 2.0.1 > Reporter: Fredy Wijaya > Assignee: Sergio Peña > Priority: Major > > https://issues.apache.org/jira/browse/SENTRY-2413 introduced > "sentry.db.explicit.grants.permitted" to specify which privileges are > permitted to be granted explicitly. Empty value means allow all privileges. > However the following sentry-site.xml does not work. > {noformat} > <property> > <name>sentry.db.explicit.grants.permitted</name> > <value></value> > </property> > {noformat} > Apparently using a space works. > {noformat} > <property> > <name>sentry.db.explicit.grants.permitted</name> > <value> </value> > </property> > {noformat} > Steps to reproduce in Impala: > {noformat} > [localhost:21000] default> create role foo_role; > [localhost:21000] default> grant alter on table functional.alltypes to role > foo_role; > ERROR: AuthorizationException: User 'foobar' does not have privileges to > execute: GRANT_PRIVILEGE > {noformat} > Stacktrace: > {noformat} > 18/10/04 20:01:06 ERROR thrift.SentryPolicyStoreProcessor: GRANT privilege > for [ALTER] not permitted. > org.apache.sentry.core.common.exception.SentryGrantDeniedException: GRANT > privilege for [ALTER] not permitted. > at > org.apache.sentry.api.common.SentryServiceUtil.checkDbExplicitGrantsPermitted(SentryServiceUtil.java:364) > at > org.apache.sentry.api.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_grant_privilege(SentryPolicyStoreProcessor.java:265) > at > org.apache.sentry.api.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1597) > at > org.apache.sentry.api.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1582) > at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39) > > at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39) > > at > org.apache.sentry.api.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:36) > at > org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123) > > at > org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > > at java.lang.Thread.run(Thread.java:748) > {noformat} -- This message was sent by Atlassian JIRA (v7.6.3#76005)