[ https://issues.apache.org/jira/browse/SENTRY-2242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16489152#comment-16489152 ]
Na Li commented on SENTRY-2242:
-------------------------------

The problem we want to solve is: Owner privilege on an object should be assigned to only one user or role at any given time.

The proposed change has two issues:
1) It does not prevent the same owner privilege on an object from being assigned to a user and a role at the same time.
2) It changes the primary key of the table SENTRY_USER_DB_PRIVILEGE_MAP. Once we support user privilege, we have to change the primary key definition, and it could cause an upgrade issue.

> Add schema changes to limit one one owner privilege per object
> --------------------------------------------------------------
>
>                 Key: SENTRY-2242
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2242
>             Project: Sentry
>          Issue Type: Sub-task
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: kalyan kumar kalvagadda
>            Assignee: kalyan kumar kalvagadda
>            Priority: Major
>
> Currently user<-> privileges is implemented to handle privileges to owners of
> the respective objects. There cannot be more than one owner to a single object
> (database/table) so a restriction should be added either at the application or
> the database schema to prevent it from happening.
> I feel a schema change is the best way to do it for now as there is no plan to
> implement user privileges in the near future. In future when the user privileges
> feature is implemented this change could be reverted and the restriction can be
> added at the application.
> *Current Schema:*
> {noformat}
> ALTER TABLE `SENTRY_USER_DB_PRIVILEGE_MAP`
>  ADD CONSTRAINT `SENTRY_USER_DB_PRIVILEGE_MAP_PK` PRIMARY KEY
> (`USER_ID`,`DB_PRIVILEGE_ID`);
> {noformat}
> *Proposed Solution:*
> {noformat}
> ALTER TABLE `SENTRY_USER_DB_PRIVILEGE_MAP`
>  ADD CONSTRAINT `SENTRY_USER_DB_PRIVILEGE_MAP_PK` PRIMARY KEY
> (`DB_PRIVILEGE_ID`);
> {noformat}
> With this change DB_PRIVILEGE_ID would be the primary key and this restricts
> the same privilege from being granted to another user.

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
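
The first issue raised in the comment can be checked on a scratch database by running the same grants under the current and the proposed primary key. This is an added example, not code from the Sentry project: it uses SQLite in place of the MySQL DDL quoted above, and the `SENTRY_ROLE_DB_PRIVILEGE_MAP` table, its `ROLE_ID` column, the helper names and all ids are assumptions constructed for the illustration.

```python
import sqlite3

def build(user_map_pk):
    """Create both map tables; only the user map's primary key varies.
    The role map table and its columns are assumed for this illustration."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE SENTRY_USER_DB_PRIVILEGE_MAP (
            USER_ID INTEGER NOT NULL,
            DB_PRIVILEGE_ID INTEGER NOT NULL,
            PRIMARY KEY ({user_map_pk}));
        CREATE TABLE SENTRY_ROLE_DB_PRIVILEGE_MAP (
            ROLE_ID INTEGER NOT NULL,
            DB_PRIVILEGE_ID INTEGER NOT NULL,
            PRIMARY KEY (ROLE_ID, DB_PRIVILEGE_ID));
    """)
    return db

def try_grant(db, table, grantee_col, grantee_id, privilege_id):
    """Return True if the mapping row is accepted, False if a key rejects it."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                f"INSERT INTO {table} ({grantee_col}, DB_PRIVILEGE_ID) VALUES (?, ?)",
                (grantee_id, privilege_id))
        return True
    except sqlite3.IntegrityError:
        return False

def owners_of(db, privilege_id):
    """Audit query: every (kind, id) holding the privilege across both tables."""
    return sorted(db.execute(
        "SELECT 'user', USER_ID FROM SENTRY_USER_DB_PRIVILEGE_MAP"
        " WHERE DB_PRIVILEGE_ID = ?"
        " UNION ALL SELECT 'role', ROLE_ID FROM SENTRY_ROLE_DB_PRIVILEGE_MAP"
        " WHERE DB_PRIVILEGE_ID = ?", (privilege_id, privilege_id)).fetchall())

def scenario(user_map_pk):
    """Grant one owner privilege to two users and one role; report the outcome."""
    db = build(user_map_pk)
    owner_priv = 100  # constructed id of a single owner-privilege row
    accepted = [
        try_grant(db, "SENTRY_USER_DB_PRIVILEGE_MAP", "USER_ID", 1, owner_priv),
        try_grant(db, "SENTRY_USER_DB_PRIVILEGE_MAP", "USER_ID", 2, owner_priv),
        try_grant(db, "SENTRY_ROLE_DB_PRIVILEGE_MAP", "ROLE_ID", 7, owner_priv),
    ]
    return accepted, owners_of(db, owner_priv)

if __name__ == "__main__":
    print("current :", scenario("USER_ID, DB_PRIVILEGE_ID"))
    print("proposed:", scenario("DB_PRIVILEGE_ID"))
```

Under the proposed key the second user grant is rejected, but the role grant still succeeds, so the audit query returns two owners for the same privilege.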