[ https://issues.apache.org/jira/browse/SENTRY-2151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Na Li resolved SENTRY-2151.
---------------------------
    Resolution: Fixed

> Automatically derive owner privileges from Hive Object Ownership
> ----------------------------------------------------------------
>
>                 Key: SENTRY-2151
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2151
>             Project: Sentry
>          Issue Type: New Feature
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: Na Li
>            Assignee: Na Li
>            Priority: Major
>             Fix For: 2.1.0
>
>         Attachments: Sentry DB owner privileges - Design Doc.pdf
>
>
> Admins want users who create tables to get implicit owner privileges during
> the table creation. These privileges cannot be revoked.
> For instance, a user under role1 with CREATE privileges gets all privileges
> on newly created tables
> {noformat}
> # As an admin
> hive> grant create on db1 to role1;
> # As a user
> user1> use db1;
> user1> create table t1(id int);
> -- An implicit 'grant all on db1.t1 to user user1' is generated in Sentry
> user1> insert into table t1 values (1);
> user1> select * from t1;
> user1> drop table t1;
> {noformat}
> For backward compatibility, the default implicit privilege to be applied must
> be determined by a configuration set by admins. This is to ensure that an
> upgrade to this new feature does not affect the behavior of old privileges
> set before the upgrade. For newly created tables, the privilege must be
> obtained from the property ‘owner.privileges’ of the database property where
> the table is created.
> For instance, a user on db1 gets "all with grant privileges" but on db2 does
> not get any privilege
> {noformat}
> # As an admin
> hive> alter database db1 set dbproperty('owner.privileges'='all with grant');
> hive> grant create on db1 to role1;
> hive> alter database db2 set dbproperty('owner.privileges'='none');
> hive> grant create on db2 to role2;
> # As a user
> user1> create table db1.t1(id int);
> -- An implicit 'all with grant' privilege is granted to the user on db1.t1
> user1> create table db2.t1(id int);
> -- No privileges are granted to the user on db2.t1
> {noformat}
> The privilege granted implicitly cannot be revoked by explicit revoke
> commands nor if the 'owner.privileges' property changes. The only way to
> remove the implicit privileges is by dropping the table or changing the owner
> of the table.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)