[ https://issues.apache.org/jira/browse/SENTRY-2151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Na Li resolved SENTRY-2151.
---------------------------
Resolution: Fixed
> Automatically derive owner privileges from Hive Object Ownership
> ----------------------------------------------------------------
>
> Key: SENTRY-2151
> URL: https://issues.apache.org/jira/browse/SENTRY-2151
> Project: Sentry
> Issue Type: New Feature
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Na Li
> Assignee: Na Li
> Priority: Major
> Fix For: 2.1.0
>
> Attachments: Sentry DB owner privileges - Design Doc.pdf
>
>
> Admins want users who create tables to get implicit owner privileges during
> the table creation. These privileges cannot be revoked.
> For instance, a user under role1 with CREATE privileges gets all privileges
> on newly created tables
> {noformat}
> # As an admin
> hive> grant create on db1 to role1;
> # As a user
> user1> use db1;
> user1> create table t1(id int);
> -- An implicit 'grant all on db1.t1 to user user1' is generated in Sentry
> user1> insert into table t1 values (1);
> user1> select * from t1;
> user1> drop table t1;
> {noformat}
> For backward compatibility, the default implicit privilege to be applied must
> be determined by a configuration set by admins. This is to ensure that an
> upgrade to this new feature does not affect the behavior of old privileges
> set before the upgrade. For newly created tables, the privilege must be
> obtained from the property ‘owner.privileges’ of the database property where
> the table is created.
> For instance, a user on db1 gets "all with grant privileges" but on db2 does
> not get any privilege
> {noformat}
> # As an admin
> hive> alter database db1 set dbproperties('owner.privileges'='all with grant');
> hive> grant create on db1 to role1;
> hive> alter database db2 set dbproperties('owner.privileges'='none');
> hive> grant create on db2 to role2;
> # As a user
> user1> create table db1.t1(id int);
> -- An implicit 'all with grant' privilege is granted to the user on db1.t1
> user1> create table db2.t1(id int);
> -- No privileges are granted to the user on db2.t1
> {noformat}
> The privilege granted implicitly cannot be revoked by explicit revoke
> commands, nor is it removed when the 'owner.privileges' property changes. The
> only way to remove the implicit privileges is by dropping the table or
> changing the owner of the table.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
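As an added illustration of the rules described in the issue (not Sentry's own code; the `SentryModel` class, its method names and the "user:"/"role:" principal prefixes are assumptions made here), this small Python model derives the owner privilege from the database's 'owner.privileges' property at CREATE time, falls back to an admin-set default, ignores explicit REVOKE for implicit privileges, and removes them only on DROP or owner change:

```python
# Hypothetical model (not Sentry's code) of the rules in this issue: the owner's
# privilege is read from the database's 'owner.privileges' property at CREATE
# time (or an admin default), survives explicit REVOKE, and is dropped only
# when the table is dropped or its owner changes.
from dataclasses import dataclass, field

OWNER_MODES = {"none": None, "all": ("ALL", False), "all with grant": ("ALL", True)}

@dataclass(frozen=True)
class Privilege:
    principal: str          # "user:user1" or "role:role1"
    obj: str                # "db1.t1"
    action: str             # "ALL", "CREATE", ...
    grant_option: bool = False
    implicit: bool = False  # derived from ownership rather than from a GRANT

@dataclass
class SentryModel:
    default_owner_mode: str = "none"  # admin-set default for backward compatibility
    db_props: dict = field(default_factory=dict)  # db -> owner.privileges value
    owners: dict = field(default_factory=dict)    # "db.table" -> owner user
    privs: set = field(default_factory=set)
    def set_db_property(self, db, mode):
        if mode not in OWNER_MODES:
            raise ValueError(f"unknown owner.privileges value: {mode!r}")
        self.db_props[db] = mode
    def grant(self, principal, obj, action, grant_option=False):
        self.privs.add(Privilege(principal, obj, action, grant_option))
    def create_table(self, db, table, owner):
        obj = f"{db}.{table}"
        self.owners[obj] = owner
        spec = OWNER_MODES[self.db_props.get(db, self.default_owner_mode)]
        if spec:  # derive the implicit owner privilege at creation time
            self.privs.add(Privilege(f"user:{owner}", obj, spec[0], spec[1], True))
    def revoke(self, principal, obj, action):
        # An explicit REVOKE never removes an implicit (ownership-derived) privilege.
        self.privs = {p for p in self.privs if p.implicit or
                      (p.principal, p.obj, p.action) != (principal, obj, action)}
    def _drop_implicit(self, obj):
        self.privs = {p for p in self.privs if not (p.implicit and p.obj == obj)}
    def drop_table(self, db, table):
        self.owners.pop(f"{db}.{table}", None)
        self._drop_implicit(f"{db}.{table}")
    def change_owner(self, db, table, new_owner):
        self._drop_implicit(f"{db}.{table}")
        self.create_table(db, table, new_owner)  # re-derive for the new owner
    def privileges_of(self, principal, obj):
        return sorted((p.action, p.grant_option) for p in self.privs
                      if p.principal == principal and p.obj == obj)
```

Later changes to 'owner.privileges' do not touch tables that already exist, matching the issue's statement that only DROP or an owner change removes the implicit grant.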