[ 
https://issues.apache.org/jira/browse/SENTRY-2161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Na Li updated SENTRY-2161:
--------------------------
    Description: 
*Background:*
Partial revoke
For example:
1. When a role has been granted "all" on a table and the role already has 
select/insert privileges on it, they are removed automatically as "all" covers 
the "select/insert".
2. When a role already has the "all" privilege on a table and the "select" 
privilege is revoked, the "all" privilege is revoked and "insert" is added 
automatically, as there are only "select", "insert", and "all".

Hierarchical privileges:
Revoking a privilege on a database would affect the privileges granted to the 
tables in that database.

*Problem:*
For example: 
1) User_A has "select" on table_B
2) User_A is set as owner of table_B and gets the "ALL" privilege on table_B as 
an implicit privilege
3) User_A is not the owner of table_B any more

Based on partial revoke behavior, User_A will lose "select" on table_B after 
step 3). The desired behavior is for User_A to still retain "select" on table_B 
after step 3).

*Solution:*

Only apply partial revoke to user-configured privileges (explicit privileges), 
and do not affect implicit privileges.

  was:
*Background:*
Partial revoke
For example:
1. When a role has been granted "all" on a table and the role already has 
select/insert privileges on it, they are removed automatically as "all" covers 
the "select/insert".
2. When a role already has the "all" privilege on a table and the "select" 
privilege is revoked, the "all" privilege is revoked and "insert" is added 
automatically, as there are only "select", "insert", and "all".

Hierarchical privileges:
Revoking a privilege on a database would affect the privileges granted to the 
tables in that database.

*Problem:*
For example: 
1) User_A has "select" on table_B
2) User_A is set as owner of table_B and gets the "all" privilege on table_B as 
an implicit privilege
3) User_A is not the owner of table_B any more

Based on partial revoke behavior, User_A will lose "select" on table_B after 
step 3). The desired behavior is for User_A to still retain "select" on table_B 
after step 3).

*Solution:*

Only apply partial revoke to user-configured privileges (explicit privileges), 
and do not affect implicit privileges.


> Make sure partial invoke only applies to explicit privileges
> ------------------------------------------------------------
>
>                 Key: SENTRY-2161
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2161
>             Project: Sentry
>          Issue Type: Sub-task
>            Reporter: Na Li
>            Assignee: Na Li
>            Priority: Major
>
> *Background:*
> Partial revoke
> For example:
> 1. When a role has been granted "all" on a table and the role already has 
> select/insert privileges on it, they are removed automatically as "all" 
> covers the "select/insert".
> 2. When a role already has the "all" privilege on a table and the "select" 
> privilege is revoked, the "all" privilege is revoked and "insert" is added 
> automatically, as there are only "select", "insert", and "all".
> Hierarchical privileges:
> Revoking a privilege on a database would affect the privileges granted to the 
> tables in that database.
> *Problem:*
> For example: 
> 1) User_A has "select" on table_B
> 2) User_A is set as owner of table_B and gets the "ALL" privilege on table_B 
> as an implicit privilege
> 3) User_A is not the owner of table_B any more
> Based on partial revoke behavior, User_A will lose "select" on table_B after 
> step 3). The desired behavior is for User_A to still retain "select" on 
> table_B after step 3).
> *Solution:*
> Only apply partial revoke to user-configured privileges (explicit 
> privileges), and do not affect implicit privileges.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
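
The three-step scenario from the issue description, as an added Python model that is not part of the original message and is not Sentry's code. The names `MergedStore`, `SplitStore`, `grant`, `revoke` and `scenario` are hypothetical, and the model assumes that revoking "all" clears the stored set.

```python
# Added model, not Sentry code; per the issue only select/insert/all exist.
PARTS = frozenset({"select", "insert"})

def grant(privs, action):
    """Granting 'all' replaces stored select/insert, since 'all' covers them."""
    if action == "all" or "all" in privs:
        return frozenset({"all"})
    return privs | {action}

def revoke(privs, action):
    """Partial revoke: taking one action out of 'all' leaves the other one."""
    if action == "all":            # assumption: revoking 'all' clears the set
        return frozenset()
    return (PARTS if "all" in privs else privs) - {action}

class MergedStore:
    """Problem case: the owner's implicit 'all' shares one set with explicit grants."""
    def __init__(self):
        self.explicit = frozenset()
    def grant(self, action):
        self.explicit = grant(self.explicit, action)
    def revoke(self, action):
        self.explicit = revoke(self.explicit, action)
    def set_owner(self):
        self.grant("all")
    def unset_owner(self):
        self.revoke("all")
    def allows(self, action):
        return "all" in self.explicit or action in self.explicit

class SplitStore(MergedStore):
    """Proposed behaviour: ownership is tracked apart from explicit grants."""
    def __init__(self):
        super().__init__()
        self.owner = False
    def set_owner(self):
        self.owner = True
    def unset_owner(self):
        self.owner = False
    def allows(self, action):
        return self.owner or super().allows(action)

def scenario(store):
    """Steps 1-3 from the issue; returns (insert while owner, select after, insert after)."""
    store.grant("select")
    store.set_owner()
    insert_while_owner = store.allows("insert")
    store.unset_owner()
    return insert_while_owner, store.allows("select"), store.allows("insert")
```

`scenario(MergedStore())` ends with "select" lost, while `scenario(SplitStore())` keeps it and still drops the owner-only "insert".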
