IMPALA-3133: Wrong privileges after a REVOKE ALL ON SERVER statement This commit fixes an issue where a GRANT ALL ON SERVER to role_name statement followed by a REVOKE ALL ON SERVER from role_name statement would not revoke all privileges from role_name. The problem was triggered by a specific combination of Sentry client API calls used in Impala during grant/revoke statements at server scope. In particular, during GRANT, Impala was using an API call that didn't explicitly specify the privilege action (Sentry uses '*' if no action is specified). In contrast, the corresponding REVOKE call was explicitly specifying the privilege action to be 'ALL'. Sentry doesn't seem to handle this case correctly, thereby failing to remove all the privileges after a REVOKE ALL ON SERVER call. The fix on the Impala side, which results in the correct behavior, is to always specify the privilege action by using the appropriate API calls.
Change-Id: I6b3a0d10f5e88c6a0a10bd20f620562d2de7ab25 Reviewed-on: http://gerrit.cloudera.org:8080/2979 Reviewed-by: Dimitris Tsirogiannis <[email protected]> Tested-by: Internal Jenkins Project: http://git-wip-us.apache.org/repos/asf/incubator-impala/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-impala/commit/5cae398a Tree: http://git-wip-us.apache.org/repos/asf/incubator-impala/tree/5cae398a Diff: http://git-wip-us.apache.org/repos/asf/incubator-impala/diff/5cae398a Branch: refs/heads/master Commit: 5cae398a488ca43b7a688c35f130fe7ff360e553 Parents: 41e3143 Author: Dimitris Tsirogiannis <[email protected]> Authored: Thu May 5 19:59:56 2016 -0700 Committer: Tim Armstrong <[email protected]> Committed: Thu May 12 14:17:57 2016 -0700 ---------------------------------------------------------------------- .../impala/util/SentryPolicyService.java | 3 ++- .../queries/QueryTest/grant_revoke.test | 20 ++++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/5cae398a/fe/src/main/java/com/cloudera/impala/util/SentryPolicyService.java ----------------------------------------------------------------------
diff --git a/fe/src/main/java/com/cloudera/impala/util/SentryPolicyService.java b/fe/src/main/java/com/cloudera/impala/util/SentryPolicyService.java
index ac78e02..b410485 100644
--- a/fe/src/main/java/com/cloudera/impala/util/SentryPolicyService.java
+++ b/fe/src/main/java/com/cloudera/impala/util/SentryPolicyService.java
@@ -244,7 +244,8 @@ public class SentryPolicyService {
 switch (scope) {
 case SERVER:
 client.get().grantServerPrivilege(requestingUser.getShortName(), roleName,
- privilege.getServer_name(), privilege.isHas_grant_opt());
+ privilege.getServer_name(), privilege.getPrivilege_level().toString(),
+ privilege.isHas_grant_opt());
 break;
 case DATABASE:
 client.get().grantDatabasePrivilege(requestingUser.getShortName(), roleName,
http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/5cae398a/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test ----------------------------------------------------------------------
diff --git a/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test b/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test
index e9f768e..fe340c2 100644
--- a/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test
+++ b/testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test
@@ -694,6 +694,26 @@ create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_r
 does not have privileges to execute 'CREATE' on: grant_rev_db
 ====
 ---- QUERY
+show grant role grant_revoke_test_ALL_SERVER1
+---- RESULTS: VERIFY_IS_EQUAL_SORTED
+'SERVER','','','','','ALL',FALSE,regex:.+
+---- LABELS
+scope, database, table, column, uri, privilege, grant_option, create_time
+---- TYPES
+STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
+====
+---- QUERY
+revoke all on server server1 from grant_revoke_test_ALL_SERVER1
+====
+---- QUERY
+show grant role grant_revoke_test_ALL_SERVER1
+---- RESULTS: VERIFY_IS_EQUAL_SORTED
+---- LABELS
+scope, database, table, column, uri, privilege, grant_option, create_time
+---- TYPES
+STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
+====
+---- QUERY
 # Cleanup test roles
 drop role grant_revoke_test_ALL_SERVER;
 drop role grant_revoke_test_SELECT_INSERT_TEST_TBL;
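Review bot: The new `privilege.getPrivilege_level().toString()` argument in the SERVER case fixes the grant/revoke asymmetry, but nothing at the call site records why the explicit-action overload is required, so a later cleanup could fall back to the shorter overload and quietly reintroduce privileges that survive a REVOKE ALL ON SERVER. Suggest a comment above the call: `// Always pass the action explicitly (IMPALA-3133): Sentry does not match an implicit '*' grant against an explicit 'ALL' revoke, so the privilege would otherwise be left in place.` The corresponding revoke call for SERVER scope is outside this hunk; if it derives the action string by a different expression, sharing one helper for both sides would keep them from drifting, though I cannot confirm from here how it is written. The enclosing switch and its method both begin and end outside the hunk.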
