Repository: sentry Updated Branches: refs/heads/master 035333a4d -> 9c3614bce
SENTRY-2270: Illegal privileges on columns can be granted on Hive (Sergio Pena, reviewd by Arjun Mishra) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/9c3614bc Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/9c3614bc Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/9c3614bc Branch: refs/heads/master Commit: 9c3614bcebd84b4218ec3195201483cc88d8be4a Parents: 035333a Author: Sergio Pena <[email protected]> Authored: Fri Jun 15 11:32:54 2018 -0500 Committer: Sergio Pena <[email protected]> Committed: Fri Jun 15 11:32:54 2018 -0500 ---------------------------------------------------------------------- .../binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java | 4 ++-- .../sentry/binding/hive/authz/DefaultSentryAccessController.java | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/9c3614bc/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java ----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java
index 23246c9..0518938 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java
@@ -367,8 +367,8 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization
 if (privilegeDef.getChildCount() > 1) {
 cols = BaseSemanticAnalyzer.getColumnNames((ASTNode) privilegeDef.getChild(1));
 }
- if (cols != null && (privObj.getPriv().equals(PrivilegeType.INSERT)
- || privObj.getPriv().equals(PrivilegeType.ALL))) {
+ // Columns accept only SELECT privileges
+ if (cols != null && !privObj.getPriv().equals(PrivilegeType.SELECT)) {
 String msg = SentryHiveConstants.PRIVILEGE_NOT_SUPPORTED + privObj.getPriv() + " on Column";
 throw new SemanticException(msg);
 }
http://git-wip-us.apache.org/repos/asf/sentry/blob/9c3614bc/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java ----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java
index f0b4b44..321701d 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java
@@ -405,8 +405,8 @@ public class DefaultSentryAccessController extends SentryHiveAccessController {
 case TABLE_OR_VIEW:
 // For column level security
 if (columnNames != null && !columnNames.isEmpty()) {
- if (action.equalsIgnoreCase(AccessConstants.INSERT)
- || action.equalsIgnoreCase(AccessConstants.ALL)) {
+ // Columns accept only SELECT privileges
+ if (!action.equalsIgnoreCase(AccessConstants.SELECT)) {
 String msg = SentryHiveConstants.PRIVILEGE_NOT_SUPPORTED + privilege.getName() + " on Column";
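Review bot: The new guard in the first hunk, `if (cols != null && !privObj.getPriv().equals(PrivilegeType.SELECT))`, dereferences whatever `getPriv()` returns, so if that can ever be null the grant fails with a NullPointerException instead of the intended `SemanticException`; assuming `PrivilegeType` is an enum, `privObj.getPriv() != PrivilegeType.SELECT` keeps the allow-list and still rejects in that case. The diffstat lists only the two binding classes, so no test pins the new behaviour; a test that attempts a column-level grant for each non-SELECT privilege and expects `PRIVILEGE_NOT_SUPPORTED` would guard against regression, and the same holds for the `DefaultSentryAccessController` hunk, whose trailing context is cut off on this page. Both checks sit in the Hive binding, and whether the Sentry server also refuses non-SELECT column privileges is not visible here, so it is worth confirming that the rule is enforced there as well. The enclosing method begins and ends outside the hunk.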
