Lenni Kuff created SENTRY-182:
---------------------------------
Summary: Granting ALL privileges to table does not seem to do the
right thing when using the SimpleDbPolicyProvider
Key: SENTRY-182
URL: https://issues.apache.org/jira/browse/SENTRY-182
Project: Sentry
Issue Type: Bug
Affects Versions: 1.3.0
Reporter: Lenni Kuff
I noticed that if I grant ALL privileges to table (or to all tables under a
database using a wildcard), I get back false when I try to access that table
using PrivilegeLevel = SELECT | INSERT, but the access works if I accessing
using PrivilegeLevel=ALL.
I believe this is because in DBWildcardPrivilege.java @ line 119 the
"policyPart" KeyValue param has a key=>value of: "action" => "ALL" (note the
string "ALL" as the value) where AccessConstants.ALL has a string val of a
wildcard char: "*".
{code}
private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) {
if(policyPart.getValue().equals(AccessConstants.ALL) ||
policyPart.equals(requestPart)) {
return true;
} else ...
{code}
In the BE policy server db I see:
{code}
sentry_test2=# select "DB_PRIVILEGE_ID", "DB_NAME", "TABLE_NAME",
"PRIVILEGE_NAME" FROM "SENTRY_DB_PRIVILEGE" ORDER BY "DB_PRIVILEGE_ID" desc;
DB_PRIVILEGE_ID | DB_NAME | TABLE_NAME |
PRIVILEGE_NAME
-----------------+---------------------+--------------+----------------------------------------
18 | functional_seq_snap | * |
server1+functional_seq_snap+*+ALL
{code}
This doesn't seem specific to the DbPolicyProvider, but when using a policy
file I seem to be able to work around this by explicitly using a wildcard
character for the action rather than "ALL". There doesn't seem to be a way to
do this with the DbPolicyProvider.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
