[jira] [Resolved] (SENTRY-182) Granting ALL privileges to table does not seem to do the right thing when using the SimpleDbPolicyProvider

Wed, 21 May 2014 13:34:03 -0700 

     [ 
https://issues.apache.org/jira/browse/SENTRY-182?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sravya Tirukkovalur resolved SENTRY-182.
----------------------------------------

       Resolution: Fixed
    Fix Version/s: 1.4.0

This is fixed as part of SENTRY-217

> Granting ALL privileges to table does not seem to do the right thing when 
> using the SimpleDbPolicyProvider
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-182
>                 URL: https://issues.apache.org/jira/browse/SENTRY-182
>             Project: Sentry
>          Issue Type: Bug
>    Affects Versions: 1.3.0
>            Reporter: Lenni Kuff
>            Assignee: Prasad Mujumdar
>             Fix For: 1.4.0
>
>
> I noticed that if I grant ALL privileges to table (or to all tables under a 
> database using a wildcard), I get back false when I try to access that table 
> using PrivilegeLevel = SELECT | INSERT, but the access works if I accessing 
> using PrivilegeLevel=ALL.
> I believe this is because in DBWildcardPrivilege.java @ line 119 the 
> "policyPart" KeyValue param has a key=>value of: "action" => "ALL" (note the 
> string "ALL" as the value) where AccessConstants.ALL has a string val of a 
> wildcard char: "*".
> {code}
> private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) {  
>   
>     if(policyPart.getValue().equals(AccessConstants.ALL) || 
> policyPart.equals(requestPart)) {
>         return true;
>     } else ...
> {code}
> In the BE policy server db I see:
> {code}
> sentry_test2=# select "DB_PRIVILEGE_ID", "DB_NAME", "TABLE_NAME", 
> "PRIVILEGE_NAME" FROM "SENTRY_DB_PRIVILEGE" ORDER BY "DB_PRIVILEGE_ID" desc;
>  DB_PRIVILEGE_ID |       DB_NAME       |  TABLE_NAME  |             
> PRIVILEGE_NAME             
> -----------------+---------------------+--------------+----------------------------------------
>               18 | functional_seq_snap | *            | 
> server1+functional_seq_snap+*+ALL
> {code}
> This doesn't seem specific to the DbPolicyProvider, but when using a policy 
> file I seem to be able to work around this by explicitly using a wildcard 
> character for the action rather than "ALL". There doesn't seem to be a way to 
> do this with the DbPolicyProvider.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to