[
https://issues.apache.org/jira/browse/SENTRY-488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14158920#comment-14158920
]
Prasad Mujumdar commented on SENTRY-488:
----------------------------------------
[~asuresh] Thanks for putting the patch together.
If I am not mistaken, the problem only happens when the user's roleset is
empty, which is due to the fact that getMSentryPrivilegesByAuth() treats an empty
roleSet as a wildcard.
In that case, would it make sense to check this case and return an empty result
set right away? Basically, if the requesting user is not an admin, then don't
even try to call getMSentryPrivilegesByAuth() and avoid extracting all roles
and filtering all of them out?
Rest of the patch looks fine. Thanks for adding the testcase.
> Sentry list_sentry_privileges_by_authorizable API does not filter out
> roles/privileges for some cases.
> ------------------------------------------------------------------------------------------------------
>
> Key: SENTRY-488
> URL: https://issues.apache.org/jira/browse/SENTRY-488
> Project: Sentry
> Issue Type: Bug
> Reporter: Arun Suresh
> Assignee: Arun Suresh
> Attachments: SENTRY-488.1.patch, SENTRY-488.2.patch
>
>
> I am requestorUserName=u'user1_1' which is non-admin and only has the 'foo' group
> I can list ALL the roles/privilege attached to an object.
> I should only see the group foo and its privilege on sample_07.
> {code}
> [02/Oct/2014 16:41:23 -0700] thrift_util DEBUG Thrift call <class
> 'sentry_policy_service.SentryPolicyService.Client'>.list_sentry_privileges_by_authorizable
> returned in 38ms:
> TListSentryPrivilegesByAuthResponse(status=TSentryResponseStatus(message='',
> stack=None, value=0),
> privilegesMapByAuth={TSentryAuthorizable(table='sample_07', db='default',
> uri=None, server='server1'): TSentryPrivilegeMap(privilegeMap={'foo':
> set([TSentryPrivilege(grantOption=0, serverName='server1',
> tableName='sample_07', privilegeScope='TABLE', createTime=1412271660913,
> URI='', action='all', dbName='default'), TSentryPrivilege(grantOption=0,
> serverName='server1', tableName='sample_07', privilegeScope='TABLE',
> createTime=1412270683086, URI='', action='select', dbName='default'),
> TSentryPrivilege(grantOption=0, serverName='server1', tableName='sample_07',
> privilegeScope='TABLE', createTime=1412271260793, URI='', action='insert',
> dbName='default')]), 'jholoman': set([TSentryPrivilege(grantOption=0,
> serverName='server1', tableName='sample_07', privilegeScope='TABLE',
> createTime=1412271260793, URI='', action='insert', dbName='default')]), ....
> [02/Oct/2014 16:41:23 -0700] thrift_util DEBUG Thrift call: <class
> 'sentry_policy_service.SentryPolicyService.Client'>.list_sentry_privileges_by_authorizable(args=(TListSentryPrivilegesByAuthRequest(protocol_version=1,
> authorizableSet=[TSentryAuthorizable(table=u'sample_07', db=u'default',
> uri=None, server=u'server1')], roleSet=None, groups=None,
> requestorUserName=u'user1_1'),), kwargs={})
> {code}
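The empty-role-set case discussed in the comment above, as an added example that is not Sentry's code or part of the attached patches. The class, method names and sample data are hypothetical; `lookupByRoles` is a stand-in that assumes the wildcard behaviour the comment attributes to getMSentryPrivilegesByAuth(), and letting an admin list everything is an assumption of this sketch.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class EmptyRoleSetDemo {
    // Constructed sample data: role -> actions granted on default.sample_07.
    static final Map<String, Set<String>> PRIVS = new LinkedHashMap<>();
    static {
        PRIVS.put("foo", Set.of("all", "select", "insert"));
        PRIVS.put("jholoman", Set.of("insert"));
    }

    // Hypothetical stand-in for the store lookup: an empty role filter
    // matches every role (the wildcard behaviour described in the comment).
    static Map<String, Set<String>> lookupByRoles(Set<String> roleFilter) {
        Map<String, Set<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, Set<String>> e : PRIVS.entrySet()) {
            if (roleFilter.isEmpty() || roleFilter.contains(e.getKey())) {
                out.put(e.getKey(), e.getValue());
            }
        }
        return out;
    }

    // Before: the requestor's role set is passed straight through, so a
    // non-admin with no roles is treated as "no filter".
    static Map<String, Set<String>> listUnguarded(Set<String> requestorRoles) {
        return lookupByRoles(requestorRoles);
    }

    // After: only an admin may use the wildcard (assumption); a non-admin
    // with an empty role set gets an empty result without a store query.
    static Map<String, Set<String>> listGuarded(boolean isAdmin, Set<String> requestorRoles) {
        if (isAdmin) return lookupByRoles(Collections.emptySet());
        if (requestorRoles.isEmpty()) return Collections.emptyMap();
        return lookupByRoles(requestorRoles);
    }

    public static void main(String[] args) {
        Set<String> none = Collections.emptySet();
        System.out.println("unguarded, no roles: " + listUnguarded(none).keySet());
        System.out.println("guarded, no roles:   " + listGuarded(false, none).keySet());
        System.out.println("guarded, role foo:   " + listGuarded(false, Set.of("foo")).keySet());
        System.out.println("guarded, admin:      " + listGuarded(true, none).keySet());
    }
}
```

A regression test for this class of bug should assert on the empty-role-set case explicitly, since a filter that works for any non-empty set still passes every other test.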