[
https://issues.apache.org/jira/browse/SENTRY-552?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14229038#comment-14229038
]
Lenni Kuff commented on SENTRY-552:
-----------------------------------
I think this is the right fix. Some minor comments:
* Please comment on the method to describe the behavior (mention that it may
not return the complete child privilege).
* I had added some comments that I think help clarify the test case for
"testGrantRevokePrivilegeWithColumn". Can you copy those over to this change?
Also add similar comments to the new test case.
* Please rename the new test case to something more descriptive than
testGrantRevokePrivilegeWithColumn2. The 2 doesn't let us know what this is
testing. You are really validating recursive revoke for column level
privileges, so make that clear in the test name.
* For the new test case can you also revoke at the database and/or scope (to
cover regression test case for SENTRY-543)?
> Downgrading privileges does not always work for column-level privileges
> -----------------------------------------------------------------------
>
> Key: SENTRY-552
> URL: https://issues.apache.org/jira/browse/SENTRY-552
> Project: Sentry
> Issue Type: Bug
> Affects Versions: 1.5.0
> Reporter: Lenni Kuff
> Assignee: Dapeng Sun
> Fix For: 1.5.0
>
> Attachments: SENTRY-552.patch
>
>
> The following doesn't work properly:
> grant all on col1
> grant all on col2
> revoke select on col2
> -- at this point, will have ALL on col1, INSERT on col2
> revoke INSERT from table <--- Does not do the proper thing.
> The expectation is that revoking INSERT from the table would remove INSERT
> privilege on col2 and also downgrade the ALL privilege on col1 to SELECT.
> Instead the privilege on col1 stays in-tact.
> Note that this was exposed as part of the fix for SENTRY-543. Prior to that
> the REVOKE would incorrectly remove both privileges.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
