[
https://issues.apache.org/jira/browse/SENTRY-552?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14231013#comment-14231013
]
Xiaomeng Huang commented on SENTRY-552:
---------------------------------------
Thanks [~dapengsun] for fixing this issue. I think this jira fixed two issues, both
the use cases in SENTRY-543 and the use cases of downgrade privileges in this jira. I
can understand this fix and it actually can work. BTW, I think this issue is
not caused by column level feature, it also exists when we revoke downgrade
database level privileges from table level privileges.
> Downgrading privileges does not always work for column-level privileges
> -----------------------------------------------------------------------
>
> Key: SENTRY-552
> URL: https://issues.apache.org/jira/browse/SENTRY-552
> Project: Sentry
> Issue Type: Bug
> Affects Versions: 1.5.0
> Reporter: Lenni Kuff
> Assignee: Dapeng Sun
> Fix For: 1.5.0
>
> Attachments: SENTRY-552.002.patch, SENTRY-552.003.patch,
> SENTRY-552.004.patch, SENTRY-552.patch
>
>
> The following doesn't work properly:
> grant all on col1
> grant all on col2
> revoke select on col2
> -- at this point, will have ALL on col1, INSERT on col2
> revoke INSERT from table <--- Does not do the proper thing.
> The expectation is that revoking INSERT from the table would remove INSERT
> privilege on col2 and also downgrade the ALL privilege on col1 to SELECT.
> Instead the privilege on col1 stays intact.
> Note that this was exposed as part of the fix for SENTRY-543. Prior to that
> the REVOKE would incorrectly remove both privileges.
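The revoke behaviour the issue description expects, as an added example that is not Sentry code and not part of the original thread: a small model in which a revoke at one scope removes the action from every grant at or beneath that scope, so a partial revoke downgrades rather than deletes. It generalizes beyond the column case to any level of the hierarchy, which also covers the database-over-table case raised in the comment. Assumptions: ALL expands to SELECT plus INSERT (implied by the issue text), and the names `db1`, `t1`, `col1`, `col2` and `PrivilegeStore` are constructed for illustration.

```python
# Simplified model, not Sentry code. Assumption: ALL expands to {SELECT, INSERT},
# which matches the issue text (ALL on col2 minus SELECT leaves INSERT).
ALL = frozenset({"SELECT", "INSERT"})


def expand(action):
    """Turn an action name into the set of primitive actions it covers."""
    return ALL if action.upper() == "ALL" else frozenset({action.upper()})


def covers(parent, child):
    """True when scope `parent` is `child` itself or one of its ancestors."""
    return child[:len(parent)] == parent


class PrivilegeStore:
    def __init__(self):
        self.grants = {}  # scope tuple, e.g. (db, table, column) -> set of actions

    def grant(self, scope, action):
        self.grants.setdefault(tuple(scope), set()).update(expand(action))

    def revoke(self, scope, action):
        """Remove `action` at `scope` and from every grant beneath it."""
        scope, removed = tuple(scope), expand(action)
        for held_scope in list(self.grants):
            if covers(scope, held_scope):
                self.grants[held_scope] -= removed   # partial revoke = downgrade
                if not self.grants[held_scope]:
                    del self.grants[held_scope]      # nothing left, drop the grant

    def actions(self, scope):
        return frozenset(self.grants.get(tuple(scope), ()))


def replay_issue_scenario():
    """Replay the statements from the issue description on constructed names."""
    store = PrivilegeStore()
    store.grant(("db1", "t1", "col1"), "ALL")
    store.grant(("db1", "t1", "col2"), "ALL")
    store.revoke(("db1", "t1", "col2"), "SELECT")
    before = (store.actions(("db1", "t1", "col1")), store.actions(("db1", "t1", "col2")))
    store.revoke(("db1", "t1"), "INSERT")            # table-level revoke
    after = (store.actions(("db1", "t1", "col1")), store.actions(("db1", "t1", "col2")))
    return before, after
```

In this model the two incorrect outcomes the issue mentions are easy to tell apart from the expected one: deleting every covered grant would leave col1 with nothing, and skipping grants that do not exactly match the revoked action would leave col1 at ALL.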