[ 
https://issues.apache.org/jira/browse/SENTRY-594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14283413#comment-14283413
 ] 

Xiaomeng Huang commented on SENTRY-594:
---------------------------------------

Hi [~lskuff] 
The current Sentry has a workaround method to get the db name and table name 
in HiveAuthzBindingHook.preAnalyze(), and then adds them to both inputHierarchy 
and outputHierarchy to do authorization, so that we can pass the test cases. 
But as for some operations (e.g. create table, alter table), if we can get 
inputHierarchy from readEntity or outputHierarchy from writeEntity, we don't 
need to add an extra and repeated hierarchy. 
What's more, according to the semantic meaning of "ALTER TABLE", we need write 
permission to this table, so that we actually need output privilege.

Before this patch, as for the operation "ALTER TABLE", firstly we get 
outputHierarchy from writeEntity (e.g. [db1->tb1]), then we add workaround 
object names to both inputHierarchy and outputHierarchy. InputHierarchy will be 
"[db1->tb1]", and outputHierarchy will be "[db1->tb1], [db1->tb1]". Then 
we check *input privilege* of this operation, inputHierarchy "[db1->tb1]" can 
pass test cases.

After this patch, as for the operation "ALTER TABLE", firstly we get 
outputHierarchy from writeEntity (e.g. [db1->tb1]), then we add workaround 
object names to both inputHierarchy and outputHierarchy. InputHierarchy will be 
"[db1->tb1]", and outputHierarchy will be "[db1->tb1], [db1->tb1]". Then 
we check *output privilege* of this operation, outputHierarchy "[db1->tb1], 
[db1->tb1]" can pass test cases, too. 

But you see, after this patch, for the operation "ALTER TABLE", we don't even 
need to add workaround object names. If we don't add workaround object names, 
outputHierarchy "[db1->tb1]" can pass test cases. 

> Alter database should check output privilege instead of input
> -------------------------------------------------------------
>
>                 Key: SENTRY-594
>                 URL: https://issues.apache.org/jira/browse/SENTRY-594
>             Project: Sentry
>          Issue Type: Bug
>            Reporter: Xiaomeng Huang
>            Assignee: Xiaomeng Huang
>         Attachments: SENTRY-594.001.patch
>
>
> "ALTER DATABASE" command can get entities from WriteEntity, and get nothing 
> from ReadEntity. So this command should check output privilege instead of 
> input.
> What's more, "ALTER TABLE" also checks output privilege, like below:
> {code}
> HiveAuthzPrivileges alterTablePrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
>         addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALTER)).
>         setOperationScope(HiveOperationScope.TABLE).
>         setOperationType(HiveOperationType.DDL).
>         build();
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
