Hello Alex Behm,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/2979
to look at the new patch set (#2).
Change subject: IMPALA-3133: Wrong privileges after a REVOKE ALL ON SERVER
statement
......................................................................
IMPALA-3133: Wrong privileges after a REVOKE ALL ON SERVER statement
This commit fixes an issue where a GRANT ALL ON SERVER to role_name statement
followed by a REVOKE ALL ON SERVER from role_name statement would not revoke all
privileges from role_name. The problem was triggered by a specific
combination of Sentry client API calls used in Impala during
grant/revoke statements at server scope. In particular, during GRANT, Impala
was using
an API call that didn't explicitly specify the privilege action (Sentry uses
'*' if
no action is specified). In contrast, the corresponding REVOKE call was
explicitly
specifying the privilege action to be 'ALL'. Sentry doesn't seem to
handle this case correctly, thereby failing to remove all the privileges
after a REVOKE ALL ON SERVER call. The fix from the Impala side, that
results in the correct behavior, is to always specify the privilege
action by using the appropriate API calls.
Change-Id: I6b3a0d10f5e88c6a0a10bd20f620562d2de7ab25
---
M fe/src/main/java/com/cloudera/impala/util/SentryPolicyService.java
M testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test
2 files changed, 22 insertions(+), 1 deletion(-)
git pull ssh://gerrit.cloudera.org:29418/Impala refs/changes/79/2979/2
--
To view, visit http://gerrit.cloudera.org:8080/2979
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I6b3a0d10f5e88c6a0a10bd20f620562d2de7ab25
Gerrit-PatchSet: 2
Gerrit-Project: Impala
Gerrit-Branch: cdh5-trunk
Gerrit-Owner: Dimitris Tsirogiannis <[email protected]>
Gerrit-Reviewer: Alex Behm <[email protected]>
