suja s created RANGER-4707:
------------------------------
Summary: Revoke grant option for command removes the user
privilege from ranger policy
Key: RANGER-4707
URL: https://issues.apache.org/jira/browse/RANGER-4707
Project: Ranger
Issue Type: Bug
Components: Ranger
Reporter: suja s
STEPS TO REPRODUCE:
User u1 is a ranger admin, also configured as service admin user for hive.
Users u2 and u3 have USER role on ranger side.
Create a hive table tl1 as user u1. User u1 has full permissions on tl1 via
ranger policy.
As user u1, execute hive beeline command 'grant select on tl1 to user u2'
Ranger grant policy is created with user u2 added with select access type.
As user u1, execute hive beeline command 'grant select on tl1 to user u3 with
grant option'
Ranger grant policy is updated with user u3 added with select access type and
delegate admin flag set.
As user u1, execute hive beeline command 'revoke select on table tl1 from user
u2'
User u2 is removed from ranger grant policy
As user u1, execute hive beeline command 'revoke grant option for select on
table tl1 from user u3'
CURRENT BEHAVIOUR:
User u3 is removed from ranger grant policy
EXPECTED BEHAVIOUR:
Revoke grant option should retain the privilege for user and remove only with
grant permission, ie access type permission should still exist for user in
ranger policy and delegate admin permission should be removed.
>From hive documentation:
If a user is granted a privilege WITH GRANT OPTION on a table or view, then the
user can also grant/revoke privileges of other users and roles on those
objects. As of Hive 0.14.0, the grant option for a privilege can be removed
while still keeping the privilege by using REVOKE GRANT OPTION FOR <privilege>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
