[ https://issues.apache.org/jira/browse/RANGER-4714?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sanket Shelar updated RANGER-4714:
----------------------------------
Description:

STEPS TO REPRODUCE:
User u1 exists on ranger side and has policy configured for all access for table t1
Create new user u2.
Create a hive table and grant access to user u1
As user u1, connect to beeline and execute command 'grant select on table t1 to user u2 with grant option'
Ranger grant policy is created with user u1 having select permission and delegate admin flag enabled (for with grant option)
As user u1, connect to beeline and execute command 'grant update on table t1 to user u2'
Grant policy created earlier is updated to include update permission

CURRENT BEHAVIOUR:
Since policy is updated, delegate admin flag is now set for the policy item for both select and update permissions for user u2 and user u2 is now able to edit the policy to grant update permissions for other users

EXPECTED BEHAVIOUR:
For grant without specifying 'with grant option', ranger policy should not be edited if delegate admin is already set on existing policyitem for other access, instead a new policy item should be added.

> Issue with delegate admin and with grant option policy
> ------------------------------------------------------
>
> Key: RANGER-4714
> URL: https://issues.apache.org/jira/browse/RANGER-4714
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: suja s
> Assignee: Sanket Shelar
> Priority: Major
>
> STEPS TO REPRODUCE:
> User u1 exists on ranger side and has policy configured for all access for table t1
> Create new user u2.
> Create a hive table and grant access to user u1
> As user u1, connect to beeline and execute command 'grant select on table t1 to user u2 with grant option'
> Ranger grant policy is created with user u1 having select permission and delegate admin flag enabled (for with grant option)
> As user u1, connect to beeline and execute command 'grant update on table t1 to user u2'
> Grant policy created earlier is updated to include update permission
> CURRENT BEHAVIOUR:
> Since policy is updated, delegate admin flag is now set for the policy item for both select and update permissions for user u2 and user u2 is now able to edit the policy to grant update permissions for other users
> EXPECTED BEHAVIOUR:
> For grant without specifying 'with grant option', ranger policy should not be edited if delegate admin is already set on existing policyitem for other access, instead a new policy item should be added.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
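
The difference between the reported and the expected grant handling can be seen in a small model. This is an added example, not code from the issue or from Ranger; `PolicyItem`, both grant functions and `replay` are hypothetical names, and the policy is reduced to a list of items holding users, accesses and a delegate-admin flag.

```python
from dataclasses import dataclass

# Hypothetical, simplified model of a policy item (not Ranger's classes).
@dataclass
class PolicyItem:
    users: set
    accesses: set
    delegate_admin: bool = False

def grant_merge_in_place(items, user, access, with_grant_option):
    """CURRENT BEHAVIOUR: the user's existing item is reused for every grant."""
    for item in items:
        if item.users == {user}:
            item.accesses.add(access)
            item.delegate_admin = item.delegate_admin or with_grant_option
            return items
    items.append(PolicyItem({user}, {access}, with_grant_option))
    return items

def grant_split_by_flag(items, user, access, with_grant_option):
    """EXPECTED BEHAVIOUR: reuse an item only if its delegate_admin flag
    matches the grant; otherwise add a new policy item."""
    for item in items:
        if item.users == {user} and item.delegate_admin == with_grant_option:
            item.accesses.add(access)
            return items
    items.append(PolicyItem({user}, {access}, with_grant_option))
    return items

def delegable_accesses(items, user):
    """Accesses the user may grant onward: those in items with delegate_admin set."""
    result = set()
    for item in items:
        if user in item.users and item.delegate_admin:
            result |= item.accesses
    return result

def replay(grant):
    """Replay the two grants from the report against an empty policy."""
    items = []
    grant(items, "u2", "select", True)    # ... with grant option
    grant(items, "u2", "update", False)   # no grant option
    return items

if __name__ == "__main__":
    for grant in (grant_merge_in_place, grant_split_by_flag):
        print(grant.__name__, sorted(delegable_accesses(replay(grant), "u2")))
```

A regression test for the fix can assert the same property against a real policy: after both grants, only `select` sits in a policy item with the delegate admin flag set for u2.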