[jira] [Updated] (RANGER-4707) Revoke grant option for command removes the user privilege from ranger policy

Sat, 18 Oct 2025 13:48:35 -0700 


     [ 
https://issues.apache.org/jira/browse/RANGER-4707?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sanket Shelar updated RANGER-4707:
----------------------------------
    Affects Version/s: 3.0.0

> Revoke grant option for command removes the user privilege from ranger policy
> -----------------------------------------------------------------------------
>
>                 Key: RANGER-4707
>                 URL: https://issues.apache.org/jira/browse/RANGER-4707
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 3.0.0
>            Reporter: suja s
>            Assignee: Sanket Shelar
>            Priority: Major
>
> STEPS TO REPRODUCE:
> User u1 is a ranger admin, also configured as service admin user for hive. 
> Users u2 and u3 have USER role on ranger side.
> Create a hive table tl1 as user u1. User u1 has full permissions on tl1 via 
> ranger policy.
> As user u1, execute hive beeline command 'grant select on tl1 to user u2'
> Ranger grant policy is created with user u2 added with select access type.
> As user u1, execute hive beeline command 'grant select on tl1 to user u3 with 
> grant option'
> Ranger grant policy is updated with user u3 added with select access type and 
> delegate admin flag set.
> As user u1, execute hive beeline command 'revoke select on table tl1 from 
> user u2'
> User u2 is removed from ranger grant policy
> As user u1, execute hive beeline command 'revoke grant option for select on 
> table tl1 from user u3'
> CURRENT BEHAVIOUR:
> User u3 is removed from ranger grant policy
> EXPECTED BEHAVIOUR:
> Revoke grant option should retain the privilege for user and remove only with 
> grant permission, ie access type permission should still exist for user in 
> ranger policy and delegate admin permission should be removed.
> From hive documentation:
> If a user is granted a privilege WITH GRANT OPTION on a table or view, then 
> the user can also grant/revoke privileges of other users and roles on those 
> objects. As of Hive 0.14.0, the grant option for a privilege can be removed 
> while still keeping the privilege by using REVOKE GRANT OPTION FOR <privilege>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to