I feel unknown permission should be treated as NONE. Looking at the documentation, fine-grained permissions were never officially supported. That is what I feel.

There are a couple of gaps I have seen.

1. HDFS NameNode plug-in doesn't support fine-grained permissions.
2. Sentry server doesn't support partial revokes for other fine-grained permissions.

Without proper testing around it and proper documentation of what is supported and what's not, we cannot say Sentry supports fine-grained privileges. We need to revisit this area and fix/document the gaps and add more tests before we say that Sentry supports fine-grained privileges.

-Kalyan

On Tue, Jun 13, 2017 at 7:27 PM, Alexander Kolbasov <[email protected]> wrote:

> As was discovered by Kalyan, there is a problem with fine-grained
> privileges, implemented in SENTRY-331 when HDFS sync is enabled. These
> privileges have no direct mapping for HDFS and can't be easily mapped.
>
> Currently, when HDFS NameNode gets one of these permissions it throws an
> unchecked exception and stops processing any privileges whatsoever, which
> is pretty bad.
>
> We need to define a better behavior. Here are some options:
>
> 1. Ignore unknown permission and continue with the rest
> 2. Treat unknown permission as NONE
>
> I think that the second option is the safest and I personally would suggest
> this approach, but it kind of defeats the purpose of fine-grained
> privileges.
>
> Any thoughts on that?
>
> - Alex
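
The failure mode and the "treat unknown as NONE" option discussed in this thread, as an added sketch that is not part of either message and not Sentry's code. The `Fs` enum, the action-to-HDFS mapping, the `ALTER` action name and the sample paths are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.function.Function;

public class UnknownPermissionDemo {
    // Stand-in for an HDFS permission; not the real Hadoop FsAction class.
    enum Fs { NONE, READ_EXECUTE, WRITE_EXECUTE, ALL }

    // Assumed mapping for the actions that have an HDFS equivalent.
    static Fs known(String action) {
        switch (action.toUpperCase(Locale.ROOT)) {
            case "SELECT": return Fs.READ_EXECUTE;
            case "INSERT": return Fs.WRITE_EXECUTE;
            case "ALL":    return Fs.ALL;
            default:       return null; // fine-grained action with no HDFS mapping
        }
    }

    // Behaviour described in the thread: an unchecked exception on an unknown action.
    static Fs strict(String action) {
        Fs fs = known(action);
        if (fs == null) throw new IllegalArgumentException("unknown action " + action);
        return fs;
    }

    // Option 2 from the thread: an unknown action grants nothing on HDFS.
    static Fs unknownAsNone(String action) {
        Fs fs = known(action);
        return fs == null ? Fs.NONE : fs;
    }

    // Applies each {path, action} grant in order; a throwing mapper aborts the whole batch.
    static Map<String, Fs> apply(String[][] grants, Function<String, Fs> mapper) {
        Map<String, Fs> acl = new LinkedHashMap<>();
        for (String[] g : grants) acl.put(g[0], mapper.apply(g[1]));
        return acl;
    }

    public static void main(String[] args) {
        // Constructed sample grants: {path, action}.
        String[][] grants = {
            {"/warehouse/t1", "SELECT"}, {"/warehouse/t2", "ALTER"}, {"/warehouse/t3", "INSERT"} };
        try {
            apply(grants, UnknownPermissionDemo::strict);
        } catch (IllegalArgumentException e) {
            // t3 is never reached, so its valid INSERT grant is lost as well.
            System.out.println("strict: batch aborted (" + e.getMessage() + ")");
        }
        // Fail-closed: t2 gets NONE, t1 and t3 are still processed.
        System.out.println("unknown as NONE: " + apply(grants, UnknownPermissionDemo::unknownAsNone));
    }
}
```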
