> On Aug. 17, 2018, 4:12 p.m., kalyan kumar kalvagadda wrote:
> > Why can we just return the requiredInputPrivileges and
> > requiredOutputPrivileges combined when there is an authorization failure?
> > What is the difference between this and the "lastFailedPrivileges" learnt
> > in your patch?

In HiveAuthzPrivilegesMap, the required input privileges and out privileges only specify the level of the privilege and the actions. It is not specific enough to be useful for the end user. We need to call buildPermissions() to combine the input authorizable hierarchy from the user query with the required input privileges from HiveAuthzPrivilegesMap to construct the specific input privileges required for the access check, such as "Server=server1->Db=db_7efca->Table=tbl_hzq8l->Column=fname->action=select". If we don't call buildPermissions(), we can only return "Column level select".

- Na

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68367/#review207508
-----------------------------------------------------------

On Aug. 17, 2018, 2:56 a.m., Na Li wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68367/
> -----------------------------------------------------------
>
> (Updated Aug. 17, 2018, 2:56 a.m.)
>
>
> Review request for sentry, Arjun Mishra, kalyan kumar kalvagadda, and Sergio
> Pena.
>
>
> Bugs: sentry-2354
>     https://issues.apache.org/jira/browse/sentry-2354
>
>
> Repository: sentry
>
>
> Description
> -------
>
> When multiple privileges are required on a Hive operation, return the
> privilege that failed access check and the required privileges not checked
> yet (they may fail the access check, or may not. We don't check those
> privileges to avoid unnecessary overhead)
>
>
> Diffs
> -----
>
>   sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java 6a1556f
>   sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java 3bbf6fb
>   sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java aecfe5b
>   sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java 61400ca
>   sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java 1e1aa63
>
>
> Diff: https://reviews.apache.org/r/68367/diff/2/
>
>
> Testing
> -------
>
> Add test case that verifies the behavior stated above. All test cases in
> TestHiveAuthzBindings passed
>
>
> Thanks,
>
> Na Li
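
An added illustration, not code from the patch or from Sentry: the Java sketch below models the two points in this thread, building a specific privilege string from the query's authorizable hierarchy plus a level/action requirement, and stopping at the first failed check while reporting it together with the privileges left unchecked. All class, record and method names, the simplified prefix-based implication rule and the sample values are assumptions; records need Java 16 or later.

```java
import java.util.ArrayList;
import java.util.List;

public class FailedPrivilegeSketch {
    // All a privilege map can state on its own: a level and an action (hypothetical type).
    record Required(String level, String action) {}

    // Cut the query's authorizable hierarchy at the required level and append the action.
    static String build(List<String> hierarchy, Required r) {
        List<String> parts = new ArrayList<>();
        for (String authorizable : hierarchy) {
            parts.add(authorizable);
            if (authorizable.startsWith(r.level() + "=")) break;
        }
        return String.join("->", parts) + "->action=" + r.action();
    }

    // Simplified model (assumption): a grant implies a request when its resource
    // path is a prefix of the requested path and its action matches or is "all".
    static boolean implies(String grant, String request) {
        String[] g = grant.split("->"), q = request.split("->");
        if (g.length > q.length) return false; // narrower grant cannot cover wider request
        for (int i = 0; i < g.length - 1; i++) {
            if (!g[i].equalsIgnoreCase(q[i])) return false;
        }
        String ga = g[g.length - 1], qa = q[q.length - 1];
        return ga.equalsIgnoreCase("action=all") || ga.equalsIgnoreCase(qa);
    }

    // Check in order; on the first failure return it plus everything not yet checked.
    static List<String> failedAndUnchecked(List<String> grants, List<String> required) {
        for (int i = 0; i < required.size(); i++) {
            String need = required.get(i);
            if (grants.stream().noneMatch(g -> implies(g, need))) {
                return required.subList(i, required.size());
            }
        }
        return List.of(); // every required privilege was granted
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the review request.
        List<String> in = List.of("Server=server1", "Db=db1", "Table=t1", "Column=fname");
        List<String> out = List.of("Server=server1", "Db=db1", "Table=t2");
        List<String> required = List.of(
                build(in, new Required("Column", "select")),
                build(out, new Required("Table", "insert")));
        List<String> grants = List.of("Server=server1->Db=db1->Table=t2->action=insert");
        failedAndUnchecked(grants, required).forEach(System.out::println);
    }
}
```

With these sample grants the column-level select fails first, so the table-level insert is reported as unchecked even though it would have passed.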