[
https://issues.apache.org/jira/browse/IMPALA-7537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16628282#comment-16628282
]
ASF subversion and git services commented on IMPALA-7537:
---------------------------------------------------------
Commit c5dc6ded68c62f9f2138ab3376531c6292d1df78 in impala's branch
refs/heads/master from [~aholley]
[ https://git-wip-us.apache.org/repos/asf?p=impala.git;h=c5dc6de ]
IMPALA-7537: REVOKE GRANT OPTION regression
This patch fixes several issues around granting and revoking of
privileges. This includes:
- REVOKE ALL ON SERVER where the privilege has the grant option was
removing from the cache but not Sentry.
- With the addition of the grantoption to the name in the catalog
object, refactoring was required to make grants and revokes work
correctly.
Assertions with regard to granting and revoking:
- If there is a privilege that has the grant option, that privilege
can be revoked simply with "REVOKE privilege..." or the grant option
can be removed with "REVOKE GRANT OPTION ON..."
- We should not limit the privilege being revoked simply because it
has the grant option.
- If a privilege already exists without the grant option, granting the
privilege with the grant option should add the grant option to it.
- If a privilege already exists with the grant option, granting the
privilege without the grant option will not change anything as the
expectation is if you want to remove the grant option, you should
explicitly use the "REVOKE GRANT OPTION ON...".
Testing:
- Added new grant/revoke tests that validate cache and Sentry refresh
- Ran all FE, E2E, and custom-cluster tests.
Change-Id: I3be5c8f15e9bc53e9661347578832bf446abaedc
Reviewed-on: http://gerrit.cloudera.org:8080/11483
Reviewed-by: Fredy Wijaya <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> REVOKE GRANT OPTION regression
> ------------------------------
>
> Key: IMPALA-7537
> URL: https://issues.apache.org/jira/browse/IMPALA-7537
> Project: IMPALA
> Issue Type: Bug
> Components: Frontend
> Affects Versions: Impala 3.1.0
> Reporter: Adam Holley
> Assignee: Adam Holley
> Priority: Major
> Fix For: Impala 3.1.0
>
>
> Recent commit ec88aa2 added 'grantoption' to the privilege name. This name
> is used by the catalog cache which broke "revoke grant option" since the
> privilege names do not match.
> [localhost:21000] default> create role foo_role;
> [localhost:21000] default> grant all on server to foo_role with grant option;
> [localhost:21000] default> revoke grant option for all on server from
> foo_role;
> ERROR: IllegalStateException: null
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
