Fang-Yu Rao created IMPALA-9341:
-----------------------------------
Summary: A grantee gains the delegation privilege after executing
a revoke statement
Key: IMPALA-9341
URL: https://issues.apache.org/jira/browse/IMPALA-9341
Project: IMPALA
Issue Type: Bug
Components: Frontend
Affects Versions: Impala 3.4.0
Reporter: Fang-Yu Rao
Assignee: Fang-Yu Rao
When Ranger is used as the authorization provider, a grantee that was granted
the {{insert}} privilege on a table without the delegation privilege gains the
delegation privilege after executing a statement to {{revoke}} the grantee's
{{select}} privilege on the same table. In what follows, we provide the steps
to reproduce the issue.
# Start a Ranger-enabled Impala minicluster.
# Log into Impala shell as the user {{admin}} using {{./bin/impala-shell.sh -u
admin}}.
# Execute {{grant insert on table <table_name> to user <user_name_of_grantee>;}}
# Execute {{show grant user <user_name_of_grantee> on table <table_name>;}}
# Execute {{revoke select on table <table_name> from user
<user_name_of_grantee>;}}
# Execute {{show grant user <user_name_of_grantee> on table <table_name>;}}
When {{<table_name>}} equals {{functional.alltypes}} and
{{<user_name_of_grantee>}} equals {{fangyurao}}, after the 4th step, we will
see the following.
{code:java}
+----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
| principal_type | principal_name | database | table | column | uri | udf
| privilege | grant_option | create_time |
+----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
| USER | fangyurao | functional | alltypes | * | |
| insert | false | 1580345254347 |
+----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
{code}
However, we will see the following after the 6th step above. We can see the
filed of {{grant_option}} is changed from {{false}} to {{true}}, which should
not happen.
{code:java}
+----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
| principal_type | principal_name | database | table | column | uri | udf
| privilege | grant_option | create_time |
+----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
| USER | fangyurao | functional | alltypes | * | |
| insert | true | 1580345254347 |
+----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
{code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
