[
https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17040534#comment-17040534
]
Fang-Yu Rao commented on IMPALA-7282:
-------------------------------------
Hi [~joemcdonnell] and [~vihangk1], I took a look at the description above. I
am able to reproduce the issue reported by [~fredyw].
As for [~vihangk1]'s question regarding whether this should be an issue, I
briefly compared the case in which Impala is using Ranger as the authorization
provider. If we grant a user {{non_owner}} the {{SELECT}} privilege on a
database, e.g., {{functional}}, and then grant {{non_owner}} the {{ALL}}
privilege on {{SERVER}}, {{non_owner}} would possess 2
privileges.
Now if we revoke the {{ALL}} privilege from the user {{non_owner}}, it will
still possess the {{SELECT}} privilege on the database {{functional}}.
I will try to see how Hive behaves with Sentry being the authorization provider
in the situation described above and keep you posted.
> Sentry privilege disappears after a catalog refresh
> ---------------------------------------------------
>
> Key: IMPALA-7282
> URL: https://issues.apache.org/jira/browse/IMPALA-7282
> Project: IMPALA
> Issue Type: Bug
> Components: Catalog, Security
> Affects Versions: Impala 3.0, Impala 2.12.0
> Reporter: Fredy Wijaya
> Priority: Critical
> Labels: security
>
> {noformat}
> [localhost:21000] default> grant select on database functional to role foo_role;
> Query: grant select on database functional to role foo_role
> +---------------------------------+
> | summary                         |
> +---------------------------------+
> | Privilege(s) have been granted. |
> +---------------------------------+
> Fetched 1 row(s) in 0.05s
> [localhost:21000] default> grant all on database functional to role foo_role;
> Query: grant all on database functional to role foo_role
> +---------------------------------+
> | summary                         |
> +---------------------------------+
> | Privilege(s) have been granted. |
> +---------------------------------+
> Fetched 1 row(s) in 0.03s
> [localhost:21000] default> show grant role foo_role;
> Query: show grant role foo_role
> +----------+------------+-------+--------+-----+-----------+--------------+-------------+
> | scope    | database   | table | column | uri | privilege | grant_option | create_time |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------+
> | database | functional |       |        |     | select    | false        | NULL        |
> | database | functional |       |        |     | all       | false        | NULL        |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------+
> Fetched 2 row(s) in 0.02s
> [localhost:21000] default> show grant role foo_role;
> Query: show grant role foo_role
> +----------+------------+-------+--------+-----+-----------+--------------+-------------------------------+
> | scope    | database   | table | column | uri | privilege | grant_option | create_time                   |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------------------------+
> | database | functional |       |        |     | all       | false        | Wed, Jul 11 2018 15:38:41.113 |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------------------------+
> Fetched 1 row(s) in 0.01s
> {noformat}