[
https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17040534#comment-17040534
]
Fang-Yu Rao edited comment on IMPALA-7282 at 2/20/20 2:27 AM:
--------------------------------------------------------------
Hi [~joemcdonnell] and [~vihangk1], it seems there are two issues reported
here. One is the issue originally reported by [~fredyw] and the other is the
issue reported by [~jeszyb]. The former issue does not involve the {{REVOKE}}
statement, whereas the latter involves the {{REVOKE}} statement.
Will take a closer look at both and keep you posted.
was (Author: fangyurao):
Hi [~joemcdonnell] and [~vihangk1], I took a look at the description above. I
am able to reproduce the issue reported by [~fredyw].
I have also briefly compared Impala's behavior and Hive's behavior using the
SQL statements provided by [~fredyw] and found that their behavior is
different. Specifically, in the end, the role {{foo_role}} would still possess
the {{SELECT}} privilege even though we explicitly revoke the {{ALL}} privilege
from {{foo_role}} in HIve. Those 2 privileges are considered separately.
> Sentry privilege disappears after a catalog refresh
> ---------------------------------------------------
>
> Key: IMPALA-7282
> URL: https://issues.apache.org/jira/browse/IMPALA-7282
> Project: IMPALA
> Issue Type: Bug
> Components: Catalog, Security
> Affects Versions: Impala 3.0, Impala 2.12.0
> Reporter: Fredy Wijaya
> Priority: Critical
> Labels: security
>
> {noformat}
> [localhost:21000] default> grant select on database functional to role
> foo_role;
> Query: grant select on database functional to role foo_role
> +---------------------------------+
> | summary |
> +---------------------------------+
> | Privilege(s) have been granted. |
> +---------------------------------+
> Fetched 1 row(s) in 0.05s
> [localhost:21000] default> grant all on database functional to role foo_role;
> Query: grant all on database functional to role foo_role
> +---------------------------------+
> | summary |
> +---------------------------------+
> | Privilege(s) have been granted. |
> +---------------------------------+
> Fetched 1 row(s) in 0.03s
> [localhost:21000] default> show grant role foo_role;
> Query: show grant role foo_role
> +----------+------------+-------+--------+-----+-----------+--------------+-------------+
> | scope | database | table | column | uri | privilege | grant_option |
> create_time |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------+
> | database | functional | | | | select | false |
> NULL |
> | database | functional | | | | all | false |
> NULL |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------+
> Fetched 2 row(s) in 0.02s
> [localhost:21000] default> show grant role foo_role;
> Query: show grant role foo_role
> +----------+------------+-------+--------+-----+-----------+--------------+-------------------------------+
> | scope | database | table | column | uri | privilege | grant_option |
> create_time |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------------------------+
> | database | functional | | | | all | false |
> Wed, Jul 11 2018 15:38:41.113 |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------------------------+
> Fetched 1 row(s) in 0.01s
> {noformat}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
