[
https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17040534#comment-17040534
]
Fang-Yu Rao edited comment on IMPALA-7282 at 2/20/20 5:28 AM:
--------------------------------------------------------------
Hi [~joemcdonnell] and [~vihangk1], it seems there are two issues reported
here. One is the issue originally reported by [~fredyw] and the other is the
issue reported by [~aholley]. The former issue does not involve the {{REVOKE}}
statement, whereas the latter involves the {{REVOKE}} statement.
In the first issue, the behavior of Hive is the same as Impala described at the
very beginning. That is, if a user previously being granted the {{SELECT}}
privilege on a database is granted the {{ALL}} privilege on the same database,
then {{SHOW GRANT ROLE}} statement will only show this user's {{ALL}} privilege
on the database.
For the second issue, the behavior of Hive is different from that of Impala.
Specifically, a Hive user would still possess the {{SELECT}} privilege on the
table {{default}} after the following 3 SQL statements.
{code:java}
GRANT SELECT(id) ON TABLE default TO ROLE foo_role;
GRANT SELECT ON SERVER TO ROLE foo_role;
REVOKE SELECT ON SERVER FROM ROLE foo_role;
{code}
was (Author: fangyurao):
Hi [~joemcdonnell] and [~vihangk1], it seems there are two issues reported
here. One is the issue originally reported by [~fredyw] and the other is the
issue reported by [~aholley]. The former issue does not involve the {{REVOKE}}
statement, whereas the latter involves the {{REVOKE}} statement.
In the first issue, the behavior of Hive is the same as Impala described at the
very beginning. That is, if a user previously being granted the {{SELECT}}
privilege on a database is granted the {{ALL}} privilege on the same database,
then {{SHOW GRANT ROLE}} statement will only show this user's {{ALL}} privilege
on the database.
> Sentry privilege disappears after a catalog refresh
> ---------------------------------------------------
>
> Key: IMPALA-7282
> URL: https://issues.apache.org/jira/browse/IMPALA-7282
> Project: IMPALA
> Issue Type: Bug
> Components: Catalog, Security
> Affects Versions: Impala 3.0, Impala 2.12.0
> Reporter: Fredy Wijaya
> Priority: Critical
> Labels: security
>
> {noformat}
> [localhost:21000] default> grant select on database functional to role
> foo_role;
> Query: grant select on database functional to role foo_role
> +---------------------------------+
> | summary |
> +---------------------------------+
> | Privilege(s) have been granted. |
> +---------------------------------+
> Fetched 1 row(s) in 0.05s
> [localhost:21000] default> grant all on database functional to role foo_role;
> Query: grant all on database functional to role foo_role
> +---------------------------------+
> | summary |
> +---------------------------------+
> | Privilege(s) have been granted. |
> +---------------------------------+
> Fetched 1 row(s) in 0.03s
> [localhost:21000] default> show grant role foo_role;
> Query: show grant role foo_role
> +----------+------------+-------+--------+-----+-----------+--------------+-------------+
> | scope | database | table | column | uri | privilege | grant_option |
> create_time |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------+
> | database | functional | | | | select | false |
> NULL |
> | database | functional | | | | all | false |
> NULL |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------+
> Fetched 2 row(s) in 0.02s
> [localhost:21000] default> show grant role foo_role;
> Query: show grant role foo_role
> +----------+------------+-------+--------+-----+-----------+--------------+-------------------------------+
> | scope | database | table | column | uri | privilege | grant_option |
> create_time |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------------------------+
> | database | functional | | | | all | false |
> Wed, Jul 11 2018 15:38:41.113 |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------------------------+
> Fetched 1 row(s) in 0.01s
> {noformat}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
