[
https://issues.apache.org/jira/browse/IMPALA-9341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fang-Yu Rao resolved IMPALA-9341.
---------------------------------
Fix Version/s: Impala 4.0
Resolution: Fixed
> A grantee gains the delegation privilege after a revoke statement
> -----------------------------------------------------------------
>
> Key: IMPALA-9341
> URL: https://issues.apache.org/jira/browse/IMPALA-9341
> Project: IMPALA
> Issue Type: Bug
> Components: Frontend
> Affects Versions: Impala 3.4.0
> Reporter: Fang-Yu Rao
> Assignee: Fang-Yu Rao
> Priority: Major
> Fix For: Impala 4.0
>
>
> When Ranger is used as the authorization provider, a grantee that was granted
> the {{insert}} privilege on a table without the delegation privilege gains
> the delegation privilege after executing a statement to {{revoke}} the
> grantee's {{select}} privilege on the same table. In what follows, we provide
> the steps to reproduce the issue.
> # Start a Ranger-enabled Impala minicluster.
> # Log into Impala shell as the user {{admin}} using "{{./bin/impala-shell.sh -u admin}}".
> # Execute "{{grant insert on table <table_name> to user <user_name_of_grantee>;}}".
> # Execute "{{show grant user <user_name_of_grantee> on table <table_name>;}}".
> # Execute "{{revoke select on table <table_name> from user <user_name_of_grantee>;}}".
> # Execute "{{show grant user <user_name_of_grantee> on table <table_name>;}}".
> When {{<table_name>}} equals "{{functional.alltypes}}" and
> {{<user_name_of_grantee>}} equals "{{non_owner}}" which was not granted any
> privilege at the very beginning, after the 4th step, we will see the
> following.
> {code:java}
> +----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
> | principal_type | principal_name | database   | table    | column | uri | udf | privilege | grant_option | create_time   |
> +----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
> | USER           | non_owner      | functional | alltypes | *      |     |     | insert    | false        | 1580345254347 |
> +----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
> {code}
> However, we will see the following after the 6th step above. We can see the
> field of {{grant_option}} is changed from {{false}} to {{true}}, which should
> not happen.
> {code:java}
> +----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
> | principal_type | principal_name | database   | table    | column | uri | udf | privilege | grant_option | create_time   |
> +----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
> | USER           | non_owner      | functional | alltypes | *      |     |     | insert    | true         | 1580345254347 |
> +----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
> {code}
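
A check built from the two {{show grant}} outputs in the report, as an added example that is not part of the original message or of Impala's own code: it parses the impala-shell table text and lists every privilege whose grant_option became true between two snapshots. The function names and the snapshot-comparison approach are assumptions, and the sample table is constructed from the output quoted above.

```python
# Added example (not Impala code): flag privileges that gain grant_option
# between two "show grant" snapshots, e.g. taken before and after a REVOKE.

# Constructed sample, modelled on the output quoted in the report.
_TABLE = """
+----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
| principal_type | principal_name | database   | table    | column | uri | udf | privilege | grant_option | create_time   |
+----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
| USER           | non_owner      | functional | alltypes | *      |     |     | insert    | {flag:<12} | 1580345254347 |
+----------------+----------------+------------+----------+--------+-----+-----+-----------+--------------+---------------+
"""
BEFORE = _TABLE.format(flag="false")  # after step 4 (grant insert)
AFTER = _TABLE.format(flag="true")    # after step 6 (revoke select)

# Columns that identify one privilege row; grant_option and create_time are attributes.
KEY = ("principal_type", "principal_name", "database", "table",
       "column", "uri", "udf", "privilege")


def parse_show_grant(text):
    """Parse an impala-shell ASCII result table into a list of dicts."""
    rows = [ln.strip() for ln in text.splitlines() if ln.strip().startswith("|")]
    if not rows:
        return []
    cells = lambda ln: [c.strip() for c in ln[1:-1].split("|")]
    header = cells(rows[0])
    return [dict(zip(header, cells(r))) for r in rows[1:]]


def grant_option_escalations(before, after):
    """Return privilege keys whose grant_option is true in `after` but was
    false or absent in `before`. Across a REVOKE this list must be empty."""
    def index(text):
        return {tuple(r[k] for k in KEY): r["grant_option"].lower() == "true"
                for r in parse_show_grant(text)}
    old, new = index(before), index(after)
    return sorted(k for k, delegable in new.items()
                  if delegable and not old.get(k, False))


if __name__ == "__main__":
    for key in grant_option_escalations(BEFORE, AFTER):
        print("grant_option gained:", dict(zip(KEY, key)))
```

Run against captured output from steps 4 and 6, a non-empty result reproduces the report; on a fixed build the same comparison returns an empty list.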