[ 
https://issues.apache.org/jira/browse/SENTRY-1252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15285838#comment-15285838
 ] 

Hao Hao commented on SENTRY-1252:
---------------------------------

[~anneyu] Thanks a lot for reviewing! Yeah, revokeServerPrivilege is a public 
API; it could be used by downstream services and clients. But, as {{public 
synchronized TSentryPrivilege grantServerPrivilege(String requestorUserName, 
String roleName, String server, Boolean grantOption)}} was deprecated in 
SENTRY-744, I think it is better to deprecate {{public synchronized void 
revokeServerPrivilege(String requestorUserName, String roleName, String server, 
boolean grantOption)}} as well.

The grantServerPrivilege API should not be deprecated, since it has an explicit 
action specified as an argument to avoid confusion.

> grantServerPrivilege and revokeServerPrivilege should treat "*" and "ALL" as 
> synonyms when action is not explicitly specified
> -----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-1252
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1252
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 1.6.0
>            Reporter: Hao Hao
>            Assignee: Hao Hao
>         Attachments: SENTRY-1252.0.patch
>
>
> grantServerPrivilege and revokeServerPrivilege should treat "*" and "ALL" as 
> synonyms when action is not explicitly specified. Otherwise, if 
> grantServerPrivilege is called without action explicitly specified, and 
> followed by a revokeServerPrivilege invocation with action as "ALL", the 
> server level privilege will not be revoked. For example, in Impala:
> {noformat}
> When pretty-printing is disabled, you can use the '--output_delimiter' flag 
> to set
> the delimiter for fields in the same row. The default is ','.
> ***********************************************************************************
> [test.com:21000] > create role test;
> Query: create role test
> Fetched 0 row(s) in 0.23s
> [test.com:21000] > grant select on database default to test;
> Query: grant select on database default to test
> Fetched 0 row(s) in 0.12s
> [test.com:21000] > grant all on server to test;
> Query: grant all on server to test
> Fetched 0 row(s) in 0.04s
> [test.com:21000] > show grant role test;
> Query: show grant role test
> +----------+----------+-------+--------+-----+-----------+--------------+-------------+
> | scope    | database | table | column | uri | privilege | grant_option | create_time |
> +----------+----------+-------+--------+-----+-----------+--------------+-------------+
> | DATABASE | default  |       |        |     | SELECT    | false        | NULL        |
> | SERVER   |          |       |        |     | ALL       | false        | NULL        |
> +----------+----------+-------+--------+-----+-----------+--------------+-------------+
> Fetched 2 row(s) in 0.08s
> [test.com:21000] > revoke all on server from role test;
> Query: revoke all on server from role test
> Fetched 0 row(s) in 0.14s
> [test.com:21000] > show grant role test;
> Query: show grant role test
> +----------+----------+-------+--------+-----+-----------+--------------+-------------+
> | scope    | database | table | column | uri | privilege | grant_option | create_time |
> +----------+----------+-------+--------+-----+-----------+--------------+-------------+
> | DATABASE | default  |       |        |     | SELECT    | false        | NULL        |
> +----------+----------+-------+--------+-----+-----------+--------------+-------------+
> Fetched 1 row(s) in 0.03s
> [test.com:21000] > show grant role test;
> Query: show grant role test
> +----------+----------+-------+--------+-----+-----------+--------------+-------------+
> | scope    | database | table | column | uri | privilege | grant_option | create_time |
> +----------+----------+-------+--------+-----+-----------+--------------+-------------+
> | DATABASE | default  |       |        |     | SELECT    | false        | NULL        |
> +----------+----------+-------+--------+-----+-----------+--------------+-------------+
> Fetched 1 row(s) in 0.03s
> [FIVE MINUTES ELAPSE]
> [test.com21000] > show grant role test;
> Query: show grant role test
> +--------+----------+-------+--------+-----+-----------+--------------+-------------------------------+
> | scope  | database | table | column | uri | privilege | grant_option | create_time                   |
> +--------+----------+-------+--------+-----+-----------+--------------+-------------------------------+
> | SERVER |          |       |        |     | ALL       | false        | Sun, Apr 24 2016 20:24:33.888 |
> +--------+----------+-------+--------+-----+-----------+--------------+-------------------------------+
> Fetched 1 row(s) in 0.05s
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
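
The mismatch described in the issue, as an added example that is not part of the original message and not Sentry's code: a constructed in-memory privilege store (Java 16+) where an exact-match revoke of "ALL" misses a privilege stored as "*", next to a revoke that compares canonical forms. The class, the `canonical` helper, the scope strings and the assumption that a grant without an explicit action is stored as "*" are illustrative.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Constructed model of a role-to-privilege store; not Sentry's implementation.
public class ActionSynonymDemo {
    record Privilege(String role, String scope, String action) {}

    static final Set<Privilege> STORE = new HashSet<>();

    // Hypothetical helper: fold every spelling of "all actions" into one value.
    static String canonical(String action) {
        if (action == null || action.isEmpty() || action.equals("*")
                || action.equalsIgnoreCase("ALL")) {
            return "*";
        }
        return action.toUpperCase(Locale.ROOT);
    }

    // Before: exact comparison, so a revoke of "ALL" never matches a stored "*".
    static boolean revokeExact(String role, String scope, String action) {
        return STORE.remove(new Privilege(role, scope, action));
    }

    // After: both the stored and the requested action are compared canonically.
    static boolean revokeNormalized(String role, String scope, String action) {
        String wanted = canonical(action);
        return STORE.removeIf(p -> p.role().equals(role)
                && p.scope().equals(scope)
                && canonical(p.action()).equals(wanted));
    }

    public static void main(String[] args) {
        // Assumption: a grant made without an explicit action is stored as "*".
        Privilege serverAll = new Privilege("test", "SERVER", "*");
        STORE.add(serverAll);
        STORE.add(new Privilege("test", "DATABASE:default", "SELECT"));

        boolean removed = revokeExact("test", "SERVER", "ALL");
        System.out.println("exact revoke removed a row: " + removed);
        System.out.println("SERVER privilege still held: " + STORE.contains(serverAll));

        removed = revokeNormalized("test", "SERVER", "ALL");
        System.out.println("normalized revoke removed a row: " + removed);
        System.out.println("SERVER privilege still held: " + STORE.contains(serverAll));
        System.out.println("remaining privileges: " + STORE);
    }
}
```

The boolean returned by each revoke is the value to check or log: a revoke that matches no stored privilege leaves the role's access in place.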
