[
https://issues.apache.org/jira/browse/SENTRY-848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15388125#comment-15388125
]
Anne Yu commented on SENTRY-848:
--------------------------------
FYI, [~lskuff] confirmed the behavior could be best for our current users:
{code}
Allow (If user has access to any column in the table):
  Basic DESCRIBE TABLE and SHOW COLUMNS. Blocking these is a usability issue and
  impacts Hue integration.
  Note: Do not filter column values. May revisit this in the future.

Block (Require Table-Level Privileges):
  DESCRIBE FORMATTED/DESCRIBE EXTENDED
  SHOW COLUMN STATS
  SHOW PARTITIONS
  COMPUTE STATS/ANALYZE TABLE

It seems like there is a bug with ANALYZE TABLE, but I'm not sure we want to
change the behavior for DESCRIBE EXTENDED. Especially since this can expose
information about views.
{code}
> [column level privilege] if grant user column level select privilege,
> DESCRIBE FORMATTED table[.column] shouldn't require extra table level
> privilege
> -----------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: SENTRY-848
> URL: https://issues.apache.org/jira/browse/SENTRY-848
> Project: Sentry
> Issue Type: Bug
> Affects Versions: 1.5.1
> Reporter: Anne Yu
> Assignee: Ke Jia
> Attachments: SENTRY-848-001.patch, SENTRY-848-002.patch,
> SENTRY-848-002.patch, SENTRY-848-003.patch
>
>
> {code}
> create table test_tb(s string, i int);
> grant select(s) on table test_tb to role test_role;
> grant role test_role to group test_user;
> {code}
> Use test_user to log in:
> {code}
> describe formatted test_tb s;
> Error: Error while compiling statement: FAILED: SemanticException No valid
> privileges
> Required privileges for this query:
> Server=server1->Db=test_db->Table=test_tb->action=insert;Server=server1->Db=test_db->Table=test_tb->action=select;
> (state=42000,code=40000)
> {code}
> How about describe [formatted] test_tb; do we allow test_user to list his
> permitted columns? For example:
> +-----------+------------+----------+--+
> | col_name | data_type | comment |
> +-----------+------------+----------+--+
> | s | string | |
> +-----------+------------+----------+--+
> 2 rows selected (0.167 seconds)
> However "ANALYZE TABLE test_tb COMPUTE STATISTICS FOR COLUMNS s" is allowed
> for test_user.
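The allow/block split from the comment above, written out as a deny-by-default check. This is an added example, not Sentry code and not part of the original message. Assumptions: grants use the same string form as the "Required privileges" line in the error, the `Column=<name>` segment and all function names are hypothetical, and any action on the table or a wider scope counts as a table-level privilege.

```python
# Added illustration (not Sentry code): the allow/block split from the comment.
# Assumption: grants are written like the "Required privileges" strings in the
# error message, with a hypothetical "Column=<name>" segment for column grants.

ANY_COLUMN_OK = {"DESCRIBE", "SHOW COLUMNS"}            # "Allow" group
TABLE_LEVEL_ONLY = {"DESCRIBE FORMATTED", "DESCRIBE EXTENDED", "SHOW COLUMN STATS",
                    "SHOW PARTITIONS", "COMPUTE STATS", "ANALYZE TABLE"}  # "Block" group


def parse_privilege(text):
    """Split 'Server=s->Db=d->Table=t->action=select' into a lowercase-keyed dict."""
    parts = {}
    for segment in text.strip().rstrip(";").split("->"):
        key, sep, value = segment.partition("=")
        if not sep or not key or not value:
            raise ValueError("malformed privilege segment: %r" % segment)
        parts[key.strip().lower()] = value.strip()
    return parts


def covers_table(grant, server, db, table):
    """True if the grant's scope includes the table (server, db or table scope)."""
    if grant.get("server") != server:
        return False
    if "db" in grant and grant["db"] != db:
        return False
    if "table" in grant and grant["table"] != table:
        return False
    return True


def is_allowed(statement, grants, server, db, table):
    """Apply the policy: deny by default, including unknown statement kinds."""
    parsed = [parse_privilege(g) for g in grants]
    on_table = [g for g in parsed if covers_table(g, server, db, table)]
    has_table_level = any("column" not in g for g in on_table)
    if statement in TABLE_LEVEL_ONLY:
        return has_table_level
    if statement in ANY_COLUMN_OK:
        return has_table_level or any("column" in g for g in on_table)
    return False


# Constructed grants mirroring the report: test_role holds only select(s).
COLUMN_ONLY = ["Server=server1->Db=test_db->Table=test_tb->Column=s->action=select"]
TABLE_WIDE = ["Server=server1->Db=test_db->Table=test_tb->action=select"]
```

With `COLUMN_ONLY`, plain `DESCRIBE` passes while `DESCRIBE FORMATTED` and `ANALYZE TABLE` are refused, which is the behavior the comment proposes for the case in the report.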