[
https://issues.apache.org/jira/browse/SENTRY-849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16023099#comment-16023099
]
Qianbo Huai commented on SENTRY-849:
------------------------------------
We are testing a fix. Results are positive so far.
== Details ==
Before Hive calls the authz binding hook, it passes the inputs and outputs of
the top-level semantic analyzer to the hook context. However, for the explain
semantic analyzer (hive cdh5.7.2), its inputs and outputs are empty by design.
The interesting data is stored inside the inner semantic analyzer, which is
buried inside the explain work, which is inside the explain task. Therefore, we
need to fix the hook context before we can do the actual permission check for
the Hive explain command later on.
Our fix is currently done inside Sentry's HiveAuthzBindingHook, though a better
place for the fix may be inside Hive's own ExplainSemanticAnalyzer.
> [column level privilege] without table level privilege and column level
> privilege for column i, test user can still explain select column from
> test_tb;
> -------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: SENTRY-849
> URL: https://issues.apache.org/jira/browse/SENTRY-849
> Project: Sentry
> Issue Type: Bug
> Affects Versions: 1.5.1
> Reporter: Anne Yu
> Assignee: shenguoquan
>
> {code}
> 0: jdbc:hive2://anneyu-cdh55-1.vpc.cloudera.c> show grant role test_role on table test_tb;
> +-----------+----------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | database  | table    | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
> +-----------+----------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | test_db   | test_tb  |            | s       | test_role       | ROLE            | select     | false         | 1439502394526000  | --       |
> +-----------+----------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> {code}
> However explain "select i from test_tb" shows the column "i" test_user
> doesn't have privileges.
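
The failure mode described in the comment above, as an added Java model that is not Sentry's or Hive's own code. Every type here (`ColumnRead`, `Analyzer`, `HookContext`) is a hypothetical stand-in, and the grant is a constructed sample mirroring the report (SELECT on column `s` only).

```java
import java.util.LinkedHashSet;
import java.util.Set;

// Added model; all types are hypothetical stand-ins for Hive/Sentry classes.
public class ExplainAuthzModel {
    // One column read by a query: db.table.column.
    record ColumnRead(String db, String table, String column) {}

    // Stand-in for a semantic analyzer: the entities it reads, plus an optional
    // inner analyzer (set only for EXPLAIN, whose own inputs are empty by design).
    record Analyzer(Set<ColumnRead> inputs, Analyzer inner) {}

    // Stand-in for the hook context handed to the authorization binding.
    record HookContext(Set<ColumnRead> inputs) {}

    // Before the fix: the context is built from the top-level analyzer only.
    static HookContext topLevelContext(Analyzer top) {
        return new HookContext(top.inputs());
    }

    // After the fix: walk down through the wrapped analyzers and collect inputs.
    static HookContext fixedContext(Analyzer top) {
        Set<ColumnRead> all = new LinkedHashSet<>();
        for (Analyzer a = top; a != null; a = a.inner()) {
            all.addAll(a.inputs());
        }
        return new HookContext(all);
    }

    // Column-level check: every input must be covered by a granted column.
    // An empty input set passes vacuously, which is the root of the bug.
    static boolean authorized(HookContext ctx, Set<ColumnRead> granted) {
        return granted.containsAll(ctx.inputs());
    }

    public static void main(String[] args) {
        // Constructed sample: the role holds SELECT on test_db.test_tb column s only.
        Set<ColumnRead> granted = Set.of(new ColumnRead("test_db", "test_tb", "s"));
        Analyzer select = new Analyzer(Set.of(new ColumnRead("test_db", "test_tb", "i")), null);
        Analyzer explain = new Analyzer(Set.of(), select);

        System.out.println("select i:         " + authorized(topLevelContext(select), granted));
        System.out.println("explain, unfixed: " + authorized(topLevelContext(explain), granted));
        System.out.println("explain, fixed:   " + authorized(fixedContext(explain), granted));
    }
}
```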