Na Li created SENTRY-2151:

             Summary: Object Ownership
                 Key: SENTRY-2151
             Project: Sentry
          Issue Type: New Feature
          Components: Sentry
    Affects Versions: 2.1.0
            Reporter: Na Li
            Assignee: Na Li
             Fix For: 2.1.0

Admins want users who create tables to get implicit owner privileges during 
table creation. These privileges cannot be revoked.

For instance, a user under role1 with CREATE privileges gets all privileges on 
newly created tables:
# As an admin
hive> grant create on db1 to role1;

# As a user
user1> use db1;
user1> create table t1(id int);
-- An implicit 'grant all on db1.t1 to user user1' is generated in Sentry 
user1> insert into table t1 values (1);
user1> select * from t1;
user1> drop table t1;
For backward compatibility, the default implicit privilege to be applied must 
be determined by a configuration set by admins. This is to ensure that an 
upgrade to this new feature does not affect the behavior of old privileges set 
before the upgrade. For newly created tables, the privilege must be obtained 
from the property 'owner.privileges' of the database in which the table 
is created.

For instance, a user on db1 gets "all with grant" privileges but on db2 does 
not get any privilege:
# As an admin
hive> alter database db1 set dbproperties('owner.privileges'='all with grant');
hive> grant create on db1 to role1;
hive> alter database db2 set dbproperties('owner.privileges'='none');
hive> grant create on db2 to role2;

# As a user
user1> create table db1.t1(id int);
-- An implicit 'all with grant' privilege is granted to the user on db1.t1
user1> create table db2.t1(id int);
-- No privileges are granted to the user on db2.t1
The privilege granted implicitly cannot be revoked by explicit revoke commands, 
nor is it removed when the 'owner.privileges' property changes. The only way to 
remove the implicit privileges is by dropping the table or changing the owner 
of the table.
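The following is an added worked model of the ownership rules stated in this issue (implicit owner privilege chosen by the database's 'owner.privileges' property; REVOKE and property changes leave it intact; DROP TABLE or an owner change removes it). It is example code written for this page, not Sentry's implementation, and all names (db1, db2, role1, role2, user1) are the constructed sample values from the examples above. It also assumes that a database without the property behaves as 'all', and that a new owner receives the implicit privilege under the property current at the time of the transfer; neither point is stated in the issue.

```python
"""Model of Sentry-style implicit owner privileges (added example, not Sentry code)."""
from dataclasses import dataclass, field

OWNER_PRIVILEGE_MODES = ("all", "all with grant", "none")


@dataclass
class Grant:
    action: str             # "create", "select", ... or "all"
    obj: str                # "db1" (database) or "db1.t1" (table)
    with_grant: bool = False
    implicit: bool = False  # True only for owner privileges minted on CREATE TABLE


@dataclass
class PolicyStore:
    roles: dict = field(default_factory=dict)     # role -> set of users
    grants: dict = field(default_factory=dict)    # "role:r" / "user:u" -> [Grant]
    db_props: dict = field(default_factory=dict)  # db -> {"owner.privileges": mode}
    owners: dict = field(default_factory=dict)    # "db.table" -> owner user

    # --- admin operations ---------------------------------------------------
    def set_owner_privileges(self, db, mode):
        if mode not in OWNER_PRIVILEGE_MODES:
            raise ValueError(f"unknown owner.privileges value: {mode!r}")
        self.db_props.setdefault(db, {})["owner.privileges"] = mode

    def add_user_to_role(self, user, role):
        self.roles.setdefault(role, set()).add(user)

    def grant_to_role(self, action, obj, role, with_grant=False):
        self.grants.setdefault(f"role:{role}", []).append(Grant(action, obj, with_grant))

    def revoke(self, action, obj, principal):
        """Explicit REVOKE removes explicit grants only; implicit owner grants survive."""
        before = self.grants.get(principal, [])
        self.grants[principal] = [g for g in before
                                  if g.implicit or not (g.action == action and g.obj == obj)]
        return len(before) - len(self.grants[principal])  # number of grants removed

    # --- lookup -------------------------------------------------------------
    def _grants_for(self, user):
        found = list(self.grants.get(f"user:{user}", []))
        for role, members in self.roles.items():
            if user in members:
                found.extend(self.grants.get(f"role:{role}", []))
        return found

    @staticmethod
    def _covers(grant, obj):
        # A grant on a database covers every table inside it.
        return grant.obj == obj or obj.startswith(grant.obj + ".")

    def has_privilege(self, user, action, obj):
        return any(g.action in (action, "all") and self._covers(g, obj)
                   for g in self._grants_for(user))

    def can_grant(self, user, obj):
        return any(g.with_grant and self._covers(g, obj) for g in self._grants_for(user))

    # --- user operations ----------------------------------------------------
    def _apply_owner_privilege(self, user, db, obj):
        # Assumption: an unset property behaves like 'all' (pre-upgrade behaviour).
        mode = self.db_props.get(db, {}).get("owner.privileges", "all")
        if mode != "none":
            self.grants.setdefault(f"user:{user}", []).append(
                Grant("all", obj, with_grant=(mode == "all with grant"), implicit=True))

    def create_table(self, user, db, table):
        if not self.has_privilege(user, "create", db):
            raise PermissionError(f"{user} lacks CREATE on {db}")
        obj = f"{db}.{table}"
        self.owners[obj] = user
        self._apply_owner_privilege(user, db, obj)

    def drop_table(self, user, db, table):
        obj = f"{db}.{table}"
        if not self.has_privilege(user, "drop", obj):
            raise PermissionError(f"{user} lacks DROP on {obj}")
        del self.owners[obj]
        for principal in self.grants:  # dropping the table deletes every implicit grant on it
            self.grants[principal] = [g for g in self.grants[principal]
                                      if not (g.implicit and g.obj == obj)]

    def change_owner(self, db, table, new_owner):
        obj = f"{db}.{table}"
        old = self.owners[obj]
        self.grants[f"user:{old}"] = [g for g in self.grants.get(f"user:{old}", [])
                                      if not (g.implicit and g.obj == obj)]
        self.owners[obj] = new_owner
        self._apply_owner_privilege(new_owner, db, obj)  # assumption: new owner re-evaluated


def demo():
    """Replays the two scenarios from the issue and returns the observed outcomes."""
    s = PolicyStore()
    s.set_owner_privileges("db1", "all with grant")
    s.set_owner_privileges("db2", "none")
    s.grant_to_role("create", "db1", "role1")
    s.grant_to_role("create", "db2", "role2")
    s.add_user_to_role("user1", "role1")
    s.add_user_to_role("user1", "role2")
    s.create_table("user1", "db1", "t1")
    s.create_table("user1", "db2", "t1")
    out = {"db1_select": s.has_privilege("user1", "select", "db1.t1"),
           "db1_can_grant": s.can_grant("user1", "db1.t1"),
           "db2_select": s.has_privilege("user1", "select", "db2.t1")}
    s.revoke("all", "db1.t1", "user:user1")      # explicit revoke: no effect on owner grant
    s.set_owner_privileges("db1", "none")        # property change: no effect either
    out["db1_after_revoke"] = s.has_privilege("user1", "select", "db1.t1")
    s.drop_table("user1", "db1", "t1")
    out["db1_after_drop"] = s.has_privilege("user1", "select", "db1.t1")
    return out


if __name__ == "__main__":
    print(demo())
```

Running the module replays both sessions from the issue: user1 ends up with a grantable "all" on db1.t1 and nothing on db2.t1, the explicit revoke and the later property change leave the owner grant in place, and only the drop removes it.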
