Na Li created SENTRY-2161: ----------------------------- Summary: Make sure partial invoke only applies to explicit privileges Key: SENTRY-2161 URL: https://issues.apache.org/jira/browse/SENTRY-2161 Project: Sentry Issue Type: Sub-task Reporter: Na Li
*Background:* Partial revoke For examples: 1. When a role has been granted "all" on table and the role already has select/insert on privileges, they are removed automatically as "all" covers the "select/insert". 2. When a role already has "all" privileges on a table and "select" privilege are revoked, "all" privileges is revoked and "insert" is added automatically as there are only "select", "insert", and "all". Hierarchical privileges: Revoking privilege on a database would effect the privileges granted to the tables in that database. *Problem:* For example: 1) User_A has "select" on table_B 2) User_A is set to owner of table_B and gets "all" privilege on table_B as implicit privilege 3) User_A is not owner of table_B any more based on partial invoke behavior, User_A will lose "select" on table_B after step 3). The desired behavior is for User_A still retains "select" on table_B after step 3) *Solution:* Only apply partial revoke to user configured privileges (explicit privilege), and not affect implicit privileges. -- This message was sent by Atlassian JIRA (v7.6.3#76005)