Na Li created SENTRY-2161:
-----------------------------
Summary: Make sure partial invoke only applies to explicit
privileges
Key: SENTRY-2161
URL: https://issues.apache.org/jira/browse/SENTRY-2161
Project: Sentry
Issue Type: Sub-task
Reporter: Na Li
*Background:*
Partial revoke
For example:
1. When a role is granted "all" on a table and already has "select"/"insert"
privileges on it, those privileges are removed automatically, as "all" covers
"select"/"insert".
2. When a role already has the "all" privilege on a table and the "select"
privilege is revoked, the "all" privilege is revoked and "insert" is added
automatically, as there are only "select", "insert", and "all".
Hierarchical privileges:
Revoking a privilege on a database would affect the privileges granted to the
tables in that database.
*Problem:*
For example:
1) User_A has "select" on table_B
2) User_A is set to owner of table_B and gets "all" privilege on table_B as
implicit privilege
3) User_A is not owner of table_B any more
Based on partial revoke behavior, User_A will lose "select" on table_B after
step 3). The desired behavior is for User_A to still retain "select" on table_B
after step 3).
*Solution:*
Only apply partial revoke to user-configured privileges (explicit privileges),
and do not affect implicit privileges.
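The scenario above, replayed on a toy privilege model (an added Python illustration, not Apache Sentry code and not part of the original ticket). The class, its methods and the `separate_implicit` flag are hypothetical; the flag switches between the behavior described under Problem and the one proposed under Solution.

```python
# Toy model of one principal's privileges on one table (all names hypothetical).
ACTIONS = {"select", "insert"}   # per the ticket: only select, insert and all exist


class PrincipalPrivs:
    def __init__(self, separate_implicit):
        self.separate_implicit = separate_implicit
        self.explicit = set()    # user-configured grants
        self.implicit = set()    # derived from table ownership

    @staticmethod
    def _grant(store, action):
        if action == "all":
            store.clear()        # "all" covers select/insert, so they are dropped
            store.add("all")
        elif "all" not in store:
            store.add(action)

    @staticmethod
    def _revoke(store, action):
        if action == "all":
            store.clear()
        elif "all" in store:     # partial revoke: "all" becomes the remaining actions
            store.discard("all")
            store.update(ACTIONS - {action})
        else:
            store.discard(action)

    def grant(self, action):
        self._grant(self.explicit, action)

    def revoke(self, action):
        self._revoke(self.explicit, action)

    def set_owner(self, is_owner):
        # Problem case: the owner's "all" is written into the explicit store.
        store = self.implicit if self.separate_implicit else self.explicit
        (self._grant if is_owner else self._revoke)(store, "all")

    def allowed(self):
        privs = self.explicit | self.implicit
        return set(ACTIONS) if "all" in privs else privs


def ticket_scenario(separate_implicit):
    p = PrincipalPrivs(separate_implicit)
    p.grant("select")            # 1) User_A has "select" on table_B
    p.set_owner(True)            # 2) User_A becomes owner, gets implicit "all"
    while_owner = p.allowed()
    p.set_owner(False)           # 3) User_A is no longer owner
    return while_owner, p.allowed()
```

With `separate_implicit=False` the explicit "select" is absorbed by the owner's "all" and disappears with it at step 3; with `separate_implicit=True` it survives.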