Sergio Peña commented on SENTRY-2202:

I've seen this behavior in Impala too. Is it that Sentry does not understand 
the ALL privilege or is it just a bug in decomposing the ALL privilege vs the * 

Btw, I find this decomposition behavior a little inconsistent with how 
privileges should work. If a user has all privileges, either ALL or *, then it 
means such a user should be able to do any action on the object she or he is 
authorized on, such as create, alter, drop, select, insert, lock, index, truncate, 
etc. But if just one privilege is revoked from the user, such as select, then 
the behavior is revoking not just the select but all other privileges except 
the insert, right? That means the user will now have insert privileges only. 
Isn't this confusing?

> Revoking SELECT or INSERT from parent privilege does not get applied in Impala
> ------------------------------------------------------------------------------
>                 Key: SENTRY-2202
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2202
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: Arjun Mishra
>            Assignee: Arjun Mishra
>            Priority: Major
>             Fix For: 2.1.0
> When revoking select or insert from privilege, child privilege should be 
> appropriately updated. For example, if there is ALL on table and SELECT on database 
> and SELECT is revoked from database, then table privileges should be changed 
> from ALL to INSERT. This is not happening in Impala because when looking for 
> child privilege we only filter by "*" as opposed to both "*" or "all" 
> depending on the original privilege.

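The revoke behaviour discussed in this thread, as an added example that is not part of the original message and is not Sentry's code: a simplified Python model in which ALL decomposes into only SELECT and INSERT (an assumption taken from the issue's ALL-to-INSERT example), using constructed object names. It compares a child-privilege filter that matches only "*" with one that matches both "*" and "all", and checks what access remains after the revoke.

```python
# Simplified model of the revoke behaviour described in SENTRY-2202.
# Not Sentry's code: names, data layout and two-action decomposition are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Privilege:
    scope: str   # constructed names, e.g. "db1" or "db1.t1"
    action: str  # "select", "insert", "all" or "*"

PARTIAL = {"select", "insert"}   # assumed decomposition of ALL in this model
STAR_ONLY = {"*"}                # child filter as described in the issue
STAR_OR_ALL = {"*", "all"}       # child filter the issue says is needed

def covers(parent_scope, scope):
    return scope == parent_scope or scope.startswith(parent_scope + ".")

def revoke(privs, scope, action, all_spellings):
    """Revoke `action` at `scope`, narrowing covered privileges whose
    action is one of `all_spellings` to the remaining partial action."""
    action = action.lower()
    if action not in PARTIAL:
        raise ValueError("model only handles revoking select or insert")
    (remaining,) = PARTIAL - {action}
    result = []
    for p in privs:
        held = p.action.lower()
        if not covers(scope, p.scope):
            result.append(p)                              # unrelated object
        elif held == action:
            continue                                      # revoked outright
        elif held in all_spellings:
            result.append(Privilege(p.scope, remaining))  # ALL -> remaining action
        else:
            result.append(p)                              # not matched by the filter
    return result

def allows(privs, scope, action):
    """True if any privilege on `scope` or an ancestor grants `action`."""
    return any(covers(p.scope, scope) and p.action.lower() in {action, "*", "all"}
               for p in privs)

# Constructed grants: SELECT on the database, ALL on two tables (both spellings).
GRANTS = [Privilege("db1", "select"), Privilege("db1.t1", "ALL"),
          Privilege("db1.t2", "*")]

if __name__ == "__main__":
    for label, spellings in (("star only", STAR_ONLY), ("star or all", STAR_OR_ALL)):
        after = revoke(GRANTS, "db1", "select", spellings)
        print(label, after, "select on db1.t1:", allows(after, "db1.t1", "select"))
```

With the star-only filter the table privilege spelled ALL is left untouched, so SELECT on that table is still granted after the revoke; this is the check worth running against any fix.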