[ 
https://issues.apache.org/jira/browse/SENTRY-2202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16439430#comment-16439430
 ] 

Arjun Mishra commented on SENTRY-2202:
--------------------------------------

Its a bug decomposing ALL vs "*" keyword. 

Yes you are right. Look at the code below. If you are revoking SELECT, it 
forces child privilege to be an INSERT, and vice-versa. I agree with you on 
that this is not how it should work. 

{noformat}
} else if 
(requestedPrivToRevoke.getAction().equalsIgnoreCase(AccessConstants.SELECT)
      && 
!currentPrivilege.getAction().equalsIgnoreCase(AccessConstants.INSERT)) {
      revokeRolePartial(pm, mRole, currentPrivilege, persistedPriv, 
AccessConstants.INSERT);
    } else if 
(requestedPrivToRevoke.getAction().equalsIgnoreCase(AccessConstants.INSERT)
      && 
!currentPrivilege.getAction().equalsIgnoreCase(AccessConstants.SELECT)) {
      revokeRolePartial(pm, mRole, currentPrivilege, persistedPriv, 
AccessConstants.SELECT);
    }
{noformat}

> Revoking SELECT or INSERT from parent privilege does not get applied in Impala
> ------------------------------------------------------------------------------
>
>                 Key: SENTRY-2202
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2202
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: Arjun Mishra
>            Assignee: Arjun Mishra
>            Priority: Major
>             Fix For: 2.1.0
>
>
> When revoking select or insert from privilege, child privilege should be 
> appropriately updated. For eg if there is ALL on table and SELECT on database 
> and SELECT is revoked from database, then table privileges should be changed 
> from ALL to INSERT. This is not happening in Impala because when looking for 
> child privilege we only filter by "\*" as opposed to both "\*" or "all" 
> depending on the original privilege



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to