Arjun Mishra commented on SENTRY-2202:

Its a bug decomposing ALL vs "*" keyword. 

Yes you are right. Look at the code below. If you are revoking SELECT, it 
forces child privilege to be an INSERT, and vice-versa. I agree with you on 
that this is not how it should work. 

} else if 
!currentPrivilege.getAction().equalsIgnoreCase(AccessConstants.INSERT)) {
      revokeRolePartial(pm, mRole, currentPrivilege, persistedPriv, 
    } else if 
!currentPrivilege.getAction().equalsIgnoreCase(AccessConstants.SELECT)) {
      revokeRolePartial(pm, mRole, currentPrivilege, persistedPriv, 

> Revoking SELECT or INSERT from parent privilege does not get applied in Impala
> ------------------------------------------------------------------------------
>                 Key: SENTRY-2202
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2202
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: Arjun Mishra
>            Assignee: Arjun Mishra
>            Priority: Major
>             Fix For: 2.1.0
> When revoking select or insert from privilege, child privilege should be 
> appropriately updated. For eg if there is ALL on table and SELECT on database 
> and SELECT is revoked from database, then table privileges should be changed 
> from ALL to INSERT. This is not happening in Impala because when looking for 
> child privilege we only filter by "\*" as opposed to both "\*" or "all" 
> depending on the original privilege

This message was sent by Atlassian JIRA

Reply via email to