[ https://issues.apache.org/jira/browse/SENTRY-2204?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16461343#comment-16461343 ]

Sergio Peña commented on SENTRY-2204:
-------------------------------------

This is the correct behavior. There is a discussion about this on SENTRY-2202 
regarding the new behavior for the all privilege.

> Revoke 'all/*' on server from role, revokes all privileges from the same role
> ------------------------------------------------------------------------------
>
>                 Key: SENTRY-2204
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2204
>             Project: Sentry
>          Issue Type: New Feature
>          Components: Sentry
>            Reporter: Sachin
>            Priority: Major
>
> I have assigned the below privileges to one role, i.e. role_1:
> {noformat}
> +------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | database                     | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
> +------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | hdfs://nameservice01/user/h  |        |            |         | role_157        | ROLE            | *          | false         | 1523963168628000  | --       |
> | *                            |        |            |         | role_157        | ROLE            | *          | false         | 1523352328442000  | --       |
> | hdfs://nameservice01/user/m  |        |            |         | role_157        | ROLE            | *          | false         | 1523963186544000  | --       |
> +------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> {noformat}
>  
> After that, I executed the below commands, i.e. revoke and show grant for the same role:
> {noformat}
> revoke all on server server1 from role role_157;
> {noformat}
> {noformat}
> show grant role role_157;
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+
> | database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time  | grantor  |
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+
> +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+
> No rows selected (0.119 seconds)
> {noformat}
>  
> As you can see from the above, if you revoke all on server, it also revokes all 
> the other privileges from the same role. 
> So is this the right behaviour? Or should it revoke only all/* on server and 
> keep the other privileges?


