[ 
https://issues.apache.org/jira/browse/SENTRY-2341?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16594215#comment-16594215
 ] 

Arjun Mishra commented on SENTRY-2341:
--------------------------------------

After reviewing the behavior, the conclusion is that the way ACLs currently get 
applied is working as expected. One important thing is that we cannot 
depend on SHOW GRANT ROLE to evaluate whether ACLs are accurate. This is because 
SHOW GRANT ROLE shows privileges on *_objects_*, whereas ACLs are applied on 
*_paths_*. +With external tables authz objects and paths may not match.+ Please 
see below. 

# Implied Privileges (meaning e.g: Db has Select, therefore Table under Db has 
select)
## Case: Alter Table Rename within Same Db (db1 has privileges)
### Case: Internal Tables
#### Path changes
#### New path has ACLs
#### Show grant on role matches (since it shows db1 privileges)
### Case: External Tables
#### No path change
#### Old path (unchanged path) has ACLs
#### Show grant on role matches (since it shows db1 privileges)
### *+ACLs consistent between internal and external tables+*
## Case: Alter Table Rename across different Databases where only initial 
database has privileges (db1 has privileges, db2 does not)
### Case: Internal Tables
#### Path changes
#### New path does not have ACLs since db2 does not have privileges
#### Show grant on role matches
### Case: External Tables
#### No path change
#### Old path loses ACLs
#### Show grant on role shows db1 has privileges; (/user/hive/warehouse/db1.db) 
has ACLs, but (/user/hive/warehouse/db1.db/tbl1) does not, even though db1 has 
privileges
### *+ACLs consistent between internal and external tables+*
## Case: Alter Table Rename across different Databases where both databases 
have privileges (db1, db2 have privileges)
### Case: Internal Tables
#### Path changes
#### New path acquires ACLs based on db2 privileges
#### Show grant on role matches
### Case: External Tables
#### No path change
#### Old path gets ACLs based on db2 privileges
#### Show grant on role shows db1, db2 have privileges but ACLs don't match: 
(/user/hive/warehouse/db1.db) has ACLs, (/user/hive/warehouse/db2.db) has ACLs, 
but (/user/hive/warehouse/db1.db/tbl1) has ACLs from db2.db
### *+ACLs consistent between internal and external tables+*
# Explicit Privileges (meaning privileges granted to Table on which alter table 
rename is being executed)
## Case: Alter Table Rename within Same Db (db1 has privileges)
### Case: Internal Tables
#### Path changes
#### New path has ACLs
#### Show grant on role matches (since it shows db1 privileges)
### Case: External Tables
#### No path change
#### Old path (unchanged path) has ACLs
#### Show grant on role matches (since it shows db1 privileges)
### *+ACLs consistent between internal and external tables+*
## Case: Alter Table Rename across different Databases where only initial 
database has privileges (db1 has privileges, db2 does not)
### Case: Internal Tables
#### Path changes
#### New path has ACLs, as they have transferred
#### Show grant on role matches
### Case: External Tables
#### No path change
#### Old path retains its ACLs
#### Show grant on role shows db2.new_table has privileges; 
(/user/hive/warehouse/db1.db/tbl1) has ACLs and 
(/user/hive/warehouse/db2.db/new_table) does not exist
### *+ACLs consistent between internal and external tables+*
## Case: Alter Table Rename across different Databases where both databases 
have privileges (db1.tbl1, db2 have privileges)
### Case: Internal Tables
#### Path changes
#### New path has cumulative ACLs from db1.tbl1 and db2
#### Show grant on role matches
### Case: External Tables
#### No path change
#### Old path has cumulative ACLs from db1.tbl1 and db2
#### Show grant on role shows db2.new_table has privileges; 
(/user/hive/warehouse/db1.db/tbl1) has ACLs of tbl1 + db2 and 
(/user/hive/warehouse/db2.db/new_table) does not exist
### *+ACLs consistent between internal and external tables+*
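To make the objects-versus-paths distinction concrete, here is an added Python model (not Sentry's code) that derives path ACLs from object privileges the way the cases above describe: a path takes the ACLs of the most specific authz object mapped onto it, a table inherits its database's privileges, and a rename moves the explicit grants of the old object to the new one while only an internal table's directory moves. The class and function names are assumptions; the warehouse paths are the ones used in the comment.

```python
WAREHOUSE = "/user/hive/warehouse"  # assumed warehouse root, taken from the comment's paths

class SentryAclModel:
    def __init__(self):
        self.grants = {}  # authz object ("db1", "db1.tbl1") -> set of privileges
        self.paths = {}   # authz object -> HDFS path it is mapped to

    def create_table(self, db, tbl, location=None):
        # Internal tables live under the db directory; external ones keep a given location.
        self.paths[f"{db}.{tbl}"] = location or f"{self.paths[db]}/{tbl}"

    def rename_table(self, db, tbl, new_db, new_tbl, external):
        old, new = f"{db}.{tbl}", f"{new_db}.{new_tbl}"
        old_path = self.paths.pop(old)
        # Hive moves an internal table's directory; an external table's location is unchanged.
        self.paths[new] = old_path if external else f"{self.paths[new_db]}/{new_tbl}"
        # Sentry moves the explicit privileges of the old object to the new one.
        if old in self.grants:
            self.grants[new] = self.grants.pop(old)

    def show_grant_role(self):
        # What SHOW GRANT ROLE reports: privileges per authz object, not per path.
        return {obj: set(p) for obj, p in self.grants.items() if p}

    def effective_privs(self, obj):
        # Explicit grants on the object plus those implied by its parent database.
        privs = set(self.grants.get(obj, ()))
        if "." in obj:
            privs |= self.grants.get(obj.split(".", 1)[0], set())
        return privs

    def path_acl(self, path):
        # ACLs are applied per path: use the most specific object mapped onto that path.
        owners = [o for o, p in self.paths.items() if path == p or path.startswith(p + "/")]
        best = max(owners, key=lambda o: len(self.paths[o]), default=None)
        return self.effective_privs(best) if best else set()

def rename_scenario(external, db1_privs=(), db2_privs=(), tbl_privs=()):
    # Build db1.tbl1, apply the grants, rename it to db2.new_table; return (model, table path).
    m = SentryAclModel()
    for db in ("db1", "db2"):
        m.paths[db] = f"{WAREHOUSE}/{db}.db"
    # Constructed to match the comment: the external table's location is /user/hive/warehouse/db1.db/tbl1.
    m.create_table("db1", "tbl1", f"{WAREHOUSE}/db1.db/tbl1" if external else None)
    for obj, privs in (("db1", db1_privs), ("db2", db2_privs), ("db1.tbl1", tbl_privs)):
        for p in privs:
            m.grants.setdefault(obj, set()).add(p)
    m.rename_table("db1", "tbl1", "db2", "new_table", external)
    return m, m.paths["db2.new_table"]
```

Running the external-table scenario with privileges only on db1 reproduces the case above: SHOW GRANT ROLE still lists db1, yet the unchanged path ends up with no ACLs because it now maps to db2.new_table.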

> With External Tables Sentry does not handle alter table rename correctly
> ------------------------------------------------------------------------
>
>                 Key: SENTRY-2341
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2341
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: Arjun Mishra
>            Assignee: Arjun Mishra
>            Priority: Major
>
> For external tables, running ALTER TABLE RENAME will not change the location 
> of that table, but will drop the ACL.
> Sentry drops privileges every time we delete an object or rename an object. 
> In case of rename, Sentry drops the privilege from the old object and adds it 
> to the new one.
> However, with external tables, on renaming the table no new location is 
> created. So even though Sentry has in its SENTRY_PATH_CHANGE the ACL for this 
> new location, it never gets applied because it doesn't actually exist. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)