[
https://issues.apache.org/jira/browse/SENTRY-2424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16639803#comment-16639803
]
Sergio Peña commented on SENTRY-2424:
-------------------------------------
[~LinaAtAustin] Did you verify the code works? The conf.get() method will
return the default value if the property is found to be null, so there should
not return a null value ever. This could be a bug in the Configuration object
if that is happening.
Btw, I added the test to set the property to an empty value, and I am not
getting any errors in the unit test.
> sentry.db.explicit.grants.permitted config does not allow empty value to mean
> allow all privileges
> --------------------------------------------------------------------------------------------------
>
> Key: SENTRY-2424
> URL: https://issues.apache.org/jira/browse/SENTRY-2424
> Project: Sentry
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.0.1
> Reporter: Fredy Wijaya
> Assignee: Sergio Peña
> Priority: Major
>
> https://issues.apache.org/jira/browse/SENTRY-2413 introduced
> "sentry.db.explicit.grants.permitted" to specify which privileges are
> permitted to be granted explicitly. Empty value means allow all privileges.
> However the following sentry-site.xml does not work.
> {noformat}
> <property>
> <name>sentry.db.explicit.grants.permitted</name>
> <value></value>
> </property>
> {noformat}
> Apparently using a space works.
> {noformat}
> <property>
> <name>sentry.db.explicit.grants.permitted</name>
> <value> </value>
> </property>
> {noformat}
> Steps to reproduce in Impala:
> {noformat}
> [localhost:21000] default> create role foo_role;
> [localhost:21000] default> grant alter on table functional.alltypes to role
> foo_role;
> ERROR: AuthorizationException: User 'foobar' does not have privileges to
> execute: GRANT_PRIVILEGE
> {noformat}
> Stacktrace:
> {noformat}
> 18/10/04 20:01:06 ERROR thrift.SentryPolicyStoreProcessor: GRANT privilege
> for [ALTER] not permitted.
> org.apache.sentry.core.common.exception.SentryGrantDeniedException: GRANT
> privilege for [ALTER] not permitted.
> at
> org.apache.sentry.api.common.SentryServiceUtil.checkDbExplicitGrantsPermitted(SentryServiceUtil.java:364)
> at
> org.apache.sentry.api.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_grant_privilege(SentryPolicyStoreProcessor.java:265)
> at
> org.apache.sentry.api.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1597)
> at
> org.apache.sentry.api.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1582)
> at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
>
> at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
>
> at
> org.apache.sentry.api.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:36)
> at
> org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
>
> at
> org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>
> at java.lang.Thread.run(Thread.java:748)
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
