[ https://issues.apache.org/jira/browse/SENTRY-2424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16639814#comment-16639814 ]

Sergio Peña commented on SENTRY-2424:
-------------------------------------

[~fredyw] I set up a local sentry/hms service and set the property to an empty 
value, and it is allowing me to grant any privileges on the server. It is 
strange that it is not working for you. Have you tried debugging the sentry 
server to see if the Configuration object has the property value set to empty?

> sentry.db.explicit.grants.permitted config does not allow empty value to mean 
> allow all privileges
> --------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-2424
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2424
>             Project: Sentry
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.0.1
>            Reporter: Fredy Wijaya
>            Assignee: Sergio Peña
>            Priority: Major
>
> https://issues.apache.org/jira/browse/SENTRY-2413 introduced 
> "sentry.db.explicit.grants.permitted" to specify which privileges are 
> permitted to be granted explicitly. Empty value means allow all privileges. 
> However the following sentry-site.xml does not work.
> {noformat}
> <property>
>   <name>sentry.db.explicit.grants.permitted</name>
>   <value></value>
> </property>
> {noformat}
> Apparently using a space works.
> {noformat}
> <property>
>   <name>sentry.db.explicit.grants.permitted</name>
>   <value> </value>
> </property>
> {noformat}
> Steps to reproduce in Impala:
> {noformat}
> [localhost:21000] default> create role foo_role;
> [localhost:21000] default> grant alter on table functional.alltypes to role foo_role;
> ERROR: AuthorizationException: User 'foobar' does not have privileges to execute: GRANT_PRIVILEGE
> {noformat}
> Stacktrace:
> {noformat}
> 18/10/04 20:01:06 ERROR thrift.SentryPolicyStoreProcessor: GRANT privilege for [ALTER] not permitted.
> org.apache.sentry.core.common.exception.SentryGrantDeniedException: GRANT privilege for [ALTER] not permitted.
>     at org.apache.sentry.api.common.SentryServiceUtil.checkDbExplicitGrantsPermitted(SentryServiceUtil.java:364)
>     at org.apache.sentry.api.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_grant_privilege(SentryPolicyStoreProcessor.java:265)
>     at org.apache.sentry.api.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1597)
>     at org.apache.sentry.api.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1582)
>     at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
>     at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
>     at org.apache.sentry.api.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:36)
>     at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
>     at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
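
An added example, not part of the original message or of Sentry's code: a small Python check that reports how the property is literally written in a sentry-site.xml, since `<value></value>` and `<value> </value>` look almost identical when reading the file. The comma-separated list format, the last-definition-wins rule, the helper names and the sample fragments are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

PROP = "sentry.db.explicit.grants.permitted"  # property name from SENTRY-2424

NOTES = {
    "absent": "property not defined in this file",
    "empty": "documented as allow-all; SENTRY-2424 reports grants denied on 2.0.1",
    "whitespace": "whitespace-only; SENTRY-2424 reports a single space allows grants",
    "malformed": "only separators present; no privilege names found",
    "list": "explicit list of grantable privileges",
}

def classify_permitted(site_xml, name=PROP):
    """Return (state, privileges) describing how the property is written."""
    root = ET.fromstring(site_xml)
    matches = [p for p in root.iter("property")
               if (p.findtext("name") or "").strip() == name]
    if not matches:
        return "absent", []
    # Assumption: if the property is repeated, the last definition is used.
    raw = matches[-1].findtext("value") or ""
    if raw == "":
        return "empty", []       # <value></value>, <value/> or no <value> at all
    if raw.strip() == "":
        return "whitespace", []  # e.g. <value> </value>
    # Assumption: privileges are a comma-separated list; names are upper-cased
    # here only so that the report is uniform.
    privs = sorted({t.strip().upper() for t in raw.split(",") if t.strip()})
    return ("list", privs) if privs else ("malformed", [])

def site(value_xml):
    """Build a constructed sentry-site.xml around one <value> fragment."""
    return (f"<configuration><property><name>{PROP}</name>"
            f"{value_xml}</property></configuration>")

if __name__ == "__main__":
    # Constructed samples; the first two mirror the fragments in the issue.
    for frag in ("<value></value>", "<value> </value>", "<value>alter,select</value>"):
        state, privs = classify_permitted(site(frag))
        print(f"{frag!r:32} {state:10} {privs} - {NOTES[state]}")
```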