[ https://issues.apache.org/jira/browse/SENTRY-2507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16785161#comment-16785161 ]

Na Li commented on SENTRY-2507:
-------------------------------

From hive beeline, user no_pri has "ALL" privilege on default.tb1. user no_pri_2 does not have any privilege

1) show databases;
1.1) with ALL privilege on default.tb1
    default
1.2) no privilege at all
    default

2) describe database default;
2.1) with ALL privilege on default.tb1
    Error while compiling statement: FAILED: SemanticException No valid privileges
    User no_pri does not have privileges for DESCDATABASE
    The required privileges: Server=server1->Db=default->action=select->grantOption=false;Server=server1->Db=default->action=insert->grantOption=false;
2.2) no privilege at all
    Error while compiling statement: FAILED: SemanticException No valid privileges
    User no_pri_2 does not have privileges for SWITCHDATABASE
    The required privileges: Server=server1->Db=*->Table=+->Column=*->action=select->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=insert->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=alter->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=create->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=drop->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=index->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=lock->grantOption=false;

3) use default;
3.1) with ALL privilege on default.tb1;
    succeed
3.2) no privilege at all
    Error while compiling statement: FAILED: SemanticException No valid privileges
    User no_pri_2 does not have privileges for SWITCHDATABASE
    The required privileges: Server=server1->Db=*->Table=+->Column=*->action=select->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=insert->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=alter->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=create->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=drop->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=index->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=lock->grantOption=false;

4) show tables;
4.1) with ALL privilege on default.tb1;
    tb1
4.2) no privilege at all
    Error while compiling statement: FAILED: SemanticException No valid privileges
    User no_pri_2 does not have privileges for SWITCHDATABASE
    The required privileges: Server=server1->Db=*->Table=+->Column=*->action=select->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=insert->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=alter->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=create->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=drop->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=index->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=lock->grantOption=false;

> Authorization of "default" database is not controlled by "sentry.hive.restrict.defaultDB" at HMS server
> -------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-2507
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2507
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>            Reporter: Na Li
>            Priority: Major
>
> If "sentry.hive.restrict.defaultDB" at sentry-site.xml at HMS server is set
> to be false, user still has to have "SELECT", or "INSERT", or "ALL" privilege
> on the "default" database in order to access it.
> This behavior is not consistent with the behavior at Hive server.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)