Austin Nobis has posted comments on this change. ( http://gerrit.cloudera.org:8080/14356 )
Change subject: IMPALA-8587: show grant does not produce correct privileges ...................................................................... Patch Set 4: Csaba - In regards to the Impala + Sentry implementation I don't believe it shows inherited privileges when you do SHOW GRANT on a resource, however, it is possible to just do SHOW GRANT <user> with Impala + Sentry which will show all of the user's privileges. When Fredy and I were working on the initial Impala + Ranger integration we investigated if it would be possible to build the SHOW GRANT <user>, but it seems that the functionality isn't supported by the current Ranger API. In regards to the Hive + Ranger implementation, it is similar to the change that Fang-Yu is currently proposing. Note that this may have changed in the months that have passed since I last worked on Ranger + Impala integration. Hive + Ranger will show that you have inherited privileges but it will not provide the "parent" that granted the privilege. I consider the change I initially proposed as an improvement compared to the Hive + Ranger implementation. > Patch Set 4: > > (5 comments) > > About the high level design: I prefer https://gerrit.cloudera.org/#/c/13673/ > , as it gives back the exact privileges that the user/group has. I can > imagine the scenario when you want to revoke someone's privilege to access a > given object, so you call SHOW GRANT, and then revoke the privileges you see > there. This will be more tricky if you cannot distinguish between > server/db/table/column level privileges in SHOW GRANT's output. > > Your change is simpler, but the whole class is just as complex in my opinion. > So I would prefer to take over Austin's change and some comments to make it > clearer. > > It would be also good to know how Hive handles inherited privileges + how > this works with Sentry in Impala. -- To view, visit http://gerrit.cloudera.org:8080/14356 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I8511656fe386a37a66d20e07ce1b875190bc4b65 Gerrit-Change-Number: 14356 Gerrit-PatchSet: 4 Gerrit-Owner: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Austin Nobis <[email protected]> Gerrit-Reviewer: Csaba Ringhofer <[email protected]> Gerrit-Reviewer: Fang-Yu Rao <[email protected]> Gerrit-Reviewer: Fredy Wijaya <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Quanlong Huang <[email protected]> Gerrit-Comment-Date: Mon, 27 Jan 2020 15:34:05 +0000 Gerrit-HasComments: No
