Re: Review Request 68332: SENTRY-2352: User roles with ALTER on a table can not show or describe the table on which they have ALTER

2018-08-14 Thread Na Li via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68332/#review207247
---


Ship it!

- Na Li


On Aug. 13, 2018, 10:49 p.m., Sergio Pena wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68332/
> ---
> 
> (Updated Aug. 13, 2018, 10:49 p.m.)
> 
> 
> Review request for sentry, Arjun Mishra, kalyan kumar kalvagadda, and Na Li.
> 
> 
> Bugs: sentry-2352
> https://issues.apache.org/jira/browse/sentry-2352
> 
> 
> Repository: sentry
> 
> 
> Description
> ---
> 
> Added the following matrix of privileges on the DESCRIBE TABLE and SHOW TABLES:
> 
> DESCRIBE table allowed and not allowed privileges:
> 
>   { null,                  NOT_ALLOWED }, // Means no privileges
>   { DBModelAction.ALL,     ALLOWED },
>   { DBModelAction.CREATE,  NOT_ALLOWED },
>   { DBModelAction.SELECT,  ALLOWED },
>   { DBModelAction.INSERT,  ALLOWED },
>   { DBModelAction.ALTER,   ALLOWED },
>   { DBModelAction.DROP,    NOT_ALLOWED },
>   { DBModelAction.INDEX,   NOT_ALLOWED },
>   { DBModelAction.LOCK,    NOT_ALLOWED },
> 
> SHOW TABLES allowed and not allowed privileges:
> 
>   { null,                  NOT_ALLOWED }, // Means no privileges
>   { DBModelAction.ALL,     ALLOWED },
>   { DBModelAction.CREATE,  NOT_ALLOWED },
>   { DBModelAction.SELECT,  ALLOWED },
>   { DBModelAction.INSERT,  ALLOWED },
>   { DBModelAction.ALTER,   ALLOWED },
>   { DBModelAction.DROP,    ALLOWED },
>   { DBModelAction.INDEX,   ALLOWED },
>   { DBModelAction.LOCK,    ALLOWED },
> 
> 
> Diffs
> ---
> 
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java 1ab5be35dcb7991f723c0bb885ed2a15c6f5873a
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java 447deaf5831675257be1bbb05934a1ab4826fe9e
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java 78742fdacd72531eed4a7dde86871a57cf54493b
>   sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDescribeMetadataPrivileges.java PRE-CREATION
>   sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestShowMetadataPrivileges.java PRE-CREATION
> 
> 
> Diff: https://reviews.apache.org/r/68332/diff/1/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> Sergio Pena
> 
>



Re: Review Request 68332: SENTRY-2352: User roles with ALTER on a table can not show or describe the table on which they have ALTER

2018-08-14 Thread Sergio Pena via Review Board


> On Aug. 13, 2018, 11:25 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
> > Line 104 (original), 104 (patched)
> > 
> >
> > does Alter apply to column?

Yes, a user with ALTER privileges should be able to view column metadata. ALTER 
is used to change column names, add columns, etc., so they need to be able to 
see what they can change.


> On Aug. 13, 2018, 11:25 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
> > Lines 177 (patched)
> > 
> >
> > should Drop be included as well?

I don't see a need for a user with DROP privileges to be able to view the 
column names and the rest of the table metadata. If a user has DROP privileges, 
then they should only see the table with the SHOW TABLES.


- Sergio


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68332/#review207179
---





Re: Review Request 68332: SENTRY-2352: User roles with ALTER on a table can not show or describe the table on which they have ALTER

2018-08-13 Thread Na Li via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68332/#review207179
---




sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
Line 104 (original), 104 (patched)


does Alter apply to column?



sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
Lines 177 (patched)


should Drop be included as well?


- Na Li





Review Request 68332: SENTRY-2352: User roles with ALTER on a table can not show or describe the table on which they have ALTER

2018-08-13 Thread Sergio Pena via Review Board

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68332/
---

Review request for sentry, Arjun Mishra, kalyan kumar kalvagadda, and Na Li.


Bugs: sentry-2352
https://issues.apache.org/jira/browse/sentry-2352


Repository: sentry


Description
---

Added the following matrix of privileges on the DESCRIBE TABLE and SHOW TABLES:

DESCRIBE table allowed and not allowed privileges:

  { null,                  NOT_ALLOWED }, // Means no privileges
  { DBModelAction.ALL,     ALLOWED },
  { DBModelAction.CREATE,  NOT_ALLOWED },
  { DBModelAction.SELECT,  ALLOWED },
  { DBModelAction.INSERT,  ALLOWED },
  { DBModelAction.ALTER,   ALLOWED },
  { DBModelAction.DROP,    NOT_ALLOWED },
  { DBModelAction.INDEX,   NOT_ALLOWED },
  { DBModelAction.LOCK,    NOT_ALLOWED },

SHOW TABLES allowed and not allowed privileges:

  { null,                  NOT_ALLOWED }, // Means no privileges
  { DBModelAction.ALL,     ALLOWED },
  { DBModelAction.CREATE,  NOT_ALLOWED },
  { DBModelAction.SELECT,  ALLOWED },
  { DBModelAction.INSERT,  ALLOWED },
  { DBModelAction.ALTER,   ALLOWED },
  { DBModelAction.DROP,    ALLOWED },
  { DBModelAction.INDEX,   ALLOWED },
  { DBModelAction.LOCK,    ALLOWED },


Diffs
---

  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryValidator.java 1ab5be35dcb7991f723c0bb885ed2a15c6f5873a
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java 447deaf5831675257be1bbb05934a1ab4826fe9e
  sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java 78742fdacd72531eed4a7dde86871a57cf54493b
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestDescribeMetadataPrivileges.java PRE-CREATION
  sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestShowMetadataPrivileges.java PRE-CREATION


Diff: https://reviews.apache.org/r/68332/diff/1/


Testing
---


Thanks,

Sergio Pena
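

The privilege matrix from the description, together with the reply in this thread about DROP, evaluated over sample grants. This is an added example, not part of the review request and not Sentry's code. The `Action` enum mirrors the `DBModelAction` names on the page; the class, method and table names are hypothetical, and it assumes that holding any one ALLOWED action on a table is sufficient.

```java
import java.util.*;

// Added illustration, not Sentry code. Action mirrors the DBModelAction names in the
// review description; every other name here is hypothetical.
public class MetadataPrivilegeMatrix {
    enum Action { ALL, CREATE, SELECT, INSERT, ALTER, DROP, INDEX, LOCK }

    // Actions the description marks ALLOWED for each metadata operation.
    static final Set<Action> DESCRIBE_TABLE =
        EnumSet.of(Action.ALL, Action.SELECT, Action.INSERT, Action.ALTER);
    static final Set<Action> SHOW_TABLES =
        EnumSet.of(Action.ALL, Action.SELECT, Action.INSERT, Action.ALTER,
                   Action.DROP, Action.INDEX, Action.LOCK);

    // Assumption: one ALLOWED action held on the table is enough; no grants means deny.
    static boolean permits(Set<Action> allowed, Set<Action> held) {
        return held != null && !Collections.disjoint(allowed, held);
    }

    // SHOW TABLES filtering: keep only tables on which the user holds an allowed action.
    static List<String> visibleTables(Map<String, Set<Action>> grantsByTable) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, Set<Action>> e : grantsByTable.entrySet()) {
            if (permits(SHOW_TABLES, e.getValue())) out.add(e.getKey());
        }
        return out;
    }

    // Consistency check added here: nobody may describe a table they cannot list.
    static boolean describeImpliesShow() {
        return SHOW_TABLES.containsAll(DESCRIBE_TABLE);
    }

    public static void main(String[] args) {
        // Constructed sample grants for one user (table names are made up).
        Map<String, Set<Action>> grants = new LinkedHashMap<>();
        grants.put("t_alter", EnumSet.of(Action.ALTER));
        grants.put("t_drop", EnumSet.of(Action.DROP));
        grants.put("t_create", EnumSet.of(Action.CREATE));
        grants.put("t_none", EnumSet.noneOf(Action.class));

        System.out.println("DESCRIBE implies SHOW: " + describeImpliesShow());
        System.out.println("SHOW TABLES -> " + visibleTables(grants));
        for (String t : grants.keySet()) {
            System.out.println("DESCRIBE " + t + " -> "
                + (permits(DESCRIBE_TABLE, grants.get(t)) ? "ALLOWED" : "NOT_ALLOWED"));
        }
    }
}
```

The DROP-only table appears in the SHOW TABLES result but is refused for DESCRIBE, while the CREATE-only and ungranted tables are hidden from both.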