[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh
[ https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17041194#comment-17041194 ] Vihang Karajgaonkar commented on IMPALA-7282: - Hi [~joemcdonnell] I think we can continue investigation and possibly fix this issue. I don't think this is a release blocker for since this issue has been there for a while as per comment from [~jeszyb]. > Sentry privilege disappears after a catalog refresh > --- > > Key: IMPALA-7282 > URL: https://issues.apache.org/jira/browse/IMPALA-7282 > Project: IMPALA > Issue Type: Bug > Components: Catalog, Security >Affects Versions: Impala 3.0, Impala 2.12.0 >Reporter: Fredy Wijaya >Priority: Critical > Labels: security > > {noformat} > [localhost:21000] default> grant select on database functional to role > foo_role; > Query: grant select on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.05s > [localhost:21000] default> grant all on database functional to role foo_role; > Query: grant all on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.03s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+-+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+-+ > | database | functional | || | select| false| > NULL| > | database | functional | || | all | false| > NULL| > +--++---++-+---+--+-+ > Fetched 2 row(s) in 0.02s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+---+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+---+ > | database | functional | || | all | false| > Wed, Jul 11 2018 15:38:41.113 | > +--++---++-+---+--+---+ > Fetched 1 row(s) in 0.01s > {noformat} -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org
[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh
[ https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17040534#comment-17040534 ] Fang-Yu Rao commented on IMPALA-7282: - Hi [~joemcdonnell] and [~vihangk1], I took a look at the description above. I am able to reproduce the issue reported by [~fredyw]. As for [~vihangk1]'s question regarding whether this should be an issue, I briefly compared the case in which Impala is using Ranger as the authorization provider. If we grant a user {{non_owner}} the {{SELECT}} privilege of a database, e.g., {{functional}}, and then grant {{non_owner}} the {{ALL}} privilege on {{SERVER}} to {{non_owner}}, {{non_owner}} would possess 2 privileges. Now if we revoke the {{ALL}} privilege from the user {{non_owner}}, it will still possess the {{SELECT}} privilege on the database {{functional}}. I will try to see how Hive behaves with Sentry being the authorization provider in this situation described above and keep you posted. > Sentry privilege disappears after a catalog refresh > --- > > Key: IMPALA-7282 > URL: https://issues.apache.org/jira/browse/IMPALA-7282 > Project: IMPALA > Issue Type: Bug > Components: Catalog, Security >Affects Versions: Impala 3.0, Impala 2.12.0 >Reporter: Fredy Wijaya >Priority: Critical > Labels: security > > {noformat} > [localhost:21000] default> grant select on database functional to role > foo_role; > Query: grant select on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.05s > [localhost:21000] default> grant all on database functional to role foo_role; > Query: grant all on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.03s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+-+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+-+ > | database | functional | || | select| false| > NULL| > | database | functional | || | all | false| > NULL| > +--++---++-+---+--+-+ > Fetched 2 row(s) in 0.02s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+---+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+---+ > | database | functional | || | all | false| > Wed, Jul 11 2018 15:38:41.113 | > +--++---++-+---+--+---+ > Fetched 1 row(s) in 0.01s > {noformat} -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org
[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh
[ https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17040494#comment-17040494 ] Joe McDonnell commented on IMPALA-7282: --- [~vihangk1] [~fangyurao] Can you triage this and let me know if this needs a fix in Impala 3.4? > Sentry privilege disappears after a catalog refresh > --- > > Key: IMPALA-7282 > URL: https://issues.apache.org/jira/browse/IMPALA-7282 > Project: IMPALA > Issue Type: Bug > Components: Catalog, Security >Affects Versions: Impala 3.0, Impala 2.12.0 >Reporter: Fredy Wijaya >Priority: Critical > Labels: security > > {noformat} > [localhost:21000] default> grant select on database functional to role > foo_role; > Query: grant select on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.05s > [localhost:21000] default> grant all on database functional to role foo_role; > Query: grant all on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.03s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+-+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+-+ > | database | functional | || | select| false| > NULL| > | database | functional | || | all | false| > NULL| > +--++---++-+---+--+-+ > Fetched 2 row(s) in 0.02s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+---+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+---+ > | database | functional | || | all | false| > Wed, Jul 11 2018 15:38:41.113 | > +--++---++-+---+--+---+ > Fetched 1 row(s) in 0.01s > {noformat} -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org
[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh
[ https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036433#comment-17036433 ] Vihang Karajgaonkar commented on IMPALA-7282: - hmm, what is the expected behavior here? if we revoke all from server, why should there be a column level select privilege on the role? It would be interesting to repeat these steps on hive to understand if this is something happening on Sentry side. [~fangyurao] Would you be able to take a look at this? If not, I can take this up. > Sentry privilege disappears after a catalog refresh > --- > > Key: IMPALA-7282 > URL: https://issues.apache.org/jira/browse/IMPALA-7282 > Project: IMPALA > Issue Type: Bug > Components: Catalog, Security >Affects Versions: Impala 3.0, Impala 2.12.0 >Reporter: Fredy Wijaya >Priority: Critical > Labels: security > > {noformat} > [localhost:21000] default> grant select on database functional to role > foo_role; > Query: grant select on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.05s > [localhost:21000] default> grant all on database functional to role foo_role; > Query: grant all on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.03s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+-+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+-+ > | database | functional | || | select| false| > NULL| > | database | functional | || | all | false| > NULL| > +--++---++-+---+--+-+ > Fetched 2 row(s) in 0.02s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+---+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+---+ > | database | functional | || | all | false| > Wed, Jul 11 2018 15:38:41.113 | > +--++---++-+---+--+---+ > Fetched 1 row(s) in 0.01s > {noformat} -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org
[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh
[ https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17035807#comment-17035807 ] Tim Armstrong commented on IMPALA-7282: --- [~vihangk1] might be of interest > Sentry privilege disappears after a catalog refresh > --- > > Key: IMPALA-7282 > URL: https://issues.apache.org/jira/browse/IMPALA-7282 > Project: IMPALA > Issue Type: Bug > Components: Catalog, Security >Affects Versions: Impala 3.0, Impala 2.12.0 >Reporter: Fredy Wijaya >Priority: Critical > Labels: security > > {noformat} > [localhost:21000] default> grant select on database functional to role > foo_role; > Query: grant select on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.05s > [localhost:21000] default> grant all on database functional to role foo_role; > Query: grant all on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.03s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+-+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+-+ > | database | functional | || | select| false| > NULL| > | database | functional | || | all | false| > NULL| > +--++---++-+---+--+-+ > Fetched 2 row(s) in 0.02s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+---+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+---+ > | database | functional | || | all | false| > Wed, Jul 11 2018 15:38:41.113 | > +--++---++-+---+--+---+ > Fetched 1 row(s) in 0.01s > {noformat} -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org
[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh
[ https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16542724#comment-16542724 ] Balazs Jeszenszky commented on IMPALA-7282: --- Did some more testing. Here's a copy-pasteable set of statements to repro: {code:java} create table test (id int); create role foo_role; grant select(id) on table test to role foo_role; grant all on server to role foo_role; show grant role foo_role; invalidate metadata; show grant role foo_role; revoke all on server from foo_role; show grant role foo_role; invalidate metadata; show grant role foo_role; {code} I tested it all the way to impala 2.5, and repro's on all of the released versions from 2.5 to 2.12. The roles are removed from Sentry's DB by catalogd (so it's not just that catalog fails to reload them). Since that's the case, the last 'invalidate metadata' is not even necessary, once the catalog update gets back to the impalad via statestore, the privilege is removed. > Sentry privilege disappears after a catalog refresh > --- > > Key: IMPALA-7282 > URL: https://issues.apache.org/jira/browse/IMPALA-7282 > Project: IMPALA > Issue Type: Bug > Components: Catalog, Security >Affects Versions: Impala 3.0, Impala 2.12.0 >Reporter: Fredy Wijaya >Priority: Critical > Labels: security > > {noformat} > [localhost:21000] default> grant select on database functional to role > foo_role; > Query: grant select on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.05s > [localhost:21000] default> grant all on database functional to role foo_role; > Query: grant all on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.03s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+-+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+-+ > | database | functional | || | select| false| > NULL| > | database | functional | || | all | false| > NULL| > +--++---++-+---+--+-+ > Fetched 2 row(s) in 0.02s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+---+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+---+ > | database | functional | || | all | false| > Wed, Jul 11 2018 15:38:41.113 | > +--++---++-+---+--+---+ > Fetched 1 row(s) in 0.01s > {noformat} -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org
[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh
[ https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16542091#comment-16542091 ] Fredy Wijaya commented on IMPALA-7282: -- Yes, it's critical. We still don't know the cause of the bug. We are still investigating it. > Sentry privilege disappears after a catalog refresh > --- > > Key: IMPALA-7282 > URL: https://issues.apache.org/jira/browse/IMPALA-7282 > Project: IMPALA > Issue Type: Bug > Components: Catalog, Security >Affects Versions: Impala 3.0, Impala 2.12.0 >Reporter: Fredy Wijaya >Priority: Critical > Labels: security > > {noformat} > [localhost:21000] default> grant select on database functional to role > foo_role; > Query: grant select on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.05s > [localhost:21000] default> grant all on database functional to role foo_role; > Query: grant all on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.03s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+-+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+-+ > | database | functional | || | select| false| > NULL| > | database | functional | || | all | false| > NULL| > +--++---++-+---+--+-+ > Fetched 2 row(s) in 0.02s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+---+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+---+ > | database | functional | || | all | false| > Wed, Jul 11 2018 15:38:41.113 | > +--++---++-+---+--+---+ > Fetched 1 row(s) in 0.01s > {noformat} -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org
[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh
[ https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16542083#comment-16542083 ] Balazs Jeszenszky commented on IMPALA-7282: --- Should this be critical / blocker? Which change introduced this bug? > Sentry privilege disappears after a catalog refresh > --- > > Key: IMPALA-7282 > URL: https://issues.apache.org/jira/browse/IMPALA-7282 > Project: IMPALA > Issue Type: Bug > Components: Catalog, Security >Affects Versions: Impala 3.0, Impala 2.12.0 >Reporter: Fredy Wijaya >Priority: Major > Labels: security > > {noformat} > [localhost:21000] default> grant select on database functional to role > foo_role; > Query: grant select on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.05s > [localhost:21000] default> grant all on database functional to role foo_role; > Query: grant all on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.03s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+-+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+-+ > | database | functional | || | select| false| > NULL| > | database | functional | || | all | false| > NULL| > +--++---++-+---+--+-+ > Fetched 2 row(s) in 0.02s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+---+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+---+ > | database | functional | || | all | false| > Wed, Jul 11 2018 15:38:41.113 | > +--++---++-+---+--+---+ > Fetched 1 row(s) in 0.01s > {noformat} -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org
[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh
[ https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16542066#comment-16542066 ] Adam Holley commented on IMPALA-7282: - I've included details to show that simply granting select at the server level does not revoke select at the column level, but only after revoking at the server level does the column level privilege get removed. This also happens when the grant is at the database level instead of the server level. {noformat} [localhost:21000] functional> grant select(id) on table functional.alltypes to role foo_role; Query: grant select(id) on table functional.alltypes to role foo_role +-+ | summary | +-+ | Privilege(s) have been granted. | +-+ Fetched 1 row(s) in 0.09s [localhost:21000] functional> grant select on server to role foo_role; Query: grant select on server to role foo_role +-+ | summary | +-+ | Privilege(s) have been granted. | +-+ Fetched 1 row(s) in 0.06s [localhost:21000] functional> show grant role foo_role; Query: show grant role foo_role +++--++-+---+--+-+ | scope | database | table| column | uri | privilege | grant_option | create_time | +++--++-+---+--+-+ | column | functional | alltypes | id | | select| false| NULL| | server || || | select| false| NULL| +++--++-+---+--+-+ Fetched 2 row(s) in 0.04s [localhost:21000] functional> invalidate metadata; Query: invalidate metadata Fetched 0 row(s) in 4.53s [localhost:21000] functional> show grant role foo_role; Query: show grant role foo_role +++--++-+---+--+---+ | scope | database | table| column | uri | privilege | grant_option | create_time | +++--++-+---+--+---+ | column | functional | alltypes | id | | select| false| Thu, Jul 12 2018 13:18:09.240 | | server || || | select| false| Thu, Jul 12 2018 13:18:34.476 | +++--++-+---+--+---+ Fetched 2 row(s) in 0.03s [localhost:21000] functional> revoke select on server from foo_role; Query: revoke select on server from foo_role +-+ | summary | +-+ | Privilege(s) have been revoked. | +-+ [localhost:21000] functional> show grant role foo_role; Query: show grant role foo_role +++--++-+---+--+---+ | scope | database | table| column | uri | privilege | grant_option | create_time | +++--++-+---+--+---+ | column | functional | alltypes | id | | select| false| Thu, Jul 12 2018 13:18:09.240 | +++--++-+---+--+---+ Fetched 1 row(s) in 0.03s [localhost:21000] functional> invalidate metadata; Query: invalidate metadata Fetched 0 row(s) in 4.14s [localhost:21000] functional> show grant role foo_role; Query: show grant role foo_role Fetched 0 row(s) in 0.03s {noformat} > Sentry privilege disappears after a catalog refresh > --- > > Key: IMPALA-7282 > URL: https://issues.apache.org/jira/browse/IMPALA-7282 > Project: IMPALA > Issue Type: Bug > Components: Catalog, Security >Affects Versions: Impala 3.0, Impala 2.12.0 >Reporter: Fredy Wijaya >Priority: Major > Labels: security > > {noformat} > [localhost:21000] default> grant select on database functional to role > foo_role; > Query: grant select on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.05s > [localhost:21000] default> grant all on database functional to role foo_role; > Query: grant all on database functional to role foo_role > +-+ > |
[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh
[ https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16541942#comment-16541942 ] Fredy Wijaya commented on IMPALA-7282: -- [~jeszyb] Yes, it affects 2.x branch, too. [~aholley] Can you add steps to reproduce the issue? > Sentry privilege disappears after a catalog refresh > --- > > Key: IMPALA-7282 > URL: https://issues.apache.org/jira/browse/IMPALA-7282 > Project: IMPALA > Issue Type: Bug > Components: Catalog, Security >Affects Versions: Impala 3.0, Impala 2.12.0 >Reporter: Fredy Wijaya >Priority: Major > Labels: security > > {noformat} > [localhost:21000] default> grant select on database functional to role > foo_role; > Query: grant select on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.05s > [localhost:21000] default> grant all on database functional to role foo_role; > Query: grant all on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.03s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+-+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+-+ > | database | functional | || | select| false| > NULL| > | database | functional | || | all | false| > NULL| > +--++---++-+---+--+-+ > Fetched 2 row(s) in 0.02s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+---+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+---+ > | database | functional | || | all | false| > Wed, Jul 11 2018 15:38:41.113 | > +--++---++-+---+--+---+ > Fetched 1 row(s) in 0.01s > {noformat} -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org
[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh
[ https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16541715#comment-16541715 ] Adam Holley commented on IMPALA-7282: - I'm not sure if it's related, but if I have column select privilege, then get granted select on server, if the server level select is revoked, the column level select gets removed after a refresh. > Sentry privilege disappears after a catalog refresh > --- > > Key: IMPALA-7282 > URL: https://issues.apache.org/jira/browse/IMPALA-7282 > Project: IMPALA > Issue Type: Bug > Components: Catalog, Security >Affects Versions: Impala 3.0 >Reporter: Fredy Wijaya >Priority: Major > Labels: security > > {noformat} > [localhost:21000] default> grant select on database functional to role > foo_role; > Query: grant select on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.05s > [localhost:21000] default> grant all on database functional to role foo_role; > Query: grant all on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.03s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+-+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+-+ > | database | functional | || | select| false| > NULL| > | database | functional | || | all | false| > NULL| > +--++---++-+---+--+-+ > Fetched 2 row(s) in 0.02s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+---+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+---+ > | database | functional | || | all | false| > Wed, Jul 11 2018 15:38:41.113 | > +--++---++-+---+--+---+ > Fetched 1 row(s) in 0.01s > {noformat} -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org
[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh
[ https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16541334#comment-16541334 ] Balazs Jeszenszky commented on IMPALA-7282: --- [~fredyw] this seems like a potentially pretty bad issue. Any more details would be welcome (in particular, are you confident it does not affect 2.x?). > Sentry privilege disappears after a catalog refresh > --- > > Key: IMPALA-7282 > URL: https://issues.apache.org/jira/browse/IMPALA-7282 > Project: IMPALA > Issue Type: Bug > Components: Catalog, Security >Affects Versions: Impala 3.0 >Reporter: Fredy Wijaya >Priority: Major > Labels: security > > {noformat} > [localhost:21000] default> grant select on database functional to role > foo_role; > Query: grant select on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.05s > [localhost:21000] default> grant all on database functional to role foo_role; > Query: grant all on database functional to role foo_role > +-+ > | summary | > +-+ > | Privilege(s) have been granted. | > +-+ > Fetched 1 row(s) in 0.03s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+-+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+-+ > | database | functional | || | select| false| > NULL| > | database | functional | || | all | false| > NULL| > +--++---++-+---+--+-+ > Fetched 2 row(s) in 0.02s > [localhost:21000] default> show grant role foo_role; > Query: show grant role foo_role > +--++---++-+---+--+---+ > | scope| database | table | column | uri | privilege | grant_option | > create_time | > +--++---++-+---+--+---+ > | database | functional | || | all | false| > Wed, Jul 11 2018 15:38:41.113 | > +--++---++-+---+--+---+ > Fetched 1 row(s) in 0.01s > {noformat} -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org