[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh

2020-02-20 Thread Vihang Karajgaonkar (Jira)


[ 
https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17041194#comment-17041194
 ] 

Vihang Karajgaonkar commented on IMPALA-7282:
-

Hi [~joemcdonnell] I think we can continue investigation and possibly fix this 
issue. I don't think this is a release blocker since this issue has been 
there for a while as per comment from [~jeszyb].

> Sentry privilege disappears after a catalog refresh
> ---
>
> Key: IMPALA-7282
> URL: https://issues.apache.org/jira/browse/IMPALA-7282
> Project: IMPALA
>  Issue Type: Bug
>  Components: Catalog, Security
>Affects Versions: Impala 3.0, Impala 2.12.0
>Reporter: Fredy Wijaya
>Priority: Critical
>  Labels: security
>
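> {noformat}
> [localhost:21000] default> grant select on database functional to role foo_role;
> Query: grant select on database functional to role foo_role
> +---------------------------------+
> | summary                         |
> +---------------------------------+
> | Privilege(s) have been granted. |
> +---------------------------------+
> Fetched 1 row(s) in 0.05s
> [localhost:21000] default> grant all on database functional to role foo_role;
> Query: grant all on database functional to role foo_role
> +---------------------------------+
> | summary                         |
> +---------------------------------+
> | Privilege(s) have been granted. |
> +---------------------------------+
> Fetched 1 row(s) in 0.03s
> [localhost:21000] default> show grant role foo_role;
> Query: show grant role foo_role
> +----------+------------+-------+--------+-----+-----------+--------------+-------------+
> | scope    | database   | table | column | uri | privilege | grant_option | create_time |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------+
> | database | functional |       |        |     | select    | false        | NULL        |
> | database | functional |       |        |     | all       | false        | NULL        |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------+
> Fetched 2 row(s) in 0.02s
> [localhost:21000] default> show grant role foo_role;
> Query: show grant role foo_role
> +----------+------------+-------+--------+-----+-----------+--------------+-------------------------------+
> | scope    | database   | table | column | uri | privilege | grant_option | create_time                   |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------------------------+
> | database | functional |       |        |     | all       | false        | Wed, Jul 11 2018 15:38:41.113 |
> +----------+------------+-------+--------+-----+-----------+--------------+-------------------------------+
> Fetched 1 row(s) in 0.01s
> {noformat}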



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org
For additional commands, e-mail: issues-all-h...@impala.apache.org



[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh

2020-02-19 Thread Fang-Yu Rao (Jira)


[ 
https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17040534#comment-17040534
 ] 

Fang-Yu Rao commented on IMPALA-7282:
-

Hi [~joemcdonnell] and [~vihangk1], I took a look at the description above. I 
am able to reproduce the issue reported by [~fredyw].

As for [~vihangk1]'s question regarding whether this should be an issue, I 
briefly compared the case in which Impala is using Ranger as the authorization 
provider. If we grant a user {{non_owner}} the {{SELECT}} privilege of a 
database, e.g., {{functional}}, and then grant {{non_owner}} the {{ALL}} 
privilege on {{SERVER}}, {{non_owner}} would possess 2 privileges.

Now if we revoke the {{ALL}} privilege from the user {{non_owner}}, it will 
still possess the {{SELECT}} privilege on the database {{functional}}.

I will try to see how Hive behaves with Sentry being the authorization provider 
in the situation described above and keep you posted.





[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh

2020-02-19 Thread Joe McDonnell (Jira)


[ 
https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17040494#comment-17040494
 ] 

Joe McDonnell commented on IMPALA-7282:
---

[~vihangk1] [~fangyurao] Can you triage this and let me know if this needs a 
fix in Impala 3.4?




[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh

2020-02-13 Thread Vihang Karajgaonkar (Jira)


[ 
https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036433#comment-17036433
 ] 

Vihang Karajgaonkar commented on IMPALA-7282:
-

Hmm, what is the expected behavior here? If we revoke all from server, why 
should there be a column level select privilege on the role? It would be 
interesting to repeat these steps on Hive to understand if this is something 
happening on Sentry side. [~fangyurao] Would you be able to take a look at 
this? If not, I can take this up.




[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh

2020-02-12 Thread Tim Armstrong (Jira)


[ 
https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17035807#comment-17035807
 ] 

Tim Armstrong commented on IMPALA-7282:
---

[~vihangk1] might be of interest




[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh

2018-07-13 Thread Balazs Jeszenszky (JIRA)


[ 
https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16542724#comment-16542724
 ] 

Balazs Jeszenszky commented on IMPALA-7282:
---

Did some more testing. Here's a copy-pasteable set of statements to repro:

{code:java}
create table test (id int);
create role foo_role;
grant select(id) on table test to role foo_role;
grant all on server to role foo_role;
show grant role foo_role;
invalidate metadata;
show grant role foo_role;
revoke all on server from foo_role;
show grant role foo_role;
invalidate metadata;
show grant role foo_role;
{code}

I tested it all the way to Impala 2.5, and it repros on all of the released 
versions from 2.5 to 2.12. The roles are removed from Sentry's DB by catalogd 
(so it's not just that catalog fails to reload them). Since that's the case, 
the last 'invalidate metadata' is not even necessary; once the catalog update 
gets back to the impalad via statestore, the privilege is removed.





--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org
For additional commands, e-mail: issues-all-h...@impala.apache.org
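
A way to check a cluster for the behaviour reported in this thread, as an added example (not code from the thread or from the Impala project): it parses `show grant role` output captured before and after `invalidate metadata` and reports privileges that disappeared without an explicit revoke. The sample tables are constructed in the shape of the transcripts quoted in the thread, and the function and constant names are hypothetical.

```python
from typing import Iterable, NamedTuple, Set


class Privilege(NamedTuple):
    scope: str
    database: str
    table: str
    column: str
    uri: str
    privilege: str
    grant_option: str


def parse_show_grant(output: str) -> Set[Privilege]:
    """Parse the ASCII table impala-shell prints for `show grant role <role>`.

    create_time is left out of the comparison key on purpose: in the thread's
    transcripts it reads NULL right after a grant and a timestamp after a refresh.
    """
    header, found = None, set()
    for raw in output.splitlines():
        line = raw.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # prompt, "Query:", "Fetched ..." and +---+ border lines
        cells = [c.strip() for c in line[1:-1].split("|")]
        if header is None:
            header = [c.lower() for c in cells]
            missing = set(Privilege._fields) - set(header)
            if missing:
                raise ValueError(f"not a show-grant table, missing {sorted(missing)}")
            continue
        if len(cells) != len(header):
            raise ValueError(f"row width mismatch: {line!r}")
        row = dict(zip(header, cells))
        found.add(Privilege(*(row[f] for f in Privilege._fields)))
    return found


def vanished(before: Set[Privilege], after: Set[Privilege],
             revoked: Iterable[Privilege] = ()) -> Set[Privilege]:
    """Privileges present before, absent after, and never explicitly revoked."""
    return before - after - set(revoked)


# Constructed sample output, modelled on the transcripts in this thread.
AFTER_GRANTS = """
+--------+------------+----------+--------+-----+-----------+--------------+-------------+
| scope  | database   | table    | column | uri | privilege | grant_option | create_time |
+--------+------------+----------+--------+-----+-----------+--------------+-------------+
| column | functional | alltypes | id     |     | select    | false        | NULL        |
| server |            |          |        |     | select    | false        | NULL        |
+--------+------------+----------+--------+-----+-----------+--------------+-------------+
Fetched 2 row(s) in 0.04s
"""
AFTER_REVOKE = """
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
| scope  | database   | table    | column | uri | privilege | grant_option | create_time                   |
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
| column | functional | alltypes | id     |     | select    | false        | Thu, Jul 12 2018 13:18:09.240 |
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
Fetched 1 row(s) in 0.03s
"""
AFTER_REFRESH = "Query: show grant role foo_role\nFetched 0 row(s) in 0.03s\n"

# The only privilege an administrator revoked on purpose in this scenario.
SERVER_SELECT = Privilege("server", "", "", "", "", "select", "false")

if __name__ == "__main__":
    lost = vanished(parse_show_grant(AFTER_GRANTS),
                    parse_show_grant(AFTER_REFRESH),
                    revoked=[SERVER_SELECT])
    for p in sorted(lost):
        print("privilege lost without a revoke:", p)
```

Run against real captures, a non-empty result after a revoke plus refresh indicates the affected behaviour; an empty result means every missing privilege is accounted for by an explicit revoke.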



[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh

2018-07-12 Thread Fredy Wijaya (JIRA)


[ 
https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16542091#comment-16542091
 ] 

Fredy Wijaya commented on IMPALA-7282:
--

Yes, it's critical. We still don't know the cause of the bug. We are still 
investigating it.




[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh

2018-07-12 Thread Balazs Jeszenszky (JIRA)


[ 
https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16542083#comment-16542083
 ] 

Balazs Jeszenszky commented on IMPALA-7282:
---

Should this be critical / blocker?
Which change introduced this bug?

> Sentry privilege disappears after a catalog refresh
> ---
>
> Key: IMPALA-7282
> URL: https://issues.apache.org/jira/browse/IMPALA-7282
> Project: IMPALA
>  Issue Type: Bug
>  Components: Catalog, Security
>Affects Versions: Impala 3.0, Impala 2.12.0
>Reporter: Fredy Wijaya
>Priority: Major
>  Labels: security
>



[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh

2018-07-12 Thread Adam Holley (JIRA)


[ 
https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16542066#comment-16542066
 ] 

Adam Holley commented on IMPALA-7282:
-

I've included details to show that simply granting select at the server level 
does not revoke select at the column level, but only after revoking at the 
server level does the column level privilege get removed.  This also happens 
when the grant is at the database level instead of the server level.

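{noformat}
[localhost:21000] functional> grant select(id) on table functional.alltypes to role foo_role;
Query: grant select(id) on table functional.alltypes to role foo_role
+---------------------------------+
| summary                         |
+---------------------------------+
| Privilege(s) have been granted. |
+---------------------------------+
Fetched 1 row(s) in 0.09s
[localhost:21000] functional> grant select on server to role foo_role;
Query: grant select on server to role foo_role
+---------------------------------+
| summary                         |
+---------------------------------+
| Privilege(s) have been granted. |
+---------------------------------+
Fetched 1 row(s) in 0.06s
[localhost:21000] functional> show grant role foo_role;
Query: show grant role foo_role
+--------+------------+----------+--------+-----+-----------+--------------+-------------+
| scope  | database   | table    | column | uri | privilege | grant_option | create_time |
+--------+------------+----------+--------+-----+-----------+--------------+-------------+
| column | functional | alltypes | id     |     | select    | false        | NULL        |
| server |            |          |        |     | select    | false        | NULL        |
+--------+------------+----------+--------+-----+-----------+--------------+-------------+
Fetched 2 row(s) in 0.04s
[localhost:21000] functional> invalidate metadata;
Query: invalidate metadata
Fetched 0 row(s) in 4.53s
[localhost:21000] functional> show grant role foo_role;
Query: show grant role foo_role
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
| scope  | database   | table    | column | uri | privilege | grant_option | create_time                   |
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
| column | functional | alltypes | id     |     | select    | false        | Thu, Jul 12 2018 13:18:09.240 |
| server |            |          |        |     | select    | false        | Thu, Jul 12 2018 13:18:34.476 |
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
Fetched 2 row(s) in 0.03s
[localhost:21000] functional> revoke select on server from foo_role;
Query: revoke select on server from foo_role
+---------------------------------+
| summary                         |
+---------------------------------+
| Privilege(s) have been revoked. |
+---------------------------------+
[localhost:21000] functional> show grant role foo_role;
Query: show grant role foo_role
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
| scope  | database   | table    | column | uri | privilege | grant_option | create_time                   |
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
| column | functional | alltypes | id     |     | select    | false        | Thu, Jul 12 2018 13:18:09.240 |
+--------+------------+----------+--------+-----+-----------+--------------+-------------------------------+
Fetched 1 row(s) in 0.03s
[localhost:21000] functional> invalidate metadata;
Query: invalidate metadata
Fetched 0 row(s) in 4.14s
[localhost:21000] functional> show grant role foo_role;
Query: show grant role foo_role
Fetched 0 row(s) in 0.03s
{noformat}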


[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh

2018-07-12 Thread Fredy Wijaya (JIRA)


[ 
https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16541942#comment-16541942
 ] 

Fredy Wijaya commented on IMPALA-7282:
--

[~jeszyb] Yes, it affects 2.x branch, too.
[~aholley] Can you add steps to reproduce the issue?




[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh

2018-07-12 Thread Adam Holley (JIRA)


[ 
https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16541715#comment-16541715
 ] 

Adam Holley commented on IMPALA-7282:
-

I'm not sure if it's related, but if I have column select privilege, then get 
granted select on server, if the server level select is revoked, the column 
level select gets removed after a refresh.

> Sentry privilege disappears after a catalog refresh
> ---
>
> Key: IMPALA-7282
> URL: https://issues.apache.org/jira/browse/IMPALA-7282
> Project: IMPALA
>  Issue Type: Bug
>  Components: Catalog, Security
>Affects Versions: Impala 3.0
>Reporter: Fredy Wijaya
>Priority: Major
>  Labels: security
>



[jira] [Commented] (IMPALA-7282) Sentry privilege disappears after a catalog refresh

2018-07-12 Thread Balazs Jeszenszky (JIRA)


[ 
https://issues.apache.org/jira/browse/IMPALA-7282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16541334#comment-16541334
 ] 

Balazs Jeszenszky commented on IMPALA-7282:
---

[~fredyw] this seems like a potentially pretty bad issue. Any more details 
would be welcome (in particular, are you confident it does not affect 2.x?).
