Johndee Burks created SENTRY-1702:
-------------------------------------
Summary: Revoke on Server Causes Broken URI Privilege
Key: SENTRY-1702
URL: https://issues.apache.org/jira/browse/SENTRY-1702
Project: Sentry
Issue Type: Bug
Components: Sentry
Environment: CDH5.9
Reporter: Johndee Burks
== Issue ==
SENTRY-281 can create a situation in which a URI privilege is not removable
using revoke.
== Reproduction Steps ==
If you do the following, you end up with a URI privilege that cannot be revoked.
1. Create a role and grant all on the server:
{code}
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> create role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> grant all on server server1 to role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> show grant role turi;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *         |        |            |         | turi            | ROLE            | *          | false         | 1486508699269000  | --       |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
{code}
2. Grant all on URI:
{code}
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> grant all on uri "hdfs://jreposec-1.gce.cloudera.com:8020/tmp" to role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> show grant role turi;
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database                                     | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *                                            |        |            |         | turi            | ROLE            | *          | false         | 1486508699269000  | --       |
| hdfs://jreposec-1.gce.cloudera.com:8020/tmp  |        |            |         | turi            | ROLE            | *          | false         | 1491867083637000  | --       |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
{code}
3. Now revoke insert on the server from that role:
{code}
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> revoke insert on server server1 from role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> show grant role turi;
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database                                     | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *                                            |        |            |         | turi            | ROLE            | select     | false         | 1491867142657000  | --       |
| hdfs://jreposec-1.gce.cloudera.com:8020/tmp  |        |            |         | turi            | ROLE            | select     | false         | 1491867142646000  | --       |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
{code}
4. Attempt to revoke the URI privilege:
{code}
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> revoke all on uri "hdfs://jreposec-1.gce.cloudera.com:8020/tmp" from role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> revoke select on uri "hdfs://jreposec-1.gce.cloudera.com:8020/tmp" from role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> revoke insert on uri "hdfs://jreposec-1.gce.cloudera.com:8020/tmp" from role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> show grant role turi;
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database                                     | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *                                            |        |            |         | turi            | ROLE            | select     | false         | 1491867142657000  | --       |
| hdfs://jreposec-1.gce.cloudera.com:8020/tmp  |        |            |         | turi            | ROLE            | select     | false         | 1491867142646000  | --       |
+----------------------------------------------+----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+--+
{code}
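A post-revoke check, added here as an example and not code from the Sentry project or from this report. The operational lesson of the steps above is that a REVOKE can return without error while a privilege survives, so a revoke should be treated as done only after `show grant role` confirms it. The script parses the ASCII table that beeline prints for `show grant role`, using a constructed, re-typed copy of the step 4 output as sample input (cell padding removed), and lists any row that still grants the role something on the given URI. The 16-digit `grant_time` values are read as epoch microseconds, which matches the 2017 dates of this report; the function names and the sample text are assumptions of the example.

```python
"""Verify that a Sentry REVOKE actually removed a URI privilege.

Added example, not code from the Sentry project or from this report. It parses the
table beeline prints for `show grant role <role>` and reports rows that still grant
the role an action on a given scope (a URI, or '*' for the server).
"""
from datetime import datetime, timezone

# Column order of `show grant role` output as printed by beeline in the report.
COLUMNS = ("database", "table", "partition", "column", "principal_name",
           "principal_type", "privilege", "grant_option", "grant_time", "grantor")

URI = "hdfs://jreposec-1.gce.cloudera.com:8020/tmp"

# Constructed sample: a re-typed copy of the step 4 output (after the three revokes),
# with the column padding removed. The parser strips whitespace, so either form works.
SHOW_GRANT_AFTER_REVOKE = """\
+----+----+----+----+----+----+----+----+----+----+--+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+----+----+----+----+----+----+----+----+----+----+--+
| * |  |  |  | turi | ROLE | select | false | 1491867142657000 | -- |
| hdfs://jreposec-1.gce.cloudera.com:8020/tmp |  |  |  | turi | ROLE | select | false | 1491867142646000 | -- |
+----+----+----+----+----+----+----+----+----+----+--+
"""


def parse_show_grant(text):
    """Turn beeline's ASCII table into a list of dicts keyed by COLUMNS."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue                      # '+---+' separator lines carry no data
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[:1] == ["database"]:
            continue                      # header row
        cells = (cells + [""] * len(COLUMNS))[:len(COLUMNS)]  # tolerate a trailing empty cell
        row = dict(zip(COLUMNS, cells))
        # grant_time is epoch microseconds (assumption consistent with the report's dates);
        # keep the raw integer and add a readable UTC timestamp for the finding.
        row["grant_time"] = int(row["grant_time"])
        row["granted_at"] = datetime.fromtimestamp(row["grant_time"] / 1e6, tz=timezone.utc)
        rows.append(row)
    return rows


def residual_privileges(rows, role, scope):
    """Rows that still grant `role` any action on `scope`.

    beeline shows the URI (or '*' for the server) in the `database` column, so a URI
    privilege is matched against that column rather than a dedicated URI column.
    """
    return [r for r in rows
            if r["principal_name"] == role and r["database"] == scope]


def verify_revoke(show_grant_text, role, scope):
    """Return (ok, leftovers): ok is True only when nothing on `scope` remains for `role`."""
    leftovers = residual_privileges(parse_show_grant(show_grant_text), role, scope)
    return (not leftovers), leftovers


if __name__ == "__main__":
    ok, left = verify_revoke(SHOW_GRANT_AFTER_REVOKE, "turi", URI)
    if ok:
        print("revoke verified: no privilege left on", URI)
    else:
        for r in left:
            print(f"FINDING: role {r['principal_name']} still has {r['privilege']} on "
                  f"{r['database']} (granted {r['granted_at']:%Y-%m-%d %H:%M:%S}Z)")
```

Run against the step 4 output this reports one finding: `turi` still holds `select` on the URI, with a `grant_time` newer than the original URI grant, which shows the row was rewritten by the server-level revoke in step 3 rather than left untouched. Feeding it the output of a role whose URI row is gone returns `ok == True`, which is the state an administrator should insist on before considering the revoke complete.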