Johndee Burks created SENTRY-1702:
-------------------------------------

             Summary: Revoke on Server Causes Broken URI Privilege
                 Key: SENTRY-1702
                 URL: https://issues.apache.org/jira/browse/SENTRY-1702
             Project: Sentry
          Issue Type: Bug
          Components: Sentry
         Environment: CDH5.9
            Reporter: Johndee Burks
== Issue ==

SENTRY-281 can create a situation in which a URI privilege is not removable using revoke.

== Reproduction Steps ==

If you do the following, you end up with a privilege that cannot be revoked on a URI.

1. Create role and grant all on server:
{code}
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> create role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> grant all on server server1 to role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> show grant role turi;
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *         |        |            |         | turi            | ROLE            | *          | false         | 1486508699269000  | --       |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
{code}

2. Grant all on URI:
{code}
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> grant all on uri "hdfs://jreposec-1.gce.cloudera.com:8020/tmp" to role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> show grant role turi;
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database                                     | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *                                            |        |            |         | turi            | ROLE            | *          | false         | 1486508699269000  | --       |
| hdfs://jreposec-1.gce.cloudera.com:8020/tmp  |        |            |         | turi            | ROLE            | *          | false         | 1491867083637000  | --       |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
{code}

3. Now revoke insert from that role on server:
{code}
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> revoke insert on server server1 from role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> show grant role turi;
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database                                     | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *                                            |        |            |         | turi            | ROLE            | select     | false         | 1491867142657000  | --       |
| hdfs://jreposec-1.gce.cloudera.com:8020/tmp  |        |            |         | turi            | ROLE            | select     | false         | 1491867142646000  | --       |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
{code}

4. Attempt to revoke the URI:
{code}
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> revoke all on uri "hdfs://jreposec-1.gce.cloudera.com:8020/tmp" from role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> revoke select on uri "hdfs://jreposec-1.gce.cloudera.com:8020/tmp" from role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> revoke insert on uri "hdfs://jreposec-1.gce.cloudera.com:8020/tmp" from role turi;
0: jdbc:hive2://jreposec-1.gce.cloudera.com:1> show grant role turi;
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database                                     | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time        | grantor  |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *                                            |        |            |         | turi            | ROLE            | select     | false         | 1491867142657000  | --       |
| hdfs://jreposec-1.gce.cloudera.com:8020/tmp  |        |            |         | turi            | ROLE            | select     | false         | 1491867142646000  | --       |
+----------------------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
{code}

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
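The following is an added check, not code from the report or from the Sentry project: it parses the beeline `show grant role` table shown in the steps above and flags any URI-scoped privilege that is still present after the `revoke ... on uri` statements ran, so an audit script can catch the stale grant this issue describes. The sample table is the step 4 output from the report with its column padding shortened; the function names are this example's own.

```python
# Added example for SENTRY-1702; parser and check are this example's own,
# not Sentry code. Input is beeline's "show grant role" table format.
from typing import Dict, List, Optional

# "show grant role turi" output after step 4 of the report (padding shortened).
URI = "hdfs://jreposec-1.gce.cloudera.com:8020/tmp"
AFTER_REVOKE = """
+----------+-------+-----------+--------+----------------+----------------+-----------+--------------+-------------------+---------+--+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time        | grantor |
+----------+-------+-----------+--------+----------------+----------------+-----------+--------------+-------------------+---------+--+
| *        |       |           |        | turi           | ROLE           | select    | false        | 1491867142657000  | --      |
| hdfs://jreposec-1.gce.cloudera.com:8020/tmp | | | | turi | ROLE | select | false | 1491867142646000 | -- |
+----------+-------+-----------+--------+----------------+----------------+-----------+--------------+-------------------+---------+--+
"""


def _cells(line: str) -> List[str]:
    """Split one '| a | b |' row into stripped cell values."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_show_grant(output: str) -> List[Dict[str, str]]:
    """Turn the beeline table into one dict per privilege row, keyed by header."""
    rows = [ln for ln in output.splitlines() if ln.lstrip().startswith("|")]
    if not rows:
        return []
    header = _cells(rows[0])  # first '|' line is the column header
    return [dict(zip(header, _cells(ln))) for ln in rows[1:]]


def privilege_for_scope(rows: List[Dict[str, str]], scope: str) -> Optional[str]:
    """Privilege string held on a scope ('*' for server, or a URI), else None."""
    for r in rows:
        if r["database"] == scope:
            return r["privilege"]
    return None


def lingering_uri_privileges(output: str, uri: str) -> List[Dict[str, str]]:
    """Rows for `uri` that still exist after 'revoke ... on uri <uri>' was run.
    A non-empty result is the symptom reported in this issue."""
    rows = parse_show_grant(output)
    return [r for r in rows if "://" in r["database"] and r["database"] == uri]


if __name__ == "__main__":
    for r in lingering_uri_privileges(AFTER_REVOKE, URI):
        print("stale URI grant:", r["database"], r["principal_name"], r["privilege"])
```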