sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Arun Suresh (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (SENTRY-222) Privileges are sometimes granted to the wrong roles
Date Tue, 20 May 2014 23:24:39 GMT

    [ https://issues.apache.org/jira/browse/SENTRY-222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14004114#comment-14004114
] 

Arun Suresh edited comment on SENTRY-222 at 5/20/14 11:24 PM:
--------------------------------------------------------------

[~lskuff] I am not able to replicate the issue..

This is the test Case, which should fail if I understand correctly :

{code}
public void testRoleGroupPrivilege() throws Exception {
    String requestorUserName = ADMIN_USER;
    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
    String roleName1 = "admin_r1";
    String roleName2 = "admin_r2";
    String groupName = "adminGroup";

    client.dropRoleIfExists(requestorUserName, requestorUserGroupNames,roleName1);
    client.createRole(requestorUserName, requestorUserGroupNames, roleName1);
    client.grantRoleToGroup(requestorUserName, requestorUserGroupNames, groupName, roleName1);
    client.grantTablePrivilege(requestorUserName, requestorUserGroupNames, roleName1, "server",
"db", "table1", "ALL");

    client.dropRoleIfExists(requestorUserName, requestorUserGroupNames, roleName2);
    client.createRole(requestorUserName, requestorUserGroupNames, roleName2);
    client.grantRoleToGroup(requestorUserName, requestorUserGroupNames, groupName, roleName2);
    client.grantTablePrivilege(requestorUserName, requestorUserGroupNames, roleName2, "server",
"db", "table2", "ALL");

    Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName,
requestorUserGroupNames, roleName1);
    assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1);
    assertEquals("Incorrect Privilege assigned to role1 !!", "table1", ((TSentryPrivilege)listPrivilegesByRoleName.toArray()[0]).getTableName());

    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, requestorUserGroupNames,
roleName2);
    assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1);
    assertEquals("Incorrect Privilege assigned to role2 !!", "table2", ((TSentryPrivilege)listPrivilegesByRoleName.toArray()[0]).getTableName());
  }
{code}

It passes for me


was (Author: asuresh):
[~lskuff] I am not able to replicate the issue..

This is the test Case, which should fail if I understand correctly :

{quote}
public void testRoleGroupPrivilege() throws Exception {
    String requestorUserName = ADMIN_USER;
    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
    String roleName1 = "admin_r1";
    String roleName2 = "admin_r2";
    String groupName = "adminGroup";

    client.dropRoleIfExists(requestorUserName, requestorUserGroupNames,roleName1);
    client.createRole(requestorUserName, requestorUserGroupNames, roleName1);
    client.grantRoleToGroup(requestorUserName, requestorUserGroupNames, groupName, roleName1);
    client.grantTablePrivilege(requestorUserName, requestorUserGroupNames, roleName1, "server",
"db", "table1", "ALL");

    client.dropRoleIfExists(requestorUserName, requestorUserGroupNames, roleName2);
    client.createRole(requestorUserName, requestorUserGroupNames, roleName2);
    client.grantRoleToGroup(requestorUserName, requestorUserGroupNames, groupName, roleName2);
    client.grantTablePrivilege(requestorUserName, requestorUserGroupNames, roleName2, "server",
"db", "table2", "ALL");

    Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName,
requestorUserGroupNames, roleName1);
    assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1);
    assertEquals("Incorrect Privilege assigned to role1 !!", "table1", ((TSentryPrivilege)listPrivilegesByRoleName.toArray()[0]).getTableName());

    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, requestorUserGroupNames,
roleName2);
    assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1);
    assertEquals("Incorrect Privilege assigned to role2 !!", "table2", ((TSentryPrivilege)listPrivilegesByRoleName.toArray()[0]).getTableName());
  }
{quote}

It passes for me

> Privileges are sometimes granted to the wrong roles
> ---------------------------------------------------
>
>                 Key: SENTRY-222
>                 URL: https://issues.apache.org/jira/browse/SENTRY-222
>             Project: Sentry
>          Issue Type: Bug
>            Reporter: Lenni Kuff
>            Priority: Blocker
>             Fix For: 1.4.0
>
>
> I have a workflow that does the following:
> # Create role role1 // (handle error if role already exists)
> # Grant role role1 to group "group1"
> # Grant role role1 privilege on table ...
> Using the same connection, I run:
> # Create role role2 // (handle error if role already exists)
> # Grant role role2 to group "group1"
> # Grant role role2 privilege on table ...
> After executing these operations, the backend sentry policy DB shows that the role2 privileges
were actually granted to role1. 



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message