sentry-commits mailing list archives

From "Prasad Mujumdar (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SENTRY-488) Sentry list_sentry_privileges_by_authorizable API does not filter out roles/privileges for some cases.
Date Sat, 04 Oct 2014 03:33:33 GMT

    [ https://issues.apache.org/jira/browse/SENTRY-488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14158920#comment-14158920 ]

Prasad Mujumdar commented on SENTRY-488:
----------------------------------------

[~asuresh] Thanks for putting the patch together.

If I am not mistaken, the problem only happens when the user's roleset is empty, which is due
to the fact that getMSentryPrivilegesByAuth() treats an empty roleSet as a wildcard.
In that case, would it make sense to check this case and return an empty result set right away?
Basically, if the requesting user is not an admin, then don't even try to call getMSentryPrivilegesByAuth()
and avoid extracting all roles and filtering all of them out?

The rest of the patch looks fine. Thanks for adding the testcase.

> Sentry list_sentry_privileges_by_authorizable API does not filter out roles/privileges for some cases.
> ------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-488
>                 URL: https://issues.apache.org/jira/browse/SENTRY-488
>             Project: Sentry
>          Issue Type: Bug
>            Reporter: Arun Suresh
>            Assignee: Arun Suresh
>         Attachments: SENTRY-488.1.patch, SENTRY-488.2.patch
>
>
> I am requestorUserName=u'user1_1', which is non-admin and only has the 'foo' group.
> I can list ALL the roles/privileges attached to an object.
> I should only see the group foo and its privileges on sample_07.
> {code}
> [02/Oct/2014 16:41:23 -0700] thrift_util  DEBUG    Thrift call <class 'sentry_policy_service.SentryPolicyService.Client'>.list_sentry_privileges_by_authorizable
> returned in 38ms: TListSentryPrivilegesByAuthResponse(status=TSentryResponseStatus(message='',
> stack=None, value=0), privilegesMapByAuth={TSentryAuthorizable(table='sample_07', db='default',
> uri=None, server='server1'): TSentryPrivilegeMap(privilegeMap={'foo': set([TSentryPrivilege(grantOption=0,
> serverName='server1', tableName='sample_07', privilegeScope='TABLE', createTime=1412271660913,
> URI='', action='all', dbName='default'), TSentryPrivilege(grantOption=0, serverName='server1',
> tableName='sample_07', privilegeScope='TABLE', createTime=1412270683086, URI='', action='select',
> dbName='default'), TSentryPrivilege(grantOption=0, serverName='server1', tableName='sample_07',
> privilegeScope='TABLE', createTime=1412271260793, URI='', action='insert', dbName='default')]),
> 'jholoman': set([TSentryPrivilege(grantOption=0, serverName='server1', tableName='sample_07',
> privilegeScope='TABLE', createTime=1412271260793, URI='', action='insert', dbName='default')]),
> ....
> [02/Oct/2014 16:41:23 -0700] thrift_util  DEBUG    Thrift call: <class 'sentry_policy_service.SentryPolicyService.Client'>.list_sentry_privileges_by_authorizable(args=(TListSentryPrivilegesByAuthRequest(protocol_version=1,
> authorizableSet=[TSentryAuthorizable(table=u'sample_07', db=u'default', uri=None, server=u'server1')],
> roleSet=None, groups=None, requestorUserName=u'user1_1'),), kwargs={})
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
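
An added example, not part of the original message or the Sentry code base: a simplified Python model of the behaviour the comment describes, where a lookup that treats an empty role set as a wildcard returns every role's privileges to a non-admin requestor who has no roles, beside the short-circuit check the comment suggests. The function names, the group-to-role mapping and the sample data are constructed for illustration.

```python
# Simplified model, not Sentry code. All names and data are constructed;
# only the "empty role set acts as a wildcard" behaviour comes from the comment.

# Constructed sample: role -> actions granted on default.sample_07
PRIVS = {
    "foo": {"all", "select", "insert"},
    "jholoman": {"insert"},
}
# Constructed sample: group -> roles
GROUP_ROLES = {"foo": {"foo"}, "ops": {"jholoman"}}


def privileges_by_auth(role_set):
    """Store lookup: an empty role_set is treated as a wildcard (all roles)."""
    if not role_set:
        return dict(PRIVS)
    return {r: p for r, p in PRIVS.items() if r in role_set}


def roles_for(groups):
    """Resolve a requestor's groups (possibly None) to their roles."""
    roles = set()
    for g in groups or []:
        roles |= GROUP_ROLES.get(g, set())
    return roles


def list_privs_unsafe(groups, is_admin):
    """Passes the resolved roles straight to the lookup.

    A non-admin with no roles sends an empty set, which the lookup
    reads as 'no filter', so every role's privileges come back.
    """
    role_set = set() if is_admin else roles_for(groups)
    return privileges_by_auth(role_set)


def list_privs_checked(groups, is_admin):
    """Short-circuit: a non-admin with no roles gets an empty result."""
    if is_admin:
        return privileges_by_auth(set())  # wildcard is intended for admins
    role_set = roles_for(groups)
    if not role_set:
        return {}  # never reach the wildcard path
    return privileges_by_auth(role_set)
```

The general point for reviewers is that a filter argument whose empty value means "match everything" needs an explicit authorization decision before the call, not after it.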
