[ https://issues.apache.org/jira/browse/SENTRY-488?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14158920#comment-14158920 ]

Prasad Mujumdar commented on SENTRY-488:
----------------------------------------

[~asuresh] Thanks for putting the patch together.

If I am not mistaken, the problem only happens when the user's roleset is empty, which is due to the fact that getMSentryPrivilegesByAuth() treats an empty roleSet as a wildcard. In that case, would it make sense to check this case and return an empty result set right away? Basically, if the requesting user is not an admin, then don't even try to call getMSentryPrivilegesByAuth() and avoid extracting all roles and filtering all of them out?

The rest of the patch looks fine. Thanks for adding the testcase.

> Sentry list_sentry_privileges_by_authorizable API does not filter out roles/privileges for some cases.
> ------------------------------------------------------------------------------------------------------
>
> Key: SENTRY-488
> URL: https://issues.apache.org/jira/browse/SENTRY-488
> Project: Sentry
> Issue Type: Bug
> Reporter: Arun Suresh
> Assignee: Arun Suresh
> Attachments: SENTRY-488.1.patch, SENTRY-488.2.patch
>
>
> I am requestorUserName=u'user1_1' which is non admin and only have 'foo' group
> I can list ALL the roles/privilege attached to an object.
> I should only see the group foo and its privilege on sample_07.
> {code}
> [02/Oct/2014 16:41:23 -0700] thrift_util DEBUG Thrift call .list_sentry_privileges_by_authorizable returned in 38ms: TListSentryPrivilegesByAuthResponse(status=TSentryResponseStatus(message='', stack=None, value=0), privilegesMapByAuth={TSentryAuthorizable(table='sample_07', db='default', uri=None, server='server1'): TSentryPrivilegeMap(privilegeMap={'foo': set([TSentryPrivilege(grantOption=0, serverName='server1', tableName='sample_07', privilegeScope='TABLE', createTime=1412271660913, URI='', action='all', dbName='default'), TSentryPrivilege(grantOption=0, serverName='server1', tableName='sample_07', privilegeScope='TABLE', createTime=1412270683086, URI='', action='select', dbName='default'), TSentryPrivilege(grantOption=0, serverName='server1', tableName='sample_07', privilegeScope='TABLE', createTime=1412271260793, URI='', action='insert', dbName='default')]), 'jholoman': set([TSentryPrivilege(grantOption=0, serverName='server1', tableName='sample_07', privilegeScope='TABLE', createTime=1412271260793, URI='', action='insert', dbName='default')]), ....
> [02/Oct/2014 16:41:23 -0700] thrift_util DEBUG Thrift call: .list_sentry_privileges_by_authorizable(args=(TListSentryPrivilegesByAuthRequest(protocol_version=1, authorizableSet=[TSentryAuthorizable(table=u'sample_07', db=u'default', uri=None, server=u'server1')], roleSet=None, groups=None, requestorUserName=u'user1_1'),), kwargs={})
> {code}
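
The empty-role-set-as-wildcard behaviour discussed in the comment above, and the suggested early return for non-admins, as a simplified Python model. This is an added example, not Sentry code or part of the original message; every function name, the group/role mappings and the admin group are constructed assumptions.

```python
# Simplified model, not Sentry's implementation. All names are hypothetical.

# Constructed sample data: role -> actions granted on default.sample_07.
PRIVILEGES_BY_ROLE = {
    "foo": {"all", "select", "insert"},
    "jholoman": {"insert"},
}
# Constructed group -> roles mapping and admin group (assumptions).
ROLES_BY_GROUP = {"foo": {"foo"}, "ops": {"jholoman"}}
ADMIN_GROUPS = {"admin"}


def privileges_by_auth(role_set):
    """Store lookup modelled on the behaviour described in the comment:
    an empty role set acts as a wildcard and matches every role."""
    if not role_set:
        return {r: set(p) for r, p in PRIVILEGES_BY_ROLE.items()}
    return {r: set(p) for r, p in PRIVILEGES_BY_ROLE.items() if r in role_set}


def roles_for_groups(groups):
    """Union of the roles attached to the requestor's groups."""
    roles = set()
    for group in groups:
        roles |= ROLES_BY_GROUP.get(group, set())
    return roles


def list_privileges_unguarded(requestor_groups):
    """Before: a non-admin with no roles passes an empty set to the store,
    which reads it as 'all roles' and returns every role's privileges."""
    return privileges_by_auth(roles_for_groups(requestor_groups))


def list_privileges_guarded(requestor_groups):
    """After: only admins may use the wildcard; a non-admin with an empty
    role set gets an empty result without touching the store."""
    if ADMIN_GROUPS & set(requestor_groups):
        return privileges_by_auth(set())
    roles = roles_for_groups(requestor_groups)
    if not roles:
        return {}
    return privileges_by_auth(roles)
```
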