sentry-commits mailing list archives

From "Xiaomeng Huang (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (SENTRY-552) Downgrading privileges does not always work for column-level privileges
Date Tue, 02 Dec 2014 05:24:13 GMT

    [ https://issues.apache.org/jira/browse/SENTRY-552?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14231013#comment-14231013 ]

Xiaomeng Huang edited comment on SENTRY-552 at 12/2/14 5:24 AM:
----------------------------------------------------------------

Thanks [~dapengsun] for fixing this issue. I think this jira fixed two issues: both the use
cases in SENTRY-543 and the use cases of downgrading privileges in this jira. I can understand
this fix and it actually can work. BTW, I think this issue is not caused by the column-level
feature; it also exists when we downgrade database-level privileges from table-level privileges.


was (Author: huang xiaomeng):
Thanks [~dapengsun] for fixing this issue. I think this jira fixed two issues: both the use
cases in SENTRY-543 and the use cases of downgrading privileges in this jira. I can understand
this fix and it actually can work. BTW, I think this issue is not caused by the column-level
feature; it also exists when we revoke downgrade database-level privileges from table-level privileges.

> Downgrading privileges does not always work for column-level privileges
> -----------------------------------------------------------------------
>
>                 Key: SENTRY-552
>                 URL: https://issues.apache.org/jira/browse/SENTRY-552
>             Project: Sentry
>          Issue Type: Bug
>    Affects Versions: 1.5.0
>            Reporter: Lenni Kuff
>            Assignee: Dapeng Sun
>             Fix For: 1.5.0
>
>         Attachments: SENTRY-552.002.patch, SENTRY-552.003.patch, SENTRY-552.004.patch, SENTRY-552.patch
>
>
> The following doesn't work properly:
> grant all on col1
> grant all on col2
> revoke select on col2
> -- at this point, will have ALL on col1, INSERT on col2
> revoke INSERT from table <--- Does not do the proper thing.
> The expectation is that revoking INSERT from the table would remove the INSERT privilege
> on col2 and also downgrade the ALL privilege on col1 to SELECT. Instead the privilege on col1
> stays intact.
> Note that this was exposed as part of the fix for SENTRY-543. Prior to that the REVOKE
> would incorrectly remove both privileges.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
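
The revoke behaviour the issue description expects, sketched as an added example (not part of the original message and not Sentry's code). It assumes ALL stands for SELECT plus INSERT, as the description implies, and uses constructed scope names (db1, t1, col1, col2); it also covers the parent-scope case raised in the comment by cascading a revoke to every scope beneath it.

```python
# Illustrative model only; not Sentry's implementation. Scopes are tuples such
# as ("db1", "t1", "col1"); ALL is assumed to mean SELECT plus INSERT.
ALL = "ALL"
COMPONENTS = frozenset({"SELECT", "INSERT"})


def expand(action):
    """Return the set of concrete actions a stored action stands for."""
    return set(COMPONENTS) if action == ALL else {action}


def collapse(actions):
    """Store the full action set as ALL, anything else as separate actions."""
    return {ALL} if actions == COMPONENTS else set(actions)


def grant(privs, scope, action):
    current = set().union(*(expand(a) for a in privs.get(scope, set())))
    privs[scope] = collapse(current | expand(action))


def revoke(privs, scope, action):
    """Revoke `action` at `scope` and at every scope beneath it.

    A stored ALL is expanded first, so revoking one component downgrades it
    to the remaining component instead of leaving it untouched.
    """
    for held_scope in list(privs):
        if held_scope[:len(scope)] != scope:
            continue  # not at or below the revoked scope
        held = set().union(*(expand(a) for a in privs[held_scope]))
        remaining = held - expand(action)
        if remaining:
            privs[held_scope] = collapse(remaining)
        else:
            del privs[held_scope]


def replay_issue():
    """Replay the sequence from the issue description on constructed names."""
    privs = {}
    grant(privs, ("db1", "t1", "col1"), ALL)
    grant(privs, ("db1", "t1", "col2"), ALL)
    revoke(privs, ("db1", "t1", "col2"), "SELECT")
    before = {s: set(a) for s, a in privs.items()}
    revoke(privs, ("db1", "t1"), "INSERT")  # table-level revoke
    return before, privs
```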
