Details
-
Bug
-
Status: Resolved
-
Minor
-
Resolution: Not A Problem
-
None
-
None
-
None
Description
Assume I have a user |jack| and a group |datateam|. The
user |jack| belongs to group |datateam|.
Use Sentry for authorization.
create role admin; grant role admin to group datateam; grant all on server server1 to role admin; |
Now the role |admin| has the following priveleges.
|+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+ | database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor | +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+ | * | | | | admin | ROLE | * | false | 1480985013185000 | -- | +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+|
Assume I have this database.
create database testdb; |
It is successful. User |jack| created a database |testdb|.
Use Sentry to revoke the privileges on |testdb|;
revoke all on database `testdb` from role admin; |
The priveleges is still the same.
|+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+ | database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor | +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+ | * | | | | admin | ROLE | * | false | 1480985013185000 | -- | +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+|
Shouldn't Sentry take the privileges on database |testdb| away from the
server |server1|?