  1. Sentry (Retired)
  2. SENTRY-2268

Review the required privileges for DDL commands


Details

    • Task
    • Status: Open
    • Major
    • Resolution: Unresolved

    Description

      The privileges required for DDL commands are listed in HiveAuthzPrivilegesMap.

      addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INSERT, DBModelAction.ALTER))
      

      means the required output privilege is table-level insert OR alter.

      addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INSERT)).
      addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALTER))
      

      means the required output privilege is table-level insert AND alter.

      We need to review the privileges to see if they are defined correctly. I suspect multiple definitions want to have privileges with AND, but end up getting privileges with OR.
      We should also check if the privilege level is correct. For example, "insert" is a table-level privilege. It does not make sense to require database-level "insert".
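
The OR/AND distinction described above, as an added example that is not part of the original issue and is not Sentry code: a simplified model in which each builder call contributes one requirement, with a small truth table showing which grants satisfy each form. The names RequiredPrivilegeModel, Action, add, isSatisfiedBy and orCombined are hypothetical.

```java
import java.util.*;

// Simplified model of the semantics described in the issue; not Sentry code.
public class RequiredPrivilegeModel {
    enum Action { SELECT, INSERT, ALTER }

    // One entry per add() call. Entries are AND-ed; actions inside an entry are OR-ed.
    private final List<EnumSet<Action>> requirements = new ArrayList<>();

    RequiredPrivilegeModel add(EnumSet<Action> anyOf) {
        requirements.add(anyOf);
        return this;
    }

    boolean isSatisfiedBy(Set<Action> granted) {
        for (EnumSet<Action> anyOf : requirements) {
            if (Collections.disjoint(anyOf, granted)) return false; // entry unmet
        }
        return true;
    }

    // Review aid: entries listing several actions accept any one of them.
    List<EnumSet<Action>> orCombined() {
        List<EnumSet<Action>> out = new ArrayList<>();
        for (EnumSet<Action> anyOf : requirements) if (anyOf.size() > 1) out.add(anyOf);
        return out;
    }

    public static void main(String[] args) {
        RequiredPrivilegeModel orForm = new RequiredPrivilegeModel()
            .add(EnumSet.of(Action.INSERT, Action.ALTER));
        RequiredPrivilegeModel andForm = new RequiredPrivilegeModel()
            .add(EnumSet.of(Action.INSERT))
            .add(EnumSet.of(Action.ALTER));

        // Constructed sample grants held by a user on one table.
        List<Set<Action>> grants = List.of(
            EnumSet.of(Action.INSERT),
            EnumSet.of(Action.ALTER),
            EnumSet.of(Action.INSERT, Action.ALTER),
            EnumSet.of(Action.SELECT));
        for (Set<Action> g : grants) {
            System.out.printf("granted=%-16s orForm=%-5b andForm=%b%n",
                g, orForm.isSatisfiedBy(g), andForm.isSatisfiedBy(g));
        }
        System.out.println("OR-combined entries to review: " + orForm.orCombined());
    }
}
```

The rows where orForm is true and andForm is false are the grants that pass only because the definition was written as a single set.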

          People

            Unassigned
            linaataustin Na Li