This has been fixed in 0.14 release. Please open new jira if you see any issues.

Yes, revoking admin/grant option for roles/privileges should work for both default and sql standard auth.

Aha, there it is in the HIVE-5923 release note, plain as day. Thanks, Jason Dere.

Do the changes in HIVE-6252 (revoke admin option for role) and HIVE-7404 (revoke grant option for priv_type, this jira) apply to the default authorization as well as SQL standard based authorization? I'll assume so, unless you tell me otherwise, and put all the version information in the wiki with links to the jiras.

Hey Lefty Leverenz, looks like WITH ADMIN OPTION was added as part of HIVE-5923 (0.13.0).

Thanks for the docs, Jason Dere. I added version information to the SQL Standard Based Authorization wiki, but held off on the wiki for default Authorization because I don't know which jira added WITH ADMIN OPTION to GRANT ROLE. Was that added in 0.13.0 along with the clause in SQL standard based authorization? (That's the earliest I've found it in the test suite, but I can't tell whether it's SQL standard or default, or both.)

Updated https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization and https://cwiki.apache.org/confluence/display/Hive/LanguageManual+Authorization#LanguageManualAuthorization-Grant/RevokePrivileges

Document this in the SQL Standard Based Authorization wiki:

• Object Privilege Commands – Revoke

Committed to trunk. Thanks for the review Thejas

+1

Overall: -1 at least one tests failed

Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12656189/HIVE-7404.2.patch

ERROR: -1 due to 3 failed/errored test(s), 5741 tests executed
Failed tests:

org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver_temp_table
org.apache.hadoop.hive.cli.TestMinimrCliDriver.testCliDriver_ql_rewrite_gbtoidx
org.apache.hive.hcatalog.pig.TestHCatLoader.testReadDataPrimitiveTypes

Test results: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-Build/828/testReport
Console output: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-Build/828/console
Test logs: http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-Build-828/

Messages:

Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 3 tests failed

This message is automatically generated.

ATTACHMENT ID: 12656189

Patch v2 changes the new grantOption arg for the Thrift grant_revoke_privileges() to only apply for revoking privileges. This way there is only one way to set the grant option for grant privilege requests - it should be set in the privilegeBag.

Failures do not appear to be related to patch.

Overall: -1 at least one tests failed

Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12655649/HIVE-7404.1.patch

ERROR: -1 due to 3 failed/errored test(s), 5718 tests executed
Failed tests:

org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver_temp_table
org.apache.hadoop.hive.cli.TestMinimrCliDriver.testCliDriver_ql_rewrite_gbtoidx
org.apache.hadoop.hive.metastore.txn.TestCompactionTxnHandler.testRevokeTimedOutWorkers

Test results: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-Build/786/testReport
Console output: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-Build/786/console
Test logs: http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-Build-786/

Messages:

Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
Tests exited with: TestsFailedException: 3 tests failed

This message is automatically generated.

ATTACHMENT ID: 12655649

RB at https://reviews.apache.org/r/23470/