Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
Description
STEPS TO REPRODUCE:
User u1 is a ranger admin, also configured as service admin user for hive. Users u2 and u3 have USER role on ranger side.
Create a hive table tl1 as user u1. User u1 has full permissions on tl1 via ranger policy.
As user u1, execute hive beeline command 'grant select on tl1 to user u2'
Ranger grant policy is created with user u2 added with select access type.
As user u1, execute hive beeline command 'grant select on tl1 to user u3 with grant option'
Ranger grant policy is updated with user u3 added with select access type and delegate admin flag set.
As user u1, execute hive beeline command 'revoke select on table tl1 from user u2'
User u2 is removed from ranger grant policy
As user u1, execute hive beeline command 'revoke grant option for select on table tl1 from user u3'
CURRENT BEHAVIOUR:
User u3 is removed from ranger grant policy
EXPECTED BEHAVIOUR:
Revoke grant option should retain the privilege for user and remove only with grant permission, ie access type permission should still exist for user in ranger policy and delegate admin permission should be removed.
From hive documentation:
If a user is granted a privilege WITH GRANT OPTION on a table or view, then the user can also grant/revoke privileges of other users and roles on those objects. As of Hive 0.14.0, the grant option for a privilege can be removed while still keeping the privilege by using REVOKE GRANT OPTION FOR <privilege>