Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Not A Problem
- Versions: 1.8.0, 2.0.0
Description
Looking at SentryGenericPolicyProcessor:

    @Override
    public TListSentryRolesResponse list_sentry_roles_by_group(
            final TListSentryRolesRequest request) throws TException {
        Response<Set<TSentryRole>> respose = requestHandle(new RequestHandler<Set<TSentryRole>>() {
            @Override
            public Response<Set<TSentryRole>> handle() throws Exception {
                validateClientVersion(request.getProtocol_version());
                // Here we assign groups to the requestor's Unix groups!
                Set<String> groups = getRequestorGroups(conf, request.getRequestorUserName());
                if (!AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())) {
                    boolean admin = inAdminGroups(groups);
                    // Only admin users can list all roles in the system ( groupname = null)
                    // Non admin users are only allowed to list only groups which they belong to
                    if (!admin && (request.getGroupName() == null
                            || !groups.contains(request.getGroupName()))) {
                        throw new SentryAccessDeniedException(ACCESS_DENIAL_MESSAGE
                                + request.getRequestorUserName());
                    }
                    groups.clear();
                    groups.add(request.getGroupName());
                }
                // And here we use Unix groups if the group is "*"
                Set<String> roleNames = store.getRolesByGroups(request.getComponent(), groups);
                ...
What happens here is weird - when the group in the request is ALL ("*"), we attempt to return roles for Unix groups that the requestor belongs to, not Sentry groups. The problem is that Sentry groups and User groups have nothing in common, so this is completely wrong.
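To make the decision path of the quoted handler easy to trace, the following is an added model of its control flow, written for this page and not taken from Sentry. It stands in for `getRequestorGroups`, `inAdminGroups` and `store.getRolesByGroups` with plain Python data: `store` is a constructed dict from group name to role names, `admin_groups` is the constructed admin group set, and a `None` group name is treated as "all roles" for admins, as the comment in the quoted code describes. The store's real handling of a null group name is not shown on the page, so that part is an assumption.

```python
# Constructed model of list_sentry_roles_by_group's authorization path (not Sentry code).
ALL = "*"  # mirrors AccessConstants.ALL


class SentryAccessDeniedException(Exception):
    """Stand-in for the exception raised in the quoted handler."""


def _roles_by_groups(store, groups):
    """Stand-in for store.getRolesByGroups: union of roles for the given groups.

    Assumption: a None group means 'every role in the store', matching the
    quoted comment 'Only admin users can list all roles in the system (groupname = null)'.
    """
    if None in groups:
        return set().union(*store.values())
    return set().union(*(store.get(g, set()) for g in groups))


def list_roles_by_group(store, admin_groups, requestor_groups, requestor, group_name):
    """Reproduce the decision logic of the quoted handler.

    requestor_groups plays the part of getRequestorGroups(): the groups the
    requestor belongs to according to the group mapping, not the request.
    """
    groups = set(requestor_groups)
    # Same branch as !AccessConstants.ALL.equalsIgnoreCase(request.getGroupName())
    if group_name is None or group_name.lower() != ALL:
        admin = bool(groups & admin_groups)  # inAdminGroups(groups)
        # Non-admins may only list a group they belong to, and may not pass null
        if not admin and (group_name is None or group_name not in groups):
            raise SentryAccessDeniedException(f"Access denied to {requestor}")
        groups = {group_name}
    # When the request said "*", the branch above is skipped and the lookup is
    # keyed by the requestor's own groups, which is the behaviour the report describes.
    return _roles_by_groups(store, groups)


# Constructed sample data for a quick walk-through.
STORE = {
    "analysts": {"analyst_role"},
    "ops": {"ops_role"},
    "admin": {"admin_role"},
}
ADMIN_GROUPS = {"admin"}


def demo():
    """Return the outcome of each case so the branches can be compared side by side."""
    results = {}
    results["alice_own_group"] = list_roles_by_group(STORE, ADMIN_GROUPS, {"analysts"}, "alice", "analysts")
    results["alice_star"] = list_roles_by_group(STORE, ADMIN_GROUPS, {"analysts"}, "alice", "*")
    results["bob_other_group"] = list_roles_by_group(STORE, ADMIN_GROUPS, {"admin", "ops"}, "bob", "analysts")
    results["bob_all"] = list_roles_by_group(STORE, ADMIN_GROUPS, {"admin", "ops"}, "bob", None)
    for denied_case, group in (("alice_other_group", "ops"), ("alice_null", None)):
        try:
            list_roles_by_group(STORE, ADMIN_GROUPS, {"analysts"}, "alice", group)
            results[denied_case] = "allowed"
        except SentryAccessDeniedException:
            results[denied_case] = "denied"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Running `demo()` shows the two outcomes the report contrasts: a non-admin asking for `"*"` receives exactly the roles attached to the groups the group mapping assigns to them, while asking for any group they do not belong to, or passing a null group, is denied.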
Issue Links
- is related to: SENTRY-398 Create the generic authorization model in Sentry (Resolved)
- relates to: SENTRY-1609 DelegateSentryStore is subject to JDQL injection (Resolved)