Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
1.3.0
-
None
-
None
Description
I noticed that if I grant ALL privileges to table (or to all tables under a database using a wildcard), I get back false when I try to access that table using PrivilegeLevel = SELECT | INSERT, but the access works if I accessing using PrivilegeLevel=ALL.
I believe this is because in DBWildcardPrivilege.java @ line 119 the "policyPart" KeyValue param has a key=>value of: "action" => "ALL" (note the string "ALL" as the value) where AccessConstants.ALL has a string val of a wildcard char: "*".
private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) { if(policyPart.getValue().equals(AccessConstants.ALL) || policyPart.equals(requestPart)) { return true; } else ...
In the BE policy server db I see:
sentry_test2=# select "DB_PRIVILEGE_ID", "DB_NAME", "TABLE_NAME", "PRIVILEGE_NAME" FROM "SENTRY_DB_PRIVILEGE" ORDER BY "DB_PRIVILEGE_ID" desc; DB_PRIVILEGE_ID | DB_NAME | TABLE_NAME | PRIVILEGE_NAME -----------------+---------------------+--------------+---------------------------------------- 18 | functional_seq_snap | * | server1+functional_seq_snap+*+ALL
This doesn't seem specific to the DbPolicyProvider, but when using a policy file I seem to be able to work around this by explicitly using a wildcard character for the action rather than "ALL". There doesn't seem to be a way to do this with the DbPolicyProvider.
Attachments
Issue Links
- depends upon
-
SENTRY-217 Add Insert and URI tests for Sentry DB provider
- Resolved
- is part of
-
SENTRY-217 Add Insert and URI tests for Sentry DB provider
- Resolved