  1. Sentry
  2. SENTRY-2204

Revoke 'all/*' on server from role revokes all privileges from the same role

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Major
    • Resolution: Not A Problem
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Sentry
    • Labels: None

      Description

      I have assigned the below privileges to one role, i.e. role_1:

      +------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
      |           database           | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |
      +------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
      | hdfs://nameservice01/user/h  |        |            |         | role_157        | ROLE            | *          | false         | 1523963168628000  | --       |
      | *                            |        |            |         | role_157        | ROLE            | *          | false         | 1523352328442000  | --       |
      | hdfs://nameservice01/user/m  |        |            |         | role_157        | ROLE            | *          | false         | 1523963186544000  | --       |
      +------------------------------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+

      After that, I executed the below commands, i.e. revoke and show grant for the same role:

      revoke all on server server1 from role role_157;
      
      show grant role role_157;
      
      +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+
      | database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  | grant_time  | grantor  |
      +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+
      +-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------+----------+--+
      No rows selected (0.119 seconds)

      As you can see from above, if you revoke all on server, it also revokes all the other privileges from the same role as well. 

      So is it the right behaviour? Or should it revoke only all/* on server and keep the other privileges?

            People

            • Assignee: Unassigned
            • Reporter: Dawre Sachin