  1. Sentry
  2. SENTRY-2268

Review the required privileges for DDL commands

    Details

    • Type: Task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      The privileges required for DDL commands are listed in HiveAuthzPrivilegesMap.

      addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INSERT, DBModelAction.ALTER))
      

      means the required output privilege is table-level insert OR alter.

      addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INSERT)).
      addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALTER))
      

      means the required output privilege is table-level insert AND alter.

      We need to review the privileges to see if they are defined correctly. I suspect multiple definitions want to have privileges with AND, but end up getting privileges with OR.
      We should also check if the privilege level is correct. For example, "insert" is a table-level privilege. It does not make sense to require database-level "insert".

            People

            • Assignee:
              LinaAtAustin Na Li
              Reporter:
              LinaAtAustin Na Li
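
Added example, not part of the original issue and not Sentry code: a simplified model of the OR/AND semantics described above, showing how a user with only table-level insert passes the OR definition but fails the AND definition, plus a review pass that flags both kinds of entry the issue asks about. The operation names, the clause representation and the helper functions are hypothetical.

```python
# Added illustration; a simplified model, not Sentry's HiveAuthzPrivilegesMap code.
# A requirement is a list of clauses (level, actions): any action in a clause
# satisfies it (OR); every clause must be satisfied (AND), as the issue describes.

TABLE_ONLY_ACTIONS = {"insert"}  # per the issue: "insert" is a table-level privilege


def is_authorized(required, granted):
    """granted is a set of (level, action) pairs held by the user."""
    return all(
        any((level, action) in granted for action in actions)
        for level, actions in required
    )


def review(definitions):
    """Return (operation, finding) pairs that a reviewer should look at."""
    findings = []
    for op, required in definitions.items():
        for level, actions in required:
            if len(actions) > 1:
                findings.append((op, f"{level}: any one of {sorted(actions)} suffices (OR)"))
            for action in sorted(actions & TABLE_ONLY_ACTIONS):
                if level != "table":
                    findings.append((op, f"{action} required at {level} level"))
    return findings


# Constructed sample definitions; the operation names are hypothetical.
DEFINITIONS = {
    "op_or": [("table", {"insert", "alter"})],                # one call, two actions
    "op_and": [("table", {"insert"}), ("table", {"alter"})],  # two chained calls
    "op_db_insert": [("database", {"insert"})],
}

# Constructed grant: the user holds only table-level insert.
INSERT_ONLY = {("table", "insert")}

if __name__ == "__main__":
    for op in ("op_or", "op_and"):
        print(op, is_authorized(DEFINITIONS[op], INSERT_ONLY))
    for finding in review(DEFINITIONS):
        print(finding)
```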