Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Won't Fix
-
2.1.0
-
None
-
None
Description
When multiple permissions are required by a principle for an operation in beeline to be authorized by sentry, beeline only displays one of the needed permissions in its error message.
For example, to execute ALTER TABLE SET LOCATION, a principle needs ALL on the location URI, and ALTER on the table. If a user's role has neither of these, beeline just displays that the role needs ALL on the location URI. Once the user role has all on the location URI, then beeline displays that the user role needs ALTER on the table.
Before the role has any privileges:
> alter table db1.table1 set location '/tmp';
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
User merry does not have privileges for ALTERTABLE_LOCATION
The required privileges: Server=server1->URI=hdfs://rogue-4.gce.com:8020/tmp->action=*; (state=42000,code=40000)
After granting all on the location URI:
> alter table db1.table1 set location '/tmp';
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
User merry does not have privileges for ALTERTABLE_LOCATION
The required privileges: Server=server1->Db=db1->Table=table1->action=alter; (state=42000,code=40000)
Instead, the error message should be something like the following:
The required privileges are all of:
Server=server1->URI=hdfs://rogue-4.gce.com:8020/tmp->action=*;Server=server1->Db=db1->Table=table1->action=alter;
Attachments
Attachments
Issue Links
- relates to
-
SENTRY-2361 Document the access check behavior of Sentry and required privileges for DDL operation
-
- Open
-
- links to
