  1. Sentry
  2. SENTRY-445

WITH GRANT OPTION does not allow delegated user to grant less permissive privileges


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4.0
    • Fix Version/s: 1.5.0
    • Component/s: None
    • Labels:
      None

      Description

      In this case, the delegated user (root) has been granted ALL on a database and the WITH GRANT OPTION was specified. When the user tries to issue a GRANT SELECT ON TABLE within that database, the command fails, saying the user does not have privileges to execute. It seems that since ALL implies SELECT, they should be able to also GRANT SELECT privileges.

      -- executing against localhost:21000
      create role grant_revoke_test_ROOT;
      grant role grant_revoke_test_ROOT to group root;
      grant all on database functional to grant_revoke_test_ROOT WITH GRANT OPTION;
      
      -- connecting to: localhost:21000 as "root"
      -- FAILS:  AuthorizationException: User 'root' does not have privileges to execute: GRANT_PRIVILEGE
      grant select on table functional.alltypes to grant_revoke_test_ROOT;
      
      -- SUCCEEDS
      grant ALL on table functional.alltypes to grant_revoke_test_ROOT;
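
The two outcomes in the reproduction above can be modelled as the difference between an exact-action check and an implication check on the grantor's privileges. This is an added example, not Sentry's code and not taken from the attached patches; the `Privilege` model and all function names are hypothetical, and the exact-match check is only an assumption that reproduces the FAILS/SUCCEEDS results shown.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Privilege:
    action: str                      # "ALL", "SELECT", "INSERT"
    database: str
    table: Optional[str] = None      # None means the whole database
    grant_option: bool = False

def scope_covers(held: Privilege, wanted: Privilege) -> bool:
    """A database-level privilege covers every table in that database."""
    if held.database.lower() != wanted.database.lower():
        return False
    if held.table is None:
        return True
    return wanted.table is not None and held.table.lower() == wanted.table.lower()

def action_implies(held: str, wanted: str) -> bool:
    """ALL implies every action; otherwise the actions must be equal."""
    return held.upper() == "ALL" or held.upper() == wanted.upper()

def can_grant_exact(held_privs, wanted: Privilege) -> bool:
    """Hypothetical check that reproduces the report: action must match exactly."""
    return any(p.grant_option and scope_covers(p, wanted)
               and p.action.upper() == wanted.action.upper() for p in held_privs)

def can_grant(held_privs, wanted: Privilege) -> bool:
    """Expected behaviour: a held privilege WITH GRANT OPTION that implies `wanted`."""
    return any(p.grant_option and scope_covers(p, wanted)
               and action_implies(p.action, wanted.action) for p in held_privs)

# Constructed from the statements in the report.
ROOT_ROLE = [Privilege("ALL", "functional", grant_option=True)]
SELECT_ON_TABLE = Privilege("SELECT", "functional", "alltypes")
ALL_ON_TABLE = Privilege("ALL", "functional", "alltypes")

if __name__ == "__main__":
    for wanted in (SELECT_ON_TABLE, ALL_ON_TABLE):
        print(wanted.action, "exact:", can_grant_exact(ROOT_ROLE, wanted),
              "implied:", can_grant(ROOT_ROLE, wanted))
```

The implication check still denies delegation when the grant option is missing, when the target is in another database, or when the grantor holds only a narrower action than the one being granted.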
      

        Attachments

        1. SENTRY-445.1.patch
          5 kB
          Prasad Suresh Mujumdar
        2. SENTRY-445.2.patch
          5 kB
          Prasad Suresh Mujumdar


              People

              • Assignee:
                prasadm Prasad Suresh Mujumdar
              • Reporter:
                lskuff Lenni Kuff