[SENTRY-445] WITH GRANT OPTION does not allow delegated user to grant less permissive privileges - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.4.0
Fix Version/s: 1.5.0
Component/s: None
Labels:
None

Description

In this case the delegated user (root) has been granted ALL on a database and the WITH GRANT OPTION was specified. When the user tries to issue a GRANT SELECT ON TABLE within that database the command fails saying the user does not have privileges to execute. It seems that since ALL implies SELECT they should be able to also GRANT SELECT privileges.

-- executing against localhost:21000
create role grant_revoke_test_ROOT;
grant role grant_revoke_test_ROOT to group root;
grant all on database functional to grant_revoke_test_ROOT WITH GRANT OPTION;

-- connecting to: localhost:21000 as "root"
-- FAILS:  AuthorizationException: User 'root' does not have privileges to execute: GRANT_PRIVILEGE
grant select on table functional.alltypes to grant_revoke_test_ROOT;

-- SUCCEEDS
grant ALL on table functional.alltypes to grant_revoke_test_ROOT;

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SENTRY-445.2.patch
30/Sep/14 16:43
5 kB
Prasad Suresh Mujumdar
SENTRY-445.1.patch
30/Sep/14 04:19
5 kB
Prasad Suresh Mujumdar

Issue Links

links to

Review #26164

Activity

People

Assignee:: Prasad Suresh Mujumdar

Reporter:: Lenni Kuff

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 17/Sep/14 08:19

Updated:: 30/Sep/14 18:20

Resolved:: 30/Sep/14 18:20