Details
-
Sub-task
-
Status: Patch Available
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
-
None
Description
SENTRY-327 is based on Hive-0.13, now hive-0.14 have supported revoking privilege with grant option in HIVE-7404.
It looks like:
REVOKE [GRANT OPTION FOR] priv_type [, priv_type ] ... ON table_or_view_name FROM principal_specification [, principal_specification] ... ;
We should support downgrade grant option for "GRANT OPTION FOR". It means when "GRANT OPTION FOR" set, we just modify grant option of this privilege from true to false.
use cases:
1. grant ALL on database db1 to role role1; 2. grant ALL on database db1 to role role2 with grant option; 3. revoke grant option for ALL on database db1 from role role1; 4. revoke grant option for ALL on database db1 from role role2; 5. revoke ALL on database db1 from role role2;
After 3rd command executed, role1 still has privilege with action ALL on db1, grant option is false.
After 4th command executed, role2 downgrade privilege to grant option is false.
After 5th command executed, role2 will remove privilege with action ALL on db1.
Attachments
Attachments
Issue Links
- is depended upon by
-
SENTRY-672 Support revoking child action with grant option
- Open
- relates to
-
SENTRY-327 Support auth admin delegation via SQL construct 'with grant option'
- Resolved
- links to