Description
Admins want users who create tables to get implicit owner privileges during table creation. These privileges cannot be revoked.
For instance, a user under role1 with CREATE privileges gets all privileges on newly created tables:
    # As an admin
    hive> grant create on db1 to role1;

    # As a user
    user1> use db1;
    user1> create table t1(id int); -- An implicit 'grant all on db1.t1 to user user1' is generated in Sentry
    user1> insert into table t1 values (1);
    user1> select * from t1;
    user1> drop table t1;
For backward compatibility, the default implicit privilege to be applied must be determined by a configuration set by admins. This is to ensure that an upgrade to this new feature does not affect the behavior of old privileges set before the upgrade. For newly created tables, the privilege must be obtained from the 'owner.privileges' property of the database where the table is created.
For instance, a user gets "all with grant" privileges on db1 but does not get any privilege on db2:
    # As an admin
    hive> alter database db1 set dbproperties ('owner.privileges'='all with grant');
    hive> grant create on db1 to role1;
    hive> alter database db2 set dbproperties ('owner.privileges'='none');
    hive> grant create on db2 to role2;

    # As a user
    user1> create table db1.t1(id int); -- An implicit 'all with grant' privilege is granted to the user on db1.t1
    user1> create table db2.t1(id int); -- No privileges are granted to the user on db2.t1
The implicitly granted privilege cannot be revoked by explicit revoke commands, nor is it removed if the 'owner.privileges' property changes. The only way to remove the implicit privileges is by dropping the table or changing the owner of the table.
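The lifecycle described above, as an added toy model that is not Sentry code and not part of the original issue. All class and method names are hypothetical, and the fallback used when a database has no 'owner.privileges' property is an assumption standing in for the admin-set default.

```python
# Toy in-memory model of the implicit owner privilege rules; hypothetical names, not Sentry code.
class OwnerPrivilegeModel:
    def __init__(self, default_owner_privileges="none"):
        # Assumption: admin-set default used when a database lacks 'owner.privileges'.
        self.default = default_owner_privileges
        self.db_props = {}      # db -> value of 'owner.privileges'
        self.implicit = {}      # (db, table) -> (owner, privilege)
        self.explicit = set()   # (user, db, table, privilege)

    def set_owner_privileges(self, db, value):
        # Only tables created after this call see the new value.
        self.db_props[db] = value

    def create_table(self, user, db, table):
        priv = self.db_props.get(db, self.default)
        if priv != "none":
            self.implicit[(db, table)] = (user, priv)

    def grant(self, user, db, table, priv):
        self.explicit.add((user, db, table, priv))

    def revoke(self, user, db, table, priv):
        # An explicit revoke removes explicit grants only, never the implicit one.
        self.explicit.discard((user, db, table, priv))

    def change_owner(self, db, table):
        # Old owner loses the implicit privilege; the new owner's grant is not modelled.
        self.implicit.pop((db, table), None)

    def drop_table(self, db, table):
        self.implicit.pop((db, table), None)
        self.explicit = {g for g in self.explicit if g[1:3] != (db, table)}

    def privileges(self, user, db, table):
        privs = {p for (u, d, t, p) in self.explicit if (u, d, t) == (user, db, table)}
        owner, priv = self.implicit.get((db, table), (None, None))
        if owner == user:
            privs.add(priv)
        return privs


def demo():
    m = OwnerPrivilegeModel()
    m.set_owner_privileges("db1", "all with grant")
    m.create_table("user1", "db1", "t1")
    m.create_table("user1", "db2", "t1")               # db2 has no property set
    m.revoke("user1", "db1", "t1", "all with grant")   # implicit grant survives
    m.set_owner_privileges("db1", "none")              # existing t1 is unaffected
    return m.privileges("user1", "db1", "t1"), m.privileges("user1", "db2", "t1")
```

A model like this can serve as a test oracle when checking that a revoke or a property change does not silently strip an owner's access after an upgrade.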
Issue Links
- is duplicated by SENTRY-1073 User who creates a table should be granted all privileges on it by default (Resolved)