Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
2.0.1
-
None
-
None
Description
https://issues.apache.org/jira/browse/SENTRY-2413 introduced "sentry.db.explicit.grants.permitted" to specify which privileges are permitted to be granted explicitly. Empty value means allow all privileges. However the following sentry-site.xml does not work.
<property> <name>sentry.db.explicit.grants.permitted</name> <value></value> </property>
Apparently using a space works.
<property> <name>sentry.db.explicit.grants.permitted</name> <value> </value> </property>
Steps to reproduce in Impala:
[localhost:21000] default> create role foo_role; [localhost:21000] default> grant alter on table functional.alltypes to role foo_role; ERROR: AuthorizationException: User 'foobar' does not have privileges to execute: GRANT_PRIVILEGE
Stacktrace:
18/10/04 20:01:06 ERROR thrift.SentryPolicyStoreProcessor: GRANT privilege for [ALTER] not permitted. org.apache.sentry.core.common.exception.SentryGrantDeniedException: GRANT privilege for [ALTER] not permitted. at org.apache.sentry.api.common.SentryServiceUtil.checkDbExplicitGrantsPermitted(SentryServiceUtil.java:364) at org.apache.sentry.api.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_grant_privilege(SentryPolicyStoreProcessor.java:265) at org.apache.sentry.api.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1597) at org.apache.sentry.api.service.thrift.SentryPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryPolicyService.java:1582) at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39) at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39) at org.apache.sentry.api.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:36) at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123) at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)