0

Assume I have a user jack and a group datateam. The user jack belongs to group datateam.

Use Sentry for authorization.

create role admin; 
grant role admin to group datateam; 
grant all on server server1 to role admin;

Now the role admin has the following priveleges.

+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *         |        |            |         | admin           | ROLE            | *          | false         | 1480985013185000  | --       |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+

Assume I have this database.

create database testdb;

It is successful. User jack created a database testdb.

Use Sentry to revoke the privileges on testdb;

revoke all on database `testdb` from role admin;

The priveleges is still the same.

+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *         |        |            |         | admin           | ROLE            | *          | false         | 1480985013185000  | --       |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+

Shouldn't Sentry take the privileges on database testdb away from the server server1?

ehfeng
  • 3,807
  • 4
  • 33
  • 42
cdhit
  • 1,384
  • 1
  • 15
  • 38

1 Answers1

2

No, the Sentry privilege model is hierarchical, as described in the documentation:

Privileges can be granted on different objects in the Hive warehouse. Any privilege that can be granted is associated with a level in the object hierarchy. If a privilege is granted on a container object in the hierarchy, the base object automatically inherits it. For instance, if a user has ALL privileges on the database scope, then (s)he has ALL privileges on all of the base objects contained within that scope.

The privileges are always positive, not negative - you start from nothing by default, and add privileges.

So if you have a privilege at a higher level in the hierarchy ( e.g. server), you cannot take anything away from this privilege at a lower level (such as database). You can only add finer-grained privileges at the lower levels.

Concrete example: suppose we have a server which currently has two databases, A and B. Any privilege granted at the server level will apply to A and B, and to any new databases that are created. Let's say we grant SELECT at the server level:

   Server-level    Database-level   Result
A  SELECT          -                SELECT
B  SELECT          -                SELECT

Then we could add finer-grained privileges at the database level, e.g. INSERT on database B:

   Server-level    Database-level   Result
A  SELECT          -                SELECT
B  SELECT          INSERT           SELECT,INSERT

Then if we revoked all database-level privileges on database B, we are back to where we started:

   Server-level    Database-level   Result
A  SELECT          -                SELECT
B  SELECT          -                SELECT

Changing lower-level privileges has no effect on the higher levels, which are inherited by the lower levels.

DNA
  • 42,007
  • 12
  • 107
  • 146
  • It is clearly very impractical model if you have a table with a lot of columns (i.e. 100 columns, -very common in the Big Data world-) and you want to remove select privileges for just a few columns (like 2 columns). Then you need to specify 98 columns privileges because privileges aren't negative. You can't specify select on the table and revoke select on just a few columns. How this could make sense? – Gabriel Avellaneda May 31 '18 at 21:01
  • Yes, it's inconvenient for that type of usage! It might be possible to grant access to all columns (*) and then revoke just a few specific columns, but I haven't tried this and I can't see any such usage in the documentation. Otherwise it looks like you just have to list all 100 columns, or split the data into multiple tables (with different privileges) and join them where desired. – DNA May 31 '18 at 22:26
  • I was expecting * to work but actually it isn't supported because it returns a syntax error. Having this limitation and looking at the Github repository where the last commit was 5 years ago makes me think that nobody is using Sentry. – Gabriel Avellaneda May 31 '18 at 23:23