
Not able to grant a privilege to a role if the granting user does not have the same privilege on the entity

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 4.1.1, 4.1.0, 3.5.0
    • Fix Version/s: 4.3.0
    • Component/s: Security

      Description

      Sentry allows a requesting user to grant an action on an entity only if that user already holds a grant for the same action on that entity and is allowed to pass it on (determined by the grantOption boolean flag in TSentryPrivilege). Note: this check is skipped if the requesting user belongs to a group configured in sentry.admin.group.

      In CDAP we allow a grant if the requesting user has ADMIN on the given entity. With the current implementation, the case where a user has ADMIN on an entity and tries to grant any other action, such as WRITE or READ, to some role fails in Sentry because of the check mentioned above. Here is the error:

      Error: 500: rsinha has no grant!. Server Stacktrace: org.apache.sentry.provider.db.SentryGrantDeniedException: rsinha has no grant!
      	at org.apache.sentry.provider.db.generic.service.persistent.DelegateSentryStore.grantOptionCheck(DelegateSentryStore.java:305)
      	at org.apache.sentry.provider.db.generic.service.persistent.DelegateSentryStore.alterRoleGrantPrivilege(DelegateSentryStore.java:176)
      	at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor$5.handle(SentryGenericPolicyProcessor.java:451)
      	at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.requestHandle(SentryGenericPolicyProcessor.java:201)
      	at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor.alter_sentry_role_grant_privilege(SentryGenericPolicyProcessor.java:447)
      	at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryGenericPolicyService.java:877)
      	at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService$Processor$alter_sentry_role_grant_privilege.getResult(SentryGenericPolicyService.java:862)
      	at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
      	at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
      	at org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessorWrapper.process(SentryGenericPolicyProcessorWrapper.java:37)
      	at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
      	at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:745)
      

      Note that this fails only if the requesting user does not have the same action granted on the entity. It also does not fail when granting to a user or group, since we perform that grant as a Sentry admin group.

      One way to get around this for now is for the requesting user to grant the action to himself first and then to the role.
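      The failing check and the workaround, replayed as an added Python model that is not CDAP or Sentry code: SentryStore mirrors the grantOptionCheck behaviour described above, cdap_grant mirrors CDAP's ADMIN-on-entity rule, and ADMIN_GROUP, the namespace name and the role name are constructed. It also assumes CDAP-issued grants carry grantOption, which the grant-to-self workaround implies.

```python
from dataclasses import dataclass

ADMIN_GROUP = "cdap-admins"  # assumed: a group listed in sentry.admin.group (constructed name)

@dataclass(frozen=True)
class Privilege:
    entity: str
    action: str
    grant_option: bool = False  # models TSentryPrivilege.grantOption

class SentryStore:
    """Sentry side: requester needs the same action on the entity with grantOption set."""
    def __init__(self, admin_groups):
        self.admin_groups = set(admin_groups)
        self.user_privs = {}  # user -> set of Privilege
        self.role_privs = {}  # role -> set of Privilege

    def _grant_option_check(self, requester, groups, priv):
        if self.admin_groups & set(groups):
            return  # sentry.admin.group members bypass the check
        if not any((p.entity, p.action, p.grant_option) == (priv.entity, priv.action, True)
                   for p in self.user_privs.get(requester, set())):
            raise PermissionError(f"{requester} has no grant!")

    def grant(self, requester, groups, target, principal, priv):
        self._grant_option_check(requester, groups, priv)
        target.setdefault(principal, set()).add(priv)

def cdap_grant(store, requester, kind, principal, entity, action):
    """CDAP side: ADMIN on the entity suffices; user/group grants run as the admin group."""
    if not any(p.entity == entity and p.action == "ADMIN"
               for p in store.user_privs.get(requester, set())):
        raise PermissionError(f"{requester} lacks ADMIN on {entity}")
    priv = Privilege(entity, action, grant_option=True)  # assumed: CDAP grants set grantOption
    groups = () if kind == "role" else (ADMIN_GROUP,)
    target = store.role_privs if kind == "role" else store.user_privs
    store.grant(requester, groups, target, principal, priv)

def reproduce():
    store = SentryStore([ADMIN_GROUP])
    store.user_privs["rsinha"] = {Privilege("namespace:default", "ADMIN", True)}  # constructed
    try:
        cdap_grant(store, "rsinha", "role", "analysts", "namespace:default", "WRITE")
        direct = "ok"
    except PermissionError as e:
        direct = str(e)
    # Workaround from the ticket: grant WRITE to self first, then to the role.
    cdap_grant(store, "rsinha", "user", "rsinha", "namespace:default", "WRITE")
    cdap_grant(store, "rsinha", "role", "analysts", "namespace:default", "WRITE")
    return direct, store.role_privs["analysts"]
```

      The first role grant is refused with the same "has no grant!" message as the stack trace, while the self-grant passes because it runs as the admin group and then satisfies the grant-option check for the role grant.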

              People

              • Assignee: rsinha Rohit Sinha
              • Reporter: rsinha Rohit Sinha