mirror of
https://github.com/apache/impala.git
synced 2026-01-10 09:00:16 -05:00
5cae398a48
This commit fixes an issue where a GRANT ALL ON SERVER to role_name statement followed by a REVOKE ALL ON SERVER from role_name statement would not revoke all privileges from role_name. The problem was triggered by a specific combination of Sentry client API calls used in Impala during grant/revoke statements at server scope. In particular, during GRANT, Impala was using an API call that didn't explicitly specify the privilege action (Sentry uses '*' if no action is specified). In contrast, the corresponding REVOKE call was explicitly specifying the privilege action to be 'ALL'. Sentry doesn't seem to handle this case correctly, thereby failing to remove all the privileges after a REVOKE ALL ON SERVER call. The fix from the Impala side, that results in the correct behavior, is to always specify the privilege action by using the appropriate API calls. Change-Id: I6b3a0d10f5e88c6a0a10bd20f620562d2de7ab25 Reviewed-on: http://gerrit.cloudera.org:8080/2979 Reviewed-by: Dimitris Tsirogiannis <dtsirogiannis@cloudera.com> Tested-by: Internal Jenkins