> On Feb. 19, 2014, 4:31 p.m., Thejas Nair wrote:
> > ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java, line 278
> > <https://reviews.apache.org/r/18250/diff/2/?file=497456#file497456line278>
> >
> > We need to pass the roleNames argument to this function and check that
> > user has admin option on these roles. For example the role in grant-role
> > could be role A while current role is role B. The check is happening now on
> > role B only.
> > What should we do if a user is a member with admin option of role Y,
> > because it belongs to role X and role X has admin option on Y?
> > Should we check that X is in the current role in that case? I guess so,
> > that will make it consistent with rest of the current role behavior.

Let's say user X has an admin option on role A. User X now wants to grant role A to user B. IMO, user X's current role should be A. He shouldn't be allowed to grant role A to user B if his current role is C. Currently, that is what's implemented. It seems you are suggesting that user X should be allowed to grant role A to user B even if his current role is C. To me, this seems counterintuitive. Not sure what the standard says here.

- Ashutosh

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18250/#review34869
-----------------------------------------------------------

On Feb. 19, 2014, 3:31 a.m., Ashutosh Chauhan wrote:
>
> (Updated Feb. 19, 2014, 3:31 a.m.)
>
> Review request for hive.
>
> Bugs: HIVE-6433
>     https://issues.apache.org/jira/browse/HIVE-6433
>
> Repository: hive-git
>
> Description
> -------
>
> SQL std auth - allow grant/revoke roles if user has ADMIN OPTION
>
> Diffs
> -----
>
>   ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java c1afaee
>   ql/src/test/queries/clientpositive/authorization_role_grant2.q PRE-CREATION
>   ql/src/test/results/clientpositive/authorization_role_grant2.q.out PRE-CREATION
>
> Diff: https://reviews.apache.org/r/18250/diff/
>
> Testing
> -------
>
> Added new test
>
> Thanks,
>
> Ashutosh Chauhan
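
The three ways of checking ADMIN OPTION that come up in this thread, modelled side by side as an added example; it is not part of the original e-mails and is not Hive's code. Every class, method, user and role name is hypothetical, and the model assumes the current roles passed in are roles the user really belongs to.

```java
import java.util.*;

// Toy model, not Hive code: every class, method, user and role name is hypothetical.
public class RoleGrantCheckDemo {
    // principal (user or role) -> granted role -> true if granted WITH ADMIN OPTION
    static final Map<String, Map<String, Boolean>> GRANTS = new HashMap<>();

    static void grant(String principal, String role, boolean admin) {
        GRANTS.computeIfAbsent(principal, k -> new HashMap<>()).put(role, admin);
    }

    static boolean hasAdmin(String principal, String role) {
        return GRANTS.getOrDefault(principal, Collections.emptyMap()).getOrDefault(role, false);
    }

    // Check 1: only the current roles are inspected; the roles being granted are ignored.
    static boolean currentRoleOnly(String user, Set<String> current, List<String> roleNames) {
        return current.stream().anyMatch(c -> hasAdmin(user, c));
    }

    // Check 2: every granted role must be a current role on which the user has ADMIN OPTION.
    static boolean grantedRoleIsCurrent(String user, Set<String> current, List<String> roleNames) {
        return roleNames.stream().allMatch(r -> current.contains(r) && hasAdmin(user, r));
    }

    // Check 3: check 2, or some current role itself holds ADMIN OPTION on the granted role.
    static boolean viaCurrentRole(String user, Set<String> current, List<String> roleNames) {
        return roleNames.stream().allMatch(r -> (current.contains(r) && hasAdmin(user, r))
                || current.stream().anyMatch(c -> hasAdmin(c, r)));
    }

    static void show(String label, Set<String> current, String role) {
        List<String> roles = Collections.singletonList(role);
        System.out.printf("%-20s check1=%b check2=%b check3=%b%n", label,
                currentRoleOnly("userX", current, roles),
                grantedRoleIsCurrent("userX", current, roles),
                viaCurrentRole("userX", current, roles));
    }

    public static void main(String[] args) {
        grant("userX", "A", true);  // userX holds ADMIN OPTION on roles A and C
        grant("userX", "C", true);
        grant("userX", "X", false); // userX is a plain member of role X
        grant("X", "Y", true);      // role X holds ADMIN OPTION on role Y
        show("current=C, grant A", Collections.singleton("C"), "A");
        show("current=A, grant A", Collections.singleton("A"), "A");
        show("current=X, grant Y", Collections.singleton("X"), "Y");
    }
}
```

The first scenario is the one where checks 1 and 2 disagree, and the third is the indirect case raised in the quoted comment, which only check 3 accepts.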