cdhit

Reputation: 1454

Sentry privileges model: Can Sentry take database privileges away from server privileges?

Assume I have a user jack and a group datateam. The user jack belongs to group datateam.

Use Sentry for authorization.

create role admin; 
grant role admin to group datateam; 
grant all on server server1 to role admin;

Now the role admin has the following privileges.

+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *         |        |            |         | admin           | ROLE            | *          | false         | 1480985013185000  | --       |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+

Assume I have this database.

create database testdb;

It is successful. User jack created a database testdb.

Use Sentry to revoke the privileges on testdb.

revoke all on database `testdb` from role admin;

The privileges are still the same.

+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| database  | table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |    grant_time     | grantor  |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
| *         |        |            |         | admin           | ROLE            | *          | false         | 1480985013185000  | --       |
+-----------+--------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+

Shouldn't Sentry take the privileges on database testdb away from the server server1?

Upvotes: 0

Views: 1086

Answers (1)

DNA

Reputation: 42597

No, the Sentry privilege model is hierarchical, as described in the documentation:

Privileges can be granted on different objects in the Hive warehouse. Any privilege that can be granted is associated with a level in the object hierarchy. If a privilege is granted on a container object in the hierarchy, the base object automatically inherits it. For instance, if a user has ALL privileges on the database scope, then (s)he has ALL privileges on all of the base objects contained within that scope.

The privileges are always positive, not negative - you start from nothing by default, and add privileges.

So if you have a privilege at a higher level in the hierarchy (e.g. server), you cannot take anything away from this privilege at a lower level (such as database). You can only add finer-grained privileges at the lower levels.

Concrete example: suppose we have a server which currently has two databases, A and B. Any privilege granted at the server level will apply to A and B, and to any new databases that are created. Let's say we grant SELECT at the server level:

   Server-level    Database-level   Result
A  SELECT          -                SELECT
B  SELECT          -                SELECT   

Then we could add finer-grained privileges at the database level, e.g. INSERT on database B:

   Server-level    Database-level   Result
A  SELECT          -                SELECT
B  SELECT          INSERT           SELECT,INSERT   

Then if we revoked all database-level privileges on database B, we are back to where we started:

   Server-level    Database-level   Result
A  SELECT          -                SELECT
B  SELECT          -                SELECT

Changing lower-level privileges has no effect on the higher levels, which are inherited by the lower levels.

Upvotes: 2
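The hierarchy the answer describes, as an added toy model in Python (not Sentry's own code): effective privileges are the union of the grants on an object and on every container above it, and a revoke only removes a grant recorded at exactly that level. The scope tuples, role and privilege names are assumptions made for the example.

```python
from collections import defaultdict

class SentryModel:
    """Toy model of Sentry's hierarchical, additive privilege resolution."""

    def __init__(self):
        # grants[role][scope] = privileges; scope is a tuple naming the object
        # path, e.g. ("server1",) or ("server1", "testdb") (assumed layout).
        self.grants = defaultdict(lambda: defaultdict(set))

    def grant(self, role, scope, privilege):
        self.grants[role][tuple(scope)].add(privilege.upper())

    def revoke(self, role, scope, privilege="ALL"):
        # Revokes are positive-only: they remove grants recorded at exactly
        # this scope and never create a "negative" entry that could hide a
        # privilege inherited from a container object higher up.
        scope = tuple(scope)
        if privilege.upper() == "ALL":
            self.grants[role].pop(scope, None)
        else:
            self.grants[role][scope].discard(privilege.upper())

    def effective(self, role, scope):
        # Union of the grants at this scope and at every containing scope.
        scope = tuple(scope)
        result = set()
        for depth in range(1, len(scope) + 1):
            result |= self.grants[role].get(scope[:depth], set())
        return result

def question_scenario():
    # The asker's steps: ALL on server1, then revoke ALL on database testdb.
    m = SentryModel()
    m.grant("admin", ("server1",), "ALL")
    before = m.effective("admin", ("server1", "testdb"))
    m.revoke("admin", ("server1", "testdb"), "ALL")
    after = m.effective("admin", ("server1", "testdb"))
    return before, after  # both {'ALL'}: the database-level revoke changed nothing

def answer_scenario():
    # The answer's tables: SELECT on the server, INSERT added then revoked on B.
    m = SentryModel()
    m.grant("admin", ("srv",), "SELECT")
    m.grant("admin", ("srv", "B"), "INSERT")
    with_insert = m.effective("admin", ("srv", "B"))
    m.revoke("admin", ("srv", "B"))  # back to where we started
    return with_insert, m.effective("admin", ("srv", "A")), m.effective("admin", ("srv", "B"))
```

Running both scenarios reproduces the tables in the answer: the database-level revoke leaves the server-level grant untouched.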
