You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafodion.apache.org by "Roberta Marton (JIRA)" <ji...@apache.org> on 2018/04/20 21:19:00 UTC
[jira] [Work started] (TRAFODION-2542) Grantor is not correct when
granting privileges on behalf of a role
[ https://issues.apache.org/jira/browse/TRAFODION-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Work on TRAFODION-2542 started by Roberta Marton.
-------------------------------------------------
> Grantor is not correct when granting privileges on behalf of a role
> --------------------------------------------------------------------
>
> Key: TRAFODION-2542
> URL: https://issues.apache.org/jira/browse/TRAFODION-2542
> Project: Apache Trafodion
> Issue Type: Bug
> Components: sql-security
> Reporter: Roberta Marton
> Assignee: Roberta Marton
> Priority: Major
>
> Example:
> Admin user:
> register user sql_user1;
> register user sql_user2;
> create role role1;
> create schema abc;
> create table abc.table1 (a int);
> grant select on abc.table1 to role1;
> grant role role1 to sql_user1 with grant option.
> sql_user1 can grant privileges on table abc.table1 through role role1.
> sql_user1 attempts a grant:
> grant select on abc.table1 to sql_user2;
> This works but it shouldn't because sql_user1 does not directly have the privileges to grant select. At this time, sql_user1 becomes the grantor or the privilege (instead of role1). If the privilege is later revoked, then it must be revoked by sql_user1 or through an administrator by specifying the GRANTED BY clause:
> revoke select on abc.table1 from sql_user2 granted by sql_user1;
> Instead, the grant should return an error and sql_user1 use the granted by clause:
> grant select on abc.table1 to sql_user2 granted by role1;
> Then anyone who has been granted role1 can revoke the privilege. Like the grant, the revoke operation would need to include the GRANTED BY clause:
> revoke select on abc.table1 from sql_user2 granted by role1;
> or shortened to
> revoke select on abc.table1 from sql_user2 by role1;
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)