Posted to issues@impala.apache.org by "Csaba Ringhofer (JIRA)" <ji...@apache.org> on 2018/01/18 14:14:00 UTC
[jira] [Resolved] (IMPALA-4315) USE statement throws auth error if user only has column privileges
[ https://issues.apache.org/jira/browse/IMPALA-4315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Csaba Ringhofer resolved IMPALA-4315.
-------------------------------------
Resolution: Fixed
Fix Version/s: Impala 2.12.0
commit: dcc7be0ed483b332dac22d6596f56ff2a6cfdaa3
IMPALA-4315: Allow USE and SHOW TABLES if the user has only column privileges
USE and SHOW TABLES should be allowed if there is at least one
table in a database where the user has table or column
privileges. Impala incorrectly checked only for table privileges.
To test this issue in AuthorizationTest.java, 'functional_avro'
is added as a test database with only column level permissions.
Change-Id: Ia69756a18cb1db304d2bb8c92288612cbd1164d8
Reviewed-on: http://gerrit.cloudera.org:8080/8973
Reviewed-by: Alex Behm <al...@cloudera.com>
Tested-by: Impala Public Jenkins
> USE <db> statement throws auth error if user only has column privileges
> -----------------------------------------------------------------------
>
> Key: IMPALA-4315
> URL: https://issues.apache.org/jira/browse/IMPALA-4315
> Project: IMPALA
> Issue Type: Bug
> Components: Frontend
> Affects Versions: Impala 2.7.0
> Reporter: Dimitris Tsirogiannis
> Assignee: Csaba Ringhofer
> Priority: Major
> Labels: security, usability
> Fix For: Impala 2.12.0
>
>
> From an admin account:
> {code}
> USE test_db;
> GRANT SELECT (col_name) ON TABLE foo TO ROLE `test-role`;
> {code}
> If that's the only permission that role 'test-role' has, then any account that belongs to that role cannot run a "USE test_db" statement:
> {code}
> USE test_db;
> AuthorizationException: User 'testuser' does not have privileges to access: test_db.*
> {code}
> The following statement works though:
> {code}
> select col_name from test_db.foo;
> {code}
> The problem is that checking for ANY privileges, when accessing a database during the analysis of a USE statement, does not seem to be taking column level privileges into account.
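The check described in the report, as an added example that is not part of the original message and is not Impala's code: a small Python model of "ANY privilege on a database" evaluated with and without column-scoped grants. The `Grant` class, the function names and the sample grant list are hypothetical and constructed to mirror the reproduction above.

```python
from dataclasses import dataclass
from typing import Optional


# Hypothetical model of role grants; these are not Impala's classes.
@dataclass(frozen=True)
class Grant:
    role: str
    privilege: str                 # e.g. "SELECT"
    db: str
    table: Optional[str] = None    # None means a database-wide grant
    column: Optional[str] = None   # None means a whole-table grant


def has_any_on_db_table_only(grants, role, db):
    """Behaviour described in the report: column-scoped grants are ignored."""
    return any(g.role == role and g.db == db and g.column is None
               for g in grants)


def has_any_on_db(grants, role, db):
    """Behaviour after the fix: a grant at any scope inside the db counts."""
    return any(g.role == role and g.db == db for g in grants)


def can_select(grants, role, db, table, column):
    """Column read check: a db, table or matching column grant satisfies it."""
    for g in grants:
        if g.role != role or g.db != db or g.privilege != "SELECT":
            continue
        if g.table is None:
            return True
        if g.table == table and g.column in (None, column):
            return True
    return False


# Constructed sample: the single column grant from the reproduction.
GRANTS = [Grant("test-role", "SELECT", "test_db", "foo", "col_name")]

if __name__ == "__main__":
    print("USE test_db, table-only check:", has_any_on_db_table_only(GRANTS, "test-role", "test_db"))
    print("USE test_db, column-aware check:", has_any_on_db(GRANTS, "test-role", "test_db"))
    print("SELECT col_name:", can_select(GRANTS, "test-role", "test_db", "foo", "col_name"))
    print("SELECT other_col:", can_select(GRANTS, "test-role", "test_db", "foo", "other_col"))
```

In this model the column-aware check only lets the role enter the database; reads of columns and databases outside the grant are still refused.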