Posted to issues@impala.apache.org by "Csaba Ringhofer (JIRA)" <ji...@apache.org> on 2018/01/18 14:14:00 UTC

[jira] [Resolved] (IMPALA-4315) USE statement throws auth error if user only has column privileges

     [ https://issues.apache.org/jira/browse/IMPALA-4315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Csaba Ringhofer resolved IMPALA-4315.
-------------------------------------
       Resolution: Fixed
    Fix Version/s: Impala 2.12.0

commit: dcc7be0ed483b332dac22d6596f56ff2a6cfdaa3

IMPALA-4315: Allow USE and SHOW TABLES if the user has only column privileges

USE and SHOW TABLES should be allowed if there is at least one
table in a database where the user has table or column
privileges. Impala incorrectly checked only for table privileges.

To test this issue in AuthorizationTest.java, 'functional_avro'
is added as a test database with only column level permissions.

Change-Id: Ia69756a18cb1db304d2bb8c92288612cbd1164d8
Reviewed-on: http://gerrit.cloudera.org:8080/8973
Reviewed-by: Alex Behm <al...@cloudera.com>
Tested-by: Impala Public Jenkins

> USE <db> statement throws auth error if user only has column privileges
> -----------------------------------------------------------------------
>
>                 Key: IMPALA-4315
>                 URL: https://issues.apache.org/jira/browse/IMPALA-4315
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Frontend
>    Affects Versions: Impala 2.7.0
>            Reporter: Dimitris Tsirogiannis
>            Assignee: Csaba Ringhofer
>            Priority: Major
>              Labels: security, usability
>             Fix For: Impala 2.12.0
>
>
> From an admin account:
> {code}
> USE test_db;
> GRANT SELECT (col_name) ON TABLE foo TO ROLE `test-role`;
> {code}
> If that's the only permission that role 'test-role' has, then any account that belongs to that role cannot run a "USE test_db" statement:
> {code}
> USE test_db;
> AuthorizationException: User 'testuser' does not have privileges to access: test_db.*
> {code}
> The following statement works though:
> {code}
> select col_name from test_db.foo;
> {code}
> The problem is that checking for ANY privileges, when accessing a database during the analysis of a USE statement, does not seem to be taking column level privileges into account.
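
The check described in the report, as an added example: a small Python model, not Impala's frontend code. The Grant class, the function names and the sample role are hypothetical. It contrasts an "ANY privilege on database" test that ignores column-scoped grants with one that counts them, and shows that a database with no grants at all is still refused.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """One privilege held by a role (hypothetical model, not Impala's classes)."""
    db: Optional[str] = None      # None => server-wide grant
    table: Optional[str] = None   # None => applies to the whole database
    column: Optional[str] = None  # None => applies to the whole table


def any_priv_on_db_table_only(grants, db):
    """Behaviour reported in the issue: column-scoped grants are ignored."""
    return any(g.db in (None, db) and g.column is None for g in grants)


def any_priv_on_db(grants, db):
    """Behaviour after the fix: a grant at any scope inside `db` counts."""
    return any(g.db in (None, db) for g in grants)


def authorize_use(grants, user, db, check=any_priv_on_db):
    """Model of analysing USE <db>: succeed only if `check` finds a privilege."""
    if not check(grants, db):
        raise PermissionError(
            f"User '{user}' does not have privileges to access: {db}.*")
    return db


# Constructed sample mirroring the report: SELECT (col_name) on test_db.foo only.
TEST_ROLE = [Grant(db="test_db", table="foo", column="col_name")]

if __name__ == "__main__":
    # Column-aware check: USE test_db is allowed.
    print("allowed:", authorize_use(TEST_ROLE, "testuser", "test_db"))
    # Table-only check reproduces the error; a database with no grants
    # stays denied even with the column-aware check.
    for db, check in (("test_db", any_priv_on_db_table_only),
                      ("other_db", any_priv_on_db)):
        try:
            authorize_use(TEST_ROLE, "testuser", db, check)
        except PermissionError as exc:
            print("denied:", exc)
```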


