Posted to issues@trafodion.apache.org by "Roberta Marton (JIRA)" <ji...@apache.org> on 2015/11/13 18:04:11 UTC

[jira] [Closed] (TRAFODION-1275) LP Bug: 1465776 - Schema owner in private schema is not the only user able to grant access to object

     [ https://issues.apache.org/jira/browse/TRAFODION-1275?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Roberta Marton closed TRAFODION-1275.
-------------------------------------
    Resolution: Fixed

Remove check for mvn in path in sqenvcom.sh. mvn is only required during build. The file bldenvchk.sh already checks for this.

> LP Bug: 1465776 - Schema owner in private schema is not the only user able to grant access to object
> ----------------------------------------------------------------------------------------------------
>
>                 Key: TRAFODION-1275
>                 URL: https://issues.apache.org/jira/browse/TRAFODION-1275
>             Project: Apache Trafodion
>          Issue Type: Bug
>          Components: sql-security
>            Reporter: Paul Low
>            Assignee: Roberta Marton
>            Priority: Critical
>             Fix For: 2.0-incubating
>
>
> In a private schema, only the schema owner should be able to grant access to objects in the schema.
> In the scenario below, a user (not owner of the schema) created an object on a private schema.  Unexpectedly, the user is able to grant privileges on the object to another user:
> SQL>grant all on tab2 to username4;
> --- SQL operation complete.
> Daily build: 20150613.
> Security is enabled on the instance.
> SQL>connect username1/password1;
> Connected to Trafodion 
> SQL>create schema schema2;
> --- SQL operation complete.
> SQL>grant component privilege "CREATE" on sql_operations to username3;
> --- SQL operation complete.
> SQL>connect username3/password3;
> Connected to Trafodion 
> SQL>set schema schema2;
> --- SQL operation complete.
> SQL>create table tab2(a int, b int) no partition;
> --- SQL operation complete.
> SQL>grant all on tab2 to username4;
> --- SQL operation complete.
