Posted to issues@trafodion.apache.org by "Roberta Marton (JIRA)" <ji...@apache.org> on 2018/09/21 18:14:00 UTC

[jira] [Commented] (TRAFODION-3194) Revoke grant option for all on objects also revokes all privileges from user/role

    [ https://issues.apache.org/jira/browse/TRAFODION-3194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16623991#comment-16623991 ] 

Roberta Marton commented on TRAFODION-3194:
-------------------------------------------

We create two sets of bitmaps for an object, one set contains whether the operation has been granted (privs) and the other whether the operation was granted using the with grant option (wgo).  During a grant or revoke, Trafodion sets up the bitmaps to match what the user requests.  So if the select privilege on table t1 is revoked, the privs and wgo bits associated with SELECT are set.  Later, metadata is updated to reflect the change.

The issue occurred because the code was always setting the privs bit to true.  Since we are only revoking the "grant option", only the wgo bit should be set.

Code was changed to pass both the privs and wgo values to the bitmap code instead of defaulting the privs bit to true.

> Revoke grant option for all on objects also revokes all privileges from user/role
> ---------------------------------------------------------------------------------
>
>                 Key: TRAFODION-3194
>                 URL: https://issues.apache.org/jira/browse/TRAFODION-3194
>             Project: Apache Trafodion
>          Issue Type: Bug
>            Reporter: Roberta Marton
>            Assignee: Roberta Marton
>            Priority: Major
>
> 'revoke grant option for all' should only revoke the ability to grant all privileges to another user/role, but now all privileges will be revoked too.
> revoke grant option for single/combined privileges works as expected.
> Test Result :
> ======================================
> SQL>showddl usera_t1;
> CREATE TABLE TRAFODION.TRAFINCSCH1.USERA_T1
>   (
>     A INT DEFAULT NULL NOT SERIALIZED
>   , B VARCHAR(20) CHARACTER SET ISO88591 COLLATE
>       DEFAULT DEFAULT NULL NOT SERIALIZED
>   )
>  ATTRIBUTES ALIGNED FORMAT NAMESPACE 'TRAF_1500000' INCREMENTAL BACKUP
> ;
> -- GRANT SELECT, INSERT, DELETE, UPDATE, REFERENCES ON TRAFODION.TRAFINCSCH1.USERA_T1 TO DB__ROOT WITH GRANT OPTION;
> --- SQL operation complete.
> SQL>grant all on usera_t1 to qauser_sqlqaa with grant option;
> --- SQL operation complete.
> SQL>showddl usera_t1;
> CREATE TABLE TRAFODION.TRAFINCSCH1.USERA_T1
>   (
>     A INT DEFAULT NULL NOT SERIALIZED
>   , B VARCHAR(20) CHARACTER SET ISO88591 COLLATE
>       DEFAULT DEFAULT NULL NOT SERIALIZED
>   )
>  ATTRIBUTES ALIGNED FORMAT NAMESPACE 'TRAF_1500000' INCREMENTAL BACKUP
> ;
> -- GRANT SELECT, INSERT, DELETE, UPDATE, REFERENCES ON TRAFODION.TRAFINCSCH1.USERA_T1 TO DB__ROOT WITH GRANT OPTION;
>   GRANT SELECT, INSERT, DELETE, UPDATE, REFERENCES ON
>   TRAFODION.TRAFINCSCH1.USERA_T1 TO QAUSER_SQLQAA WITH GRANT OPTION;
> --- SQL operation complete.
> SQL>revoke grant option for all on usera_t1 from qauser_sqlqaa;
> --- SQL operation complete.
> SQL>showddl usera_t1; //qauser_sqlqaa doesn’t have any privilege on the table after revoke
> CREATE TABLE TRAFODION.TRAFINCSCH1.USERA_T1
>   (
>     A INT DEFAULT NULL NOT SERIALIZED
>   , B VARCHAR(20) CHARACTER SET ISO88591 COLLATE
>       DEFAULT DEFAULT NULL NOT SERIALIZED
>   )
>  ATTRIBUTES ALIGNED FORMAT NAMESPACE 'TRAF_1500000' INCREMENTAL BACKUP
> ;
> -- GRANT SELECT, INSERT, DELETE, UPDATE, REFERENCES ON TRAFODION.TRAFINCSCH1.USERA_T1 TO DB__ROOT WITH GRANT OPTION;
> --- SQL operation complete.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
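
The two-bitmap behaviour described in the comment above, as an added example that is not part of the original message and is not Trafodion source code. Every type and function name here (`PrivEntry`, `RevokeRequest`, `buildRevokeBuggy`, `buildRevoke`, `applyRevoke`, `privsLostBy`) is hypothetical, and the rule that revoking a privilege also clears its grant option is an assumption of this model.

```cpp
#include <bitset>
#include <iostream>

// Constructed model of the privs/wgo bitmaps; all names are hypothetical.
enum Priv { SELECT_PRIV, INSERT_PRIV, DELETE_PRIV, UPDATE_PRIV, REFERENCES_PRIV, NUM_PRIVS };
using PrivBitmap = std::bitset<NUM_PRIVS>;

// What one grantee holds on one object.
struct PrivEntry {
    PrivBitmap privs;  // operation has been granted
    PrivBitmap wgo;    // operation was granted WITH GRANT OPTION
};

// Bits a REVOKE statement asks to clear, one bitmap per set.
struct RevokeRequest { PrivBitmap privs; PrivBitmap wgo; };

PrivBitmap allPrivs() { return PrivBitmap().set(); }

// Behaviour described as the bug: the privs bit is always set for each named privilege.
RevokeRequest buildRevokeBuggy(const PrivBitmap &named) {
    return RevokeRequest{named, named};
}

// Behaviour described as the fix: the caller passes both the privs and wgo values.
RevokeRequest buildRevoke(const PrivBitmap &named, bool setPrivs, bool setWgo) {
    return RevokeRequest{setPrivs ? named : PrivBitmap(), setWgo ? named : PrivBitmap()};
}

// Clear the requested bits. Assumption: a privilege that is revoked cannot keep its grant option.
PrivEntry applyRevoke(PrivEntry held, const RevokeRequest &req) {
    held.privs &= ~req.privs;
    held.wgo &= ~(req.wgo | req.privs);
    return held;
}

// Regression check: privileges present before the statement and missing after it.
// For REVOKE GRANT OPTION FOR ... this must always be empty.
PrivBitmap privsLostBy(const PrivEntry &before, const PrivEntry &after) {
    return before.privs & ~after.privs;
}

int main() {
    PrivEntry granted{allPrivs(), allPrivs()};  // GRANT ALL ... WITH GRANT OPTION
    PrivEntry buggy = applyRevoke(granted, buildRevokeBuggy(allPrivs()));
    PrivEntry fixed = applyRevoke(granted, buildRevoke(allPrivs(), false, true));
    std::cout << "buggy lost privs: " << privsLostBy(granted, buggy) << "\n"
              << "fixed lost privs: " << privsLostBy(granted, fixed) << "\n";
    return 0;
}
```

A check like `privsLostBy` is the kind of assertion a privilege regression test can run after every `REVOKE GRANT OPTION FOR` statement, since a silent loss of access otherwise shows up only in `showddl` output.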