Posted to dev@trafodion.apache.org by Selva Govindarajan <se...@esgyn.com> on 2017/04/26 23:19:35 UTC

RE: [jira] [Created] (TRAFODION-2599) Restrict who can do EXPLAIN

One can get the explain of a currently running query via RMS. Do you think we need to restrict it also?

Selva

-----Original Message-----
From: David Wayne Birdsall (JIRA) [mailto:jira@apache.org] 
Sent: Wednesday, April 26, 2017 3:27 PM
To: issues@trafodion.incubator.apache.org
Subject: [jira] [Created] (TRAFODION-2599) Restrict who can do EXPLAIN

David Wayne Birdsall created TRAFODION-2599:
-----------------------------------------------

             Summary: Restrict who can do EXPLAIN
                 Key: TRAFODION-2599
                 URL: https://issues.apache.org/jira/browse/TRAFODION-2599
             Project: Apache Trafodion
          Issue Type: Improvement
          Components: sql-cmp
    Affects Versions: any
            Reporter: David Wayne Birdsall


JIRA TRAFODION-2294 will fix a security hole in EXPLAIN: One can do an EXPLAIN of a query, then execute the query because EXPLAIN places the compiled plan in the query cache. Executing the query finds the cached plan which bypasses the query cache.

With the fix to that JIRA, anyone will still be able to do an EXPLAIN, but privileges will always be checked before actually executing the query.

But it is fair to ask: Should anyone be able to do EXPLAIN? An advantage of the current situation is that a performance analyst can look at query plans without having access to the data. But query plans do contain some statistical data which may make a determined hacker able to deduce things about the underlying data which they cannot directly see.

So, perhaps the ability to do EXPLAIN should itself be a privileged operation. Perhaps there should be a separate EXPLAIN privilege, either a global privilege or perhaps on individual tables. A person would be able to do EXPLAIN if they hold that privilege or if they hold SELECT privilege on the underlying tables.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
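
As an added example, not code from Trafodion or from anyone in this thread, the following Python sketch models the two decisions in the JIRA quoted above: the plan-cache hit that let execution skip the privilege check (TRAFODION-2294) and its fix, and the proposed rule that EXPLAIN is allowed with an EXPLAIN privilege, global or per table, or with SELECT on every underlying table. `User`, `QueryCache`, `may_explain`, `may_execute` and `denied` are assumed names.

```python
# Added example, not Trafodion's own code. Names (User, QueryCache,
# may_explain, may_execute, denied) are assumptions made for illustration.
from dataclasses import dataclass, field

@dataclass
class User:
    select_on: set = field(default_factory=set)   # tables with SELECT privilege
    explain_on: set = field(default_factory=set)  # tables with per-table EXPLAIN privilege
    global_explain: bool = False                  # holds a global EXPLAIN privilege

def may_explain(user: User, tables: set) -> bool:
    """Proposed rule: global EXPLAIN privilege, EXPLAIN on every referenced
    table, or SELECT on every referenced table."""
    if user.global_explain:
        return True
    return tables <= user.explain_on or tables <= user.select_on

def may_execute(user: User, tables: set) -> bool:
    return tables <= user.select_on  # executing needs SELECT on every table

class QueryCache:
    """Compiled plans keyed by query text; EXPLAIN populates the cache too."""
    def __init__(self):
        self.plans = {}

    def explain(self, user: User, query: str, tables: set) -> str:
        if not may_explain(user, tables):
            raise PermissionError("EXPLAIN denied")
        return self.plans.setdefault(query, f"plan({query})")

    def execute_before_fix(self, user: User, query: str, tables: set) -> str:
        # The hole: a cache hit (possibly planted by EXPLAIN) skips the check.
        if query in self.plans:
            return self.plans[query]
        if not may_execute(user, tables):
            raise PermissionError("execute denied")
        return self.plans.setdefault(query, f"plan({query})")

    def execute_after_fix(self, user: User, query: str, tables: set) -> str:
        # The fix: privileges are checked before execution, cache hit or not.
        if not may_execute(user, tables):
            raise PermissionError("execute denied")
        return self.plans.setdefault(query, f"plan({query})")

def denied(call, *args) -> bool:  # True if the call is refused with PermissionError
    try:
        call(*args)
    except PermissionError:
        return True
    return False
```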

RE: [jira] [Created] (TRAFODION-2599) Restrict who can do EXPLAIN

Posted by Selva Govindarajan <se...@esgyn.com>.
I would think component-level privilege might be OK for RMS commands rather than expecting the user to have access-level privileges even for explain. Expecting access-level privilege might be too restrictive.

Selva
-----Original Message-----
From: Roberta Marton [mailto:roberta.marton@esgyn.com] 
Sent: Wednesday, April 26, 2017 4:25 PM
To: dev@trafodion.incubator.apache.org; issues@trafodion.incubator.apache.org
Subject: RE: [jira] [Created] (TRAFODION-2599) Restrict who can do EXPLAIN

Adding privilege checks for RMS commands is something we need to look into. It is on the list of commands, like explain, that we need to review to make sure we are not exposing too many details.

Roberta



RE: [jira] [Created] (TRAFODION-2599) Restrict who can do EXPLAIN

Posted by Roberta Marton <ro...@esgyn.com>.
Adding privilege checks for RMS commands is something we need to look into. It is on the list of commands, like explain, that we need to review to make sure we are not exposing too many details.

Roberta


RE: [jira] [Created] (TRAFODION-2599) Restrict who can do EXPLAIN

Posted by Dave Birdsall <da...@esgyn.com>.
Maybe so!

