You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues-all@impala.apache.org by "Fredy Wijaya (JIRA)" <ji...@apache.org> on 2018/06/27 19:31:00 UTC

[jira] [Created] (IMPALA-7217) UPDATE statement with SELECT privilege can reveal the existence of a table

Fredy Wijaya created IMPALA-7217:
------------------------------------

             Summary: UPDATE statement with SELECT privilege can reveal the existence of a table
                 Key: IMPALA-7217
                 URL: https://issues.apache.org/jira/browse/IMPALA-7217
             Project: IMPALA
          Issue Type: Bug
          Components: Frontend
    Affects Versions: Impala 2.12.0, Impala 3.0
            Reporter: Fredy Wijaya


Having a SELECT privilege when executing UPDATE can reveal the existence of a table, i.e. an AnalysisException is thrown instead of AuthorizationException.

{noformat}
[localhost:21000] default> grant select on server to role foo_role;
+---------------------------------+
| summary                         |
+---------------------------------+
| Privilege(s) have been granted. |
+---------------------------------+
Fetched 1 row(s) in 0.02s
[localhost:21000] default> update doesntexist set a = 1;
ERROR: AnalysisException: Could not resolve table reference: 'doesntexist'
{noformat}

Let's contrast this with UPSERT.
{noformat}
[localhost:21000] default> upsert into table doesntexist(id, name) values(1, 'a');
ERROR: AuthorizationException: User 'impdev' does not have privileges to access: default.doesntexist
{noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org