You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafodion.apache.org by "Roberta Marton (JIRA)" <ji...@apache.org> on 2016/03/10 17:32:40 UTC
[jira] [Closed] (TRAFODION-1856) Revoke - object and column
privilege checks not integrated for constraints
[ https://issues.apache.org/jira/browse/TRAFODION-1856?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Roberta Marton closed TRAFODION-1856.
-------------------------------------
Resolution: Fixed
Fix delivered
> Revoke - object and column privilege checks not integrated for constraints
> --------------------------------------------------------------------------
>
> Key: TRAFODION-1856
> URL: https://issues.apache.org/jira/browse/TRAFODION-1856
> Project: Apache Trafodion
> Issue Type: Bug
> Components: sql-security
> Reporter: Roberta Marton
> Assignee: Roberta Marton
>
> Today, when revoking the object REFERENCES privilege, the revoke fails if there
> are any RI constraints that require the privilege. However, there may be column
> level privileges that exist that would still allow the constraint to be present.
> Conversely, when revoking column REFERENCES privilege, the revoke does not
> check to see if REFERENCES privilege has been granted at the object level.
> In fact, the revoke operation does not check for dependencies on constraints
> correctly.
> For example:
> user1:
> create table dept( dept_no int not null primary key, dept_name char(50));
> grant references on table dept to user2;
> grant references(dept_no) to user2;
> user2:
> create table empl(empl_no int not null primary key, dept_no int not null);
> alter table empl add constraint empl_dept
> foreign key (dept_no) references dept;
> user1 should be able to "revoke references on table dept from user2" because
> user2 still has the references privileges on column dept_no. Vice versa, user1
> should be able to "revoke references(dept_no) on dept from user2" because user2
> still has the references privilege on table dept.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)