Posted to issues@trafodion.apache.org by "Roberta Marton (JIRA)" <ji...@apache.org> on 2017/04/27 23:18:04 UTC

[jira] [Commented] (TRAFODION-2599) Restrict who can do EXPLAIN

    [ https://issues.apache.org/jira/browse/TRAFODION-2599?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15987867#comment-15987867 ] 

Roberta Marton commented on TRAFODION-2599:
-------------------------------------------

EXPLAIN needs to have similar privileges as SHOWDDL and SHOW STATISTICS.  Today, we have a component privilege called SHOW.  If granted SHOW, then the user can do both SHOWDDL and SHOW STATS.  We should still allow EXPLAIN if you have SELECT on all objects in the query.
 
The OSIM support has similar requirements.  To use OSIM, you need SHOWDDL and SHOW STATS privilege.  Whatever we choose to do for OSIM we should do for SHOW STATS.

> Restrict who can do EXPLAIN
> ---------------------------
>
>                 Key: TRAFODION-2599
>                 URL: https://issues.apache.org/jira/browse/TRAFODION-2599
>             Project: Apache Trafodion
>          Issue Type: Improvement
>          Components: sql-cmp, sql-security
>    Affects Versions: any
>            Reporter: David Wayne Birdsall
>
> JIRA TRAFODION-2294 will fix a security hole in EXPLAIN: One can do an EXPLAIN of a query, then execute the query because EXPLAIN places the compiled plan in the query cache. Executing the query finds the cached plan which bypasses the query cache.
> With the fix to that JIRA, anyone will still be able to do an EXPLAIN, but privileges will always be checked before actually executing the query.
> But it is fair to ask: Should anyone be able to do EXPLAIN? An advantage of the current situation is that a performance analyst can look at query plans without having access to the data. But query plans do contain some statistical data which may make a determined hacker able to deduce things about the underlying data which they cannot directly see.
> So, perhaps the ability to do EXPLAIN should itself be a privileged operation. Perhaps there should be a separate EXPLAIN privilege, either a global privilege or perhaps on individual tables. A person would be able to do EXPLAIN if they hold that privilege or if they hold SELECT privilege on the underlying tables.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)