Posted to derby-dev@db.apache.org by "Daniel John Debrunner (JIRA)" <ji...@apache.org> on 2007/07/03 19:39:04 UTC

[jira] Created: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.

INSERT and UPDATES succeed when permission has not been granted.
----------------------------------------------------------------

                 Key: DERBY-2893
                 URL: https://issues.apache.org/jira/browse/DERBY-2893
             Project: Derby
          Issue Type: Bug
          Components: Security, SQL
    Affects Versions: 10.4.0.0
            Reporter: Daniel John Debrunner
            Priority: Critical


GrantRevokeTest had assert methods (assertInsertPrivilege etc.) of the form

try {
    s.execute(command);
    // no fail() here: a statement that succeeds is never checked
} catch (SQLException sqle) {
    if (!hasPrivilege)
        assertSQLState("42502", sqle);
    else
        fail(...);
}

Note that no fail() assert was in the try portion after the SQL execution. The statement should not work if hasPrivilege is false, but the test will incorrectly pass if the statement succeeds. I added fail asserts with revision 552922 like:

if (!hasPrivilege)
       fail("expected no INSERT permission on table");

but these two for INSERT and UPDATE caused the test to fail (about 6 fixtures fail) indicating that the statement succeeds even if the permission is not granted.

It could be a test problem but needs some investigation.

The asserts for assertInsertPrivilege and assertUpdatePrivilege are commented out to stop the test failing.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
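
The gap described in this report, as an added example that is not part of the original message or of Derby's GrantRevokeTest: the helper shape from the report next to a version that also fails when the statement succeeds without the privilege. SqlAction, both helper names and the scenarios in main() are constructed for illustration; SqlAction stands in for s.execute(command).

```java
import java.sql.SQLException;

// Added illustration, not code from Derby's GrantRevokeTest.
// SqlAction, both helper names and the scenarios in main() are constructed.
public class NegativeAuthzAssertDemo {

    /** Stand-in for s.execute(command) on a user's connection. */
    interface SqlAction {
        void run() throws SQLException;
    }

    /** Shape from the report: a statement that succeeds is never checked. */
    static void weakAssertPrivilege(boolean hasPrivilege, SqlAction action) {
        try {
            action.run();
        } catch (SQLException sqle) {
            checkDenied(hasPrivilege, sqle);
        }
    }

    /** Same helper plus the missing check after execution. */
    static void strictAssertPrivilege(boolean hasPrivilege, SqlAction action) {
        try {
            action.run();
            if (!hasPrivilege) {
                // Not a SQLException, so the catch below does not swallow it.
                throw new AssertionError("expected no permission, but the statement succeeded");
            }
        } catch (SQLException sqle) {
            checkDenied(hasPrivilege, sqle);
        }
    }

    /** Shared catch logic: a denial is acceptable only when no privilege was expected. */
    static void checkDenied(boolean hasPrivilege, SQLException sqle) {
        if (hasPrivilege) {
            throw new AssertionError("statement failed despite privilege: " + sqle.getSQLState());
        }
        if (!"42502".equals(sqle.getSQLState())) {
            throw new AssertionError("expected SQLState 42502, got " + sqle.getSQLState());
        }
    }

    /** Runs one helper call and turns an assertion failure into a printable result. */
    static String outcome(Runnable check) {
        try {
            check.run();
            return "pass";
        } catch (AssertionError e) {
            return "FAIL (" + e.getMessage() + ")";
        }
    }

    /** Prints what each helper reports for the same expectation and statement. */
    static void report(String label, boolean hasPrivilege, SqlAction action) {
        System.out.println(label);
        System.out.println("  weak:   " + outcome(() -> weakAssertPrivilege(hasPrivilege, action)));
        System.out.println("  strict: " + outcome(() -> strictAssertPrivilege(hasPrivilege, action)));
    }

    public static void main(String[] args) {
        // Constructed statement behaviours; no database is involved.
        SqlAction succeeds = () -> { };
        SqlAction denied42502 = () -> { throw new SQLException("constructed denial", "42502"); };
        SqlAction denied42500 = () -> { throw new SQLException("constructed denial", "42500"); };

        report("no privilege expected, statement succeeds", false, succeeds);
        report("no privilege expected, denied with 42502", false, denied42502);
        report("no privilege expected, denied with 42500", false, denied42500);
        report("privilege expected, statement succeeds", true, succeeds);
        report("privilege expected, denied with 42502", true, denied42502);
    }
}
```

Only the first scenario separates the two helpers: the weak one reports a pass for a statement that ran without the expected denial, while the strict one fails it.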


Re: [jira] Updated: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.

Posted by Daniel John Debrunner <dj...@apache.org>.
Myrna van Lunteren wrote:
> On 7/5/07, Daniel John Debrunner (JIRA) <ji...@apache.org> wrote:
>> I messed up my testing in 10.3 branch, the bug does exist there.
>> I unchecked the regression flag because I don't know if it's a 
>> regression or not.
>> I haven't tried against 10.2 which is where the Grant/Revoke 
>> functionality was introduced.
> 
> I was afraid of something like this, couldn't imagine what changes
> would have caused a difference; there haven't been that many. :-)
> I saw you lowered the priority, so, this is not a blocker for 10.3...

I'm not really sure, I marked it as blocker (for 10.4) when I thought it 
was a regression from 10.3. If it's not a regression from 10.2 then at 
least 10.3 is not worse than 10.2 in this respect, though in all honesty 
it's a serious bug.

> Did you plan to test against 10.2 or not at this point?

Not in the next few days.
Dan.

Re: [jira] Updated: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.

Posted by Myrna van Lunteren <m....@gmail.com>.
On 7/5/07, Daniel John Debrunner (JIRA) <ji...@apache.org> wrote:
> I messed up my testing in 10.3 branch, the bug does exist there.
> I unchecked the regression flag because I don't know if it's a regression or not.
> I haven't tried against 10.2 which is where the Grant/Revoke functionality was introduced.

I was afraid of something like this, couldn't imagine what changes
would have caused a difference; there haven't been that many. :-)
I saw you lowered the priority, so, this is not a blocker for 10.3...

Did you plan to test against 10.2 or not at this point?

Myrna

[jira] Commented: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.

Posted by "Daniel John Debrunner (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12510407 ] 

Daniel John Debrunner commented on DERBY-2893:
----------------------------------------------

Doing a little investigation on this seems to show the problem does not exist on 10.3. I merged up the test changes for GrantRevokeTest and uncommented the asserts and the test passes there. Will investigate some more before committing those changes.



[jira] Commented: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.

Posted by "Kathey Marsden (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12511621 ] 

Kathey Marsden commented on DERBY-2893:
---------------------------------------

Porting the test and in fact copying the test verbatim to 10.3, I see the update case failing, where it passes on trunk. I am investigating that:
1) testColumnPrivileges(org.apache.derbyTesting.functionTests.tests.lang.GrantRevokeTest)junit.framework.Assertio
Error: expected no UPDATE permission on table
        at org.apache.derbyTesting.functionTests.tests.lang.GrantRevokeTest.assertUpdatePrivilege(GrantRevokeTest
133)
        at org.apache.derbyTesting.functionTests.tests.lang.GrantRevokeTest.testColumnPrivileges(GrantRevokeTest.
0)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at org.apache.derbyTesting.junit.BaseTestCase.runBare(BaseTestCase.java:88)
        at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
        at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
        at junit.extensions.TestSetup.run(TestSetup.java:23)
        at org.apache.derbyTesting.junit.BaseTestSetup.run(BaseTestSetup.java:57)
        at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
        at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
        at junit.extensions.TestSetup.run(TestSetup.java:23)
        at org.apache.derbyTesting.junit.BaseTestSetup.run(BaseTestSetup.java:57)
        at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
        at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
        at junit.extensions.TestSetup.run(TestSetup.java:23)
        at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
        at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
        at junit.extensions.TestSetup.run(TestSetup.java:23)
        at org.apache.derbyTesting.junit.BaseTestSetup.run(BaseTestSetup.java:57)
        at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
        at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
        at junit.extensions.TestSetup.run(TestSetup.java:23)
        at org.apache.derbyTesting.junit.BaseTestSetup.run(BaseTestSetup.java:57)
        at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
        at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
        at junit.extensions.TestSetup.run(TestSetup.java:23)
        at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
        at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
        at junit.extensions.TestSetup.run(TestSetup.java:23)

FAILURES!!!


> INSERT and UPDATES succeed when permission has not been granted.
> ----------------------------------------------------------------
>
>                 Key: DERBY-2893
>                 URL: https://issues.apache.org/jira/browse/DERBY-2893
>             Project: Derby
>          Issue Type: Bug
>          Components: Test
>    Affects Versions: 10.3.0.0, 10.3.1.0, 10.4.0.0
>            Reporter: Daniel John Debrunner
>         Attachments: DERBY-2893_diff.txt


[jira] Closed: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.

Posted by "Kathey Marsden (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2893?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kathey Marsden closed DERBY-2893.
---------------------------------


> INSERT and UPDATES succeed when permission has not been granted.
> ----------------------------------------------------------------
>
>                 Key: DERBY-2893
>                 URL: https://issues.apache.org/jira/browse/DERBY-2893
>             Project: Derby
>          Issue Type: Bug
>          Components: Test
>    Affects Versions: 10.3.1.4, 10.4.0.0
>            Reporter: Daniel John Debrunner
>            Assignee: Kathey Marsden
>             Fix For: 10.3.1.4
>
>         Attachments: DERBY-2893_diff.txt


[jira] Commented: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.

Posted by "Daniel John Debrunner (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12510472 ] 

Daniel John Debrunner commented on DERBY-2893:
----------------------------------------------

This means this might still be a test issue and not a bug with grant/revoke. 

> INSERT and UPDATES succeed when permission has not been granted.
> ----------------------------------------------------------------
>
>                 Key: DERBY-2893
>                 URL: https://issues.apache.org/jira/browse/DERBY-2893
>             Project: Derby
>          Issue Type: Bug
>          Components: Security, SQL
>    Affects Versions: 10.3.0.0, 10.3.1.0, 10.4.0.0
>            Reporter: Daniel John Debrunner
>            Priority: Critical


[jira] Commented: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.

Posted by "Daniel John Debrunner (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12510441 ] 

Daniel John Debrunner commented on DERBY-2893:
----------------------------------------------

Merged the GrantRevokeTest changes up to 10.3 and removed the commented out fail asserts (in 10.3 only) that were added for this bug.
Thus this bug is only in the trunk.

> INSERT and UPDATES succeed when permission has not been granted.
> ----------------------------------------------------------------
>
>                 Key: DERBY-2893
>                 URL: https://issues.apache.org/jira/browse/DERBY-2893
>             Project: Derby
>          Issue Type: Bug
>          Components: Security, SQL
>    Affects Versions: 10.4.0.0
>            Reporter: Daniel John Debrunner
>            Priority: Blocker


[jira] Resolved: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.

Posted by "Kathey Marsden (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2893?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kathey Marsden resolved DERBY-2893.
-----------------------------------

    Resolution: Fixed
      Assignee: Kathey Marsden

Fixed issues with the test. This was not a product bug.

> INSERT and UPDATES succeed when permission has not been granted.
> ----------------------------------------------------------------
>
>                 Key: DERBY-2893
>                 URL: https://issues.apache.org/jira/browse/DERBY-2893
>             Project: Derby
>          Issue Type: Bug
>          Components: Test
>    Affects Versions: 10.3.0.0, 10.3.1.0, 10.4.0.0
>            Reporter: Daniel John Debrunner
>            Assignee: Kathey Marsden
>         Attachments: DERBY-2893_diff.txt


[jira] Updated: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.

Posted by "Kathey Marsden (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2893?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kathey Marsden updated DERBY-2893:
----------------------------------

    Component/s:     (was: Security)
                     (was: SQL)
                 Test
       Priority: Major  (was: Critical)

Downgrading this to a major test issue from critical bug.

> INSERT and UPDATES succeed when permission has not been granted.
> ----------------------------------------------------------------
>
>                 Key: DERBY-2893
>                 URL: https://issues.apache.org/jira/browse/DERBY-2893
>             Project: Derby
>          Issue Type: Bug
>          Components: Test
>    Affects Versions: 10.3.0.0, 10.3.1.0, 10.4.0.0
>            Reporter: Daniel John Debrunner
>         Attachments: DERBY-2893_diff.txt


[jira] Commented: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.

Posted by "Kathey Marsden (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12511626 ] 

Kathey Marsden commented on DERBY-2893:
---------------------------------------

Looking at the test, we have:

    public void testColumnPrivileges() throws Exception {
        grant("select(c1),update(c3,c2),references(c3,c1,c2)", "s1", "t1", users[4]);
        // ....
        assertUpdatePrivilege(false, users[4], "S1", "T1", new String[] {"C2", "C3"});
    }

But if I read the grant statement correctly, the first argument to assertUpdatePrivilege should be true, because we granted update to c3,c2. 

So, it makes sense why it was failing for Dan on trunk, for me on 10.3, but not why I saw it pass on trunk with this set to false.  Setting the first argument to true passes the test on both trunk and 10.3, so I still think we are dealing with a test issue, not a code issue, if my logic is right that user[4] was indeed granted update permission on C2 and C3.




> INSERT and UPDATES succeed when permission has not been granted.
> ----------------------------------------------------------------
>
>                 Key: DERBY-2893
>                 URL: https://issues.apache.org/jira/browse/DERBY-2893
>             Project: Derby
>          Issue Type: Bug
>          Components: Test
>    Affects Versions: 10.3.0.0, 10.3.1.0, 10.4.0.0
>            Reporter: Daniel John Debrunner
>         Attachments: DERBY-2893_diff.txt


[jira] Updated: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.

Posted by "Daniel John Debrunner (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2893?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel John Debrunner updated DERBY-2893:
-----------------------------------------

             Priority: Critical  (was: Blocker)
           Derby Info:   (was: [Regression])
    Affects Version/s: 10.3.1.0
                       10.3.0.0

I messed up my testing in 10.3 branch, the bug does exist there.
I unchecked the regression flag because I don't know if it's a regression or not.
I haven't tried against 10.2 which is where the Grant/Revoke functionality was introduced.

> INSERT and UPDATES succeed when permission has not been granted.
> ----------------------------------------------------------------
>
>                 Key: DERBY-2893
>                 URL: https://issues.apache.org/jira/browse/DERBY-2893
>             Project: Derby
>          Issue Type: Bug
>          Components: Security, SQL
>    Affects Versions: 10.3.0.0, 10.3.1.0, 10.4.0.0
>            Reporter: Daniel John Debrunner
>            Priority: Critical


[jira] Updated: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.

Posted by "Daniel John Debrunner (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2893?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel John Debrunner updated DERBY-2893:
-----------------------------------------

      Priority: Blocker  (was: Critical)
    Derby Info: [Regression]

I confirmed that adding fail() asserts in the try portion for the assert cases for UPDATE and INSERT when the privilege was expected not to be granted fail on trunk, prior to my cleanup of the test with revision 552922.

This is an example where test code like this allowed a serious regression:

try {
  s.execute(command);
}
catch (SQLException e)
{
   assertSQLState("42502", e);
}

That is, the test passes if the execution of the statement does not throw the expected exception, which should be a failure.

> INSERT and UPDATES succeed when permission has not been granted.
> ----------------------------------------------------------------
>
>                 Key: DERBY-2893
>                 URL: https://issues.apache.org/jira/browse/DERBY-2893
>             Project: Derby
>          Issue Type: Bug
>          Components: Security, SQL
>    Affects Versions: 10.4.0.0
>            Reporter: Daniel John Debrunner
>            Priority: Blocker


[jira] Commented: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.

Posted by "Kathey Marsden (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12511293 ] 

Kathey Marsden commented on DERBY-2893:
---------------------------------------

I wonder if the order of the decorators in the setup of this test has anything to do with the issue.
We have:
public static Test basesuite() {
    Test basesuite = new TestSuite(GrantRevokeTest.class);
    Test clean = new CleanDatabaseTestSetup(basesuite) {
        protected void decorateSQL(Statement s) throws SQLException {
            s.execute("create schema s1");
            s.execute("create schema s2");
            // ....
        }
    };

    Test test = DatabasePropertyTestSetup.builtinAuthentication(
            clean, users, "grantrevoke");
    test = TestConfiguration.sqlAuthorizationDecorator(test);
	    

Does this mean that decorateSQL will run before sqlAuthorization is enabled, meaning the tables don't have the necessary permission restrictions?  I haven't yet gotten the order successfully reversed but this is my current theory.

I verified manually that grant/revoke on all privileges (which is one of the cases failing) works ok, so I tend to think it is a test issue, but have not completely confirmed this yet.



> INSERT and UPDATES succeed when permission has not been granted.
> ----------------------------------------------------------------
>
>                 Key: DERBY-2893
>                 URL: https://issues.apache.org/jira/browse/DERBY-2893
>             Project: Derby
>          Issue Type: Bug
>          Components: Security, SQL
>    Affects Versions: 10.3.0.0, 10.3.1.0, 10.4.0.0
>            Reporter: Daniel John Debrunner
>            Priority: Critical


[jira] Updated: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.

Posted by "Kathey Marsden (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2893?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kathey Marsden updated DERBY-2893:
----------------------------------

    Fix Version/s: 10.3.1.4

> INSERT and UPDATES succeed when permission has not been granted.
> ----------------------------------------------------------------
>
>                 Key: DERBY-2893
>                 URL: https://issues.apache.org/jira/browse/DERBY-2893
>             Project: Derby
>          Issue Type: Bug
>          Components: Test
>    Affects Versions: 10.3.1.4, 10.4.0.0
>            Reporter: Daniel John Debrunner
>            Assignee: Kathey Marsden
>             Fix For: 10.3.1.4
>
>         Attachments: DERBY-2893_diff.txt
>
>
> GrantRevokeTest had assert methods (assertInsertPrivilege etc.) of the form
> try {
>    s.execute(command)
> } catch (SQLException sqle)
> {
>        if (!hasPrivilege) 
>             assertSQLState("42502", e);
>        else
>              fail(...);
> }
> Note that no fail() assert was in the try portion after the SQL execution. The statement should not work if hasPrivilege is false, but the test will incorrectly pass if the statement succeeds. I added fail asserts with revision 552922 like:
> if (!hasPrivilege)
>        fail("expected no INSERT permission on table");
> but these two for INSERT and UPDATE caused the test to fail (about 6 fixtures fail) indicating that the statement succeeds even if the permission is not granted.
> It could be a test problem but needs some investigation.
> The asserts for assertInsertPrivilege and assertUpdatePrivilege are commented out to stop the test failing.



[jira] Updated: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.

Posted by "Kathey Marsden (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2893?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kathey Marsden updated DERBY-2893:
----------------------------------

    Attachment: DERBY-2893_diff.txt

OK. I think I have it now. Here is the patch to fix the test. The problem was that for assertInsertPrivilege we had

Connection c = openUserConnection(users[0]);

instead of

Connection c = openUserConnection(user);

So since users[0] was the DBO, the insert succeeded. Also, the error SQLState was different than the one expected in the test, 42500 instead of 42502. I think 42500 user does not have permission on table is correct.

For the updates I simply uncommented the DERBY-2893 comment and it seemed to work. So I am not sure what the original problem was there.



> INSERT and UPDATES succeed when permission has not been granted.
> ----------------------------------------------------------------
>
>                 Key: DERBY-2893
>                 URL: https://issues.apache.org/jira/browse/DERBY-2893
>             Project: Derby
>          Issue Type: Bug
>          Components: Security, SQL
>    Affects Versions: 10.3.0.0, 10.3.1.0, 10.4.0.0
>            Reporter: Daniel John Debrunner
>            Priority: Critical
>         Attachments: DERBY-2893_diff.txt
>
>
> GrantRevokeTest had assert methods (assertInsertPrivilege etc.) of the form
> try {
>    s.execute(command);
> } catch (SQLException sqle)
> {
>        if (!hasPrivilege)
>             assertSQLState("42502", sqle);
>        else
>              fail(...);
> }
> Note that no fail() assert was in the try portion after the SQL execution. The statement should not work if hasPrivilege is false, but the test will incorrectly pass if the statement succeeds. I added fail asserts with revision 552922 like:
> if (!hasPrivilege)
>        fail("expected no INSERT permission on table");
> but these two for INSERT and UPDATE caused the test to fail (about 6 fixtures fail) indicating that the statement succeeds even if the permission is not granted.
> It could be a test problem but needs some investigation.
> The asserts for assertInsertPrivilege and assertUpdatePrivilege are commented out to stop the test failing.

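The two test defects discussed in this thread (no fail() after a statement that should have been rejected, and running the check on the database owner's connection), shown as an added example that is not part of the original messages or of Derby's GrantRevokeTest. The SqlAction interface, the helper names and the stand-in statements are hypothetical, and no database is used.

```java
import java.sql.SQLException;

public class NegativePrivilegeAssertDemo {
    /** A SQL action that the database may reject (hypothetical helper type). */
    interface SqlAction { void run() throws SQLException; }

    /** Form quoted in the issue: nothing fails when the statement succeeds. */
    static void weakAssert(boolean hasPrivilege, String expectedState, SqlAction stmt) {
        try {
            stmt.run();
        } catch (SQLException sqle) {
            if (!hasPrivilege) requireState(expectedState, sqle);
            else throw new AssertionError("unexpected denial", sqle);
        }
    }

    /** Hardened form: an unexpected success is itself a test failure. */
    static void strictAssert(boolean hasPrivilege, String expectedState, SqlAction stmt) {
        try {
            stmt.run();
        } catch (SQLException sqle) {
            if (hasPrivilege) throw new AssertionError("unexpected denial", sqle);
            requireState(expectedState, sqle);
            return;
        }
        if (!hasPrivilege) throw new AssertionError("expected no INSERT permission on table");
    }

    static void requireState(String expected, SQLException sqle) {
        if (!expected.equals(sqle.getSQLState()))
            throw new AssertionError("expected " + expected + " but got " + sqle.getSQLState());
    }

    public static void main(String[] args) {
        // Constructed stand-ins: the owner's statement is allowed, the other
        // user's statement is rejected with SQLState 42500.
        SqlAction asOwner = () -> { };
        SqlAction asUser = () -> { throw new SQLException("no permission on table", "42500"); };

        weakAssert(false, "42500", asOwner);   // passes silently although nothing was denied
        strictAssert(false, "42500", asUser);  // passes: denied with the expected SQLState
        try {
            strictAssert(false, "42500", asOwner); // check run as the wrong (privileged) user
            System.out.println("missed");
        } catch (AssertionError expected) {
            System.out.println("caught: " + expected.getMessage());
        }
    }
}
```

A negative authorization test is only meaningful when it runs on the connection of the user whose privilege is under test; the strict form makes a privileged connection show up as a failure instead of a silent pass.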


[jira] Commented: (DERBY-2893) INSERT and UPDATES succeed when permission has not been granted.

Posted by "Daniel John Debrunner (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12511295 ] 

Daniel John Debrunner commented on DERBY-2893:
----------------------------------------------

Looking at the above code the order will be

sqlAuthorizationDecorator setUp
    builtinAuthentication setup
        CleanDatabaseTestSetup setup
            CleanDatabaseTestSetup.decorateSQL

> INSERT and UPDATES succeed when permission has not been granted.
> ----------------------------------------------------------------
>
>                 Key: DERBY-2893
>                 URL: https://issues.apache.org/jira/browse/DERBY-2893
>             Project: Derby
>          Issue Type: Bug
>          Components: Security, SQL
>    Affects Versions: 10.3.0.0, 10.3.1.0, 10.4.0.0
>            Reporter: Daniel John Debrunner
>            Priority: Critical
>
> GrantRevokeTest had assert methods (assertInsertPrivilege etc.) of the form
> try {
>    s.execute(command);
> } catch (SQLException sqle)
> {
>        if (!hasPrivilege)
>             assertSQLState("42502", sqle);
>        else
>              fail(...);
> }
> Note that no fail() assert was in the try portion after the SQL execution. The statement should not work if hasPrivilege is false, but the test will incorrectly pass if the statement succeeds. I added fail asserts with revision 552922 like:
> if (!hasPrivilege)
>        fail("expected no INSERT permission on table");
> but these two for INSERT and UPDATE caused the test to fail (about 6 fixtures fail) indicating that the statement succeeds even if the permission is not granted.
> It could be a test problem but needs some investigation.
> The asserts for assertInsertPrivilege and assertUpdatePrivilege are commented out to stop the test failing.
