Posted to issues-all@impala.apache.org by "Alex Rodoni (JIRA)" <ji...@apache.org> on 2018/10/10 18:12:00 UTC

[jira] [Commented] (IMPALA-7676) DESCRIBE on table should require VIEW_METADATA privilege

    [ https://issues.apache.org/jira/browse/IMPALA-7676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16645357#comment-16645357 ] 

Alex Rodoni commented on IMPALA-7676:
-------------------------------------

[~fredyw] Will this fix require a doc update?

> DESCRIBE on table should require VIEW_METADATA privilege
> --------------------------------------------------------
>
>                 Key: IMPALA-7676
>                 URL: https://issues.apache.org/jira/browse/IMPALA-7676
>             Project: IMPALA
>          Issue Type: Bug
>    Affects Versions: Impala 3.0, Impala 2.12.0
>            Reporter: Fredy Wijaya
>            Assignee: Fredy Wijaya
>            Priority: Major
>              Labels: security
>             Fix For: Impala 3.1.0
>
>
> Assume there exists a table foo.bar.
> {noformat}
> [localhost:21000] default> create role foo_role;
> [localhost:21000] default> grant role foo_role to group test_user;
> [localhost:21000] default> grant create on database foo to role foo_role;
> [localhost:21000] default> describe foo.bar;
> Query: describe foo.bar
> Fetched 0 row(s) in 0.01s
> {noformat}
> Let's contrast this with "describe database".
> {noformat}
> [localhost:21000] default> grant create on server to role foo_role;
> [localhost:21000] default> describe database functional;
> Query: describe database functional
> ERROR: AuthorizationException: User 'test_user' does not have privileges to access: functional
> {noformat}
> The "describe table" behavior is inconsistent with "describe database", and it's also not a good idea for the "create" privilege on a particular table to allow issuing "describe table" on another table, although no information is shown on the other table. This is also to make the behavior consistent with Hive.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
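
The check requested in the quoted issue description, as an added example that is not part of the original message and is not Impala code. It is a toy model: the scope layout, the function names and the set of privileges taken to imply VIEW_METADATA are assumptions, and the grants are constructed to mirror the session in the description.

```python
# Toy model of the authorization check discussed in IMPALA-7676.
# Not Impala code: scope layout and the privilege sets below are assumptions.

# Privileges assumed to imply VIEW_METADATA (assumption for this model).
IMPLIES_VIEW_METADATA = {"ALL", "SELECT", "INSERT", "REFRESH"}


def enclosing_scopes(obj):
    """'foo.bar' -> ['foo.bar', 'foo', 'server'], most specific first."""
    parts = obj.split(".")
    scopes = [".".join(parts[:i]) for i in range(len(parts), 0, -1)]
    return scopes + ["server"]


def held_privileges(grants, obj):
    """Privileges a role holds on obj, including ones inherited from parents."""
    scopes = set(enclosing_scopes(obj))
    return {priv for priv, scope in grants if scope in scopes}


def describe_any_privilege(grants, obj):
    """Behavior reported in the issue: any privilege in scope lets DESCRIBE run."""
    return bool(held_privileges(grants, obj))


def describe_view_metadata(grants, obj):
    """Requested behavior: DESCRIBE needs a privilege implying VIEW_METADATA."""
    return bool(held_privileges(grants, obj) & IMPLIES_VIEW_METADATA)


def check(grants, obj, authorize):
    """Mimic the shell outcome: 'ok' or an AuthorizationException-style denial."""
    return "ok" if authorize(grants, obj) else "AuthorizationException"


# Constructed grants mirroring the session in the issue description.
FOO_ROLE = [("CREATE", "foo")]

if __name__ == "__main__":
    for fn in (describe_any_privilege, describe_view_metadata):
        print(fn.__name__, "describe foo.bar ->", check(FOO_ROLE, "foo.bar", fn))
    reader = FOO_ROLE + [("SELECT", "foo.bar")]
    print("with SELECT on foo.bar ->", check(reader, "foo.bar", describe_view_metadata))
```
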
