You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafodion.apache.org by "Suresh Subbiah (JIRA)" <ji...@apache.org> on 2015/10/08 07:07:26 UTC
[jira] [Assigned] (TRAFODION-1275) LP Bug: 1465776 - Schema owner
in private schema is not the only user able to grant access to object
[ https://issues.apache.org/jira/browse/TRAFODION-1275?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Suresh Subbiah reassigned TRAFODION-1275:
-----------------------------------------
Assignee: Roberta Marton (was: Cliff Gray)
> LP Bug: 1465776 - Schema owner in private schema is not the only user able to grant access to object
> ----------------------------------------------------------------------------------------------------
>
> Key: TRAFODION-1275
> URL: https://issues.apache.org/jira/browse/TRAFODION-1275
> Project: Apache Trafodion
> Issue Type: Bug
> Components: sql-security
> Reporter: Paul Low
> Assignee: Roberta Marton
> Priority: Critical
> Fix For: 2.0-incubating
>
>
> In a private schema, only the schema owner should be able to grant access to objects in the schema.
> In the scenario below, a user (not owner of the schema) created an object on a private schema. Unexpectedly, the user is able to grant privileges on the object to another user:
> SQL>grant all on tab2 to username4;
> --- SQL operation complete.
> Daily build: 20150613.
> Security is enabled on the instance.
> SQL>connect username1/password1;
> Connected to Trafodion
> SQL>create schema schema2;
> --- SQL operation complete.
> SQL>grant component privilege "CREATE" on sql_operations to username3;
> --- SQL operation complete.
> SQL>connect username3/password3;
> Connected to Trafodion
> SQL>set schema schema2;
> --- SQL operation complete.
> SQL>create table tab2(a int, b int) no partition;
> --- SQL operation complete.
> SQL>grant all on tab2 to username4;
> --- SQL operation complete.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)