Posted to issues@trafodion.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/02/13 23:24:41 UTC
[jira] [Commented] (TRAFODION-2441) user has only select privilege
on a table can do insert/update/delete on the view
[ https://issues.apache.org/jira/browse/TRAFODION-2441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15864658#comment-15864658 ]
ASF GitHub Bot commented on TRAFODION-2441:
-------------------------------------------
GitHub user robertamarton opened a pull request:
https://github.com/apache/incubator-trafodion/pull/957
TRAFODION-2441 user has only select privilege on a table can do ...
TRAFODION-2409 support privilege control(column privileges) for hive tables
TRAFODION-2423 any user can perform 'initialize trafodion, drop'
TRAFODION-2435 Any user can perform TRUNCATE on native Hive tables.
TRAFODION-2463 Hive: Any user can do update statistics for hive tables
Fixed issues found while testing privileges with native Hive.
TRAFODION-2441:
changed code that initializes owner privileges for views.
TRAFODION-2409:
returning error message 1328 during attempt to grant unsupported column level
privilege on hive table.
TRAFODION-2423:
added privilege checks for all initialize commands, error 1017 is returned if
not DB__ROOT
TRAFODION-2435:
Returning error 1051 if TRUNCATE is attempted on a hive table where the
current user has no privilege
TRAFODION-2463:
Privilege checks added for Hive table during update statistics
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/robertamarton/incubator-trafodion jira-2409
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/incubator-trafodion/pull/957.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #957
----
commit db14e3922cb2d0722d0885f5c248cac2af2b904d
Author: Roberta Marton <rm...@edev07.esgyn.local>
Date: 2017-02-13T23:20:54Z
TRAFODION-2441 user has only select privilege on a table can do ...
TRAFODION-2409 support privilege control(column privileges) for hive tables
TRAFODION-2423 any user can perform 'initialize trafodion, drop'
TRAFODION-2435 Any user can perform TRUNCATE on native Hive tables.
TRAFODION-2463 Hive: Any user can do update statistics for hive tables
Fixed issues found while testing privileges with native Hive.
TRAFODION-2441:
changed code that initializes owner privileges for views.
TRAFODION-2409:
returning error message 1328 during attempt to grant unsupported column level
privilege on hive table.
TRAFODION-2423:
added privilege checks for all initialize commands, error 1017 is returned if
not DB__ROOT
TRAFODION-2435:
Returning error 1051 if TRUNCATE is attempted on a hive table where the
current user has no privilege
TRAFODION-2463:
Privilege checks added for Hive table during update statistics
----
> user has only select privilege on a table can do insert/update/delete on the view
> ---------------------------------------------------------------------------------
>
> Key: TRAFODION-2441
> URL: https://issues.apache.org/jira/browse/TRAFODION-2441
> Project: Apache Trafodion
> Issue Type: Bug
> Components: sql-security
> Affects Versions: 2.2-incubating
> Environment: hadoop - CDH 5.6
> OS -- CentOS 6.7
> Reporter: Gao, Rui-Xian
> Assignee: Roberta Marton
>
> A user who has only select privilege on the table can do insert/update/delete on the view, and the data in the base table then also gets inserted/updated/deleted.
> Reproduce Steps
> =======================================
> 1. connect as trafodion --
> create table testtab1(a int, b int);
> select * from testtab1;
> grant select on testtab1 to qauser_sqlqaa;
> showddl testtab1;
> 2. connect as qauser_sqlqaa --
> select * from testtab1;
> create view v_tab1 as select * from testtab1;
> showddl v_tab1;
> insert into v_tab1 values(1,1);
> select * from v_tab1;
> select * from testtab1;
> delete from testtab1;
> delete from v_tab1;
> select * from testtab1;
> Test Output
> ========================================
> User Name: trafodion
> Password:
> Role Name [Primary Role]:
> Connected to EsgynDB Advanced
> SQL>create table testtab1(a int, b int);
> --- SQL operation complete.
> SQL>select * from testtab1;
> --- 0 row(s) selected.
> SQL>grant select on testtab1 to qauser_sqlqaa;
> --- SQL operation complete.
> SQL>showddl testtab1;
> CREATE TABLE TRAFODION.SEABASE.TESTTAB1
> (
> A INT DEFAULT NULL NOT SERIALIZED
> , B INT DEFAULT NULL NOT SERIALIZED
> )
> ATTRIBUTES ALIGNED FORMAT
> ;
> -- GRANT SELECT, INSERT, DELETE, UPDATE, REFERENCES ON TRAFODION.SEABASE.TESTTAB1 TO DB__ROOT WITH GRANT OPTION;
> GRANT SELECT ON TRAFODION.SEABASE.TESTTAB1 TO QAUSER_SQLQAA;
> --- SQL operation complete.
> SQL>connect qauser_sqlqaa/QAPassword;
> Connected to EsgynDB Advanced
> SQL>select * from testtab1;
> --- 0 row(s) selected.
> SQL>create view v_tab1 as select * from testtab1;
> --- SQL operation complete.
> SQL>showddl v_tab1; // user only has SELECT privilege on the view
> CREATE VIEW TRAFODION.SEABASE.V_TAB1 AS
> SELECT TRAFODION.SEABASE.TESTTAB1.A, TRAFODION.SEABASE.TESTTAB1.B FROM
> TRAFODION.SEABASE.TESTTAB1 ;
> -- GRANT SELECT ON TRAFODION.SEABASE.V_TAB1 TO QAUSER_SQLQAA;
> --- SQL operation complete.
> SQL>insert into v_tab1 values(1,1); // user can insert data into view
> --- 1 row(s) inserted.
> SQL>select * from v_tab1;
> A B
> ----------- -----------
> 1 1
> --- 1 row(s) selected.
> SQL>select * from testtab1; // data in base table
> A B
> ----------- -----------
> 1 1
> --- 1 row(s) selected.
> SQL>delete from testtab1; // expected, user doesn’t have privilege to delete data from base table
> *** ERROR[4481] The user does not have DELETE privilege on table or view TRAFODION.SEABASE.TESTTAB1. [2017-01-12 10:39:11]
> SQL>delete from v_tab1; // user doesn’t have delete privilege but can delete data from the view
> --- 1 row(s) deleted.
> SQL>select * from testtab1; // data in base table got deleted
> --- 0 row(s) selected.
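The expected behaviour behind TRAFODION-2441, as an added example that is not part of the original message and is not Trafodion code: a toy privilege catalog in which the view creator receives only the privileges held on every object the view references, replayed against the steps in the report. The Catalog class, its methods and replay_report are hypothetical names; the object and user names are taken from the report, and the model generalizes to views over several tables.

```python
# Added illustration, not Trafodion source: a toy privilege catalog in which
# a view creator's privileges are derived from the objects the view reads.
DML = frozenset({"SELECT", "INSERT", "UPDATE", "DELETE"})


class PrivilegeError(Exception):
    pass


class Catalog:
    def __init__(self):
        self.grants = {}  # (object, user) -> set of privilege names

    def grant(self, obj, user, *privs):
        self.grants.setdefault((obj, user), set()).update(privs)

    def privileges(self, obj, user):
        return frozenset(self.grants.get((obj, user), ()))

    def create_view(self, view, owner, referenced):
        held = [self.privileges(obj, owner) for obj in referenced]
        if not held or any("SELECT" not in p for p in held):
            raise PrivilegeError(f"{owner} cannot read every object under {view}")
        # The creator receives only what they hold on EVERY referenced object,
        # so a SELECT-only grant on the table yields a SELECT-only view.
        derived = frozenset.intersection(*held) & DML
        self.grant(view, owner, *derived)
        return derived

    def allowed(self, obj, user, priv):
        return priv in self.privileges(obj, user)


def replay_report():
    """Replay the TRAFODION-2441 steps against the model (constructed data)."""
    cat = Catalog()
    cat.grant("TESTTAB1", "DB__ROOT", *DML)            # table owner
    cat.grant("TESTTAB1", "QAUSER_SQLQAA", "SELECT")   # grant select on testtab1
    view_privs = cat.create_view("V_TAB1", "QAUSER_SQLQAA", ["TESTTAB1"])
    attempts = [("V_TAB1", "SELECT"), ("V_TAB1", "INSERT"),
                ("TESTTAB1", "DELETE"), ("V_TAB1", "DELETE")]
    outcome = {(o, p): cat.allowed(o, "QAUSER_SQLQAA", p) for o, p in attempts}
    return view_privs, outcome
```

In this model the insert and delete through V_TAB1 are refused for the same reason the direct delete on TESTTAB1 is, which is the behaviour the report expected.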