You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "Adam Holley (JIRA)" <ji...@apache.org> on 2018/08/02 05:10:00 UTC
[jira] [Comment Edited] (IMPALA-6891) AuthorizationException in
CROSS JOIN
[ https://issues.apache.org/jira/browse/IMPALA-6891?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16566185#comment-16566185 ]
Adam Holley edited comment on IMPALA-6891 at 8/2/18 5:09 AM:
-------------------------------------------------------------
I propose to not fix this. The statements that cause this scenario, while technically may be valid SQL, are probably unintentional SQL. Basically, when there is a table in the fromClause, that is not referenced in SELECT or WHERE, and the user only has SELECT on all columns of the table and not the table itself, they will receive this incorrect error.
There might be multiple ways of fixing this, but at best we'd need to just add PrivilegeRequests to all the columns of the unreferenced table, which would add overhead for no benefit. The more columns in the table, the more overhead.
If it's fixed to be an AnalysisError, that's not really correct, since the SQL is technically valid.
As it stands, we have a short circuit error to catch SQL that is most likely unintentional.
was (Author: aholley):
I'd propose to not fix this. The statements that cause this scenario, while technically may be valid SQL, are probably unintentional SQL. Basically, when there is a table in the fromClause, that is not referenced in SELECT or WHERE, that a user only has SELECT on all columns of the table, they will receive this incorrect error.
There might be multiple ways of fixing this, but at best we'd need to just add PrivilegeRequests to all the columns of the unreferenced table, which would add overhead for no benefit. The more columns in the table, the more overhead.
If it's fixed to be an AnalysisError, that's not really correct, since the SQL is technically valid.
As it stands, we have a short circuit error to catch SQL that is most likely unintentional.
> AuthorizationException in CROSS JOIN
> ------------------------------------
>
> Key: IMPALA-6891
> URL: https://issues.apache.org/jira/browse/IMPALA-6891
> Project: IMPALA
> Issue Type: Bug
> Components: Frontend
> Affects Versions: Impala 2.9.0, Impala 2.10.0, Impala 2.11.0
> Reporter: Fredy Wijaya
> Assignee: Adam Holley
> Priority: Minor
> Labels: security
>
> {noformat}
> [localhost:21000] foo> create table t1(i int, j int);
> [localhost:21000] foo> create table t2(i int, j int);
> [localhost:21000] foo> grant select(i) on table foo.t1 to role test_role;
> [localhost:21000] foo> grant select(j) on table foo.t1 to role test_role;
> [localhost:21000] foo> grant select(i) on table foo.t2 to role test_role;
> [localhost:21000] foo> grant select(j) on table foo.t2 to role test_role;{noformat}
> {noformat}
> [localhost:21000] foo> select * from foo.t1 a cross join foo.t2 b;
> Fetched 0 row(s) in 0.14s
> [localhost:21000] foo> select a.* from foo.t1 a cross join foo.t2 b;
> ERROR: AuthorizationException: User 'xyz' does not have privileges to execute 'SELECT' on: foo.t2{noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org