You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "Aleksey Yeschenko (JIRA)" <ji...@apache.org> on 2017/02/28 18:29:45 UTC
[jira] [Commented] (CASSANDRA-13053) GRANT/REVOKE on table without
keyspace performs permissions check incorrectly
[ https://issues.apache.org/jira/browse/CASSANDRA-13053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15888599#comment-15888599 ]
Aleksey Yeschenko commented on CASSANDRA-13053:
-----------------------------------------------
||branch||testall||dtest||
|[13053-2.2|https://github.com/iamaleksey/cassandra/tree/13053-2.2]|[testall|http://cassci.datastax.com/view/Dev/view/iamaleksey/job/iamaleksey-13053-2.2-testall]|[dtest|http://cassci.datastax.com/view/Dev/view/iamaleksey/job/iamaleksey-13053-2.2-dtest]|
|[13053-3.0|https://github.com/iamaleksey/cassandra/tree/13053-3.0]|[testall|http://cassci.datastax.com/view/Dev/view/iamaleksey/job/iamaleksey-13053-3.0-testall]|[dtest|http://cassci.datastax.com/view/Dev/view/iamaleksey/job/iamaleksey-13053-3.0-dtest]|
|[13053-3.11|https://github.com/iamaleksey/cassandra/tree/13053-3.11]|[testall|http://cassci.datastax.com/view/Dev/view/iamaleksey/job/iamaleksey-13053-3.11-testall]|[dtest|http://cassci.datastax.com/view/Dev/view/iamaleksey/job/iamaleksey-13053-3.11-dtest]|
|[13053-4.0|https://github.com/iamaleksey/cassandra/tree/13053-4.0]|[testall|http://cassci.datastax.com/view/Dev/view/iamaleksey/job/iamaleksey-13053-4.0-testall]|[dtest|http://cassci.datastax.com/view/Dev/view/iamaleksey/job/iamaleksey-13053-4.0-dtest]|
Simple patch attached (2.2 merges cleanly upwards). Will kick off a basic CI run and write up a quick unit test in the meantime.
> GRANT/REVOKE on table without keyspace performs permissions check incorrectly
> -----------------------------------------------------------------------------
>
> Key: CASSANDRA-13053
> URL: https://issues.apache.org/jira/browse/CASSANDRA-13053
> Project: Cassandra
> Issue Type: Bug
> Components: CQL
> Reporter: Sam Tunnicliffe
> Assignee: Aleksey Yeschenko
> Priority: Minor
> Fix For: 2.2.x, 3.0.x, 3.11.x
>
>
> When a {{GRANT}} or {{REVOKE}} statement is executed on a table without specifying the keyspace, we attempt to use the client session's keyspace to qualify the resource.
> This is done when validating the statement, which occurs after checking that the user executing the statement has sufficient permissions. This means that the permissions checking uses an incorrect resource, namely a table with a null keyspace. If that user is a superuser, then no error is encountered as superuser privs implicitly grants *all* permissions. If the user is not a superuser, then the {{GRANT}} or {{REVOKE}} fails with an ugly error, regardless of which keyspace the client session is bound to:
> {code}
> Unauthorized: Error from server: code=2100 [Unauthorized] message="User admin has no AUTHORIZE permission on <table null.t1> or any of its parents"
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)