Posted to issues-all@impala.apache.org by "Fredy Wijaya (JIRA)" <ji...@apache.org> on 2018/06/27 19:39:00 UTC

[jira] [Updated] (IMPALA-7217) UPDATE/DELETE statement with SELECT privilege can reveal the existence of a table

     [ https://issues.apache.org/jira/browse/IMPALA-7217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fredy Wijaya updated IMPALA-7217:
---------------------------------
    Description: 
For UPDATE/DELETE statements, the ALL privilege on SERVER is required. However, having the SELECT privilege when executing UPDATE can reveal the existence of a table, i.e. an AnalysisException is thrown instead of an AuthorizationException.

{noformat}
[localhost:21000] default> grant select on server to role foo_role;
+---------------------------------+
| summary                         |
+---------------------------------+
| Privilege(s) have been granted. |
+---------------------------------+
Fetched 1 row(s) in 0.02s
[localhost:21000] default> update doesntexist set a = 1;
ERROR: AnalysisException: Could not resolve table reference: 'doesntexist'

[localhost:21000] default> delete from doesntexist;
ERROR: AnalysisException: Could not resolve table reference: 'doesntexist'
{noformat}

Let's contrast this with UPSERT.
{noformat}
[localhost:21000] default> upsert into table doesntexist(id, name) values(1, 'a');
ERROR: AuthorizationException: User 'impdev' does not have privileges to access: default.doesntexist
{noformat}

  was:
For the UPDATE statement, the ALL privilege on SERVER is required. However, having the SELECT privilege when executing UPDATE can reveal the existence of a table, i.e. an AnalysisException is thrown instead of an AuthorizationException.

{noformat}
[localhost:21000] default> grant select on server to role foo_role;
+---------------------------------+
| summary                         |
+---------------------------------+
| Privilege(s) have been granted. |
+---------------------------------+
Fetched 1 row(s) in 0.02s
[localhost:21000] default> update doesntexist set a = 1;
ERROR: AnalysisException: Could not resolve table reference: 'doesntexist'
{noformat}

Let's contrast this with UPSERT.
{noformat}
[localhost:21000] default> upsert into table doesntexist(id, name) values(1, 'a');
ERROR: AuthorizationException: User 'impdev' does not have privileges to access: default.doesntexist
{noformat}


> UPDATE/DELETE statement with SELECT privilege can reveal the existence of a table
> ---------------------------------------------------------------------------------
>
>                 Key: IMPALA-7217
>                 URL: https://issues.apache.org/jira/browse/IMPALA-7217
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Frontend
>    Affects Versions: Impala 3.0, Impala 2.12.0
>            Reporter: Fredy Wijaya
>            Priority: Major
>              Labels: security
>
> For UPDATE/DELETE statements, the ALL privilege on SERVER is required. However, having the SELECT privilege when executing UPDATE can reveal the existence of a table, i.e. an AnalysisException is thrown instead of an AuthorizationException.
> {noformat}
> [localhost:21000] default> grant select on server to role foo_role;
> +---------------------------------+
> | summary                         |
> +---------------------------------+
> | Privilege(s) have been granted. |
> +---------------------------------+
> Fetched 1 row(s) in 0.02s
> [localhost:21000] default> update doesntexist set a = 1;
> ERROR: AnalysisException: Could not resolve table reference: 'doesntexist'
> [localhost:21000] default> delete from doesntexist;
> ERROR: AnalysisException: Could not resolve table reference: 'doesntexist'
> {noformat}
> Let's contrast this with UPSERT.
> {noformat}
> [localhost:21000] default> upsert into table doesntexist(id, name) values(1, 'a');
> ERROR: AuthorizationException: User 'impdev' does not have privileges to access: default.doesntexist
> {noformat}
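
A regression check for the behaviour reported above, as an added example that is not part of the original message or Impala's own code: it parses an impala-shell transcript of statements run by a role that lacks the required privilege and lists every statement that was not rejected with AuthorizationException. The function names and the constructed transcript (assembled from the lines quoted in the report) are assumptions.

```python
import re

# Shell prompt line, e.g. "[localhost:21000] default> update doesntexist set a = 1;"
PROMPT_RE = re.compile(r"^\[[^\]]+\] \S+> (?P<stmt>.+)$")
# Error line, e.g. "ERROR: AnalysisException: Could not resolve table reference: ..."
ERROR_RE = re.compile(r"^ERROR: (?P<cls>\w+Exception): (?P<msg>.*)$")

# Constructed transcript built from the lines quoted in the report. It must
# contain only statements the role under test is NOT authorized to run.
SAMPLE = """\
[localhost:21000] default> update doesntexist set a = 1;
ERROR: AnalysisException: Could not resolve table reference: 'doesntexist'
[localhost:21000] default> delete from doesntexist;
ERROR: AnalysisException: Could not resolve table reference: 'doesntexist'
[localhost:21000] default> upsert into table doesntexist(id, name) values(1, 'a');
ERROR: AuthorizationException: User 'impdev' does not have privileges to access: default.doesntexist
"""

def parse_transcript(text):
    """Pair each statement with the exception class that followed it.

    A statement with no ERROR line before the next prompt (it ran without
    error) is recorded with class None.
    """
    results, stmt = [], None
    for line in text.splitlines():
        prompt, error = PROMPT_RE.match(line), ERROR_RE.match(line)
        if prompt:
            if stmt is not None:
                results.append((stmt, None))
            stmt = prompt.group("stmt")
        elif error and stmt is not None:
            results.append((stmt, error.group("cls")))
            stmt = None
    if stmt is not None:
        results.append((stmt, None))
    return results

def policy_violations(text):
    """Statements that were not rejected with AuthorizationException.

    Any other outcome (AnalysisException, or no error at all) tells an
    unauthorized caller something about the catalog.
    """
    return [s for s, cls in parse_transcript(text) if cls != "AuthorizationException"]

if __name__ == "__main__":
    for stmt in policy_violations(SAMPLE):
        print("not rejected by authorization:", stmt)
```

Run against a captured session for each affected version, the list should be empty once UPDATE and DELETE behave like UPSERT.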


