GitHub user robertamarton opened a pull request:

    https://github.com/apache/trafodion/pull/1520

    [TRAFODION-2600] Unable to create view ... but user has SELECT privilege

    Query invalidation is not resetting the role list when a user is granted a 
role.
    For DML operations, we always retry the request once, and between retries, 
the
    role list is reset.  So DML works on a retry.
    However, DDL operations are not retried, so the role list is not reset and 
the
    create view fails.
    
    An analogous issue exists when the role is revoked from a user and the role
    list is not reset.  In this case, the user can still create views even 
though
    they no longer have the privilege.
    
    Changes:
    - Grant role: sends a new query invalidation key
    - Revoke role: forces a query invalidation check even if the key is not 
present
    - Displays query invalidation keys when debug option DBUSER_DEBUG is set, 
e.g:
       set envvar DBUSER_DEBUG 1;

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/robertamarton/incubator-trafodion jira-2600

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/trafodion/pull/1520.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1520
    
----
commit f9820b26144a45b7c7cbdedaeefc832f150f5d45
Author: Roberta Marton <roberta.marton@...>
Date:   2018-04-16T22:26:07Z

    [TRAFODION-2600] Unable to create view ... but user has SELECT privilege
    
    Query invalidation is not resetting the role list when a user is granted a 
role.
    For DML operations, we always retry the request once, and between retries, 
the
    role list is reset.  So DML works on a retry.
    However, DDL operations are not retried, so the role list is not reset and 
the
    create view fails.
    
    An analogous issue exists when the role is revoked from a user and the role
    list is not reset.  In this case, the user can still create views even 
though
    they no longer have the privilege.
    
    Changes:
    - Grant role: sends a new query invalidation key
    - Revoke role: forces a query invalidation check even if the key is not 
present
    - Displays query invalidation keys when debug option DBUSER_DEBUG is set, 
e.g:
       set envvar DBUSER_DEBUG 1;

----


---

Reply via email to