Sam Tunnicliffe created CASSANDRA-13053:
-------------------------------------------

             Summary: GRANT/REVOKE on table without keyspace performs permissions check incorrectly
                 Key: CASSANDRA-13053
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13053
             Project: Cassandra
          Issue Type: Bug
          Components: CQL
            Reporter: Sam Tunnicliffe
             Fix For: 2.2.x, 3.0.x, 3.x



When a {{GRANT}} or {{REVOKE}} statement is executed on a table without 
specifying the keyspace, we attempt to use the client session's keyspace to 
qualify the resource. 

This is done when validating the statement, which occurs after checking that 
the user executing the statement has sufficient permissions. This means that 
the permissions checking uses an incorrect resource, namely a table with a null 
keyspace. If that user is a superuser, then no error is encountered as 
superuser privs implicitly grant *all* permissions. If the user is not a 
superuser, then the {{GRANT}} or {{REVOKE}} fails with an ugly error, 
regardless of which keyspace the client session is bound to:

{code}
Unauthorized: Error from server: code=2100 [Unauthorized] message="User admin has no AUTHORIZE permission on <table null.t1> or any of its parents"
{code}




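The ordering problem described in this report, as a small Python model added here (not Cassandra's code and not part of the original report). `Table`, `User`, `check_access`, `qualify` and both `grant_*` functions are hypothetical names, and the `data/<keyspace>/<table>` resource strings are a simplification assumed for the model.

```python
# Model only: names and resource strings are assumptions, not Cassandra's code.
from dataclasses import dataclass
from typing import Optional

class Unauthorized(Exception):
    pass

@dataclass(frozen=True)
class Table:
    keyspace: Optional[str]   # None when the statement omitted the keyspace
    name: str

    def chain(self):
        # The resource itself, then its parents: keyspace, then all keyspaces.
        return [f"data/{self.keyspace}/{self.name}", f"data/{self.keyspace}", "data"]

    def __str__(self):
        return f"<table {self.keyspace or 'null'}.{self.name}>"

@dataclass
class User:
    name: str
    superuser: bool = False
    authorize_on: frozenset = frozenset()  # resources where AUTHORIZE is held

def check_access(user, table):
    # Superusers implicitly hold every permission, which hides the bug for them.
    if user.superuser or any(r in user.authorize_on for r in table.chain()):
        return
    raise Unauthorized(f"User {user.name} has no AUTHORIZE permission on "
                       f"{table} or any of its parents")

def qualify(table, session_keyspace):
    # Fill in the client session's keyspace when the statement gave none.
    if table.keyspace is not None:
        return table
    if session_keyspace is None:
        raise ValueError("no keyspace specified and session has none")
    return Table(session_keyspace, table.name)

def grant_check_then_qualify(user, table, session_keyspace):
    check_access(user, table)                 # reported order: keyspace still null
    return qualify(table, session_keyspace)

def grant_qualify_then_check(user, table, session_keyspace):
    table = qualify(table, session_keyspace)  # resolve the resource first
    check_access(user, table)                 # then authorize the real resource
    return table
```

With a non-superuser holding AUTHORIZE on `data/ks1`, the first ordering raises the `<table null.t1>` error from the report for any session keyspace, while the second authorizes against `ks1.t1` and still rejects the same user when the session is bound to a keyspace they hold no AUTHORIZE on.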