architlatkar27 opened a new issue, #11599:
URL: https://github.com/apache/gravitino/issues/11599

   ### Version
   
   main branch
   
   ### Describe what's wrong
   
   I created a role that gives DENY to a user to MODIFY_TABLE for a table. The role also gives ALLOW to the user to SELECT_TABLE.
   
   Now when I run a query like `insert into catalog.schema.table...` I would expect the user to get a deny since they are not allowed to modify the table. However, the query goes through fine.
   
   ### Error message and/or stacktrace
   
   NA
   Ideally it should have printed an error such as "user is forbidden to modify table".
   
   ### How to reproduce
   
   1. Create a relational catalog that contains a schema and table.
   2. Create a role like this:
   ```json
   {
     "name": "select_allow_modify_deny",
     "properties": {},
     "securableObjects": [
       {
         "fullName": "mycatalog.myschema.mytable",
         "type": "TABLE",
         "privileges": [
           { "name": "SELECT_TABLE", "condition": "ALLOW" },
           { "name": "MODIFY_TABLE", "condition": "DENY" }
         ]
       }
     ]
   }
   ```
   and assign this role to a user.
   3. From Trino, log in as this user and run an insert query against the table.
   The query should run without problem.
   
   ### Additional context
   
   I did some digging into the code and found the Trino connector side method that loads the table:
   
   ```java
   /**
    * Retrieves the Gravitino table for the specified name.
    *
    * @param schemaName the name of the schema
    * @param tableName the name of the table
    * @return the Gravitino table
    * @throws TrinoException if the table is not found
    */
   public GravitinoTable getTable(String schemaName, String tableName) {
     try {
       Table table = tableCatalog.loadTable(NameIdentifier.of(schemaName, tableName));
       return new GravitinoTable(schemaName, tableName, table);
     } catch (NoSuchTableException e) {
       throw new TrinoException(
           GravitinoErrorCode.GRAVITINO_TABLE_NOT_EXISTS, "Table does not exist", e);
     }
   }
   ```
   
   I think that the expectation is that the connector must specify the intent of access - like select or modify. Depending on that, one of the two conditions applies:
   ```java
   """
       ANY(OWNER, METALAKE, CATALOG) ||
       SCHEMA_OWNER_WITH_USE_CATALOG ||
       ANY_USE_CATALOG && ANY_USE_SCHEMA && (TABLE::OWNER || ANY_SELECT_TABLE || ANY_MODIFY_TABLE)
       """;
   ```
   or
   ```java
   """
       ANY(OWNER, METALAKE, CATALOG) ||
       SCHEMA_OWNER_WITH_USE_CATALOG ||
       ANY_USE_CATALOG && ANY_USE_SCHEMA && (TABLE::OWNER || ANY_MODIFY_TABLE)
       """;
   ```
   But the first condition is being triggered every time, even if the query is for an insert.
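The gap described in the issue, as an added example that is not part of the original report or of Gravitino's code: a small Python model of the two authorization expressions quoted above, evaluated against the `select_allow_modify_deny` role. It assumes that a DENY overrides an ALLOW for the same privilege and that `ANY_*` means an ALLOW on the table or one of its ancestors; the owner and metalake shortcuts are left out, and the `use_grants` role, `effective_privileges` and `authorize` names are constructed for the illustration.

```python
"""Added example (not Gravitino code): model of the two authorization
expressions quoted above. Assumed semantics: a DENY overrides an ALLOW for
the same privilege; ANY_* means an ALLOW on the table or an ancestor.
Owner and metalake shortcuts are left out."""

# Constructed sample roles: the role from the issue plus the USE grants.
ROLES = [
    {"name": "select_allow_modify_deny", "securableObjects": [
        {"fullName": "mycatalog.myschema.mytable", "type": "TABLE", "privileges": [
            {"name": "SELECT_TABLE", "condition": "ALLOW"},
            {"name": "MODIFY_TABLE", "condition": "DENY"}]}]},
    {"name": "use_grants", "securableObjects": [
        {"fullName": "mycatalog", "type": "CATALOG", "privileges": [
            {"name": "USE_CATALOG", "condition": "ALLOW"}]},
        {"fullName": "mycatalog.myschema", "type": "SCHEMA", "privileges": [
            {"name": "USE_SCHEMA", "condition": "ALLOW"}]}]},
]

def effective_privileges(roles, table_full_name):
    """Privileges granted on the table or any ancestor; a DENY on the path
    removes the privilege even if another object ALLOWs it."""
    allowed, denied = set(), set()
    for role in roles:
        for obj in role["securableObjects"]:
            name = obj["fullName"]
            if table_full_name == name or table_full_name.startswith(name + "."):
                for priv in obj["privileges"]:
                    bucket = allowed if priv["condition"] == "ALLOW" else denied
                    bucket.add(priv["name"])
    return allowed - denied

def can_load_table(privs):
    # First expression: ANY_USE_CATALOG && ANY_USE_SCHEMA && (SELECT || MODIFY)
    return {"USE_CATALOG", "USE_SCHEMA"} <= privs and bool(
        privs & {"SELECT_TABLE", "MODIFY_TABLE"})

def can_modify_table(privs):
    # Second expression: ANY_USE_CATALOG && ANY_USE_SCHEMA && MODIFY
    return {"USE_CATALOG", "USE_SCHEMA", "MODIFY_TABLE"} <= privs

def authorize(roles, table_full_name, intent):
    """Select the expression by the caller's intent ("SELECT" or "MODIFY")
    rather than always evaluating the load-table expression."""
    privs = effective_privileges(roles, table_full_name)
    check = {"SELECT": can_load_table, "MODIFY": can_modify_table}[intent]
    return check(privs)

if __name__ == "__main__":
    for intent in ("SELECT", "MODIFY"):
        print(intent, authorize(ROLES, "mycatalog.myschema.mytable", intent))
```

With the role from the issue, the load-table expression passes (SELECT_TABLE is allowed) while the intent-aware MODIFY check is refused, which is the behaviour the insert should have hit.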
