Kundan Kumar Jha created RANGER-4635:
----------------------------------------
Summary: User with no access can able to replicate schema of a
table using temporary table creation via "LIKE"
Key: RANGER-4635
URL: https://issues.apache.org/jira/browse/RANGER-4635
Project: Ranger
Issue Type: Bug
Components: Ranger
Reporter: Kundan Kumar Jha
*PROBLEM STATEMENT:*
Users who don't have access to any resource are able to create a temporary
table using a "LIKE" statement with the same schema as another table and extract
schema info of a non-accessible table.
*STEPS TO REPRODUCE:*
1. Delete all the policies in Ranger.
2. Then give all access (*, *, *) to "hive" and "user_1" via hive policy.
3. Then create a database a_db and a table a_db.a_table with the schema below,
using user user_1:
{code:java}
+-----------+------------+----------+
| col_name  | data_type  | comment  |
+-----------+------------+----------+
| id        | int        |          |
| name      | string     |          |
+-----------+------------+----------+
{code}
4. Then kinit as user_2 (who doesn't have access to any resource) and
create a temporary table like a_db.a_table using the following cmd:
{code:java}
create temporary table temp_t like a_db.a_table; {code}
5. Then run the following cmd to describe temporary table temp_t:
{code:java}
desc temp_t;{code}
output:
{code:java}
+-----------+------------+----------+
| col_name  | data_type  | comment  |
+-----------+------------+----------+
| id        | int        |          |
| name      | string     |          |
+-----------+------------+----------+
{code}
*CURRENT BEHAVIOUR:*
The temp table "temp_t" got created successfully with the same schema as "a_table",
and the user user_2, with no access, is able to view the schema of a
non-accessible table.
*EXPECTED BEHAVIOUR:*
A user who doesn't have access to a table should not be able to create a
temporary table with it using a "LIKE" query.
*OCCURRENCE:*
manual testing
*IMPACT:*
User can access the schema of a non-accessible table.
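A detection sketch for the behaviour reported above, added here as an example and not taken from the issue or from Ranger's code: it scans query records for `CREATE ... TABLE ... LIKE <source>` and flags users who hold no grant on the source table. The record layout `(user, current_db, query)`, the simplified `GRANTS` map (database and table patterns only, `*` as the sole wildcard) and all function names are assumptions, and the sample data is constructed from the reproduction steps.

```python
import re

# CREATE [TEMPORARY] [EXTERNAL] TABLE [IF NOT EXISTS] <target> LIKE <source>
CREATE_LIKE = re.compile(
    r"""^\s*create\s+(?:temporary\s+)?(?:external\s+)?table\s+
        (?:if\s+not\s+exists\s+)?(?P<target>[`\w.]+)\s+
        like\s+(?P<source>[`\w.]+)""",
    re.IGNORECASE | re.VERBOSE,
)

def qualify(name, current_db):
    """Return (db, table) for a possibly unqualified, possibly backquoted name."""
    parts = name.replace("`", "").lower().split(".")
    return (parts[0], parts[1]) if len(parts) == 2 else (current_db.lower(), parts[0])

def can_read(grants, user, db, table):
    """grants: {user: [(db_pattern, table_pattern)]}; '*' matches anything (assumed model)."""
    return any(d in ("*", db) and t in ("*", table) for d, t in grants.get(user, []))

def find_schema_copies(records, grants):
    """Return (user, source) pairs where LIKE copied the schema of a table the user cannot read."""
    findings = []
    for user, current_db, query in records:
        m = CREATE_LIKE.match(query)
        if not m:
            continue  # not a CREATE TABLE ... LIKE statement
        db, table = qualify(m.group("source"), current_db)
        if not can_read(grants, user, db, table):
            findings.append((user, f"{db}.{table}"))
    return findings

# Constructed sample data mirroring the reproduction steps in the report.
GRANTS = {"hive": [("*", "*")], "user_1": [("*", "*")]}  # user_2 has no grants
RECORDS = [
    ("user_1", "default", "create table a_db.a_table (id int, name string)"),
    ("user_2", "default", "create temporary table temp_t like a_db.a_table;"),
    ("user_2", "default", "desc temp_t;"),
    ("user_1", "a_db", "CREATE TABLE IF NOT EXISTS copy_t LIKE `a_table`"),
]

if __name__ == "__main__":
    for user, source in find_schema_copies(RECORDS, GRANTS):
        print(f"{user} copied schema of {source} without read access")
```

The subsequent `desc temp_t;` is not flagged on its own, because the temporary table belongs to the user; the signal is the `LIKE` reference to a source table the user cannot read.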