[jira] [Updated] (RANGER-4635) create temporary table via "LIKE" cmd need revisit

Mon, 08 Jan 2024 07:48:05 -0800 


     [ 
https://issues.apache.org/jira/browse/RANGER-4635?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kundan Kumar Jha updated RANGER-4635:
-------------------------------------
    Summary: create temporary table via "LIKE" cmd need revisit  (was: User 
with no access can able to replicate schema of a table using temporary table 
creation via "LIKE")

> create temporary table via "LIKE" cmd need revisit
> --------------------------------------------------
>
>                 Key: RANGER-4635
>                 URL: https://issues.apache.org/jira/browse/RANGER-4635
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Kundan Kumar Jha
>            Priority: Major
>
> *PROBLEM STATEMENT:*
> Users which don't have access on any resource can able to create a temporary 
> table using"LIKE" statement with same schema as another table and extract 
> schema info of non accessible table.
> *STEPS TO REPRODUCE:*
> 1. Delete all the policies in ranger.
> 2. Then give all access(*, *, *) to "hive" and "user_1" via hive policy.
> 3. Then create a database a_db and a table a_db.a_table with schema using 
> user user_1:
> {code:java}
> +-----------+------------+----------+
> | col_name  | data_type  | comment  |
> +-----------+------------+----------+
> | id        | int        |          |
> | name      | string     |          |
> +-----------+------------+----------+ {code}
> 4. Then kinit as user_2 user(which don't have access to any resource) and 
> create a temporary table like a_db.a_table using following cmd:
> {code:java}
> create temporary table temp_t like a_db.a_table; {code}
> 5. Then run following cmd to describe temporary table temp_t:
> {code:java}
> desc temp_t;{code}
> output:
> {code:java}
> +-----------+------------+----------+
> | col_name  | data_type  | comment  |
> +-----------+------------+----------+
> | id        | int        |          |
> | name      | string     |          |
> +-----------+------------+----------+ {code}
> *CURRENT BEHAVIOUR:*
> The temp table "temp_t" got created successfully with same schema as 
> "a_table" and the user user_2 with no access can able to view the schema of a 
> non accessible table.
> *EXPECTED BEHAVIOUR:*
> The user which doesn't have access on a table should not able to create a 
> temporary table with it using "LIKE" query.
> *OCCURRENCE:*
> manual testing 
> *IMPACT:*
> User can access the schema of a non accessible table.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to