[jira] [Commented] (SENTRY-2264) It is possible to elevate privileges from DROP using alter table rename

[Hadoop QA (JIRA)]

    [ 
https://issues.apache.org/jira/browse/SENTRY-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16523116#comment-16523116
 ] 

Hadoop QA commented on SENTRY-2264:
-----------------------------------

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12929103/SENTRY-2264.003.patch 
against master.

{color:red}Overall:{color} -1 due to 3 errors

{color:red}ERROR:{color} mvn test exited 1
{color:red}ERROR:{color} Failed: 
org.apache.sentry.tests.e2e.dbprovider.TestDbOperationsPart2
{color:red}ERROR:{color} Failed: 
org.apache.sentry.tests.e2e.dbprovider.TestDbOperationsPart2

Console output: 
https://builds.apache.org/job/PreCommit-SENTRY-Build/3921/console

This message is automatically generated.

> It is possible to elevate privileges from DROP using alter table rename
> -----------------------------------------------------------------------
>
>                 Key: SENTRY-2264
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2264
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: Na Li
>            Assignee: Na Li
>            Priority: Major
>         Attachments: SENTRY-2264.001.patch, SENTRY-2264.002.patch, 
> SENTRY-2264.003.patch
>
>
> After introducing FGP, a user with only DROP on a database db1 and at least 
> CREATE on db2 can run ALTER TABLE RENAME db1.table1 db2.table2, and thus 
> elevate their privileges.
> To reproduce:
> As admin (e.g. hive):
> 1. Create db1, db1.table1, db2, role r1.
> 2. Grant DROP on db1 to role r1.
> 3. Grant ALL on db2 to role r1
> 4. Grant role r1 to user testuser1.
> As testuser1:
> 1. use db1; alter table db1.table1 rename to db2.table1
> 2. select * from db2. table1
> Result: the select command succeeds.
> Desired behavior:
> we should at least require following privileges to execute the table rename 
> command:
> table level "ALL" at source
> database level "CREATE" at destination.
> The reason we don't require "alter, insert" for destination DB is that 
> "alter" and "insert" is table level privileges and when "alter table rename" 
> command is executed, there is no table in destination DB. So we cannot 
> enforce these table level privileges. Therefore the only change is add 
> table-level "ALL" privilege in required input privileges to avoid elevate 
> privilege by moving table cross DB



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)