[
https://issues.apache.org/jira/browse/TRAFODION-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16449085#comment-16449085
]
ASF GitHub Bot commented on TRAFODION-2542:
-------------------------------------------
GitHub user robertamarton opened a pull request:
https://github.com/apache/trafodion/pull/1536
[TRAFODION-2542] Grantor is not correct when granting privileges for a role
When granting privileges and the authorization ID is not the current user but
one of the roles granted to the current user, then the "granted by" clause is
required. In addition, the grantor of the privileges becomes the role specified
in the grant statement instead of the current user.
Added a CQD ALLOW_WGO_FOR_ROLES that will return an error if the user tries to
grant a privilege as a role.
Added error message (1194) when a component operation is not defined.
Added a check to not allow the WITH GRANT OPTION when granting privileges to
public.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/robertamarton/incubator-trafodion jira-2542
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/trafodion/pull/1536.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1536
----
commit 03a96998cf1cd872596808c0628a367d66427e5e
Author: Roberta Marton <roberta.marton@...>
Date: 2018-04-24T00:20:54Z
[TRAFODION-2542] Grantor is not correct when granting privileges for a role
When granting privileges and the authorization ID is not the current user but
one of the roles granted to the current user, then the "granted by" clause is
required. In addition, the grantor of the privileges becomes the role specified
in the grant statement instead of the current user.
Added a CQD ALLOW_WGO_FOR_ROLES that will return an error if the user tries to
grant a privilege as a role.
Added error message (1194) when a component operation is not defined.
Added a check to not allow the WITH GRANT OPTION when granting privileges to
public.
----
> Grantor is not correct when granting privileges on behalf of a role
> --------------------------------------------------------------------
>
> Key: TRAFODION-2542
> URL: https://issues.apache.org/jira/browse/TRAFODION-2542
> Project: Apache Trafodion
> Issue Type: Bug
> Components: sql-security
> Reporter: Roberta Marton
> Assignee: Roberta Marton
> Priority: Major
>
> Example:
> Admin user:
> register user sql_user1;
> register user sql_user2;
> create role role1;
> create schema abc;
> create table abc.table1 (a int);
> grant select on abc.table1 to role1;
> grant role role1 to sql_user1 with grant option;
> sql_user1 can grant privileges on table abc.table1 through role role1.
> sql_user1 attempts a grant:
> grant select on abc.table1 to sql_user2;
> This works but it shouldn't because sql_user1 does not directly have the
> privileges to grant select. At this time, sql_user1 becomes the grantor of
> the privilege (instead of role1). If the privilege is later revoked, then it
> must be revoked by sql_user1 or through an administrator by specifying the
> GRANTED BY clause:
> revoke select on abc.table1 from sql_user2 granted by sql_user1;
> Instead, the grant should return an error and sql_user1 use the granted by
> clause:
> grant select on abc.table1 to sql_user2 granted by role1;
> Then anyone who has been granted role1 can revoke the privilege. Like the
> grant, the revoke operation would need to include the GRANTED BY clause:
> revoke select on abc.table1 from sql_user2 granted by role1;
> or shortened to
> revoke select on abc.table1 from sql_user2 by role1;
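The grantor rule described in this issue, as an added Python sketch that is not part of the pull request or of Trafodion's code: a grant made through a role must name the role with GRANTED BY, the role is recorded as grantor, and any holder of the role can then revoke. The `Catalog` and `GrantError` names, the second role member `sql_user3`, and the assumption that role1 holds SELECT with the grant option are all constructed for illustration.

```python
# Simplified model of grantor tracking; an illustration, not Trafodion code.
class GrantError(Exception):
    pass

class Catalog:
    def __init__(self):
        self.role_members = {}  # role name -> set of users granted the role
        self.grants = set()     # (priv, obj, grantee, grantor, with_grant_option)

    def _acting_as(self, user, granted_by):
        """Resolve the grantor: the user, or a role the user holds."""
        if granted_by is None or granted_by == user:
            return user
        if user not in self.role_members.get(granted_by, set()):
            raise GrantError(f"{user} has not been granted role {granted_by}")
        return granted_by

    def _holds_wgo(self, auth_id, priv, obj):
        return any(g[:3] == (priv, obj, auth_id) and g[4] for g in self.grants)

    def grant(self, user, priv, obj, grantee, granted_by=None, wgo=False):
        grantor = self._acting_as(user, granted_by)
        if wgo and grantee.upper() == "PUBLIC":
            raise GrantError("WITH GRANT OPTION is not allowed for PUBLIC")
        if not self._holds_wgo(grantor, priv, obj):
            # The user may hold the privilege only through a role: point at it.
            via = sorted(r for r, m in self.role_members.items()
                         if user in m and self._holds_wgo(r, priv, obj))
            hint = f"; use GRANTED BY {via[0]}" if via else ""
            raise GrantError(f"{grantor} cannot grant {priv} on {obj}{hint}")
        self.grants.add((priv, obj, grantee, grantor, wgo))
        return grantor

    def revoke(self, user, priv, obj, grantee, granted_by=None):
        grantor = self._acting_as(user, granted_by)
        match = [g for g in self.grants if g[:4] == (priv, obj, grantee, grantor)]
        if not match:
            raise GrantError(f"no {priv} on {obj} for {grantee} granted by {grantor}")
        self.grants.difference_update(match)
        return grantor

def demo_catalog():
    """Constructed data from the issue's example, plus a hypothetical sql_user3."""
    c = Catalog()
    c.role_members["role1"] = {"sql_user1", "sql_user3"}
    # Assumption: role1 holds SELECT with the grant option, granted by the admin.
    c.grants.add(("select", "abc.table1", "role1", "admin", True))
    return c
```

Recording the role as grantor is what lets a different member of role1 clean up the grant later; with the user recorded instead, only that user or an administrator could revoke it.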