[ 
https://issues.apache.org/jira/browse/TRAFODION-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16450174#comment-16450174
 ] 

ASF GitHub Bot commented on TRAFODION-2542:
-------------------------------------------

Github user DaveBirdsall commented on a diff in the pull request:

    https://github.com/apache/trafodion/pull/1536#discussion_r183796404
  
    --- Diff: core/sql/bin/SqlciErrors.txt ---
    @@ -11,7 +11,7 @@
     1009 ZZZZZ 99999 BEGINNER MINOR DBADMIN Column $0~ColumnName does not 
exist in the specified table.
     1010 0A000 99999 ADVANCED MINOR DBADMIN The statement just entered is 
currently not supported.
     1011 ZZZZZ 99999 ADVANCED MINOR DBADMIN Only one grantee per grant or 
revoke is allowed.
    -1012 01007 99999 BEGINNER MAJOR DBADMIN No privileges were granted.  You 
lack grant option on the specified privileges.
    +1012 01007 99999 BEGINNER MAJOR DBADMIN No privileges were granted.  
$0~String0 lacks grant option on the specified privileges. $1~String1
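    Review bot: The new 1012 text ends in a bare `$1~String1` with no sentence around it, so neither the message nor a Messages Guide entry copied from it says what the second parameter carries, and an empty second parameter leaves a dangling space after the sentence. Either give `$1~String1` its own sentence in this line or document both `$0~String0` (the authorization id that was checked for grant option, i.e. the role when granting on behalf of a role, not the session user) and `$1~String1` in the guide entry, so the error names the grantor the check actually ran against.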
    --- End diff --
    
    Please update the description of this message in the Messages Guide as well.


> Grantor is not correct when granting privileges on behalf of a role 
> --------------------------------------------------------------------
>
>                 Key: TRAFODION-2542
>                 URL: https://issues.apache.org/jira/browse/TRAFODION-2542
>             Project: Apache Trafodion
>          Issue Type: Bug
>          Components: sql-security
>            Reporter: Roberta Marton
>            Assignee: Roberta Marton
>            Priority: Major
>
> Example:
> Admin user:
> register user sql_user1;
> register user sql_user2;
> create role role1;
> create schema abc;
> create table abc.table1 (a int);
> grant select on abc.table1 to role1;
> grant role role1 to sql_user1 with grant option.
> sql_user1 can grant privileges on table abc.table1 through role role1.
> sql_user1 attempts a grant:
> grant select on abc.table1 to sql_user2;
> This works but it shouldn't because sql_user1 does not directly have the 
> privileges to grant select.  At this time, sql_user1 becomes the grantor of 
> the privilege (instead of role1).  If the privilege is later revoked, then it 
> must be revoked by sql_user1 or through an administrator by specifying the 
> GRANTED BY clause:
> revoke select on abc.table1 from sql_user2 granted by sql_user1;
> Instead, the grant should return an error and sql_user1 use the granted by 
> clause:
> grant select on abc.table1 to sql_user2 granted by role1;
> Then anyone who has been granted role1 can revoke the privilege.  Like the 
> grant, the revoke operation would need to include the GRANTED BY clause:
> revoke select on abc.table1 from sql_user2 granted by role1;
> or shortened to
> revoke select on abc.table1 from sql_user2 by role1;



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)