[jira] [Commented] (TRAFODION-2542) Grantor is not correct when granting privileges on behalf of a role

Tue, 24 Apr 2018 09:36:23 -0700 

    [ 
https://issues.apache.org/jira/browse/TRAFODION-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16450175#comment-16450175
 ] 

ASF GitHub Bot commented on TRAFODION-2542:
-------------------------------------------

Github user DaveBirdsall commented on a diff in the pull request:

    https://github.com/apache/trafodion/pull/1536#discussion_r183798490
  
    --- Diff: core/sql/sqlcomp/PrivMgrComponentPrivileges.cpp ---
    @@ -840,11 +840,12 @@ PrivStatus PrivMgrComponentPrivileges::grantPrivilege(
           // more items in the list fail and in cases of "ALL".                
                             
           if (!componentOperations.nameExists(componentUID,operationName))
           {
    -         *pDiags_ << DgSqlCode(-CAT_TABLE_DOES_NOT_EXIST_ERROR)
    -                  << DgTableName(operationName.c_str());
    +         *pDiags_ << DgSqlCode(-CAT_INVALID_COMPONENT_PRIVILEGE)
    --- End diff --
    
    Looks like we were using the wrong error message before? Thanks for fixing 
this.


> Grantor is not correct when granting privileges on behalf of a role 
> --------------------------------------------------------------------
>
>                 Key: TRAFODION-2542
>                 URL: https://issues.apache.org/jira/browse/TRAFODION-2542
>             Project: Apache Trafodion
>          Issue Type: Bug
>          Components: sql-security
>            Reporter: Roberta Marton
>            Assignee: Roberta Marton
>            Priority: Major
>
> Example:
> Admin user:
> register user sql_user1;
> register user sql_user2;
> create role role1;
> create schema abc;
> create table abc.table1 (a int);
> grant select on abc.table1 to role1;
> grant role role1 to sql_user1 with grant option.
> sql_user1 can grant privileges on table abc.table1 through role role1.
> sql_user1 attempts a grant:
> grant select on abc.table1 to sql_user2;
> This works but it shouldn't because sql_user1 does not directly have the 
> privileges to grant select.  At this time, sql_user1 becomes the grantor or 
> the privilege (instead of role1).  If the privilege is later revoked, then it 
> must be revoked by sql_user1 or through an administrator by specifying the 
> GRANTED BY clause:
> revoke select on abc.table1 from sql_user2 granted by sql_user1;
> Instead, the grant should return an error and sql_user1 use the granted by 
> clause:
> grant select on abc.table1 to sql_user2 granted by role1;
> Then anyone who has been granted role1 can revoke the privilege.  Like the 
> grant, the revoke operation would need to include the  GRANTED BY clause:
> revoke select on abc.table1 from sql_user2 granted by role1;
> or shortened to
> revoke select on abc.table1 from sql_user2 by role1;



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to