[
https://issues.apache.org/jira/browse/TRAFODION-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16450173#comment-16450173
]
ASF GitHub Bot commented on TRAFODION-2542:
-------------------------------------------
Github user DaveBirdsall commented on a diff in the pull request:
https://github.com/apache/trafodion/pull/1536#discussion_r183796475
--- Diff: core/sql/bin/SqlciErrors.txt ---
@@ -193,7 +193,7 @@
1191 ZZZZZ 99999 BEGINNER MAJOR DBADMIN SERIALIZE option is not yet
supported for $0~string0 datatype.
1192 ZZZZZ 99999 BEGINNER MAJOR DBADMIN Failed to retrieve data from Hive
metastore. Call to $0~string0 returned error $1~string1($0~int0). Cause:
$2~string2.
1193 ZZZZZ 99999 UUUUUUUU UUUUU UUUUUUU The $0~string0 specified in the
$1~string1 clause must be identical to the primary key for a Trafodion table.
-1194 ZZZZZ 99999 ADVANCED MAJOR DIALOUT --- unused ---
+1194 ZZZZZ 99999 UUUUUUUU UUUUU UUUUUUU Component operation $0~string0
does not exist for component $1~string1
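Review bot: the new 1194 text on the `+` line ends without a period ("... does not exist for component $1~string1"), while the 1191, 1192 and 1193 messages above it all end with one; add the trailing period for consistency. The classification columns on the new line are UUUUUUUU UUUUU UUUUUUU, matching 1193, whereas 1191 and 1192 carry BEGINNER MAJOR DBADMIN; if those columns are meant to be populated for new messages, fill them in here rather than leaving the placeholder values.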
--- End diff --
Please add this message to the Messages Guide.
> Grantor is not correct when granting privileges on behalf of a role
> --------------------------------------------------------------------
>
> Key: TRAFODION-2542
> URL: https://issues.apache.org/jira/browse/TRAFODION-2542
> Project: Apache Trafodion
> Issue Type: Bug
> Components: sql-security
> Reporter: Roberta Marton
> Assignee: Roberta Marton
> Priority: Major
>
> Example:
> Admin user:
> register user sql_user1;
> register user sql_user2;
> create role role1;
> create schema abc;
> create table abc.table1 (a int);
> grant select on abc.table1 to role1;
> grant role role1 to sql_user1 with grant option.
> sql_user1 can grant privileges on table abc.table1 through role role1.
> sql_user1 attempts a grant:
> grant select on abc.table1 to sql_user2;
> This works but it shouldn't because sql_user1 does not directly have the
> privileges to grant select. At this time, sql_user1 becomes the grantor of
> the privilege (instead of role1). If the privilege is later revoked, then it
> must be revoked by sql_user1 or through an administrator by specifying the
> GRANTED BY clause:
> revoke select on abc.table1 from sql_user2 granted by sql_user1;
> Instead, the grant should return an error and sql_user1 use the granted by
> clause:
> grant select on abc.table1 to sql_user2 granted by role1;
> Then anyone who has been granted role1 can revoke the privilege. Like the
> grant, the revoke operation would need to include the GRANTED BY clause:
> revoke select on abc.table1 from sql_user2 granted by role1;
> or shortened to
> revoke select on abc.table1 from sql_user2 by role1;