[ https://issues.apache.org/jira/browse/TRAFODION-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16450176#comment-16450176 ]

ASF GitHub Bot commented on TRAFODION-2542:
-------------------------------------------

Github user DaveBirdsall commented on a diff in the pull request:

    https://github.com/apache/trafodion/pull/1536#discussion_r183800593
  
    --- Diff: core/sql/sqlcomp/PrivMgrPrivileges.cpp ---
    @@ -4445,6 +4503,50 @@ PrivStatus 
PrivMgrPrivileges::getPrivsFromAllGrantors(
     }
     
     
    +// 
----------------------------------------------------------------------------
    +// method: getRolesToCheck
    +//
    +// This method checks all the roles granted to the user and returns a comma
    +// separated list of those roles that have privileges on the target object.
    +// 
----------------------------------------------------------------------------
    +PrivStatus PrivMgrPrivileges::getRolesToCheck(
    +  const int32_t grantorID,
    +  const std::vector<int32_t> & roleIDs,
    +  const ComObjectType objectType,
    +  std::string &rolesWithPrivs)
    +{
    +  int32_t length;
    +  char roleName[MAX_DBUSERNAME_LEN + 1];
    +  std::vector<int_32> emptyRoleIDs;
    +  bool hasManagePrivPriv = false;
    +
    +  for (size_t r = 0; r < roleIDs.size(); r++)
    +  {
    +    PrivMgrDesc privsOfTheRole(roleIDs[r],true);
    +    if (getUserPrivs(objectType, roleIDs[r], emptyRoleIDs, privsOfTheRole,
    +                     hasManagePrivPriv) != STATUS_GOOD)
    +      return STATUS_ERROR;
    +
    +    if (!privsOfTheRole.isNull())
    +    {
    +      // just return what getAuthNameFromAuthID returns
    +      ComUser::getAuthNameFromAuthID(roleIDs[r],roleName, 
sizeof(roleName),length);
    +      if (r > 0)
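Review bot: `std::vector<int_32> emptyRoleIDs;` uses `int_32` while the `roleIDs` parameter is declared as `std::vector<int32_t>`; unless `int_32` is a typedef in this code base the declaration will not compile, and either way it should use the same `int32_t` as `roleIDs`, since it is passed where `getUserPrivs` expects a role-ID vector. Separately, whatever status `ComUser::getAuthNameFromAuthID` returns is discarded, so a failed name lookup would leave `roleName` unset and still appended to `rolesWithPrivs`; check that result and return `STATUS_ERROR` on failure, as the `getUserPrivs` call just above already does.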
    --- End diff --
    
    This doesn't look correct. I think you want a comma if you've already added 
a role to rolesWithPrivs. r > 0 means only that you've already processed one of 
the roleIDs array members. I think this code gives the wrong result if 
privsOfTheRole.isNull() is true for roleIDs[0].


> Grantor is not correct when granting privileges on behalf of a role 
> --------------------------------------------------------------------
>
>                 Key: TRAFODION-2542
>                 URL: https://issues.apache.org/jira/browse/TRAFODION-2542
>             Project: Apache Trafodion
>          Issue Type: Bug
>          Components: sql-security
>            Reporter: Roberta Marton
>            Assignee: Roberta Marton
>            Priority: Major
>
> Example:
> Admin user:
> register user sql_user1;
> register user sql_user2;
> create role role1;
> create schema abc;
> create table abc.table1 (a int);
> grant select on abc.table1 to role1;
> grant role role1 to sql_user1 with grant option;
> sql_user1 can grant privileges on table abc.table1 through role role1.
> sql_user1 attempts a grant:
> grant select on abc.table1 to sql_user2;
> This works but it shouldn't because sql_user1 does not directly have the 
> privileges to grant select.  At this time, sql_user1 becomes the grantor of
> the privilege (instead of role1).  If the privilege is later revoked, then it 
> must be revoked by sql_user1 or through an administrator by specifying the 
> GRANTED BY clause:
> revoke select on abc.table1 from sql_user2 granted by sql_user1;
> Instead, the grant should return an error and sql_user1 use the granted by 
> clause:
> grant select on abc.table1 to sql_user2 granted by role1;
> Then anyone who has been granted role1 can revoke the privilege.  Like the 
> grant, the revoke operation would need to include the GRANTED BY clause:
> revoke select on abc.table1 from sql_user2 granted by role1;
> or shortened to
> revoke select on abc.table1 from sql_user2 by role1;
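As an added example (not Trafodion's own code), a minimal Python model of the grant and revoke rules the issue asks for, recording which authorization ID becomes the grantor. It assumes object privileges carry no grant option of their own and that the ability to grant on a role's behalf comes from `grant role ... with grant option`, as in the example above; sql_user3 is a constructed second member of role1.

```python
STATUS_GOOD, STATUS_ERROR = "STATUS_GOOD", "STATUS_ERROR"


class PrivModel:
    def __init__(self):
        self.privs = {}    # (priv, obj, grantee) -> set of recorded grantor IDs
        self.members = {}  # role -> {user: granted with grant option?}

    def grant(self, actor, priv, obj, grantee, granted_by=None):
        if granted_by is None:
            # no GRANTED BY: actor must hold the privilege directly (never via a role)
            if not self.privs.get((priv, obj, actor)):
                return STATUS_ERROR
            grantor = actor
        else:
            # GRANTED BY role: actor needs the role with grant option, the role must
            # hold the privilege itself, and the role is recorded as the grantor
            if not self.members.get(granted_by, {}).get(actor):
                return STATUS_ERROR
            if not self.privs.get((priv, obj, granted_by)):
                return STATUS_ERROR
            grantor = granted_by
        self.privs.setdefault((priv, obj, grantee), set()).add(grantor)
        return STATUS_GOOD

    def revoke(self, actor, priv, obj, grantee, granted_by=None):
        # REVOKE ... [GRANTED BY role]: any member of the role may revoke on its behalf
        grantor = granted_by or actor
        if granted_by is not None and actor not in self.members.get(granted_by, {}):
            return STATUS_ERROR
        recorded = self.privs.get((priv, obj, grantee), set())
        if grantor not in recorded:
            return STATUS_ERROR  # grantee holds nothing from this grantor
        recorded.discard(grantor)
        return STATUS_GOOD


def scenario():
    # the issue's example; sql_user3 is a constructed second member of role1
    m = PrivModel()
    m.privs[("select", "abc.table1", "admin")] = {"_owner"}  # admin owns the table
    m.grant("admin", "select", "abc.table1", "role1")
    m.members["role1"] = {"sql_user1": True, "sql_user3": False}  # True: with grant option
    t = ("select", "abc.table1", "sql_user2")
    return {
        "direct": m.grant("sql_user1", *t),                               # STATUS_ERROR
        "via_role": m.grant("sql_user1", *t, granted_by="role1"),         # STATUS_GOOD
        "grantor": set(m.privs[t]),                                       # {"role1"}
        "revoke_as_user": m.revoke("sql_user1", *t),                      # STATUS_ERROR
        "revoke_by_role": m.revoke("sql_user3", *t, granted_by="role1"),  # STATUS_GOOD
    }
```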



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
