[ https://issues.apache.org/jira/browse/TRAFODION-3194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16623991#comment-16623991 ]

Roberta Marton commented on TRAFODION-3194:
-------------------------------------------

We create two sets of bitmaps for an object: one set contains whether the 
operation has been granted (privs) and the other whether the operation was 
granted using the with grant option (wgo).  During a grant or revoke, Trafodion 
sets up the bitmaps to match what the user requests.  So if the select 
privilege on table t1 is revoked, the privs and wgo bits associated with SELECT 
are set.  Later, metadata is updated to reflect the change.

The issue occurred because the code was always setting the privs bit to true.  
Since we are only revoking the "grant option", only the wgo bit should be 
set.  

Code was changed to pass both the privs and wgo values to the bitmap code 
instead of defaulting the privs bit to true.

> Revoke grant option for all on objects also revokes all privileges from 
> user/role
> ---------------------------------------------------------------------------------
>
>                 Key: TRAFODION-3194
>                 URL: https://issues.apache.org/jira/browse/TRAFODION-3194
>             Project: Apache Trafodion
>          Issue Type: Bug
>            Reporter: Roberta Marton
>            Assignee: Roberta Marton
>            Priority: Major
>
> 'revoke grant option for all' should only revoke the ability to grant all 
> privileges to another user/role, but now all privileges will be revoked too.
> revoke grant option for single/combined privileges works as expected.
> Test Result :
> ======================================
> SQL>showddl usera_t1;
> CREATE TABLE TRAFODION.TRAFINCSCH1.USERA_T1
>   (
>     A INT DEFAULT NULL NOT SERIALIZED
>   , B VARCHAR(20) CHARACTER SET ISO88591 COLLATE
>       DEFAULT DEFAULT NULL NOT SERIALIZED
>   )
>  ATTRIBUTES ALIGNED FORMAT NAMESPACE 'TRAF_1500000' INCREMENTAL BACKUP
> ;
> -- GRANT SELECT, INSERT, DELETE, UPDATE, REFERENCES ON TRAFODION.TRAFINCSCH1.USERA_T1 TO DB__ROOT WITH GRANT OPTION;
> --- SQL operation complete.
> SQL>grant all on usera_t1 to qauser_sqlqaa with grant option;
> --- SQL operation complete.
> SQL>showddl usera_t1;
> CREATE TABLE TRAFODION.TRAFINCSCH1.USERA_T1
>   (
>     A INT DEFAULT NULL NOT SERIALIZED
>   , B VARCHAR(20) CHARACTER SET ISO88591 COLLATE
>       DEFAULT DEFAULT NULL NOT SERIALIZED
>   )
>  ATTRIBUTES ALIGNED FORMAT NAMESPACE 'TRAF_1500000' INCREMENTAL BACKUP
> ;
> -- GRANT SELECT, INSERT, DELETE, UPDATE, REFERENCES ON TRAFODION.TRAFINCSCH1.USERA_T1 TO DB__ROOT WITH GRANT OPTION;
>   GRANT SELECT, INSERT, DELETE, UPDATE, REFERENCES ON
>   TRAFODION.TRAFINCSCH1.USERA_T1 TO QAUSER_SQLQAA WITH GRANT OPTION;
> --- SQL operation complete.
> SQL>revoke grant option for all on usera_t1 from qauser_sqlqaa;
> --- SQL operation complete.
> SQL>showddl usera_t1; //qauser_sqlqaa doesn’t have any privilege on the table 
> after revoke
> CREATE TABLE TRAFODION.TRAFINCSCH1.USERA_T1
>   (
>     A INT DEFAULT NULL NOT SERIALIZED
>   , B VARCHAR(20) CHARACTER SET ISO88591 COLLATE
>       DEFAULT DEFAULT NULL NOT SERIALIZED
>   )
>  ATTRIBUTES ALIGNED FORMAT NAMESPACE 'TRAF_1500000' INCREMENTAL BACKUP
> ;
> -- GRANT SELECT, INSERT, DELETE, UPDATE, REFERENCES ON TRAFODION.TRAFINCSCH1.USERA_T1 TO DB__ROOT WITH GRANT OPTION;
> --- SQL operation complete.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
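
The privs/wgo bitmap handling described in the comment above, as an added C++ illustration that is not Trafodion's own code: the names `PrivSet`, `buildRequest`, `applyRevoke` and `revokeGrantOptionForAll`, and the bit ordering, are assumptions. It contrasts the reported behaviour (privs bit always set in the request) with the fixed one (both privs and wgo values passed in).

```cpp
#include <bitset>
#include <cstdio>
#include <string>

// Hypothetical bit positions; not Trafodion's actual enum.
enum Priv { SELECT_PRIV, INSERT_PRIV, DELETE_PRIV, UPDATE_PRIV, REFERENCES_PRIV, NUM_PRIVS };
using PrivBits = std::bitset<NUM_PRIVS>;

struct PrivSet {
    PrivBits privs;  // operation has been granted
    PrivBits wgo;    // operation was granted WITH GRANT OPTION
};

// Request bitmaps for a grant/revoke: a set bit means "this statement touches it".
// The caller passes both flags, so privs is no longer defaulted to true.
PrivSet buildRequest(PrivBits ops, bool setPrivs, bool setWgo) {
    PrivSet req;
    if (setPrivs) req.privs = ops;
    if (setWgo)   req.wgo = ops;
    return req;
}

// A revoke clears, in the stored state, every bit that is set in the request.
PrivSet applyRevoke(PrivSet current, const PrivSet& req) {
    current.privs &= ~req.privs;
    current.wgo   &= ~req.wgo;
    return current;
}

// REVOKE GRANT OPTION FOR ALL. legacyPrivsAlwaysTrue reproduces the reported bug.
PrivSet revokeGrantOptionForAll(const PrivSet& current, bool legacyPrivsAlwaysTrue) {
    PrivBits all = PrivBits().set();
    return applyRevoke(current, buildRequest(all, legacyPrivsAlwaysTrue, true));
}

int main() {
    PrivSet granted{PrivBits().set(), PrivBits().set()};  // GRANT ALL ... WITH GRANT OPTION
    PrivSet before = revokeGrantOptionForAll(granted, true);
    PrivSet after  = revokeGrantOptionForAll(granted, false);
    std::printf("before fix: privs=%s wgo=%s\n",
                before.privs.to_string().c_str(), before.wgo.to_string().c_str());
    std::printf("after fix:  privs=%s wgo=%s\n",
                after.privs.to_string().c_str(), after.wgo.to_string().c_str());
    return 0;
}
```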
