[
https://issues.apache.org/jira/browse/TRAFODION-3195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16624033#comment-16624033
]
Roberta Marton commented on TRAFODION-3195:
-------------------------------------------
Changed GET commands to work consistently for users and roles and verified that
headings are correct.

If the GET request contains a FOR USER clause, then the name specified must be
a user.

If the GET request contains a FOR ROLE clause, then the name specified must be a
role or PUBLIC.

If you specify FOR USER, then objects where that user has been granted a
privilege are returned. In addition, any object that has been granted a privilege
on any of the user's roles is also returned. Component privileges differ as
explained later.

If you are an elevated user (DB__ROOT or granted the SHOW privilege), then you
can run GET commands for any user or role.

If you are not an elevated user and you specify a FOR USER clause, then the
current user must be the name specified in the request. For example, if you
connect as USER1 you cannot get roles for USER2.

If you are not an elevated user and specify a FOR ROLE clause, then the current
user must have been granted the role.

FOR USER and FOR ROLE clauses exist for schemas, tables, indexes, views,
libraries, all types of routines, privileges, users for role, roles for user.
There is currently no support for sequences.

Component privileges work a bit differently. The GET syntax does not require
you to specify FOR USER or FOR ROLE. In this case, the specified name must be
a user, role, or PUBLIC. In addition, if you want roles associated with the
user to be considered, the CASCADE option must be specified. For example:

    GET PRIVILEGES ON COMPONENT sql_operations FOR user1 CASCADE;

> Get schemas for role and get schemas for user working incorrectly
> -----------------------------------------------------------------
>
> Key: TRAFODION-3195
> URL: https://issues.apache.org/jira/browse/TRAFODION-3195
> Project: Apache Trafodion
> Issue Type: Bug
> Reporter: Roberta Marton
> Assignee: Roberta Marton
> Priority: Major
>
> Various issues with get schema for <authtype> <authid> command:
> * Get schemas for role is reporting incorrect heading (User instead of Role)
> ** create schema abc authorization db__rootrole;
> ** get schemas for role db__rootrole;
> ** Schemas for User DB__ROOTROLE
> * get schemas for role <userid> returns schemas owned by userID
> * get schemas for user <roleid> returns schemas owned by roleID
> * Privilege checks missing on get schema for role and get schema for user
> commands
> ** revoke component privilege "SHOW" on sql_operations from "PUBLIC"
> ** sqlci -u sql_user1
> ** get schemas for role db__rootrole -> returns schemas that sql_user1 has
> no privs
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
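
The FOR USER / FOR ROLE access rules described in the comment above, modelled as an added Python example (not Trafodion's code and not part of the original message). The Catalog class, the ANALYST role, the upper-casing of names and the treatment of SHOW granted to PUBLIC as applying to every user are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ROOT, PUBLIC = "DB__ROOT", "PUBLIC"

@dataclass
class Catalog:
    """Constructed stand-in for the authorization metadata (hypothetical)."""
    users: set
    roles: set
    role_grants: dict = field(default_factory=dict)  # user -> roles granted to it
    show_grantees: set = field(default_factory=set)  # names holding SHOW

    def is_elevated(self, user):
        # Assumption: SHOW granted to PUBLIC makes every user elevated.
        return (user == ROOT or user in self.show_grantees
                or PUBLIC in self.show_grantees)

def check_get(cat, current_user, clause, name):
    """Return (allowed, reason) for GET ... FOR USER|ROLE <name>."""
    # Assumption: names compare case-insensitively, stored upper-case.
    current_user, name = current_user.upper(), name.upper()
    if clause == "USER":
        if name not in cat.users:
            return False, "name is not a user"
        if cat.is_elevated(current_user) or name == current_user:
            return True, "ok"
        return False, "non-elevated user may only name itself"
    if clause == "ROLE":
        if name not in cat.roles and name != PUBLIC:
            return False, "name is not a role or PUBLIC"
        if cat.is_elevated(current_user):
            return True, "ok"
        if name in cat.role_grants.get(current_user, set()):
            return True, "ok"
        return False, "role not granted to current user"
    raise ValueError("clause must be USER or ROLE")

# Constructed data mirroring the issue: SHOW has been revoked from PUBLIC.
CAT = Catalog(
    users={"DB__ROOT", "SQL_USER1", "SQL_USER2"},
    roles={"DB__ROOTROLE", "ANALYST"},  # ANALYST is a made-up role
    role_grants={"DB__ROOT": {"DB__ROOTROLE"}, "SQL_USER1": {"ANALYST"}},
)

if __name__ == "__main__":
    for who, clause, name in [("sql_user1", "ROLE", "db__rootrole"),
                              ("sql_user1", "USER", "sql_user2"),
                              ("db__root", "USER", "sql_user2")]:
        print(who, clause, name, check_get(CAT, who, clause, name))
```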