[
https://issues.apache.org/jira/browse/TRAFODION-3218?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Roberta Marton reassigned TRAFODION-3218:
-----------------------------------------
Assignee: Roberta Marton
This is a problem with query invalidation and column level privileges.
> User still has privilege after user's role has been revoked or privilege has
> been revoked from the user's role
> --------------------------------------------------------------------------------------------------------------
>
> Key: TRAFODION-3218
> URL: https://issues.apache.org/jira/browse/TRAFODION-3218
> Project: Apache Trafodion
> Issue Type: Bug
> Components: sql-security
> Reporter: Roberta Marton
> Assignee: Roberta Marton
> Priority: Major
>
> Grant a select column privilege on a table to a user and then grant select
> object privilege to one of the user’s roles to the same table. User can
> select all columns from the table. Next revoke object select privilege from
> the role (or revoke role from user), the user still has the select object
> privilege on the table.
> The issue can’t be reproduced if there is no column priv granted to the user.
> Steps to recreate:
>
> Start a session for db__root:
>   register user sql_user1;
>   create role role1;
>   grant role role1 to sql_user1;
>   create schema traf_ht;
>   set schema traf_ht;
>   create table traft1(a varchar(10) not null primary key, b varchar(20));
>   grant select(a) on traft1 to sql_user1;
>   grant select on traft1 to role1;
>   showddl traft1;
>
> Start a session for sql_user1:
>   set schema traf_ht;
>   prepare s1 from select * from traft1;
>   explain s1;
>
> Go to db__root session:
>   revoke select on traft1 from role1;
>
> Go to sql_user1 session:
>   set schema traf_ht;
>   select * from traft1; -> should fail because no longer has select priv, but it works
>
> Log out and reconnect as sql_user1 and the request fails as expected.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
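
The symptom in this report, reproduced in a small Python model as an added example (not Trafodion code and not written by the reporter). `Catalog`, `Session`, `replay` and the dependency-tracking flaw behind the `buggy` flag are assumptions chosen to match the reported behaviour; the report does not say where the actual defect lies.

```python
from dataclasses import dataclass, field
@dataclass
class Catalog:
    """Constructed model. A SELECT grant is (grantee, table, column); column None = whole object."""
    grants: set = field(default_factory=set)
    roles: dict = field(default_factory=dict)    # user -> set of role names
    revoked: list = field(default_factory=list)  # invalidation keys published by REVOKE

    def covering(self, user, table, cols):
        """Grants that together authorize SELECT on cols, or None if access is denied."""
        who = {user} | self.roles.get(user, set())
        mine = {g for g in self.grants if g[0] in who and g[1] == table}
        obj = {g for g in mine if g[2] is None}
        col = {g for g in mine if g[2] in cols}
        return obj | col if obj or {g[2] for g in col} >= set(cols) else None
    def revoke(self, grant):
        self.grants.discard(grant)
        self.revoked.append(grant)

class Session:
    def __init__(self, catalog, user, buggy):
        self.cat, self.user, self.buggy = catalog, user, buggy
        self.plans, self.seen = {}, 0            # cached plan -> grants it depends on

    def select(self, table, cols):
        # Drop cached plans that depend on a grant revoked since the last statement.
        for key in self.cat.revoked[self.seen:]:
            self.plans = {q: d for q, d in self.plans.items() if key not in d}
        self.seen = len(self.cat.revoked)
        q = (table, tuple(cols))
        if q not in self.plans:                  # privileges are checked at compile time only
            deps = self.cat.covering(self.user, table, cols)
            if deps is None:
                return "denied"
            if self.buggy and any(g[2] is not None for g in deps):
                # Hypothetical flaw: object-level grants are forgotten once a column grant is seen.
                deps = {g for g in deps if g[2] is not None}
            self.plans[q] = deps
        return "rows"

def replay(buggy, column_grant=True):
    """Replay the report's steps; return the result of the SELECT issued after the REVOKE."""
    cat = Catalog(roles={"sql_user1": {"role1"}})
    cat.grants.add(("role1", "traft1", None))             # grant select on traft1 to role1
    if column_grant:
        cat.grants.add(("sql_user1", "traft1", "a"))      # grant select(a) on traft1 to sql_user1
    user = Session(cat, "sql_user1", buggy)
    assert user.select("traft1", ["a", "b"]) == "rows"    # plan cached while authorized
    cat.revoke(("role1", "traft1", None))
    return user.select("traft1", ["a", "b"])
```

With `buggy=True` the cached plan survives the revoke only when the column grant exists, which matches both observations in the report; a useful regression test asserts `"denied"` in all three configurations.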