[jira] [Commented] (TRAFODION-2203) a user can grant privileges that he doesn’t have to other users/roles successfully

Thu, 01 Sep 2016 16:30:00 -0700 

    [ 
https://issues.apache.org/jira/browse/TRAFODION-2203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15456938#comment-15456938
 ] 

Roberta Marton commented on TRAFODION-2203:
-------------------------------------------

After performing the grant statement, perform a "showddl tab1;".  You will 
notice that only the insert privilege was added.  ANSI states that "warning 
<privilege not granted>" should be displayed for each combination of 
grantee<=>privilege that was not granted.   However, privileges that can be 
successfully granted should be granted. The grant code does not grant any 
privileges it cannot grant but is not reporting this condition.

Conversely, if you did a revoke select, insert on tab1 from role1; you see the 
following warning returned: "*** WARNING[1015] Some of the specified privileges 
could not be revoked.". In this case, the insert privilege is removed.

The warning tells the user that not all privilege were revoked and we can add 
similar code to grant.  However, to follow ANSI rules, we should report a 
warning for each privilege not granted. As part of the warning, we should 
include the privilege.

This is also true if the user: "grant all privileges on tab1 to role1;".  In 
this case, only the insert privilege is granted.  ANSI states that a "warning 
<privilege not granted>"  should also be returned for each privilege not 
granted.  Similar change is needed for revoke.

>  a user can grant privileges that he doesn’t have to other users/roles 
> successfully
> -----------------------------------------------------------------------------------
>
>                 Key: TRAFODION-2203
>                 URL: https://issues.apache.org/jira/browse/TRAFODION-2203
>             Project: Apache Trafodion
>          Issue Type: Bug
>          Components: sql-security
>         Environment: Centos6.7
> EsgynDB R2.2 0825daily
>            Reporter: Gao, Rui-Xian
>            Assignee: Roberta Marton
>
> a  user can grant privileges that he doesn’t have to other users/roles 
> successfully.
> To reproduce --
> root user --
> create role role1;
> create schema mysch;
> set schema mysch;
> create table tab1(a int, b int)no partition;
> grant insert on tab1 to testuser1 with grant option;
> connect as testuser1 --
> set schema mysch;
> SQL>grant select on tab1 to role1;
> *** ERROR[1012] No privileges were granted.  You lack grant option on the 
> specified privileges. [2016-09-01 15:31:33] //Rachel: this is expected
> SQL>grant insert ,select on tab1 to role1;
> --- SQL operation complete.   // should return error, testuser1 doesn’t have 
> select privilege on tab1



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to