[ 
https://issues.apache.org/jira/browse/TRAFODION-2203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15529869#comment-15529869
 ] 

ASF GitHub Bot commented on TRAFODION-2203:
-------------------------------------------

Github user robertamarton commented on a diff in the pull request:

    https://github.com/apache/incubator-trafodion/pull/729#discussion_r80933596
  
    --- Diff: core/sql/sqlcomp/PrivMgrDesc.cpp ---
    @@ -550,14 +554,28 @@ void PrivMgrCoreDesc::interpretChanges( const bool 
before,       // in
     // 
----------------------------------------------------------------------------
     bool PrivMgrDesc::limitToGrantable( const PrivMgrDesc& other )
     {
    -
       bool result = false;
    -  PrivMgrCoreDesc logicalTablePrivs(other.tableLevel_);
    -  // TDB - include column level privileges
    -
    - if ( tableLevel_.limitToGrantable(logicalTablePrivs) )
    -    result = TRUE;
    +  if ( tableLevel_.limitToGrantable(other.tableLevel_) )
    +    result = true;
     
    -   return result;
    +  // Consider table level privileges when checking column privs
    +  PrivMgrCoreDesc temp = other.tableLevel_;
    +  for (int i = 0; i < columnLevel_.entries(); i++)
    +  {
    +    // Find associated column in other Desc list
    +    int index = other.getColumnPriv(columnLevel_[i].getColumnOrdinal());
    +    if (index >= 0)
    +    {
    +      temp.unionOfPrivs(other.columnLevel_[index]);
    +      if (columnLevel_[i].limitToGrantable(temp))
    +        result = true;
    +    }
    +    else
    +    {
    +      if (columnLevel_[i].limitToGrantable(temp))
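Review bot: `temp` is declared once before the loop (`PrivMgrCoreDesc temp = other.tableLevel_;`) and is then widened inside it by `temp.unionOfPrivs(other.columnLevel_[index]);`. If unionOfPrivs modifies temp in place, as the unused return value suggests, the column privileges merged for one column are still in temp when every later column is checked. A privilege that is grantable on one column could then count as grantable on a different column in `columnLevel_[i].limitToGrantable(temp)`, which is the same kind of over-grant this issue reports. Declaring temp inside the for body would make each iteration start from other.tableLevel_ alone. Separately, both branches of `if (index >= 0)` end in the same limitToGrantable(temp) check, so the check can follow the union once and the else can go.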
    --- End diff --
    
    You are correct, the else is not needed, will fix it in the next checkin.


>  a user can grant privileges that he doesn’t have to other users/roles 
> successfully
> -----------------------------------------------------------------------------------
>
>                 Key: TRAFODION-2203
>                 URL: https://issues.apache.org/jira/browse/TRAFODION-2203
>             Project: Apache Trafodion
>          Issue Type: Bug
>          Components: sql-security
>         Environment: Centos6.7
> EsgynDB R2.2 0825daily
>            Reporter: Gao, Rui-Xian
>            Assignee: Roberta Marton
>
> a  user can grant privileges that he doesn’t have to other users/roles 
> successfully.
> To reproduce --
> root user --
> create role role1;
> create schema mysch;
> set schema mysch;
> create table tab1(a int, b int)no partition;
> grant insert on tab1 to testuser1 with grant option;
> connect as testuser1 --
> set schema mysch;
> SQL>grant select on tab1 to role1;
> *** ERROR[1012] No privileges were granted.  You lack grant option on the 
> specified privileges. [2016-09-01 15:31:33] //Rachel: this is expected
> SQL>grant insert ,select on tab1 to role1;
> --- SQL operation complete.   // should return error, testuser1 doesn’t have 
> select privilege on tab1


