[jira] [Created] (TRAFODION-2294) need add privilege checking for explain statement

Wed, 19 Oct 2016 01:30:23 -0700 

Gao, Rui-Xian created TRAFODION-2294:
----------------------------------------

             Summary: need add privilege checking for explain statement
                 Key: TRAFODION-2294
                 URL: https://issues.apache.org/jira/browse/TRAFODION-2294
             Project: Apache Trafodion
          Issue Type: Bug
          Components: sql-security
         Environment: CDH5.4.8
Centos6.7
            Reporter: Gao, Rui-Xian
            Assignee: Roberta Marton


we don't have privilege checking for 'explain' statements.If a user doesn't 
have privilege to execute a statement, then after explain, the user will be 
able to execute the statement.

Testuser1:
SQL>create schema testsch1;
 
--- SQL operation complete.
 
SQL>set schema testsch1;
 
--- SQL operation complete.
 
SQL>create table tab1(a int, b int);
 
--- SQL operation complete.
 
SQL>insert into tab1 values(1,1);
 
--- 1 row(s) inserted.
 
SQL>select * from tab1;
 
A           B
----------- -----------
          1           1
 
--- 1 row(s) selected.
 
Tesuser2:
SQL>set schema testsch1;
 
--- SQL operation complete.
 
SQL>get tables;
 
Tables in Schema TRAFODION.TESTSCH1
===================================
 
SB_HISTOGRAMS
SB_HISTOGRAM_INTERVALS
SB_PERSISTENT_SAMPLES
TAB1
 
--- SQL operation complete.
 
SQL>select * from tab1;
 
*** ERROR[4481] The user does not have SELECT privilege on table or view 
TRAFODION.TESTSCH1.TAB1. [2016-10-18 09:07:32]
 
SQL>explain options 'f' select * from tab1;
 
 
LC   RC   OP   OPERATOR              OPT       DESCRIPTION           CARD
---- ---- ---- --------------------  --------  --------------------  ---------
 
1    .    2    root                                                  1.00E+002
.    .    1    trafodion_scan                  TAB1                  1.00E+002
 
--- SQL operation complete.
 
SQL>select * from tab1;
 
A           B
----------- -----------
          1           1
 
--- 1 row(s) selected.
 
SQL>insert into tab1 values(20,20);
 
*** ERROR[4481] The user does not have INSERT privilege on table or view 
TRAFODION.TESTSCH1.TAB1. [2016-10-18 09:11:03]
 
SQL>explain options 'f' insert into tab1 values(20,20);
 
 
LC   RC   OP   OPERATOR              OPT       DESCRIPTION           CARD
---- ---- ---- --------------------  --------  --------------------  ---------
 
1    .    2    root                  o                               1.00E+000
.    .    1    trafodion_insert                TAB1                  1.00E+000
 
--- SQL operation complete.
 
SQL>insert into tab1 values(20,20);
 
--- 1 row(s) inserted.
 
SQL>select * from tab1;
 
A           B
----------- -----------
         20          20
          1           1
 
--- 2 row(s) selected.
 
SQL>showddl tab1;
 
 
CREATE TABLE TRAFODION.TESTSCH1.TAB1
  (
    A                                INT DEFAULT NULL SERIALIZED
  , B                                INT DEFAULT NULL SERIALIZED
  )
;
 
-- GRANT SELECT, INSERT, DELETE, UPDATE, REFERENCES ON TRAFODION.TESTSCH1.TAB1 
TO TESTUSER1 WITH GRANT OPTION;
 
--- SQL operation complete.
 




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to