[
https://issues.apache.org/jira/browse/TRAFODION-2330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15624414#comment-15624414
]
ASF GitHub Bot commented on TRAFODION-2330:
-------------------------------------------
GitHub user robertamarton opened a pull request:
https://github.com/apache/incubator-trafodion/pull/806
TRAFODION-2330 Using trafci, a select from a table succeeds even if t…
…he user
does not have the priv
There is a problem when the session user changes in a mxosrvr process. The
existing compiler caches are not getting cleared so the new user will be
accessing the previous users' caches. This could lead to allowing someone
that does not have privileges to gain access to an object.
The change is to clear all caches during a session user change operation.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/robertamarton/incubator-trafodion traf-2330
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/incubator-trafodion/pull/806.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #806
----
commit 6cd6be853fb1508e7b33d8e12c0fea0a0a8ef044
Author: Roberta Marton <[email protected]>
Date: 2016-11-01T05:22:44Z
TRAFODION-2330 Using trafci, a select from a table succeeds even if the user
does not have the priv
There is a problem when the session user changes in a mxosrvr process. The
existing compiler caches are not getting cleared so the new user will be
accessing the previous users' caches. This could lead to allowing someone
that does not have privileges to gain access to an object.
The change is to clear all caches during a session user change operation.
----
> Using trafci, a select from a table succeeds even if the user does not have
> the priv
> ------------------------------------------------------------------------------------
>
> Key: TRAFODION-2330
> URL: https://issues.apache.org/jira/browse/TRAFODION-2330
> Project: Apache Trafodion
> Issue Type: Bug
> Components: sql-general
> Reporter: Roberta Marton
> Assignee: Roberta Marton
>
> When connecting to Trafodion through trafci, an available mxosrvr is found
> and a new session is started. If the previous session was associated with a
> user other than the current user, the caches are not invalidated. There is a
> potential for the current user to be able to perform that same queries as the
> previous user whether or not they have the correct privileges.
> To recreate:
> enable security
> set number of mxosrvr to 1 in the conf file.
> restart dcs
> bring up a trafci session and perform queries for sql_user1
> stop trafci and bring up trafci as sql_user2
> sql_user2 can perform the same queries as sql_user1
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
