[ 
https://issues.apache.org/jira/browse/TRAFODION-2330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15625530#comment-15625530
 ] 

ASF GitHub Bot commented on TRAFODION-2330:
-------------------------------------------

Github user sureshsubbiah commented on a diff in the pull request:

    https://github.com/apache/incubator-trafodion/pull/806#discussion_r85935717
  
    --- Diff: core/sql/arkcmp/CmpContext.cpp ---
    @@ -1157,4 +1157,16 @@ void CmpContext::resetLogmxEventSqlText()
        delete sqlTextBuf_ ;
        sqlTextBuf_ = NULL ;
     }
    +
    +void CmpContext::clearAllCaches()
    +{
    +   qcache_->makeEmpty();
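Review bot: the first statement of clearAllCaches(), qcache_->makeEmpty(), dereferences qcache_ with no NULL check, while the function just above it sets its own member pointer to NULL after deleting it. If qcache_ can be unset on any path that reaches this method, guard the call, for example: if (qcache_) qcache_->makeEmpty(); . The new method also has no comment saying which caches it is meant to clear and which it deliberately leaves alone; a short header comment would let later readers check the list against the members of CmpContext.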
    --- End diff --
    
    The constructor for CmpContext seems to initialize histogramCache_ the same
    as qcache_. Is it possible qcache_ can be NULL at some point? It may be safer
    to guard it; this is a really minor nit to be handled later if necessary.

    There is one more cache, optPCodeCache_. Now this cache may not cause any
    priv violations I suppose. So a comment later here may be all we need, that
    PCode cache is not addressed by this method.


> Using trafci, a select from a table succeeds even if the user does not have 
> the priv
> ------------------------------------------------------------------------------------
>
>                 Key: TRAFODION-2330
>                 URL: https://issues.apache.org/jira/browse/TRAFODION-2330
>             Project: Apache Trafodion
>          Issue Type: Bug
>          Components: sql-general
>            Reporter: Roberta Marton
>            Assignee: Roberta Marton
>
> When connecting to Trafodion through trafci, an available mxosrvr is found 
> and a new session is started.  If the previous session was associated with a 
> user other than the current user, the caches are not invalidated.  There is a 
> potential for the current user to be able to perform the same queries as the 
> previous user whether or not they have the correct privileges.
> To recreate:
> enable security
> set number of mxosrvr to 1 in the conf file.
> restart dcs
> bring up a trafci session and perform queries for sql_user1
> stop trafci and bring up trafci as sql_user2
> sql_user2 can perform the same queries as sql_user1



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
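
The recreate steps in the issue above, as a small C++ model added here for illustration; it is not Trafodion code. The class ServerProcess, its members, and the assumption that the privilege check runs only when a query is compiled and is skipped on a cache hit are hypothetical.

```cpp
#include <map>
#include <set>
#include <string>
#include <utility>

// Toy model (constructed for illustration, not Trafodion code): one server
// process that is reused by successive sessions and caches compiled queries.
class ServerProcess {
public:
    std::set<std::pair<std::string, std::string>> grants; // (user, table) SELECT grants
    bool clearOnUserChange = false;  // false = behaviour described in the issue

    void startSession(const std::string& user) {
        // Mitigation: drop everything compiled on behalf of the previous user.
        if (clearOnUserChange && user != user_) planCache_.clear();
        user_ = user;
    }

    // Returns true if a SELECT on `table` is allowed to run for the session user.
    bool select(const std::string& table) {
        // Assumption of this model: privileges are checked at compile time only,
        // so a cache hit returns the stored plan without re-checking the user.
        if (planCache_.count(table)) return true;
        if (!grants.count(std::make_pair(user_, table))) return false;
        planCache_[table] = "plan for " + table;
        return true;
    }

private:
    std::string user_;
    std::map<std::string, std::string> planCache_;  // keyed by table, not by user
};

// Follows the recreate steps: sql_user1 queries, then sql_user2 connects to the
// same process and repeats the query without holding the privilege.
bool secondUserCanSelect(bool clearOnUserChange) {
    ServerProcess srv;
    srv.clearOnUserChange = clearOnUserChange;
    srv.grants.emplace("sql_user1", "t1");  // constructed sample grant
    srv.startSession("sql_user1");
    srv.select("t1");                       // populates the cache
    srv.startSession("sql_user2");          // same process, different user
    return srv.select("t1");
}

int main() {
    // Exit status 0 when the stale cache leaks access and clearing stops it.
    return (secondUserCanSelect(false) && !secondUserCanSelect(true)) ? 0 : 1;
}
```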
