[
https://issues.apache.org/jira/browse/TRAFODION-2330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15625530#comment-15625530
]
ASF GitHub Bot commented on TRAFODION-2330:
-------------------------------------------
Github user sureshsubbiah commented on a diff in the pull request:
https://github.com/apache/incubator-trafodion/pull/806#discussion_r85935717
--- Diff: core/sql/arkcmp/CmpContext.cpp ---
@@ -1157,4 +1157,16 @@ void CmpContext::resetLogmxEventSqlText()
delete sqlTextBuf_ ;
sqlTextBuf_ = NULL ;
}
+
+void CmpContext::clearAllCaches()
+{
+ qcache_->makeEmpty();
--- End diff --
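Review bot: qcache_->makeEmpty(); in the new clearAllCaches() dereferences qcache_ with no NULL check, so a call made while qcache_ is unset would crash instead of clearing anything. Consider guarding it, for example if (qcache_) qcache_->makeEmpty();. The method also has no comment in the visible lines saying which caches it covers; a short note above the definition listing them, and any that are deliberately left out, would make it clear what callers can rely on.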
The constructor for CmpContext seems to initialize histogramCache_ the same
as qcache_. Is it possible qcache_ can be NULL at some point? It may be safer
to guard it; this is a really minor nit to be handled later if necessary.
There is one more cache, optPCodeCache_. Now this cache may not cause any
priv violations I suppose. So a comment later here may be all we need, that
PCode cache is not addressed by this method.
> Using trafci, a select from a table succeeds even if the user does not have
> the priv
> ------------------------------------------------------------------------------------
>
> Key: TRAFODION-2330
> URL: https://issues.apache.org/jira/browse/TRAFODION-2330
> Project: Apache Trafodion
> Issue Type: Bug
> Components: sql-general
> Reporter: Roberta Marton
> Assignee: Roberta Marton
>
> When connecting to Trafodion through trafci, an available mxosrvr is found
> and a new session is started. If the previous session was associated with a
> user other than the current user, the caches are not invalidated. There is a
> potential for the current user to be able to perform the same queries as the
> previous user whether or not they have the correct privileges.
> To recreate:
> enable security
> set number of mxosrvr to 1 in the conf file.
> restart dcs
> bring up a trafci session and perform queries for sql_user1
> stop trafci and bring up trafci as sql_user2
> sql_user2 can perform the same queries as sql_user1
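A minimal model of the stale-cache problem described in the issue, with and without clearing caches when the session user changes. This is an added example, not Trafodion code: the Server class, its methods and the plan strings are hypothetical, and it assumes privileges are checked only when a query is compiled, not on a cache hit.

```cpp
#include <map>
#include <set>
#include <string>
#include <utility>

// Hypothetical model of one long-lived server process that is reused by
// successive sessions and keeps a plan cache keyed by SQL text only.
class Server {
public:
    explicit Server(bool clearOnUserChange) : clearOnUserChange_(clearOnUserChange) {}

    void grantSelect(const std::string& user, const std::string& table) {
        grants_.emplace(user, table);
    }

    // A new session attaches to the same process, possibly as another user.
    void startSession(const std::string& user) {
        if (clearOnUserChange_ && user != currentUser_)
            clearAllCaches();
        currentUser_ = user;
    }

    // Returns true when the query runs, false when the privilege check rejects it.
    bool select(const std::string& table) {
        const std::string sql = "SELECT * FROM " + table;
        if (planCache_.count(sql))
            return true;                 // cache hit: no privilege check runs
        if (!grants_.count(std::make_pair(currentUser_, table)))
            return false;                // assumption: checked only at compile time
        planCache_[sql] = "scan(" + table + ")";
        return true;
    }

    void clearAllCaches() { planCache_.clear(); }

private:
    bool clearOnUserChange_;
    std::string currentUser_;
    std::set<std::pair<std::string, std::string> > grants_;
    std::map<std::string, std::string> planCache_;
};

// Replays the issue's steps: sql_user1 queries, then sql_user2 reuses the process.
bool secondUserCanRead(bool clearOnUserChange) {
    Server srv(clearOnUserChange);
    srv.grantSelect("sql_user1", "t1");
    srv.startSession("sql_user1");
    srv.select("t1");
    srv.startSession("sql_user2");
    return srv.select("t1");
}
```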