[
https://issues.apache.org/jira/browse/TRAFODION-2538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15925230#comment-15925230
]
ASF GitHub Bot commented on TRAFODION-2538:
-------------------------------------------
GitHub user robertamarton opened a pull request:
https://github.com/apache/incubator-trafodion/pull/1010
TRAFODION-2538 Revoking privileges from role not invoking query invalidation
Fixed an issue where query invalidation keys were not being sent correctly when a privilege was revoked from a role.
When a table is cached, a list of all the query invalidation keys for the user is stored. Later, when a query is run, the compiler picks the relevant keys and places them in the plan. When a revoke occurs, a key is sent to RMS and the executor processes check for keys at the next execution. If the key affects any caches, the cache entries are refreshed and plans recompiled.
Incorrect keys were being created when privileges were revoked from roles, so queries continued to work even though the user had no more privileges.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/robertamarton/incubator-trafodion rroleprivs
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/incubator-trafodion/pull/1010.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1010
----
commit a78064b89afce13e12cc70024ca110b17b68c792
Author: Roberta Marton <[email protected]>
Date: 2017-03-14T23:14:28Z
TRAFODION-2538 Revoking privileges from role not invoking query invalidation
Fixed an issue where query invalidation keys were not being sent correctly when a privilege was revoked from a role.
When a table is cached, a list of all the query invalidation keys for the user is stored. Later, when a query is run, the compiler picks the relevant keys and places them in the plan. When a revoke occurs, a key is sent to RMS and the executor processes check for keys at the next execution. If the key affects any caches, the cache entries are refreshed and plans recompiled.
Incorrect keys were being created when privileges were revoked from roles, so queries continued to work even though the user had no more privileges.
----
> Revoking privileges from role not invoking query invalidation
> -------------------------------------------------------------
>
> Key: TRAFODION-2538
> URL: https://issues.apache.org/jira/browse/TRAFODION-2538
> Project: Apache Trafodion
> Issue Type: Bug
> Components: sql-cmp, sql-security
> Reporter: Roberta Marton
> Assignee: Roberta Marton
>
> Privilege information is cached. When a revoke is performed, query
> invalidation occurs. Query invalidation sends the revoke operation to RMS
> and each executor process checks for keys. If the key affects the cache, the
> cache entry is refreshed.
> Query invalidation keys are not being created for revoke privileges from roles.
> Create a table
> create a role
> grant select, insert on table to role;
> grant role to user1.
> as user1, select and insert into table
> in another session, revoke insert from role
> user1 should no longer be able to insert
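The following added example (not code from the pull request or from Trafodion) models the mechanism described in this message: a cached plan stores the invalidation keys it relied on, a revoke publishes a key, and the executor recompiles only when a published key matches. The key layout, the class and function names, and the "wrong subject" form of the bad key are assumptions made for illustration; the message does not say how the keys were incorrect.

```python
# Simplified model of revoke-driven query invalidation (constructed example;
# the key layout and all names here are assumptions, not Trafodion's code).
from collections import namedtuple

Key = namedtuple("Key", "subject obj action")   # one invalidation key

class Engine:
    def __init__(self):
        self.role_privs = set()      # Key(role, table, priv) for each grant
        self.user_roles = {}         # user -> set of roles
        self.plans = {}              # (user, table, priv) -> keys stored in plan
        self.rms = set()             # revoke keys published to executors

    def grant(self, role, table, priv):
        self.role_privs.add(Key(role, table, priv))

    def _compile(self, user, table, priv):
        # Authorization happens at compile time; the plan keeps the keys
        # of the grants it relied on.
        keys = {Key(r, table, priv) for r in self.user_roles.get(user, ())
                if Key(r, table, priv) in self.role_privs}
        if not keys:
            raise PermissionError(f"{user} lacks {priv} on {table}")
        return keys

    def execute(self, user, table, priv):
        q = (user, table, priv)
        plan = self.plans.get(q)
        if plan is None or plan & self.rms:      # a revoke key hit this plan
            plan = self.plans[q] = self._compile(user, table, priv)
        return "ok"

    def revoke(self, role, table, priv, wrong_key=False):
        self.role_privs.discard(Key(role, table, priv))
        # wrong_key models the bug class: the published key does not match
        # what plans stored (here: wrong subject), so nothing is invalidated.
        subject = "not-the-role" if wrong_key else role
        self.rms.add(Key(subject, table, priv))

def run(wrong_key):
    e = Engine()
    e.user_roles["user1"] = {"role1"}
    e.grant("role1", "t1", "INSERT")
    e.execute("user1", "t1", "INSERT")           # compiles and caches the plan
    e.revoke("role1", "t1", "INSERT", wrong_key)
    try:
        return e.execute("user1", "t1", "INSERT")
    except PermissionError:
        return "denied"
```

A regression test for this class of defect follows the reproduction steps in the issue: execute as the grantee, revoke from the role in a second session, then assert that the next execution is denied.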