David Wayne Birdsall created TRAFODION-2599:
-----------------------------------------------
Summary: Restrict who can do EXPLAIN
Key: TRAFODION-2599
URL: https://issues.apache.org/jira/browse/TRAFODION-2599
Project: Apache Trafodion
Issue Type: Improvement
Components: sql-cmp
Affects Versions: any
Reporter: David Wayne Birdsall
JIRA TRAFODION-2294 will fix a security hole in EXPLAIN: One can do an EXPLAIN
of a query, then execute the query because EXPLAIN places the compiled plan in
the query cache. Executing the query finds the cached plan which bypasses the
query cache.
With the fix to that JIRA, anyone will still be able to do an EXPLAIN, but
privileges will always be checked before actually executing the query.
But it is fair to ask: Should anyone be able to do EXPLAIN? An advantage of the
current situation is that a performance analyst can look at query plans without
having access to the data. But query plans do contain some statistical data
which may make a determined hacker able to deduce things about the underlying
data which they cannot directly see.
So, perhaps the ability to do EXPLAIN should itself be a privileged operation.
Perhaps there should be a separate EXPLAIN privilege, either a global privilege
or perhaps on individual tables. A person would be able to do EXPLAIN if they
hold that privilege or if they hold SELECT privilege on the underlying tables.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
