bowenliang123 commented on PR #5248:
URL: https://github.com/apache/kyuubi/pull/5248#issuecomment-1715180061
"Permission denied: user [someone] does not have [alter] privilege on
[iceberg_ns/table_select_call_command_table]"
did not contain
"does not have [select] privilege on
[iceberg_ns/table_select_call_command_table], [update] privilege on
[iceberg_ns/table_select_call_command_table]"
PrivilegesBuilder extracted two privilege objects for input and output.
But their action types are both `PrivilegeObjectActionType.OTHER` (possible
values of PrivilegeObjectActionType are OTHER, INSERT, INSERT_OVERWRITE, UPDATE,
DELETE).
Therefore, RuleAuthorization would then treat them as the same privilege
object, and check the `alter` privilege only.
1. It seems we could not distinguish them, by 1 for `select` on the input table
and 1 for `alter` on the output table. cc @yaooqinn
2. Or let's check the `alter` privilege only, and skip checking the `select`
privilege, as the same and only table is used in one procedure. @yabola
--
This is an automated message from the Apache Git Service.