yabola commented on PR #5248: URL: https://github.com/apache/kyuubi/pull/5248#issuecomment-1715266331
> ```
> "Permission denied: user [someone] does not have [alter] privilege on [iceberg_ns/table_select_call_command_table]"
> did not contain
> "does not have [select] privilege on [iceberg_ns/table_select_call_command_table], [update] privilege on [iceberg_ns/table_select_call_command_table]"
> ```
>
> PrivilegesBuilder extracted two privilege objects for input and output. But their action types are both `PrivilegeObjectActionType.OTHER` (Possible values of PrivilegeObjectActionType are OTHER, INSERT, INSERT_OVERWRITE, UPDATE, DELETE). Therefore, RuleAuthorization would then treat them as the same privilege object, and check the `alter` privilege only.
>
> 1. It seems we could not distinguish them, by 1 for `select` on input table and 1 for `alter` on output table. cc @yaooqinn
> 2. Or let's check alter privilege only, and skip checking `select` privilege, as the same and only table used in one procedure, and no data changed by calling the procedure. @yabola

I think having a single authority is more direct and easier for people to understand.
