[I] [Bug] [AUTHZ]ALTER operation to change the table name don't require any permission [kyuubi]

Wed, 23 Apr 2025 05:32:25 -0700 


baotran306 opened a new issue, #7040:
URL: https://github.com/apache/kyuubi/issues/7040

   ### Code of Conduct
   
   - [x] I agree to follow this project's [Code of 
Conduct](https://www.apache.org/foundation/policies/conduct)
   
   
   ### Search before asking
   
   - [x] I have searched in the 
[issues](https://github.com/apache/kyuubi/issues?q=is%3Aissue) and found no 
similar issues.
   
   
   ### Describe the bug
   
   Describe the bug
   I'm using Iceberg table version 1.7.2 and try to rename table using `ALTER 
TABLE t1 rename to t2`
   
   
   In my current situation, despite having revoked all my permissions, I am 
still able to change my table name using the `ALTER TABLE RENAME` command. 
Furthermore, I can even move a table from one schema to another using a command 
like `ALTER TABLE schema_a.my_table RENAME TO schema_bb.my_table` without any 
apparent permissions.
   
   I try to another ALTER TABLE command, for example `ALTER TABLE ADD COLUMNS` 
and it deny my command as our expectation. 
   
   **However, the `ALTER TABLE RENAME` command appears to run regardless of 
whether the user has the ALTER permission or not. I believe this constitutes a 
critical security or data governance issue.**
   
   What happens here?
   
   ### Affects Version(s)
   
   v1.8.3
   
   ### Kyuubi Server Log Output
   
   ```logtalk
   
   ```
   
   ### Kyuubi Engine Log Output
   
   ```logtalk
   
   ```
   
   ### Kyuubi Server Configurations
   
   ```yaml
   
   ```
   
   ### Kyuubi Engine Configurations
   
   ```yaml
   
   ```
   
   ### Additional context
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes. I would be willing to submit a PR with guidance from the Kyuubi 
community to fix.
   - [x] No. I cannot submit a PR at this time.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@kyuubi.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscr...@kyuubi.apache.org
For additional commands, e-mail: notifications-h...@kyuubi.apache.org

Reply via email to