orbisai0security commented on PR #40454: URL: https://github.com/apache/superset/pull/40454#issuecomment-4701231688
Thanks for the consistent feedback across both #39646 and this PR; the threat model reasoning is clear. I aim to meet the bar you've set.

Before I invest time auditing the capability matrix, a quick clarifying question: for the Impala cancel_query path specifically, the host comes from query.database.url_object.host, and the trigger is POST /api/v1/query/stop. Is can_stop_query gated exclusively to Alpha/Admin roles, or can a Gamma/sql_lab user stop their own queries?

If a Gamma user can call /api/v1/query/stop on a query tied to a database whose host an admin configured, the Gamma user doesn't control the host. Still, they're the ones whose action fires the outbound request to wherever the admin pointed it. I want to understand whether that scenario (unprivileged trigger, privileged-configured host) counts as crossing a privilege boundary in your model, or whether the host having been set by a trusted principal is sufficient to close it.

If the answer is that the trigger must also be unprivileged-controllable, I'll audit the stop-query permission chain and come back with specifics.
