[jira] [Updated] (CASSANDRA-13053) GRANT/REVOKE on table without keyspace performs permissions check incorrectly
[ https://issues.apache.org/jira/browse/CASSANDRA-13053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Aleksey Yeschenko updated CASSANDRA-13053: -- Fix Version/s: (was: 3.11.x) (was: 3.0.x) (was: 2.2.x) 3.11.0 3.0.13 2.2.10 > GRANT/REVOKE on table without keyspace performs permissions check incorrectly > - > > Key: CASSANDRA-13053 > URL: https://issues.apache.org/jira/browse/CASSANDRA-13053 > Project: Cassandra > Issue Type: Bug > Components: CQL >Reporter: Sam Tunnicliffe >Assignee: Aleksey Yeschenko >Priority: Minor > Fix For: 2.2.10, 3.0.13, 3.11.0 > > > When a {{GRANT}} or {{REVOKE}} statement is executed on a table without > specifying the keyspace, we attempt to use the client session's keyspace to > qualify the resource. > This is done when validating the statement, which occurs after checking that > the user executing the statement has sufficient permissions. This means that > the permissions checking uses an incorrect resource, namely a table with a > null keyspace. If that user is a superuser, then no error is encountered as > superuser privs implicitly grants *all* permissions. If the user is not a > superuser, then the {{GRANT}} or {{REVOKE}} fails with an ugly error, > regardless of which keyspace the client session is bound to: > {code} > Unauthorized: Error from server: code=2100 [Unauthorized] message="User admin > has no AUTHORIZE permission on or any of its parents" > {code} -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Updated] (CASSANDRA-13053) GRANT/REVOKE on table without keyspace performs permissions check incorrectly
[ https://issues.apache.org/jira/browse/CASSANDRA-13053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Aleksey Yeschenko updated CASSANDRA-13053: -- Resolution: Fixed Reproduced In: 3.10, 3.0.11, 2.2.9 (was: 2.2.9, 3.0.11, 3.10) Status: Resolved (was: Ready to Commit) > GRANT/REVOKE on table without keyspace performs permissions check incorrectly > - > > Key: CASSANDRA-13053 > URL: https://issues.apache.org/jira/browse/CASSANDRA-13053 > Project: Cassandra > Issue Type: Bug > Components: CQL >Reporter: Sam Tunnicliffe >Assignee: Aleksey Yeschenko >Priority: Minor > Fix For: 2.2.x, 3.0.x, 3.11.x > > > When a {{GRANT}} or {{REVOKE}} statement is executed on a table without > specifying the keyspace, we attempt to use the client session's keyspace to > qualify the resource. > This is done when validating the statement, which occurs after checking that > the user executing the statement has sufficient permissions. This means that > the permissions checking uses an incorrect resource, namely a table with a > null keyspace. If that user is a superuser, then no error is encountered as > superuser privs implicitly grants *all* permissions. If the user is not a > superuser, then the {{GRANT}} or {{REVOKE}} fails with an ugly error, > regardless of which keyspace the client session is bound to: > {code} > Unauthorized: Error from server: code=2100 [Unauthorized] message="User admin > has no AUTHORIZE permission on or any of its parents" > {code} -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Updated] (CASSANDRA-13053) GRANT/REVOKE on table without keyspace performs permissions check incorrectly
[ https://issues.apache.org/jira/browse/CASSANDRA-13053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sam Tunnicliffe updated CASSANDRA-13053: Status: Ready to Commit (was: Patch Available) > GRANT/REVOKE on table without keyspace performs permissions check incorrectly > - > > Key: CASSANDRA-13053 > URL: https://issues.apache.org/jira/browse/CASSANDRA-13053 > Project: Cassandra > Issue Type: Bug > Components: CQL >Reporter: Sam Tunnicliffe >Assignee: Aleksey Yeschenko >Priority: Minor > Fix For: 2.2.x, 3.0.x, 3.11.x > > > When a {{GRANT}} or {{REVOKE}} statement is executed on a table without > specifying the keyspace, we attempt to use the client session's keyspace to > qualify the resource. > This is done when validating the statement, which occurs after checking that > the user executing the statement has sufficient permissions. This means that > the permissions checking uses an incorrect resource, namely a table with a > null keyspace. If that user is a superuser, then no error is encountered as > superuser privs implicitly grants *all* permissions. If the user is not a > superuser, then the {{GRANT}} or {{REVOKE}} fails with an ugly error, > regardless of which keyspace the client session is bound to: > {code} > Unauthorized: Error from server: code=2100 [Unauthorized] message="User admin > has no AUTHORIZE permission on or any of its parents" > {code} -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Updated] (CASSANDRA-13053) GRANT/REVOKE on table without keyspace performs permissions check incorrectly
[ https://issues.apache.org/jira/browse/CASSANDRA-13053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Aleksey Yeschenko updated CASSANDRA-13053: -- Reviewer: Sam Tunnicliffe Reproduced In: 3.10, 3.0.11, 2.2.9 (was: 2.2.9, 3.0.11, 3.10) Status: Patch Available (was: In Progress) > GRANT/REVOKE on table without keyspace performs permissions check incorrectly > - > > Key: CASSANDRA-13053 > URL: https://issues.apache.org/jira/browse/CASSANDRA-13053 > Project: Cassandra > Issue Type: Bug > Components: CQL >Reporter: Sam Tunnicliffe >Assignee: Aleksey Yeschenko >Priority: Minor > Fix For: 2.2.x, 3.0.x, 3.11.x > > > When a {{GRANT}} or {{REVOKE}} statement is executed on a table without > specifying the keyspace, we attempt to use the client session's keyspace to > qualify the resource. > This is done when validating the statement, which occurs after checking that > the user executing the statement has sufficient permissions. This means that > the permissions checking uses an incorrect resource, namely a table with a > null keyspace. If that user is a superuser, then no error is encountered as > superuser privs implicitly grants *all* permissions. If the user is not a > superuser, then the {{GRANT}} or {{REVOKE}} fails with an ugly error, > regardless of which keyspace the client session is bound to: > {code} > Unauthorized: Error from server: code=2100 [Unauthorized] message="User admin > has no AUTHORIZE permission on or any of its parents" > {code} -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Updated] (CASSANDRA-13053) GRANT/REVOKE on table without keyspace performs permissions check incorrectly
[ https://issues.apache.org/jira/browse/CASSANDRA-13053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Aleksey Yeschenko updated CASSANDRA-13053: -- Priority: Minor (was: Major) > GRANT/REVOKE on table without keyspace performs permissions check incorrectly > - > > Key: CASSANDRA-13053 > URL: https://issues.apache.org/jira/browse/CASSANDRA-13053 > Project: Cassandra > Issue Type: Bug > Components: CQL >Reporter: Sam Tunnicliffe >Assignee: Aleksey Yeschenko >Priority: Minor > Fix For: 2.2.x, 3.0.x, 3.11.x > > > When a {{GRANT}} or {{REVOKE}} statement is executed on a table without > specifying the keyspace, we attempt to use the client session's keyspace to > qualify the resource. > This is done when validating the statement, which occurs after checking that > the user executing the statement has sufficient permissions. This means that > the permissions checking uses an incorrect resource, namely a table with a > null keyspace. If that user is a superuser, then no error is encountered as > superuser privs implicitly grants *all* permissions. If the user is not a > superuser, then the {{GRANT}} or {{REVOKE}} fails with an ugly error, > regardless of which keyspace the client session is bound to: > {code} > Unauthorized: Error from server: code=2100 [Unauthorized] message="User admin > has no AUTHORIZE permission on or any of its parents" > {code} -- This message was sent by Atlassian JIRA (v6.3.15#6346)