[
https://issues.apache.org/jira/browse/SENTRY-848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14712051#comment-14712051
]
Anne Yu commented on SENTRY-848:
--------------------------------
Even only with column level privileges, user can run "DESCRIBE FORMATTED
test_tb" and "DESCRIBE FORMATTED test_tb.s", even if it might expose some
columns user doesn't have privileges.
> [column level privilege] DESCRIBE FORMATTED test_tb.s requires table level
> privilege
> ------------------------------------------------------------------------------------
>
> Key: SENTRY-848
> URL: https://issues.apache.org/jira/browse/SENTRY-848
> Project: Sentry
> Issue Type: Bug
> Affects Versions: 1.5.1
> Reporter: Anne Yu
>
> {code}
> create table test_tb(s string, i int);
> grant select(s) on table test_tb to role test_role;
> grant role test_role to group test_user;
> {code}
> use test_user to login,
> {code}
> describe formatted test_tb s;
> Error: Error while compiling statement: FAILED: SemanticException No valid
> privileges
> Required privileges for this query:
> Server=server1->Db=test_db->Table=test_tb->action=insert;Server=server1->Db=test_db->Table=test_tb->action=select;
> (state=42000,code=40000)
> {code}
> How about describe [formatted] test_tb; do we allow test_user to list his
> permitted columns? for example,
> +-----------+------------+----------+--+
> | col_name | data_type | comment |
> +-----------+------------+----------+--+
> | s | string | |
> +-----------+------------+----------+--+
> 2 rows selected (0.167 seconds)
> However "ANALYZE TABLE test_tb COMPUTE STATISTICS FOR COLUMNS s" is allowed
> for test_user.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
