[jira] [Updated] (RANGER-4635) create temporary table via "LIKE" cmd need revisit

Mon, 08 Jan 2024 07:50:04 -0800 


     [ 
https://issues.apache.org/jira/browse/RANGER-4635?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kundan Kumar Jha updated RANGER-4635:
-------------------------------------
    Description: Creating temporary table via "Like" cmd is violating auth 
principles.  (was: *PROBLEM STATEMENT:*
Users which don't have access on any resource can able to create a temporary 
table using"LIKE" statement with same schema as another table and extract 
schema info of non accessible table.

*STEPS TO REPRODUCE:*
1. Delete all the policies in ranger.

2. Then give all access(*, *, *) to "hive" and "user_1" via hive policy.

3. Then create a database a_db and a table a_db.a_table with schema using user 
user_1:
{code:java}
+-----------+------------+----------+
| col_name  | data_type  | comment  |
+-----------+------------+----------+
| id        | int        |          |
| name      | string     |          |
+-----------+------------+----------+ {code}
4. Then kinit as user_2 user(which don't have access to any resource) and 
create a temporary table like a_db.a_table using following cmd:
{code:java}
create temporary table temp_t like a_db.a_table; {code}
5. Then run following cmd to describe temporary table temp_t:
{code:java}
desc temp_t;{code}
output:
{code:java}
+-----------+------------+----------+
| col_name  | data_type  | comment  |
+-----------+------------+----------+
| id        | int        |          |
| name      | string     |          |
+-----------+------------+----------+ {code}
*CURRENT BEHAVIOUR:*

The temp table "temp_t" got created successfully with same schema as "a_table" 
and the user user_2 with no access can able to view the schema of a non 
accessible table.

*EXPECTED BEHAVIOUR:*
The user which doesn't have access on a table should not able to create a 
temporary table with it using "LIKE" query.

*OCCURRENCE:*
manual testing 

*IMPACT:*
User can access the schema of a non accessible table.)

> create temporary table via "LIKE" cmd need revisit
> --------------------------------------------------
>
>                 Key: RANGER-4635
>                 URL: https://issues.apache.org/jira/browse/RANGER-4635
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Kundan Kumar Jha
>            Priority: Major
>
> Creating temporary table via "Like" cmd is violating auth principles.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to