[ https://issues.apache.org/jira/browse/RANGER-4635?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kundan Kumar Jha updated RANGER-4635: ------------------------------------- Description: Creating temporary table via "Like" cmd is violating auth principles. (was: *PROBLEM STATEMENT:* Users which don't have access on any resource can able to create a temporary table using"LIKE" statement with same schema as another table and extract schema info of non accessible table. *STEPS TO REPRODUCE:* 1. Delete all the policies in ranger. 2. Then give all access(*, *, *) to "hive" and "user_1" via hive policy. 3. Then create a database a_db and a table a_db.a_table with schema using user user_1: {code:java} +-----------+------------+----------+ | col_name | data_type | comment | +-----------+------------+----------+ | id | int | | | name | string | | +-----------+------------+----------+ {code} 4. Then kinit as user_2 user(which don't have access to any resource) and create a temporary table like a_db.a_table using following cmd: {code:java} create temporary table temp_t like a_db.a_table; {code} 5. Then run following cmd to describe temporary table temp_t: {code:java} desc temp_t;{code} output: {code:java} +-----------+------------+----------+ | col_name | data_type | comment | +-----------+------------+----------+ | id | int | | | name | string | | +-----------+------------+----------+ {code} *CURRENT BEHAVIOUR:* The temp table "temp_t" got created successfully with same schema as "a_table" and the user user_2 with no access can able to view the schema of a non accessible table. *EXPECTED BEHAVIOUR:* The user which doesn't have access on a table should not able to create a temporary table with it using "LIKE" query. *OCCURRENCE:* manual testing *IMPACT:* User can access the schema of a non accessible table.) > create temporary table via "LIKE" cmd need revisit > -------------------------------------------------- > > Key: RANGER-4635 > URL: https://issues.apache.org/jira/browse/RANGER-4635 > Project: Ranger > Issue Type: Bug > Components: Ranger > Reporter: Kundan Kumar Jha > Priority: Major > > Creating temporary table via "Like" cmd is violating auth principles. -- This message was sent by Atlassian Jira (v8.20.10#820010)