[ 
https://issues.apache.org/jira/browse/IMPALA-6086?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16543836#comment-16543836
 ] 

ASF subversion and git services commented on IMPALA-6086:
---------------------------------------------------------

Commit 408e0255c52edfe89585f324d372e4d8a12263ed in impala's branch 
refs/heads/master from [~zoram]
[ https://git-wip-us.apache.org/repos/asf?p=impala.git;h=408e025 ]

IMPALA-6086: Use of permanent function should require SELECT privilege
on DB

Using a permanent UDF should require at least SELECT privilege on the
database. Functions that have constant arguments get constant-folded
into string literals, losing their privilege requests in the process.

This patch saves the privilege requests found during the first phase
of query analysis, where all the objects and the privileges required
to access them are identified. The requests are added back to the
new analyzer created for re-analysis post expression rewrite.

Testing:
New FE test cases have been added to AuthorizationStmtTest.

Manual tests were also done to identify the bug, as well as to test
the fix.

Ran exhaustive and covering tests.

Change-Id: Iee70f15e4c04f7daaed9cac2400ec626e1fb0e57
Reviewed-on: http://gerrit.cloudera.org:8080/10850
Reviewed-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>


> Use of permanent function should require SELECT privilege on DB
> ---------------------------------------------------------------
>
>                 Key: IMPALA-6086
>                 URL: https://issues.apache.org/jira/browse/IMPALA-6086
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Catalog, Security
>    Affects Versions: Impala 2.9.0, Impala 3.1.0
>            Reporter: Zoram Thanga
>            Assignee: Zoram Thanga
>            Priority: Minor
>              Labels: security
>
> A user that has no privilege on a database should not be able to execute any 
> permanent functions in that database. This is currently possible, and should 
> be fixed, so that the user must have SELECT privilege to execute permanent 
> functions.



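The failure mode the commit message describes, as an added example (a simplified Python model, not Impala's code): a second analyzer created after constant folding never sees the UDF call, so its privilege request disappears unless the first pass's requests are carried over. The names `PrivilegeRequest`, `Analyzer`, `fold_constants`, `required_privileges` and `is_authorized`, and the sample database and function, are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class PrivilegeRequest:          # hypothetical stand-in, not Impala's class
    db: str
    privilege: str

@dataclass
class Analyzer:                  # hypothetical: one instance per analysis pass
    requests: set = field(default_factory=set)

    def analyze(self, expr):
        # Nodes: ("call", db, fn, args), ("lit", value), ("col", name)
        if expr[0] == "call":
            self.requests.add(PrivilegeRequest(expr[1], "SELECT"))
            for arg in expr[3]:
                self.analyze(arg)

def fold_constants(expr, udfs):
    """Replace a UDF call whose arguments are all literals with its result."""
    if expr[0] != "call":
        return expr
    args = [fold_constants(a, udfs) for a in expr[3]]
    if all(a[0] == "lit" for a in args):
        return ("lit", udfs[(expr[1], expr[2])](*(a[1] for a in args)))
    return ("call", expr[1], expr[2], args)

def required_privileges(expr, udfs, carry_requests):
    first = Analyzer()
    first.analyze(expr)                      # phase 1: every object is still visible
    rewritten = fold_constants(expr, udfs)
    if rewritten == expr:
        return first.requests
    second = Analyzer()                      # fresh analyzer for re-analysis
    if carry_requests:                       # behaviour the commit message describes
        second.requests |= first.requests
    second.analyze(rewritten)                # the folded literal requests nothing
    return second.requests

def is_authorized(expr, udfs, grants, carry_requests):
    return required_privileges(expr, udfs, carry_requests) <= grants

# Constructed sample data
UDFS = {("secure_db", "mask"): lambda s: "*" * len(s)}
CONST_CALL = ("call", "secure_db", "mask", [("lit", "secret")])
COLUMN_CALL = ("call", "secure_db", "mask", [("col", "t.name")])
```

With `carry_requests=False` a user holding no grants passes the check for `CONST_CALL` but not for `COLUMN_CALL`, which is why the gap only shows up with constant arguments.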