Na Li created SENTRY-2264: ----------------------------- Summary: It is possible to elevate privileges from DROP using alter table rename Key: SENTRY-2264 URL: https://issues.apache.org/jira/browse/SENTRY-2264 Project: Sentry Issue Type: Bug Components: Sentry Affects Versions: 2.1.0 Reporter: Na Li Assignee: Na Li
After introducing FGP, a user with only DROP on a database db1 and at least CREATE on db2 can run ALTER TABLE RENAME db1.table1 db2.table2, and thus elevate their privileges. To reproduce: As admin (e.g. hive): 1. Create db1, db1.table1, db2, role r1. 2. Grant DROP on db1 to role r1. 3. Grant ALL on db2 to role r1 4. Grant role r1 to user testuser1. As testuser1: 1. use db1; alter table db1.table1 rename to db2.table1 2. select * from db2. table1 Result: the select command succeeds. Desired behavior: we should at least require following privileges to execute the table rename command: table level "SELECT" and database level "DELECT" at source database level "CREATE, INSERT, ALTER" at destination. -- This message was sent by Atlassian JIRA (v7.6.3#76005)