[
https://issues.apache.org/jira/browse/SENTRY-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Na Li updated SENTRY-2264:
--------------------------
Attachment: SENTRY-2264.004.patch
> It is possible to elevate privileges from DROP using alter table rename
> -----------------------------------------------------------------------
>
> Key: SENTRY-2264
> URL: https://issues.apache.org/jira/browse/SENTRY-2264
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
> Affects Versions: 2.1.0
> Reporter: Na Li
> Assignee: Na Li
> Priority: Major
> Attachments: SENTRY-2264.001.patch, SENTRY-2264.002.patch,
> SENTRY-2264.003.patch, SENTRY-2264.004.patch
>
>
> After introducing FGP, a user with only DROP on a database db1 and at least
> CREATE on db2 can run ALTER TABLE RENAME db1.table1 db2.table2, and thus
> elevate their privileges.
> To reproduce:
> As admin (e.g. hive):
> 1. Create db1, db1.table1, db2, role r1.
> 2. Grant DROP on db1 to role r1.
> 3. Grant ALL on db2 to role r1
> 4. Grant role r1 to user testuser1.
> As testuser1:
> 1. use db1; alter table db1.table1 rename to db2.table1
> 2. select * from db2. table1
> Result: the select command succeeds.
> Desired behavior:
> we should at least require following privileges to execute the table rename
> command:
> table level "ALL" at source
> database level "CREATE" at destination.
> The reason we don't require "alter, insert" for destination DB is that
> "alter" and "insert" is table level privileges and when "alter table rename"
> command is executed, there is no table in destination DB. So we cannot
> enforce these table level privileges. Therefore the only change is add
> table-level "ALL" privilege in required input privileges to avoid elevate
> privilege by moving table cross DB
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
