[jira] [Commented] (SENTRY-2264) It is possible to elevate privileges from DROP using alter table rename

Mon, 25 Jun 2018 21:23:56 -0700 


    [ 
https://issues.apache.org/jira/browse/SENTRY-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16523163#comment-16523163
 ] 

Na Li commented on SENTRY-2264:
-------------------------------

[~spena] The ALL privilege will be required for source table to avoid elevating 
privilege when renaming table cross databases. Only create privilege is 
required on destination database.

Can we handle owner privilege related issue in another jira? This one focuses 
on tighten privilege requirement for source table for table rename.






> It is possible to elevate privileges from DROP using alter table rename
> -----------------------------------------------------------------------
>
>                 Key: SENTRY-2264
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2264
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: Na Li
>            Assignee: Na Li
>            Priority: Major
>         Attachments: SENTRY-2264.001.patch, SENTRY-2264.002.patch, 
> SENTRY-2264.003.patch, SENTRY-2264.004.patch
>
>
> After introducing FGP, a user with only DROP on a database db1 and at least 
> CREATE on db2 can run ALTER TABLE RENAME db1.table1 db2.table2, and thus 
> elevate their privileges.
> To reproduce:
> As admin (e.g. hive):
> 1. Create db1, db1.table1, db2, role r1.
> 2. Grant DROP on db1 to role r1.
> 3. Grant ALL on db2 to role r1
> 4. Grant role r1 to user testuser1.
> As testuser1:
> 1. use db1; alter table db1.table1 rename to db2.table1
> 2. select * from db2. table1
> Result: the select command succeeds.
> Desired behavior:
> we should at least require following privileges to execute the table rename 
> command:
> table level "ALL" at source
> database level "CREATE" at destination.
> The reason we don't require "alter, insert" for destination DB is that 
> "alter" and "insert" is table level privileges and when "alter table rename" 
> command is executed, there is no table in destination DB. So we cannot 
> enforce these table level privileges. Therefore the only change is add 
> table-level "ALL" privilege in required input privileges to avoid elevate 
> privilege by moving table cross DB



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to