[ 
https://issues.apache.org/jira/browse/TRAFODION-1856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15172664#comment-15172664
 ] 

ASF GitHub Bot commented on TRAFODION-1856:
-------------------------------------------

Github user DaveBirdsall commented on a diff in the pull request:

    https://github.com/apache/incubator-trafodion/pull/349#discussion_r54483042
  
    --- Diff: core/sql/sqlcomp/PrivMgrMD.h ---
    @@ -110,12 +106,35 @@ typedef struct {
     
     } ViewUsage;
     
    -typedef struct {
    +// -----------------------------------------------------------------------
    +// Class definitions
    +// -----------------------------------------------------------------------
    +class ObjectReference
    +{
    +  public:
    +
    +  ObjectReference()
    +  : objectUID(0),
    +    objectOwner(NA_UserIdDefault),
    +    objectType(COM_UNKNOWN_OBJECT),
    +    columnReferences(NULL),
    +    updatedPrivs()
    +  {}
    +    
    +  virtual ~ObjectReference ( void )
    +  {
    +    while(!columnReferences->empty())
    +      delete columnReferences->back(), columnReferences->pop_back();
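
Review bot: In `~ObjectReference`, `columnReferences->empty()` dereferences the pointer with no null check, yet the default constructor in this same hunk initializes `columnReferences(NULL)`, so destroying a default-constructed object dereferences a null pointer. Guard the loop with `if (columnReferences != NULL)`, and consider writing the loop body in braces as two statements instead of `delete columnReferences->back(), columnReferences->pop_back();` so the delete-then-pop order is explicit to the next reader.
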
    --- End diff --
    
    Unusual coding technique (comma expression). Allows you to save some braces.


> Revoke - object and column privilege checks not integrated for constraints
> --------------------------------------------------------------------------
>
>                 Key: TRAFODION-1856
>                 URL: https://issues.apache.org/jira/browse/TRAFODION-1856
>             Project: Apache Trafodion
>          Issue Type: Bug
>          Components: sql-security
>            Reporter: Roberta Marton
>            Assignee: Roberta Marton
>
> Today, when revoking the object REFERENCES privilege, the revoke fails if there
> are any RI constraints that require the privilege.  However, there may be column
> level privileges that exist that would still allow the constraint to be present.
> Conversely, when revoking column REFERENCES privilege, the revoke does not
> check to see if REFERENCES privilege has been granted at the object level.
> In fact, the revoke operation does not check for dependencies on constraints
> correctly.
> For example:
>  user1:
>   create table dept( dept_no int not null primary key, dept_name char(50));
>   grant references on table dept to user2;
>   grant references(dept_no) on table dept to user2;
>  user2:
>   create table empl(empl_no int not null primary key, dept_no int not null);
>   alter table empl add constraint empl_dept
>     foreign key (dept_no) references dept;
> user1 should be able to "revoke references on table dept from user2" because
> user2 still has the references privileges on column dept_no.  Vice versa, user1
> should be able to "revoke references(dept_no) on dept from user2" because user2
> still has the references privilege on table dept.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
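
The integrated check the issue description asks for, as an added example that is not Trafodion's PrivMgr code: a revoke of REFERENCES is applied to a copy of the grantee's privileges and refused only if some dependent constraint is then covered by neither the object-level nor the column-level grant. The `Grants` type and the `covered`, `revokeReferences` and `scenario` functions are hypothetical names, and the scenario data is constructed from the dept/empl example above.

```cpp
#include <set>
#include <string>
#include <vector>

// Hypothetical model of one grantee's REFERENCES privileges on one table.
struct Grants {
  bool objectLevel;                    // GRANT REFERENCES ON TABLE t
  std::set<std::string> columnLevel;   // GRANT REFERENCES(col) ON TABLE t
};

// Columns of the referenced table that one RI constraint depends on.
using Constraint = std::vector<std::string>;

// A constraint stays valid if the object-level privilege covers it, or if
// every referenced column is individually covered at column level.
bool covered(const Grants &g, const Constraint &c) {
  if (g.objectLevel) return true;
  for (const auto &col : c)
    if (!g.columnLevel.count(col)) return false;
  return true;
}

// Revoke object-level REFERENCES (empty column) or one column's REFERENCES.
// The revoke is tried on a copy and rejected if any dependent constraint
// would be left without coverage at either level.
bool revokeReferences(Grants &g, const std::string &column,
                      const std::vector<Constraint> &dependents) {
  Grants after = g;
  if (column.empty()) after.objectLevel = false;
  else after.columnLevel.erase(column);
  for (const auto &c : dependents)
    if (!covered(after, c)) return false;   // dependency remains: refuse
  g = after;
  return true;
}

// Constructed scenario: user2 holds both grants on dept and owns constraint
// empl_dept, which references dept(dept_no). Revokes run in either order.
bool scenario(bool objectFirst) {
  Grants user2{true, {"dept_no"}};
  std::vector<Constraint> deps{Constraint{"dept_no"}};
  bool first = revokeReferences(user2, objectFirst ? "" : "dept_no", deps);
  bool second = revokeReferences(user2, objectFirst ? "dept_no" : "", deps);
  return first && !second;   // first revoke allowed, the last one refused
}

int main() { return (scenario(true) && scenario(false)) ? 0 : 1; }
```

In either order the first revoke succeeds because the other level still covers `dept_no`, and the second is refused because it would leave `empl_dept` with no REFERENCES privilege at all.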
