[ https://issues.apache.org/jira/browse/TRAFODION-2441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15864658#comment-15864658 ]
ASF GitHub Bot commented on TRAFODION-2441: ------------------------------------------- GitHub user robertamarton opened a pull request: https://github.com/apache/incubator-trafodion/pull/957 TRAFODION-2441 user has only select privilege on a table can do ... TRAFODION-2409 support privilege control(column privileges) for hive tables TRAFODION-2423 any user can perform 'initialize trafodion, drop' TRAFODION-2435 Any user can perform TRUNCATE on native Hive tables. TRAFODION-2463 Hive: Any user can do update statistics for hive tables Fixed issues found while testing privileges with native Hive. TRAFODION-2441: changed code that initializes owner privileges for views. TRAFODION-2409: returning error message 1328 during attempt to grant unsupported column level privilege on hive table. TRAFODION 2423: added privilege checks for all initialize commands, error 1017 is returned if not DB__ROOT TRAFODION-2435: Returning error 1051 if TRUNCATE is attempted on a hive table where the current user has no privilege TRAFODION-2463: Privilege checks added for Hive table during update statistics You can merge this pull request into a Git repository by running: $ git pull https://github.com/robertamarton/incubator-trafodion jira-2409 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/incubator-trafodion/pull/957.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #957 ---- commit db14e3922cb2d0722d0885f5c248cac2af2b904d Author: Roberta Marton <rmarton@edev07.esgyn.local> Date: 2017-02-13T23:20:54Z TRAFODION-2441 user has only select privilege on a table can do ... TRAFODION-2409 support privilege control(column privileges) for hive tables TRAFODION-2423 any user can perform 'initialize trafodion, drop' TRAFODION-2435 Any user can perform TRUNCATE on native Hive tables. TRAFODION-2463 Hive: Any user can do update statistics for hive tables Fixed issues found while testing privileges with native Hive. TRAFODION-2441: changed code that initializes owner privileges for views. TRAFODION-2409: returning error message 1328 during attempt to grant unsupported column level privilege on hive table. TRAFODION 2423: added privilege checks for all initialize commands, error 1017 is returned if not DB__ROOT TRAFODION-2435: Returning error 1051 if TRUNCATE is attempted on a hive table where the current user has no privilege TRAFODION-2463: Privilege checks added for Hive table during update statistics ---- > user has only select privilege on a table can do insert/update/delete on the > view > --------------------------------------------------------------------------------- > > Key: TRAFODION-2441 > URL: https://issues.apache.org/jira/browse/TRAFODION-2441 > Project: Apache Trafodion > Issue Type: Bug > Components: sql-security > Affects Versions: 2.2-incubating > Environment: hadoop - CDH 5.6 > OS -- CentOS 6.7 > Reporter: Gao, Rui-Xian > Assignee: Roberta Marton > > a user has only select privilege on the table can do insert/update/delete on > the view, then data in base table also get inserted/updated/deleted > Reproduce Steps > ======================================= > 1. connect as trafodion -- > create table testtab1(a int, b int); > select * from testtab1; > grant select on testtab1 to qauser_sqlqaa; > showddl testtab1; > 2. connect as qauser_sqlqaa -- > select * from testtab1; > create view v_tab1 as select * from testtab1; > showddl v_tab1; > insert into v_tab1 values(1,1); > select * from v_tab1; > select * from testtab1; > delete from testtab1; > delete from v_tab1; > select * from testtab1; > Test OutPut > ======================================== > User Name: trafodion > Password: > Role Name [Primary Role]: > Connected to EsgynDB Advanced > SQL>create table testtab1(a int, b int); > --- SQL operation complete. > SQL>select * from testtab1; > --- 0 row(s) selected. > SQL>grant select on testtab1 to qauser_sqlqaa; > --- SQL operation complete. > SQL>showddl testtab1; > CREATE TABLE TRAFODION.SEABASE.TESTTAB1 > ( > A INT DEFAULT NULL NOT SERIALIZED > , B INT DEFAULT NULL NOT SERIALIZED > ) > ATTRIBUTES ALIGNED FORMAT > ; > -- GRANT SELECT, INSERT, DELETE, UPDATE, REFERENCES ON > TRAFODION.SEABASE.TESTTAB1 TO DB__ROOT WITH GRANT OPTION; > GRANT SELECT ON TRAFODION.SEABASE.TESTTAB1 TO QAUSER_SQLQAA; > --- SQL operation complete. > SQL>connect qauser_sqlqaa/QAPassword; > Connected to EsgynDB Advanced > SQL>select * from testtab1; > --- 0 row(s) selected. > SQL>create view v_tab1 as select * from testtab1; > --- SQL operation complete. > SQL>showddl v_tab1; // user only has SELECT privilege on the view > CREATE VIEW TRAFODION.SEABASE.V_TAB1 AS > SELECT TRAFODION.SEABASE.TESTTAB1.A, TRAFODION.SEABASE.TESTTAB1.B FROM > TRAFODION.SEABASE.TESTTAB1 ; > -- GRANT SELECT ON TRAFODION.SEABASE.V_TAB1 TO QAUSER_SQLQAA; > --- SQL operation complete. > SQL>insert into v_tab1 values(1,1); // user can insert data into view > --- 1 row(s) inserted. > SQL>select * from v_tab1; > A B > ----------- ----------- > 1 1 > --- 1 row(s) selected. > SQL>select * from testtab1; // data in base table > A B > ----------- ----------- > 1 1 > --- 1 row(s) selected. > SQL>delete from testtab1; // expected, user doesn’t have privilege to delete > data from base table > *** ERROR[4481] The user does not have DELETE privilege on table or view > TRAFODION.SEABASE.TESTTAB1. [2017-01-12 10:39:11] > SQL>delete from v_tab1; // user doesn’t have delete privilege but can delete > data from the view > --- 1 row(s) deleted. > SQL>select * from testtab1; // data in base table got deleted > --- 0 row(s) selected. -- This message was sent by Atlassian JIRA (v6.3.15#6346)