[ https://issues.apache.org/jira/browse/TRAFODION-2538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15925230#comment-15925230 ]
ASF GitHub Bot commented on TRAFODION-2538:
-------------------------------------------

GitHub user robertamarton opened a pull request:

    https://github.com/apache/incubator-trafodion/pull/1010

    TRAFODION-2538 Revoking privileges from role not invoking query inval…

    …idation

    Fixed an issue where query invalidation keys were not being sent correctly
    when a privilege was revoked from a role.

    When a table is cached, a list of all the query invalidation keys for the
    user is stored. Later, when a query is run, the compiler picks the relevant
    keys and places them in the plan. When a revoke occurs, a key is sent to RMS
    and the executor processes check for keys at the next execution. If the key
    affects any caches, the cache entries are refreshed and plans recompiled.

    Incorrect keys were being created when privileges were revoked from roles,
    so queries continued to work even though the user had no more privileges.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/robertamarton/incubator-trafodion rroleprivs

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-trafodion/pull/1010.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1010

----
commit a78064b89afce13e12cc70024ca110b17b68c792
Author: Roberta Marton <rmarton@edev07.esgyn.local>
Date:   2017-03-14T23:14:28Z

    TRAFODION-2538 Revoking privileges from role not invoking query invalidation

    Fixed an issue where query invalidation keys were not being sent correctly
    when a privilege was revoked from a role.

    When a table is cached, a list of all the query invalidation keys for the
    user is stored. Later, when a query is run, the compiler picks the relevant
    keys and places them in the plan. When a revoke occurs, a key is sent to RMS
    and the executor processes check for keys at the next execution. If the key
    affects any caches, the cache entries are refreshed and plans recompiled.

    Incorrect keys were being created when privileges were revoked from roles,
    so queries continued to work even though the user had no more privileges.

----

> Revoking privileges from role not invoking query invalidation
> -------------------------------------------------------------
>
>                 Key: TRAFODION-2538
>                 URL: https://issues.apache.org/jira/browse/TRAFODION-2538
>             Project: Apache Trafodion
>          Issue Type: Bug
>          Components: sql-cmp, sql-security
>            Reporter: Roberta Marton
>            Assignee: Roberta Marton
>
> Privilege information is cached. When a revoke is performed, query
> invalidation occurs. Query invalidation sends the revoke operation to RMS
> and each executor process checks for keys. If the key affects the cache, the
> cache entry is refreshed.
> Query invalidation keys are not being created for revoking privileges from roles.
> Create a table
> create a role
> grant select, insert on table to role;
> grant role to user1.
> as user1, select and insert into table
> in another session, revoke insert from role
> user1 should no longer be able to insert
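
The failure mode described in this issue, as an added example that is not Trafodion code and is not part of the original message: a simplified Python model of a plan cache that checks privileges only at compile time and relies on revoke keys to evict stale plans. The key shape, class names and the "no-such-grantee" stand-in for an incorrect key are assumptions; the page does not say how the real keys were wrong.

```python
# Simplified model of privilege-based plan invalidation (constructed, not Trafodion code).
from collections import namedtuple

# Assumed key shape: who held the privilege, on what object, which privilege.
Key = namedtuple("Key", "grantee obj priv")

class Catalog:
    def __init__(self):
        self.grants = set()      # Key tuples currently granted
        self.roles = {}          # user -> set of roles granted to that user

    def keys_for(self, user, obj, priv):
        """Every grant (direct or through a role) that lets `user` do `priv` on `obj`."""
        grantees = {user} | self.roles.get(user, set())
        return {Key(g, obj, priv) for g in grantees} & self.grants

class Executor:
    def __init__(self, catalog):
        self.catalog, self.plans = catalog, {}   # plans: (user, obj, priv) -> keys in plan

    def run(self, user, obj, priv):
        slot = (user, obj, priv)
        if slot not in self.plans:               # compile: privilege check happens only here
            keys = self.catalog.keys_for(user, obj, priv)
            if not keys:
                raise PermissionError(f"{user} lacks {priv} on {obj}")
            self.plans[slot] = keys
        return "ok"                              # cached plan runs without a new check

    def on_revoke_key(self, key):
        """Drop every cached plan that depends on the revoked key; it recompiles on next run."""
        for slot in [s for s, keys in self.plans.items() if key in keys]:
            del self.plans[slot]

def insert_survives_revoke(send_matching_key):
    cat = Catalog()
    cat.grants |= {Key("role1", "t1", "select"), Key("role1", "t1", "insert")}
    cat.roles["user1"] = {"role1"}
    ex = Executor(cat)
    ex.run("user1", "t1", "select"); ex.run("user1", "t1", "insert")   # plans now cached
    cat.grants.discard(Key("role1", "t1", "insert"))                    # revoke insert from role
    # Stand-in for the bug: a key that matches nothing stored in the plans.
    sent = Key("role1" if send_matching_key else "no-such-grantee", "t1", "insert")
    ex.on_revoke_key(sent)
    assert ex.run("user1", "t1", "select") == "ok"                      # select is unaffected
    try:
        ex.run("user1", "t1", "insert")
        return True                                                     # stale plan still ran
    except PermissionError:
        return False
```

A regression test for this class of bug follows the same shape as the reproduction steps: warm the cache as the role member, revoke from the role in another session, then assert that the next execution is denied.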