Fredy Wijaya has uploaded this change for review. ( http://gerrit.cloudera.org:8080/10966
Change subject: IMPALA-7217: Incorrect UPDATE/DELETE authorization privilege ...................................................................... IMPALA-7217: Incorrect UPDATE/DELETE authorization privilege UPDATE and DELETE statements require ALL privilege on the target table. In the prior code, UPDATE and DELETE statements use the default FROM clause which requires SELECT privilege on the target table. This causes an issue where if a user executes an UPDATE/DELETE statement with only a SELECT privilege on SERVER or DATABASE, an AnalysisException may be thrown instead of an AuthorizationException, which may reveal potentially sensitive information. This patch fixes the issue by requiring the FROM clause to also require ALL privilege on the target table to be consistent with the UPDATE/DELETE authorization privilege requirement. Testing: - Updated authorization tests - Ran all FE tests Change-Id: I69d451f727a7df6c41166a15cf1ed6f5334dc739 --- M fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java M fe/src/main/java/org/apache/impala/analysis/FromClause.java M fe/src/main/java/org/apache/impala/analysis/ModifyStmt.java M fe/src/main/java/org/apache/impala/analysis/TableRef.java M fe/src/test/java/org/apache/impala/analysis/AuditingTest.java M fe/src/test/java/org/apache/impala/analysis/AuthorizationStmtTest.java 6 files changed, 74 insertions(+), 24 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/66/10966/3 -- To view, visit http://gerrit.cloudera.org:8080/10966 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: I69d451f727a7df6c41166a15cf1ed6f5334dc739 Gerrit-Change-Number: 10966 Gerrit-PatchSet: 3 Gerrit-Owner: Fredy Wijaya <fwij...@cloudera.com>