Fredy Wijaya has uploaded a new patch set (#4). ( http://gerrit.cloudera.org:8080/10966 )

Change subject: IMPALA-7217: Incorrect UPDATE/DELETE authorization privilege
......................................................................

IMPALA-7217: Incorrect UPDATE/DELETE authorization privilege

UPDATE and DELETE statements require ALL privilege on the target table.
In the prior code, UPDATE and DELETE statements use the default FROM
clause which requires SELECT privilege on the target table. This causes
an issue where if a user executes an UPDATE/DELETE statement with only a
SELECT privilege on SERVER or DATABASE, an AnalysisException may be
thrown instead of an AuthorizationException, which may reveal potentially
sensitive information. This patch fixes the issue by requiring the FROM
clause to also require ALL privilege on the target table to be consistent
with the UPDATE/DELETE authorization privilege requirement.

Testing:
- Updated authorization tests
- Ran all FE tests

Change-Id: I69d451f727a7df6c41166a15cf1ed6f5334dc739
---
M fe/src/main/java/org/apache/impala/analysis/AnalysisContext.java
M fe/src/main/java/org/apache/impala/analysis/FromClause.java
M fe/src/main/java/org/apache/impala/analysis/ModifyStmt.java
M fe/src/main/java/org/apache/impala/analysis/TableRef.java
M fe/src/test/java/org/apache/impala/analysis/AuditingTest.java
M fe/src/test/java/org/apache/impala/analysis/AuthorizationStmtTest.java
6 files changed, 74 insertions(+), 24 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/66/10966/4
--
To view, visit http://gerrit.cloudera.org:8080/10966

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I69d451f727a7df6c41166a15cf1ed6f5334dc739
Gerrit-Change-Number: 10966
Gerrit-PatchSet: 4
Gerrit-Owner: Fredy Wijaya <fwij...@cloudera.com>
Gerrit-Reviewer: Adam Holley <ahol...@cloudera.com>
Gerrit-Reviewer: Fredy Wijaya <fwij...@cloudera.com>
Gerrit-Reviewer: Vuk Ercegovac <vercego...@cloudera.com>
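
The mismatch the commit message describes, as an added example that is not part of the original message or of Impala's code: a simplified Python model rather than the Java frontend. It assumes that privilege requests registered before analysis fails are authorized before the analysis error is reported. The catalog, grants, error text and all function names are constructed for illustration.

```python
class AnalysisException(Exception):
    pass

class AuthorizationException(Exception):
    pass

# Constructed catalog and error text, for illustration only.
CATALOG = {"sales.orders": {"id", "total"}}

def is_granted(grants, table, needed):
    """grants: set of (scope, privilege); scope is 'server', a db or db.table."""
    db = table.split(".")[0]
    return any(scope in ("server", db, table) and priv in ("ALL", needed)
               for scope, priv in grants)

def analyze_and_authorize(grants, table, column, from_clause_priv):
    """Model of UPDATE <table> SET <column> = ...; returns 'authorized' or raises."""
    # The FROM clause registers its privilege request as the table ref resolves.
    requests = [(table, from_clause_priv)]
    analysis_error = None
    if column not in CATALOG.get(table, set()):
        analysis_error = AnalysisException(
            f"could not resolve column '{column}' in {table}")
    else:
        # Statement-level requirement, registered only if analysis gets this far.
        requests.append((table, "ALL"))
    # Assumption: requests registered so far are authorized before any
    # analysis error is reported, so a denial masks the analysis error.
    for tbl, priv in requests:
        if not is_granted(grants, tbl, priv):
            raise AuthorizationException(f"user lacks {priv} on {tbl}")
    if analysis_error:
        raise analysis_error
    return "authorized"

def outcome(grants, column, from_clause_priv):
    """Return 'authorized' or the name of the exception the user would see."""
    try:
        return analyze_and_authorize(grants, "sales.orders", column, from_clause_priv)
    except (AnalysisException, AuthorizationException) as exc:
        return type(exc).__name__

SELECT_ON_DB = {("sales", "SELECT")}  # constructed grant: SELECT on DATABASE only
if __name__ == "__main__":
    print("prior:", outcome(SELECT_ON_DB, "ssn", "SELECT"))  # analysis error leaks
    print("fixed:", outcome(SELECT_ON_DB, "ssn", "ALL"))     # denial masks it
```

In the model, a user holding ALL on the table still sees the analysis error, so only callers without the required privilege lose the detailed message.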