cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua McKenzie (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (CASSANDRA-13053) GRANT/REVOKE on table without keyspace performs permissions check incorrectly
Date Thu, 23 Feb 2017 14:48:44 GMT

     [ https://issues.apache.org/jira/browse/CASSANDRA-13053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Joshua McKenzie reassigned CASSANDRA-13053:
-------------------------------------------

    Assignee: Aleksey Yeschenko

> GRANT/REVOKE on table without keyspace performs permissions check incorrectly
> -----------------------------------------------------------------------------
>
>                 Key: CASSANDRA-13053
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13053
>             Project: Cassandra
>          Issue Type: Bug
>          Components: CQL
>            Reporter: Sam Tunnicliffe
>            Assignee: Aleksey Yeschenko
>             Fix For: 2.2.x, 3.0.x, 3.11.x
>
>
> When a {{GRANT}} or {{REVOKE}} statement is executed on a table without specifying the
keyspace, we attempt to use the client session's keyspace to qualify the resource. 
> This is done when validating the statement, which occurs after checking that the user
executing the statement has sufficient permissions. This means that the permissions checking
uses an incorrect resource, namely a table with a null keyspace. If that user is a superuser,
then no error is encountered as superuser privs implicitly grants *all* permissions. If the
user is not a superuser, then the {{GRANT}} or {{REVOKE}} fails with an ugly error, regardless
of which keyspace the client session is bound to:
> {code}
> Unauthorized: Error from server: code=2100 [Unauthorized] message="User admin has no
AUTHORIZE permission on <table null.t1> or any of its parents"
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message