sentry-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Na Li (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SENTRY-2264) It is possible to elevate privileges from DROP using alter table rename
Date Tue, 26 Jun 2018 18:26:00 GMT

     [ https://issues.apache.org/jira/browse/SENTRY-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Na Li updated SENTRY-2264:
--------------------------
    Resolution: Fixed
        Status: Resolved  (was: Patch Available)

> It is possible to elevate privileges from DROP using alter table rename
> -----------------------------------------------------------------------
>
>                 Key: SENTRY-2264
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2264
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: Na Li
>            Assignee: Na Li
>            Priority: Major
>         Attachments: SENTRY-2264.001.patch, SENTRY-2264.002.patch, SENTRY-2264.003.patch,
SENTRY-2264.004.patch, SENTRY-2264.004.patch
>
>
> After introducing FGP, a user with only DROP on a database db1 and at least CREATE on
db2 can run ALTER TABLE RENAME db1.table1 db2.table2, and thus elevate their privileges.
> To reproduce:
> As admin (e.g. hive):
> 1. Create db1, db1.table1, db2, role r1.
> 2. Grant DROP on db1 to role r1.
> 3. Grant ALL on db2 to role r1
> 4. Grant role r1 to user testuser1.
> As testuser1:
> 1. use db1; alter table db1.table1 rename to db2.table1
> 2. select * from db2. table1
> Result: the select command succeeds.
> Desired behavior:
> we should at least require following privileges to execute the table rename command:
> table level "ALL" at source
> database level "CREATE" at destination.
> The reason we don't require "alter, insert" for destination DB is that "alter" and "insert"
is table level privileges and when "alter table rename" command is executed, there is no table
in destination DB. So we cannot enforce these table level privileges. Therefore the only change
is add table-level "ALL" privilege in required input privileges to avoid elevate privilege
by moving table cross DB



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message