Details
Description
For UPDATE/DELETE statement, ALL privilege on SERVER is required. However, having a SELECT privilege when executing UPDATE can reveal the existence of a table, i.e. an AnalysisException is thrown instead of AuthorizationException.
[localhost:21000] default> grant select on server to role foo_role; +---------------------------------+ | summary | +---------------------------------+ | Privilege(s) have been granted. | +---------------------------------+ Fetched 1 row(s) in 0.02s [localhost:21000] default> update doesntexist set a = 1; ERROR: AnalysisException: Could not resolve table reference: 'doesntexist' [localhost:21000] default> delete from doesntexist; ERROR: AnalysisException: Could not resolve table reference: 'doesntexist'
Let's contrast this with UPSERT.
[localhost:21000] default> upsert into table doesntexist(id, name) values(1, 'a'); ERROR: AuthorizationException: User 'impdev' does not have privileges to access: default.doesntexist