[CASSANDRA-13053] GRANT/REVOKE on table without keyspace performs permissions check incorrectly - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Low
Resolution: Fixed
Fix Version/s: 2.2.10, 3.0.13, 3.11.0
Component/s: Legacy/CQL
Labels:
None

Severity:
Low

Description

When a GRANT or REVOKE statement is executed on a table without specifying the keyspace, we attempt to use the client session's keyspace to qualify the resource.

This is done when validating the statement, which occurs after checking that the user executing the statement has sufficient permissions. This means that the permissions checking uses an incorrect resource, namely a table with a null keyspace. If that user is a superuser, then no error is encountered as superuser privs implicitly grants all permissions. If the user is not a superuser, then the GRANT or REVOKE fails with an ugly error, regardless of which keyspace the client session is bound to:

Unauthorized: Error from server: code=2100 [Unauthorized] message="User admin has no AUTHORIZE permission on <table null.t1> or any of its parents"

Attachments

Activity

People

Assignee:: Aleksey Yeschenko

Reporter:: Sam Tunnicliffe

Authors:: Aleksey Yeschenko

Reviewers:: Sam Tunnicliffe

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 16/Dec/16 19:26

Updated:: 16/Apr/19 09:30

Resolved:: 08/Mar/17 00:26