Uploaded image for project: 'Cassandra'
  1. Cassandra
  2. CASSANDRA-13053

GRANT/REVOKE on table without keyspace performs permissions check incorrectly

    XMLWordPrintableJSON

Details

    • Low

    Description

      When a GRANT or REVOKE statement is executed on a table without specifying the keyspace, we attempt to use the client session's keyspace to qualify the resource.

      This is done when validating the statement, which occurs after checking that the user executing the statement has sufficient permissions. This means that the permissions checking uses an incorrect resource, namely a table with a null keyspace. If that user is a superuser, then no error is encountered as superuser privs implicitly grants all permissions. If the user is not a superuser, then the GRANT or REVOKE fails with an ugly error, regardless of which keyspace the client session is bound to:

      Unauthorized: Error from server: code=2100 [Unauthorized] message="User admin has no AUTHORIZE permission on <table null.t1> or any of its parents"
      

      Attachments

        Activity

          People

            aleksey Aleksey Yeschenko
            samt Sam Tunnicliffe
            Aleksey Yeschenko
            Sam Tunnicliffe
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: