• Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.0
    • Fix Version/s: 2.1.0
    • Component/s: Sentry
    • Labels:


      After introducing FGP, a user with only DROP on a database db1 and at least CREATE on db2 can run ALTER TABLE RENAME db1.table1 db2.table2, and thus elevate their privileges.

      To reproduce:

      As admin (e.g. hive):
      1. Create db1, db1.table1, db2, role r1.
      2. Grant DROP on db1 to role r1.
      3. Grant ALL on db2 to role r1
      4. Grant role r1 to user testuser1.
      As testuser1:
      1. use db1; alter table db1.table1 rename to db2.table1
      2. select * from db2. table1
      Result: the select command succeeds.

      Desired behavior:
      we should at least require following privileges to execute the table rename command:

      table level "ALL" at source
      database level "CREATE" at destination.

      The reason we don't require "alter, insert" for destination DB is that "alter" and "insert" is table level privileges and when "alter table rename" command is executed, there is no table in destination DB. So we cannot enforce these table level privileges. Therefore the only change is add table-level "ALL" privilege in required input privileges to avoid elevate privilege by moving table cross DB


        1. SENTRY-2264.004.patch
          12 kB
          Na Li
        2. SENTRY-2264.004.patch
          12 kB
          Na Li
        3. SENTRY-2264.003.patch
          13 kB
          Na Li
        4. SENTRY-2264.002.patch
          4 kB
          Na Li
        5. SENTRY-2264.001.patch
          1 kB
          Na Li

          Issue Links



              • Assignee:
                LinaAtAustin Na Li
                LinaAtAustin Na Li
              • Votes:
                0 Vote for this issue
                2 Start watching this issue


                • Created: