Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
-
None
Description
Example:
Admin user:
register user sql_user1;
register user sql_user2;
create role role1;
create schema abc;
create table abc.table1 (a int);
grant select on abc.table1 to role1;
grant role role1 to sql_user1 with grant option.
sql_user1 can grant privileges on table abc.table1 through role role1.
sql_user1 attempts a grant:
grant select on abc.table1 to sql_user2;
This works but it shouldn't because sql_user1 does not directly have the privileges to grant select. At this time, sql_user1 becomes the grantor or the privilege (instead of role1). If the privilege is later revoked, then it must be revoked by sql_user1 or through an administrator by specifying the GRANTED BY clause:
revoke select on abc.table1 from sql_user2 granted by sql_user1;
Instead, the grant should return an error and sql_user1 use the granted by clause:
grant select on abc.table1 to sql_user2 granted by role1;
Then anyone who has been granted role1 can revoke the privilege. Like the grant, the revoke operation would need to include the GRANTED BY clause:
revoke select on abc.table1 from sql_user2 granted by role1;
or shortened to
revoke select on abc.table1 from sql_user2 by role1;
Attachments
Issue Links
- links to
