MariaDB Server / MDEV-15959

Column-level permissions and system versioning don't work well together: permissions for row end are required


Details

    Description

      The usual scenario when a user has SELECT permissions on certain columns but not on the whole table doesn't work with versioned tables.

      superuser

      MariaDB [db]> create or replace table t1 (pk int primary key, a int) with system versioning;
      Query OK, 0 rows affected (0.21 sec)
       
      MariaDB [db]> create user foo@localhost;
      Query OK, 0 rows affected (0.00 sec)
       
      MariaDB [db]> grant select(a) on t1 to foo@localhost;
      Query OK, 0 rows affected (0.01 sec)
      

      User foo

      MariaDB [db]> select a from t1;
      ERROR 1143 (42000): SELECT command denied to user 'foo'@'localhost' for column 'row_end' in table 't1'
      

      Not only does it refuse to perform the operation which should be permitted, but it also reveals information about the table to which the user shouldn't have access (the fact that it's versioned and the name of the column).

      Granting SELECT on row_end does solve the problem, but it's a really awkward solution. I don't know what a better solution would be; maybe SELECT on the row-ending column should always be assumed when a user has any permissions to the table?
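
      The workaround mentioned above, together with a check for which other column-level grants are affected, as an added example that is not part of the original report. It assumes the row-end column has the default name row_end and reuses the db.t1 and foo@localhost names from the session; run it as an account that can read all grants.

```sql
-- Added example (not from the report).
-- Lists grantees that hold column-level SELECT on a system-versioned table
-- but no SELECT on row_end, i.e. the accounts that will get ERROR 1143.
-- Assumption: the row-end column uses the default name row_end.
SELECT cp.GRANTEE,
       cp.TABLE_SCHEMA,
       cp.TABLE_NAME,
       GROUP_CONCAT(DISTINCT cp.COLUMN_NAME
                    ORDER BY cp.COLUMN_NAME) AS granted_columns
FROM information_schema.COLUMN_PRIVILEGES AS cp
JOIN information_schema.TABLES AS t
  ON t.TABLE_SCHEMA = cp.TABLE_SCHEMA
 AND t.TABLE_NAME   = cp.TABLE_NAME
WHERE cp.PRIVILEGE_TYPE = 'SELECT'
  AND t.TABLE_TYPE = 'SYSTEM VERSIONED'
  -- Grantees with table-level SELECT are not affected; skip them.
  -- (Schema-level and global SELECT are not checked here, so such
  --  accounts can show up as false positives.)
  AND NOT EXISTS (
        SELECT 1
        FROM information_schema.TABLE_PRIVILEGES AS tp
        WHERE tp.GRANTEE        = cp.GRANTEE
          AND tp.TABLE_SCHEMA   = cp.TABLE_SCHEMA
          AND tp.TABLE_NAME     = cp.TABLE_NAME
          AND tp.PRIVILEGE_TYPE = 'SELECT')
GROUP BY cp.GRANTEE, cp.TABLE_SCHEMA, cp.TABLE_NAME
HAVING SUM(cp.COLUMN_NAME = 'row_end') = 0;

-- Workaround from the report, applied to the account in the session above.
GRANT SELECT (row_end) ON db.t1 TO foo@localhost;

-- Confirm what the account now holds.
SHOW GRANTS FOR foo@localhost;
```

      The extra grant also lets the account read row_end values directly, so apply it only where exposing row end timestamps is acceptable.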


            People

              sachin.setiya.007 Sachin Setiya (Inactive)
              elenst Elena Stepanova