Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-15959

Column-level permissions and system versioning don't work well together: permissions for row end are required

    XMLWordPrintable

    Details

      Description

      The usual scenario when a user has SELECT permissions on certain columns but not on the whole table doesn't work with versioned tables.

      superuser

      MariaDB [db]> create or replace table t1 (pk int primary key, a int) with system versioning;
      Query OK, 0 rows affected (0.21 sec)
       
      MariaDB [db]> create user foo@localhost;
      Query OK, 0 rows affected (0.00 sec)
       
      MariaDB [db]> grant select(a) on t1 to foo@localhost;
      Query OK, 0 rows affected (0.01 sec)
      

      User foo

      MariaDB [db]> select a from t1;
      ERROR 1143 (42000): SELECT command denied to user 'foo'@'localhost' for column 'row_end' in table 't1'
      

      Not only does it refuse to perform the operation which should be permitted, but it also reveals information about the table to which the user shouldn't have access (the fact that it's versioned and the name of the column).

      Granting SELECT on row_end does solve the problem, but it's a really awkward solution. I don't know what a better solution would be, maybe SELECT on the row-ending column should always be assumed when a user has any permissions to the table?

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              sachin.setiya.007 Sachin Setiya
              Reporter:
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: