|
The usual scenario when a user has SELECT permissions on certain columns but not on the whole table doesn't work with versioned tables.
|
superuser
|
MariaDB [db]> create or replace table t1 (pk int primary key, a int) with system versioning;
|
Query OK, 0 rows affected (0.21 sec)
|
|
MariaDB [db]> create user foo@localhost;
|
Query OK, 0 rows affected (0.00 sec)
|
|
MariaDB [db]> grant select(a) on t1 to foo@localhost;
|
Query OK, 0 rows affected (0.01 sec)
|
|
User foo
|
MariaDB [db]> select a from t1;
|
ERROR 1143 (42000): SELECT command denied to user 'foo'@'localhost' for column 'row_end' in table 't1'
|
Not only does it refuse to perform the operation which should be permitted, but it also reveals information about the table to which the user shouldn't have access (the fact that it's versioned and the name of the column).
Granting SELECT on row_end does solve the problem, but it's a really awkward solution. I don't know what a better solution would be, maybe SELECT on the row-ending column should always be assumed when a user has any permissions to the table?
|