[YCQL] Cannot DROP TYPE when user has DROP permissions #2373

Closed
jameshartig opened this issue Sep 19, 2019 · 1 comment

@jameshartig
Contributor

A user that has DROP permissions on a keyspace cannot DROP types, but can drop tables fine. This was discussed with @hectorgcr on Slack.

The user has the following permissions:

GRANT CREATE ON ALL KEYSPACES TO accounts_api;

Then as accounts_api create a keyspace and a type, then try to drop the type. Since accounts_api is creating the keyspace it should get full permissions on that keyspace.

CREATE KEYSPACE accounts_api_test;
CREATE TYPE IF NOT EXISTS accounts_api_test.mytype (id TEXT);
DROP TYPE accounts_api_test.mytype;

Gives an error:

Unauthorized: Error from server: code=2100 [Unauthorized] message="Unauthorized. User accounts_api has no DROP permission on <all keyspaces> or any of its parents
DROP TYPE accounts_api_test.mytype;
^^^^
 (ql error -4)"

But the user has DROP permissions on that keyspace:

> SELECT * FROM system_auth.role_permissions WHERE resource = 'data/accounts_api_test';

 role         | resource               | permissions
--------------+------------------------+--------------------------------------------------------------
 accounts_api | data/accounts_api_test | ['ALTER', 'AUTHORIZE', 'CREATE', 'DROP', 'MODIFY', 'SELECT'] 

(1 rows)

Workaround for now is to give the user global DROP privileges as well as CREATE privileges.

@yugabyte-ci yugabyte-ci added the community/request Issues created by external users label Sep 19, 2019
@hectorgcr
Contributor

We currently check for DROP TYPE permissions in two places:

PTDropStmt::Analyze and in QLProcessor::CheckPermissions.

In PTDropStmt::Analyze we do the check:

case OBJECT_TYPE:
        RETURN_NOT_OK(sem_context->CheckHasAllKeyspacesPermission(loc(),
            PermissionType::DROP_PERMISSION));

This needs to be changed so that we only check that the current role has the DROP permission on the keyspace the type belongs to instead of checking that the role has the DROP permission on ALL KEYSPACES. We need to do the same check in QLProcessor::CheckPermissions.
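
The difference between the reported check and the proposed one, as an added example that is not part of the issue thread and is not YugabyteDB's code. The names `PermissionTable`, `HasPermission`, `CanDropTypeReported`, `CanDropTypeProposed` and `SampleTable` are hypothetical, the resource name `data` for ALL KEYSPACES is an assumption based on the `data/accounts_api_test` row above, and the `admin_role` row is constructed.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>

// Hypothetical model of system_auth.role_permissions: (role, resource) -> permissions.
using PermissionTable = std::map<std::pair<std::string, std::string>, std::set<std::string>>;

// Assumed naming: "data" is ALL KEYSPACES, "data/<keyspace>" is a single keyspace.
const std::string kAllKeyspaces = "data";

// True if the role holds `perm` on `resource` or on any of its parent resources.
bool HasPermission(const PermissionTable& table, const std::string& role,
                   std::string resource, const std::string& perm) {
  for (;;) {
    auto it = table.find(std::make_pair(role, resource));
    if (it != table.end() && it->second.count(perm) > 0) return true;
    auto slash = resource.rfind('/');
    if (slash == std::string::npos) return false;  // reached the root resource
    resource.erase(slash);                         // step up to the parent
  }
}

// Reported behaviour: DROP TYPE is checked against ALL KEYSPACES only.
bool CanDropTypeReported(const PermissionTable& t, const std::string& role,
                         const std::string& /*keyspace*/) {
  return HasPermission(t, role, kAllKeyspaces, "DROP");
}

// Proposed behaviour: check the keyspace the type belongs to (parents still apply).
bool CanDropTypeProposed(const PermissionTable& t, const std::string& role,
                         const std::string& keyspace) {
  return HasPermission(t, role, kAllKeyspaces + "/" + keyspace, "DROP");
}

// Constructed sample rows mirroring the grants described in the issue.
PermissionTable SampleTable() {
  return {{{"accounts_api", "data"}, {"CREATE"}},
          {{"accounts_api", "data/accounts_api_test"},
           {"ALTER", "AUTHORIZE", "CREATE", "DROP", "MODIFY", "SELECT"}},
          {{"admin_role", "data"}, {"DROP"}}};  // constructed role with global DROP
}

int main() {
  const PermissionTable t = SampleTable();
  std::cout << "reported: " << CanDropTypeReported(t, "accounts_api", "accounts_api_test")
            << ", proposed: " << CanDropTypeProposed(t, "accounts_api", "accounts_api_test")
            << "\n";
}
```

The proposed check still honours a grant on the parent resource, so a role with global DROP keeps working while a keyspace-scoped role no longer needs the broader grant used as the workaround.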
