…elf or of a role granted to it
Summary:
Currently, a superuser can remove the superuser status of itself, or any other role granted to it:
```
cassandra@cqlsh> alter role cassandra with SUPERUSER = false;
```
and
```
cassandra@cqlsh> create role s with SUPERUSER = true;
cassandra@cqlsh> grant s to cassandra;
cassandra@cqlsh> alter role s with SUPERUSER = false;
```
This diff fixes this issue by checking whether the role is trying to modify its own superuser status or the superuser status of any role granted to it directly or through inheritance.
This fix also fixes a bug in which we were allowing a non-superuser to modify the status of another non-superuser role.
Test Plan: Three new unit tests `TestAuthorization.testAlterOwnSuperuserStatusFails`, `TestAuthorization.testAlterSuperuserStatusOfGrantedRoleFails`, and `TestAuthentication.testAlterSuperuserFieldOfNonSuperuserRole`
Reviewers: amitanand, mikhail, rahuldesirazu, bogdan
Reviewed By: bogdan
Subscribers: ybase
Differential Revision: https://phabricator.dev.yugabyte.com/D7335
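The check described in the commit message above, sketched as an added C++ example (not YugabyteDB's own code). The in-memory role map, the names `Role`, `IsSelfOrGranted` and `CheckAlterSuperuser`, the order of the two checks, and the sample roles `t`, `admin2`, `alice` and `bob` are all assumptions made for illustration.

```cpp
#include <string>
#include <unordered_map>
#include <unordered_set>
#include <vector>

// Hypothetical in-memory role catalog (names are illustrative, not YugabyteDB's).
struct Role {
  bool superuser;
  std::vector<std::string> member_of;  // roles granted to this role
};
using Roles = std::unordered_map<std::string, Role>;
enum class Decision { kAllowed, kNotSuperuser, kSelfOrGrantedRole };

// True if target is actor itself or is granted to actor directly or through inheritance.
bool IsSelfOrGranted(const Roles& roles, const std::string& actor, const std::string& target) {
  std::unordered_set<std::string> seen;
  std::vector<std::string> stack{actor};
  while (!stack.empty()) {
    std::string cur = stack.back();
    stack.pop_back();
    if (cur == target) return true;
    if (!seen.insert(cur).second) continue;  // visited already; tolerates grant cycles
    auto it = roles.find(cur);
    if (it == roles.end()) continue;
    for (const auto& granted : it->second.member_of) stack.push_back(granted);
  }
  return false;
}

// Assumption: only the actor's own SUPERUSER flag is consulted, and that check runs first.
Decision CheckAlterSuperuser(const Roles& roles, const std::string& actor, const std::string& target) {
  auto it = roles.find(actor);
  if (it == roles.end() || !it->second.superuser) return Decision::kNotSuperuser;
  if (IsSelfOrGranted(roles, actor, target)) return Decision::kSelfOrGrantedRole;
  return Decision::kAllowed;
}

// Constructed sample: the cqlsh session from the page plus made-up roles t, admin2, alice, bob.
Roles SampleRoles() {
  Roles r;
  r["cassandra"] = Role{true, {"s"}};  // grant s to cassandra
  r["s"] = Role{true, {"t"}};          // t reaches cassandra only through s
  r["t"] = Role{true, {}};
  r["admin2"] = Role{true, {}};        // superuser unrelated to cassandra
  r["alice"] = Role{false, {}};
  r["bob"] = Role{false, {}};
  return r;
}
```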
Currently, a superuser can remove the superuser status of itself, or any other role granted to it:
```
cassandra@cqlsh> alter role cassandra with SUPERUSER = false;
```
and
both succeed, but the `ALTER ROLE` statement should fail in both cases.