You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
User is able to SELECT FROM VIEW that includes a JOIN statement only having select privilege on one of the source tables.
How to reproduce
ClickHouse server version 20.8.1 revision 54438.
CREATE TABLE statements for all tables involved
clicktest :) show create table table0
SHOW CREATE TABLE table0
┌─statement─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ CREATE TABLE default.table0
(
`d` Date,
`a` String,
`b` UInt8,
`x` String,
`y` Int8
)
ENGINE = MergeTree()
ORDER BY d
SETTINGS index_granularity = 8192 │
└───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
1 rows in set. Elapsed: 0.007 sec.
clicktest :) show create table table1
SHOW CREATE TABLE table1
┌─statement─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ CREATE TABLE default.table1
(
`d` Date,
`a` String,
`b` UInt8,
`x` String,
`y` Int8
)
ENGINE = MergeTree()
ORDER BY d
SETTINGS index_granularity = 8192 │
└───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
1 rows in set. Elapsed: 0.005 sec.
clicktest :) show create view0
SHOW CREATE TABLE view0
┌─statement──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ CREATE VIEW default.view0
(
`d` Date,
`a` String,
`b` UInt8,
`x` String,
`y` Int8,
`table1.a` String,
`table1.b` UInt8,
`table1.x` String,
`table1.y` Int8
) AS
SELECT *
FROM default.table0
INNER JOIN default.table1 USING (d) │
└────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
1 rows in set. Elapsed: 0.005 sec.
Queries to run that lead to unexpected result
ClickHouse client version 20.8.1.4447 (official build).
Connecting to localhost:9000 as user user0.
Connected to ClickHouse server version 20.8.1 revision 54438.
clicktest :) select * from view0
SELECT *
FROM view0
Ok.
0 rows in set. Elapsed: 0.017 sec.
Expected behavior
User should be unable to select from a view without full select privelege.
The text was updated successfully, but these errors were encountered:
MyroTk
added
the
bug
Confirmed user-visible misbehaviour in official release
label
Aug 26, 2020
Describe the bug
User is able to SELECT FROM VIEW that includes a
JOIN
statement only having select privilege on one of the source tables.How to reproduce
CREATE TABLE
statements for all tables involvedExpected behavior
User should be unable to select from a view without full select privelege.
The text was updated successfully, but these errors were encountered: