Owner of the schema loses rights if assumes the monetdb role. #3771
Last updated: 2015-10-17 12:40:53 +0200
Date: 2015-07-19 23:29:12 +0200
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
When a schema owner (which always has the right to SELECT, INSERT, CREATE, etc.) also assumes the monetdb role, it loses the right to SELECT, INSERT, UPDATE and DELETE, but it can still CREATE, ALTER or DROP tables. This only happens for schema owners and not for regular users. If a regular user assumes the monetdb role, he does get all the privileges on tables.
Date: 2015-07-20 21:41:46 +0200
For complete details, see http//devmonetdborg/hg/MonetDB?cmd=changeset;node=af031cf381f1
Date: 2015-07-22 22:31:19 +0200
fixed, ie both role and user id's are used to check for schema ownership
Date: 2015-08-25 14:06:09 +0200
Although the bug is fixed for user created schemas, it doesn't work with the default "sys" schema. Re-open it. The existing corresponding test will be extended to cover the new case as well.
Date: 2015-09-29 14:35:35 +0200
Jennie, did you extend the test as promised?
Date: 2015-09-30 22:00:05 +0200
Sorry, it was actually Vera who said she will extend the test. Guess it was lost among the many things she was trying to do during the wrap up. I need to dig in the old communications how to extend the test. I put this on the top of my list.
Date: 2015-10-17 12:40:53 +0200
Checked with Niels, that similar queries don't work with the "sys" schema is a correct behaviour, not a bug. Therefore, change the status to resolved & fixed. Niels' earlier fix for the not-pre-created-schemas is already released in Jul2015.
The owner of the "sys" schema is the user "monetdb", hence, granting the role "monetDB" to another user doesn't give that user any rights about the "sys" schema. To pass admin rights to a user, the role "sysadmin" should be granted. Then the user will be able to create/drop/update/alter/etc tables in the "sys" schema.
To avoid future confusion, we should disallow granting a role which was automatically created for each user (with the same name as the user name).
The text was updated successfully, but these errors were encountered: