[YCQL] Cannot CREATE TYPE when user has CREATE permissions for keyspace #2556

Closed
jameshartig opened this issue Oct 10, 2019 · 1 comment
Labels
community/request Issues created by external users

@jameshartig
Contributor

A user that has CREATE permissions on a keyspace cannot CREATE types, but can create tables fine. This is potentially similar to the issue in #2373.

The user has the following permissions:

GRANT CREATE ON KEYSPACE accounts_api TO accounts_api;

Then, as accounts_api, try to create a type in that keyspace:

CREATE TYPE IF NOT EXISTS accounts_api.mytype (id TEXT);

Gives an error:

Unauthorized: Error from server: code=2100 [Unauthorized] message="Unauthorized. User accounts_api has no CREATE permission on <all keyspaces> or any of its parents
CREATE TYPE IF NOT EXISTS accounts_api.mytype (id TEXT);
^^^^^^
 (ql error -4)"

But the user has CREATE permissions on that keyspace:

> SELECT * FROM system_auth.role_permissions WHERE resource = 'data/accounts_api';

 role         | resource          | permissions
--------------+-------------------+--------------------------------------------------------------
    cassandra | data/accounts_api | ['ALTER', 'AUTHORIZE', 'CREATE', 'DROP', 'MODIFY', 'SELECT']
 accounts_api | data/accounts_api |                      ['SELECT', 'MODIFY', 'CREATE', 'ALTER']

(2 rows)
@yugabyte-ci yugabyte-ci added the community/request Issues created by external users label Oct 10, 2019
@ddorian ddorian added area/ysql Yugabyte SQL (YSQL) and removed area/ysql Yugabyte SQL (YSQL) labels Oct 10, 2019
OlegLoginov added a commit that referenced this issue Oct 17, 2019
…ons for keyspace.

Summary:
Fixed permissions check for CREATE TYPE in the CQL parser tree node.
Fixed permissions check for CREATE/DROP TYPE in PreparedStatement.

Note: similar fix for DROP TYPE (diff D7254) was done before:
ddorian@2ec2e22

Test Plan:
ybd --java-test org.yb.cql.TestAuthorizationEnforcement#testDropTypeWithAllKeyspacesPermission
ybd --java-test org.yb.cql.TestAuthorizationEnforcement#testCreateTypeWithKeyspacePermission
ybd --java-test org.yb.cql.TestAuthorizationEnforcement#testPreparedCreateDropTypeWithAllKeyspacesPermission
ybd --java-test org.yb.cql.TestAuthorizationEnforcement#testPreparedCreateDropTypeWithKeyspacePermission

Reviewers: hector

Reviewed By: hector

Subscribers: kannan, yql

Differential Revision: https://phabricator.dev.yugabyte.com/D7373
@OlegLoginov
Contributor

Fixed by the commit above.
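
The mismatch reported in this issue, as an added illustration that is not part of the original thread and is not YugabyteDB's code: a small Python model of hierarchical permission lookup over the `role_permissions` rows shown in the report, comparing a check aimed at `<all keyspaces>` with one aimed at the keyspace that owns the type. The resource name `data` for `<all keyspaces>` and all function names are assumptions; superuser bypass is not modelled.

```python
# Illustrative model only; not YugabyteDB source code.
# Rows copied from the system_auth.role_permissions output in the report.
ROLE_PERMISSIONS = {
    ("cassandra", "data/accounts_api"): {"ALTER", "AUTHORIZE", "CREATE", "DROP", "MODIFY", "SELECT"},
    ("accounts_api", "data/accounts_api"): {"SELECT", "MODIFY", "CREATE", "ALTER"},
}

ALL_KEYSPACES = "data"  # assumed canonical name of the <all keyspaces> root resource


def resource_chain(resource):
    """Yield the resource and each of its parents, e.g. data/ks -> data."""
    parts = resource.split("/")
    for end in range(len(parts), 0, -1):
        yield "/".join(parts[:end])


def has_permission(role, permission, resource, grants=ROLE_PERMISSIONS):
    """True if the role holds the permission on the resource or any parent."""
    return any(permission in grants.get((role, r), set()) for r in resource_chain(resource))


def can_create_type_reported(role, keyspace, grants=ROLE_PERMISSIONS):
    """Behaviour matching the error message: the check targets <all keyspaces>."""
    return has_permission(role, "CREATE", ALL_KEYSPACES, grants)


def can_create_type_expected(role, keyspace, grants=ROLE_PERMISSIONS):
    """Expected behaviour: the check targets the keyspace that will own the type."""
    return has_permission(role, "CREATE", f"{ALL_KEYSPACES}/{keyspace}", grants)


def affected_roles(grants=ROLE_PERMISSIONS):
    """(role, keyspace) pairs with keyspace-scoped CREATE that the reported check rejects."""
    hits = []
    for (role, resource), perms in sorted(grants.items()):
        parts = resource.split("/")
        if len(parts) == 2 and parts[0] == ALL_KEYSPACES and "CREATE" in perms:
            if not can_create_type_reported(role, parts[1], grants):
                hits.append((role, parts[1]))
    return hits


if __name__ == "__main__":
    print(can_create_type_reported("accounts_api", "accounts_api"))  # False
    print(can_create_type_expected("accounts_api", "accounts_api"))  # True
    print(affected_roles())
```

Running `affected_roles()` over an export of `system_auth.role_permissions` lists the role and keyspace pairs that rely on keyspace-scoped CREATE and would therefore hit the Unauthorized error on a build without the fix.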
