[AUTHZ][Improvement] insert into table should check the update privilege for table
liujiayi771 opened this issue · 6 comments
liujiayi771 commented
Code of Conduct
- I agree to follow this project's Code of Conduct
Search before asking
- I have searched in the issues and found no similar issues.
What would you like to be improved?
Currently, Authz will check the update privilege for the column of the table. I think it is better to check the update privilege for the table.
insert into test values(1);
user [xxx] does not have [update] privilege on [database=testdb/table=test/column=id]
How should we improve?
Check the update privilege for the table.
Are you willing to submit PR?
- Yes. I would be willing to submit a PR with guidance from the Kyuubi community to improve.
- No. I cannot submit a PR at this time.
github-actions commented
Hello @liujiayi771,
Thanks for finding the time to report the issue!
We really appreciate the community's efforts to improve Apache Kyuubi.
liujiayi771 commented
Hi @pan3793. What do you think?
liujiayi771 commented
cc @yaooqinn, thanks.
pan3793 commented
Sounds reasonable to me, but can we double-check other DBs' implementations?
liujiayi771 commented
@pan3793 I have tested the Hive and Trino Ranger plugins. They both check the privilege on the table when inserting into a table.
Hive:
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [ranger] does not have [UPDATE] privilege on [database=testdb/table=test] (state=42000,code=40000)
Trino:
trino:testdb> insert into test values(1);
Query 20240729_135814_00054_g5bf9 failed: Access Denied: Cannot insert into table test
So I will submit a PR for this change.
pan3793 commented
Thanks for checking, please go ahead and submit a PR to fix it.