Details
- Bug
- Resolution: Fixed
- Major
- 7.6.0, 7.2.5, 7.6.2
- Untriaged
- 0
- Unknown
Description
DELETE on system:tasks_cache can be performed by a user without the correct RBAC.
This means that any user can cancel any scheduled/running tasks.
For example, active ADVISOR sessions can be cancelled by any user.
Steps to repro:
1. Create a user without any roles assigned to it.
2. As the created user, run the statement below:
DELETE FROM system:tasks_cache;
The statement executes successfully, which is incorrect. The user should have the query_system_catalog role to perform the DELETE statement.
For Gerrit Dashboard: MB-62622

# | Subject | Branch | Project | Status | CR | V |
---|---|---|---|---|---|---|
212370,2 | MB-62622: Add PRIV_SYSTEM_READ privilege requirement for... | trinity | query | MERGED | +2 | +1 |