Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mitigate issue that Table ACL grants are not atomic #499

Closed
mwojtyczka opened this issue Oct 25, 2023 · 2 comments
Closed

Mitigate issue that Table ACL grants are not atomic #499

mwojtyczka opened this issue Oct 25, 2023 · 2 comments
Assignees
@mwojtyczka
Labels
enhancement New feature or request

Comments

@mwojtyczka
Copy link
Contributor

mwojtyczka commented Oct 25, 2023
edited
Loading

There is a bug in the Grants API for the Table ACLs. It does not support concurrent grant/revoke operations.

TableAcl grant/revoke operations are not atomic. When granting the permissions, the service would first get all existing permissions, append with the new permissions, and set the full list in the database. If there are concurrent grant requests, both requests might succeed and emit the audit logs, but what actually happens could be that the new permission list from one request overrides the other one, causing permission loss.

We won't hit the issue as long as we grant permissions for one securable to one user in one grant/statement. e.g.,
GRANT SELECT, CREATE, MODIFY ON table my_table TO some-user

Possible solutions:

  • Remove threading from Table ACLs
  • Fold actions belonging to the same principal, object type and id into one grant statement (better)

ES ticket for reference.
@github-project-automation github-project-automation bot moved this to Triage in UCX Oct 25, 2023
@mwojtyczka mwojtyczka added the enhancement New feature or request label Oct 25, 2023
@mwojtyczka mwojtyczka self-assigned this Oct 25, 2023
@nfx
Copy link
Collaborator

nfx commented Oct 25, 2023

Make sure to add this as a comment in the code

@mwojtyczka mwojtyczka changed the title Remove threading from Table ACLs Remove threading from Table ACLs to avoid concurrency issue in the Table ACLs Oct 25, 2023
@mwojtyczka mwojtyczka changed the title Remove threading from Table ACLs to avoid concurrency issue in the Table ACLs Remove threading from Table ACLs to avoid concurrency issue in the Grants API Oct 25, 2023
This was referenced Oct 25, 2023
Closed
Merged
@mwojtyczka mwojtyczka changed the title Remove threading from Table ACLs to avoid concurrency issue in the Grants API Fold actions to apply permissions per principal, object type and object id in one transaction Oct 27, 2023
@mwojtyczka mwojtyczka changed the title Fold actions to apply permissions per principal, object type and object id in one transaction Mitigate issue that Table ACL grants are not atomic Oct 27, 2023
@mwojtyczka mwojtyczka mentioned this issue Oct 27, 2023
Merged
@mwojtyczka
Copy link
Contributor Author

Fixed by PR 512

@github-project-automation github-project-automation bot moved this from Triage to Archive in UCX Oct 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mwojtyczka mwojtyczka

Labels
enhancement New feature or request
Projects
UCX
Archived in project
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nfx @mwojtyczka