Can a non-data party query the data? #120
Comments
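Reason: the current PLAINTEXT_AFTER_JOIN has a special restriction (the others do not): only a data provider can obtain the plaintext permission after the join. This is mainly for security reasons, because after the join the intersection is effectively visible to the other party.
We may have the following business scenario:
Can I modify the SCDB code to remove this restriction? Could you tell me where to make the change? Are there many places that need to be modified?
Thanks for the feedback. We will also discuss this internally and assess whether to provide a configuration switch to remove the restriction.
To add to the security risk: if we do not restrict this to data parties and open up ccl.Join as soon as a join operation has taken place, there is this risk: carol self-joins alice's table and directly obtains all the information in the id column: select t1.id from ta as t1 INNER JOIN ta as t2 on t1.id=t1.id;
So that was the consideration, 0.0. Understood, thanks for the answer.
OK, I'll look into it, thanks 🙏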
For example:
Alice has table ta with one column, ID, and runs these grants:
GRANT SELECT PLAINTEXT_AFTER_JOIN(id) ON demo.ta TO carol
GRANT SELECT PLAINTEXT_AFTER_JOIN(id) ON demo.ta TO bob
Bob has table tb with one column, ID, and runs these grants:
GRANT SELECT PLAINTEXT_AFTER_JOIN(id) ON demo.tb TO carol
GRANT SELECT PLAINTEXT_AFTER_JOIN(id) ON demo.tb TO alice
Carol has no table and submits this SQL: select ta.id from ta INNER JOIN tb on ta.id=tb.id;
When I tried it, I got an error:
[demo]carol> select ta.id from ta INNER JOIN tb on ta.id=tb.id
[fetch]err: Code: 300, message:ccl check failed: the 1th column demo.ta.id in the result is not visibile (PLAINTEXT_AFTER_JOIN) to party carol
Is the scenario above feasible in theory? Or is my configuration wrong?
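
A simplified Python model of the restriction and the self-join risk discussed in this thread, added here as an illustration and not taken from SCDB's code. The table contents, the function names and the reading of "data provider" as "owner of one of the joined tables" are assumptions.

```python
# Simplified model of the check discussed in this issue; not SCDB's code.
# Table contents, owners and function names are constructed for illustration.

TABLES = {
    "demo.ta": {"owner": "alice", "id": ["a1", "a2", "a3", "a4"]},
    "demo.tb": {"owner": "bob", "id": ["a2", "a4", "b9"]},
}

# (table, grantee) pairs holding PLAINTEXT_AFTER_JOIN on the id column,
# mirroring the GRANT statements in the issue.
PAJ_GRANTS = {
    ("demo.ta", "carol"), ("demo.ta", "bob"),
    ("demo.tb", "carol"), ("demo.tb", "alice"),
}


def inner_join_ids(left, right):
    """Return the left.id values that have a match in right.id."""
    right_ids = set(TABLES[right]["id"])
    return [v for v in TABLES[left]["id"] if v in right_ids]


def may_reveal(requester, left, right, restrict_to_data_party=True):
    """Decide whether left.id may be returned in plaintext after the join."""
    if TABLES[left]["owner"] == requester:
        return True  # an owner can always read its own column
    if (left, requester) not in PAJ_GRANTS:
        return False
    if restrict_to_data_party:
        # Assumed reading of the restriction: the requester must own the
        # other joined table, i.e. contribute data to the join.
        return TABLES[right]["owner"] == requester
    return True  # relaxed mode: any join satisfies the constraint


def run_query(requester, left, right, restrict_to_data_party=True):
    """Return the rows the requester receives, or None if the check fails."""
    if not may_reveal(requester, left, right, restrict_to_data_party):
        return None
    return inner_join_ids(left, right)


if __name__ == "__main__":
    print(run_query("carol", "demo.ta", "demo.tb"))         # check fails
    print(run_query("bob", "demo.ta", "demo.tb"))           # intersection only
    print(run_query("carol", "demo.ta", "demo.ta", False))  # whole column
```

With the restriction relaxed, the cross-party join still returns only the intersection, but the self-join returns every id in ta, which is the risk described in the reply above.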