Issue with Lake Formation permissions - Users can see referenced tables when granted access to views #4453

ElearG opened this issue Feb 27, 2025 · 0 comments
Labels
bug This issue is a confirmed bug. needs-triage This issue or PR still needs to be triaged.

ElearG commented Feb 27, 2025

Describe the bug

I've encountered what appears to be a bug with Lake Formation permissions when working with views and their referenced tables. According to AWS documentation, the SELECT permission should only allow users to query a table but not view its schema or metadata, while DESCRIBE permission is needed for those capabilities.

This issue creates significant problems for our data governance model:

Users see many tables they shouldn't directly interact with
It becomes difficult to implement a true abstraction layer using views
It violates our least-privilege access model
It creates confusion among end users, who see more resources than they should

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

When a user is granted only SELECT permission on tables referenced by a view:

The user should be able to query the view successfully
The user should NOT see the referenced tables in Athena's interface
The user should NOT be able to list the schema or view the structure of the referenced tables

Current Behavior

When a user is granted only SELECT permission on tables referenced by a view:

The user can query the view (as expected)
The user can see ALL referenced tables in Athena's interface
The user can list the schema and examine the structure of the referenced tables

This appears to be a bug in the permission model, as the DESCRIBE permission (which controls visibility of table metadata) is not being enforced correctly.

Reproduction Steps

1. Create a Lake Formation database with tables and views
2. Create a view that references one or more tables
3. Grant a user/role the following permissions:
   - SELECT and DESCRIBE on the view
   - Only SELECT (not DESCRIBE) on the referenced tables
4. Log in as that user and access Athena
5. Observe that the user can see and explore all referenced tables in Athena

Possible Solution

No response

Additional Information/Context

I've verified this behavior across multiple accounts and roles. I've also confirmed that the IAM permissions are correct and that this appears to be specific to how Lake Formation permissions interact with Athena's interface.
Has anyone else experienced this issue or found a workaround? Are there any configuration settings I might be missing?

SDK version used

1.37

Environment details (OS name and version, etc.)

Python 3.9
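The permission layout from the reproduction steps, written out as boto3 `grant_permissions` calls, plus an audit over `list_permissions` output that flags any referenced table holding more than SELECT. This is an added example, not code from the issue author or from the boto3 project; the database, view, table and principal names are constructed placeholders, and the sample `list_permissions` output is constructed to show one table (`orders`) that was accidentally given DESCRIBE. Running the audit against the actual grants is the first thing to check before concluding the permission model itself is at fault.

```python
"""Lake Formation grant builder and least-privilege audit (added example).

build_grants() produces the keyword arguments for
lakeformation.grant_permissions() so that the view gets SELECT + DESCRIBE
and each referenced table gets SELECT only, as in the issue.
audit_table_permissions() takes PrincipalResourcePermissions entries (the
shape returned by lakeformation.list_permissions()) and reports referenced
tables that carry anything beyond the allowed set, e.g. DESCRIBE or ALL.
"""
from typing import Dict, Iterable, List

# Constructed placeholder names; replace with real values before use.
DATABASE = "sales_db"
VIEW = "customer_summary_v"
REFERENCED_TABLES = ["customers", "orders"]
PRINCIPAL_ARN = "arn:aws:iam::123456789012:role/analyst"


def table_resource(database: str, name: str) -> Dict:
    """Lake Formation 'Table' resource block (views are addressed as tables)."""
    return {"Table": {"DatabaseName": database, "Name": name}}


def build_grants(principal_arn: str, database: str, view: str,
                 referenced_tables: Iterable[str]) -> List[Dict]:
    """Return one grant_permissions() kwargs dict per resource.

    View: SELECT and DESCRIBE. Referenced tables: SELECT only, so the
    principal can query the view but is not granted table metadata.
    """
    principal = {"DataLakePrincipalIdentifier": principal_arn}
    grants = [{
        "Principal": principal,
        "Resource": table_resource(database, view),
        "Permissions": ["SELECT", "DESCRIBE"],
        "PermissionsWithGrantOption": [],
    }]
    for table in referenced_tables:
        grants.append({
            "Principal": principal,
            "Resource": table_resource(database, table),
            "Permissions": ["SELECT"],
            "PermissionsWithGrantOption": [],
        })
    return grants


def apply_grants(grants: List[Dict], client=None) -> None:
    """Send each grant to Lake Formation. Needs boto3 and AWS credentials;
    deliberately not called at import time so the module loads offline."""
    if client is None:
        import boto3  # imported lazily; boto3 is an assumed dependency
        client = boto3.client("lakeformation")
    for kwargs in grants:
        client.grant_permissions(**kwargs)


def audit_table_permissions(entries: List[Dict], referenced_tables: Iterable[str],
                            allowed: Iterable[str] = ("SELECT",)) -> Dict[str, List[str]]:
    """Map table name -> excess permissions for referenced tables.

    `entries` is a list in the PrincipalResourcePermissions shape
    (Principal / Resource / Permissions / PermissionsWithGrantOption);
    build_grants() output is in that shape too. 'ALL' implies DESCRIBE,
    so it is reported as excess just like an explicit DESCRIBE.
    """
    wanted = set(referenced_tables)
    excess: Dict[str, List[str]] = {}
    for entry in entries:
        name = entry.get("Resource", {}).get("Table", {}).get("Name")
        if name not in wanted:
            continue
        extra = sorted(set(entry.get("Permissions", [])) - set(allowed))
        if extra:
            excess[name] = extra
    return excess


# Constructed sample of list_permissions() output: 'orders' was given
# DESCRIBE in addition to SELECT, which the audit should catch.
_PRINCIPAL = {"DataLakePrincipalIdentifier": PRINCIPAL_ARN}
SAMPLE_PERMISSIONS = [
    {"Principal": _PRINCIPAL, "Resource": table_resource(DATABASE, "customers"),
     "Permissions": ["SELECT"], "PermissionsWithGrantOption": []},
    {"Principal": _PRINCIPAL, "Resource": table_resource(DATABASE, "orders"),
     "Permissions": ["SELECT", "DESCRIBE"], "PermissionsWithGrantOption": []},
    {"Principal": _PRINCIPAL, "Resource": table_resource(DATABASE, VIEW),
     "Permissions": ["SELECT", "DESCRIBE"], "PermissionsWithGrantOption": []},
]

if __name__ == "__main__":
    for grant in build_grants(PRINCIPAL_ARN, DATABASE, VIEW, REFERENCED_TABLES):
        print(grant["Resource"]["Table"]["Name"], grant["Permissions"])
    print("excess:", audit_table_permissions(SAMPLE_PERMISSIONS, REFERENCED_TABLES))
```

To audit a live account, call `list_permissions(Principal=..., ResourceType="TABLE")` for the analyst principal, pass the `PrincipalResourcePermissions` list to `audit_table_permissions`, and also run it without a `Principal` filter so that grants to the `IAM_ALLOWED_PRINCIPALS` group (which Lake Formation uses for IAM-compatibility mode and which effectively expose a database's tables to anyone with the matching IAM policy) are surfaced as well.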

@ElearG ElearG added bug This issue is a confirmed bug. needs-triage This issue or PR still needs to be triaged. labels Feb 27, 2025