This is an automated email from the ASF dual-hosted git repository. dengzh pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/master by this push:
new 937d10069dc HIVE-28736:Remove DFS_URI authorization for CREATE_TABLE event with n… (#5689)
937d10069dc is described below

commit 937d10069dc11143c42a521bb2fe0896a0b2d9d8
Author: rtrivedi12 <32664785+rtrived...@users.noreply.github.com>
AuthorDate: Thu Jul 3 20:27:15 2025 -0500

HIVE-28736:Remove DFS_URI authorization for CREATE_TABLE event with n… (#5689)
---
 .../plugin/metastore/events/CreateTableEvent.java | 39 +++++++++++--
 ...e_ext_table_1.q => auth_create_table_event_1.q} | 12 +++-
 .../llap/auth_create_ext_table_1.q.out | 27 ---------
 .../llap/auth_create_table_event_1.q.out | 67 ++++++++++++++++++++++
 4 files changed, 111 insertions(+), 34 deletions(-)

diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/CreateTableEvent.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/CreateTableEvent.java
index 4099405abe9..2b9ca3b8f5f 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/CreateTableEvent.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/CreateTableEvent.java
@@ -20,11 +20,12 @@
 package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
 
 import org.apache.commons.lang3.StringUtils;
-import org.apache.hadoop.hive.metastore.api.Table;
 import org.apache.hadoop.hive.metastore.api.Database;
-import org.apache.hadoop.hive.metastore.TableType;
+import org.apache.hadoop.hive.metastore.api.MetaException;
+import org.apache.hadoop.hive.metastore.api.Table;
 import org.apache.hadoop.hive.metastore.events.PreCreateTableEvent;
 import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.metastore.utils.MetaStoreUtils;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
@@ -34,7 +35,6 @@
 import org.slf4j.LoggerFactory;
 
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.List;
 
 /*
@@ -62,11 +62,18 @@ private List<HivePrivilegeObject> getInputHObjs() {
     List<HivePrivilegeObject> ret = new ArrayList<>();
     PreCreateTableEvent event = (PreCreateTableEvent) preEventContext;
     Table table = event.getTable();
+    Database database = event.getDatabase();
     String uri = getSdLocation(table.getSd());
 
-    if (StringUtils.isNotEmpty(uri)) {
+    if (StringUtils.isEmpty(uri)) {
+      return ret;
+    }
+
+    // Skip DFS_URI only if table location is under default db path
+    if (this.needDFSUriAuth(uri, this.getDefaultTablePath(database, table))) {
       ret.add(new HivePrivilegeObject(HivePrivilegeObjectType.DFS_URI, null, uri));
     }
+
     return ret;
   }
 
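Review bot: The comment `// Skip DFS_URI only if table location is under default db path` in getInputHObjs says "under", but needDFSUriAuth only skips the DFS_URI object when the location string equals the warehouse default table path, so any other location inside the database directory still receives a DFS_URI check; the same wording appears in the getOutputHObjs hunk. Suggest `// Skip DFS_URI only when the location equals the warehouse default table path; any other location still needs URI authorization` for both comments, so a reader does not assume a containment check that the code does not perform. The `this.` qualifier on `needDFSUriAuth`/`getDefaultTablePath` is also inconsistent with neighbouring calls such as `getSdLocation(table.getSd())`, which use none. getInputHObjs starts outside the hunk (only its signature is shown in the header).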
@@ -82,8 +89,12 @@ private List<HivePrivilegeObject> getOutputHObjs() {
     ret.add(getHivePrivilegeObject(database));
     ret.add(getHivePrivilegeObject(table));
 
-    if (StringUtils.isNotEmpty(uri) && !TableType.EXTERNAL_TABLE.toString().equalsIgnoreCase(table.getTableType())) {
-      ret.add(new HivePrivilegeObject(HivePrivilegeObjectType.DFS_URI, null, uri));
+    if (StringUtils.isNotEmpty(uri)) {
+      // Skip DFS_URI for external tables and if managed table location is under default db path
+      if (!MetaStoreUtils.isExternalTable(table) && this.needDFSUriAuth(uri,
+          this.getDefaultTablePath(database, table))) {
+        ret.add(new HivePrivilegeObject(HivePrivilegeObjectType.DFS_URI, null, uri));
+      }
     }
 
     COMMAND_STR = buildCommandString(COMMAND_STR,table);
@@ -101,4 +112,20 @@ private String buildCommandString(String cmdStr, Table tbl) {
     }
     return ret;
   }
+
+  private String getDefaultTablePath(Database database, Table table) {
+    String expectedTablePath = null;
+    try {
+      expectedTablePath = preEventContext.getHandler().getWh().getDefaultTablePath(database, table).toString();
+    } catch (MetaException e) {
+      LOG.warn("Got exception fetching Default location for dbName: {} tableName: {} ", database.getName(),
+          table.getTableName(), e);
+    }
+    return expectedTablePath;
+  }
+
+  private boolean needDFSUriAuth(String uri, String expectedTablePath) {
+    return (StringUtils.isEmpty(expectedTablePath) || !uri.equalsIgnoreCase(expectedTablePath));
+  }
+
 }
diff --git a/ql/src/test/queries/clientpositive/auth_create_ext_table_1.q b/ql/src/test/queries/clientpositive/auth_create_table_event_1.q
similarity index 61%
rename from ql/src/test/queries/clientpositive/auth_create_ext_table_1.q
rename to ql/src/test/queries/clientpositive/auth_create_table_event_1.q
index b2753031339..b2e80fd3be2 100644
--- a/ql/src/test/queries/clientpositive/auth_create_ext_table_1.q
+++ b/ql/src/test/queries/clientpositive/auth_create_table_event_1.q
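Review bot: `needDFSUriAuth` compares the caller-supplied location with the warehouse default using `equalsIgnoreCase`, which treats e.g. `/warehouse/TEST_DB.db/t1` and `/warehouse/test_db.db/t1` as the same location although HDFS paths are case-sensitive, so the DFS_URI check can be skipped for a directory that is not actually the default table path. A case-sensitive `!uri.equals(expectedTablePath)` (or comparing both sides as normalized `Path` objects if scheme/authority casing is the concern) keeps the exemption limited to the single path the comment intends, and since any non-matching location still falls through to authorization the tighter comparison is fail-closed. The `null` returned by getDefaultTablePath on MetaException also falls through to authorization, which is the right direction, but that contract is undocumented; a Javadoc such as `/** Returns the warehouse default path for the table, or null when it cannot be computed (callers then require DFS_URI authorization). */` would make it explicit. Both helpers are complete within the hunk.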
@@ -8,8 +8,18 @@ dfs -chmod 555 ${system:test.tmp.dir}/a_ext_create_tab2;
 
 set hive.metastore.pre.event.listeners=org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
 
--- Attempt to Create external table without having write permissions on table dir should not result in error
+-- HIVE-27525 Attempt to Create external table without having write permissions on table dir should not result in error
 CREATE EXTERNAL TABLE t1(i int) location '${system:test.tmp.dir}/a_ext_create_tab1';
 Select * from t1;
 CREATE EXTERNAL TABLE LikeExternalTable LIKE t1 location '${system:test.tmp.dir}/a_ext_create_tab2';
+
+-- Skip authorization if location is not specified
+CREATE DATABASE IF NOT EXISTS test_db COMMENT 'Hive test database';
+use test_db;
+
+-- HIVE-28736 Skip DFS_URI auth for table under default DB location
+-- Attempt to Create external table without having write permissions on table dir should not result in error
+CREATE EXTERNAL TABLE t1(i int) location '${system:test.warehouse.dir}/test_db.db/t1';;
+CREATE TABLE t2(i int, name String) stored as ORC;
+CREATE TABLE t3(i int, name String) stored as ORC location '${system:test.warehouse.dir}/test_db.db/t3';
diff --git a/ql/src/test/results/clientpositive/llap/auth_create_ext_table_1.q.out b/ql/src/test/results/clientpositive/llap/auth_create_ext_table_1.q.out
deleted file mode 100644
index aa6fd6ed017..00000000000
--- a/ql/src/test/results/clientpositive/llap/auth_create_ext_table_1.q.out
+++ /dev/null
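Review bot: The added statement `CREATE EXTERNAL TABLE t1(i int) location '${system:test.warehouse.dir}/test_db.db/t1';;` ends with a doubled semicolon, leaving an empty statement in the test; drop the second `;`. The comment `-- Skip authorization if location is not specified` is placed above the `CREATE DATABASE`/`use test_db` statements, but the location-less case it describes is `CREATE TABLE t2(i int, name String) stored as ORC;`, so it reads better directly above that line. The hunk has no trailing context, so these additions appear to sit at the end of the file.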
@@ -1,27 +0,0 @@
-#### A masked pattern was here ####
-PREHOOK: type: CREATETABLE
-#### A masked pattern was here ####
-PREHOOK: Output: database:default
-PREHOOK: Output: default@t1
-#### A masked pattern was here ####
-POSTHOOK: type: CREATETABLE
-#### A masked pattern was here ####
-POSTHOOK: Output: database:default
-POSTHOOK: Output: default@t1
-PREHOOK: query: Select * from t1
-PREHOOK: type: QUERY
-PREHOOK: Input: default@t1
-#### A masked pattern was here ####
-POSTHOOK: query: Select * from t1
-POSTHOOK: type: QUERY
-POSTHOOK: Input: default@t1
-#### A masked pattern was here ####
-PREHOOK: type: CREATETABLE
-#### A masked pattern was here ####
-PREHOOK: Output: database:default
-PREHOOK: Output: default@LikeExternalTable
-#### A masked pattern was here ####
-POSTHOOK: type: CREATETABLE
-#### A masked pattern was here ####
-POSTHOOK: Output: database:default
-POSTHOOK: Output: default@LikeExternalTable
diff --git a/ql/src/test/results/clientpositive/llap/auth_create_table_event_1.q.out b/ql/src/test/results/clientpositive/llap/auth_create_table_event_1.q.out
new file mode 100644
index 00000000000..3cda32fc51c
--- /dev/null
+++ b/ql/src/test/results/clientpositive/llap/auth_create_table_event_1.q.out
@@ -0,0 +1,67 @@
+#### A masked pattern was here ####
+PREHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+PREHOOK: Output: database:default
+PREHOOK: Output: default@t1
+#### A masked pattern was here ####
+POSTHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@t1
+PREHOOK: query: Select * from t1
+PREHOOK: type: QUERY
+PREHOOK: Input: default@t1
+#### A masked pattern was here ####
+POSTHOOK: query: Select * from t1
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@t1
+#### A masked pattern was here ####
+PREHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+PREHOOK: Output: database:default
+PREHOOK: Output: default@LikeExternalTable
+#### A masked pattern was here ####
+POSTHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@LikeExternalTable
+PREHOOK: query: CREATE DATABASE IF NOT EXISTS test_db COMMENT 'Hive test database'
+PREHOOK: type: CREATEDATABASE
+PREHOOK: Output: database:test_db
+POSTHOOK: query: CREATE DATABASE IF NOT EXISTS test_db COMMENT 'Hive test database'
+POSTHOOK: type: CREATEDATABASE
+POSTHOOK: Output: database:test_db
+PREHOOK: query: use test_db
+PREHOOK: type: SWITCHDATABASE
+PREHOOK: Input: database:test_db
+POSTHOOK: query: use test_db
+POSTHOOK: type: SWITCHDATABASE
+POSTHOOK: Input: database:test_db
+#### A masked pattern was here ####
+PREHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+PREHOOK: Output: database:test_db
+PREHOOK: Output: test_db@t1
+#### A masked pattern was here ####
+POSTHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+POSTHOOK: Output: database:test_db
+POSTHOOK: Output: test_db@t1
+PREHOOK: query: CREATE TABLE t2(i int, name String) stored as ORC
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:test_db
+PREHOOK: Output: test_db@t2
+POSTHOOK: query: CREATE TABLE t2(i int, name String) stored as ORC
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:test_db
+POSTHOOK: Output: test_db@t2
+#### A masked pattern was here ####
+PREHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+PREHOOK: Output: database:test_db
+PREHOOK: Output: test_db@t3
+#### A masked pattern was here ####
+POSTHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+POSTHOOK: Output: database:test_db
+POSTHOOK: Output: test_db@t3