This is an automated email from the ASF dual-hosted git repository.

dengzh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new 937d10069dc HIVE-28736:Remove DFS_URI authorization for CREATE_TABLE 
event with n… (#5689)
937d10069dc is described below

commit 937d10069dc11143c42a521bb2fe0896a0b2d9d8
Author: rtrivedi12 <32664785+rtrived...@users.noreply.github.com>
AuthorDate: Thu Jul 3 20:27:15 2025 -0500

    HIVE-28736:Remove DFS_URI authorization for CREATE_TABLE event with n… 
(#5689)
---
 .../plugin/metastore/events/CreateTableEvent.java  | 39 +++++++++++--
 ...e_ext_table_1.q => auth_create_table_event_1.q} | 12 +++-
 .../llap/auth_create_ext_table_1.q.out             | 27 ---------
 .../llap/auth_create_table_event_1.q.out           | 67 ++++++++++++++++++++++
 4 files changed, 111 insertions(+), 34 deletions(-)

diff --git 
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/CreateTableEvent.java
 
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/CreateTableEvent.java
index 4099405abe9..2b9ca3b8f5f 100644
--- 
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/CreateTableEvent.java
+++ 
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/CreateTableEvent.java
@@ -20,11 +20,12 @@
 package 
org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
 
 import org.apache.commons.lang3.StringUtils;
-import org.apache.hadoop.hive.metastore.api.Table;
 import org.apache.hadoop.hive.metastore.api.Database;
-import org.apache.hadoop.hive.metastore.TableType;
+import org.apache.hadoop.hive.metastore.api.MetaException;
+import org.apache.hadoop.hive.metastore.api.Table;
 import org.apache.hadoop.hive.metastore.events.PreCreateTableEvent;
 import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.metastore.utils.MetaStoreUtils;
 import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
 import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
 import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
@@ -34,7 +35,6 @@
 import org.slf4j.LoggerFactory;
 
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.List;
 
 /*
@@ -62,11 +62,18 @@ private List<HivePrivilegeObject> getInputHObjs() {
     List<HivePrivilegeObject> ret   = new ArrayList<>();
     PreCreateTableEvent       event = (PreCreateTableEvent) preEventContext;
     Table                     table = event.getTable();
+    Database                  database = event.getDatabase();
     String                    uri   = getSdLocation(table.getSd());
 
-    if (StringUtils.isNotEmpty(uri)) {
+    if (StringUtils.isEmpty(uri)) {
+      return ret;
+    }
+
+    // Skip DFS_URI only if table location is under default db path
+    if (this.needDFSUriAuth(uri, this.getDefaultTablePath(database, table))) {
       ret.add(new HivePrivilegeObject(HivePrivilegeObjectType.DFS_URI, null, 
uri));
     }
+
     return ret;
   }
 
@@ -82,8 +89,12 @@ private List<HivePrivilegeObject> getOutputHObjs() {
     ret.add(getHivePrivilegeObject(database));
     ret.add(getHivePrivilegeObject(table));
 
-    if (StringUtils.isNotEmpty(uri) && 
!TableType.EXTERNAL_TABLE.toString().equalsIgnoreCase(table.getTableType())) {
-      ret.add(new HivePrivilegeObject(HivePrivilegeObjectType.DFS_URI, null, 
uri));
+    if (StringUtils.isNotEmpty(uri)) {
+      // Skip DFS_URI for external tables and if managed table location is 
under default db path
+      if (!MetaStoreUtils.isExternalTable(table) && this.needDFSUriAuth(uri,
+          this.getDefaultTablePath(database, table))) {
+        ret.add(new HivePrivilegeObject(HivePrivilegeObjectType.DFS_URI, null, 
uri));
+      }
     }
 
     COMMAND_STR = buildCommandString(COMMAND_STR,table);
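Review bot: The new comment in getOutputHObjs says DFS_URI is skipped when the managed table location is "under default db path", but `needDFSUriAuth` only skips it when the location string equals the table's own default path. The comment added in getInputHObjs has the same wording. Anyone reading the comment would expect any subdirectory of the database directory to be exempt, which is a much wider exemption than the code grants. I would reword both, e.g. `// DFS_URI is required unless the location is exactly the table's default warehouse path (external tables are always skipped here)`. getOutputHObjs begins before this hunk, so the declarations of `database` and `uri` are not visible here.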
@@ -101,4 +112,20 @@ private String buildCommandString(String cmdStr, Table 
tbl) {
     }
     return ret;
   }
+
+  private String getDefaultTablePath(Database database, Table table) {
+    String expectedTablePath = null;
+    try {
+      expectedTablePath = 
preEventContext.getHandler().getWh().getDefaultTablePath(database, 
table).toString();
+    } catch (MetaException e) {
+      LOG.warn("Got exception fetching Default location for dbName: {} 
tableName: {} ", database.getName(),
+          table.getTableName(), e);
+    }
+    return expectedTablePath;
+  }
+
+  private boolean needDFSUriAuth(String uri, String expectedTablePath) {
+    return (StringUtils.isEmpty(expectedTablePath) || 
!uri.equalsIgnoreCase(expectedTablePath));
+  }
+
 }
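Review bot: `needDFSUriAuth` decides whether the DFS_URI privilege check is skipped, and it compares paths with `equalsIgnoreCase`. On a case-sensitive filesystem such as HDFS, a location that differs from the default table path only in letter case is a different directory, yet it would be treated as the default and lose the URI check. An exact comparison keeps the exemption narrow: `return StringUtils.isEmpty(expectedTablePath) || !uri.equals(expectedTablePath);`. Differences in scheme, authority or a trailing slash then only err toward requiring authorization. The null return from `getDefaultTablePath` on `MetaException` already falls back to requiring DFS_URI, which is worth stating in a short Javadoc on both helpers so that fail-closed behaviour is not lost in a later refactor.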
diff --git a/ql/src/test/queries/clientpositive/auth_create_ext_table_1.q 
b/ql/src/test/queries/clientpositive/auth_create_table_event_1.q
similarity index 61%
rename from ql/src/test/queries/clientpositive/auth_create_ext_table_1.q
rename to ql/src/test/queries/clientpositive/auth_create_table_event_1.q
index b2753031339..b2e80fd3be2 100644
--- a/ql/src/test/queries/clientpositive/auth_create_ext_table_1.q
+++ b/ql/src/test/queries/clientpositive/auth_create_table_event_1.q
@@ -8,8 +8,18 @@ dfs -chmod 555 ${system:test.tmp.dir}/a_ext_create_tab2;
 set 
hive.metastore.pre.event.listeners=org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer;
 set 
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
 
--- Attempt to Create external table without having write permissions on table 
dir should not result in error
+-- HIVE-27525 Attempt to Create external table without having write 
permissions on table dir should not result in error
 CREATE EXTERNAL TABLE t1(i int) location 
'${system:test.tmp.dir}/a_ext_create_tab1';
 Select * from t1;
 
 CREATE EXTERNAL TABLE LikeExternalTable LIKE t1 location 
'${system:test.tmp.dir}/a_ext_create_tab2';
+
+-- Skip authorization if location is not specified
+CREATE DATABASE IF NOT EXISTS test_db COMMENT 'Hive test database';
+use test_db;
+
+-- HIVE-28736 Skip DFS_URI auth for table under default DB location
+-- Attempt to Create external table without having write permissions on table 
dir should not result in error
+CREATE EXTERNAL TABLE t1(i int) location 
'${system:test.warehouse.dir}/test_db.db/t1';;
+CREATE TABLE t2(i int, name String) stored as ORC;
+CREATE TABLE t3(i int, name String) stored as ORC location 
'${system:test.warehouse.dir}/test_db.db/t3';
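Review bot: The added statements only exercise the path where DFS_URI is skipped (location omitted or exactly the default `test_db.db/<table>` directory). Nothing here pins that the check is still requested when it should be. Since this change relaxes an authorization check, I would add a companion case, presumably under clientnegative, that creates a managed table at a non-default location, plus one whose location differs from the default only in case, and expects the DFS_URI check to apply. Two small cleanups: the `CREATE EXTERNAL TABLE t1` statement ends with `;;`, and the comment `-- Skip authorization if location is not specified` sits above `CREATE DATABASE` rather than above the `t2` statement it seems to describe.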
diff --git 
a/ql/src/test/results/clientpositive/llap/auth_create_ext_table_1.q.out 
b/ql/src/test/results/clientpositive/llap/auth_create_ext_table_1.q.out
deleted file mode 100644
index aa6fd6ed017..00000000000
--- a/ql/src/test/results/clientpositive/llap/auth_create_ext_table_1.q.out
+++ /dev/null
@@ -1,27 +0,0 @@
-#### A masked pattern was here ####
-PREHOOK: type: CREATETABLE
-#### A masked pattern was here ####
-PREHOOK: Output: database:default
-PREHOOK: Output: default@t1
-#### A masked pattern was here ####
-POSTHOOK: type: CREATETABLE
-#### A masked pattern was here ####
-POSTHOOK: Output: database:default
-POSTHOOK: Output: default@t1
-PREHOOK: query: Select * from t1
-PREHOOK: type: QUERY
-PREHOOK: Input: default@t1
-#### A masked pattern was here ####
-POSTHOOK: query: Select * from t1
-POSTHOOK: type: QUERY
-POSTHOOK: Input: default@t1
-#### A masked pattern was here ####
-PREHOOK: type: CREATETABLE
-#### A masked pattern was here ####
-PREHOOK: Output: database:default
-PREHOOK: Output: default@LikeExternalTable
-#### A masked pattern was here ####
-POSTHOOK: type: CREATETABLE
-#### A masked pattern was here ####
-POSTHOOK: Output: database:default
-POSTHOOK: Output: default@LikeExternalTable
diff --git 
a/ql/src/test/results/clientpositive/llap/auth_create_table_event_1.q.out 
b/ql/src/test/results/clientpositive/llap/auth_create_table_event_1.q.out
new file mode 100644
index 00000000000..3cda32fc51c
--- /dev/null
+++ b/ql/src/test/results/clientpositive/llap/auth_create_table_event_1.q.out
@@ -0,0 +1,67 @@
+#### A masked pattern was here ####
+PREHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+PREHOOK: Output: database:default
+PREHOOK: Output: default@t1
+#### A masked pattern was here ####
+POSTHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@t1
+PREHOOK: query: Select * from t1
+PREHOOK: type: QUERY
+PREHOOK: Input: default@t1
+#### A masked pattern was here ####
+POSTHOOK: query: Select * from t1
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@t1
+#### A masked pattern was here ####
+PREHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+PREHOOK: Output: database:default
+PREHOOK: Output: default@LikeExternalTable
+#### A masked pattern was here ####
+POSTHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@LikeExternalTable
+PREHOOK: query: CREATE DATABASE IF NOT EXISTS test_db COMMENT 'Hive test 
database'
+PREHOOK: type: CREATEDATABASE
+PREHOOK: Output: database:test_db
+POSTHOOK: query: CREATE DATABASE IF NOT EXISTS test_db COMMENT 'Hive test 
database'
+POSTHOOK: type: CREATEDATABASE
+POSTHOOK: Output: database:test_db
+PREHOOK: query: use test_db
+PREHOOK: type: SWITCHDATABASE
+PREHOOK: Input: database:test_db
+POSTHOOK: query: use test_db
+POSTHOOK: type: SWITCHDATABASE
+POSTHOOK: Input: database:test_db
+#### A masked pattern was here ####
+PREHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+PREHOOK: Output: database:test_db
+PREHOOK: Output: test_db@t1
+#### A masked pattern was here ####
+POSTHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+POSTHOOK: Output: database:test_db
+POSTHOOK: Output: test_db@t1
+PREHOOK: query: CREATE TABLE t2(i int, name String) stored as ORC
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:test_db
+PREHOOK: Output: test_db@t2
+POSTHOOK: query: CREATE TABLE t2(i int, name String) stored as ORC
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:test_db
+POSTHOOK: Output: test_db@t2
+#### A masked pattern was here ####
+PREHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+PREHOOK: Output: database:test_db
+PREHOOK: Output: test_db@t3
+#### A masked pattern was here ####
+POSTHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+POSTHOOK: Output: database:test_db
+POSTHOOK: Output: test_db@t3
