This is an automated email from the ASF dual-hosted git repository.
ramackri pushed a commit to branch ranger-2.9
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.9 by this push:
new a6387b8f8 RANGER-5634: CTAS and temporary-table queries must authorize
UDF SELECT (#1044)
a6387b8f8 is described below
commit a6387b8f847c92a2979ff427ecaa99749c9d72d1
Author: Ramachandran Krishnan <[email protected]>
AuthorDate: Sat Jul 4 21:26:29 2026 +0530
RANGER-5634: CTAS and temporary-table queries must authorize UDF SELECT
(#1044)
Backport of 409e8a72 (#1012) to ranger-2.9.
For CREATETABLE_AS_SELECT and CREATE_MATERIALIZED_VIEW, treat input
FUNCTION privilege objects as SELECT so CTAS/temp-table queries cannot
bypass UDF select authorization.
Co-authored-by: ramk <[email protected]>
---
.../ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java | 2 ++
1 file changed, 2 insertions(+)
diff --git
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index 926b812bf..9e11073fc 100644
---
a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -1795,6 +1795,8 @@ private HiveAccessType getAccessType(HivePrivilegeObject
hiveObj, HiveOperationT
case CREATE_MATERIALIZED_VIEW:
if(hiveObj.getType() ==
HivePrivilegeObjectType.TABLE_OR_VIEW) {
accessType = isInput ?
HiveAccessType.SELECT : HiveAccessType.CREATE;
+ } else if (hiveObj.getType() ==
HivePrivilegeObjectType.FUNCTION) {
+ accessType =
HiveAccessType.SELECT;
}
break;
case ALTERVIEW_AS: