Karen Coppage created HIVE-20818:
------------------------------------
Summary: Views created with a WHERE subquery will regard views
referenced in the subquery as direct input
Key: HIVE-20818
URL: https://issues.apache.org/jira/browse/HIVE-20818
Project: Hive
Issue Type: Bug
Reporter: Karen Coppage
If Hive is configured with an authorization hook like Sentry, and a view is
created with a WHERE clause referencing a different view' user has no access
to, user cannot access the view as view' is considered direct input.
For example:
{code:java}
create database db1;
create database db2;
create database db3;
create table db1.table1 (cola string, colb string, colc string);
insert into db1.table1 values ('a','b','c');
insert into db1.table1 values ('x','y','z');
CREATE VIEW db2.view1 AS SELECT cola, colb, colc FROM db1.table1 WHERE
cola="x";
CREATE VIEW db2.view2 AS SELECT table1.cola, table1.colb, table1.colc FROM
db1.table1 WHERE table1.cola NOT IN (SELECT view1.cola FROM db2.view1);
create view db3.view3 as select * from db2.view2
{code}
If test_user has read permission for only db3 (but not db1 or db2), their query
{code:java}
select * from db3.view3;{code}
will fail with :
{code:java}
Error while compiling statement: FAILED: SemanticException No valid privileges
User test_user does not have privileges for QUERY The required privileges:
Server=server1->Db=db2->Table=view1->action=select; {code}
WHERE IN and WHERE EXISTS cause the same issue.
Cascading views created with no WHERE clauses (i.e. with simple SELECTs and
FROM clauses) work fine.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)