Chiran Ravani created HIVE-23454:
------------------------------------

             Summary: Querying hive table which has Materialized view fails 
with HiveAccessControlException
                 Key: HIVE-23454
                 URL: https://issues.apache.org/jira/browse/HIVE-23454
             Project: Hive
          Issue Type: Bug
          Components: Authorization, HiveServer2
    Affects Versions: 3.0.0, 3.2.0
            Reporter: Chiran Ravani


Query fails with HiveAccessControlException against table when there is  
Materialized view pointing to that table which end user does not have access 
to, but the actual table user has all the privileges.

>From the HiveServer2 logs - it looks as part of optimization Hive uses 
>materialized view to query the data instead of table and since end user does 
>not have access on MV we receive HiveAccessControlException.

https://github.com/apache/hive/blob/master/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/cost/HiveVolcanoPlanner.java#L99

The Simplest reproducer for this issue is as below.
1. Create a table using hive user and insert some data
{code:java}
create table db1.testmvtable(id int, name string) partitioned by(year int);
insert into db1.testmvtable partition(year=2020) values(1,'Name1');
insert into db1.testmvtable partition(year=2020) values(1,'Name2');
insert into db1.testmvtable partition(year=2016) values(1,'Name1');
insert into db1.testmvtable partition(year=2016) values(1,'Name2');
{code}


2. Create Materialized view on top of above table with partitioned and where 
clause as hive user.
{code:java}
CREATE MATERIALIZED VIEW db2.testmv PARTITIONED ON(year) as select * from 
db1.testmvtable tmv where year >= 2018;
{code}

3. Grant all (Select to be minimum) access to user 'chiran' via Ranger on 
database db1.

4. Run select on base table db1.testmvtable as 'chiran' with where clause 
having partition value >=2018, it runs into HiveAccessControlException on 
db2.testmv

{code:java}
eg:- (select * from db1.testmvtable where year=2020;)
0: jdbc:hive2://node2> select * from db1.testmvtable where year=2020;
Error: Error while compiling statement: FAILED: HiveAccessControlException 
Permission denied: user [chiran] does not have [SELECT] privilege on 
[db2/testmv/*] (state=42000,code=40000)
{code}

5. This works when partition column is not in MV
{code:java}
0: jdbc:hive2://node2> select * from db1.testmvtable where year=2016;
DEBUG : Acquired the compile lock.
INFO  : Compiling 
command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a): 
select * from db1.testmvtable where year=2016
DEBUG : Encoding valid txns info 897:9223372036854775807::893,895,896 txnid:897
INFO  : Semantic Analysis Completed (retrial = false)
INFO  : Returning Hive schema: 
Schema(fieldSchemas:[FieldSchema(name:testmvtable.id, type:int, comment:null), 
FieldSchema(name:testmvtable.name, type:string, comment:null), 
FieldSchema(name:testmvtable.year, type:int, comment:null)], properties:null)
INFO  : Completed compiling 
command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a); Time 
taken: 0.222 seconds
DEBUG : Encoding valid txn write ids info 
897$db1.testmvtable:4:9223372036854775807:: txnid:897
INFO  : Executing 
command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a): 
select * from db1.testmvtable where year=2016
INFO  : Completed executing 
command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a); Time 
taken: 0.008 seconds
INFO  : OK
DEBUG : Shutting down query select * from db1.testmvtable where year=2016
+-----------------+-------------------+-------------------+
| testmvtable.id  | testmvtable.name  | testmvtable.year  |
+-----------------+-------------------+-------------------+
| 1               | Name1             | 2016              |
| 1               | Name2             | 2016              |
+-----------------+-------------------+-------------------+
2 rows selected (0.302 seconds)
0: jdbc:hive2://node2>
{code}




--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to