Chiran Ravani created HIVE-23454:
------------------------------------
Summary: Querying hive table which has Materialized view fails
with HiveAccessControlException
Key: HIVE-23454
URL: https://issues.apache.org/jira/browse/HIVE-23454
Project: Hive
Issue Type: Bug
Components: Authorization, HiveServer2
Affects Versions: 3.0.0, 3.2.0
Reporter: Chiran Ravani
Query fails with HiveAccessControlException against table when there is
Materialized view pointing to that table which end user does not have access
to, but the actual table user has all the privileges.
>From the HiveServer2 logs - it looks as part of optimization Hive uses
>materialized view to query the data instead of table and since end user does
>not have access on MV we receive HiveAccessControlException.
https://github.com/apache/hive/blob/master/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/cost/HiveVolcanoPlanner.java#L99
The Simplest reproducer for this issue is as below.
1. Create a table using hive user and insert some data
{code:java}
create table db1.testmvtable(id int, name string) partitioned by(year int);
insert into db1.testmvtable partition(year=2020) values(1,'Name1');
insert into db1.testmvtable partition(year=2020) values(1,'Name2');
insert into db1.testmvtable partition(year=2016) values(1,'Name1');
insert into db1.testmvtable partition(year=2016) values(1,'Name2');
{code}
2. Create Materialized view on top of above table with partitioned and where
clause as hive user.
{code:java}
CREATE MATERIALIZED VIEW db2.testmv PARTITIONED ON(year) as select * from
db1.testmvtable tmv where year >= 2018;
{code}
3. Grant all (Select to be minimum) access to user 'chiran' via Ranger on
database db1.
4. Run select on base table db1.testmvtable as 'chiran' with where clause
having partition value >=2018, it runs into HiveAccessControlException on
db2.testmv
{code:java}
eg:- (select * from db1.testmvtable where year=2020;)
0: jdbc:hive2://node2> select * from db1.testmvtable where year=2020;
Error: Error while compiling statement: FAILED: HiveAccessControlException
Permission denied: user [chiran] does not have [SELECT] privilege on
[db2/testmv/*] (state=42000,code=40000)
{code}
5. This works when partition column is not in MV
{code:java}
0: jdbc:hive2://node2> select * from db1.testmvtable where year=2016;
DEBUG : Acquired the compile lock.
INFO : Compiling
command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a):
select * from db1.testmvtable where year=2016
DEBUG : Encoding valid txns info 897:9223372036854775807::893,895,896 txnid:897
INFO : Semantic Analysis Completed (retrial = false)
INFO : Returning Hive schema:
Schema(fieldSchemas:[FieldSchema(name:testmvtable.id, type:int, comment:null),
FieldSchema(name:testmvtable.name, type:string, comment:null),
FieldSchema(name:testmvtable.year, type:int, comment:null)], properties:null)
INFO : Completed compiling
command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a); Time
taken: 0.222 seconds
DEBUG : Encoding valid txn write ids info
897$db1.testmvtable:4:9223372036854775807:: txnid:897
INFO : Executing
command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a):
select * from db1.testmvtable where year=2016
INFO : Completed executing
command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a); Time
taken: 0.008 seconds
INFO : OK
DEBUG : Shutting down query select * from db1.testmvtable where year=2016
+-----------------+-------------------+-------------------+
| testmvtable.id | testmvtable.name | testmvtable.year |
+-----------------+-------------------+-------------------+
| 1 | Name1 | 2016 |
| 1 | Name2 | 2016 |
+-----------------+-------------------+-------------------+
2 rows selected (0.302 seconds)
0: jdbc:hive2://node2>
{code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
