[
https://issues.apache.org/jira/browse/HIVE-2817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13624911#comment-13624911
]
Chen Chun commented on HIVE-2817:
---------------------------------
{code}
// I think the following code in DDLSemanticAnalyzer.analyzeDropTable causes the problem.
// If we set hive.exec.drop.ignorenonexistent=true, then throwException=false,
// and so the inputs and outputs are empty.
// And it will not do the authorization check after semantic analysis.
try {
  Table tab = db.getTable(db.getCurrentDatabase(), tableName, throwException);
  if (tab != null) {
    inputs.add(new ReadEntity(tab));
    outputs.add(new WriteEntity(tab));
  }
} catch (HiveException e) {
  throw new SemanticException(ErrorMsg.INVALID_TABLE.getMsg(tableName));
}
{code}
An easy way to fix the problem is to set hive.exec.drop.ignorenonexistent=false.
When I test the SQL "drop table default.src_authorization_8" with ant, the log line
"</PERFLOG method=doAuthorization start=1365321309304 end=1365321309304 duration=0>"
(duration=0) leaves a clue of what I said.
{code}
2013-04-07 00:55:09,279 DEBUG parse.VariableSubstitution (VariableSubstitution.java:substitute(67)) - Substitution is on:
drop table default.src_authorization_8
2013-04-07 00:55:09,280 INFO parse.ParseDriver (ParseDriver.java:parse(179)) - Parsing command:
drop table default.src_authorization_8
2013-04-07 00:55:09,282 INFO parse.ParseDriver (ParseDriver.java:parse(197)) - Parse Completed
2013-04-07 00:55:09,282 INFO metastore.HiveMetaStore (HiveMetaStore.java:logInfo(452)) - 0: get_table : db=default tbl=default.src_authorization_8
2013-04-07 00:55:09,286 INFO HiveMetaStore.audit (HiveMetaStore.java:logAuditEvent(238)) - ugi=chenchun ip=unknown-ip-addr cmd=get_table : db=default tbl=default.src_authorization_8
2013-04-07 00:55:09,302 ERROR metastore.RetryingHMSHandler (RetryingHMSHandler.java:invoke(132)) - NoSuchObjectException(message:default.default.src_authorization_8 table not found)
    at org.apache.hadoop.hive.metastore.HiveMetaStore$HMSHandler.get_table(HiveMetaStore.java:1369)
    at sun.reflect.GeneratedMethodAccessor9.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.hadoop.hive.metastore.RetryingHMSHandler.invoke(RetryingHMSHandler.java:105)
    at $Proxy8.get_table(Unknown Source)
    at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.getTable(HiveMetaStoreClient.java:838)
    at sun.reflect.GeneratedMethodAccessor15.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.invoke(RetryingMetaStoreClient.java:74)
    at $Proxy9.getTable(Unknown Source)
    at org.apache.hadoop.hive.ql.metadata.Hive.getTable(Hive.java:948)
    at org.apache.hadoop.hive.ql.parse.DDLSemanticAnalyzer.getTable(DDLSemanticAnalyzer.java:3032)
    at org.apache.hadoop.hive.ql.parse.DDLSemanticAnalyzer.getTable(DDLSemanticAnalyzer.java:3026)
    at org.apache.hadoop.hive.ql.parse.DDLSemanticAnalyzer.analyzeDropTable(DDLSemanticAnalyzer.java:737)
    at org.apache.hadoop.hive.ql.parse.DDLSemanticAnalyzer.analyzeInternal(DDLSemanticAnalyzer.java:228)
    at org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer.analyze(BaseSemanticAnalyzer.java:259)
    at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:433)
    at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:337)
    at org.apache.hadoop.hive.ql.Driver.run(Driver.java:902)
    at org.apache.hadoop.hive.cli.CliDriver.processLocalCmd(CliDriver.java:259)
    at org.apache.hadoop.hive.cli.CliDriver.processCmd(CliDriver.java:216)
    at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:413)
    at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:348)
    at org.apache.hadoop.hive.ql.QTestUtil.executeClient(QTestUtil.java:797)
    at org.apache.hadoop.hive.cli.TestCliDriver.runTest(TestCliDriver.java:124)
    at org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_authorization_8(TestCliDriver.java:108)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at junit.framework.TestCase.runTest(TestCase.java:154)
    at junit.framework.TestCase.runBare(TestCase.java:127)
    at junit.framework.TestResult$1.protect(TestResult.java:106)
    at junit.framework.TestResult.runProtected(TestResult.java:124)
    at junit.framework.TestResult.run(TestResult.java:109)
    at junit.framework.TestCase.run(TestCase.java:118)
    at junit.framework.TestSuite.runTest(TestSuite.java:208)
    at junit.framework.TestSuite.run(TestSuite.java:203)
    at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.run(JUnitTestRunner.java:520)
    at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.launch(JUnitTestRunner.java:1060)
    at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.main(JUnitTestRunner.java:911)
2013-04-07 00:55:09,303 INFO ql.Driver (Driver.java:compile(442)) - Semantic Analysis Completed
2013-04-07 00:55:09,303 INFO ql.Driver (Driver.java:getSchema(259)) - Returning Hive schema: Schema(fieldSchemas:null, properties:null)
2013-04-07 00:55:09,304 INFO ql.Driver (PerfLogger.java:PerfLogBegin(100)) - <PERFLOG method=doAuthorization>
2013-04-07 00:55:09,304 INFO ql.Driver (PerfLogger.java:PerfLogEnd(127)) - </PERFLOG method=doAuthorization start=1365321309304 end=1365321309304 duration=0>
{code}
> Drop any table even without privilege
> -------------------------------------
>
> Key: HIVE-2817
> URL: https://issues.apache.org/jira/browse/HIVE-2817
> Project: Hive
> Issue Type: Bug
> Affects Versions: 0.7.1
> Reporter: Benyi Wang
>
> You can drop any table if you use the fully qualified name 'database.table' even
> if you don't have any privilege.
> {code}
> hive> set hive.security.authorization.enabled=true;
> hive> revoke all on default from user test_user;
> hive> drop table abc;
> hive> drop table abc;
> Authorization failed:No privilege 'Drop' found for outputs {
> database:default, table:abc}. Use show grant to get more details.
> hive> drop table default.abc;
> OK
> Time taken: 0.13 seconds
> {code}
> The table and the file in {{/usr/hive/warehouse}} or external file will be
> deleted. If you don't have hadoop access permission on
> {{/usr/hive/warehouse}} or external files, you will see a hadoop access error
> {code}
> 12/02/23 15:35:35 ERROR hive.log: org.apache.hadoop.security.AccessControlException: org.apache.hadoop.security.AccessControlException: Permission denied: user=test_user, access=WRITE, inode="/user/myetl":myetl:etl:drwxr-xr-x
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
> {code}
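
The fail-open pattern described in the comment above, reduced to a stand-alone Java model. This is an added example, not Hive's code: the class, its methods and the in-memory metastore are hypothetical, and the split-on-dot resolution in the hardened path is an assumption based on the "default.default.src_authorization_8 table not found" log line.

```java
import java.util.*;

// Simplified model of the flow described above; names are hypothetical, not Hive's API.
public class DropAuthzModel {
    static final Map<String, Set<String>> METASTORE = new HashMap<>(); // constructed data
    static final String CURRENT_DB = "default";

    // Models db.getTable(currentDb, name, throwException=false): the whole string
    // is looked up as a table name inside the current database; a miss returns null.
    static String lookupInCurrentDb(String name) {
        return METASTORE.getOrDefault(CURRENT_DB, Set.of()).contains(name)
                ? CURRENT_DB + "." + name : null;
    }

    // Assumption: splits "db.table" before the lookup, as the later drop step must do.
    static String resolveQualified(String name) {
        String[] p = name.split("\\.", 2);
        String db = p.length == 2 ? p[0] : CURRENT_DB;
        String tbl = p.length == 2 ? p[1] : p[0];
        return METASTORE.getOrDefault(db, Set.of()).contains(tbl) ? db + "." + tbl : null;
    }

    // Checks every collected output entity; an empty list passes without any check.
    static boolean authorize(List<String> outputs, Set<String> dropGrants) {
        for (String e : outputs) if (!dropGrants.contains(e)) return false;
        return true;
    }

    // Fail-open: a failed lookup leaves outputs empty, so nothing is authorized.
    static boolean vulnerableMayDrop(String name, Set<String> grants) {
        List<String> outputs = new ArrayList<>();
        String tab = lookupInCurrentDb(name);
        if (tab != null) outputs.add(tab);
        return authorize(outputs, grants);
    }

    // Hardened: resolve the name the way execution will, then check that entity.
    static boolean hardenedMayDrop(String name, Set<String> grants) {
        String tab = resolveQualified(name);
        if (tab == null) return true; // no such table, so the drop is a no-op
        return authorize(List.of(tab), grants);
    }

    public static void main(String[] args) {
        METASTORE.put("default", new HashSet<>(Set.of("abc")));
        Set<String> noGrants = Set.of(); // user holds no Drop privilege
        System.out.println("vulnerable, abc:         " + vulnerableMayDrop("abc", noGrants));
        System.out.println("vulnerable, default.abc: " + vulnerableMayDrop("default.abc", noGrants));
        System.out.println("hardened,   default.abc: " + hardenedMayDrop("default.abc", noGrants));
    }
}
```

The second call is the case from the issue: the qualified name misses the lookup, the entity list stays empty, and the authorization step has nothing to reject.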