[
https://issues.apache.org/jira/browse/HIVE-2817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Phabricator updated HIVE-2817:
------------------------------
Attachment: HIVE-2817.D10563.1.patch
chenchun requested code review of "HIVE-2817 [jira] Drop any table even without
privilege".
Reviewers: JIRA
HIVE-2817
You can drop any table if you use fully qualified name 'database.table' even
you don't have any previlige.
hive> set hive.security.authorization.enabled=true;
hive> revoke all on default from user test_user;
hive> drop table abc;
hive> drop table abc;
Authorization failed:No privilege 'Drop' found for outputs { database:default,
table:abc}. Use show grant to get more details.
hive> drop table default.abc;
OK
Time taken: 0.13 seconds
The table and the file in /usr/hive/warehouse or external file will be deleted.
If you don't have hadoop access permission on /usr/hive/warehouse or external
files, you will see a hadoop access error
12/02/23 15:35:35 ERROR hive.log:
org.apache.hadoop.security.AccessControlException:
org.apache.hadoop.security.AccessControlException: Permission denied:
user=test_user, access=WRITE, inode="/user/myetl":myetl:etl:drwxr-xr-x
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
TEST PLAN
EMPTY
REVISION DETAIL
https://reviews.facebook.net/D10563
AFFECTED FILES
ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java
ql/src/test/queries/clientnegative/authorization_fail_8.q
ql/src/test/results/clientnegative/authorization_fail_8.q.out
MANAGE HERALD RULES
https://reviews.facebook.net/herald/view/differential/
WHY DID I GET THIS EMAIL?
https://reviews.facebook.net/herald/transcript/25287/
To: JIRA, chenchun
> Drop any table even without privilege
> -------------------------------------
>
> Key: HIVE-2817
> URL: https://issues.apache.org/jira/browse/HIVE-2817
> Project: Hive
> Issue Type: Bug
> Affects Versions: 0.7.1
> Reporter: Benyi Wang
> Assignee: Chen Chun
> Attachments: HIVE-2817.D10371.1.patch, HIVE-2817.D10563.1.patch
>
>
> You can drop any table if you use fully qualified name 'database.table' even
> you don't have any previlige.
> {code}
> hive> set hive.security.authorization.enabled=true;
> hive> revoke all on default from user test_user;
> hive> drop table abc;
> hive> drop table abc;
> Authorization failed:No privilege 'Drop' found for outputs {
> database:default, table:abc}. Use show grant to get more details.
> hive> drop table default.abc;
> OK
> Time taken: 0.13 seconds
> {code}
> The table and the file in {{/usr/hive/warehouse}} or external file will be
> deleted. If you don't have hadoop access permission on
> {{/usr/hive/warehouse}} or external files, you will see a hadoop access error
> {code}
> 12/02/23 15:35:35 ERROR hive.log:
> org.apache.hadoop.security.AccessControlException:
> org.apache.hadoop.security.AccessControlException: Permission denied:
> user=test_user, access=WRITE, inode="/user/myetl":myetl:etl:drwxr-xr-x
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
> {code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
