[ https://issues.apache.org/jira/browse/HIVE-5485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sushanth Sowmyan updated HIVE-5485:
-----------------------------------
    Description:
SBAP causes an NPE when null is passed in as a partition for partition-level or column-level authorization.

Personally, in my opinion, this is not a SBAP bug, but incorrect usage of AuthorizationProviders - one should not be calling the column-level authorize (given that column-level is more basic than partition-level) function and pass in a null as the partition value. However, that happens on code introduced by HIVE-1887, and unless we rewrite that (and possibly a whole bunch more (will need evaluation)), we have to accommodate that null and appropriately attempt to fall back to table-level authorization in that case.

The offending code section is in Driver.java:685

{code}
678      // if we reach here, it means it needs to do a table authorization
679      // check, and the table authorization may already happened because of other
680      // partitions
681      if (tbl != null && !tableAuthChecked.contains(tbl.getTableName()) &&
682          !(tableUsePartLevelAuth.get(tbl.getTableName()) == Boolean.TRUE)) {
683        List<String> cols = tab2Cols.get(tbl);
684        if (cols != null && cols.size() > 0) {
685          ss.getAuthorizer().authorize(tbl, null, cols,
686              op.getInputRequiredPrivileges(), null);
687        } else {
688          ss.getAuthorizer().authorize(tbl, op.getInputRequiredPrivileges(),
689              null);
690        }
691        tableAuthChecked.add(tbl.getTableName());
692      }
{code}

  was:
SBAP causes an NPE when null is passed in as a partition for partition-level authorization.

Personally, in my opinion, this is not a SBAP bug, but incorrect usage of AuthorizationProviders - one should not be calling the column-level authorize (given that column-level is more basic than partition-level) function and pass in a null as the partition value.
However, that happens on code introduced by HIVE-1887, and unless we rewrite that (and possibly a whole bunch more (will need evaluation)), we have to accommodate that null and appropriately attempt to fall back to table-level authorization in that case.

The offending code section is in Driver.java:685

{code}
678      // if we reach here, it means it needs to do a table authorization
679      // check, and the table authorization may already happened because of other
680      // partitions
681      if (tbl != null && !tableAuthChecked.contains(tbl.getTableName()) &&
682          !(tableUsePartLevelAuth.get(tbl.getTableName()) == Boolean.TRUE)) {
683        List<String> cols = tab2Cols.get(tbl);
684        if (cols != null && cols.size() > 0) {
685          ss.getAuthorizer().authorize(tbl, null, cols,
686              op.getInputRequiredPrivileges(), null);
687        } else {
688          ss.getAuthorizer().authorize(tbl, op.getInputRequiredPrivileges(),
689              null);
690        }
691        tableAuthChecked.add(tbl.getTableName());
692      }
{code}

> SBAP errors on null partition being passed into partition level authorization
> -----------------------------------------------------------------------------
>
>                 Key: HIVE-5485
>                 URL: https://issues.apache.org/jira/browse/HIVE-5485
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 0.12.0
>            Reporter: Sushanth Sowmyan
>            Assignee: Sushanth Sowmyan
>         Attachments: HIVE-5485.patch
>
>
> SBAP causes an NPE when null is passed in as a partition for partition-level
> or column-level authorization.
> Personally, in my opinion, this is not a SBAP bug, but incorrect usage of
> AuthorizationProviders - one should not be calling the column-level authorize
> (given that column-level is more basic than partition-level) function and
> pass in a null as the partition value.
> However, that happens on code
> introduced by HIVE-1887, and unless we rewrite that (and possibly a whole
> bunch more (will need evaluation)), we have to accommodate that null and
> appropriately attempt to fall back to table-level authorization in that case.
> The offending code section is in Driver.java:685
> {code}
> 678      // if we reach here, it means it needs to do a table authorization
> 679      // check, and the table authorization may already happened because of other
> 680      // partitions
> 681      if (tbl != null && !tableAuthChecked.contains(tbl.getTableName()) &&
> 682          !(tableUsePartLevelAuth.get(tbl.getTableName()) == Boolean.TRUE)) {
> 683        List<String> cols = tab2Cols.get(tbl);
> 684        if (cols != null && cols.size() > 0) {
> 685          ss.getAuthorizer().authorize(tbl, null, cols,
> 686              op.getInputRequiredPrivileges(), null);
> 687        } else {
> 688          ss.getAuthorizer().authorize(tbl, op.getInputRequiredPrivileges(),
> 689              null);
> 690        }
> 691        tableAuthChecked.add(tbl.getTableName());
> 692      }
> {code}

--
This message was sent by Atlassian JIRA
(v6.1#6144)
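
A minimal Java sketch of the fallback the description calls for, added here as an illustration and not taken from Hive or from the attached HIVE-5485.patch: a column-level request that arrives with a null partition is decided by the table-level check instead of dereferencing the partition. All class names, method names, paths and users are hypothetical and constructed for the example.

```java
import java.util.*;

// Added sketch (Java 16+). All types and method names are hypothetical stand-ins,
// not Hive's AuthorizationProvider API and not the attached HIVE-5485.patch.
public class NullPartitionFallbackDemo {
    record Table(String name, String location) {}
    record Partition(Table table, String location) {}

    // Constructed sample policy: storage path -> users allowed to read it.
    static final Map<String, Set<String>> READERS = Map.of(
        "/warehouse/t", Set.of("alice"),
        "/warehouse/t/ds=1", Set.of("alice", "bob"));

    static void checkPath(String user, String path) {
        // Unknown paths have no readers, so the check fails closed.
        if (!READERS.getOrDefault(path, Set.of()).contains(user)) {
            throw new SecurityException(user + " may not read " + path);
        }
    }

    static void authorizeTable(String user, Table t) { checkPath(user, t.location()); }

    static void authorizePartition(String user, Table t, Partition p) {
        if (p == null) authorizeTable(user, t);   // fall back; never skip the check
        else checkPath(user, p.location());
    }

    // Assumption of this sketch: storage permissions have no per-column
    // granularity, so a column-level request is decided at partition level.
    static void authorizeColumns(String user, Table t, Partition p, List<String> cols) {
        authorizePartition(user, t, p);
    }

    static String attempt(String user, Table t, Partition p) {
        try {
            authorizeColumns(user, t, p, List.of("c1"));
            return "allowed";
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Table t = new Table("t", "/warehouse/t");
        Partition p = new Partition(t, "/warehouse/t/ds=1");
        System.out.println("alice, null partition: " + attempt("alice", t, null));
        System.out.println("bob,   null partition: " + attempt("bob", t, null));
        System.out.println("bob,   partition ds=1: " + attempt("bob", t, p));
    }
}
```

The null-partition calls end in an ordinary allow or deny from the table-level check rather than a NullPointerException, and the fallback never grants more than the table-level policy allows.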