[ 
https://issues.apache.org/jira/browse/RANGER-4994?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Raghav Aggarwal updated RANGER-4994:
------------------------------------
    Description: 
Attaching the steps to reproduce issue as attachments.

_NOTE_: The MV is created via the hive user and rebuilt via another user 
(raghav user).

When the Materialized View (MV) is outdated and an unauthorized user triggers the 
ALTER query to rebuild it, it fails as it also requires access to the base 
tables. 
{code:java}
Error: Error while compiling statement: FAILED: HiveAccessControlException 
Permission denied: user [raghav] does not have [ALTER] privilege on 
[raghav/emps/deptno,empid,hire_date]{code}
 

But when the MV is not outdated, running the ALTER query will not do anything, i.e., 
it will not use any base table, and the query passes and doesn't throw any auth 
exception. *But ideally it should throw an exception.*

But running a SELECT on the same MV from an unauthorized user fails, throwing an error 
(expected behaviour):
{code:java}
Error: Error while compiling statement: FAILED: HiveAccessControlException 
Permission denied [raghav] does not have [SELECT] privilege on 
[raghav/mv_recently_hired/*] {code}
 

My understanding is that the behaviour should remain the same irrespective of the 
state of the MV for the ALTER query. _Thoughts on this?_

 

  was:
Attaching the steps to reproduce issue as attachments.

_NOTE_: The MV is created via the hive user and rebuilt via another user 
(raghav user).

When the Materialized View (MV) is outdated and an unauthorized user triggers the 
ALTER query to rebuild it, it fails as it also requires access to the base 
tables. 
{code:java}
Error: Error while compiling statement: FAILED: HiveAccessControlException 
Permission denied: user [raghav] does not have [ALTER] privilege on 
[raghav/emps/deptno,empid,hire_date]{code}
 

But when the MV is not outdated, running the ALTER query will not do anything, i.e., 
it will not use any base table, and the query passes and doesn't throw any auth 
exception. *But ideally it should throw an exception.*

But running a SELECT on the same MV from an unauthorized user fails, throwing an error 
(expected behaviour):
{code:java}
Error: Error while compiling statement: FAILED: HiveAccessControlException 
Permission denied [raghav] does not have [SELECT] privilege on 
[raghav/mv_recently_hired/*] {code}
 

My understanding is that the behaviour should remain the same irrespective of the 
state of the MV for the ALTER query. _Thoughts on this?_

 


> Alter MV rebuild should fail for unauthorized user irrespective of MV state
> ---------------------------------------------------------------------------
>
>                 Key: RANGER-4994
>                 URL: https://issues.apache.org/jira/browse/RANGER-4994
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins, Ranger
>            Reporter: Raghav Aggarwal
>            Priority: Major
>         Attachments: expected_case.sql, no_error_case.sql
>
>
> Attaching the steps to reproduce issue as attachments.
> _NOTE_: The MV is created via the hive user and rebuilt via another user 
> (raghav user).
> When the Materialized View (MV) is outdated and an unauthorized user triggers the 
> ALTER query to rebuild it, it fails as it also requires access to the base 
> tables. 
> {code:java}
> Error: Error while compiling statement: FAILED: HiveAccessControlException 
> Permission denied: user [raghav] does not have [ALTER] privilege on 
> [raghav/emps/deptno,empid,hire_date]{code}
>  
> But when the MV is not outdated, running the ALTER query will not do anything, 
> i.e., it will not use any base table, and the query passes and doesn't throw any 
> auth exception. *But ideally it should throw an exception.*
> But running a SELECT on the same MV from an unauthorized user fails, throwing an error 
> (expected behaviour):
> {code:java}
> Error: Error while compiling statement: FAILED: HiveAccessControlException 
> Permission denied [raghav] does not have [SELECT] privilege on 
> [raghav/mv_recently_hired/*] {code}
>  
> My understanding is that the behaviour should remain the same irrespective of the 
> state of the MV for the ALTER query. _Thoughts on this?_
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
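
The two cases described in the report, laid out as an added HiveQL sketch for use as a regression check (constructed here; it is not the reporter's attached expected_case.sql or no_error_case.sql). Only the names raghav, emps, mv_recently_hired and the columns deptno, empid, hire_date come from the report; the table definition, the MV query, the inserted rows and the assumption that user raghav has no Ranger policy on these objects are illustrative.

```sql
-- Constructed repro sketch. Run each section in its own session as the user noted.
-- Assumption: HiveServer2 uses the Ranger authorizer, and user raghav has no
-- policy granting access to raghav.emps or raghav.mv_recently_hired.

-- Session A (user hive): create the base table and the MV.
CREATE DATABASE IF NOT EXISTS raghav;
CREATE TABLE raghav.emps (
  empid     INT,
  deptno    INT,
  hire_date TIMESTAMP)
STORED AS ORC
TBLPROPERTIES ('transactional'='true');  -- ACID base table so Hive can track MV staleness

INSERT INTO raghav.emps VALUES (1, 10, '2024-01-15 00:00:00');  -- constructed row

CREATE MATERIALIZED VIEW raghav.mv_recently_hired AS
SELECT empid, deptno, hire_date
FROM raghav.emps
WHERE hire_date >= '2024-01-01 00:00:00';

-- Session B (user raghav): MV is up to date.
ALTER MATERIALIZED VIEW raghav.mv_recently_hired REBUILD;
-- Reported behaviour: passes, no authorization exception.
-- Behaviour the report asks for: HiveAccessControlException, same as the outdated case.

SELECT * FROM raghav.mv_recently_hired;
-- Reported (expected) behaviour: denied, no [SELECT] privilege on
-- [raghav/mv_recently_hired/*].

-- Session A (user hive): change the base table so the MV becomes outdated.
INSERT INTO raghav.emps VALUES (2, 20, '2024-02-01 00:00:00');  -- constructed row

-- Session B (user raghav): MV is now outdated.
ALTER MATERIALIZED VIEW raghav.mv_recently_hired REBUILD;
-- Reported behaviour: denied, no [ALTER] privilege on
-- [raghav/emps/deptno,empid,hire_date].
```

A consistent authorizer would return the same decision for both ALTER statements in Session B, since the requesting user's privileges did not change between them.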
