ramackri opened a new pull request, #1044: URL: https://github.com/apache/ranger/pull/1044
## Summary Backport of [409e8a72](https://github.com/apache/ranger/commit/409e8a72cacbdf7d160d6ca508d7fb4770188a5f) / [#1012](https://github.com/apache/ranger/pull/1012) to `ranger-2.9`. For `CREATETABLE_AS_SELECT` and `CREATE_MATERIALIZED_VIEW`, treat input `FUNCTION` privilege objects as `SELECT` so CTAS/temp-table queries cannot bypass UDF select authorization. Fixes [RANGER-5634](https://issues.apache.org/jira/browse/RANGER-5634). ## Changes | File | Change | |------|--------| | `hive-agent/.../RangerHiveAuthorizer.java` | Map input `FUNCTION` objects to `HiveAccessType.SELECT` for CTAS / create materialized view | **Note:** Unit tests from #1012 (`TestRangerHiveAuthorizer`) are not included — that test class does not exist on `ranger-2.9`. Production fix only. ## Test plan - [ ] Manual: user without UDF SELECT should get `HiveAccessControlException` on `CREATE TABLE ... AS SELECT ...` using that UDF - [ ] Manual: plain `SELECT` with UDF still denied as before - [ ] CI `build-8` green on `ranger-2.9` Made with [Cursor](https://cursor.com) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
