[jira] [Commented] (RANGER-930) Restricting Table names with the "Update" permission for HIVE does not work

Sun, 01 May 2016 20:07:08 -0700 

    [ 
https://issues.apache.org/jira/browse/RANGER-930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15266080#comment-15266080
 ] 

Madhan Neethiraj commented on RANGER-930:
-----------------------------------------


Ranger authorizer is called to authorize QUERY on temporary table 
values__tmp__table__1 - see the checkPrivilege() call details below. Hence 
Ranger requires an authorization policy to allow the access.

[~thejas] how is this case (insert statement requiring SELECT on temporary 
tables) handled in Hive's SQLStdAuthorizer? Do you require explicit grants?

'checkPrivileges':{'hiveOpType':QUERY, 
'inputHObjs':['HivePrivilegeObject':{'type':TABLE_OR_VIEW, 'dbName':default, 
'objectType':TABLE_OR_VIEW, 'objectName':values__tmp__table__1, 
'columns':[tmp_values_col1, tmp_values_col2], 'partKeys':[], 
'commandParams':[], 'actionType':OTHER}], 
'outputHObjs':['HivePrivilegeObject':{'type':TABLE_OR_VIEW, 'dbName':default, 
'objectType':TABLE_OR_VIEW, 'objectName':testtable, 'columns':[], 
'partKeys':[], 'commandParams':[], 'actionType':INSERT}], 
'context':{'clientType':HIVESERVER2, 'commandString':insert into testTable 
values(1, 'name #1'), 'ipAddress':127.0.0.1, 
'sessionString':e6149e82-56c5-47e3-9b1f-0bf76a12ae18}, 'user':hive, 
'groups':[hadoop]}


> Restricting Table names with the "Update" permission for HIVE does not work
> ---------------------------------------------------------------------------
>
>                 Key: RANGER-930
>                 URL: https://issues.apache.org/jira/browse/RANGER-930
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 0.6.0
>            Reporter: Colm O hEigeartaigh
>            Assignee: Madhan Neethiraj
>            Priority: Blocker
>             Fix For: 0.6.0
>
>
> If I create a Ranger policy for a specific Table with "SELECT" + "UPDATE" 
> permissions, the user can't actually invoke an "insert" query in HIVE, e.g.:
> H110 Unable to submit statement. Error while compiling statement: FAILED: 
> HiveAccessControlException Permission denied: user [colm] does not have 
> [SELECT] privilege on 
> [default/values__tmp__table__3/tmp_values_col1,tmp_values_col2] [ERROR_STATUS]
> It looks like there is an issue with access verification for temporary 
> tables. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to