> On May 10, 2018, 2:17 a.m., Sergio Pena wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
> > Lines 123 (patched)
> > <https://reviews.apache.org/r/67046/diff/1/?file=2019242#file2019242line123>
> >
> > Are roles with INSERT privileges allowed to add partitions in a table?
> >
> > I think that in order to add new partitions on a table, the ALTER
> > privilege is required; and to remove partitions the DROP privilege is
> > required. Both privileges are supported in Sentry. Can you confirm which
> > privilege is required?
>
> Na Li wrote:
> I debugged into the code; the following is what's filled by Hive:
>
> // input required privilege:
> // 1) select, scope: user, db, table, column 2) delete, scope: user, db, table
> // output required privilege:
> // 1) insert, scope: user, db, table

Which code did you debug?

Sentry has this privilege for adding partitions:

    HiveAuthzPrivileges addPartitionPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
        addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALTER)).
        //TODO: Uncomment this if we want to make it more restrictive
        //addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.CREATE)).
        addInputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.SELECT)).//TODO: make it optional
        addOutputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)).
        setOperationScope(HiveOperationScope.TABLE).
        setOperationType(HiveOperationType.DDL).
        build();

And this for dropping partitions:

    HiveAuthzPrivileges dropPartitionPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
        addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALTER)).
        addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.DROP)).
        setOperationScope(HiveOperationScope.TABLE).
        setOperationType(HiveOperationType.DDL).
        build();

Isn't exchanging partitions the same as adding a partition in the dest table and dropping a partition in the source table?

- Sergio

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67046/#review202818
-----------------------------------------------------------

On May 10, 2018, 1:11 a.m., Na Li wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67046/
> -----------------------------------------------------------
>
> (Updated May 10, 2018, 1:11 a.m.)
>
>
> Review request for sentry.
>
>
> Bugs: sentry-2226
>     https://issues.apache.org/jira/browse/sentry-2226
>
>
> Repository: sentry
>
>
> Description
> -------
>
> add support for "ALTER TABLE EXCHANGE"
>
>
> Diffs
> -----
>
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java ffa193f
>   sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbColumnLevelMetaDataOps.java 3735179
>
>
> Diff: https://reviews.apache.org/r/67046/diff/1/
>
>
> Testing
> -------
>
> unit test for "ALTER TABLE EXCHANGE" succeeded
>
>
> Thanks,
>
> Na Li