> On June 14, 2019, 4:36 p.m., Na Li wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
> > Lines 228 (patched)
> > <https://reviews.apache.org/r/70846/diff/3/?file=2149532#file2149532line232>
> >
> >     do you want to change for create function as well to get true currDB?
> >
> >     case HiveParser.TOK_CREATEFUNCTION:
> >       String udfClassName = BaseSemanticAnalyzer.unescapeSQLString(ast.getChild(1).getText());
> >       try {
> >         CodeSource udfSrc =
> >             Class.forName(udfClassName, true, Utilities.getSessionSpecifiedClassLoader())
> >                 .getProtectionDomain().getCodeSource();
> >         if (udfSrc == null) {
> >           throw new SemanticException("Could not resolve the jar for UDF class " + udfClassName);
> >         }
> >         String udfJar = udfSrc.getLocation().getPath();
> >         if (udfJar == null || udfJar.isEmpty()) {
> >           throw new SemanticException("Could not find the jar for UDF class " + udfClassName +
> >               "to validate privileges");
> >         }
> >         udfURIs.add(parseURI(udfSrc.getLocation().toString(), true));
> >       } catch (ClassNotFoundException e) {
> >         List<String> functionJars = getFunctionJars(ast);
> >         if (functionJars.isEmpty()) {
> >           throw new SemanticException("Error retrieving udf class:" + e.getMessage(), e);
> >         } else {
> >           // Add the jars from the command "Create function using jar" to the access list
> >           // Defer to hive to check if the class is in the jars
> >           for(String jar : functionJars) {
> >             udfURIs.add(parseURI(jar, false));
> >           }
> >         }
> >       }
> >
> >       // create/drop function is allowed with any database
> >       currDB = Database.ALL;

I could, but we are trying to limit the changes to the very minimum. Adding changes to create function will increase the scope of this fix.


- Arjun


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70846/#review215904
-----------------------------------------------------------


On June 14, 2019, 2:58 p.m., Arjun Mishra wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70846/
> -----------------------------------------------------------
>
> (Updated June 14, 2019, 2:58 p.m.)
>
>
> Review request for sentry, kalyan kumar kalvagadda and Na Li.
>
>
> Bugs: SENTRY-2240
>     https://issues.apache.org/jira/browse/SENTRY-2240
>
>
> Repository: sentry
>
>
> Description
> -------
>
> User can DROP UDF function under a database that he/she has no access to.
>
> I created it as a separate JIRA from SENTRY-781 because the changes are quite different.
>
>
> Diffs
> -----
>
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java e87d0f664fd6cf93b3b86a61b57f148827e5692f
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java ed278c8d68c4133335198f40bed62cfa757fa5a9
>   sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java 1aaa9b3fcade6ebcefcea269b3bd919fb47a44f6
>   sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java bd0f978e86733b37cf3343c9841304fd61f9dcab
>
>
> Diff: https://reviews.apache.org/r/70846/diff/3/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Arjun Mishra
>
>