jkovacs-hwx commented on code in PR #4276:
URL: https://github.com/apache/hive/pull/4276#discussion_r1230811367


##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java:
##########
@@ -201,8 +201,7 @@ private static void addHivePrivObject(Entity privObject, 
Map<String, List<String
           HiveConf.ConfVars.HIVE_AUTHORIZATION_TABLES_ON_STORAGEHANDLERS)) {
         //TODO: add hive privilege object for storage based handlers for 
create and alter table commands.
         if (hiveOpType == HiveOperationType.CREATETABLE ||
-                hiveOpType == HiveOperationType.ALTERTABLE_PROPERTIES ||
-                hiveOpType == HiveOperationType.CREATETABLE_AS_SELECT) {
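Review bot: dropping `hiveOpType == HiveOperationType.ALTERTABLE_PROPERTIES ||` and `hiveOpType == HiveOperationType.CREATETABLE_AS_SELECT` from this condition contradicts the stated intent that RWSTORAGE authorization covers both creation and alteration of a storage-handler table: a table-properties alter can change the external source location and would now bypass the check. The replacement `+` line is not visible in this excerpt (the header shows one net line removed), so please confirm what the condition still contains. For CTAS the split should be by role rather than by operation type: keep the RWSTORAGE check when the table being created is storage-handler based, and skip it for a storage-handler table that is only read as the source, instead of removing CREATETABLE_AS_SELECT outright. The `//TODO: add hive privilege object for storage based handlers for create and alter table commands.` comment just above also becomes stale if alter is dropped, so update it to match the final rule.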

Review Comment:
   RWSTORAGE AuthZ should only be used when a Storagehandler based table is
   - created (external source location referenced)
   - altered (external source location changed)
   
   When such a Storagehandler based table is used to select data from it or insert into or delete from the table, the external location reference is not changing, so there is no need to do RWSTORAGE AuthZ; the plain SQL policies should cover the SELECT, INSERT, etc. statement authorizations.
   
   When doing a CTAS in a way such as CREATE .. hivetable AS .. jdbctable .., then the Storagehandler based table is used only as if it were selected from, so no RWSTORAGE AuthZ should be done against it (e.g. only SELECT access should be checked).
   
   When a CTAS is used in a way to create a Storagehandler based table - if that is possible at all - then of course from the Storagehandler based table's point of view it equals a CREATE TABLE, which should involve the RWSTORAGE AuthZ as described in the first reason at the top.
   
   If Hive allows it, the edge case would be a CTAS between two Storagehandler based tables, like CREATE .. jdbctarget AS .. jdbcsource ..; in that case only the target - e.g. jdbctarget - should be involved in a RWSTORAGE authorization, as the source table - e.g. jdbcsource - is only handled as it would be in a SELECT statement.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.