soumyakanti3578 commented on code in PR #6508:
URL: https://github.com/apache/hive/pull/6508#discussion_r3336162506


##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java:
##########
@@ -180,6 +207,64 @@ private static boolean isDeferredAuthView(Table t){
     return false;
   }
 
+  /**
+   * Returns true when a PARTITION entity should not produce its own privilege 
object
+   * because access is already covered by a view's TABLE_OR_VIEW object.
+   */
+  private static boolean isPartitionAccessedViaRegularView(Entity entity,
+      Set<String> baseTablesViaRegularView) {
+    if (!(entity instanceof ReadEntity)
+        || (entity.getTyp() != Type.PARTITION && entity.getTyp() != 
Type.DUMMYPARTITION)) {
+      return false;
+    }
+    ReadEntity re = (ReadEntity) entity;
+    // Deferred-auth views must still authorize the underlying base table.
+    if (hasDeferredViewParent(re)) {
+      return false;
+    }
+
+    if (hasRegularViewParent(re)) {
+      return true;
+    }
+    Table partTable = re.getTable();
+    return partTable != null
+        && baseTablesViaRegularView.contains(partTable.getDbName() + "." + 
partTable.getTableName());
+  }
+
+  private static boolean hasDeferredViewParent(ReadEntity entity) {
+    Set<ReadEntity> parents = entity.getParents();
+    if (parents == null || parents.isEmpty()) {
+      return false;
+    }
+    for (ReadEntity parent : parents) {
+      if (parent.getTyp() == Type.TABLE && parent.getTable() != null
+          && isDeferredAuthView(parent.getTable())) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  private static boolean hasRegularViewParent(ReadEntity entity) {
+    Set<ReadEntity> parents = entity.getParents();
+    if (parents == null || parents.isEmpty()) {
+      return false;
+    }
+    for (ReadEntity parent : parents) {
+      if (parent.getTyp() == Type.TABLE && parent.getTable() != null
+          && isView(parent.getTable()) && 
!isDeferredAuthView(parent.getTable())) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  private static boolean isView(Table t) {
+    String tableType = t.getTTable().getTableType();
+    return TableType.MATERIALIZED_VIEW.name().equals(tableType)
+        || TableType.VIRTUAL_VIEW.name().equals(tableType);
+  }
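Review bot: The name-based fallback at the end of `isPartitionAccessedViaRegularView` suppresses the partition privilege object for any partition read that has no view parent, as long as its `db.table` string is in `baseTablesViaRegularView`. A query that reads the base table directly and also through a regular view could therefore lose the partition-level check for the direct read. How the set is populated, and whether a table-level object is still emitted for the direct read, are outside this hunk, so this needs confirming; if the gap is real, restrict the fallback to indirect reads, e.g. `return !re.isDirect() && partTable != null && baseTablesViaRegularView.contains(...)`. The string key also omits the catalog and depends on the set being built with identical casing. Because `hasDeferredViewParent`, `hasRegularViewParent` and `isView` decide when an authorization check is skipped, each deserves a one-line Javadoc, such as `/** True if any parent is a view whose authorization is not deferred. */`.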

Review Comment:
   Do you think `getTTable()` can return `null`? I see a similar pattern 
elsewhere too, though, so I will leave it up to you.
   nit: Also maybe this method can be used inside `isDeferredAuthView`?


