[
https://issues.apache.org/jira/browse/HIVE-23454?focusedWorklogId=479213&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-479213
]
ASF GitHub Bot logged work on HIVE-23454:
-----------------------------------------
Author: ASF GitHub Bot
Created on: 04/Sep/20 18:22
Start Date: 04/Sep/20 18:22
Worklog Time Spent: 10m
Work Description: vineetgarg02 opened a new pull request #1471:
URL: https://github.com/apache/hive/pull/1471
<!--
Thanks for sending a pull request! Here are some tips for you:
1. If this is your first time, please read our contributor guidelines:
https://cwiki.apache.org/confluence/display/Hive/HowToContribute
2. Ensure that you have created an issue on the Hive project JIRA:
https://issues.apache.org/jira/projects/HIVE/summary
3. Ensure you have added or run the appropriate tests for your PR:
4. If the PR is unfinished, add '[WIP]' in your PR title, e.g.,
'[WIP]HIVE-XXXXX: Your PR title ...'.
5. Be sure to keep the PR description updated to reflect all changes.
6. Please write your PR title to summarize what this PR proposes.
7. If possible, provide a concise example to reproduce the issue for a
faster review.
-->
### What changes were proposed in this pull request?
<!--
Please clarify what changes you are proposing. The purpose of this section
is to outline the changes and how this PR fixes the issue.
If possible, please consider writing useful notes for better and faster
reviews in your PR. See the examples below.
1. If you refactor some codes with changing classes, showing the class
hierarchy will help reviewers.
2. If you fix some SQL features, you can provide some references of other
DBMSes.
3. If there is design documentation, please add the link.
4. If there is a discussion in the mailing list, please add the link.
-->
### Why are the changes needed?
<!--
Please clarify why the changes are needed. For instance,
1. If you propose a new API, clarify the use case for a new API.
2. If you fix a bug, you can clarify why it is a bug.
-->
### Does this PR introduce _any_ user-facing change?
<!--
Note that it means *any* user-facing change including all aspects such as
the documentation fix.
If yes, please clarify the previous behavior and the change this PR proposes
- provide the console output, description, screenshot and/or a reproducable
example to show the behavior difference if possible.
If possible, please also clarify if this is a user-facing change compared to
the released Hive versions or within the unreleased branches such as master.
If no, write 'No'.
-->
### How was this patch tested?
<!--
If tests were added, say they were added here. Please make sure to add some
test cases that check the changes thoroughly including negative and positive
cases if possible.
If it was tested in a way different from regular unit tests, please clarify
how you tested step by step, ideally copy and paste-able, so that other
reviewers can test and check, and descendants can verify in the future.
If tests were not added, please describe why they were not added and/or why
it was difficult to add.
-->
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 479213)
Remaining Estimate: 0h
Time Spent: 10m
> Querying hive table which has Materialized view fails with
> HiveAccessControlException
> -------------------------------------------------------------------------------------
>
> Key: HIVE-23454
> URL: https://issues.apache.org/jira/browse/HIVE-23454
> Project: Hive
> Issue Type: Bug
> Components: Authorization, HiveServer2
> Affects Versions: 3.0.0, 3.2.0
> Reporter: Chiran Ravani
> Assignee: Vineet Garg
> Priority: Critical
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Query fails with HiveAccessControlException against table when there is
> Materialized view pointing to that table which end user does not have access
> to, but the actual table user has all the privileges.
> From the HiveServer2 logs - it looks as part of optimization Hive uses
> materialized view to query the data instead of table and since end user does
> not have access on MV we receive HiveAccessControlException.
> https://github.com/apache/hive/blob/master/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/cost/HiveVolcanoPlanner.java#L99
> The Simplest reproducer for this issue is as below.
> 1. Create a table using hive user and insert some data
> {code:java}
> create table db1.testmvtable(id int, name string) partitioned by(year int);
> insert into db1.testmvtable partition(year=2020) values(1,'Name1');
> insert into db1.testmvtable partition(year=2020) values(1,'Name2');
> insert into db1.testmvtable partition(year=2016) values(1,'Name1');
> insert into db1.testmvtable partition(year=2016) values(1,'Name2');
> {code}
> 2. Create Materialized view on top of above table with partitioned and where
> clause as hive user.
> {code:java}
> CREATE MATERIALIZED VIEW db2.testmv PARTITIONED ON(year) as select * from
> db1.testmvtable tmv where year >= 2018;
> {code}
> 3. Grant all (Select to be minimum) access to user 'chiran' via Ranger on
> database db1.
> 4. Run select on base table db1.testmvtable as 'chiran' with where clause
> having partition value >=2018, it runs into HiveAccessControlException on
> db2.testmv
> {code:java}
> eg:- (select * from db1.testmvtable where year=2020;)
> 0: jdbc:hive2://node2> select * from db1.testmvtable where year=2020;
> Error: Error while compiling statement: FAILED: HiveAccessControlException
> Permission denied: user [chiran] does not have [SELECT] privilege on
> [db2/testmv/*] (state=42000,code=40000)
> {code}
> 5. This works when partition column is not in MV
> {code:java}
> 0: jdbc:hive2://node2> select * from db1.testmvtable where year=2016;
> DEBUG : Acquired the compile lock.
> INFO : Compiling
> command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a):
> select * from db1.testmvtable where year=2016
> DEBUG : Encoding valid txns info 897:9223372036854775807::893,895,896
> txnid:897
> INFO : Semantic Analysis Completed (retrial = false)
> INFO : Returning Hive schema:
> Schema(fieldSchemas:[FieldSchema(name:testmvtable.id, type:int,
> comment:null), FieldSchema(name:testmvtable.name, type:string, comment:null),
> FieldSchema(name:testmvtable.year, type:int, comment:null)], properties:null)
> INFO : Completed compiling
> command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a);
> Time taken: 0.222 seconds
> DEBUG : Encoding valid txn write ids info
> 897$db1.testmvtable:4:9223372036854775807:: txnid:897
> INFO : Executing
> command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a):
> select * from db1.testmvtable where year=2016
> INFO : Completed executing
> command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a);
> Time taken: 0.008 seconds
> INFO : OK
> DEBUG : Shutting down query select * from db1.testmvtable where year=2016
> +-----------------+-------------------+-------------------+
> | testmvtable.id | testmvtable.name | testmvtable.year |
> +-----------------+-------------------+-------------------+
> | 1 | Name1 | 2016 |
> | 1 | Name2 | 2016 |
> +-----------------+-------------------+-------------------+
> 2 rows selected (0.302 seconds)
> 0: jdbc:hive2://node2>
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
