[
https://issues.apache.org/jira/browse/HIVE-27195?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Riju Trivedi updated HIVE-27195:
--------------------------------
Description:
Include authorization of the database object during the "drop table" command.
Similar to "Create table", DB permissions should be verified in the case of
"drop table" too. Add the database object along with the table object to the
list of output objects sent for verifying privileges. This change would ensure
that in case of a non-existent table or temporary table (skipped from
authorization after HIVE-20051), the authorizer will verify privileges for the
database object.
This would also prevent DROP TABLE IF EXISTS command failure for temporary or
non-existing tables with Ranger. In case of temporary/non-existing table, empty
input and output HivePrivilege Objects are sent to Ranger authorizer and after
https://issues.apache.org/jira/browse/RANGER-3407 authorization request is
built from the command in case of empty objects. Hence
the drop table if Exists fails with HiveAccessControlException.
Steps to Repro:
{code:java}
use test;
CREATE TEMPORARY TABLE temp_table (id int);
drop table if exists test.temp_table;
Error: Error while compiling statement: FAILED: HiveAccessControlException
Permission denied: user [rtrivedi] does not have [DROP] privilege on
[test/temp_table] (state=42000,code=40000)
{code}
was:
Include authorization of the database object during the "drop table" command.
Similar to "Create table", DB permissions should be verified in the case of
"drop table" too. Add the database object along with the table object to the
list of output objects sent for verifying privileges. This change would ensure
that in case of a non-existent table or temporary table (skipped from
authorization after HIVE-20051), the authorizer will verify privileges for the
database object.
This would also prevent DROP TABLE IF EXISTS command failure for temporary or
non-existing tables with Ranger. In case of temporary/non-existing table, empty
input and output HivePrivilege Objects are sent to Ranger authorizer
the drop table if Exists fails with HiveAccessControlException.
Steps to Repro:
{code:java}
use test;
CREATE TEMPORARY TABLE temp_table (id int);
drop table if exists test.temp_table;
Error: Error while compiling statement: FAILED: HiveAccessControlException
Permission denied: user [rtrivedi] does not have [DROP] privilege on
[test/temp_table] (state=42000,code=40000)
{code}
> Add database authorization for drop table command
> -------------------------------------------------
>
> Key: HIVE-27195
> URL: https://issues.apache.org/jira/browse/HIVE-27195
> Project: Hive
> Issue Type: Bug
> Reporter: Riju Trivedi
> Assignee: Riju Trivedi
> Priority: Major
> Labels: pull-request-available
> Time Spent: 0.5h
> Remaining Estimate: 0h
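The authorization flow described in the issue, as an added example that is not part of the original message and is not Hive or Ranger code. It is a simplified model: the class, function names, sample catalog, grants, and the use of DROP as the privilege checked on the database are all assumptions made for illustration.

```python
# Simplified model of the flow in HIVE-27195; not Hive or Ranger code.
from dataclasses import dataclass

@dataclass(frozen=True)
class PrivObject:
    kind: str          # "DATABASE" or "TABLE"
    db: str
    table: str = ""

# Constructed sample state (assumption): one permanent table, one temporary table.
CATALOG = {("test", "t1"), ("test", "temp_table")}
TEMP_TABLES = {("test", "temp_table")}
# Constructed grants (assumption): DROP on the database only, as (user, privilege, resource).
GRANTS = {("rtrivedi", "DROP", "test")}

def drop_table_outputs(db, table, include_db):
    """Output objects sent to the authorizer for DROP TABLE db.table."""
    outputs = []
    if include_db:     # the change proposed in the issue
        outputs.append(PrivObject("DATABASE", db))
    # Temporary and non-existent tables contribute no table object.
    if (db, table) in CATALOG and (db, table) not in TEMP_TABLES:
        outputs.append(PrivObject("TABLE", db, table))
    return outputs

def missing_privileges(user, db, table, include_db):
    """Return resources on which `user` lacks DROP; an empty list means allowed."""
    outputs = drop_table_outputs(db, table, include_db)
    if outputs:
        resources = [f"{o.db}/{o.table}" if o.kind == "TABLE" else o.db for o in outputs]
    else:
        # Empty object list: the request is built from the command text instead.
        resources = [f"{db}/{table}"]
    return [r for r in resources if (user, "DROP", r) not in GRANTS]

if __name__ == "__main__":
    for include_db in (False, True):
        print(include_db, missing_privileges("rtrivedi", "test", "temp_table", include_db))
```

With the database object included, a user without any grant on the database is still denied, so the temporary or non-existent table case no longer bypasses a concrete privilege check.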