[jira] [Commented] (HIVE-27195) Add database authorization for drop table command

Tue, 01 Aug 2023 07:06:05 -0700 


    [ 
https://issues.apache.org/jira/browse/HIVE-27195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17749786#comment-17749786
 ] 

Stamatis Zampetakis commented on HIVE-27195:
--------------------------------------------

Thanks for merging this [~ngangam]. In the future, please remember to give 
credits to contributors and reviewers in the commit message since we are mostly 
gathering stats from there for inviting new committer/PMC members.

> Add database authorization for drop table command
> -------------------------------------------------
>
>                 Key: HIVE-27195
>                 URL: https://issues.apache.org/jira/browse/HIVE-27195
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Riju Trivedi
>            Assignee: Riju Trivedi
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 4.0.0-beta-1
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Include authorization of the database object during the "drop table" command. 
> Similar to "Create table", DB permissions should be verified in the case of 
> "drop table" too. Add the database object along with the table object to the 
> list of output objects sent for verifying privileges. This change would 
> ensure that in case of a non-existent table or temporary table (skipped from 
> authorization after HIVE-20051), the authorizer will verify privileges for 
> the database object.
> This would also prevent DROP TABLE IF EXISTS command failure for temporary or 
> non-existing tables with `RangerHiveAuthorizer`. In case of 
> temporary/non-existing table, empty input and output HivePrivilege Objects 
> are sent to Ranger authorizer and after 
> https://issues.apache.org/jira/browse/RANGER-3407 authorization request is 
> built from command in case of empty objects. Hence, the drop table if Exists 
> command fails with  HiveAccessControlException.
> Steps to Repro:
> {code:java}
> use test; CREATE TEMPORARY TABLE temp_table (id int);
> drop table if exists test.temp_table;
> Error: Error while compiling statement: FAILED: HiveAccessControlException 
> Permission denied: user [rtrivedi] does not have [DROP] privilege on 
> [test/temp_table] (state=42000,code=40000) {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to