[jira] [Commented] (HIVE-27304) Exclude CTAS condition while forming storage handler url permissions in HS2 authorizer.

Thu, 03 Aug 2023 23:39:04 -0700 


    [ 
https://issues.apache.org/jira/browse/HIVE-27304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17750971#comment-17750971
 ] 

Janos Kovacs commented on HIVE-27304:
-------------------------------------

When the target table is not a StorageHandler table in a CTAS - e.g. it's only 
the source, no RWStorage authorization should be invoked on source table.

 

The issue and behavioural inconsistency is at the bottom-right result:
||Behaviour||CTLT + INSERT||CREATE VIEW + CTAS||CTAS||
| |{{CREATE TABLE hivetbl}}
{{LIKE strghndlrtbl;}}
{{INSERT INTO  hivetbl}}
{{SELECT * FROM strghndlrtbl;}}|{{CREATE VIEW hivevw}}
{{AS SELECT * FROM strghndlrtbl;}}
{{CREATE TABLE hivetbl}}
{{AS SELECT * FROM hivevw;}}|{{CREATE TABLE hivetbl}}
{{AS SELECT * FROM strghndlrtbl;}}|
|Target table is plain hive table 
(storage handler props removed)|(/)|(/)|(/)|
|Copies schema|(/)|(/)|(/)|
|Copies data|(/)|(/)|(/)|
|Single statement|(x)|(x)|(/)|
|Works w/o any RWStorage
privileges to support FGAC
use-cases|(/)|(/)|(x)
Error: user lacks RWSTORAGE "create" 
privilege on url of the strghndlrtbl table!|

 

Completely excluding the RWStorage authorization from CTAS is not a solution as 
below code shows CTAS could be also with StorageHandler target table which 
should have the RWStorage Authorization:
{noformat}
DROP TABLE IF EXISTS default.user1hivetable2src;

CREATE TABLE default.user1hivetable2src (id int, txt string, stxt string);  -- 
important to have an empty table as source!

CREATE EXTERNAL TABLE default.user1hivetable2
STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
TBLPROPERTIES (
  'hive.sql.database.type' = 'MYSQL',
  'hive.sql.jdbc.driver'   = 'com.mysql.jdbc.Driver',
  'hive.sql.jdbc.url'      = 
'jdbc:mysql://jkovacs719-1.jkovacs719.site:3306/hive1',
  'hive.sql.dbcp.username' = 'user',
  'hive.sql.dbcp.password' = '*********',
  'hive.sql.table'         = 'user1table2'
)
AS SELECT * FROM default.user1hivetable2src;

SELECT * from default.user1hivetable2;
+---------------------+----------------------+-----------------------+
| user1hivetable2.id  | user1hivetable2.txt  | user1hivetable2.stxt  |
+---------------------+----------------------+-----------------------+
| 1                   | user1 data           | secret                |
+---------------------+----------------------+-----------------------+
{noformat}

> Exclude CTAS condition while forming storage handler url permissions in HS2 
> authorizer.
> ---------------------------------------------------------------------------------------
>
>                 Key: HIVE-27304
>                 URL: https://issues.apache.org/jira/browse/HIVE-27304
>             Project: Hive
>          Issue Type: Bug
>          Components: Hive
>            Reporter: Sai Hemanth Gantasala
>            Assignee: Sai Hemanth Gantasala
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> CTAS queries with storage handler table as source table doesn't require read 
> permissions on storage URL for the target table



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to