[
https://issues.apache.org/jira/browse/HIVE-29248?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated HIVE-29248:
----------------------------------
Labels: pull-request-available (was: )
> Propagate HiveAccessControlException to HiveCatalog
> ---------------------------------------------------
>
> Key: HIVE-29248
> URL: https://issues.apache.org/jira/browse/HIVE-29248
> Project: Hive
> Issue Type: Improvement
> Components: Authorization, Iceberg integration, Standalone Metastore
> Affects Versions: 4.1.0
> Reporter: Shohei Okumiya
> Assignee: Shohei Okumiya
> Priority: Major
> Labels: pull-request-available
>
> The current implementation does not handle permission errors and returns a
> 500 error. This is the exception when I integrated HMS Iceberg REST Catalog
> with Apache Ranger.
> {code:java}
> 2025-10-07T02:26:57,248 ERROR [qtp100805003-49] rest.HMSCatalogServlet: Error
> processing REST request
> org.apache.iceberg.exceptions.RESTException: Unhandled error:
> ErrorResponse(code=500, type=RuntimeException, message=Failed to list
> namespace under namespace: default in Hive Metastore)
> java.lang.RuntimeException: Failed to list namespace under namespace: default
> in Hive Metastore
> at
> org.apache.iceberg.hive.HiveCatalog.loadNamespaceMetadata(HiveCatalog.java:632)
> at
> org.apache.iceberg.catalog.SupportsNamespaces.namespaceExists(SupportsNamespaces.java:159)
> at
> org.apache.iceberg.rest.CatalogHandlers.namespaceExists(CatalogHandlers.java:167)
> at
> org.apache.iceberg.rest.HMSCatalogAdapter.namespaceExists(HMSCatalogAdapter.java:249)
> at
> org.apache.iceberg.rest.HMSCatalogAdapter.handleRequest(HMSCatalogAdapter.java:441)
> at
> org.apache.iceberg.rest.HMSCatalogAdapter.execute(HMSCatalogAdapter.java:524)
> at
> org.apache.iceberg.rest.HMSCatalogServlet.service(HMSCatalogServlet.java:75)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> ...
> Caused by: MetaException(message:Permission denied: user [trino] does not
> have [USE] privilege on [default])
> at
> org.apache.hadoop.hive.metastore.utils.MetaStoreUtils.newMetaException(MetaStoreUtils.java:229)
> at
> org.apache.hadoop.hive.metastore.utils.MetaStoreUtils.newMetaException(MetaStoreUtils.java:219)
> at
> org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer.onEvent(HiveMetaStoreAuthorizer.java:137)
> at
> org.apache.hadoop.hive.metastore.HMSHandler.firePreEvent(HMSHandler.java:4133)
> at
> org.apache.hadoop.hive.metastore.HMSHandler.get_database_req(HMSHandler.java:1475)
> ...
> Caused by:
> org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException:
> Permission denied: user [trino] does not have [USE] privil
> ege on [default]
> at
> org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:1155)
> at
> org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer.checkPrivileges(HiveMetaStoreAuthorizer.java:701)
> at
> org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer.onEvent(HiveMetaStoreAuthorizer.java:133)
> ... 69 more
> at
> org.apache.iceberg.rest.HMSCatalogAdapter.execute(HMSCatalogAdapter.java:537)
> ~[hive-standalone-metastore-rest-catalog-4.2.0-SNAPSHOT.jar:4.2.0 at
> org.apache.iceberg.rest.HMSCatalogServlet.service(HMSCatalogServlet.java:75)
> ~[hive-standalone-metastore-rest-catalog-4.2.0-SNAPSHOT.jar:4.2.0-
> SNAPSHOT] {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
