[
https://issues.apache.org/jira/browse/HIVE-15687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15929598#comment-15929598
]
Lantao Jin commented on HIVE-15687:
-----------------------------------
If you want to grant {{insert}} | {{delete}} to a role under default
authorization provider. You can run grant {{all}} for instead.
That's not a but. If you set {{hive.security.authorization.manager}} to
{{DefaultHiveAuthorizationProvider}}(default) or
{{StorageBasedAuthorizationProvider}} which are the subclass of
{{HiveAuthorizationProvider}}. The privilege {{insert}} | {{delete}} aren't
support.
We can get the evidence from PrivilegeRegistry:
{code:java}
static {
Registry = new HashMap<PrivilegeType, Privilege>();
//add the privileges supported in authorization mode V1
Registry.put(Privilege.ALL.getPriv(), Privilege.ALL);
Registry.put(Privilege.ALTER_DATA.getPriv(), Privilege.ALTER_DATA);
Registry.put(Privilege.ALTER_METADATA.getPriv(), Privilege.ALTER_METADATA);
Registry.put(Privilege.CREATE.getPriv(), Privilege.CREATE);
Registry.put(Privilege.DROP.getPriv(), Privilege.DROP);
Registry.put(Privilege.INDEX.getPriv(), Privilege.INDEX);
Registry.put(Privilege.LOCK.getPriv(), Privilege.LOCK);
Registry.put(Privilege.SELECT.getPriv(), Privilege.SELECT);
Registry.put(Privilege.SHOW_DATABASE.getPriv(),
Privilege.SHOW_DATABASE);
//add the privileges not supported in V1
//The list of privileges supported in V2 is implementation defined,
//so just pass everything that syntax supports.
RegistryV2 = new HashMap<PrivilegeType, Privilege>();
RegistryV2.putAll(Registry);
RegistryV2.put(Privilege.INSERT.getPriv(), Privilege.INSERT);
RegistryV2.put(Privilege.DELETE.getPriv(), Privilege.DELETE);
}
{code}
{code:java}
private static Privilege getPrivilegeFromRegistry(PrivilegeType ptype) {
return SessionState.get().isAuthorizationModeV2() ? RegistryV2.get(ptype) :
Registry.get(ptype);
}
public boolean isAuthorizationModeV2(){
return getAuthorizationMode() == AuthorizationMode.V2;
}
public AuthorizationMode getAuthorizationMode(){
setupAuth();
if(authorizer != null){
return AuthorizationMode.V1;
}else if(authorizerV2 != null){
return AuthorizationMode.V2;
}
//should not happen - this should not get called before this.start() is
called
throw new AssertionError("Authorization plugins not initialized!");
}
{code}
Only when object {{authorizer}} is null and {{authorizerV2}} isn't null, we can
grant {{INSERT | DELET}}, otherwise {{ALL}} instead.
For more details, Go into org.apache.hadoop.hive.ql.session.SessionState
{code:java}
private void setupAuth() {
String clsStr = HiveConf.getVar(conf,
HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER);
authorizer = HiveUtils.getAuthorizeProviderManager(conf,
clsStr, authenticator, true);
if (authorizer == null) {
..
authorizerV2 = authorizerFactory.createHiveAuthorizer(new
HiveMetastoreClientFactoryImpl(),
conf, authenticator, authzContextBuilder.build());
}
}
public static HiveAuthorizationProvider getAuthorizeProviderManager(
Configuration conf, String authzClassName,
HiveAuthenticationProvider authenticator, boolean nullIfOtherClass)
throws HiveException {
HiveAuthorizationProvider ret = null;
try {
Class<? extends HiveAuthorizationProvider> cls = null;
if (authzClassName == null || authzClassName.trim().equals("")) {
cls = DefaultHiveAuthorizationProvider.class;
} else {
Class<?> configClass = Class.forName(authzClassName, true,
JavaUtils.getClassLoader());
if(nullIfOtherClass &&
!HiveAuthorizationProvider.class.isAssignableFrom(configClass) ){
return null; /* ====> notice the condition how to return
null <======*/
}
cls = (Class<? extends HiveAuthorizationProvider>)configClass;
}
if (cls != null) {
ret = ReflectionUtils.newInstance(cls, conf);
}
} catch (Exception e) {
throw new HiveException(e);
}
ret.setAuthenticator(authenticator);
return ret;
}
{code}
{{nullIfOtherClass}} is always true, and only the {{authzClassName}} which
stand for the value of {{hive.security.authorization.manager}} is not the
subclass of {{HiveAuthorizationProvider}}, it will return null.
So please set {{hive.security.authorization.manager}} to
{{org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory}}
to get v2 authorization to grant INSERT | DELETE.
> SQL Standard auth: INSERT and DELETE privileges don't actually exist.
> ---------------------------------------------------------------------
>
> Key: HIVE-15687
> URL: https://issues.apache.org/jira/browse/HIVE-15687
> Project: Hive
> Issue Type: Bug
> Reporter: Carter Shanklin
>
> The documentation states
> https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization#SQLStandardBasedHiveAuthorization-ObjectPrivilegeCommands
> that there are privilege types of INSERT | SELECT | UPDATE | DELETE | ALL.
> Experience suggests otherwise:
> {code}
> : jdbc:hive2://localhost:10000/default> grant select on table secured_table
> to role my_role;
> No rows affected (0.034 seconds)
> 0: jdbc:hive2://localhost:10000/default> grant insert on table secured_table
> to role my_role;
> Error: Error while compiling statement: FAILED: SemanticException Undefined
> privilege Insert (state=42000,code=40000)
> 0: jdbc:hive2://localhost:10000/default> grant update on table secured_table
> to role my_role;
> No rows affected (0.037 seconds)
> 0: jdbc:hive2://localhost:10000/default> grant delete on table secured_table
> to role my_role;
> Error: Error while compiling statement: FAILED: SemanticException Undefined
> privilege Delete (state=42000,code=40000)
> 0: jdbc:hive2://localhost:10000/default> select version();
> +--------------------------------------------------------------+--+
> | _c0 |
> +--------------------------------------------------------------+--+
> | 2.1.0.2.6.0.0-369 r434bfeb707d21f6b44121ac7dfe5adbadb746387 |
> +--------------------------------------------------------------+--+
> {code}
> It would be good to support these, especially since Hive supports updates and
> deletions.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
