[
https://issues.apache.org/jira/browse/HIVE-17544?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Na Li updated HIVE-17544:
-------------------------
Description:
Right now, for authorization 2, the
HiveAuthorizationValidator.checkPrivileges(HiveOperationType var1,
List<HivePrivilegeObject> var2, List<HivePrivilegeObject> var3,
HiveAuthzContext var4) does not contain the parsed SQL command string as input.
Therefore, Sentry has to parse the command again.
The API should be changed to include all required information as input, so
Sentry does not need to parse the SQL command string again.
Known situations:
1) When dropping a database which does not exist, Hive should not call Sentry
or it calls Sentry with database name as input.
2) When creating function, Hive should provide UDF class name as input.
3) When dropping function, Hive should provide UDF class name as input.
4) When dropping a table which does not exist, Hive should not call Sentry or
it calls Sentry with database name and table name as input.
5) In any situation that the command should succeed and Hive does not provide
required info to Sentry, Hive should not call Sentry at all because Sentry will
throw exception when required info is not available from input.
was:
Right now, for authorization 2, the
HiveAuthorizationValidator.checkPrivileges(HiveOperationType var1,
List<HivePrivilegeObject> var2, List<HivePrivilegeObject> var3,
HiveAuthzContext var4) does not contain the parsed SQL command string as input.
Therefore, Sentry has to parse the command again.
The API should be changed to include all required information as input, so
Sentry does not need to parse the SQL command string again.
Known situations:
1) When dropping a database which does not exist, Hive should not call Sentry
or it calls Sentry with database name as input.
2) When creating function, Hive should provide UDF class name as input.
> Provide classname info for function authorization
> -------------------------------------------------
>
> Key: HIVE-17544
> URL: https://issues.apache.org/jira/browse/HIVE-17544
> Project: Hive
> Issue Type: Task
> Components: Authorization
> Affects Versions: 2.1.1
> Reporter: Na Li
> Assignee: Aihua Xu
> Priority: Critical
> Attachments: HIVE-17544.1.patch, HIVE-17544.2.patch
>
>
> Right now, for authorization 2, the
> HiveAuthorizationValidator.checkPrivileges(HiveOperationType var1,
> List<HivePrivilegeObject> var2, List<HivePrivilegeObject> var3,
> HiveAuthzContext var4) does not contain the parsed SQL command string as
> input. Therefore, Sentry has to parse the command again.
> The API should be changed to include all required information as input, so
> Sentry does not need to parse the SQL command string again.
> Known situations:
> 1) When dropping a database which does not exist, Hive should not call Sentry
> or it calls Sentry with database name as input.
> 2) When creating function, Hive should provide UDF class name as input.
> 3) When dropping function, Hive should provide UDF class name as input.
> 4) When dropping a table which does not exist, Hive should not call Sentry or
> it calls Sentry with database name and table name as input.
> 5) In any situation that the command should succeed and Hive does not
> provide required info to Sentry, Hive should not call Sentry at all because
> Sentry will throw exception when required info is not available from input.