[jira] [Commented] (HIVE-17544) Provide classname info for function authorization

Mon, 02 Oct 2017 11:48:16 -0700 

    [ 
https://issues.apache.org/jira/browse/HIVE-17544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16188610#comment-16188610
 ] 

Aihua Xu commented on HIVE-17544:
---------------------------------

patch-3: I reverted the check part that if the inputs/outputs are empty, we 
will not call authorizer module. It's possible for some calls like metadata 
calls which don't have inputs/outputs, but authorizer module could still check 
from the current user if certain permissions are allowed. 


> Provide classname info for function authorization
> -------------------------------------------------
>
>                 Key: HIVE-17544
>                 URL: https://issues.apache.org/jira/browse/HIVE-17544
>             Project: Hive
>          Issue Type: Task
>          Components: Authorization
>    Affects Versions: 2.1.1
>            Reporter: Na Li
>            Assignee: Aihua Xu
>            Priority: Critical
>         Attachments: HIVE-17544.1.patch, HIVE-17544.2.patch, 
> HIVE-17544.3.patch
>
>
> Right now, for authorization 2, the 
> HiveAuthorizationValidator.checkPrivileges(HiveOperationType var1, 
> List<HivePrivilegeObject> var2, List<HivePrivilegeObject> var3, 
> HiveAuthzContext var4) does not contain the parsed sql command string as 
> input. Therefore, Sentry has to parse the command again.
> The API should be changed to include all required information as input, so 
> Sentry does not need to parse the sql command string again.
> known situations:
> 1) when dropping a database which does not exist, hive should not call sentry 
> or it calls sentry with database name as input
> 2) when creating function, hive should provide UDF class name as input.
> 3) When dropping function, hive should provide UDF class name as input.
> 4) When dropping a table which does not exist, hive should not call sentry or 
> it calls sentry with database name and table name as input.
> 5) In any situation that the command should succeeds and hive does not 
> provide required info to sentry, hive should not call sentry at all because 
> sentry will throw exception when required info is not available from input.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to