[jira] [Commented] (SENTRY-977) grant insert on table; insert into table values doesn't work with "SemanticException No valid privileges"

Thu, 21 Jul 2016 18:43:54 -0700 

    [ 
https://issues.apache.org/jira/browse/SENTRY-977?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15388737#comment-15388737
 ] 

Hao Hao commented on SENTRY-977:
--------------------------------

Investigated into the issue and found it is caused by hive passed some tmp 
table and tmp column name when using "insert into table test_tbl values 
('test');". 

In hive binding, Sentry reads the table/column name from 
HiveSemanticAnalyzerHookContext.getInputs() and there the temp name is passed 
through. This looks like more a Hive issue rather than Sentry. Will file a hive 
jira for it.

> grant insert on table; insert into table values doesn't work with 
> "SemanticException No valid privileges"
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-977
>                 URL: https://issues.apache.org/jira/browse/SENTRY-977
>             Project: Sentry
>          Issue Type: Bug
>    Affects Versions: 1.5.1
>            Reporter: Anne Yu
>            Assignee: Hao Hao
>            Priority: Blocker
>
> {code}
> create database test_db;
> use test_db;
> create role test_role;
> create table test_tbl(s STRING);
> grant select on table test_tbl to role test_role;
> grant insert on table test_tbl to role test_role;
> insert into table test_tbl values ('test');
> {code}
> Then can see the failure with error:
> {noformat}
> Error: Error while compiling statement: FAILED: SemanticException No valid 
> privileges
>  User test_user does not have privileges for QUERY (state=42000,code=40000)
> {noformat}
> However, insert into table ... select ... from an_existing_table works fine.
> The difference between these two queries, shown from sentry service log is:
> Reading in results for query "SELECT FROM 
> org.apache.sentry.provider.db.service.model.MSentryPrivilege WHERE 
> roles.contains(role) && (role.roleName == "test_role_2" || role.roleName == 
> "test_role") && serverName == "server1" && ((dbName == "test_db_2") || 
> (dbName == "__NULL__")) && (URI == "__NULL__") && ((tableName == 
> "test_tbl_2") || (tableName == "__NULL__")) && (URI == "__NULL__") && 
> ((columnName == "s") || (columnName == "__NULL__")) && (URI == "__NULL__") 
> VARIABLES org.apache.sentry.provider.db.service.model.MSentryRole role" since 
> the connection used is closing
> Reading in results for query "SELECT FROM 
> org.apache.sentry.provider.db.service.model.MSentryPrivilege WHERE 
> roles.contains(role) && (role.roleName == "test_role_2" || role.roleName == 
> "test_role") && serverName == "server1" && ((dbName == "test_db_2") || 
> (dbName == "__NULL__")) && (URI == "__NULL__") && ((tableName == 
> "test_tbl_2") || (tableName == "__NULL__")) && (URI == "__NULL__") VARIABLES 
> org.apache.sentry.provider.db.service.model.MSentryRole role" since the 
> connection used is closing;
> Seems we don't process  (columnName == "__NULL__")) && (URI == "__NULL__") 
> correctly. If do {noformat}show grant role test_role{noformat}, can see 
> column value is NULL, not "--"; don't know if this matters.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to