[ 
https://issues.apache.org/jira/browse/SENTRY-977?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16237796#comment-16237796
 ] 

Arjun Mishra commented on SENTRY-977:
-------------------------------------

This issue was fixed in Hive by HIVE-15346 
(https://issues.apache.org/jira/browse/HIVE-15346). The issue was that when an 
insert into command was being executed, temporary tables and columns would be 
created. The input context would then have these temporary tables/columns, 
which were therefore being tested for privileges. But since privileges were 
never granted to temp tables, it would fail. The change was to not consider 
temp tables and columns when building the input context.

> grant insert on table; insert into table values doesn't work with 
> "SemanticException No valid privileges"
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-977
>                 URL: https://issues.apache.org/jira/browse/SENTRY-977
>             Project: Sentry
>          Issue Type: Bug
>    Affects Versions: 1.5.1
>            Reporter: Anne Yu
>            Assignee: Arjun Mishra
>            Priority: Blocker
>
> {code}
> create database test_db;
> use test_db;
> create role test_role;
> create table test_tbl(s STRING);
> grant select on table test_tbl to role test_role;
> grant insert on table test_tbl to role test_role;
> insert into table test_tbl values ('test');
> {code}
> Then I can see the failure with this error:
> {noformat}
> Error: Error while compiling statement: FAILED: SemanticException No valid 
> privileges
>  User test_user does not have privileges for QUERY (state=42000,code=40000)
> {noformat}
> However, insert into table ... select ... from an_existing_table works fine.
> The difference between these two queries, as shown in the Sentry service log, is:
> Reading in results for query "SELECT FROM 
> org.apache.sentry.provider.db.service.model.MSentryPrivilege WHERE 
> roles.contains(role) && (role.roleName == "test_role_2" || role.roleName == 
> "test_role") && serverName == "server1" && ((dbName == "test_db_2") || 
> (dbName == "__NULL__")) && (URI == "__NULL__") && ((tableName == 
> "test_tbl_2") || (tableName == "__NULL__")) && (URI == "__NULL__") && 
> ((columnName == "s") || (columnName == "__NULL__")) && (URI == "__NULL__") 
> VARIABLES org.apache.sentry.provider.db.service.model.MSentryRole role" since 
> the connection used is closing
> Reading in results for query "SELECT FROM 
> org.apache.sentry.provider.db.service.model.MSentryPrivilege WHERE 
> roles.contains(role) && (role.roleName == "test_role_2" || role.roleName == 
> "test_role") && serverName == "server1" && ((dbName == "test_db_2") || 
> (dbName == "__NULL__")) && (URI == "__NULL__") && ((tableName == 
> "test_tbl_2") || (tableName == "__NULL__")) && (URI == "__NULL__") VARIABLES 
> org.apache.sentry.provider.db.service.model.MSentryRole role" since the 
> connection used is closing;
> It seems we don't process (columnName == "__NULL__")) && (URI == "__NULL__") 
> correctly. If I do {noformat}show grant role test_role{noformat}, I can see 
> the column value is NULL, not "--"; I don't know if this matters.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
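
A simplified model of the behaviour described in the comment above, added here as an illustration; it is not Hive or Sentry code. The `Entity` class, the function names, the `values_tmp_1` table name and the rule that inputs need SELECT and outputs need INSERT are assumptions of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    db: str
    table: str
    # Set by the (modelled) compiler when it creates the table itself;
    # never inferred from the table name.
    temporary: bool = False


# Grants from the report: SELECT and INSERT on test_db.test_tbl for test_role.
GRANTS = {
    ("test_role", "test_db", "test_tbl", "SELECT"),
    ("test_role", "test_db", "test_tbl", "INSERT"),
}


def plan_insert_values(target):
    """INSERT ... VALUES: rows are staged in a temp table that becomes an input."""
    staged = Entity(target.db, "values_tmp_1", temporary=True)  # constructed name
    return [staged], [target]


def plan_insert_select(target, source):
    """INSERT ... SELECT: the only input is the existing source table."""
    return [source], [target]


def authorize(role, inputs, outputs, skip_temp):
    """Return the (table, action) pairs the role lacks; empty means allowed."""
    if skip_temp:
        # The fix as described: temp entities are left out of the input context.
        inputs = [e for e in inputs if not e.temporary]
    required = [(e, "SELECT") for e in inputs] + [(e, "INSERT") for e in outputs]
    return [(e.table, action) for e, action in required
            if (role, e.db, e.table, action) not in GRANTS]


if __name__ == "__main__":
    tbl = Entity("test_db", "test_tbl")
    ins, outs = plan_insert_values(tbl)
    print("temp inputs checked:", authorize("test_role", ins, outs, skip_temp=False))
    print("temp inputs skipped:", authorize("test_role", ins, outs, skip_temp=True))
    other = Entity("test_db", "ungranted_tbl")  # constructed, has no grants
    ins, outs = plan_insert_select(tbl, other)
    print("real table, no grant:", authorize("test_role", ins, outs, skip_temp=True))
```

The last case shows that skipping temporary entities does not relax the check for an ordinary table the role has no privileges on.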
