[jira] [Commented] (HIVE-5485) SBAP errors on null partition being passed into partition level authorization
[ https://issues.apache.org/jira/browse/HIVE-5485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13793970#comment-13793970 ] Hudson commented on HIVE-5485: -- ABORTED: Integrated in Hive-trunk-hadoop2 #500 (See [https://builds.apache.org/job/Hive-trunk-hadoop2/500/]) HIVE-5485 : SBAP errors on null partition being passed into partition level authorization (Sushanth Sowmyan via Ashutosh Chauhan) (hashutosh: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1531707) * /hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java > SBAP errors on null partition being passed into partition level authorization > - > > Key: HIVE-5485 > URL: https://issues.apache.org/jira/browse/HIVE-5485 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 0.12.0 >Reporter: Sushanth Sowmyan >Assignee: Sushanth Sowmyan > Fix For: 0.13.0 > > Attachments: HIVE-5485.patch > > > SBAP causes an NPE when null is passed in as a partition for partition-level > or column-level authorization. > Personally, in my opinion, this is not a SBAP bug, but incorrect usage of > AuthorizationProviders - one should not be calling the column-level authorize > (given that column-level is more basic than partition-level) function and > pass in a null as the partition value. However, that happens on code > introduced by HIVE-1887, and unless we rewrite that (and possibly a whole > bunch more(will need evaluation)), we have to accommodate that null and > appropriately attempt to fall back to table-level authorization in that case. > The offending code section is in Driver.java:685 > {code} > 678 // if we reach here, it means it needs to do a table > authorization > 679 // check, and the table authorization may already happened > because of other > 680 // partitions > 681 if (tbl != null && > !tableAuthChecked.contains(tbl.getTableName()) && > 682 !(tableUsePartLevelAuth.get(tbl.getTableName()) == > Boolean.TRUE)) { > 683 List cols = tab2Cols.get(tbl); > 684 if (cols != null && cols.size() > 0) { > 685 ss.getAuthorizer().authorize(tbl, null, cols, > 686 op.getInputRequiredPrivileges(), null); > 687 } else { > 688 ss.getAuthorizer().authorize(tbl, > op.getInputRequiredPrivileges(), > 689 null); > 690 } > 691 tableAuthChecked.add(tbl.getTableName()); > 692 } > {code} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HIVE-5485) SBAP errors on null partition being passed into partition level authorization
[ https://issues.apache.org/jira/browse/HIVE-5485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13793805#comment-13793805 ] Hudson commented on HIVE-5485: -- FAILURE: Integrated in Hive-trunk-hadoop2-ptest #138 (See [https://builds.apache.org/job/Hive-trunk-hadoop2-ptest/138/]) HIVE-5485 : SBAP errors on null partition being passed into partition level authorization (Sushanth Sowmyan via Ashutosh Chauhan) (hashutosh: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1531707) * /hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java > SBAP errors on null partition being passed into partition level authorization > - > > Key: HIVE-5485 > URL: https://issues.apache.org/jira/browse/HIVE-5485 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 0.12.0 >Reporter: Sushanth Sowmyan >Assignee: Sushanth Sowmyan > Fix For: 0.13.0 > > Attachments: HIVE-5485.patch > > > SBAP causes an NPE when null is passed in as a partition for partition-level > or column-level authorization. > Personally, in my opinion, this is not a SBAP bug, but incorrect usage of > AuthorizationProviders - one should not be calling the column-level authorize > (given that column-level is more basic than partition-level) function and > pass in a null as the partition value. However, that happens on code > introduced by HIVE-1887, and unless we rewrite that (and possibly a whole > bunch more(will need evaluation)), we have to accommodate that null and > appropriately attempt to fall back to table-level authorization in that case. > The offending code section is in Driver.java:685 > {code} > 678 // if we reach here, it means it needs to do a table > authorization > 679 // check, and the table authorization may already happened > because of other > 680 // partitions > 681 if (tbl != null && > !tableAuthChecked.contains(tbl.getTableName()) && > 682 !(tableUsePartLevelAuth.get(tbl.getTableName()) == > Boolean.TRUE)) { > 683 List cols = tab2Cols.get(tbl); > 684 if (cols != null && cols.size() > 0) { > 685 ss.getAuthorizer().authorize(tbl, null, cols, > 686 op.getInputRequiredPrivileges(), null); > 687 } else { > 688 ss.getAuthorizer().authorize(tbl, > op.getInputRequiredPrivileges(), > 689 null); > 690 } > 691 tableAuthChecked.add(tbl.getTableName()); > 692 } > {code} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HIVE-5485) SBAP errors on null partition being passed into partition level authorization
[ https://issues.apache.org/jira/browse/HIVE-5485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13793768#comment-13793768 ] Hudson commented on HIVE-5485: -- FAILURE: Integrated in Hive-trunk-h0.21 #2398 (See [https://builds.apache.org/job/Hive-trunk-h0.21/2398/]) HIVE-5485 : SBAP errors on null partition being passed into partition level authorization (Sushanth Sowmyan via Ashutosh Chauhan) (hashutosh: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1531707) * /hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java > SBAP errors on null partition being passed into partition level authorization > - > > Key: HIVE-5485 > URL: https://issues.apache.org/jira/browse/HIVE-5485 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 0.12.0 >Reporter: Sushanth Sowmyan >Assignee: Sushanth Sowmyan > Fix For: 0.13.0 > > Attachments: HIVE-5485.patch > > > SBAP causes an NPE when null is passed in as a partition for partition-level > or column-level authorization. > Personally, in my opinion, this is not a SBAP bug, but incorrect usage of > AuthorizationProviders - one should not be calling the column-level authorize > (given that column-level is more basic than partition-level) function and > pass in a null as the partition value. However, that happens on code > introduced by HIVE-1887, and unless we rewrite that (and possibly a whole > bunch more(will need evaluation)), we have to accommodate that null and > appropriately attempt to fall back to table-level authorization in that case. > The offending code section is in Driver.java:685 > {code} > 678 // if we reach here, it means it needs to do a table > authorization > 679 // check, and the table authorization may already happened > because of other > 680 // partitions > 681 if (tbl != null && > !tableAuthChecked.contains(tbl.getTableName()) && > 682 !(tableUsePartLevelAuth.get(tbl.getTableName()) == > Boolean.TRUE)) { > 683 List cols = tab2Cols.get(tbl); > 684 if (cols != null && cols.size() > 0) { > 685 ss.getAuthorizer().authorize(tbl, null, cols, > 686 op.getInputRequiredPrivileges(), null); > 687 } else { > 688 ss.getAuthorizer().authorize(tbl, > op.getInputRequiredPrivileges(), > 689 null); > 690 } > 691 tableAuthChecked.add(tbl.getTableName()); > 692 } > {code} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HIVE-5485) SBAP errors on null partition being passed into partition level authorization
[ https://issues.apache.org/jira/browse/HIVE-5485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13793738#comment-13793738 ] Hudson commented on HIVE-5485: -- FAILURE: Integrated in Hive-trunk-hadoop1-ptest #203 (See [https://builds.apache.org/job/Hive-trunk-hadoop1-ptest/203/]) HIVE-5485 : SBAP errors on null partition being passed into partition level authorization (Sushanth Sowmyan via Ashutosh Chauhan) (hashutosh: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1531707) * /hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java > SBAP errors on null partition being passed into partition level authorization > - > > Key: HIVE-5485 > URL: https://issues.apache.org/jira/browse/HIVE-5485 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 0.12.0 >Reporter: Sushanth Sowmyan >Assignee: Sushanth Sowmyan > Fix For: 0.13.0 > > Attachments: HIVE-5485.patch > > > SBAP causes an NPE when null is passed in as a partition for partition-level > or column-level authorization. > Personally, in my opinion, this is not a SBAP bug, but incorrect usage of > AuthorizationProviders - one should not be calling the column-level authorize > (given that column-level is more basic than partition-level) function and > pass in a null as the partition value. However, that happens on code > introduced by HIVE-1887, and unless we rewrite that (and possibly a whole > bunch more(will need evaluation)), we have to accommodate that null and > appropriately attempt to fall back to table-level authorization in that case. > The offending code section is in Driver.java:685 > {code} > 678 // if we reach here, it means it needs to do a table > authorization > 679 // check, and the table authorization may already happened > because of other > 680 // partitions > 681 if (tbl != null && > !tableAuthChecked.contains(tbl.getTableName()) && > 682 !(tableUsePartLevelAuth.get(tbl.getTableName()) == > Boolean.TRUE)) { > 683 List cols = tab2Cols.get(tbl); > 684 if (cols != null && cols.size() > 0) { > 685 ss.getAuthorizer().authorize(tbl, null, cols, > 686 op.getInputRequiredPrivileges(), null); > 687 } else { > 688 ss.getAuthorizer().authorize(tbl, > op.getInputRequiredPrivileges(), > 689 null); > 690 } > 691 tableAuthChecked.add(tbl.getTableName()); > 692 } > {code} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HIVE-5485) SBAP errors on null partition being passed into partition level authorization
[ https://issues.apache.org/jira/browse/HIVE-5485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13793400#comment-13793400 ] Ashutosh Chauhan commented on HIVE-5485: +1 > SBAP errors on null partition being passed into partition level authorization > - > > Key: HIVE-5485 > URL: https://issues.apache.org/jira/browse/HIVE-5485 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 0.12.0 >Reporter: Sushanth Sowmyan >Assignee: Sushanth Sowmyan > Attachments: HIVE-5485.patch > > > SBAP causes an NPE when null is passed in as a partition for partition-level > or column-level authorization. > Personally, in my opinion, this is not a SBAP bug, but incorrect usage of > AuthorizationProviders - one should not be calling the column-level authorize > (given that column-level is more basic than partition-level) function and > pass in a null as the partition value. However, that happens on code > introduced by HIVE-1887, and unless we rewrite that (and possibly a whole > bunch more(will need evaluation)), we have to accommodate that null and > appropriately attempt to fall back to table-level authorization in that case. > The offending code section is in Driver.java:685 > {code} > 678 // if we reach here, it means it needs to do a table > authorization > 679 // check, and the table authorization may already happened > because of other > 680 // partitions > 681 if (tbl != null && > !tableAuthChecked.contains(tbl.getTableName()) && > 682 !(tableUsePartLevelAuth.get(tbl.getTableName()) == > Boolean.TRUE)) { > 683 List cols = tab2Cols.get(tbl); > 684 if (cols != null && cols.size() > 0) { > 685 ss.getAuthorizer().authorize(tbl, null, cols, > 686 op.getInputRequiredPrivileges(), null); > 687 } else { > 688 ss.getAuthorizer().authorize(tbl, > op.getInputRequiredPrivileges(), > 689 null); > 690 } > 691 tableAuthChecked.add(tbl.getTableName()); > 692 } > {code} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HIVE-5485) SBAP errors on null partition being passed into partition level authorization
[ https://issues.apache.org/jira/browse/HIVE-5485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13792090#comment-13792090 ] Hive QA commented on HIVE-5485: --- {color:green}Overall{color}: +1 all checks pass Here are the results of testing the latest attachment: https://issues.apache.org/jira/secure/attachment/12607281/HIVE-5485.patch {color:green}SUCCESS:{color} +1 4364 tests passed Test results: https://builds.apache.org/job/PreCommit-HIVE-Build/1098/testReport Console output: https://builds.apache.org/job/PreCommit-HIVE-Build/1098/console Messages: {noformat} Executing org.apache.hive.ptest.execution.PrepPhase Executing org.apache.hive.ptest.execution.ExecutionPhase Executing org.apache.hive.ptest.execution.ReportingPhase {noformat} This message is automatically generated. > SBAP errors on null partition being passed into partition level authorization > - > > Key: HIVE-5485 > URL: https://issues.apache.org/jira/browse/HIVE-5485 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 0.12.0 >Reporter: Sushanth Sowmyan >Assignee: Sushanth Sowmyan > Attachments: HIVE-5485.patch > > > SBAP causes an NPE when null is passed in as a partition for partition-level > or column-level authorization. > Personally, in my opinion, this is not a SBAP bug, but incorrect usage of > AuthorizationProviders - one should not be calling the column-level authorize > (given that column-level is more basic than partition-level) function and > pass in a null as the partition value. However, that happens on code > introduced by HIVE-1887, and unless we rewrite that (and possibly a whole > bunch more(will need evaluation)), we have to accommodate that null and > appropriately attempt to fall back to table-level authorization in that case. > The offending code section is in Driver.java:685 > {code} > 678 // if we reach here, it means it needs to do a table > authorization > 679 // check, and the table authorization may already happened > because of other > 680 // partitions > 681 if (tbl != null && > !tableAuthChecked.contains(tbl.getTableName()) && > 682 !(tableUsePartLevelAuth.get(tbl.getTableName()) == > Boolean.TRUE)) { > 683 List cols = tab2Cols.get(tbl); > 684 if (cols != null && cols.size() > 0) { > 685 ss.getAuthorizer().authorize(tbl, null, cols, > 686 op.getInputRequiredPrivileges(), null); > 687 } else { > 688 ss.getAuthorizer().authorize(tbl, > op.getInputRequiredPrivileges(), > 689 null); > 690 } > 691 tableAuthChecked.add(tbl.getTableName()); > 692 } > {code} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HIVE-5485) SBAP errors on null partition being passed into partition level authorization
[ https://issues.apache.org/jira/browse/HIVE-5485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13792012#comment-13792012 ] Sushanth Sowmyan commented on HIVE-5485: Also, note that this is currently tested by e2e tests TestHive_6 and TestHive_7 in hcatalog/src/test/e2e/templeton/tests/jobsubmission.conf when SBAP is used. > SBAP errors on null partition being passed into partition level authorization > - > > Key: HIVE-5485 > URL: https://issues.apache.org/jira/browse/HIVE-5485 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 0.12.0 >Reporter: Sushanth Sowmyan >Assignee: Sushanth Sowmyan > Attachments: HIVE-5485.patch > > > SBAP causes an NPE when null is passed in as a partition for partition-level > or column-level authorization. > Personally, in my opinion, this is not a SBAP bug, but incorrect usage of > AuthorizationProviders - one should not be calling the column-level authorize > (given that column-level is more basic than partition-level) function and > pass in a null as the partition value. However, that happens on code > introduced by HIVE-1887, and unless we rewrite that (and possibly a whole > bunch more(will need evaluation)), we have to accommodate that null and > appropriately attempt to fall back to table-level authorization in that case. > The offending code section is in Driver.java:685 > {code} > 678 // if we reach here, it means it needs to do a table > authorization > 679 // check, and the table authorization may already happened > because of other > 680 // partitions > 681 if (tbl != null && > !tableAuthChecked.contains(tbl.getTableName()) && > 682 !(tableUsePartLevelAuth.get(tbl.getTableName()) == > Boolean.TRUE)) { > 683 List cols = tab2Cols.get(tbl); > 684 if (cols != null && cols.size() > 0) { > 685 ss.getAuthorizer().authorize(tbl, null, cols, > 686 op.getInputRequiredPrivileges(), null); > 687 } else { > 688 ss.getAuthorizer().authorize(tbl, > op.getInputRequiredPrivileges(), > 689 null); > 690 } > 691 tableAuthChecked.add(tbl.getTableName()); > 692 } > {code} -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (HIVE-5485) SBAP errors on null partition being passed into partition level authorization
[ https://issues.apache.org/jira/browse/HIVE-5485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13791984#comment-13791984 ] Sushanth Sowmyan commented on HIVE-5485: Verifiable by setting hive.security.authorization.manager to SBAP and turning client-side auth on before running hive -e CTAS onto an unpartitioned table. > SBAP errors on null partition being passed into partition level authorization > - > > Key: HIVE-5485 > URL: https://issues.apache.org/jira/browse/HIVE-5485 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 0.12.0 >Reporter: Sushanth Sowmyan >Assignee: Sushanth Sowmyan > Attachments: HIVE-5485.patch > > > SBAP causes an NPE when null is passed in as a partition for partition-level > or column-level authorization. > Personally, in my opinion, this is not a SBAP bug, but incorrect usage of > AuthorizationProviders - one should not be calling the column-level authorize > (given that column-level is more basic than partition-level) function and > pass in a null as the partition value. However, that happens on code > introduced by HIVE-1887, and unless we rewrite that (and possibly a whole > bunch more(will need evaluation)), we have to accommodate that null and > appropriately attempt to fall back to table-level authorization in that case. > The offending code section is in Driver.java:685 > {code} > 678 // if we reach here, it means it needs to do a table > authorization > 679 // check, and the table authorization may already happened > because of other > 680 // partitions > 681 if (tbl != null && > !tableAuthChecked.contains(tbl.getTableName()) && > 682 !(tableUsePartLevelAuth.get(tbl.getTableName()) == > Boolean.TRUE)) { > 683 List cols = tab2Cols.get(tbl); > 684 if (cols != null && cols.size() > 0) { > 685 ss.getAuthorizer().authorize(tbl, null, cols, > 686 op.getInputRequiredPrivileges(), null); > 687 } else { > 688 ss.getAuthorizer().authorize(tbl, > op.getInputRequiredPrivileges(), > 689 null); > 690 } > 691 tableAuthChecked.add(tbl.getTableName()); > 692 } > {code} -- This message was sent by Atlassian JIRA (v6.1#6144)