[jira] [Commented] (HIVE-11901) StorageBasedAuthorizationProvider requires write permission on table for SELECT statements
[ https://issues.apache.org/jira/browse/HIVE-11901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14973760#comment-14973760 ] Chengbing Liu commented on HIVE-11901: -- Thanks [~thejas] for review and committing! > StorageBasedAuthorizationProvider requires write permission on table for > SELECT statements > -- > > Key: HIVE-11901 > URL: https://issues.apache.org/jira/browse/HIVE-11901 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 1.2.1 >Reporter: Chengbing Liu >Assignee: Chengbing Liu > Fix For: 1.3.0, 2.0.0 > > Attachments: HIVE-11901.01.patch, HIVE-11901.02.patch, > HIVE-11901.03.patch > > > With HIVE-7895, it will require write permission on the table directory even > for a SELECT statement. > Looking at the stacktrace, it seems the method > {{StorageBasedAuthorizationProvider#authorize(Table table, Partition part, > Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)}} always treats > a null partition as a CREATE statement, which can also be a SELECT. > We may have to check {{readRequiredPriv}} and {{writeRequiredPriv}} first > in order to tell which statement it is. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-11901) StorageBasedAuthorizationProvider requires write permission on table for SELECT statements
[ https://issues.apache.org/jira/browse/HIVE-11901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14970533#comment-14970533 ] Thejas M Nair commented on HIVE-11901: -- The test failures are unrelated. > StorageBasedAuthorizationProvider requires write permission on table for > SELECT statements > -- > > Key: HIVE-11901 > URL: https://issues.apache.org/jira/browse/HIVE-11901 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 1.2.1 >Reporter: Chengbing Liu >Assignee: Chengbing Liu > Attachments: HIVE-11901.01.patch, HIVE-11901.02.patch, > HIVE-11901.03.patch > > > With HIVE-7895, it will require write permission on the table directory even > for a SELECT statement. > Looking at the stacktrace, it seems the method > {{StorageBasedAuthorizationProvider#authorize(Table table, Partition part, > Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)}} always treats > a null partition as a CREATE statement, which can also be a SELECT. > We may have to check {{readRequiredPriv}} and {{writeRequiredPriv}} first > in order to tell which statement it is. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-11901) StorageBasedAuthorizationProvider requires write permission on table for SELECT statements
[ https://issues.apache.org/jira/browse/HIVE-11901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14969850#comment-14969850 ] Hive QA commented on HIVE-11901: Here are the results of testing the latest attachment: https://issues.apache.org/jira/secure/attachment/12767946/HIVE-11901.03.patch {color:green}SUCCESS:{color} +1 due to 3 test(s) being added or modified. {color:red}ERROR:{color} -1 due to 3 failed/errored test(s), 9699 tests executed *Failed tests:* {noformat} org.apache.hadoop.hive.cli.TestMinimrCliDriver.testCliDriver_index_bitmap_auto org.apache.hive.hcatalog.api.TestHCatClient.testTableSchemaPropagation org.apache.hive.jdbc.TestSSL.testSSLVersion {noformat} Test results: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/5738/testReport Console output: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/5738/console Test logs: http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-TRUNK-Build-5738/ Messages: {noformat} Executing org.apache.hive.ptest.execution.TestCheckPhase Executing org.apache.hive.ptest.execution.PrepPhase Executing org.apache.hive.ptest.execution.ExecutionPhase Executing org.apache.hive.ptest.execution.ReportingPhase Tests exited with: TestsFailedException: 3 tests failed {noformat} This message is automatically generated. ATTACHMENT ID: 12767946 - PreCommit-HIVE-TRUNK-Build > StorageBasedAuthorizationProvider requires write permission on table for > SELECT statements > -- > > Key: HIVE-11901 > URL: https://issues.apache.org/jira/browse/HIVE-11901 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 1.2.1 >Reporter: Chengbing Liu >Assignee: Chengbing Liu > Attachments: HIVE-11901.01.patch, HIVE-11901.02.patch, > HIVE-11901.03.patch > > > With HIVE-7895, it will require write permission on the table directory even > for a SELECT statement. > Looking at the stacktrace, it seems the method > {{StorageBasedAuthorizationProvider#authorize(Table table, Partition part, > Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)}} always treats > a null partition as a CREATE statement, which can also be a SELECT. > We may have to check {{readRequiredPriv}} and {{writeRequiredPriv}} first > in order to tell which statement it is. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-11901) StorageBasedAuthorizationProvider requires write permission on table for SELECT statements
[ https://issues.apache.org/jira/browse/HIVE-11901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14966850#comment-14966850 ] Hive QA commented on HIVE-11901: Here are the results of testing the latest attachment: https://issues.apache.org/jira/secure/attachment/12767754/HIVE-11901.02.patch {color:green}SUCCESS:{color} +1 due to 2 test(s) being added or modified. {color:red}ERROR:{color} -1 due to 2 failed/errored test(s), 9697 tests executed *Failed tests:* {noformat} org.apache.hive.hcatalog.api.TestHCatClient.testTableSchemaPropagation org.apache.hive.jdbc.TestSSL.testSSLVersion {noformat} Test results: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/5722/testReport Console output: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/5722/console Test logs: http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-TRUNK-Build-5722/ Messages: {noformat} Executing org.apache.hive.ptest.execution.TestCheckPhase Executing org.apache.hive.ptest.execution.PrepPhase Executing org.apache.hive.ptest.execution.ExecutionPhase Executing org.apache.hive.ptest.execution.ReportingPhase Tests exited with: TestsFailedException: 2 tests failed {noformat} This message is automatically generated. ATTACHMENT ID: 12767754 - PreCommit-HIVE-TRUNK-Build > StorageBasedAuthorizationProvider requires write permission on table for > SELECT statements > -- > > Key: HIVE-11901 > URL: https://issues.apache.org/jira/browse/HIVE-11901 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 1.2.1 >Reporter: Chengbing Liu >Assignee: Chengbing Liu > Attachments: HIVE-11901.01.patch, HIVE-11901.02.patch > > > With HIVE-7895, it will require write permission on the table directory even > for a SELECT statement. > Looking at the stacktrace, it seems the method > {{StorageBasedAuthorizationProvider#authorize(Table table, Partition part, > Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)}} always treats > a null partition as a CREATE statement, which can also be a SELECT. > We may have to check {{readRequiredPriv}} and {{writeRequiredPriv}} first > in order to tell which statement it is. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-11901) StorageBasedAuthorizationProvider requires write permission on table for SELECT statements
[ https://issues.apache.org/jira/browse/HIVE-11901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14968361#comment-14968361 ] Chengbing Liu commented on HIVE-11901: -- Failed tests are not related. > StorageBasedAuthorizationProvider requires write permission on table for > SELECT statements > -- > > Key: HIVE-11901 > URL: https://issues.apache.org/jira/browse/HIVE-11901 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 1.2.1 >Reporter: Chengbing Liu >Assignee: Chengbing Liu > Attachments: HIVE-11901.01.patch, HIVE-11901.02.patch > > > With HIVE-7895, it will require write permission on the table directory even > for a SELECT statement. > Looking at the stacktrace, it seems the method > {{StorageBasedAuthorizationProvider#authorize(Table table, Partition part, > Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)}} always treats > a null partition as a CREATE statement, which can also be a SELECT. > We may have to check {{readRequiredPriv}} and {{writeRequiredPriv}} first > in order to tell which statement it is. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-11901) StorageBasedAuthorizationProvider requires write permission on table for SELECT statements
[ https://issues.apache.org/jira/browse/HIVE-11901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14968373#comment-14968373 ] Thejas M Nair commented on HIVE-11901: -- [~chengbing.liu] Thanks for adding the tests for the case where StorageBasedAuthorization is used in the client side. Can you also please add a test case for StorageBasedAuthorization when used in metastore server, as that is the recommended mode for StorageBasedAuthorization ? A quick way would be to add this to TestStorageBasedMetastoreAuthorizationReads.java - {code} @Test public void testReadTableSuccessWithReadOnly() throws Exception { readTableByOtherUser("-r--r--r--", true); } {code} > StorageBasedAuthorizationProvider requires write permission on table for > SELECT statements > -- > > Key: HIVE-11901 > URL: https://issues.apache.org/jira/browse/HIVE-11901 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 1.2.1 >Reporter: Chengbing Liu >Assignee: Chengbing Liu > Attachments: HIVE-11901.01.patch, HIVE-11901.02.patch > > > With HIVE-7895, it will require write permission on the table directory even > for a SELECT statement. > Looking at the stacktrace, it seems the method > {{StorageBasedAuthorizationProvider#authorize(Table table, Partition part, > Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)}} always treats > a null partition as a CREATE statement, which can also be a SELECT. > We may have to check {{readRequiredPriv}} and {{writeRequiredPriv}} first > in order to tell which statement it is. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-11901) StorageBasedAuthorizationProvider requires write permission on table for SELECT statements
[ https://issues.apache.org/jira/browse/HIVE-11901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14968397#comment-14968397 ] Thejas M Nair commented on HIVE-11901: -- Thanks for the update! +1 pending tests. > StorageBasedAuthorizationProvider requires write permission on table for > SELECT statements > -- > > Key: HIVE-11901 > URL: https://issues.apache.org/jira/browse/HIVE-11901 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 1.2.1 >Reporter: Chengbing Liu >Assignee: Chengbing Liu > Attachments: HIVE-11901.01.patch, HIVE-11901.02.patch, > HIVE-11901.03.patch > > > With HIVE-7895, it will require write permission on the table directory even > for a SELECT statement. > Looking at the stacktrace, it seems the method > {{StorageBasedAuthorizationProvider#authorize(Table table, Partition part, > Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)}} always treats > a null partition as a CREATE statement, which can also be a SELECT. > We may have to check {{readRequiredPriv}} and {{writeRequiredPriv}} first > in order to tell which statement it is. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-11901) StorageBasedAuthorizationProvider requires write permission on table for SELECT statements
[ https://issues.apache.org/jira/browse/HIVE-11901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14966486#comment-14966486 ] Chengbing Liu commented on HIVE-11901: -- [~thejas], thanks for the hint. I wasn't aware of itests back then... Uploaded the fix with tests updated. > StorageBasedAuthorizationProvider requires write permission on table for > SELECT statements > -- > > Key: HIVE-11901 > URL: https://issues.apache.org/jira/browse/HIVE-11901 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 1.2.1 >Reporter: Chengbing Liu >Assignee: Chengbing Liu > Attachments: HIVE-11901.01.patch, HIVE-11901.02.patch > > > With HIVE-7895, it will require write permission on the table directory even > for a SELECT statement. > Looking at the stacktrace, it seems the method > {{StorageBasedAuthorizationProvider#authorize(Table table, Partition part, > Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)}} always treats > a null partition as a CREATE statement, which can also be a SELECT. > We may have to check {{readRequiredPriv}} and {{writeRequiredPriv}} first > in order to tell which statement it is. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-11901) StorageBasedAuthorizationProvider requires write permission on table for SELECT statements
[ https://issues.apache.org/jira/browse/HIVE-11901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14959584#comment-14959584 ] Thejas M Nair commented on HIVE-11901: -- [~chengbing.liu] It is better to include the tests with fix as far as possible. Otherwise, the tests don't often get added, and we won't notice the regression if it happens again. Please take a look at the test cases in TestStorageBasedMetastoreAuthorizationReads or TestStorageBasedMetastoreAuthorizationDrops for examples on how to create the test case. Let me know if you need help with that. > StorageBasedAuthorizationProvider requires write permission on table for > SELECT statements > -- > > Key: HIVE-11901 > URL: https://issues.apache.org/jira/browse/HIVE-11901 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 1.2.1 >Reporter: Chengbing Liu >Assignee: Chengbing Liu > Attachments: HIVE-11901.01.patch > > > With HIVE-7895, it will require write permission on the table directory even > for a SELECT statement. > Looking at the stacktrace, it seems the method > {{StorageBasedAuthorizationProvider#authorize(Table table, Partition part, > Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)}} always treats > a null partition as a CREATE statement, which can also be a SELECT. > We may have to check {{readRequiredPriv}} and {{writeRequiredPriv}} first > in order to tell which statement it is. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-11901) StorageBasedAuthorizationProvider requires write permission on table for SELECT statements
[ https://issues.apache.org/jira/browse/HIVE-11901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14948018#comment-14948018 ] Chengbing Liu commented on HIVE-11901: -- [~thejas], I think we can add test cases for the authorization part in another JIRA and check this in first, if you think the patch is ok. > StorageBasedAuthorizationProvider requires write permission on table for > SELECT statements > -- > > Key: HIVE-11901 > URL: https://issues.apache.org/jira/browse/HIVE-11901 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 1.2.1 >Reporter: Chengbing Liu >Assignee: Chengbing Liu > Attachments: HIVE-11901.01.patch > > > With HIVE-7895, it will require write permission on the table directory even > for a SELECT statement. > Looking at the stacktrace, it seems the method > {{StorageBasedAuthorizationProvider#authorize(Table table, Partition part, > Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)}} always treats > a null partition as a CREATE statement, which can also be a SELECT. > We may have to check {{readRequiredPriv}} and {{writeRequiredPriv}} first > in order to tell which statement it is. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-11901) StorageBasedAuthorizationProvider requires write permission on table for SELECT statements
[ https://issues.apache.org/jira/browse/HIVE-11901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14933182#comment-14933182 ] Chengbing Liu commented on HIVE-11901: -- [~thejas], I find it difficult to add a test case for it from scratch. Do we need to mock {{Table}} and even {{Path}}? And we have to consider HDFS ACL for {{StorageBasedAuthorizationProvider}}... > StorageBasedAuthorizationProvider requires write permission on table for > SELECT statements > -- > > Key: HIVE-11901 > URL: https://issues.apache.org/jira/browse/HIVE-11901 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 1.2.1 >Reporter: Chengbing Liu >Assignee: Chengbing Liu > Attachments: HIVE-11901.01.patch > > > With HIVE-7895, it will require write permission on the table directory even > for a SELECT statement. > Looking at the stacktrace, it seems the method > {{StorageBasedAuthorizationProvider#authorize(Table table, Partition part, > Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)}} always treats > a null partition as a CREATE statement, which can also be a SELECT. > We may have to check {{readRequiredPriv}} and {{writeRequiredPriv}} first > in order to tell which statement it is. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-11901) StorageBasedAuthorizationProvider requires write permission on table for SELECT statements
[ https://issues.apache.org/jira/browse/HIVE-11901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14908942#comment-14908942 ] Hive QA commented on HIVE-11901: {color:red}Overall{color}: -1 at least one tests failed Here are the results of testing the latest attachment: https://issues.apache.org/jira/secure/attachment/12761542/HIVE-11901.01.patch {color:red}ERROR:{color} -1 due to 5 failed/errored test(s), 9591 tests executed *Failed tests:* {noformat} TestCliDriver-skewjoinopt3.q-vector_acid3.q-ctas_date.q-and-12-more - did not produce a TEST-*.xml file TestMiniTezCliDriver-orc_merge6.q-vector_outer_join0.q-mapreduce1.q-and-12-more - did not produce a TEST-*.xml file org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_vector_groupby_reduce org.apache.hadoop.hive.cli.TestMiniTezCliDriver.testCliDriver_vector_groupby_reduce org.apache.hive.hcatalog.api.TestHCatClient.testTableSchemaPropagation {noformat} Test results: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/5417/testReport Console output: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/5417/console Test logs: http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-TRUNK-Build-5417/ Messages: {noformat} Executing org.apache.hive.ptest.execution.PrepPhase Executing org.apache.hive.ptest.execution.ExecutionPhase Executing org.apache.hive.ptest.execution.ReportingPhase Tests exited with: TestsFailedException: 5 tests failed {noformat} This message is automatically generated. ATTACHMENT ID: 12761542 - PreCommit-HIVE-TRUNK-Build > StorageBasedAuthorizationProvider requires write permission on table for > SELECT statements > -- > > Key: HIVE-11901 > URL: https://issues.apache.org/jira/browse/HIVE-11901 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 1.2.1 >Reporter: Chengbing Liu >Assignee: Chengbing Liu > Attachments: HIVE-11901.01.patch > > > With HIVE-7895, it will require write permission on the table directory even > for a SELECT statement. > Looking at the stacktrace, it seems the method > {{StorageBasedAuthorizationProvider#authorize(Table table, Partition part, > Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)}} always treats > a null partition as a CREATE statement, which can also be a SELECT. > We may have to check {{readRequiredPriv}} and {{writeRequiredPriv}} first > in order to tell which statement it is. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-11901) StorageBasedAuthorizationProvider requires write permission on table for SELECT statements
[ https://issues.apache.org/jira/browse/HIVE-11901?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14908967#comment-14908967 ] Thejas M Nair commented on HIVE-11901: -- Thanks for catching this and the patch [~chengbing.liu]! Can you also please add a test case for this ? (You can refer to existing tests for examples). > StorageBasedAuthorizationProvider requires write permission on table for > SELECT statements > -- > > Key: HIVE-11901 > URL: https://issues.apache.org/jira/browse/HIVE-11901 > Project: Hive > Issue Type: Bug > Components: Authorization >Affects Versions: 1.2.1 >Reporter: Chengbing Liu >Assignee: Chengbing Liu > Attachments: HIVE-11901.01.patch > > > With HIVE-7895, it will require write permission on the table directory even > for a SELECT statement. > Looking at the stacktrace, it seems the method > {{StorageBasedAuthorizationProvider#authorize(Table table, Partition part, > Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)}} always treats > a null partition as a CREATE statement, which can also be a SELECT. > We may have to check {{readRequiredPriv}} and {{writeRequiredPriv}} first > in order to tell which statement it is. -- This message was sent by Atlassian JIRA (v6.3.4#6332)