hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chen Chun (JIRA)" <>
Subject [jira] [Commented] (HIVE-2817) Drop any table even without privilege
Date Sun, 07 Apr 2013 13:15:16 GMT


Chen Chun commented on HIVE-2817:

// I think the following code in DDLSemanticAnalyzer.analyzeDropTable cause the problem
// if we set hive.exec.drop.ignorenonexistent=true, then throwException=false and so the inputs
and outputs are empty
// And it will not do authorization check after semantic analyze. 
    try {
      Table tab = db.getTable(db.getCurrentDatabase(), tableName, throwException);
      if (tab != null) {
        inputs.add(new ReadEntity(tab));
        outputs.add(new WriteEntity(tab));
    } catch (HiveException e) {
      throw new SemanticException(ErrorMsg.INVALID_TABLE.getMsg(tableName));

A easy way to fix the problem is to set hive.exec.drop.ignorenonexistent=false. 

When I test the sql "drop table default.src_authorization_8" with ant, the log "</PERFLOG
method=doAuthorization start=1365321309304 end=1365321309304 duration=0>" duration=0 leave
a clue of what I said.

2013-04-07 00:55:09,279 DEBUG parse.VariableSubstitution (
- Substitution is on:
drop table default.src_authorization_8
2013-04-07 00:55:09,280 INFO  parse.ParseDriver ( - Parsing command:
drop table default.src_authorization_8
2013-04-07 00:55:09,282 INFO  parse.ParseDriver ( - Parse Completed
2013-04-07 00:55:09,282 INFO  metastore.HiveMetaStore ( -
0: get_table : db=default tbl=default.src_authorization_8
2013-04-07 00:55:09,286 INFO  HiveMetaStore.audit (
- ugi=chenchun        ip=unknown-ip-addr      cmd=get_table : db=default tbl=default.s
2013-04-07 00:55:09,302 ERROR metastore.RetryingHMSHandler (
- NoSuchObjectException(message:default.default.src_authorization_8 table not f
        at org.apache.hadoop.hive.metastore.HiveMetaStore$HMSHandler.get_table(
        at sun.reflect.GeneratedMethodAccessor9.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(
        at java.lang.reflect.Method.invoke(
        at org.apache.hadoop.hive.metastore.RetryingHMSHandler.invoke(
        at $Proxy8.get_table(Unknown Source)
        at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.getTable(
        at sun.reflect.GeneratedMethodAccessor15.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(
        at java.lang.reflect.Method.invoke(
        at org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.invoke(
        at $Proxy9.getTable(Unknown Source)
        at org.apache.hadoop.hive.ql.metadata.Hive.getTable(
        at org.apache.hadoop.hive.ql.parse.DDLSemanticAnalyzer.getTable(
        at org.apache.hadoop.hive.ql.parse.DDLSemanticAnalyzer.getTable(
        at org.apache.hadoop.hive.ql.parse.DDLSemanticAnalyzer.analyzeDropTable(
        at org.apache.hadoop.hive.ql.parse.DDLSemanticAnalyzer.analyzeInternal(
        at org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer.analyze(
        at org.apache.hadoop.hive.ql.Driver.compile(
        at org.apache.hadoop.hive.ql.Driver.compile(
        at org.apache.hadoop.hive.cli.CliDriver.processLocalCmd(
        at org.apache.hadoop.hive.cli.CliDriver.processCmd(
        at org.apache.hadoop.hive.cli.CliDriver.processLine(
        at org.apache.hadoop.hive.cli.CliDriver.processLine(
        at org.apache.hadoop.hive.ql.QTestUtil.executeClient(
        at org.apache.hadoop.hive.cli.TestCliDriver.runTest(
        at org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_authorization_8(
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(
        at java.lang.reflect.Method.invoke(
        at junit.framework.TestCase.runTest(
        at junit.framework.TestCase.runBare(
        at junit.framework.TestResult$1.protect(
        at junit.framework.TestResult.runProtected(
        at junit.framework.TestSuite.runTest(

2013-04-07 00:55:09,303 INFO  ql.Driver ( - Semantic Analysis Completed
2013-04-07 00:55:09,303 INFO  ql.Driver ( - Returning Hive schema:
Schema(fieldSchemas:null, properties:null)
2013-04-07 00:55:09,304 INFO  ql.Driver ( - <PERFLOG
2013-04-07 00:55:09,304 INFO  ql.Driver ( - </PERFLOG method=doAuthorization
start=1365321309304 end=1365321309304 duration=0>
> Drop any table even without privilege
> -------------------------------------
>                 Key: HIVE-2817
>                 URL:
>             Project: Hive
>          Issue Type: Bug
>    Affects Versions: 0.7.1
>            Reporter: Benyi Wang
> You can drop any table if you use fully qualified name 'database.table' even you don't
have any previlige.
> {code}
> hive> set;
> hive> revoke all on default from user test_user;
> hive> drop table abc;
> hive> drop table abc;
> Authorization failed:No privilege 'Drop' found for outputs { database:default, table:abc}.
Use show grant to get more details.
> hive> drop table;
> OK
> Time taken: 0.13 seconds
> {code}
> The table and the file in {{/usr/hive/warehouse}} or external file will be deleted. If
you don't have hadoop access permission on {{/usr/hive/warehouse}} or external files, you
will see a hadoop access error
> {code}
> 12/02/23 15:35:35 ERROR hive.log: Permission denied: user=test_user, access=WRITE,
> 	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> 	at sun.reflect.NativeConstructorAccessorImpl.newInstance(
> {code}

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message