hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chen Chun (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-2817) Drop any table even without privilege
Date Sun, 07 Apr 2013 13:15:16 GMT

    [ https://issues.apache.org/jira/browse/HIVE-2817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13624911#comment-13624911
] 

Chen Chun commented on HIVE-2817:
---------------------------------

{code}
// I think the following code in DDLSemanticAnalyzer.analyzeDropTable cause the problem
// if we set hive.exec.drop.ignorenonexistent=true, then throwException=false and so the inputs
and outputs are empty
// And it will not do authorization check after semantic analyze. 
    try {
      Table tab = db.getTable(db.getCurrentDatabase(), tableName, throwException);
      if (tab != null) {
        inputs.add(new ReadEntity(tab));
        outputs.add(new WriteEntity(tab));
      }
    } catch (HiveException e) {
      throw new SemanticException(ErrorMsg.INVALID_TABLE.getMsg(tableName));
    }
{code}

A easy way to fix the problem is to set hive.exec.drop.ignorenonexistent=false. 

When I test the sql "drop table default.src_authorization_8" with ant, the log "</PERFLOG
method=doAuthorization start=1365321309304 end=1365321309304 duration=0>" duration=0 leave
a clue of what I said.

{code}
2013-04-07 00:55:09,279 DEBUG parse.VariableSubstitution (VariableSubstitution.java:substitute(67))
- Substitution is on:
drop table default.src_authorization_8
2013-04-07 00:55:09,280 INFO  parse.ParseDriver (ParseDriver.java:parse(179)) - Parsing command:
drop table default.src_authorization_8
2013-04-07 00:55:09,282 INFO  parse.ParseDriver (ParseDriver.java:parse(197)) - Parse Completed
2013-04-07 00:55:09,282 INFO  metastore.HiveMetaStore (HiveMetaStore.java:logInfo(452)) -
0: get_table : db=default tbl=default.src_authorization_8
2013-04-07 00:55:09,286 INFO  HiveMetaStore.audit (HiveMetaStore.java:logAuditEvent(238))
- ugi=chenchun        ip=unknown-ip-addr      cmd=get_table : db=default tbl=default.s
rc_authorization_8
2013-04-07 00:55:09,302 ERROR metastore.RetryingHMSHandler (RetryingHMSHandler.java:invoke(132))
- NoSuchObjectException(message:default.default.src_authorization_8 table not f
ound)
        at org.apache.hadoop.hive.metastore.HiveMetaStore$HMSHandler.get_table(HiveMetaStore.java:1369)
        at sun.reflect.GeneratedMethodAccessor9.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.hadoop.hive.metastore.RetryingHMSHandler.invoke(RetryingHMSHandler.java:105)
        at $Proxy8.get_table(Unknown Source)
        at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.getTable(HiveMetaStoreClient.java:838)
        at sun.reflect.GeneratedMethodAccessor15.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.invoke(RetryingMetaStoreClient.java:74)
        at $Proxy9.getTable(Unknown Source)
        at org.apache.hadoop.hive.ql.metadata.Hive.getTable(Hive.java:948)
        at org.apache.hadoop.hive.ql.parse.DDLSemanticAnalyzer.getTable(DDLSemanticAnalyzer.java:3032)
        at org.apache.hadoop.hive.ql.parse.DDLSemanticAnalyzer.getTable(DDLSemanticAnalyzer.java:3026)
        at org.apache.hadoop.hive.ql.parse.DDLSemanticAnalyzer.analyzeDropTable(DDLSemanticAnalyzer.java:737)
        at org.apache.hadoop.hive.ql.parse.DDLSemanticAnalyzer.analyzeInternal(DDLSemanticAnalyzer.java:228)
        at org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer.analyze(BaseSemanticAnalyzer.java:259)
        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:433)
        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:337)
        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:902)
        at org.apache.hadoop.hive.cli.CliDriver.processLocalCmd(CliDriver.java:259)
        at org.apache.hadoop.hive.cli.CliDriver.processCmd(CliDriver.java:216)
        at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:413)
        at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:348)
        at org.apache.hadoop.hive.ql.QTestUtil.executeClient(QTestUtil.java:797)
        at org.apache.hadoop.hive.cli.TestCliDriver.runTest(TestCliDriver.java:124)
        at org.apache.hadoop.hive.cli.TestCliDriver.testCliDriver_authorization_8(TestCliDriver.java:108)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at junit.framework.TestCase.runTest(TestCase.java:154)
        at junit.framework.TestCase.runBare(TestCase.java:127)
        at junit.framework.TestResult$1.protect(TestResult.java:106)
        at junit.framework.TestResult.runProtected(TestResult.java:124)
        at junit.framework.TestResult.run(TestResult.java:109)
        at junit.framework.TestCase.run(TestCase.java:118)
        at junit.framework.TestSuite.runTest(TestSuite.java:208)
        at junit.framework.TestSuite.run(TestSuite.java:203)
        at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.run(JUnitTestRunner.java:520)
        at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.launch(JUnitTestRunner.java:1060)
        at org.apache.tools.ant.taskdefs.optional.junit.JUnitTestRunner.main(JUnitTestRunner.java:911)

2013-04-07 00:55:09,303 INFO  ql.Driver (Driver.java:compile(442)) - Semantic Analysis Completed
2013-04-07 00:55:09,303 INFO  ql.Driver (Driver.java:getSchema(259)) - Returning Hive schema:
Schema(fieldSchemas:null, properties:null)
2013-04-07 00:55:09,304 INFO  ql.Driver (PerfLogger.java:PerfLogBegin(100)) - <PERFLOG
method=doAuthorization>
2013-04-07 00:55:09,304 INFO  ql.Driver (PerfLogger.java:PerfLogEnd(127)) - </PERFLOG method=doAuthorization
start=1365321309304 end=1365321309304 duration=0>
{code}
                
> Drop any table even without privilege
> -------------------------------------
>
>                 Key: HIVE-2817
>                 URL: https://issues.apache.org/jira/browse/HIVE-2817
>             Project: Hive
>          Issue Type: Bug
>    Affects Versions: 0.7.1
>            Reporter: Benyi Wang
>
> You can drop any table if you use fully qualified name 'database.table' even you don't
have any previlige.
> {code}
> hive> set hive.security.authorization.enabled=true;
> hive> revoke all on default from user test_user;
> hive> drop table abc;
> hive> drop table abc;
> Authorization failed:No privilege 'Drop' found for outputs { database:default, table:abc}.
Use show grant to get more details.
> hive> drop table default.abc;
> OK
> Time taken: 0.13 seconds
> {code}
> The table and the file in {{/usr/hive/warehouse}} or external file will be deleted. If
you don't have hadoop access permission on {{/usr/hive/warehouse}} or external files, you
will see a hadoop access error
> {code}
> 12/02/23 15:35:35 ERROR hive.log: org.apache.hadoop.security.AccessControlException:
org.apache.hadoop.security.AccessControlException: Permission denied: user=test_user, access=WRITE,
inode="/user/myetl":myetl:etl:drwxr-xr-x
> 	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> 	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
> {code}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message