Date: Mon, 7 Oct 2013 22:01:45 +0000 (UTC)
From: "Sushanth Sowmyan (JIRA)"
To: hive-dev@hadoop.apache.org
Reply-To: dev@hive.apache.org
Subject: [jira] [Updated] (HIVE-5479) SBAP restricts hcat -e 'show databases'

     [ https://issues.apache.org/jira/browse/HIVE-5479?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sushanth Sowmyan updated HIVE-5479:
-----------------------------------

    Attachment: HIVE-5479.patch

Attaching patch to make SBAP mimic the old HdfsAuthorizationProvider for user-level authorization.

> SBAP restricts hcat -e 'show databases'
> ---------------------------------------
>
>                 Key: HIVE-5479
>                 URL: https://issues.apache.org/jira/browse/HIVE-5479
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization, HCatalog
>   Affects Versions: 0.12.0
>            Reporter: Sushanth Sowmyan
>            Assignee: Sushanth Sowmyan
>         Attachments: HIVE-5479.patch
>
>
> During testing for 0.12, it was found that if someone tries to use the SBAP as a client-side authorization provider, and runs hcat -e "show databases;", SBAP denies permission to the user.
> Looking at SBAP code, why it does so is self-evident from this section:
> {code}
>   @Override
>   public void authorize(Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)
>       throws HiveException, AuthorizationException {
>     // Currently not used in hive code-base, but intended to authorize actions
>     // that are directly user-level. As there's no storage based aspect to this,
>     // we can follow one of two routes:
>     // a) We can allow by default - that way, this call stays out of the way
>     // b) We can deny by default - that way, no privileges are authorized that
>     // is not understood and explicitly allowed.
>     // Both approaches have merit, but given that things like grants and revokes
>     // that are user-level do not make sense from the context of storage-permission
>     // based auth, denying seems to be more canonical here.
>     throw new AuthorizationException(StorageBasedAuthorizationProvider.class.getName() +
>         " does not allow user-level authorization");
>   }
> {code}
> Thus, this deny-by-default behaviour affects the "show databases" call from hcat cli, which uses user-level privileges to determine if a user can perform that.

--
This message was sent by Atlassian JIRA
(v6.1#6144)