hive-dev mailing list archives

From "Ashu Pachauri (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-7943) hive.security.authorization.createtable.owner.grants is ineffective with Default Authorization
Date Wed, 03 Sep 2014 22:59:56 GMT

    [ https://issues.apache.org/jira/browse/HIVE-7943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14120633#comment-14120633 ]

Ashu Pachauri commented on HIVE-7943:
-------------------------------------

Okay, I understand the rationale behind the separation. But I am confused between the two
cases:

1. Owner grants are tightly bound to the user who creates the table.
2. Owner grants are tightly bound only to the table (in metadata) but apply only to the current
owner.

If case 1 is true, we can just append owner privileges to user privs at table creation time.
If case 2 is true, we need some place to store owner privileges in the metadata at table creation
time and merge them with current user privileges (if he is the owner) at the time of authorization.

> hive.security.authorization.createtable.owner.grants is ineffective with Default Authorization
> ----------------------------------------------------------------------------------------------
>
>                 Key: HIVE-7943
>                 URL: https://issues.apache.org/jira/browse/HIVE-7943
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 0.13.1
>            Reporter: Ashu Pachauri
>         Attachments: HIVE-7943.1.patch
>
>
> HIVE-6250 separates owner privileges from user privileges. However, Default Authorization
> does not adapt to the change and table owners do not inherit permissions from the config.
> Steps to Reproduce:
> set hive.security.authorization.enabled=true;
> set hive.security.authorization.createtable.owner.grants=ALL;
> create table temp_table(id int, value string);
> drop table temp_table;
> The above set of operations throws the following error:
>
> Authorization failed:No privilege 'Drop' found for outputs { database:default, table:temp_table}. Use SHOW GRANT to get more details.
> 14/09/02 17:49:38 ERROR ql.Driver: Authorization failed:No privilege 'Drop' found for outputs { database:default, table:temp_table}. Use SHOW GRANT to get more details.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
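
The two cases in the comment above give the same result for the reported create/drop sequence and only diverge once a table changes owner. The sketch below is an added example, not Hive code and not taken from HIVE-7943.1.patch: a minimal Python model in which `Table`, `create_table`, `effective_privs`, `authorize`, `drop_after_transfer` and the users `alice` and `bob` are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed stand-in for hive.security.authorization.createtable.owner.grants=ALL
OWNER_GRANTS = {"ALL"}


@dataclass
class Table:
    name: str
    owner: str
    user_privs: dict = field(default_factory=dict)  # user -> set of privileges
    owner_privs: set = field(default_factory=set)   # populated in case 2 only


def create_table(name, creator, case):
    """Create a table under one of the two semantics from the comment."""
    t = Table(name, creator)
    if case == 1:
        # Case 1: append owner grants to the creator's user privileges.
        t.user_privs.setdefault(creator, set()).update(OWNER_GRANTS)
    elif case == 2:
        # Case 2: store owner grants in the table's own metadata.
        t.owner_privs = set(OWNER_GRANTS)
    else:
        raise ValueError("case must be 1 or 2")
    return t


def effective_privs(t, user):
    """Privileges considered at authorization time."""
    privs = set(t.user_privs.get(user, set()))
    if user == t.owner:
        privs |= t.owner_privs  # merged only for the current owner
    return privs


def authorize(t, user, priv):
    privs = effective_privs(t, user)
    return "ALL" in privs or priv in privs


def drop_after_transfer(case):
    """Return (creator may drop, new owner may drop) after an owner change."""
    t = create_table("temp_table", "alice", case)
    assert authorize(t, "alice", "Drop")  # the step that fails in the report
    t.owner = "bob"  # hypothetical ownership transfer, nothing else touched
    return authorize(t, "alice", "Drop"), authorize(t, "bob", "Drop")
```

In this model, case 1 leaves the creator with the owner grants after the transfer unless they are revoked separately, while case 2 moves them to whoever currently owns the table.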
