hive-dev mailing list archives

From "Thejas M Nair (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-7943) hive.security.authorization.createtable.owner.grants is ineffective with Default Authorization
Date Wed, 03 Sep 2014 19:36:52 GMT

    [ https://issues.apache.org/jira/browse/HIVE-7943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14120306#comment-14120306 ]

Thejas M Nair commented on HIVE-7943:
-------------------------------------

This patch does not add the owner grants into table metadata. That is the purpose of this
configuration flag. Instead it is adding the privileges at runtime during the checks.

Looking at the current code again, I don't see a bug there wrt the privileges getting set
at table creation. I wonder if the problem is that "ALL" privileges are not getting correctly
interpreted as including the Drop privilege.

In the example that you have in the description, can you paste the output of 'show grant on table
temp_table'?


> hive.security.authorization.createtable.owner.grants is ineffective with Default Authorization
> ----------------------------------------------------------------------------------------------
>
>                 Key: HIVE-7943
>                 URL: https://issues.apache.org/jira/browse/HIVE-7943
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 0.13.1
>            Reporter: Ashu Pachauri
>         Attachments: HIVE-7943.1.patch
>
>
> HIVE-6250 separates owner privileges from user privileges. However, Default Authorization
> does not adapt to the change and table owners do not inherit permissions from the config.
> Steps to Reproduce:
> set hive.security.authorization.enabled=true;
> set hive.security.authorization.createtable.owner.grants=ALL;
> create table temp_table(id int, value string);
> drop table temp_table;
> The above set of operations throws the following error:
>
> Authorization failed:No privilege 'Drop' found for outputs { database:default, table:temp_table}. Use SHOW GRANT to get more details.
> 14/09/02 17:49:38 ERROR ql.Driver: Authorization failed:No privilege 'Drop' found for outputs { database:default, table:temp_table}. Use SHOW GRANT to get more details.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
