hive-dev mailing list archives

From "Ashu Pachauri (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-7943) hive.security.authorization.createtable.owner.grants is ineffective with Default Authorization
Date Wed, 03 Sep 2014 20:34:52 GMT

    [ https://issues.apache.org/jira/browse/HIVE-7943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14120395#comment-14120395 ]

Ashu Pachauri commented on HIVE-7943:
-------------------------------------

Is that the purpose of the configuration flag? I thought the reason for separating owner grants
from user grants was that the owner grants are dynamically applied at the time of authorization
to the current owner (if there would be a way to change the owner). If they are persisted
in metadata, the grants need to be changed when the owner changes or when the configuration
property changes. (E.g. from ALL to SELECT, DROP, etc.)

"show grant on temp_table" gives me empty results unless I explicitly do a 'grant all on temp_table
to user testuser'. The problem is not observed only with "ALL" privileges. The same problem is
encountered when I change the configuration property to DROP instead of ALL.

> hive.security.authorization.createtable.owner.grants is ineffective with Default Authorization
> ----------------------------------------------------------------------------------------------
>
>                 Key: HIVE-7943
>                 URL: https://issues.apache.org/jira/browse/HIVE-7943
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 0.13.1
>            Reporter: Ashu Pachauri
>         Attachments: HIVE-7943.1.patch
>
>
> HIVE-6250 separates owner privileges from user privileges. However, Default Authorization
> does not adapt to the change and table owners do not inherit permissions from the config.
> Steps to Reproduce:
> set hive.security.authorization.enabled=true;
> set hive.security.authorization.createtable.owner.grants=ALL;
> create table temp_table(id int, value string);
> drop table temp_table;
> The above set of operations throws the following error:
>
> Authorization failed:No privilege 'Drop' found for outputs { database:default, table:temp_table}. Use SHOW GRANT to get more details.
> 14/09/02 17:49:38 ERROR ql.Driver: Authorization failed:No privilege 'Drop' found for outputs { database:default, table:temp_table}. Use SHOW GRANT to get more details.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
