John Sherman created HIVE-26038:
-----------------------------------
Summary: Respect Owner privileges in all paths in
AuthorizationMetaStoreFilterHook
Key: HIVE-26038
URL: https://issues.apache.org/jira/browse/HIVE-26038
Project: Hive
Issue Type: Improvement
Components: Metastore
Reporter: John Sherman
Currently there are some paths in AuthorizationMetaStoreFilterHook that do not
provide object ownership information to the authorization plugin. Specifically,
any method using filterDatabases or filterTableNames will not include object
ownership in the privilege request. This is problematic when an application
using Hive uses these code paths together:
Example:
An application creates a table, inserts into it, and selects from it through HS2.
Explicit privilege is never given to the table in the authorization provider;
it relies on the fact that the user is the owner of the table. (The user has
CREATE privilege on the DB in question to be able to CREATE the table.)
The application then uses
service/src/java/org/apache/hive/service/cli/operation/GetTablesOperation.java
to get a list of tables, which in turn calls metastoreClient.getTableMeta, which
ends up using filterTableNames to remove table entries that the user is not
authorized to see. But filterTableNames does not provide table ownership
information to the authorization framework, so the framework will filter out
tables the user actually owns.
There are two methods here:
{code:java}
public List<String> filterTableNames(String catName, String dbName, List<String> tableList)
{code}
vs
{code:java}
public List<Table> filterTables(List<Table> tableList) throws MetaException
{code}
The first one only takes a list of strings, so it would be impossible to provide
proper ownership information (without additional HMS calls). We should remove
this method and modify all code paths to use filterTables. This would involve
some plumbing and adding additional information to various HMS responses to
include ownership information.
The same problem exists for the database code paths.
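To make the failure mode concrete, here is a small Python model of the two filter paths, added for illustration and not taken from Hive: a toy authorizer that honours explicit grants plus owner-implied privilege, and the names OwnerAwareAuthorizer, compare_paths and the sample tables are all constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Table:
    # Constructed stand-in for an HMS Table: carries the owner the name-only path lacks
    db_name: str
    table_name: str
    owner: Optional[str]

class OwnerAwareAuthorizer:
    # Toy plugin: explicit grants, plus an implicit privilege for the object owner
    def __init__(self, grants):
        self.grants = set(grants)  # entries are (user, db_name, table_name)

    def can_see(self, user, db_name, table_name, owner=None):
        if (user, db_name, table_name) in self.grants:
            return True
        # Ownership can only be honoured if the privilege request carries it
        return owner is not None and owner == user

def filter_table_names(auth, user, db_name, table_names):
    # Models filterTableNames(catName, dbName, List<String>): the request has no
    # owner, so owner-implied privileges can never match
    return [n for n in table_names if auth.can_see(user, db_name, n)]

def filter_tables(auth, user, tables):
    # Models filterTables(List<Table>): ownership travels with each Table object
    return [t for t in tables
            if auth.can_see(user, t.db_name, t.table_name, owner=t.owner)]

# Constructed sample: alice owns "orders", holds a grant on "customers", nothing on "audit"
SAMPLE_TABLES = [
    Table("sales", "orders", owner="alice"),
    Table("sales", "customers", owner="bob"),
    Table("sales", "audit", owner="bob"),
]
AUTH = OwnerAwareAuthorizer({("alice", "sales", "customers")})

def compare_paths(user="alice"):
    # Returns (names visible via the String path, names visible via the Table path)
    by_name = filter_table_names(AUTH, user, "sales",
                                 [t.table_name for t in SAMPLE_TABLES])
    by_table = [t.table_name for t in filter_tables(AUTH, user, SAMPLE_TABLES)]
    return by_name, by_table

if __name__ == "__main__":
    names_only, with_owner = compare_paths()
    print("filterTableNames path:", names_only)  # owner-only table "orders" is dropped
    print("filterTables path:    ", with_owner)
```

The String path silently hides the table alice created, while the Table path keeps it; the same model applies to the database paths.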
--
This message was sent by Atlassian Jira
(v8.20.1#820001)