Sai Hemanth Gantasala created HIVE-26422:
--------------------------------------------

             Summary: Create table via spark-shell vs HS2 has discrepancy in authorization config policy
                 Key: HIVE-26422
                 URL: https://issues.apache.org/jira/browse/HIVE-26422
             Project: Hive
          Issue Type: Bug
          Components: HiveServer2, Standalone Metastore
    Affects Versions: 4.0.0
            Reporter: Sai Hemanth Gantasala
            Assignee: Sai Hemanth Gantasala


Create table via spark-shell creates 4 privileges, "INSERT,SELECT,UPDATE,DELETE", 
via the table owner grants config, whereas when we create an external table through 
hiveserver2 (using a client like beeline) it doesn't create any owner privileges, 
which is the desired condition.

Note: In Hive's hive-site.xml, the following is set:
hive.security.authorization.createtable.user.grants=''
hive.security.authorization.createtable.group.grants=''
hive.security.authorization.createtable.role.grants=''
hive.security.authorization.createtable.owner.grants='' 
Also, the setup is Kerberized and uses Ranger as an authorization service.

So, when we create a table via spark-shell, we shouldn't set 
hive.security.authorization.createtable.owner.grants in the code 
[https://github.com/apache/hive/blob/master/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java#L625];
instead, it should be picked up using hive-site.xml (which is already done in 
the CreateTableAutomaticGrants class).

The side effect of having table owner privileges set in the code is that the 
TBL_PRIVS table in the RDBMS grows with every create table command.



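An added example, not part of the original report or of Hive's code: an audit query for the side effect described above, listing tables whose owner holds explicit privilege rows in TBL_PRIVS. It runs against a constructed in-memory SQLite stand-in; the reduced TBLS/TBL_PRIVS column set and the assumption that owner grants are stored as USER rows for the owner are assumptions to verify against your metastore database.

```python
import sqlite3

# Privileges the report says are written for the table owner.
OWNER_GRANTS = ("INSERT", "SELECT", "UPDATE", "DELETE")

# Constructed, reduced subset of the metastore tables. Column names are
# assumptions based on the Hive metastore schema; check your backing RDBMS.
SCHEMA = """
CREATE TABLE TBLS (TBL_ID INTEGER PRIMARY KEY, TBL_NAME TEXT, OWNER TEXT);
CREATE TABLE TBL_PRIVS (TBL_GRANT_ID INTEGER PRIMARY KEY, TBL_ID INTEGER,
    PRINCIPAL_NAME TEXT, PRINCIPAL_TYPE TEXT, TBL_PRIV TEXT);
"""

# Owner-held rows per table: these are the rows that should not exist when
# the createtable.*.grants properties are empty and Ranger authorizes access.
AUDIT_SQL = """
SELECT t.TBL_NAME, t.OWNER, COUNT(*) AS owner_rows
FROM TBLS t JOIN TBL_PRIVS p ON p.TBL_ID = t.TBL_ID
WHERE p.PRINCIPAL_TYPE = 'USER' AND p.PRINCIPAL_NAME = t.OWNER
  AND p.TBL_PRIV IN (?, ?, ?, ?)
GROUP BY t.TBL_ID, t.TBL_NAME, t.OWNER
ORDER BY t.TBL_NAME
"""

def build_sample_db():
    """Constructed sample: one table with owner grants, one without."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO TBLS VALUES (?, ?, ?)",
                   [(1, "t_spark", "alice"), (2, "t_beeline", "alice")])
    rows = [(1, "alice", "USER", p) for p in OWNER_GRANTS]
    # A grant to a different user must not be reported as an owner grant.
    rows.append((2, "bob", "USER", "SELECT"))
    db.executemany("INSERT INTO TBL_PRIVS (TBL_ID, PRINCIPAL_NAME, "
                   "PRINCIPAL_TYPE, TBL_PRIV) VALUES (?, ?, ?, ?)", rows)
    return db

def tables_with_owner_grants(db):
    """Return (table, owner, row_count) for tables with explicit owner rows."""
    return db.execute(AUDIT_SQL, OWNER_GRANTS).fetchall()

if __name__ == "__main__":
    for name, owner, n in tables_with_owner_grants(build_sample_db()):
        print(f"{name}: {n} owner privilege rows for {owner}")
```

Tracking the total of `owner_rows` over time shows whether TBL_PRIVS keeps growing with each create table command.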