Sushanth Sowmyan created HIVE-5479:
--------------------------------------

             Summary: SBAP restricts hcat -e 'show databases'
                 Key: HIVE-5479
                 URL: https://issues.apache.org/jira/browse/HIVE-5479
             Project: Hive
          Issue Type: Bug
          Components: Authorization, HCatalog
    Affects Versions: 0.12.0
            Reporter: Sushanth Sowmyan
            Assignee: Sushanth Sowmyan

During testing for 0.12, it was found that if someone tries to use the SBAP as a client-side authorization provider, and runs hcat -e "show databases;", SBAP denies permission to the user.

Looking at SBAP code, why it does so is self-evident from this section:

{code}
  @Override
  public void authorize(Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)
      throws HiveException, AuthorizationException {
    // Currently not used in hive code-base, but intended to authorize actions
    // that are directly user-level. As there's no storage based aspect to this,
    // we can follow one of two routes:
    // a) We can allow by default - that way, this call stays out of the way
    // b) We can deny by default - that way, no privileges are authorized that
    // is not understood and explicitly allowed.
    // Both approaches have merit, but given that things like grants and revokes
    // that are user-level do not make sense from the context of storage-permission
    // based auth, denying seems to be more canonical here.

    throw new AuthorizationException(StorageBasedAuthorizationProvider.class.getName() +
        " does not allow user-level authorization");
  }
{code}

Thus, this deny-by-default behaviour affects the "show databases" call from hcat cli, which uses user-level privileges to determine if a user can perform that.

--
This message was sent by Atlassian JIRA
(v6.1#6144)
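
The two routes named in the quoted comment, plus a deny-by-default variant with an explicit allowlist, modelled as an added example. This is not Hive code and not the change made for this issue; the Priv values, Provider interface and denyExcept helper are hypothetical stand-ins for the user-level authorize() overload.

```java
import java.util.EnumSet;
import java.util.Set;

// Toy model of the user-level authorize() overload; none of these types are Hive's.
public class UserLevelAuthDemo {
    enum Priv { SHOW_DATABASE, GRANT }  // constructed privilege names

    static class AuthorizationException extends RuntimeException {
        AuthorizationException(String msg) { super(msg); }
    }

    interface Provider { void authorize(Priv[] readRequired, Priv[] writeRequired); }

    // Route (a): allow by default, the call stays out of the way.
    static final Provider ALLOW_ALL = (r, w) -> { };

    // Route (b): deny by default, the behaviour of the quoted method.
    static final Provider DENY_ALL = (r, w) -> {
        throw new AuthorizationException("user-level authorization not allowed");
    };

    // Route (b) with an allowlist: deny unless every requested privilege
    // is one the provider understands and has explicitly permitted.
    static Provider denyExcept(Set<Priv> allowed) {
        return (r, w) -> {
            for (Priv[] group : new Priv[][] { r, w }) {
                if (group == null) continue;  // no privileges required on this side
                for (Priv p : group) {
                    if (!allowed.contains(p)) throw new AuthorizationException("not allowed: " + p);
                }
            }
        };
    }

    static boolean permitted(Provider p, Priv[] read, Priv[] write) {
        try { p.authorize(read, write); return true; }
        catch (AuthorizationException e) { return false; }
    }

    public static void main(String[] args) {
        Priv[] showDatabases = { Priv.SHOW_DATABASE };  // read-side request
        Priv[] grant = { Priv.GRANT };                  // write-side request
        Provider[] providers = { ALLOW_ALL, DENY_ALL, denyExcept(EnumSet.of(Priv.SHOW_DATABASE)) };
        String[] names = { "allow-all", "deny-all", "deny-except" };
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("%-11s show databases=%b grant=%b%n", names[i],
                permitted(providers[i], showDatabases, null), permitted(providers[i], null, grant));
        }
    }
}
```

Only the allowlist variant lets the read-only listing through while still refusing the grant; allow-all permits both and deny-all refuses both.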