[ https://issues.apache.org/jira/browse/HIVE-6823?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13958401#comment-13958401 ]
Thejas M Nair commented on HIVE-6823:
-------------------------------------

From [~deepesh] -
Steps to reproduce:
# As admin user adminuser,
{noformat}
0: jdbc:hive2://localhost:10> create role testrole;
No rows affected (0.063 seconds)
0: jdbc:hive2://localhost:10> grant role testrole to user hrt_1;
No rows affected (0.07 seconds)
0: jdbc:hive2://localhost:10> create database testdb;
No rows affected (0.13 seconds)
0: jdbc:hive2://localhost:10> alter database testdb set owner role testrole;
No rows affected (0.111 seconds)
0: jdbc:hive2://localhost:10> desc database testdb;
+----------+----------+-----------------------------------------------------------------------+-------------+
| db_name | comment | location | parameters |
+----------+----------+-----------------------------------------------------------------------+-------------+
| testdb | | hdfs://localhost:8020/apps/hive/warehouse/testdb.db | testrole |
+----------+----------+-----------------------------------------------------------------------+-------------+
1 row selected (0.038 seconds)
{noformat}
# As a user hrt_1 in role testrole,
{noformat}
0: jdbc:hive2://localhost:10> set role testrole;
No rows affected (0.055 seconds)
0: jdbc:hive2://localhost:10> drop database testdb;
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied. Principal [name=hrt_1, type=USER] does not have following privileges on Object [type=DATABASE, name=testdb] : [OBJECT OWNERSHIP] (state=42000,code=40000)
0: jdbc:hive2://localhost:10> use testdb;
No rows affected (0.032 seconds)
0: jdbc:hive2://localhost:10> create table foobar (foo string, bar string);
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied. Principal [name=hrt_1, type=USER] does not have following privileges on Object [type=DATABASE, name=testdb] : [OBJECT OWNERSHIP] (state=42000,code=40000)
{noformat}
I see that commands work when I set ownership to user hrt_1 directly.
I expect to see the same behavior with role ownership as well.


> sql std auth - database authorization does not check for role ownership
> -----------------------------------------------------------------------
>
>                 Key: HIVE-6823
>                 URL: https://issues.apache.org/jira/browse/HIVE-6823
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 0.13.0
>            Reporter: Deepesh Khandelwal
>            Assignee: Thejas M Nair
>
> A role can own the database, but when the authorization checks are
> determining the privileges for a user, they are not checking if one of the
> roles the user belongs to is an owner of the database.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
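
The ownership check this issue asks for, as an added example that is not part of the JIRA comment and is not Hive's code: a simplified Python model in which `Principal`, `expand_roles`, `owns_user_only`, `owns_with_roles` and the `role_grants` map are hypothetical names. It goes beyond the reported case by also following role-to-role grants, which is an assumption about how role membership is resolved.

```python
# Added illustration: a simplified model, not Hive's authorization code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    type: str  # "USER" or "ROLE", the principal types seen on the page


def expand_roles(active_roles, role_grants):
    """Active roles plus every role reachable through role-to-role grants."""
    seen, stack = set(), list(active_roles)
    while stack:
        role = stack.pop()
        if role not in seen:  # the seen-set also stops cyclic grants
            seen.add(role)
            stack.extend(role_grants.get(role, ()))
    return seen


def owns_user_only(user, owner):
    """Behaviour reported in the issue: a ROLE owner never matches."""
    return owner.type == "USER" and owner.name == user


def owns_with_roles(user, active_roles, owner, role_grants=None):
    """Expected behaviour: a ROLE owner matches if the user holds that role."""
    if owner.type == "USER":
        return owner.name == user
    if owner.type == "ROLE":
        return owner.name in expand_roles(active_roles, role_grants or {})
    return False  # unknown principal type: deny


def scenario():
    """Constructed inputs mirroring the session: testdb is owned by role testrole."""
    owner = Principal("testrole", "ROLE")
    grants = {"devs": ["testrole"]}  # constructed: testrole granted to role devs
    return {
        "reported": owns_user_only("hrt_1", owner),
        "expected": owns_with_roles("hrt_1", {"testrole"}, owner),
        "via_role_grant": owns_with_roles("hrt_1", {"devs"}, owner, grants),
        "no_role": owns_with_roles("hrt_2", set(), owner),
        # A user whose name equals the role name must not match a ROLE owner.
        "name_collision": owns_with_roles("testrole", set(), owner),
    }


if __name__ == "__main__":
    print(scenario())
```

The `name_collision` case is the one to keep in a regression suite: matching on the owner name alone, without the principal type, would grant ownership to a user who merely shares the role's name.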