[ https://issues.apache.org/jira/browse/HIVE-27304?focusedWorklogId=859910&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-859910 ]
ASF GitHub Bot logged work on HIVE-27304:
-----------------------------------------

Author: ASF GitHub Bot
Created on: 01/May/23 19:26
Start Date: 01/May/23 19:26
Worklog Time Spent: 10m

Work Description:
saihemanth-cloudera commented on code in PR #4276:
URL: https://github.com/apache/hive/pull/4276#discussion_r1181823272

##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java:
##########
@@ -201,8 +201,7 @@ private static void addHivePrivObject(Entity privObject, Map<String, List<String HiveConf.ConfVars.HIVE_AUTHORIZATION_TABLES_ON_STORAGEHANDLERS)) { //TODO: add hive privilege object for storage based handlers for create and alter table commands. if (hiveOpType == HiveOperationType.CREATETABLE || - hiveOpType == HiveOperationType.ALTERTABLE_PROPERTIES || - hiveOpType == HiveOperationType.CREATETABLE_AS_SELECT) {

Review Comment:
IMO, I don't think we would need read permissions on the JDBC URL.

_Some history about storage URLs:_ Why do we need the read permission on the JDBC URL? Whenever you are creating/altering a table based on an external storage handler (e.g. Kafka, HBase), with impersonation disabled from Hive 3.x, Hive should know which end user is reading/writing to external tables. So we have introduced read/write privileges on storage URLs.

_The reason behind removing read/write privileges on storage URLs for CTAS queries:_ Consider this use case:

> Let's say a user 'foo' is running the below statement:
>
> ```sql
> CREATE EXTERNAL TABLE default.jdbctable (DB_ID bigint)
> STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
> TBLPROPERTIES (
>   'hive.sql.database.type' = 'MYSQL',
>   'hive.sql.jdbc.driver' = 'com.mysql.jdbc.Driver',
>   'hive.sql.jdbc.url' = 'jdbc:mysql://somehostname3306/hive1',
>   'hive.sql.dbcp.username' = 'hive1',
>   'hive.sql.dbcp.password' = 'hive1',
>   'hive.sql.query' = 'SELECT DB_ID FROM DBS'
> );
> ```
>
> To create this 'jdbctable', user 'foo' needs to have create privileges on the storage URL 'jdbc:mysql://somehostname3306/hive1'.

> When another user 'foobar' tries to do something like the below:
>
> ```sql
> CREATE TABLE default.hivetablefromjdbc as select * from default.jdbctable;
> ```
>
> Now the user 'foobar' requires only select privileges on the source table 'jdbctable', and the data that is only present in the table 'jdbctable' will be inserted into the target table 'hivetablefromjdbc'.
So, we are not really reading anything from the storage URL, and hence the read permissions are not required for CTAS queries.

Issue Time Tracking
-------------------

    Worklog Id:     (was: 859910)
    Time Spent: 40m  (was: 0.5h)

> Exclude CTAS condition while forming storage handler url permissions in HS2
> authorizer.
> ---------------------------------------------------------------------------------------
>
>                 Key: HIVE-27304
>                 URL: https://issues.apache.org/jira/browse/HIVE-27304
>             Project: Hive
>          Issue Type: Bug
>          Components: Hive
>            Reporter: Sai Hemanth Gantasala
>            Assignee: Sai Hemanth Gantasala
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 40m
>   Remaining Estimate: 0h
>
> CTAS queries with a storage handler table as the source table don't require read
> permissions on the storage URL for the target table

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
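Review bot: The visible part of the CommandAuthorizerV2 hunk removes both `hiveOpType == HiveOperationType.ALTERTABLE_PROPERTIES ||` and `hiveOpType == HiveOperationType.CREATETABLE_AS_SELECT) {`, while the `@@ -201,8 +201,7 @@` header says only one line was added in their place and that added line is not shown here; since the issue title is to exclude only the CTAS case, and the TODO just above the condition still says the storage-URL privilege object covers "create and alter table commands", please confirm the replacement line keeps ALTERTABLE_PROPERTIES in the condition (as shown, the hunk reads as dropping alter-table coverage along with CTAS). Because after this change the only authorization gate on the external data for a CTAS is the SELECT check on the storage-handler source table, the PR should carry a test for the scenario in the comment: CTAS from `default.jdbctable` must produce a SELECT privilege object on the source table and no storage-URL object, while `CREATE EXTERNAL TABLE ... STORED BY` with `hive.sql.jdbc.url` in TBLPROPERTIES must still produce the storage-URL object.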