[jira] [Commented] (HIVE-12408) SQLStdAuthorizer expects external table creator to be owner of directory, does not respect rwx group permission. Only one user could ever create an external table definition to dir!

[Akira Ajisaka (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HIVE-12408?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16220181#comment-16220181
 ] 

Akira Ajisaka commented on HIVE-12408:
--------------------------------------

Hi [~thejas], would you review the latest patch?

> SQLStdAuthorizer expects external table creator to be owner of directory, 
> does not respect rwx group permission. Only one user could ever create an 
> external table definition to dir!
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-12408
>                 URL: https://issues.apache.org/jira/browse/HIVE-12408
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization, Security, SQLStandardAuthorization
>    Affects Versions: 0.14.0
>         Environment: HDP 2.2 + Kerberos
>            Reporter: Hari Sekhon
>            Assignee: Akira Ajisaka
>            Priority: Critical
>         Attachments: HIVE-12408.001.patch, HIVE-12408.002.patch
>
>
> When trying to create an external table via beeline in Hive using the 
> SQLStdAuthorizer it expects the table creator to be the owner of the 
> directory path and ignores the group rwx permission that is granted to the 
> user.
> {code}Error: Error while compiling statement: FAILED: 
> HiveAccessControlException Permission denied: Principal [name=hari, 
> type=USER] does not have following privileges for operation CREATETABLE 
> [[INSERT, DELETE, OBJECT OWNERSHIP] on Object [type=DFS_URI, 
> name=/etl/path/to/hdfs/dir]] (state=42000,code=40000){code}
> All it should be checking is read access to that directory.
> The directory owner requirement breaks the ability of more than one user to 
> create external table definitions to a given location. For example this is a 
> flume landing directory with json data, and the /etl tree is owned by the 
> flume user. Even chowning the tree to another user would still break access 
> to other users who are able to read the directory in hdfs but would still 
> unable to create external tables on top of it.
> This looks like a remnant of the owner only access model in SQLStdAuth and is 
> a separate issue to HIVE-11864 / HIVE-12324.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)