new 937d10069dc HIVE-28736:Remove DFS_URI authorization for CREATE_TABLE
event with n… (#5689)
commit 937d10069dc11143c42a521bb2fe0896a0b2d9d8
Author: rtrivedi12 <[email protected]>
AuthorDate: Thu Jul 3 20:27:15 2025 -0500
HIVE-28736:Remove DFS_URI authorization for CREATE_TABLE event with n…
(#5689)
---
.../plugin/metastore/events/CreateTableEvent.java | 39 +++++++++++--
...e_ext_table_1.q => auth_create_table_event_1.q} | 12 +++-
.../llap/auth_create_ext_table_1.q.out | 27 ---------
.../llap/auth_create_table_event_1.q.out | 67 ++++++++++++++++++++++
4 files changed, 111 insertions(+), 34 deletions(-)
diff --git
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/CreateTableEvent.java
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/CreateTableEvent.java
index 4099405abe9..2b9ca3b8f5f 100644
---
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/CreateTableEvent.java
+++
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/events/CreateTableEvent.java
@@ -20,11 +20,12 @@
package
org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.events;
import org.apache.commons.lang3.StringUtils;
-import org.apache.hadoop.hive.metastore.api.Table;
import org.apache.hadoop.hive.metastore.api.Database;
-import org.apache.hadoop.hive.metastore.TableType;
+import org.apache.hadoop.hive.metastore.api.MetaException;
+import org.apache.hadoop.hive.metastore.api.Table;
import org.apache.hadoop.hive.metastore.events.PreCreateTableEvent;
import org.apache.hadoop.hive.metastore.events.PreEventContext;
+import org.apache.hadoop.hive.metastore.utils.MetaStoreUtils;
import
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
import
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
@@ -34,7 +35,6 @@
import org.slf4j.LoggerFactory;
import java.util.ArrayList;
-import java.util.Collections;
import java.util.List;
/*
@@ -62,11 +62,18 @@ private List<HivePrivilegeObject> getInputHObjs() {
List<HivePrivilegeObject> ret = new ArrayList<>();
PreCreateTableEvent event = (PreCreateTableEvent) preEventContext;
Table table = event.getTable();
+ Database database = event.getDatabase();
String uri = getSdLocation(table.getSd());
- if (StringUtils.isNotEmpty(uri)) {
+ if (StringUtils.isEmpty(uri)) {
+ return ret;
+ }
+
+ // Skip DFS_URI only if table location is under default db path
+ if (this.needDFSUriAuth(uri, this.getDefaultTablePath(database, table))) {
ret.add(new HivePrivilegeObject(HivePrivilegeObjectType.DFS_URI, null,
uri));
}
+
return ret;
}
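Review bot: The comment on the new check, `// Skip DFS_URI only if table location is under default db path`, describes a prefix test but the code performs an equality test: `needDFSUriAuth` (added further down in this file) drops the DFS_URI object only when `uri` matches the single default table path the warehouse computes for this table, so a sub-directory or sibling path inside the database directory still produces a DFS_URI input object. Suggest `// Skip DFS_URI only when the location equals the warehouse's default table path; any other location, or a failed default-path lookup, still requires URI authorization`. Unlike the output side, this branch is not gated on the table type, so an external table created at the default path no longer gets an input-side DFS_URI check either — that appears to be the intent of HIVE-28736 given the new qtest, and is worth stating in the comment. The method's signature is visible only in the hunk header.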
@@ -82,8 +89,12 @@ private List<HivePrivilegeObject> getOutputHObjs() {
ret.add(getHivePrivilegeObject(database));
ret.add(getHivePrivilegeObject(table));
- if (StringUtils.isNotEmpty(uri) &&
!TableType.EXTERNAL_TABLE.toString().equalsIgnoreCase(table.getTableType())) {
- ret.add(new HivePrivilegeObject(HivePrivilegeObjectType.DFS_URI, null,
uri));
+ if (StringUtils.isNotEmpty(uri)) {
+ // Skip DFS_URI for external tables and if managed table location is
under default db path
+ if (!MetaStoreUtils.isExternalTable(table) && this.needDFSUriAuth(uri,
+ this.getDefaultTablePath(database, table))) {
+ ret.add(new HivePrivilegeObject(HivePrivilegeObjectType.DFS_URI, null,
uri));
+ }
}
COMMAND_STR = buildCommandString(COMMAND_STR,table);
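Review bot: The wording `// Skip DFS_URI for external tables and if managed table location is under default db path` has the same issue as the input side: `needDFSUriAuth` compares the location for equality with the default table path, not for containment in the db directory, so `under` should read `equals`. `this.getDefaultTablePath(database, table)` is also evaluated here and again in `getInputHObjs` for the same event, each going through the Warehouse; computing it once (a field set when the event is handled, or a parameter to both helpers) would avoid the second lookup and guarantee both sides see the same answer if the first lookup logs a MetaException and returns null. The enclosing `getOutputHObjs` continues past the end of the hunk.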
@@ -101,4 +112,20 @@ private String buildCommandString(String cmdStr, Table
tbl) {
}
return ret;
}
+
+ private String getDefaultTablePath(Database database, Table table) {
+ String expectedTablePath = null;
+ try {
+ expectedTablePath =
preEventContext.getHandler().getWh().getDefaultTablePath(database,
table).toString();
+ } catch (MetaException e) {
+ LOG.warn("Got exception fetching Default location for dbName: {}
tableName: {} ", database.getName(),
+ table.getTableName(), e);
+ }
+ return expectedTablePath;
+ }
+
+ private boolean needDFSUriAuth(String uri, String expectedTablePath) {
+ return (StringUtils.isEmpty(expectedTablePath) ||
!uri.equalsIgnoreCase(expectedTablePath));
+ }
+
}
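Review bot: `needDFSUriAuth` decides whether to skip the DFS_URI authorization with `uri.equalsIgnoreCase(expectedTablePath)`, a case-insensitive comparison of raw strings, while HDFS paths are case-sensitive and nothing here normalizes trailing slashes or scheme/authority; a user-supplied location that differs from the default only in letter case is therefore treated as the default path and escapes the URI check, whereas a location that is the default path but written with a trailing slash or without the scheme still gets checked. Since a match here removes an authorization step, compare case-sensitively as paths rather than strings — `Path.equals` from `org.apache.hadoop.fs.Path` compares the normalized URI, which needs an import added to the file. Whether `Warehouse.getDefaultTablePath` returns a fully-qualified path is not visible in this diff; if it does, an unqualified `uri` will simply fail to match and keep requiring authorization, which is the safe direction. The empty-`expectedTablePath` branch, reached when `getDefaultTablePath` caught a MetaException, already fails closed and deserves a comment saying that is deliberate.
```java
  private boolean needDFSUriAuth(String uri, String expectedTablePath) {
    // Fail closed: if the default path could not be computed, keep requiring URI auth.
    if (StringUtils.isEmpty(expectedTablePath)) {
      return true;
    }
    // Compare as normalized paths and case-sensitively: HDFS paths are case-sensitive,
    // and a match here removes the DFS_URI authorization check entirely.
    return !new Path(uri).equals(new Path(expectedTablePath));
  }
```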
diff --git a/ql/src/test/queries/clientpositive/auth_create_ext_table_1.q
b/ql/src/test/queries/clientpositive/auth_create_table_event_1.q
similarity index 61%
rename from ql/src/test/queries/clientpositive/auth_create_ext_table_1.q
rename to ql/src/test/queries/clientpositive/auth_create_table_event_1.q
index b2753031339..b2e80fd3be2 100644
--- a/ql/src/test/queries/clientpositive/auth_create_ext_table_1.q
+++ b/ql/src/test/queries/clientpositive/auth_create_table_event_1.q
@@ -8,8 +8,18 @@ dfs -chmod 555 ${system:test.tmp.dir}/a_ext_create_tab2;
set
hive.metastore.pre.event.listeners=org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer;
set
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
--- Attempt to Create external table without having write permissions on table
dir should not result in error
+-- HIVE-27525 Attempt to Create external table without having write
permissions on table dir should not result in error
CREATE EXTERNAL TABLE t1(i int) location
'${system:test.tmp.dir}/a_ext_create_tab1';
Select * from t1;
CREATE EXTERNAL TABLE LikeExternalTable LIKE t1 location
'${system:test.tmp.dir}/a_ext_create_tab2';
+
+-- Skip authorization if location is not specified
+CREATE DATABASE IF NOT EXISTS test_db COMMENT 'Hive test database';
+use test_db;
+
+-- HIVE-28736 Skip DFS_URI auth for table under default DB location
+-- Attempt to Create external table without having write permissions on table
dir should not result in error
+CREATE EXTERNAL TABLE t1(i int) location
'${system:test.warehouse.dir}/test_db.db/t1';;
+CREATE TABLE t2(i int, name String) stored as ORC;
+CREATE TABLE t3(i int, name String) stored as ORC location
'${system:test.warehouse.dir}/test_db.db/t3';
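Review bot: The new `CREATE EXTERNAL TABLE t1 ... location '${system:test.warehouse.dir}/test_db.db/t1';;` ends with a doubled semicolon, leaving an empty statement in the script; it should be `CREATE EXTERNAL TABLE t1(i int) location '${system:test.warehouse.dir}/test_db.db/t1';`. The comment above it repeats the HIVE-27525 claim about missing write permissions, but the only `dfs -chmod 555` in this file targets the `a_ext_create_tab*` tmp directories, not `test_db.db`, so this case does not actually exercise an unwritable table directory — either add a chmod on the warehouse path or drop that sentence from the comment. All three new statements only cover the skip path; a companion case where a managed table is created at a non-default location (ideally one the test user cannot write) would confirm that DFS_URI authorization is still enforced there, presumably as a clientnegative test.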
diff --git
a/ql/src/test/results/clientpositive/llap/auth_create_ext_table_1.q.out
b/ql/src/test/results/clientpositive/llap/auth_create_ext_table_1.q.out
deleted file mode 100644
index aa6fd6ed017..00000000000
--- a/ql/src/test/results/clientpositive/llap/auth_create_ext_table_1.q.out
+++ /dev/null
@@ -1,27 +0,0 @@
-#### A masked pattern was here ####
-PREHOOK: type: CREATETABLE
-#### A masked pattern was here ####
-PREHOOK: Output: database:default
-PREHOOK: Output: default@t1
-#### A masked pattern was here ####
-POSTHOOK: type: CREATETABLE
-#### A masked pattern was here ####
-POSTHOOK: Output: database:default
-POSTHOOK: Output: default@t1
-PREHOOK: query: Select * from t1
-PREHOOK: type: QUERY
-PREHOOK: Input: default@t1
-#### A masked pattern was here ####
-POSTHOOK: query: Select * from t1
-POSTHOOK: type: QUERY
-POSTHOOK: Input: default@t1
-#### A masked pattern was here ####
-PREHOOK: type: CREATETABLE
-#### A masked pattern was here ####
-PREHOOK: Output: database:default
-PREHOOK: Output: default@LikeExternalTable
-#### A masked pattern was here ####
-POSTHOOK: type: CREATETABLE
-#### A masked pattern was here ####
-POSTHOOK: Output: database:default
-POSTHOOK: Output: default@LikeExternalTable
diff --git
a/ql/src/test/results/clientpositive/llap/auth_create_table_event_1.q.out
b/ql/src/test/results/clientpositive/llap/auth_create_table_event_1.q.out
new file mode 100644
index 00000000000..3cda32fc51c
--- /dev/null
+++ b/ql/src/test/results/clientpositive/llap/auth_create_table_event_1.q.out
@@ -0,0 +1,67 @@
+#### A masked pattern was here ####
+PREHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+PREHOOK: Output: database:default
+PREHOOK: Output: default@t1
+#### A masked pattern was here ####
+POSTHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@t1
+PREHOOK: query: Select * from t1
+PREHOOK: type: QUERY
+PREHOOK: Input: default@t1
+#### A masked pattern was here ####
+POSTHOOK: query: Select * from t1
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@t1
+#### A masked pattern was here ####
+PREHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+PREHOOK: Output: database:default
+PREHOOK: Output: default@LikeExternalTable
+#### A masked pattern was here ####
+POSTHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@LikeExternalTable
+PREHOOK: query: CREATE DATABASE IF NOT EXISTS test_db COMMENT 'Hive test
database'
+PREHOOK: type: CREATEDATABASE
+PREHOOK: Output: database:test_db
+POSTHOOK: query: CREATE DATABASE IF NOT EXISTS test_db COMMENT 'Hive test
database'
+POSTHOOK: type: CREATEDATABASE
+POSTHOOK: Output: database:test_db
+PREHOOK: query: use test_db
+PREHOOK: type: SWITCHDATABASE
+PREHOOK: Input: database:test_db
+POSTHOOK: query: use test_db
+POSTHOOK: type: SWITCHDATABASE
+POSTHOOK: Input: database:test_db
+#### A masked pattern was here ####
+PREHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+PREHOOK: Output: database:test_db
+PREHOOK: Output: test_db@t1
+#### A masked pattern was here ####
+POSTHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+POSTHOOK: Output: database:test_db
+POSTHOOK: Output: test_db@t1
+PREHOOK: query: CREATE TABLE t2(i int, name String) stored as ORC
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:test_db
+PREHOOK: Output: test_db@t2
+POSTHOOK: query: CREATE TABLE t2(i int, name String) stored as ORC
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:test_db
+POSTHOOK: Output: test_db@t2
+#### A masked pattern was here ####
+PREHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+PREHOOK: Output: database:test_db
+PREHOOK: Output: test_db@t3
+#### A masked pattern was here ####
+POSTHOOK: type: CREATETABLE
+#### A masked pattern was here ####
+POSTHOOK: Output: database:test_db
+POSTHOOK: Output: test_db@t3