This is an automated email from the ASF dual-hosted git repository.
gsaihemanth pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/master by this push:
new abcca13414d HIVE-29215: Fix owner info for view in authorizable events
for alter … (#6087)
abcca13414d is described below
commit abcca13414d4fe372975b823f80b9c19e189afcf
Author: Sai Hemanth Gantasala
<[email protected]>
AuthorDate: Mon Oct 13 10:04:42 2025 -0700
HIVE-29215: Fix owner info for view in authorizable events for alter …
(#6087)
---
.../org/apache/hadoop/hive/ql/ddl/DDLUtils.java | 5 ++
.../ql/ddl/view/create/AlterViewAsAnalyzer.java | 11 +++--
.../clientnegative/authorization_alter_view.q | 24 ++++++++++
.../clientnegative/authorization_alter_view.q.out | 54 ++++++++++++++++++++++
.../results/clientpositive/llap/lineage3.q.out | 2 +-
5 files changed, 91 insertions(+), 5 deletions(-)
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/ddl/DDLUtils.java
b/ql/src/java/org/apache/hadoop/hive/ql/ddl/DDLUtils.java
index 22a62e2c652..3ee8d74cea9 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/ddl/DDLUtils.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/ddl/DDLUtils.java
@@ -198,6 +198,11 @@ public static void addDbAndTableToOutputs(Database
database, TableName tableName
outputs.add(new WriteEntity(table, WriteEntity.WriteType.DDL_NO_LOCK));
}
+ public static void addDbAndTableToOutputs(Database database, Table table,
Set<WriteEntity> outputs) {
+ outputs.add(new WriteEntity(database, WriteEntity.WriteType.DDL_SHARED));
+ outputs.add(new WriteEntity(table, WriteEntity.WriteType.DDL_NO_LOCK));
+ }
+
public static void setColumnsAndStorePartitionTransformSpecOfTable(
List<FieldSchema> columns, List<FieldSchema> partitionColumns,
HiveConf conf, Table tbl) {
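Review bot: The new `addDbAndTableToOutputs(Database, Table, Set<WriteEntity>)` overload has no Javadoc, although it differs from the overload above it in a way that matters for authorization: the caller's `Table` object goes into the `WriteEntity` as-is. Going by the commit title, the purpose is to let the owner stored on that object reach the authorizable event, so the contract should be written down. For example: `/** Adds the database (DDL_SHARED) and the given table (DDL_NO_LOCK) to outputs; pass the metastore-loaded Table so its owner is available to authorization. */`. Neither `database` nor `table` is checked for null here, so the comment should also say that both must be non-null. The body of the preceding overload starts outside this hunk, so I cannot tell whether it could simply delegate to the new one.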
diff --git
a/ql/src/java/org/apache/hadoop/hive/ql/ddl/view/create/AlterViewAsAnalyzer.java
b/ql/src/java/org/apache/hadoop/hive/ql/ddl/view/create/AlterViewAsAnalyzer.java
index 329ed84a601..88f741f83eb 100644
---
a/ql/src/java/org/apache/hadoop/hive/ql/ddl/view/create/AlterViewAsAnalyzer.java
+++
b/ql/src/java/org/apache/hadoop/hive/ql/ddl/view/create/AlterViewAsAnalyzer.java
@@ -67,14 +67,16 @@ public void analyzeInternal(ASTNode root) throws
SemanticException {
String expandedText =
ctx.getTokenRewriteStream().toString(select.getTokenStartIndex(),
select.getTokenStopIndex());
AlterViewAsDesc desc = new AlterViewAsDesc(fqViewName, schema,
originalText, expandedText);
- validateCreateView(desc, analyzer);
+ Table oldView = validateCreateView(desc, analyzer);
+ oldView.setDbName(viewName.getDb());
+ oldView.setTableName(viewName.getTable());
+ oldView.setTableType(TableType.VIRTUAL_VIEW);
rootTasks.add(TaskFactory.get(new DDLWork(getInputs(), getOutputs(),
desc)));
- DDLUtils.addDbAndTableToOutputs(getDatabase(viewName.getDb()), viewName,
TableType.VIRTUAL_VIEW, false,
- null, outputs);
+ DDLUtils.addDbAndTableToOutputs(getDatabase(viewName.getDb()), oldView,
outputs);
}
- private void validateCreateView(AlterViewAsDesc desc, SemanticAnalyzer
analyzer) throws SemanticException {
+ private Table validateCreateView(AlterViewAsDesc desc, SemanticAnalyzer
analyzer) throws SemanticException {
validateTablesUsed(analyzer);
Table oldView = null;
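Review bot: The three setters added after `Table oldView = validateCreateView(desc, analyzer);` overwrite the name and type on the object that then becomes the `WriteEntity` handed to authorization, and nothing in the hunk explains why a view loaded by name would need them. If `oldView` is the instance fetched from the metastore (the lookup sits between the two hunks of this file and is not shown), `oldView.setTableType(TableType.VIRTUAL_VIEW)` would report a view to the authorizer even when the existing object is of another type, and the mutation is visible to anything else holding that instance. I would either drop the setters or add a comment such as `// owner comes from the loaded view; name and type are pinned to the statement's target for the authorization event`. The dereference in `oldView.setDbName(...)` also relies on `validateCreateView` never returning null, which should be stated in that method's Javadoc, since `Table oldView = null;` is the last line of it visible here.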
@@ -90,5 +92,6 @@ private void validateCreateView(AlterViewAsDesc desc,
SemanticAnalyzer analyzer)
}
validateReplaceWithPartitions(desc.getViewName(), oldView, null);
+ return oldView;
}
}
diff --git a/ql/src/test/queries/clientnegative/authorization_alter_view.q
b/ql/src/test/queries/clientnegative/authorization_alter_view.q
new file mode 100644
index 00000000000..25ce3defc30
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_alter_view.q
@@ -0,0 +1,24 @@
+--! qt:authorizer
+set hive.test.authz.sstd.hs2.mode=true;
+set
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set
hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+
+-- create db1, tab1, view1 as hive_admin_user
+set user.name=hive_admin_user;
+set role ADMIN;
+
+create database db1;
+create table db1.tab1(i int);
+create view db1.view1 as select * from db1.tab1;
+
+-- grant select privileges on db1 and view1
+GRANT select ON DATABASE db1 TO USER user2;
+GRANT select ON TABLE db1.view1 to USER user2;
+
+-- create db2, tab2 as user2
+set user.name=user2;
+create database db2;
+create table db2.tab2(i int);
+
+-- try to alter view1 as user2 and it should fail as user2 doesn't have
required privilege
+alter view db1.view1 as select * from db2.tab2
\ No newline at end of file
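Review bot: This negative case only shows that user2, who owns neither db1 nor view1, is refused, which does not by itself demonstrate that the view's owner now reaches the authorizer. The diffstat lists no clientpositive test, so a companion case would pin the owner path the commit title describes: a non-admin user creates a view and then runs `alter view ... as select ...` on it successfully. The file also ends without a trailing newline after the final `alter view db1.view1 as select * from db2.tab2`.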
diff --git a/ql/src/test/results/clientnegative/authorization_alter_view.q.out
b/ql/src/test/results/clientnegative/authorization_alter_view.q.out
new file mode 100644
index 00000000000..68c0fab6416
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_alter_view.q.out
@@ -0,0 +1,54 @@
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: create database db1
+PREHOOK: type: CREATEDATABASE
+PREHOOK: Output: database:db1
+POSTHOOK: query: create database db1
+POSTHOOK: type: CREATEDATABASE
+POSTHOOK: Output: database:db1
+PREHOOK: query: create table db1.tab1(i int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:db1
+PREHOOK: Output: db1@tab1
+POSTHOOK: query: create table db1.tab1(i int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:db1
+POSTHOOK: Output: db1@tab1
+PREHOOK: query: create view db1.view1 as select * from db1.tab1
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: db1@tab1
+PREHOOK: Output: database:db1
+PREHOOK: Output: db1@view1
+POSTHOOK: query: create view db1.view1 as select * from db1.tab1
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: db1@tab1
+POSTHOOK: Output: database:db1
+POSTHOOK: Output: db1@view1
+POSTHOOK: Lineage: view1.i SIMPLE [(tab1)tab1.FieldSchema(name:i, type:int,
comment:null), ]
+PREHOOK: query: GRANT select ON DATABASE db1 TO USER user2
+PREHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: query: GRANT select ON DATABASE db1 TO USER user2
+POSTHOOK: type: GRANT_PRIVILEGE
+PREHOOK: query: GRANT select ON TABLE db1.view1 to USER user2
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: db1@view1
+POSTHOOK: query: GRANT select ON TABLE db1.view1 to USER user2
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: db1@view1
+PREHOOK: query: create database db2
+PREHOOK: type: CREATEDATABASE
+PREHOOK: Output: database:db2
+POSTHOOK: query: create database db2
+POSTHOOK: type: CREATEDATABASE
+POSTHOOK: Output: database:db2
+PREHOOK: query: create table db2.tab2(i int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:db2
+PREHOOK: Output: db2@tab2
+POSTHOOK: query: create table db2.tab2(i int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:db2
+POSTHOOK: Output: db2@tab2
+FAILED: HiveAccessControlException Permission denied: Principal [name=user2,
type=USER] does not have following privileges for operation ALTERVIEW_AS
[[OBJECT OWNERSHIP] on Object [type=DATABASE, name=db1], [OBJECT OWNERSHIP] on
Object [type=TABLE_OR_VIEW, name=db1.view1]]
diff --git a/ql/src/test/results/clientpositive/llap/lineage3.q.out
b/ql/src/test/results/clientpositive/llap/lineage3.q.out
index 8ea78bcc827..e00fcd21fd0 100644
--- a/ql/src/test/results/clientpositive/llap/lineage3.q.out
+++ b/ql/src/test/results/clientpositive/llap/lineage3.q.out
@@ -321,7 +321,7 @@ PREHOOK: type: ALTERVIEW_AS
PREHOOK: Input: default@alltypesorc
PREHOOK: Output: database:default
PREHOOK: Output: default@dest_v3
-{"version":"1.0","engine":"tez","database":"default","hash":"81bb549360513aeae39a3bd971405be3","queryText":"alter
view dest_v3 as\n select * from (\n select sum(a.ctinyint) over (partition
by a.csmallint order by a.csmallint) a,\n count(b.cstring1) x,
b.cboolean1\n from alltypesorc a join alltypesorc b on (a.cint = b.cint)\n
where a.cboolean2 = true and b.cfloat > 0\n group by a.ctinyint,
a.csmallint, b.cboolean1\n having count(a.cint) > 10\n order by a, x,
b.cboo [...]
+{"version":"1.0","engine":"tez","database":"default","hash":"81bb549360513aeae39a3bd971405be3","queryText":"alter
view dest_v3 as\n select * from (\n select sum(a.ctinyint) over (partition
by a.csmallint order by a.csmallint) a,\n count(b.cstring1) x,
b.cboolean1\n from alltypesorc a join alltypesorc b on (a.cint = b.cint)\n
where a.cboolean2 = true and b.cfloat > 0\n group by a.ctinyint,
a.csmallint, b.cboolean1\n having count(a.cint) > 10\n order by a, x,
b.cboo [...]
PREHOOK: query: select * from dest_v3 limit 2
PREHOOK: type: QUERY
PREHOOK: Input: default@alltypesorc