[jira] [Commented] (SENTRY-849) [column level privilege] without table level privilege and column level privilege for column i, test user can still explain select column from test_tb;

[guoquan (JIRA)]

    [ 
https://issues.apache.org/jira/browse/SENTRY-849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14708006#comment-14708006
 ] 

guoquan commented on SENTRY-849:
--------------------------------

Hi [~anneyu], [~sravya], I found the apache hive doesn't this functionality. I 
set up the testing environment with the hadoop-2.6.0 and hive-1.1.0.
{code}
hive> select i from test_tb;
Authorization failed:No privilege 'Select' found for inputs { database:db_1, 
table:test_tb, columnName:i}. Use SHOW GRANT to get more details.
hive> select i from test_tb;
Authorization failed:No privilege 'Select' found for inputs { database:db_1, 
table:test_tb, columnName:i}. Use SHOW GRANT to get more details.
hive> explain select i from test_tb;
OK
STAGE DEPENDENCIES:
  Stage-0 is a root stage

STAGE PLANS:
  Stage: Stage-0
    Fetch Operator
      limit: -1
      Processor Tree:
        TableScan
          alias: test_tb
          Statistics: Num rows: 0 Data size: 12 Basic stats: PARTIAL Column 
stats: NONE
          Select Operator
            expressions: i (type: string)
            outputColumnNames: _col0
            Statistics: Num rows: 0 Data size: 12 Basic stats: PARTIAL Column 
stats: NONE
            ListSink

Time taken: 0.104 seconds, Fetched: 17 row(s)
{code}.
Should we need to support this new feature. I am afraid this new feature should 
change code in Hive side.

> [column level privilege] without table level privilege and column level 
> privilege for column i, test user can still explain select column from 
> test_tb;
> -------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-849
>                 URL: https://issues.apache.org/jira/browse/SENTRY-849
>             Project: Sentry
>          Issue Type: Bug
>    Affects Versions: 1.5.1
>            Reporter: Anne Yu
>            Assignee: guoquan
>
> {code}
> 0: jdbc:hive2://anneyu-cdh55-1.vpc.cloudera.c> show grant role test_role on 
> table test_tb;
> +-----------+----------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | database  |  table   | partition  | column  | principal_name  | 
> principal_type  | privilege  | grant_option  |    grant_time     | grantor  |
> +-----------+----------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> | test_db   | test_tb  |            | s       | test_role       | ROLE        
>     | select     | false         | 1439502394526000  | --       |
> +-----------+----------+------------+---------+-----------------+-----------------+------------+---------------+-------------------+----------+--+
> {code}
> However explain "select i from test_tb" shows the column "i" test_user 
> doesn't have privileges.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)