Carter Shanklin created HIVE-15689:
--------------------------------------

             Summary: SQL standard auth makes privilege manage difficult by throwing errors aggressively
                 Key: HIVE-15689
                 URL: https://issues.apache.org/jira/browse/HIVE-15689
             Project: Hive
          Issue Type: Improvement
            Reporter: Carter Shanklin
            Priority: Minor


Consider an application that tries to help users manage Hive authorizations by 
generating SQL statements based on a selection of privileges.

Suppose the user first selects to only allow select, then later allows the user 
to both select and update.

{code}
0: jdbc:hive2://localhost:10000/default> grant select on table secured to role public;
No rows affected (0.029 seconds)
0: jdbc:hive2://localhost:10000/default> grant select, update on table secured to role public;
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: java.lang.RuntimeException: InvalidObjectException(message:SELECT is already granted on table [default,secured] by hive) (state=08S01,code=1)
{code}

The update privilege is in fact not granted. To get around this the application 
would have to probe all privileges, determine that select is already present, 
then generate just a grant of update. Alternatively the app could generate 
grants individually and just ignore all errors.

It would be more convenient if this just wasn't treated as an error.

Compare: Postgres:
{code}
vagrant=# grant select on table secured to public;
GRANT
vagrant=# grant select, update on table secured to public;
GRANT
vagrant=# grant select, update on table secured to public;
GRANT
vagrant=# revoke select, update on table secured from public;
REVOKE
vagrant=# revoke select, update on table secured from public;
REVOKE
{code}

Here even revokes that don't have any effect are ignored.



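The first workaround described in the report (probe the existing privileges, then grant only what is missing), sketched as an added example that is not part of the original message or of Hive. The function name `plan_role_privileges`, the restriction to unqualified identifiers, and the assumption that the application has already collected the current privilege set (for instance from `SHOW GRANT` output) are all hypothetical choices made for illustration.

```python
import re

# Table privileges of Hive SQL standard based authorization
# (ALL PRIVILEGES is left out to keep the example small).
HIVE_PRIVILEGES = ("SELECT", "INSERT", "UPDATE", "DELETE")

# Assumption: unqualified, unquoted identifiers only, so that generated
# statements cannot carry injected SQL.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def plan_role_privileges(table, role, current, desired):
    """Return the statements that move `role` on `table` from the
    `current` privilege set to the `desired` one.

    `current` is assumed to come from the application's own probe of
    the existing grants; privileges already present are never re-granted,
    which avoids the "already granted" error shown in the report.
    """
    for name in (table, role):
        if not _IDENT.match(name):
            raise ValueError(f"unsafe identifier: {name!r}")
    cur = {p.upper() for p in current}
    want = {p.upper() for p in desired}
    unknown = (cur | want) - set(HIVE_PRIVILEGES)
    if unknown:
        raise ValueError(f"unknown privileges: {sorted(unknown)}")

    # Iterate over HIVE_PRIVILEGES so the output order is stable.
    to_grant = [p for p in HIVE_PRIVILEGES if p in want - cur]
    to_revoke = [p for p in HIVE_PRIVILEGES if p in cur - want]

    stmts = []
    if to_grant:
        stmts.append(f"GRANT {', '.join(to_grant)} ON TABLE {table} TO ROLE {role}")
    if to_revoke:
        stmts.append(f"REVOKE {', '.join(to_revoke)} ON TABLE {table} FROM ROLE {role}")
    return stmts


if __name__ == "__main__":
    # Constructed input matching the scenario in the report.
    print(plan_role_privileges("secured", "public", {"select"}, {"select", "update"}))
```
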