Carter Shanklin created HIVE-15689:
--------------------------------------

Summary: SQL standard auth makes privilege manage difficult by throwing errors aggressively
Key: HIVE-15689
URL: https://issues.apache.org/jira/browse/HIVE-15689
Project: Hive
Issue Type: Improvement
Reporter: Carter Shanklin
Priority: Minor

Consider an application that tries to help users manage Hive authorizations by generating SQL statements based on a selection of privileges.

Suppose the user first selects to only allow select, then later allows the user to both select and update.

{code}
0: jdbc:hive2://localhost:10000/default> grant select on table secured to role public;
No rows affected (0.029 seconds)
0: jdbc:hive2://localhost:10000/default> grant select, update on table secured to role public;
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: java.lang.RuntimeException: InvalidObjectException(message:SELECT is already granted on table [default,secured] by hive) (state=08S01,code=1)
{code}

The update privilege is in fact not granted.

To get around this the application would have to probe all privileges, determine that select is already present, then generate just a grant of update. Alternatively the app could generate grants individually and just ignore all errors.

It would be more convenient if this just wasn't treated as an error.

Compare:

Postgres:
{code}
vagrant=# grant select on table secured to public;
GRANT
vagrant=# grant select, update on table secured to public;
GRANT
vagrant=# grant select, update on table secured to public;
GRANT
vagrant=# revoke select, update on table secured from public;
REVOKE
vagrant=# revoke select, update on table secured from public;
REVOKE
{code}

Here even revokes that don't have any effect are ignored.
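The probe-then-grant workaround described in the report, sketched as an added example (not code from the report or from Hive). It assumes the application has already read the role's current privileges on the table, for instance from `SHOW GRANT`; `plan_statements` and its helpers are hypothetical names, and names are allowlisted because they are pasted into SQL text.

```python
import re

# Table-level privileges in Hive SQL standard based authorization.
KNOWN_PRIVILEGES = ("SELECT", "INSERT", "UPDATE", "DELETE")
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")


def _normalize(privileges):
    """Upper-case privilege names and validate them against the allowlist."""
    result = set()
    for p in privileges:
        name = p.strip().upper()
        if name not in KNOWN_PRIVILEGES:
            raise ValueError(f"unknown privilege: {p!r}")
        result.add(name)
    return result


def _ident(name):
    """Reject anything that is not a plain identifier before it reaches SQL."""
    if not _IDENT.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


def plan_statements(table, role, current, desired):
    """Return the GRANT/REVOKE statements that move `current` to `desired`.

    Only the difference is emitted, so a privilege that is already granted
    is never granted again and an absent one is never revoked.
    """
    table, role = _ident(table), _ident(role)
    current, desired = _normalize(current), _normalize(desired)
    order = KNOWN_PRIVILEGES.index  # stable, readable statement ordering
    to_grant = sorted(desired - current, key=order)
    to_revoke = sorted(current - desired, key=order)
    statements = []
    if to_grant:
        statements.append(
            f"GRANT {', '.join(to_grant)} ON TABLE {table} TO ROLE {role}")
    if to_revoke:
        statements.append(
            f"REVOKE {', '.join(to_revoke)} ON TABLE {table} FROM ROLE {role}")
    return statements


if __name__ == "__main__":
    # Constructed state matching the report: SELECT is already granted.
    print(plan_statements("secured", "public", {"select"}, {"select", "update"}))
```

Unlike the "ignore all errors" alternative, this keeps real failures such as a missing table or insufficient rights visible to the caller.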