[ https://issues.apache.org/jira/browse/HIVE-5479?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13788677#comment-13788677 ]
Sushanth Sowmyan commented on HIVE-5479:
----------------------------------------

Available workaround: If the problem is observed in hcat commandline, then instead of running hcat -e 'show databases;', run hive -e 'show databases;'. If using webhcat in secure mode, then there's no way to get around it using hcat, then in that case, the suggested workaround would be to disable client-side authorization or SBAP on client-side to get around this problem. Metastore-side authorization can still be used.

> SBAP restricts hcat -e 'show databases'
> ---------------------------------------
>
>                 Key: HIVE-5479
>                 URL: https://issues.apache.org/jira/browse/HIVE-5479
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization, HCatalog
>    Affects Versions: 0.12.0
>            Reporter: Sushanth Sowmyan
>            Assignee: Sushanth Sowmyan
>         Attachments: HIVE-5479.patch
>
>
> During testing for 0.12, it was found that if someone tries to use the SBAP
> as a client-side authorization provider, and runs hcat -e "show databases;",
> SBAP denies permission to the user.
> Looking at SBAP code, why it does so is self-evident from this section:
> {code}
>   @Override
>   public void authorize(Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)
>       throws HiveException, AuthorizationException {
>     // Currently not used in hive code-base, but intended to authorize actions
>     // that are directly user-level. As there's no storage based aspect to this,
>     // we can follow one of two routes:
>     // a) We can allow by default - that way, this call stays out of the way
>     // b) We can deny by default - that way, no privileges are authorized that
>     //    is not understood and explicitly allowed.
>     // Both approaches have merit, but given that things like grants and revokes
>     // that are user-level do not make sense from the context of storage-permission
>     // based auth, denying seems to be more canonical here.
>     throw new AuthorizationException(StorageBasedAuthorizationProvider.class.getName() +
>         " does not allow user-level authorization");
>   }
> {code}
> Thus, this deny-by-default behaviour affects the "show databases" call from
> hcat cli, which uses user-level privileges to determine if a user can perform
> that.

--
This message was sent by Atlassian JIRA
(v6.1#6144)
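
The workaround from the comment above, sketched as hive-site.xml settings: client-side authorization off, storage-based authorization kept on the metastore side. This is an added example, not part of the original JIRA comment or the attached patch; it assumes the client (hcat/webhcat) and the metastore server read separate configuration files and uses the standard Hive property and class names for these settings.

```xml
<!-- Client-side hive-site.xml (read by hcat / webhcat).
     Setup that triggers the denial described in the issue, shown for contrast:
       hive.security.authorization.enabled = true
       hive.security.authorization.manager =
         org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider
     Workaround: turn client-side authorization off so the user-level
     authorize() call in SBAP is never reached from the hcat CLI. -->
<property>
  <name>hive.security.authorization.enabled</name>
  <value>false</value>
</property>

<!-- Metastore-side hive-site.xml (read by the metastore server).
     Storage-based authorization stays enforced here, on every metadata
     operation that reaches the metastore. -->
<property>
  <name>hive.metastore.pre.event.listeners</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
</property>
<property>
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
<property>
  <name>hive.security.metastore.authenticator.manager</name>
  <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
</property>
```

With this split, enforcement happens inside the metastore server process, so it holds only for clients that go through the remote metastore rather than connecting to the backing database directly.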