[ 
https://issues.apache.org/jira/browse/HIVE-7943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14120395#comment-14120395
 ] 

Ashu Pachauri commented on HIVE-7943:
-------------------------------------

Is that the purpose of the configuration flag? I thought the reason for 
separating owner grants from user grants was that the owner grants are 
dynamically applied at the time of authorization to the current owner (if there 
were a way to change the owner). If they are persisted in metadata, the 
grants need to be changed when the owner changes or when the configuration 
property changes (e.g. from ALL to SELECT, DROP, etc.).

"show grant on temp_table" gives me empty results unless I explicitly do a 
'grant all on temp_table to user testuser'. The problem is not observed only 
with "ALL" privileges. The same problem is encountered when I change the 
configuration property to DROP instead of ALL.

> hive.security.authorization.createtable.owner.grants is ineffective with 
> Default Authorization
> ----------------------------------------------------------------------------------------------
>
>                 Key: HIVE-7943
>                 URL: https://issues.apache.org/jira/browse/HIVE-7943
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 0.13.1
>            Reporter: Ashu Pachauri
>         Attachments: HIVE-7943.1.patch
>
>
> HIVE-6250 separates owner privileges from user privileges. However, Default 
> Authorization does not adapt to the change and table owners do not inherit 
> permissions from the config.
> Steps to Reproduce:
> set hive.security.authorization.enabled=true;
> set hive.security.authorization.createtable.owner.grants=ALL;
> create table temp_table(id int, value string);
> drop table temp_table;
> The above set of operations throws the following error:
>                         
> Authorization failed:No privilege 'Drop' found for outputs { 
> database:default, table:temp_table}. Use SHOW GRANT to get more details.
> 14/09/02 17:49:38 ERROR ql.Driver: Authorization failed:No privilege 'Drop' 
> found for outputs { database:default, table:temp_table}. Use SHOW GRANT to 
> get more details.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
