[ https://issues.apache.org/jira/browse/HIVE-7943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14120395#comment-14120395 ]
Ashu Pachauri commented on HIVE-7943:
-------------------------------------

Is that the purpose of the configuration flag? I thought the reason for separating owner grants from user grants was that the owner grants are dynamically applied at the time of authorization to the current owner (if there would be a way to change the owner). If they are persisted in metadata, the grants need to be changed when the owner changes or when the configuration property changes. (E.g. From ALL to SELECT, DROP etc.)

"show grant on temp_table" gives me empty results unless I explicitly do a 'grant all on temp_table to user testuser'. The problem is not observed only with "ALL" privileges. Same problem is encountered when I change the configuration property to DROP instead of ALL.

> hive.security.authorization.createtable.owner.grants is ineffective with Default Authorization
> ----------------------------------------------------------------------------------------------
>
>                 Key: HIVE-7943
>                 URL: https://issues.apache.org/jira/browse/HIVE-7943
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 0.13.1
>            Reporter: Ashu Pachauri
>         Attachments: HIVE-7943.1.patch
>
>
> HIVE-6250 separates owner privileges from user privileges. However, Default Authorization does not adapt to the change and table owners do not inherit permissions from the config.
> Steps to Reproduce:
> set hive.security.authorization.enabled=true;
> set hive.security.authorization.createtable.owner.grants=ALL;
> create table temp_table(id int, value string);
> drop table temp_table;
> Above set of operations throw the following error:
>
> Authorization failed:No privilege 'Drop' found for outputs { database:default, table:temp_table}. Use SHOW GRANT to get more details.
> 14/09/02 17:49:38 ERROR ql.Driver: Authorization failed:No privilege 'Drop' found for outputs { database:default, table:temp_table}. Use SHOW GRANT to get more details.