[ https://issues.apache.org/jira/browse/HIVE-7943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14120633#comment-14120633 ]
Ashu Pachauri commented on HIVE-7943:
-------------------------------------

Okay, I understand the rationale behind the separation. But I am confused between the two cases:
1. Owner grants are tightly bound to the user who creates the table.
2. Owner grants are tightly bound only to the table (in metadata) but apply only to the current owner.

If case 1 is true, we can just append owner privileges to user privs at table creation time.
If case 2 is true, we need some place to store owner privileges in the metadata at table creation time and merge them with current user privileges (if he is the owner) at the time of authorization.

> hive.security.authorization.createtable.owner.grants is ineffective with Default Authorization
> ----------------------------------------------------------------------------------------------
>
>                 Key: HIVE-7943
>                 URL: https://issues.apache.org/jira/browse/HIVE-7943
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 0.13.1
>            Reporter: Ashu Pachauri
>         Attachments: HIVE-7943.1.patch
>
>
> HIVE-6250 separates owner privileges from user privileges. However, Default Authorization does not adapt to the change and table owners do not inherit permissions from the config.
> Steps to Reproduce:
> set hive.security.authorization.enabled=true;
> set hive.security.authorization.createtable.owner.grants=ALL;
> create table temp_table(id int, value string);
> drop table temp_table;
> The above set of operations throws the following error:
>
> Authorization failed:No privilege 'Drop' found for outputs { database:default, table:temp_table}. Use SHOW GRANT to get more details.
> 14/09/02 17:49:38 ERROR ql.Driver: Authorization failed:No privilege 'Drop' found for outputs { database:default, table:temp_table}. Use SHOW GRANT to get more details.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
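
The two cases in the comment above behave identically until the table's owner changes. The following model is an added illustration, not Hive code and not part of the original message; every class and function name, the sample privilege set, and the ownership-transfer step are assumptions made for the example.

```python
# Illustrative model only: this is not Hive's metastore or authorization API.
# All names are hypothetical and the privilege set is a constructed sample.
from dataclasses import dataclass, field

# Stands in for the value of hive.security.authorization.createtable.owner.grants
OWNER_GRANTS = frozenset({"SELECT", "ALTER", "DROP"})


@dataclass
class Table:
    name: str
    owner: str
    user_privs: dict = field(default_factory=dict)  # user -> set of privileges
    owner_privs: frozenset = frozenset()             # populated in case 2 only


def create_case1(name, creator):
    """Case 1: owner grants are appended to the creator's user privileges."""
    table = Table(name, creator)
    table.user_privs[creator] = set(OWNER_GRANTS)
    return table


def create_case2(name, creator):
    """Case 2: owner grants are stored on the table, apart from user privileges."""
    return Table(name, creator, owner_privs=OWNER_GRANTS)


def authorize(table, user, priv):
    """Merge stored owner grants into the check only for the current owner."""
    effective = set(table.user_privs.get(user, ()))
    if user == table.owner:
        effective |= table.owner_privs
    return priv in effective


def transfer(table, new_owner):
    """Assumed operation: change the owner recorded in the table metadata."""
    table.owner = new_owner
    return table


if __name__ == "__main__":
    for create in (create_case1, create_case2):
        t = transfer(create("temp_table", "alice"), "bob")
        print(create.__name__,
              "alice DROP:", authorize(t, "alice", "DROP"),
              "bob DROP:", authorize(t, "bob", "DROP"))
```

In this model, case 1 leaves the creator holding the privileges after a transfer while the new owner has none, and case 2 moves them with ownership; that difference is the access-control consequence to settle when choosing between the two.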