> On May 10, 2018, 2:17 a.m., Sergio Pena wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
> > Lines 123 (patched)
> > <https://reviews.apache.org/r/67046/diff/1/?file=2019242#file2019242line123>
> >
> >     Are roles with INSERT privileges allowed to add partitions in a table? 
> >     
> >     I think that in order to add new partitions on a table, the ALTER 
> > privilege is required; and to remove partitions the DROP privilege is 
> > required. Both privileges are supported in Sentry. Can you confirm which 
> > privilege is required?
> 
> Na Li wrote:
>     I debug into the code, the following is what's filled by hive
>     
>         // input required privilege:
>     
>         //   1) select, scope: user, db, table, column 2) delete, scope: 
> user, db, table
>     
>         // output required privilege:
>     
>         //   1) insert, scope: user, db, table
> 
> Sergio Pena wrote:
>     Which code did you debug?
>     
>     Sentry has this privilege for adding partitions:
>     
>     HiveAuthzPrivileges addPartitionPrivilege = new 
> HiveAuthzPrivileges.AuthzPrivilegeBuilder().
>             addOutputObjectPriviledge(AuthorizableType.Table, 
> EnumSet.of(DBModelAction.ALTER)).
>             //TODO: Uncomment this if we want to make it more restrictive
>             //addInputObjectPriviledge(AuthorizableType.Table, 
> EnumSet.of(DBModelAction.CREATE)).
>             addInputObjectPriviledge(AuthorizableType.URI, 
> EnumSet.of(DBModelAction.SELECT)).//TODO: make it optional
>             addOutputObjectPriviledge(AuthorizableType.URI, 
> EnumSet.of(DBModelAction.ALL)).
>             setOperationScope(HiveOperationScope.TABLE).
>             setOperationType(HiveOperationType.DDL).
>             build();
>             
>     And this for dropping partitions:
>     
>     HiveAuthzPrivileges dropPartitionPrivilege = new 
> HiveAuthzPrivileges.AuthzPrivilegeBuilder().
>             addInputObjectPriviledge(AuthorizableType.Table, 
> EnumSet.of(DBModelAction.ALTER)).
>             addInputObjectPriviledge(AuthorizableType.Table, 
> EnumSet.of(DBModelAction.DROP)).
>             setOperationScope(HiveOperationScope.TABLE).
>             setOperationType(HiveOperationType.DDL).
>             build();
>             
>     Isn't exchanging partitions the same as adding a partition in the dest 
> table and dropping a partition in the source table?

1) That is why you think, but not what hive does.

Can you take a look at  input required privileges and output required 
privileges in stmtOperation for command "ALTER TABLE EXCHANGE" in following 
code of HiveAuthzBindingHook class. These are the privileges user must have in 
order to execute the command. 

  @Override
  public void postAnalyze(HiveSemanticAnalyzerHookContext context,
      List<Task<? extends Serializable>> rootTasks) throws SemanticException {
    HiveOperation stmtOperation = context.getHiveOperation();
    HiveAuthzPrivileges stmtAuthObject;

    stmtAuthObject = 
HiveAuthzPrivilegesMap.getHiveAuthzPrivileges(stmtOperation);  <-check 
stmtOperation
    
    
2) Hive actions

public enum PrivilegeType {

  ALL(HiveParser.TOK_PRIV_ALL, "All"),
  ALTER_DATA(HiveParser.TOK_PRIV_ALTER_DATA, "Update"),
  ALTER_METADATA(HiveParser.TOK_PRIV_ALTER_METADATA, "Alter"),
  CREATE(HiveParser.TOK_PRIV_CREATE, "Create"),
  DROP(HiveParser.TOK_PRIV_DROP, "Drop"),
  INDEX(HiveParser.TOK_PRIV_INDEX, "Index"),
  LOCK(HiveParser.TOK_PRIV_LOCK, "Lock"),
  SELECT(HiveParser.TOK_PRIV_SELECT, "Select"),
  SHOW_DATABASE(HiveParser.TOK_PRIV_SHOW_DATABASE, "Show_Database"),
  INSERT(HiveParser.TOK_PRIV_INSERT, "Insert"),
  DELETE(HiveParser.TOK_PRIV_DELETE, "Delete"),
  UNKNOWN(null, null);
  
3) Sentry supported actions

public enum DBModelAction implements Action {

  // SENTRY-1292
  // Need to ensure the order of enum to have SELECT in front to avoid 
performance
  // regression. Since most real use case of permissions may be read 
only(SELECT).
  SELECT(AccessConstants.SELECT),
  INSERT(AccessConstants.INSERT),
  ALTER(AccessConstants.ALTER),
  CREATE(AccessConstants.CREATE),
  DROP(AccessConstants.DROP),
  INDEX(AccessConstants.INDEX),
  LOCK(AccessConstants.LOCK),
  ALL(AccessConstants.ALL);
  
4) As you can see Hive has DELECT, but sentry does not have that. DELECT is 
different from DROP. IN "ALTER TABLE EXCHANGE", the partition is not dropped. 
It is deleted from source table and inserted into destination table. 
5) As shown in the added unit tests, you can see once granting user the 
corresponding privileges, user can execute the command. Basically, the 
privileges requested by hive have to be granted to user.


- Na


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67046/#review202818
-----------------------------------------------------------


On May 10, 2018, 1:11 a.m., Na Li wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67046/
> -----------------------------------------------------------
> 
> (Updated May 10, 2018, 1:11 a.m.)
> 
> 
> Review request for sentry.
> 
> 
> Bugs: sentry-2226
>     https://issues.apache.org/jira/browse/sentry-2226
> 
> 
> Repository: sentry
> 
> 
> Description
> -------
> 
> add support for "ALTER TABLE EXCHANGE"
> 
> 
> Diffs
> -----
> 
>   
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
>  ffa193f 
>   
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbColumnLevelMetaDataOps.java
>  3735179 
> 
> 
> Diff: https://reviews.apache.org/r/67046/diff/1/
> 
> 
> Testing
> -------
> 
> unit test for "ALTER TABLE EXCHANGE" succeeded
> 
> 
> Thanks,
> 
> Na Li
> 
>

Reply via email to