saihemanth-cloudera commented on code in PR #4276:
URL: https://github.com/apache/hive/pull/4276#discussion_r1181823272


##########
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java:
##########
@@ -201,8 +201,7 @@ private static void addHivePrivObject(Entity privObject, 
Map<String, List<String
           HiveConf.ConfVars.HIVE_AUTHORIZATION_TABLES_ON_STORAGEHANDLERS)) {
         //TODO: add hive privilege object for storage based handlers for 
create and alter table commands.
         if (hiveOpType == HiveOperationType.CREATETABLE ||
-                hiveOpType == HiveOperationType.ALTERTABLE_PROPERTIES ||
-                hiveOpType == HiveOperationType.CREATETABLE_AS_SELECT) {
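Review bot: the hunk drops `ALTERTABLE_PROPERTIES` together with `CREATETABLE_AS_SELECT`, but the justification given below covers only CTAS, and the TODO comment directly above the condition still says the privilege object is added "for create and alter table commands". The storage URL is itself a table property (`hive.sql.jdbc.url` in the example's TBLPROPERTIES), so an ALTER TABLE ... SET TBLPROPERTIES that repoints an existing table at a different JDBC URL would no longer require any privilege on that new URL once this branch is gone. Either keep `hiveOpType == HiveOperationType.ALTERTABLE_PROPERTIES ||` in the condition, or state why it is safe to remove and update the TODO comment so it no longer promises a check for alter table.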

Review Comment:
   IMO, I don't think we would need read permissions on the JDBC url.
   _Some history about storage URLs:_ Why do we need the read permission on the JDBC url?
   Whenever you are creating/altering a table based on an external storage handler (eg: kafka, hbase), with impersonation disabled from hive 3.x, Hive should know which end user is reading/writing to external tables. So we have introduced read/write privileges on storage urls.
   _The reason behind removing Read/write privileges on storage URLs for CTAS queries:_ Consider this use case:
   > Let's say a user 'foo' is running the statement below
   ```sql
   CREATE EXTERNAL TABLE default.jdbctable (DB_ID bigint)
   STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
   TBLPROPERTIES (
     'hive.sql.database.type' = 'MYSQL',
     'hive.sql.jdbc.driver'   = 'com.mysql.jdbc.Driver',
     'hive.sql.jdbc.url'      = 'jdbc:mysql://somehostname:3306/hive1',
     'hive.sql.dbcp.username' = 'hive1',
     'hive.sql.dbcp.password' = 'hive1',
     'hive.sql.query'         = 'SELECT DB_ID FROM DBS'
   );
   ```
   To create this 'jdbctable', user 'foo' needs to have create privileges on the storage url 'jdbc:mysql://somehostname:3306/hive1'
   > When another user 'foobar' tries to do something like below
   ```sql
   CREATE TABLE default.hivetablefromjdbc as select * from default.jdbctable;
   ```
   Now the user 'foobar' requires only select privileges on the source table 'jdbctable', and only the data present in the table 'jdbctable' will be inserted into the target table 'hivetablefromjdbc'. So we are not really reading anything from the storage URL, and hence the read permissions are not required for CTAS queries.
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]