[
https://issues.apache.org/jira/browse/HIVE-23454?focusedWorklogId=481062&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-481062
]
ASF GitHub Bot logged work on HIVE-23454:
-----------------------------------------
Author: ASF GitHub Bot
Created on: 09/Sep/20 21:22
Start Date: 09/Sep/20 21:22
Worklog Time Spent: 10m
Work Description: vineetgarg02 commented on a change in pull request
#1471:
URL: https://github.com/apache/hive/pull/1471#discussion_r485929257
##########
File path:
ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/rules/views/HiveMaterializedViewUtils.java
##########
@@ -347,6 +355,38 @@ public static RelNode copyNodeNewCluster(RelOptCluster
optCluster, RelNode node)
}
}
+ /**
+ * Validate if given materialized view has SELECT privileges for current user
+ * @param cachedMVTable
+ * @return false if user does not have privilege otherwise true
+ * @throws HiveException
+ */
+ public static boolean checkPrivilegeForMV(List<Table> cachedMVTableList)
throws HiveException {
Review comment:
Done
##########
File path: ql/src/java/org/apache/hadoop/hive/ql/parse/CalcitePlanner.java
##########
@@ -2280,6 +2280,15 @@ private RelNode
applyMaterializedViewRewriting(RelOptPlanner planner, RelNode ba
return calcitePreMVRewritingPlan;
}
+ try {
+ if
(!HiveMaterializedViewUtils.checkPrivilegeForMV(materializedViewsUsedAfterRewrite))
{
+ // if materialized views do not have appropriate privilges, we
shouldn't be using them
Review comment:
Fixed
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
Issue Time Tracking
-------------------
Worklog Id: (was: 481062)
Time Spent: 1h 10m (was: 1h)
> Querying hive table which has Materialized view fails with
> HiveAccessControlException
> -------------------------------------------------------------------------------------
>
> Key: HIVE-23454
> URL: https://issues.apache.org/jira/browse/HIVE-23454
> Project: Hive
> Issue Type: Bug
> Components: Authorization, HiveServer2
> Affects Versions: 3.0.0, 3.2.0
> Reporter: Chiran Ravani
> Assignee: Vineet Garg
> Priority: Critical
> Labels: pull-request-available
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> Query fails with HiveAccessControlException against table when there is
> Materialized view pointing to that table which end user does not have access
> to, but the actual table user has all the privileges.
> From the HiveServer2 logs - it looks as part of optimization Hive uses
> materialized view to query the data instead of table and since end user does
> not have access on MV we receive HiveAccessControlException.
> https://github.com/apache/hive/blob/master/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/cost/HiveVolcanoPlanner.java#L99
> The Simplest reproducer for this issue is as below.
> 1. Create a table using hive user and insert some data
> {code:java}
> create table db1.testmvtable(id int, name string) partitioned by(year int);
> insert into db1.testmvtable partition(year=2020) values(1,'Name1');
> insert into db1.testmvtable partition(year=2020) values(1,'Name2');
> insert into db1.testmvtable partition(year=2016) values(1,'Name1');
> insert into db1.testmvtable partition(year=2016) values(1,'Name2');
> {code}
> 2. Create Materialized view on top of above table with partitioned and where
> clause as hive user.
> {code:java}
> CREATE MATERIALIZED VIEW db2.testmv PARTITIONED ON(year) as select * from
> db1.testmvtable tmv where year >= 2018;
> {code}
> 3. Grant all (Select to be minimum) access to user 'chiran' via Ranger on
> database db1.
> 4. Run select on base table db1.testmvtable as 'chiran' with where clause
> having partition value >=2018, it runs into HiveAccessControlException on
> db2.testmv
> {code:java}
> eg:- (select * from db1.testmvtable where year=2020;)
> 0: jdbc:hive2://node2> select * from db1.testmvtable where year=2020;
> Error: Error while compiling statement: FAILED: HiveAccessControlException
> Permission denied: user [chiran] does not have [SELECT] privilege on
> [db2/testmv/*] (state=42000,code=40000)
> {code}
> 5. This works when partition column is not in MV
> {code:java}
> 0: jdbc:hive2://node2> select * from db1.testmvtable where year=2016;
> DEBUG : Acquired the compile lock.
> INFO : Compiling
> command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a):
> select * from db1.testmvtable where year=2016
> DEBUG : Encoding valid txns info 897:9223372036854775807::893,895,896
> txnid:897
> INFO : Semantic Analysis Completed (retrial = false)
> INFO : Returning Hive schema:
> Schema(fieldSchemas:[FieldSchema(name:testmvtable.id, type:int,
> comment:null), FieldSchema(name:testmvtable.name, type:string, comment:null),
> FieldSchema(name:testmvtable.year, type:int, comment:null)], properties:null)
> INFO : Completed compiling
> command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a);
> Time taken: 0.222 seconds
> DEBUG : Encoding valid txn write ids info
> 897$db1.testmvtable:4:9223372036854775807:: txnid:897
> INFO : Executing
> command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a):
> select * from db1.testmvtable where year=2016
> INFO : Completed executing
> command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a);
> Time taken: 0.008 seconds
> INFO : OK
> DEBUG : Shutting down query select * from db1.testmvtable where year=2016
> +-----------------+-------------------+-------------------+
> | testmvtable.id | testmvtable.name | testmvtable.year |
> +-----------------+-------------------+-------------------+
> | 1 | Name1 | 2016 |
> | 1 | Name2 | 2016 |
> +-----------------+-------------------+-------------------+
> 2 rows selected (0.302 seconds)
> 0: jdbc:hive2://node2>
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
