[jira] [Work logged] (HIVE-25680) Authorize #get_table_meta HiveMetastore Server API to use any of the HiveMetastore Authorization model

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/HIVE-25680?focusedWorklogId=684393&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-684393
 ]

ASF GitHub Bot logged work on HIVE-25680:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 21/Nov/21 19:35
            Start Date: 21/Nov/21 19:35
    Worklog Time Spent: 10m 
      Work Description: shameersss1 commented on a change in pull request #2770:
URL: https://github.com/apache/hive/pull/2770#discussion_r753676946



##########
File path: 
standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HMSHandler.java
##########
@@ -5484,6 +5509,29 @@ private void fireReadTablePreEvent(String catName, 
String dbName, String tblName
     }
   }
 
+  /**
+   * Fire a pre-event for read database operation, if there are any
+   * pre-event listeners registered
+   */
+  private void fireReadDatabasePreEvent(final String name)
+          throws MetaException, NoSuchObjectException {
+    if(preListeners.size() > 0) {
+      // do this only if there is a pre event listener registered (avoid 
unnecessary
+      // metastore api call)
+      String[] parsedDbName = parseDbName(name, conf);
+      Database db = null;
+      try {
+        db = get_database_core(parsedDbName[CAT_NAME], parsedDbName[DB_NAME]);
+        if (db == null) {
+          throw new NoSuchObjectException("Database: " + name + " not found");
+        }
+      } catch(MetaException | NoSuchObjectException e) {
+        throw new RuntimeException(e);

Review comment:
       Added tests




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 684393)
    Time Spent: 2h 40m  (was: 2.5h)

> Authorize #get_table_meta HiveMetastore Server API to use any of the 
> HiveMetastore Authorization model
> ------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-25680
>                 URL: https://issues.apache.org/jira/browse/HIVE-25680
>             Project: Hive
>          Issue Type: Bug
>          Components: Standalone Metastore
>    Affects Versions: All Versions
>            Reporter: Syed Shameerur Rahman
>            Assignee: Syed Shameerur Rahman
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 4.0.0
>
>         Attachments: Screenshot 2021-11-08 at 2.39.30 PM.png
>
>          Time Spent: 2h 40m
>  Remaining Estimate: 0h
>
> When Apache Hue or any other application which uses #get_table_meta API is 
> not gated to use any of the authorization model which HiveMetastore provides.
> For more information on Storage based Authorization Model : 
> https://cwiki.apache.org/confluence/display/Hive/HCatalog+Authorization
> You can easily reproduce this with Apache Hive + Apache Hue
> {code:java}
>   <property>
>     <name>hive.security.metastore.authorization.manager</name>
>     
> <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
>   </property>
>     <property>
>     <name>hive.security.metastore.authenticator.manager</name>
>     
> <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
>   </property>
>     <property>
>     <name>hive.metastore.pre.event.listeners</name>
>     
> <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
>   </property>
> {code}
> {code:java}
> #!/bin/bash
> set -x
> hdfs dfs -mkdir /datasets
> hdfs dfs -mkdir /datasets/database1
> hdfs dfs -mkdir /datasets/database1/table1
> echo "stefano,1992" | hdfs dfs -put - /datasets/database1/table1/file1.csv
> hdfs dfs -chmod -R 700 /datasets/database1
> sudo tee -a setup.hql > /dev/null <<EOT
> CREATE DATABASE IF NOT EXISTS database1 LOCATION "/datasets/database1";
> CREATE EXTERNAL TABLE IF NOT EXISTS database1.table1 (
>   name string, 
>   year int)
> ROW FORMAT DELIMITED
> FIELDS TERMINATED BY ','
> LOCATION
>   '/datasets/database1/table1';
> EOT
> hive -f setup.hql
> {code}
> 1. Login to Hue => create the first user called "admin" and provide a 
> password Access the Hive Editor
> 2. On the SQL section on the left under Databases you should see default and 
> database1 listed. Click on database1
> 3. As you can see a table called table1 is listed => this should not be 
> possible as our admin user has no HDFS grants on /datasets/database1
> 4. run from the Hive editor the following query SHOW TABLES; The output shows 
> a Permission denied error => this is the expected behavior



--
This message was sent by Atlassian Jira
(v8.20.1#820001)