[ https://issues.apache.org/jira/browse/HIVE-27326?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Riju Trivedi reassigned HIVE-27326:
-----------------------------------

    Assignee: Riju Trivedi

> Hive Authorizer not receiving resource information for few alter queries
> causing authorization check to fail
> ------------------------------------------------------------------------------------------------------------
>
> Key: HIVE-27326
> URL: https://issues.apache.org/jira/browse/HIVE-27326
> Project: Hive
> Issue Type: Bug
> Components: Authorization
> Affects Versions: 3.1.2
> Reporter: Jai Patel
> Assignee: Riju Trivedi
> Priority: Major
>
> We have a Ranger plugin implemented for HiveService which uses the hook
> provided by the HiveService i.e. the "{*}checkPrivileges{*}" method in
> "org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer.java"
> -
> [https://github.com/apache/hive/blob/master/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java#L163|http://example.com/].
> We do authorization based on the information provided in the *inputObjs* and
> *outputObjs* parameters.
> This *works fine* for the normal alter query like -
> {code:java}
> ALTER TABLE hr ADD COLUMNS (country VARCHAR(255)){code}
> Logs -
> {code:java}
> 2023-05-08T14:31:40,505 DEBUG [c85f84fd-85d6-4e1a-ae72-ea07323e1a93
> HiveServer2-Handler-Pool: Thread-90]
> ranger.authorization.hive.authorizer.RangerHiveAuthorizer:
> 'checkPrivileges':{'hiveOpType':ALTERTABLE_ADDCOLS,
> 'inputHObjs':['HivePrivilegeObject':{'type':TABLE_OR_VIEW, 'dbName':test,
> 'objectType':TABLE_OR_VIEW, 'objectName':hr, 'columns':[], 'partKeys':[],
> 'commandParams':[], 'actionType':OTHER}],
> 'outputHObjs':['HivePrivilegeObject':{'type':TABLE_OR_VIEW, 'dbName':test,
> 'objectType':TABLE_OR_VIEW, 'objectName':hr, 'columns':[], 'partKeys':[],
> 'commandParams':[], 'actionType':OTHER}],
> 'context':{'clientType':HIVESERVER2, 'commandString':ALTER TABLE hr ADD
> COLUMNS (country VARCHAR(255)), 'ipAddress':172.18.0.1,
> 'forwardedAddresses':null,
> 'sessionString':c85f84fd-85d6-4e1a-ae72-ea07323e1a93}, 'user':root,
> 'groups':[root]}
> {code}
>
> {color:#ff0000}*But for below alter queries, we are not getting the db and
> table information -*
> {color}Query 1 -
> {code:java}
> ALTER TABLE hr ADD CONSTRAINT unique_key_const UNIQUE (c0) DISABLE
> NOVALIDATE;{code}
> LOGS -
> {code:java}
> 2023-05-08T12:14:22,502 DEBUG [c0c66e4e-3014-4258-8e1a-7b689c2fbe6d
> HiveServer2-Handler-Pool: Thread-90]
> ranger.authorization.hive.authorizer.RangerHiveAuthorizer:
> 'checkPrivileges':{'hiveOpType':ALTERTABLE_ADDCONSTRAINT, 'inputHObjs':[],
> 'outputHObjs':[], 'context':{'clientType':HIVESERVER2, 'commandString':ALTER
> TABLE hr ADD CONSTRAINT unique_key_const1 UNIQUE (c0) DISABLE NOVALIDATE,
> 'ipAddress':172.18.0.1, 'forwardedAddresses':null, 'sessionString':c0c66{code}
> Query 2 -
> {code:java}
> ALTER TABLE temp PARTITION (c1=1) COMPACT 'minor';{code}
> Logs -
> {code:java}
> 2023-05-08T12:16:30,595 DEBUG [c0c66e4e-3014-4258-8e1a-7b689c2fbe6d
> HiveServer2-Handler-Pool: Thread-90]
> ranger.authorization.hive.authorizer.RangerHiveAuthorizer:
> 'checkPrivileges':{'hiveOpType':ALTERTABLE_COMPACT, 'inputHObjs':[],
> 'outputHObjs':[], 'context':
> {'clientType':HIVESERVER2, 'commandString':ALTER TABLE temp PARTITION (c1=1)
> COMPACT 'minor', 'ipAddress':172.18.0.1, 'forwardedAddresses':null,
> 'sessionString':c0c66e4e-3014-4258-8e1a-7b689c2fbe6d}
> , 'user':root, 'groups':[root]}
> {code}
>
>
> As you can see in the logs, we are getting empty inputHObjs and outputObjs in
> case of Alter Table Add Constraint and Partition. This is not the case for
> ALTER TABLE ADD COLUMNS and hence it works fine in that case.
> Can we fix this so as to provide proper authorization on these queries?

--
This message was sent by Atlassian Jira (v8.20.10#820010)
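
The symptom reported above, a `checkPrivileges` call whose `inputHObjs` and `outputHObjs` are both empty, can be found by scanning HiveServer2 debug logs. The following Python script is an added example, not code from Hive, Ranger or the reporter; it assumes one log entry per line in the format quoted above, and the `ALTERTABLE_` prefix filter, the helper names and the sample lines are constructed for illustration.

```python
import re

# Field layout follows the RangerHiveAuthorizer DEBUG lines quoted in the report.
CHECK_RE = re.compile(
    r"'checkPrivileges':\{'hiveOpType':(?P<op>\w+), "
    r"'inputHObjs':\[(?P<inp>.*?)\], "
    r"'outputHObjs':\[(?P<out>.*?)\], 'context':"
)
CMD_RE = re.compile(r"'commandString':(?P<cmd>.*?), 'ipAddress':")
OBJ_MARK = "'HivePrivilegeObject':"  # appears once per privilege object

def parse_check(line):
    """Return op type, object counts and command for one log line, or None."""
    m = CHECK_RE.search(line)
    if m is None:
        return None
    cmd = CMD_RE.search(line)
    return {
        "op": m.group("op"),
        "inputs": m.group("inp").count(OBJ_MARK),
        "outputs": m.group("out").count(OBJ_MARK),
        "command": cmd.group("cmd") if cmd else None,
    }

def find_empty_resource_checks(lines, op_prefix="ALTERTABLE_"):
    # Assumption of this example: an ALTER TABLE operation always targets a
    # table, so two empty lists mean the plugin had no resource to evaluate.
    recs = (parse_check(line) for line in lines)
    return [r for r in recs if r and r["op"].startswith(op_prefix)
            and r["inputs"] == 0 and r["outputs"] == 0]

# Constructed sample lines, shortened from the format shown in the report.
_OBJ = ("'HivePrivilegeObject':{'type':TABLE_OR_VIEW, 'dbName':test, "
        "'objectName':hr, 'columns':[], 'partKeys':[], 'actionType':OTHER}")

def _line(op, objs, cmd):
    return (f"2023-05-08T12:00:00,000 DEBUG [sess Thread-90] RangerHiveAuthorizer: "
            f"'checkPrivileges':{{'hiveOpType':{op}, 'inputHObjs':[{objs}], "
            f"'outputHObjs':[{objs}], 'context':{{'clientType':HIVESERVER2, "
            f"'commandString':{cmd}, 'ipAddress':172.18.0.1}}, 'user':root}}")

SAMPLE_LOG = [
    _line("ALTERTABLE_ADDCOLS", _OBJ, "ALTER TABLE hr ADD COLUMNS (country VARCHAR(255))"),
    _line("ALTERTABLE_ADDCONSTRAINT", "",
          "ALTER TABLE hr ADD CONSTRAINT unique_key_const UNIQUE (c0) DISABLE NOVALIDATE"),
    _line("ALTERTABLE_COMPACT", "", "ALTER TABLE temp PARTITION (c1=1) COMPACT 'minor'"),
]
```

Run over `SAMPLE_LOG`, `find_empty_resource_checks` returns the ADD CONSTRAINT and COMPACT entries and skips ADD COLUMNS, which carries one input and one output object.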