[jira] [Commented] (HIVE-27195) Add database authorization for drop table command

Fri, 21 Jul 2023 02:38:29 -0700 


    [ 
https://issues.apache.org/jira/browse/HIVE-27195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17745509#comment-17745509
 ] 

Riju Trivedi commented on HIVE-27195:
-------------------------------------

Thank you [~zabetak] for reviewing and consolidating test scenarios. I have 
updated the test results to the 
[sheet|https://docs.google.com/spreadsheets/d/1CJ1U0LOCpK7TfxY5RSSM4Wmbmt7GiKt5VQrWt1x2tfs/edit?pli=1#gid=0]
 and uploaded tests to the PR.

> Add database authorization for drop table command
> -------------------------------------------------
>
>                 Key: HIVE-27195
>                 URL: https://issues.apache.org/jira/browse/HIVE-27195
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Riju Trivedi
>            Assignee: Riju Trivedi
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Include authorization of the database object during the "drop table" command. 
> Similar to "Create table", DB permissions should be verified in the case of 
> "drop table" too. Add the database object along with the table object to the 
> list of output objects sent for verifying privileges. This change would 
> ensure that in case of a non-existent table or temporary table (skipped from 
> authorization after HIVE-20051), the authorizer will verify privileges for 
> the database object.
> This would also prevent DROP TABLE IF EXISTS command failure for temporary or 
> non-existing tables with `RangerHiveAuthorizer`. In case of 
> temporary/non-existing table, empty input and output HivePrivilege Objects 
> are sent to Ranger authorizer and after 
> https://issues.apache.org/jira/browse/RANGER-3407 authorization request is 
> built from command in case of empty objects. Hence, the drop table if Exists 
> command fails with  HiveAccessControlException.
> Steps to Repro:
> {code:java}
> use test; CREATE TEMPORARY TABLE temp_table (id int);
> drop table if exists test.temp_table;
> Error: Error while compiling statement: FAILED: HiveAccessControlException 
> Permission denied: user [rtrivedi] does not have [DROP] privilege on 
> [test/temp_table] (state=42000,code=40000) {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to