Shohei Okumiya created HIVE-29248:
-------------------------------------
Summary: HMS Iceberg REST API should return 403 on HiveAccessControlException
Key: HIVE-29248
URL: https://issues.apache.org/jira/browse/HIVE-29248
Project: Hive
Issue Type: Improvement
Components: Authorization, Iceberg integration, Standalone Metastore
Affects Versions: 4.1.0
Reporter: Shohei Okumiya
The current implementation does not handle permission errors and returns a 500
error. This is the exception when I integrated HMS Iceberg REST Catalog with
Apache Ranger.
{code:java}
2025-10-07T02:26:57,248 ERROR [qtp100805003-49] rest.HMSCatalogServlet: Error processing REST request
org.apache.iceberg.exceptions.RESTException: Unhandled error: ErrorResponse(code=500, type=RuntimeException, message=Failed to list namespace under namespace: default in Hive Metastore)
java.lang.RuntimeException: Failed to list namespace under namespace: default in Hive Metastore
    at org.apache.iceberg.hive.HiveCatalog.loadNamespaceMetadata(HiveCatalog.java:632)
    at org.apache.iceberg.catalog.SupportsNamespaces.namespaceExists(SupportsNamespaces.java:159)
    at org.apache.iceberg.rest.CatalogHandlers.namespaceExists(CatalogHandlers.java:167)
    at org.apache.iceberg.rest.HMSCatalogAdapter.namespaceExists(HMSCatalogAdapter.java:249)
    at org.apache.iceberg.rest.HMSCatalogAdapter.handleRequest(HMSCatalogAdapter.java:441)
    at org.apache.iceberg.rest.HMSCatalogAdapter.execute(HMSCatalogAdapter.java:524)
    at org.apache.iceberg.rest.HMSCatalogServlet.service(HMSCatalogServlet.java:75)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    ...
Caused by: MetaException(message:Permission denied: user [trino] does not have [USE] privilege on [default])
    at org.apache.hadoop.hive.metastore.utils.MetaStoreUtils.newMetaException(MetaStoreUtils.java:229)
    at org.apache.hadoop.hive.metastore.utils.MetaStoreUtils.newMetaException(MetaStoreUtils.java:219)
    at org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer.onEvent(HiveMetaStoreAuthorizer.java:137)
    at org.apache.hadoop.hive.metastore.HMSHandler.firePreEvent(HMSHandler.java:4133)
    at org.apache.hadoop.hive.metastore.HMSHandler.get_database_req(HMSHandler.java:1475)
    ...
Caused by: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Permission denied: user [trino] does not have [USE] privilege on [default]
    at org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:1155)
    at org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer.checkPrivileges(HiveMetaStoreAuthorizer.java:701)
    at org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer.onEvent(HiveMetaStoreAuthorizer.java:133)
    ... 69 more
    at org.apache.iceberg.rest.HMSCatalogAdapter.execute(HMSCatalogAdapter.java:537) ~[hive-standalone-metastore-rest-catalog-4.2.0-SNAPSHOT.jar:4.2.0
    at org.apache.iceberg.rest.HMSCatalogServlet.service(HMSCatalogServlet.java:75) ~[hive-standalone-metastore-rest-catalog-4.2.0-SNAPSHOT.jar:4.2.0-SNAPSHOT]
{code}
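
One way to produce the requested 403, shown as an added sketch that is not code from Hive or from this issue: walk the cause chain of the failure and map it to 403 when a `HiveAccessControlException` is anywhere in it. The class `ForbiddenMappingExample`, the helpers `findCause` and `statusFor`, and the two nested exception classes are hypothetical stand-ins so the example compiles without Hive on the classpath.

```java
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Set;

public class ForbiddenMappingExample {
    // Stand-ins (assumption) for the real classes named in the stack trace above.
    static class HiveAccessControlException extends Exception {
        HiveAccessControlException(String message) { super(message); }
    }
    static class MetaException extends Exception {
        MetaException(String message, Throwable cause) { super(message, cause); }
    }

    /** Returns the first throwable of the given type in the cause chain, or null. */
    static <T extends Throwable> T findCause(Throwable error, Class<T> type) {
        // Identity set guards against a cause chain that loops back on itself.
        Set<Throwable> seen = Collections.newSetFromMap(new IdentityHashMap<>());
        for (Throwable t = error; t != null && seen.add(t); t = t.getCause()) {
            if (type.isInstance(t)) {
                return type.cast(t);
            }
        }
        return null;
    }

    /** 403 when authorization was denied somewhere in the chain, otherwise 500. */
    static int statusFor(Throwable error) {
        return findCause(error, HiveAccessControlException.class) != null ? 403 : 500;
    }

    public static void main(String[] args) {
        // Constructed chain with the same shape as the trace in this issue:
        // RuntimeException -> MetaException -> HiveAccessControlException.
        String denied = "Permission denied: user [trino] does not have [USE] privilege on [default]";
        Throwable wrapped = new RuntimeException(
            "Failed to list namespace under namespace: default in Hive Metastore",
            new MetaException(denied, new HiveAccessControlException(denied)));
        // Constructed unrelated failure that should still surface as a server error.
        Throwable unrelated = new RuntimeException("constructed failure", new IllegalStateException());

        System.out.println("denied chain    -> " + statusFor(wrapped));
        System.out.println("unrelated chain -> " + statusFor(unrelated));
    }
}
```

Matching on the exception type rather than on the "Permission denied" message text keeps the mapping from misfiring on unrelated errors whose messages happen to contain that phrase.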