Riju Trivedi created HIVE-29628:
-----------------------------------
Summary: Incorrect objectName in PARTITION HivePrivilegeObject for
view queries on partitioned tables; select query on view fails with 'Permission
denied'
Key: HIVE-29628
URL: https://issues.apache.org/jira/browse/HIVE-29628
Project: Hive
Issue Type: Bug
Components: Authorization
Affects Versions: 4.2.0
Reporter: Riju Trivedi
Assignee: Riju Trivedi
When a user queries a Hive view defined over a partitioned table ({{SELECT *
FROM viewdb.v1}} where {{v1}} is a view on {{datadb.t1}}),
{{CommandAuthorizerV2}} constructs a {{PARTITION}} {{HivePrivilegeObject}}
using the underlying base table's name ({{t1}}) rather than the view alias
({{v1}}). This causes authorization plugins (e.g., Apache Ranger) to check
permissions on the base table's partition, which may be denied even though the
user has explicit SELECT access on the view.
This is a regression introduced by HIVE-27892 which added {{PARTITION}} objects
to the input privilege set, but resolves the {{objectName}} to the base table
rather than the alias active in the query context.