[
https://issues.apache.org/jira/browse/HIVE-29628?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Riju Trivedi updated HIVE-29628:
--------------------------------
Summary: Incorrect objectName in PARTITION HivePrivilegeObject for view
queries on partitioned tables (was: Incorrect objectName in PARTITION
HivePrivilegeObject for view queries on partitioned tablesselect query on view
fails with 'Permission denied')
> Incorrect objectName in PARTITION HivePrivilegeObject for view queries on
> partitioned tables
> --------------------------------------------------------------------------------------------
>
> Key: HIVE-29628
> URL: https://issues.apache.org/jira/browse/HIVE-29628
> Project: Hive
> Issue Type: Bug
> Components: Authorization
> Affects Versions: 4.2.0
> Reporter: Riju Trivedi
> Assignee: Riju Trivedi
> Priority: Major
>
> When a user queries a Hive view defined over a partitioned table ( {{SELECT *
> FROM viewdb.v1}} where {{v1}} is a view on {{{}datadb.t1{}}}),
> {{CommandAuthorizerV2}} constructs a {{PARTITION}} {{HivePrivilegeObject}}
> using the underlying base table's name ({{{}t1{}}}) rather than the view
> alias ({{{}v1{}}}). This causes authorization plugins (e.g., Apache Ranger)
> to check permissions on the base table's partition, which may be denied even
> though the user has explicit SELECT access on the view.
> This is a regression introduced by HIVE-27892 which added {{PARTITION}}
> objects to the input privilege set, but resolves the {{objectName}} to the
> base table rather than the alias active in the query context.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
