[
https://issues.apache.org/jira/browse/HIVE-27195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17746119#comment-17746119
]
Riju Trivedi edited comment on HIVE-27195 at 7/23/23 6:40 PM:
--
Thank you Stamatis for reviewing.
* These tests have `hive.exec.drop.ignorenonexistent` at its default of True, hence
the behavior of DROP TABLE is a NOOP. I have added one more test with
`hive.exec.drop.ignorenonexistent` set to False, where DROP TABLE WITHOUT IF EXISTS
returns an error.
* Agreed, updated tests to remove grant on tables.
* CREATE TABLE *IF NOT EXISTS* also throws an authentication error in case
the table is already there. So, it is consistent with DROP TABLE IF EXISTS for
non-existing tables.
was (Author: rtrivedi12):
Thank you Stamatis for reviewing.
# These tests have `hive.exec.drop.ignorenonexistent` at its default of True, hence
the behavior of DROP TABLE is a NOOP. I have added one more test with
`hive.exec.drop.ignorenonexistent` set to False, where DROP TABLE WITHOUT IF EXISTS
returns an error.
# Agreed, updated tests to remove grant on tables.
# CREATE TABLE *IF NOT EXISTS* also throws an authentication error in case
the table is already there.
> Add database authorization for drop table command
> -
>
> Key: HIVE-27195
> URL: https://issues.apache.org/jira/browse/HIVE-27195
> Project: Hive
> Issue Type: Bug
> Reporter: Riju Trivedi
> Assignee: Riju Trivedi
> Priority: Major
> Labels: pull-request-available
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Include authorization of the database object during the "drop table" command.
> Similar to "Create table", DB permissions should be verified in the case of
> "drop table" too. Add the database object along with the table object to the
> list of output objects sent for verifying privileges. This change would
> ensure that in case of a non-existent table or temporary table (skipped from
> authorization after HIVE-20051), the authorizer will verify privileges for
> the database object.
> This would also prevent DROP TABLE IF EXISTS command failure for temporary or
> non-existing tables with `RangerHiveAuthorizer`. In case of
> temporary/non-existing table, empty input and output HivePrivilege Objects
> are sent to Ranger authorizer and after
> https://issues.apache.org/jira/browse/RANGER-3407 authorization request is
> built from command in case of empty objects. Hence, the drop table if Exists
> command fails with HiveAccessControlException.
> Steps to Repro:
> {code:java}
> use test;
> CREATE TEMPORARY TABLE temp_table (id int);
> drop table if exists test.temp_table;
> Error: Error while compiling statement: FAILED: HiveAccessControlException
> Permission denied: user [rtrivedi] does not have [DROP] privilege on
> [test/temp_table] (state=42000,code=4)
> {code}
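
A simplified model of the behaviour the issue description reports, added here as an example; it is not Hive or Ranger code. The function names, the constructed policy table and the choice of DROP as the privilege checked on the database object are assumptions made for illustration.

```python
import re

class AccessDenied(Exception):
    pass

# Constructed policy store: (user, resource) -> privileges. Database-level grant only.
POLICIES = {("rtrivedi", "test"): {"DROP"}}

def authorize(user, command, outputs, policies=POLICIES):
    """Model authorizer: require DROP on every output object.

    With no objects at all, fall back to a request built from the command
    text, the behaviour the issue attributes to RANGER-3407.
    """
    resources = list(outputs)
    if not resources:
        m = re.search(r"drop\s+table\s+(?:if\s+exists\s+)?([\w.]+)", command, re.I)
        resources = [m.group(1).replace(".", "/")]
    for res in resources:
        if "DROP" not in policies.get((user, res), set()):
            raise AccessDenied(f"user [{user}] does not have [DROP] privilege on [{res}]")
    return resources

def drop_table_outputs(db, table, catalog, temp_tables, include_db):
    """Output objects handed to the authorizer for DROP TABLE (model)."""
    outputs = []
    if include_db:
        outputs.append(db)  # the change proposed in HIVE-27195
    name = f"{db}/{table}"
    # Temporary and non-existent tables contribute no table object.
    if name in catalog and name not in temp_tables:
        outputs.append(name)
    return outputs

def run(include_db):
    cmd = "drop table if exists test.temp_table"
    outs = drop_table_outputs("test", "temp_table", catalog={"test/temp_table"},
                              temp_tables={"test/temp_table"}, include_db=include_db)
    try:
        return "checked " + ", ".join(authorize("rtrivedi", cmd, outs))
    except AccessDenied as e:
        return "denied: " + str(e)

if __name__ == "__main__":
    print(run(include_db=False))  # empty objects, request rebuilt from the command
    print(run(include_db=True))   # database object present, checked directly
```

In this model a permanent table still contributes its own table object, so the database entry adds a check rather than replacing the table-level one.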