[ https://issues.apache.org/jira/browse/HIVE-27326?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jai Patel updated HIVE-27326:
-----------------------------
    Description: 
We have a Ranger plugin implemented for HiveService which uses the hook 
provided by the HiveService i.e. the "{*}checkPrivileges{*}" method in 
"org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer.java" - 
[https://github.com/apache/hive/blob/master/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java#L163|http://example.com/].

We do authorization based on the information provided in the *inputObjs* and 
*outputObjs* parameters. 
This *works fine* for the normal alter query like -
{code:java}
ALTER TABLE hr ADD COLUMNS (country VARCHAR(255)){code}

Logs -
{code:java}
2023-05-08T14:31:40,505 DEBUG [c85f84fd-85d6-4e1a-ae72-ea07323e1a93 
HiveServer2-Handler-Pool: Thread-90] 
ranger.authorization.hive.authorizer.RangerHiveAuthorizer: 
'checkPrivileges':{'hiveOpType':ALTERTABLE_ADDCOLS, 
'inputHObjs':['HivePrivilegeObject':{'type':TABLE_OR_VIEW, 'dbName':test, 
'objectType':TABLE_OR_VIEW, 'objectName':hr, 'columns':[], 'partKeys':[], 
'commandParams':[], 'actionType':OTHER}], 
'outputHObjs':['HivePrivilegeObject':{'type':TABLE_OR_VIEW, 'dbName':test, 
'objectType':TABLE_OR_VIEW, 'objectName':hr, 'columns':[], 'partKeys':[], 
'commandParams':[], 'actionType':OTHER}], 'context':{'clientType':HIVESERVER2, 
'commandString':ALTER TABLE hr ADD COLUMNS (country VARCHAR(255)), 
'ipAddress':172.18.0.1, 'forwardedAddresses':null, 
'sessionString':c85f84fd-85d6-4e1a-ae72-ea07323e1a93}, 'user':root, 
'groups':[root]}
{code}
 

{color:#ff0000}*But for below alter queries, we are not getting the db and 
table information -* 
{color}Query 1 -
{code:java}
ALTER TABLE hr ADD CONSTRAINT unique_key_const UNIQUE (c0) DISABLE 
NOVALIDATE;{code}
LOGS -
{code:java}
2023-05-08T12:14:22,502 DEBUG [c0c66e4e-3014-4258-8e1a-7b689c2fbe6d 
HiveServer2-Handler-Pool: Thread-90] 
ranger.authorization.hive.authorizer.RangerHiveAuthorizer: 
'checkPrivileges':{'hiveOpType':ALTERTABLE_ADDCONSTRAINT, 'inputHObjs':[], 
'outputHObjs':[], 'context':{'clientType':HIVESERVER2, 'commandString':ALTER 
TABLE hr ADD CONSTRAINT unique_key_const1 UNIQUE (c0) DISABLE NOVALIDATE, 
'ipAddress':172.18.0.1, 'forwardedAddresses':null, 'sessionString':c0c66{code}
Query 2 -
{code:java}
ALTER TABLE temp PARTITION (c1=1) COMPACT 'minor';{code}

Logs -
{code:java}
2023-05-08T12:16:30,595 DEBUG [c0c66e4e-3014-4258-8e1a-7b689c2fbe6d 
HiveServer2-Handler-Pool: Thread-90] 
ranger.authorization.hive.authorizer.RangerHiveAuthorizer: 
'checkPrivileges':{'hiveOpType':ALTERTABLE_COMPACT, 'inputHObjs':[], 
'outputHObjs':[], 'context':
{'clientType':HIVESERVER2, 'commandString':ALTER TABLE temp PARTITION (c1=1) 
COMPACT 'minor', 'ipAddress':172.18.0.1, 'forwardedAddresses':null, 
'sessionString':c0c66e4e-3014-4258-8e1a-7b689c2fbe6d}
, 'user':root, 'groups':[root]}
{code}
 

 

As you can see in the logs, we are getting empty inputHObjs and outputObjs in 
case of Alter Table Add Constraint and Partition. This is not the case for 
ALTER TABLE ADD COLUMNS and hence it works fine in that case.



Can we fix this so as to provide proper authorization on these queries?

 

  was:
We have a Ranger plugin implemented for HiveService which uses the hook 
provided by the HiveService i.e. the "checkPriviliges" method in 
"org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer.java" - 
[https://github.com/apache/hive/blob/master/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java#L163|http://example.com].

We do authorization based on the information provided in the inputObjs and 
outputObjs parameters. 
This works fine for the normal alter query like -
ALTER TABLE hr ADD COLUMNS (country VARCHAR(255))
Logs -
2023-05-08T14:31:40,505 DEBUG [c85f84fd-85d6-4e1a-ae72-ea07323e1a93 
HiveServer2-Handler-Pool: Thread-90] 
ranger.authorization.hive.authorizer.RangerHiveAuthorizer: 
'checkPrivileges':\{'hiveOpType':ALTERTABLE_ADDCOLS, 
'inputHObjs':['HivePrivilegeObject':{'type':TABLE_OR_VIEW, 'dbName':privacera, 
'objectType':TABLE_OR_VIEW, 'objectName':hr, 'columns':[], 'partKeys':[], 
'commandParams':[], 'actionType':OTHER}], 
'outputHObjs':['HivePrivilegeObject':\{'type':TABLE_OR_VIEW, 
'dbName':privacera, 'objectType':TABLE_OR_VIEW, 'objectName':hr, 'columns':[], 
'partKeys':[], 'commandParams':[], 'actionType':OTHER}], 
'context':\{'clientType':HIVESERVER2, 'commandString':ALTER TABLE hr ADD 
COLUMNS (country VARCHAR(255)), 'ipAddress':172.18.0.1, 
'forwardedAddresses':null, 
'sessionString':c85f84fd-85d6-4e1a-ae72-ea07323e1a93}, 'user':root, 
'groups':[root]}


{color:#FF0000}*But for below alter queries, we are not getting the db and 
table information -* 
{color}Query 1 -
ALTER TABLE hr ADD CONSTRAINT unique_key_const UNIQUE (c0) DISABLE NOVALIDATE;
LOGS -
2023-05-08T12:14:22,502 DEBUG [c0c66e4e-3014-4258-8e1a-7b689c2fbe6d 
HiveServer2-Handler-Pool: Thread-90] 
ranger.authorization.hive.authorizer.RangerHiveAuthorizer: 
'checkPrivileges':{'hiveOpType':ALTERTABLE_ADDCONSTRAINT, 'inputHObjs':[], 
'outputHObjs':[], 'context':{'clientType':HIVESERVER2, 'commandString':ALTER 
TABLE hr ADD CONSTRAINT unique_key_const1 UNIQUE (c0) DISABLE NOVALIDATE, 
'ipAddress':172.18.0.1, 'forwardedAddresses':null, 'sessionString':c0c66
Query 2 -
ALTER TABLE temp PARTITION (c1=1) COMPACT 'minor';
Logs -
2023-05-08T12:16:30,595 DEBUG [c0c66e4e-3014-4258-8e1a-7b689c2fbe6d 
HiveServer2-Handler-Pool: Thread-90] 
ranger.authorization.hive.authorizer.RangerHiveAuthorizer: 
'checkPrivileges':\{'hiveOpType':ALTERTABLE_COMPACT, 'inputHObjs':[], 
'outputHObjs':[], 'context':{'clientType':HIVESERVER2, 'commandString':ALTER 
TABLE temp PARTITION (c1=1) COMPACT 'minor', 'ipAddress':172.18.0.1, 
'forwardedAddresses':null, 
'sessionString':c0c66e4e-3014-4258-8e1a-7b689c2fbe6d}, 'user':root, 
'groups':[root]}

As you can see in the logs, we are getting empty inputHObjs and outputObjs in 
case of Alter Table Add Constraint and Partition.

Can we fix this so as to provide proper authorization on these queries?

 


> Hive Authorizer not receiving resource information for few alter queries 
> causing authorization check to fail
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-27326
>                 URL: https://issues.apache.org/jira/browse/HIVE-27326
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 3.1.2
>            Reporter: Jai Patel
>            Priority: Major



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
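
A detection sketch for the gap this report describes, added here as an example and not part of the Jira issue or of Hive or Ranger code: it scans RangerHiveAuthorizer DEBUG output for ALTERTABLE_* `checkPrivileges` calls whose `inputHObjs` and `outputHObjs` are both empty, and recovers the table name from `commandString`. The names `find_blind_calls` and `rec`, the rule that every ALTERTABLE_* call should carry at least one object, and the sample records (modelled on the logs in the report) are assumptions.

```python
import re

# Targeted regexes: the record is not JSON (unquoted values) and may be cut
# off mid-field, as the ADD CONSTRAINT record in the report is.
OP_RE = re.compile(r"'hiveOpType':(\w+)")
IN_RE = re.compile(r"'inputHObjs':\[(.*?)\],\s*'outputHObjs'", re.S)
OUT_RE = re.compile(r"'outputHObjs':\[(.*?)\],\s*'context'", re.S)
CMD_RE = re.compile(r"'commandString':(.*?),\s*'ipAddress'", re.S)
USER_RE = re.compile(r"'user':(\w+)")
TABLE_RE = re.compile(r"ALTER\s+TABLE\s+([\w.]+)", re.I)

def find_blind_calls(log_text):
    """Return ALTERTABLE_* checkPrivileges calls that carried no objects."""
    findings = []
    for record in log_text.split("'checkPrivileges':")[1:]:
        op, ins, outs = (r.search(record) for r in (OP_RE, IN_RE, OUT_RE))
        if not (op and ins and outs):
            continue  # cut off before the object lists: cannot judge
        # Assumption: every ALTERTABLE_* operation names a table, so the call
        # should carry at least one HivePrivilegeObject.
        if not op.group(1).startswith("ALTERTABLE_"):
            continue
        if ins.group(1).strip() or outs.group(1).strip():
            continue
        cmd = CMD_RE.search(record)
        table = TABLE_RE.search(cmd.group(1)) if cmd else None
        user = USER_RE.search(record)
        findings.append({
            "op": op.group(1),
            "table": table.group(1) if table else None,
            "user": user.group(1) if user else None,  # None when cut off
        })
    return findings

# Constructed sample modelled on the report's three records, one line each.
OBJ = "'HivePrivilegeObject':{'dbName':test, 'objectName':hr, 'columns':[]}"
FULL = "}, 'user':root, 'groups':[root]}"
def rec(op, objs, cmd, tail=FULL):
    return ("2023-05-08T12:14:22,502 DEBUG RangerHiveAuthorizer: "
            "'checkPrivileges':{'hiveOpType':%s, 'inputHObjs':[%s], "
            "'outputHObjs':[%s], 'context':{'commandString':%s, "
            "'ipAddress':172.18.0.1%s" % (op, objs, objs, cmd, tail))

SAMPLE = "\n".join([
    rec("ALTERTABLE_ADDCOLS", OBJ, "ALTER TABLE hr ADD COLUMNS (country VARCHAR(255))"),
    rec("ALTERTABLE_ADDCONSTRAINT", "", "ALTER TABLE hr ADD CONSTRAINT unique_key_const1 UNIQUE (c0) DISABLE NOVALIDATE", ", 'sessionString':c0c66"),
    rec("ALTERTABLE_COMPACT", "", "ALTER TABLE temp PARTITION (c1=1) COMPACT 'minor'"),
])
```

Run `find_blind_calls` over the HiveServer2 log with DEBUG enabled for the authorizer; each finding is a statement the plugin had to decide on without a database or table to match against policy.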
