You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hive.apache.org by Na Li via Review Board <no...@reviews.apache.org> on 2019/02/07 03:31:53 UTC
Review Request 69914: HIVE-21227: HIVE-20776 causes view access
regression
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69914/
-----------------------------------------------------------
Review request for hive and Vihang Karajgaonkar.
Bugs: hive-21227
https://issues.apache.org/jira/browse/hive-21227
Repository: hive-git
Description
-------
HIVE-20776 introduces a change that causes regression for view access.
Before the change, a user with select access of a view can get all columns of a view with select access of a view that is derived from a partitioned table.
With the change, that user cannot access that view.
The reason is that
When user accesses columns of a view, Hive needs to get the partitions of the table that the view is derived from. The user name is the user who issues the query to access the view.
The change in HIVE-20776 checks if user has access to a table before getting its partitions. When user only has access of a view, not the access of a table itself, this change denies the user access of the view.
The solution is when getting table partitions, do not filter on table at HMS client
Diffs
-----
standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java a1826fa259d424c9f3d5a2f58a18f617355d586f
Diff: https://reviews.apache.org/r/69914/diff/1/
Testing
-------
TestGetPartitions and TestListPartitions pass
Thanks,
Na Li
Re: Review Request 69914: HIVE-21227: HIVE-20776 causes view access
regression
Posted by Peter Vary via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69914/#review212667
-----------------------------------------------------------
Ship it!
Ship It!
- Peter Vary
On febr. 8, 2019, 6:48 de, Na Li wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69914/
> -----------------------------------------------------------
>
> (Updated febr. 8, 2019, 6:48 de)
>
>
> Review request for hive and Vihang Karajgaonkar.
>
>
> Bugs: hive-21227
> https://issues.apache.org/jira/browse/hive-21227
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> HIVE-20776 introduces a change that causes regression for view access.
>
> Before the change, a user with select access of a view can get all columns of a view with select access of a view that is derived from a partitioned table.
>
> With the change, that user cannot access that view.
>
> The reason is that
>
> When user accesses columns of a view, Hive needs to get the partitions of the table that the view is derived from. The user name is the user who issues the query to access the view.
> The change in HIVE-20776 checks if user has access to a table before getting its partitions. When user only has access of a view, not the access of a table itself, this change denies the user access of the view.
> The solution is when getting table partitions, do not filter on table at HMS client
>
>
> Diffs
> -----
>
> standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java a1826fa259d424c9f3d5a2f58a18f617355d586f
> standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/TestFilterHooks.java 6a0d0aa8840d9fc6799c16463a70ed6f0cc2c354
>
>
> Diff: https://reviews.apache.org/r/69914/diff/2/
>
>
> Testing
> -------
>
> TestGetPartitions and TestListPartitions pass
>
>
> Thanks,
>
> Na Li
>
>
Re: Review Request 69914: HIVE-21227: HIVE-20776 causes view access
regression
Posted by Na Li via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69914/
-----------------------------------------------------------
(Updated Feb. 8, 2019, 6:48 a.m.)
Review request for hive and Vihang Karajgaonkar.
Bugs: hive-21227
https://issues.apache.org/jira/browse/hive-21227
Repository: hive-git
Description
-------
HIVE-20776 introduces a change that causes regression for view access.
Before the change, a user with select access of a view can get all columns of a view with select access of a view that is derived from a partitioned table.
With the change, that user cannot access that view.
The reason is that
When user accesses columns of a view, Hive needs to get the partitions of the table that the view is derived from. The user name is the user who issues the query to access the view.
The change in HIVE-20776 checks if user has access to a table before getting its partitions. When user only has access of a view, not the access of a table itself, this change denies the user access of the view.
The solution is when getting table partitions, do not filter on table at HMS client
Diffs (updated)
-----
standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java a1826fa259d424c9f3d5a2f58a18f617355d586f
standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/TestFilterHooks.java 6a0d0aa8840d9fc6799c16463a70ed6f0cc2c354
Diff: https://reviews.apache.org/r/69914/diff/2/
Changes: https://reviews.apache.org/r/69914/diff/1-2/
Testing
-------
TestGetPartitions and TestListPartitions pass
Thanks,
Na Li
Re: Review Request 69914: HIVE-21227: HIVE-20776 causes view access
regression
Posted by Na Li via Review Board <no...@reviews.apache.org>.
> On Feb. 7, 2019, 5:48 p.m., Karthik Manamcheri wrote:
> > standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java
> > Line 2509 (original), 2512 (patched)
> > <https://reviews.apache.org/r/69914/diff/1/?file=2124160#file2124160line2512>
> >
> > We should add unit tests to make sure that this doesn't happen again. Can you add a test which would fail if this fix wasn't there?
I changed the test on partitions to refect the fact that HMS client does not filter partitions' table due to "HIVE-21227: HIVE-20776 causes view access regression"
- Na
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69914/#review212633
-----------------------------------------------------------
On Feb. 7, 2019, 3:31 a.m., Na Li wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69914/
> -----------------------------------------------------------
>
> (Updated Feb. 7, 2019, 3:31 a.m.)
>
>
> Review request for hive and Vihang Karajgaonkar.
>
>
> Bugs: hive-21227
> https://issues.apache.org/jira/browse/hive-21227
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> HIVE-20776 introduces a change that causes regression for view access.
>
> Before the change, a user with select access of a view can get all columns of a view with select access of a view that is derived from a partitioned table.
>
> With the change, that user cannot access that view.
>
> The reason is that
>
> When user accesses columns of a view, Hive needs to get the partitions of the table that the view is derived from. The user name is the user who issues the query to access the view.
> The change in HIVE-20776 checks if user has access to a table before getting its partitions. When user only has access of a view, not the access of a table itself, this change denies the user access of the view.
> The solution is when getting table partitions, do not filter on table at HMS client
>
>
> Diffs
> -----
>
> standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java a1826fa259d424c9f3d5a2f58a18f617355d586f
>
>
> Diff: https://reviews.apache.org/r/69914/diff/1/
>
>
> Testing
> -------
>
> TestGetPartitions and TestListPartitions pass
>
>
> Thanks,
>
> Na Li
>
>
Re: Review Request 69914: HIVE-21227: HIVE-20776 causes view access
regression
Posted by Karthik Manamcheri via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69914/#review212633
-----------------------------------------------------------
standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java
Line 2509 (original), 2512 (patched)
<https://reviews.apache.org/r/69914/#comment298460>
We should add unit tests to make sure that this doesn't happen again. Can you add a test which would fail if this fix wasn't there?
- Karthik Manamcheri
On Feb. 7, 2019, 3:31 a.m., Na Li wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69914/
> -----------------------------------------------------------
>
> (Updated Feb. 7, 2019, 3:31 a.m.)
>
>
> Review request for hive and Vihang Karajgaonkar.
>
>
> Bugs: hive-21227
> https://issues.apache.org/jira/browse/hive-21227
>
>
> Repository: hive-git
>
>
> Description
> -------
>
> HIVE-20776 introduces a change that causes regression for view access.
>
> Before the change, a user with select access of a view can get all columns of a view with select access of a view that is derived from a partitioned table.
>
> With the change, that user cannot access that view.
>
> The reason is that
>
> When user accesses columns of a view, Hive needs to get the partitions of the table that the view is derived from. The user name is the user who issues the query to access the view.
> The change in HIVE-20776 checks if user has access to a table before getting its partitions. When user only has access of a view, not the access of a table itself, this change denies the user access of the view.
> The solution is when getting table partitions, do not filter on table at HMS client
>
>
> Diffs
> -----
>
> standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java a1826fa259d424c9f3d5a2f58a18f617355d586f
>
>
> Diff: https://reviews.apache.org/r/69914/diff/1/
>
>
> Testing
> -------
>
> TestGetPartitions and TestListPartitions pass
>
>
> Thanks,
>
> Na Li
>
>