You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@sentry.apache.org by "Ryan P (JIRA)" <ji...@apache.org> on 2015/08/09 16:40:45 UTC

[jira] [Commented] (SENTRY-716) Hive pluing does not correctly enforce privileges for new in case of nested queries

    [ https://issues.apache.org/jira/browse/SENTRY-716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14679161#comment-14679161 ] 

Ryan P commented on SENTRY-716:
-------------------------------

The problem here resides in the fact that table t1 is no longer considered a child of view1. 

This can be seen here:

explain dependency select * from (select * from v1)v2;
{"input_partitions":[],"input_tables":[{"tablename":"default@v1","tabletype":"VIRTUAL_VIEW"},{"tablename":"default@test","tabletype":"MANAGED_TABLE"}]} 

Because of this HiveAuthzBindingHook.isChildTabForView(ReadEntity readEntity)  will always return false.  Not entirely sure how we fix this on the Sentry side exclusively. 

> Hive pluing does not correctly enforce privileges for new in case of nested queries
> -----------------------------------------------------------------------------------
>
>                 Key: SENTRY-716
>                 URL: https://issues.apache.org/jira/browse/SENTRY-716
>             Project: Sentry
>          Issue Type: Bug
>    Affects Versions: 1.5.0
>            Reporter: Prasad Mujumdar
>
> A nested query on view incorrectly enforces base table privileges instead of view privileges. For example,
> {noformat}
> create view v1 as select * from t1;
> grant select on table v1 to role test;
> select * from ( select * from v1) v2;
> {noformat}
> doesn't work if you have read privilege on view v1. It only works when you have read privilege on underlying table t1.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)