You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by "Ryan P (JIRA)" <ji...@apache.org> on 2015/08/09 16:40:45 UTC
[jira] [Commented] (SENTRY-716) Hive pluing does not correctly
enforce privileges for new in case of nested queries
[ https://issues.apache.org/jira/browse/SENTRY-716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14679161#comment-14679161 ]
Ryan P commented on SENTRY-716:
-------------------------------
The problem here resides in the fact that table t1 is no longer considered a child of view1.
This can be seen here:
explain dependency select * from (select * from v1)v2;
{"input_partitions":[],"input_tables":[{"tablename":"default@v1","tabletype":"VIRTUAL_VIEW"},{"tablename":"default@test","tabletype":"MANAGED_TABLE"}]}
Because of this HiveAuthzBindingHook.isChildTabForView(ReadEntity readEntity) will always return false. Not entirely sure how we fix this on the Sentry side exclusively.
> Hive pluing does not correctly enforce privileges for new in case of nested queries
> -----------------------------------------------------------------------------------
>
> Key: SENTRY-716
> URL: https://issues.apache.org/jira/browse/SENTRY-716
> Project: Sentry
> Issue Type: Bug
> Affects Versions: 1.5.0
> Reporter: Prasad Mujumdar
>
> A nested query on view incorrectly enforces base table privileges instead of view privileges. For example,
> {noformat}
> create view v1 as select * from t1;
> grant select on table v1 to role test;
> select * from ( select * from v1) v2;
> {noformat}
> doesn't work if you have read privilege on view v1. It only works when you have read privilege on underlying table t1.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)