Posted to dev@hive.apache.org by "Thejas M Nair (JIRA)" <ji...@apache.org> on 2014/04/01 10:57:15 UTC

[jira] [Commented] (HIVE-6804) sql std auth - granting existing table privilege to owner should result in error

    [ https://issues.apache.org/jira/browse/HIVE-6804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13956269#comment-13956269 ] 

Thejas M Nair commented on HIVE-6804:
-------------------------------------

From [~deepesh]
Steps to reproduce:
# Login as a public user (eg. hrt_1).
{noformat}
0: jdbc:hive2://localhost:10> create table foobar (foo string, bar string);
No rows affected (0.167 seconds)
0: jdbc:hive2://localhost:10> show grant on table foobar;
+-----------+---------+------------+---------+-----------------+-----------------+------------+---------------+--------+
| database  |  table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   gran |
+-----------+---------+------------+---------+-----------------+-----------------+------------+---------------+--------+
| default   | foobar  |            |         | hrt_1           | USER            | DELETE     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | INSERT     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | SELECT     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | UPDATE     | true          | 139629 |
+-----------+---------+------------+---------+-----------------+-----------------+------------+---------------+--------+
4 rows selected (0.043 seconds)
0: jdbc:hive2://localhost:10> grant all on table foobar to user hrt_1 with grant option;
No rows affected (0.171 seconds)
0: jdbc:hive2://localhost:10> show grant on table foobar;
+-----------+---------+------------+---------+-----------------+-----------------+------------+---------------+--------+
| database  |  table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   gran |
+-----------+---------+------------+---------+-----------------+-----------------+------------+---------------+--------+
| default   | foobar  |            |         | hrt_1           | USER            | DELETE     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | DELETE     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | INSERT     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | INSERT     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | SELECT     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | SELECT     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | UPDATE     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | UPDATE     | true          | 139629 |
+-----------+---------+------------+---------+-----------------+-----------------+------------+---------------+--------+
8 rows selected (0.046 seconds)
{noformat}
I would not expect duplicate entries; either we should error out when we try to grant privileges on a table where the user already has privileges, or the command becomes a NOOP.
# Now try grant another time and revoke.
{noformat}
0: jdbc:hive2://localhost:10> grant all on table foobar to user hrt_1 with grant option;
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error granting privileges: Internal error processing grant_privileges (state=08S01,code=1)
0: jdbc:hive2://localhost:10> show grant on table foobar;
+-----------+---------+------------+---------+-----------------+-----------------+------------+---------------+--------+
| database  |  table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   gran |
+-----------+---------+------------+---------+-----------------+-----------------+------------+---------------+--------+
| default   | foobar  |            |         | hrt_1           | USER            | DELETE     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | DELETE     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | INSERT     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | INSERT     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | SELECT     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | SELECT     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | UPDATE     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | UPDATE     | true          | 139629 |
+-----------+---------+------------+---------+-----------------+-----------------+------------+---------------+--------+
8 rows selected (0.045 seconds)
0: jdbc:hive2://localhost:10> revoke all on table foobar from user hrt_1;
No rows affected (0.156 seconds)
0: jdbc:hive2://localhost:10> show grant on table foobar;
+-----------+---------+------------+---------+-----------------+-----------------+------------+---------------+--------+
| database  |  table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   gran |
+-----------+---------+------------+---------+-----------------+-----------------+------------+---------------+--------+
| default   | foobar  |            |         | hrt_1           | USER            | DELETE     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | INSERT     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | SELECT     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | UPDATE     | true          | 139629 |
+-----------+---------+------------+---------+-----------------+-----------------+------------+---------------+--------+
4 rows selected (0.039 seconds)
{noformat}
So we see two things here. First, the user cannot grant privileges again, which is right and should have been the case even earlier. Second, revoking privileges removes only the duplicate set of privileges. This can be bad for an end user who might think that he already revoked the privileges, but the system still preserves a set.

> sql std auth - granting existing table privilege to owner should result in error
> --------------------------------------------------------------------------------
>
>                 Key: HIVE-6804
>                 URL: https://issues.apache.org/jira/browse/HIVE-6804
>             Project: Hive
>          Issue Type: Sub-task
>          Components: Authorization
>            Reporter: Deepesh Khandelwal
>            Assignee: Thejas M Nair
>
> Table owner gets all privileges on the table at the time of table creation.
> But granting some or all of the privileges using a grant statement still works, resulting in duplicate privileges.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
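
The duplicate-grant condition reported above can be checked for mechanically from captured `show grant` output. This is an added example, not code from the Hive project or from the original message; the helper names are hypothetical and the sample table is constructed in the shape shown in the report.

```python
from collections import Counter

# Columns that identify one grant; grant_option and the grant time are ignored.
KEY = ("database", "table", "partition", "column",
       "principal_name", "principal_type", "privilege")

# Constructed sample: beeline output shaped like the report (borders shortened).
SAMPLE = """\
+-----------+---------+
| database  |  table  | partition  | column  | principal_name  | principal_type  | privilege  | grant_option  |   gran |
+-----------+---------+
| default   | foobar  |            |         | hrt_1           | USER            | DELETE     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | DELETE     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | INSERT     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | INSERT     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | SELECT     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | SELECT     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | UPDATE     | true          | 139629 |
| default   | foobar  |            |         | hrt_1           | USER            | UPDATE     | true          | 139629 |
+-----------+---------+
8 rows selected (0.046 seconds)
"""

def parse_show_grant(text):
    # Turn the ASCII table into dicts keyed by the header cells.
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # borders, prompts, "N rows selected" lines
        cells = [c.strip() for c in line[1:-1].split("|")]
        if header is None:
            header = cells
        elif cells != header:  # skip headers repeated by later commands
            rows.append(dict(zip(header, cells)))
    return rows

def duplicate_grants(rows):
    # Map each grant identity that appears more than once to its row count.
    counts = Counter(tuple(r.get(k, "") for k in KEY) for r in rows)
    return {k: n for k, n in counts.items() if n > 1}

def still_granted(rows, principal, table):
    # Privileges still listed for a principal; run on output taken after a revoke.
    return sorted({r["privilege"] for r in rows
                   if r["principal_name"] == principal and r["table"] == table})

if __name__ == "__main__":
    for key, n in duplicate_grants(parse_show_grant(SAMPLE)).items():
        print(n, "rows for", key)
```

Running `still_granted` on the output captured after a `revoke all` should return an empty list; a non-empty result is the leftover set described in the comment.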