Details
-
Bug
-
Status: Closed
-
Critical
-
Resolution: Fixed
-
3.0.0, 3.2.0
Description
Query fails with HiveAccessControlException against table when there is Materialized view pointing to that table which end user does not have access to, but the actual table user has all the privileges.
From the HiveServer2 logs - it looks as part of optimization Hive uses materialized view to query the data instead of table and since end user does not have access on MV we receive HiveAccessControlException.
The Simplest reproducer for this issue is as below.
1. Create a table using hive user and insert some data
create table db1.testmvtable(id int, name string) partitioned by(year int); insert into db1.testmvtable partition(year=2020) values(1,'Name1'); insert into db1.testmvtable partition(year=2020) values(1,'Name2'); insert into db1.testmvtable partition(year=2016) values(1,'Name1'); insert into db1.testmvtable partition(year=2016) values(1,'Name2');
2. Create Materialized view on top of above table with partitioned and where clause as hive user.
CREATE MATERIALIZED VIEW db2.testmv PARTITIONED ON(year) as select * from db1.testmvtable tmv where year >= 2018;
3. Grant all (Select to be minimum) access to user 'chiran' via Ranger on database db1.
4. Run select on base table db1.testmvtable as 'chiran' with where clause having partition value >=2018, it runs into HiveAccessControlException on db2.testmv
eg:- (select * from db1.testmvtable where year=2020;) 0: jdbc:hive2://node2> select * from db1.testmvtable where year=2020; Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [chiran] does not have [SELECT] privilege on [db2/testmv/*] (state=42000,code=40000)
5. This works when partition column is not in MV
0: jdbc:hive2://node2> select * from db1.testmvtable where year=2016; DEBUG : Acquired the compile lock. INFO : Compiling command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a): select * from db1.testmvtable where year=2016 DEBUG : Encoding valid txns info 897:9223372036854775807::893,895,896 txnid:897 INFO : Semantic Analysis Completed (retrial = false) INFO : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:testmvtable.id, type:int, comment:null), FieldSchema(name:testmvtable.name, type:string, comment:null), FieldSchema(name:testmvtable.year, type:int, comment:null)], properties:null) INFO : Completed compiling command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a); Time taken: 0.222 seconds DEBUG : Encoding valid txn write ids info 897$db1.testmvtable:4:9223372036854775807:: txnid:897 INFO : Executing command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a): select * from db1.testmvtable where year=2016 INFO : Completed executing command(queryId=hive_20200507130248_841458fe-7048-4727-8816-3f9472d2a67a); Time taken: 0.008 seconds INFO : OK DEBUG : Shutting down query select * from db1.testmvtable where year=2016 +-----------------+-------------------+-------------------+ | testmvtable.id | testmvtable.name | testmvtable.year | +-----------------+-------------------+-------------------+ | 1 | Name1 | 2016 | | 1 | Name2 | 2016 | +-----------------+-------------------+-------------------+ 2 rows selected (0.302 seconds) 0: jdbc:hive2://node2>
Attachments
Issue Links
- links to
