Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
Description
Include authorization of the database object during the "drop table" command. Similar to "Create table", DB permissions should be verified in the case of "drop table" too. Add the database object along with the table object to the list of output objects sent for verifying privileges. This change would ensure that in case of a non-existent table or temporary table (skipped from authorization after HIVE-20051), the authorizer will verify privileges for the database object.
This would also prevent DROP TABLE IF EXISTS command failure for temporary or non-existing tables with `RangerHiveAuthorizer`. In case of temporary/non-existing table, empty input and output HivePrivilege Objects are sent to Ranger authorizer and after https://issues.apache.org/jira/browse/RANGER-3407 authorization request is built from command in case of empty objects. Hence, the drop table if Exists command fails with HiveAccessControlException.
Steps to Repro:
use test; CREATE TEMPORARY TABLE temp_table (id int); drop table if exists test.temp_table; Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [rtrivedi] does not have [DROP] privilege on [test/temp_table] (state=42000,code=40000)
Attachments
Issue Links
- relates to
-
HIVE-20051 Skip authorization for temp tables
- Closed
- links to