Hive / HIVE-5479

SBAP restricts hcat -e 'show databases'

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.12.0
    • Fix Version/s: 0.13.0
    • Component/s: Authorization, HCatalog
    • Labels: None

    Description

      During testing for 0.12, it was found that if someone tries to use the SBAP as a client-side authorization provider, and runs hcat -e "show databases;", SBAP denies permission to the user.

      Looking at SBAP code, why it does so is self-evident from this section:

        @Override
        public void authorize(Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)
            throws HiveException, AuthorizationException {
          // Currently not used in hive code-base, but intended to authorize actions
          // that are directly user-level. As there's no storage based aspect to this,
          // we can follow one of two routes:
          // a) We can allow by default - that way, this call stays out of the way
          // b) We can deny by default - that way, no privileges are authorized that
          // is not understood and explicitly allowed.
          // Both approaches have merit, but given that things like grants and revokes
          // that are user-level do not make sense from the context of storage-permission
          // based auth, denying seems to be more canonical here.
      
          throw new AuthorizationException(StorageBasedAuthorizationProvider.class.getName() +
              " does not allow user-level authorization");
        }
      

      Thus, this deny-by-default behaviour affects the "show databases" call from hcat cli, which uses user-level privileges to determine if a user can perform that.
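
An added sketch, not code from Hive or from HIVE-5479.patch, contrasting the deny-by-default user-level check quoted above with one assumed alternative that answers user-level requests from the permissions on a single root directory. `Priv`, `Provider`, both provider classes and the temporary directory are hypothetical stand-ins, and modelling "show databases" as a read request is an assumption.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class UserLevelAuthDemo {
    enum Priv { SELECT, CREATE, DROP }           // hypothetical privilege set

    interface Provider {
        // User-level check: no database or table object is attached to the request.
        void authorize(Priv[] read, Priv[] write) throws SecurityException;
    }

    // Behaviour described in the issue: every user-level request is refused.
    static class DenyByDefault implements Provider {
        public void authorize(Priv[] read, Priv[] write) {
            throw new SecurityException("user-level authorization not allowed");
        }
    }

    // Assumed alternative: decide user-level requests from one root directory's permissions.
    static class RootDirBacked implements Provider {
        private final Path root;
        RootDirBacked(Path root) { this.root = root; }
        public void authorize(Priv[] read, Priv[] write) {
            // Fail closed when the root is missing, even if nothing was requested.
            if (!Files.isDirectory(root))
                throw new SecurityException("root not available: " + root);
            if (read.length > 0 && !Files.isReadable(root))
                throw new SecurityException("no read access to " + root);
            if (write.length > 0 && !Files.isWritable(root))
                throw new SecurityException("no write access to " + root);
        }
    }

    static boolean allowed(Provider p, Priv[] read, Priv[] write) {
        try { p.authorize(read, write); return true; }
        catch (SecurityException e) { return false; }
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("warehouse-demo"); // constructed stand-in
        Priv[] none = {};
        Priv[] select = { Priv.SELECT };
        // A metadata listing is modelled here as a user-level read request.
        System.out.println("deny-by-default: " + allowed(new DenyByDefault(), select, none));
        System.out.println("root-dir backed: " + allowed(new RootDirBacked(root), select, none));
        Files.delete(root);
        // With the root gone, the storage-backed provider refuses again.
        System.out.println("root removed:    " + allowed(new RootDirBacked(root), select, none));
    }
}
```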

      Attachments

        1. HIVE-5479.patch
          2 kB
          Sushanth Sowmyan

          People

            sushanth Sushanth Sowmyan