diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java
index 8f81ef9..4d16540 100644
--- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java
+++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java
@@ -233,10 +233,14 @@ private void authorize(Table table, Partition part, Privilege[] readRequiredPriv
 // we try to default to checking the permissions of the parent table.
 // Partition itself can also be null, in cases where this gets called as a generic
 // catch-all call in cases like those with CTAS onto an unpartitioned table (see HIVE-1887)
- if ((part == null) || (part.getLocation() == null)) {
- // this should be the case only if this is a create partition.
- // The privilege needed on the table should be ALTER_DATA, and not CREATE
- authorize(table, new Privilege[]{}, new Privilege[]{Privilege.ALTER_DATA});
+ if (part == null || part.getLocation() == null) {
+ if (requireCreatePrivilege(readRequiredPriv) || requireCreatePrivilege(writeRequiredPriv)) {
+ // this should be the case only if this is a create partition.
+ // The privilege needed on the table should be ALTER_DATA, and not CREATE
+ authorize(table, new Privilege[]{}, new Privilege[]{Privilege.ALTER_DATA});
+ } else {
+ authorize(table, readRequiredPriv, writeRequiredPriv);
+ }
 } else {
 authorize(part.getDataLocation(), readRequiredPriv, writeRequiredPriv);
 }
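Review bot: In the new create branch, `authorize(table, new Privilege[]{}, new Privilege[]{Privilege.ALTER_DATA})` still discards every other privilege the caller asked for, so a request that pairs CREATE with a read privilege is checked against ALTER_DATA only. Consider keeping the remaining requirements, e.g. `authorize(table, readRequiredPriv, new Privilege[]{Privilege.ALTER_DATA});` if CREATE is only ever expected in the write set, or substitute just the CREATE entry and pass the rest through. `requireCreatePrivilege` is defined outside this hunk, so confirm it returns false for a null or empty array, because both arguments reach it unchecked. The new `else` branch would also benefit from a one-line comment such as `// not a create-partition call: check the caller's requested privileges against the table`. The body of `authorize(Table, Partition, ...)` starts before the hunk, so callers that pass a null partition were not reviewed here.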