HIVE-29628: Incorrect objectName in PARTITION HivePrivilegeObject for…#6508
Conversation
asf-ci-hive
added
tests pending
tests failed
and removed
tests pending
tests failed
labels
… view queries on partitioned tables
asf-ci-hive
added
tests pending
tests passed
and removed
tests failed
tests pending
labels
asf-ci-hive
added
tests pending
tests unstable
tests passed
and removed
tests passed
tests pending
tests unstable
labels
soumyakanti3578
left a comment
soumyakanti3578
left a comment
There was a problem hiding this comment.
Overall looks good to me, I just have one question about a potential NPE. I will approve when it's resolved.
| String tableType = t.getTTable().getTableType(); | ||
| return TableType.MATERIALIZED_VIEW.name().equals(tableType) | ||
| || TableType.VIRTUAL_VIEW.name().equals(tableType); | ||
| } |
There was a problem hiding this comment.
Do you think getTTable() can return null? Although I see similar pattern elsewhere too, so I will leave it up to you.
nit: Also maybe this method can be used inside isDeferredAuthView?
There was a problem hiding this comment.
Thanks for pointing that out @soumyakanti3578 ! Table already exposes isView() and isMaterializedView() instance methods which are used everywhere. Hence removed this helper method.
|
There are a few Sonar issues regarding unused imports and method namings, can you please handle that? |
Thanks, handled sonar issues. |
asf-ci-hive
added
tests passed
tests pending
tests unstable
and removed
tests pending
tests passed
labels
asf-ci-hive
added
tests pending
tests unstable
and removed
tests unstable
tests pending
labels
|
soumyakanti3578
left a comment
soumyakanti3578
left a comment
There was a problem hiding this comment.
LGTM. Approving, pending tests.
5 participants
… view queries on partitioned tables
What changes were proposed in this pull request?
Fixed incorrect
PARTITIONHivePrivilegeObjectgeneration inCommandAuthorizerV2for queries that access a regular (non-deferred) view over a partitioned base table.In
CommandAuthorizerV2.getHivePrivObjects(), skip emitting aHivePrivilegeObjectforPARTITION/DUMMYPARTITIONentities when access is through a regular view. The view’sTABLE_OR_VIEWobject already covers authorization.Skip logic (
isPartitionAccessedViaRegularView):TABLEentity for the same base table has a regular view parent → skip.Authorized=false) → emitPARTITIONon the base table (existing behaviour).PARTITIONon the base tableWhy are the changes needed?
HIVE-27892 added handling for
PARTITION/DUMMYPARTITIONentities inaddHivePrivObject, always using the physical base-table name (datadb/t1). For view queries, this causes authorizers to receive an extraPARTITIONobject on the base table in addition to the view’sTABLE_OR_VIEWobject. Users with view-only policies are getting PERMISSION denied.Does this PR introduce any user-facing change?
yes
View queries through regular views send only the view TABLE_OR_VIEW privilege object. Direct queries on partitioned tables and deferred-auth views still emit base-table PARTITION objects as before.
How was this patch tested?
mvn test -Dtest=TestViewPartitionPrivilegeObjects