From 8cae808d271deeca370929db2c2992d2b444b568 Mon Sep 17 00:00:00 2001
From: saihemanth
Date: Thu, 18 Sep 2025 16:37:52 -0700
Subject: [PATCH 1/3] HIVE-29215: Fix owner info for view in authorizable events for alter view query
---
 .../java/org/apache/hadoop/hive/ql/ddl/DDLUtils.java | 5 +++++
 .../hive/ql/ddl/view/create/AlterViewAsAnalyzer.java | 11 +++++++----
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/ddl/DDLUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/ddl/DDLUtils.java
index 22a62e2c652e..3ee8d74cea9d 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/ddl/DDLUtils.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/ddl/DDLUtils.java
@@ -198,6 +198,11 @@ public static void addDbAndTableToOutputs(Database database, TableName tableName
 outputs.add(new WriteEntity(table, WriteEntity.WriteType.DDL_NO_LOCK));
 }
+ public static void addDbAndTableToOutputs(Database database, Table table, Set outputs) {
+ outputs.add(new WriteEntity(database, WriteEntity.WriteType.DDL_SHARED));
+ outputs.add(new WriteEntity(table, WriteEntity.WriteType.DDL_NO_LOCK));
+ }
+
 public static void setColumnsAndStorePartitionTransformSpecOfTable( List columns, List partitionColumns, HiveConf conf, Table tbl) {
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/ddl/view/create/AlterViewAsAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/ddl/view/create/AlterViewAsAnalyzer.java
index 329ed84a6015..88f741f83eb9 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/ddl/view/create/AlterViewAsAnalyzer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/ddl/view/create/AlterViewAsAnalyzer.java
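Review bot: The new `addDbAndTableToOutputs(Database, Table, Set)` overload has no Javadoc and no null check on `table`, although the `Table` it wraps in the `DDL_NO_LOCK` `WriteEntity` is now supplied by the caller instead of being built inside the method. Going by the commit subject, that object is where authorization events take the view's owner from, so the contract is worth stating on the method, for example `/** Registers the database (DDL_SHARED) and the caller-supplied table (DDL_NO_LOCK) as outputs; pass the Table loaded from the metastore so hooks see its real owner. */`. I would also open the body with `Objects.requireNonNull(table, "table");` so a missing lookup result fails here rather than later inside a hook; whether `java.util.Objects` is already imported is not visible in this hunk.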
@@ -67,14 +67,16 @@ public void analyzeInternal(ASTNode root) throws SemanticException {
 String expandedText = ctx.getTokenRewriteStream().toString(select.getTokenStartIndex(), select.getTokenStopIndex());
 AlterViewAsDesc desc = new AlterViewAsDesc(fqViewName, schema, originalText, expandedText);
- validateCreateView(desc, analyzer);
+ Table oldView = validateCreateView(desc, analyzer);
+ oldView.setDbName(viewName.getDb());
+ oldView.setTableName(viewName.getTable());
+ oldView.setTableType(TableType.VIRTUAL_VIEW);
 rootTasks.add(TaskFactory.get(new DDLWork(getInputs(), getOutputs(), desc)));
- DDLUtils.addDbAndTableToOutputs(getDatabase(viewName.getDb()), viewName, TableType.VIRTUAL_VIEW, false,
- null, outputs);
+ DDLUtils.addDbAndTableToOutputs(getDatabase(viewName.getDb()), oldView, outputs);
 }
- private void validateCreateView(AlterViewAsDesc desc, SemanticAnalyzer analyzer) throws SemanticException {
+ private Table validateCreateView(AlterViewAsDesc desc, SemanticAnalyzer analyzer) throws SemanticException {
 validateTablesUsed(analyzer);
 Table oldView = null;
@@ -90,5 +92,6 @@ private void validateCreateView(AlterViewAsDesc desc, SemanticAnalyzer analyzer)
 }
 validateReplaceWithPartitions(desc.getViewName(), oldView, null);
+ return oldView;
 }
 }
From 58b8a33d209c3ebdecf7b266b274908fce4c0f9d Mon Sep 17 00:00:00 2001
From: saihemanth
Date: Fri, 19 Sep 2025 12:28:40 -0700
Subject: [PATCH 2/3] Address test failure
---
 ql/src/test/results/clientpositive/llap/lineage3.q.out | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ql/src/test/results/clientpositive/llap/lineage3.q.out b/ql/src/test/results/clientpositive/llap/lineage3.q.out
index 8ea78bcc827d..e00fcd21fd03 100644
--- a/ql/src/test/results/clientpositive/llap/lineage3.q.out
+++ b/ql/src/test/results/clientpositive/llap/lineage3.q.out
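Review bot: In `analyzeInternal`, the `Table` returned by `validateCreateView` is mutated in place (`setDbName`, `setTableName`, `setTableType`) and then registered as the output entity, so every pre-execution hook now receives the pre-alter view object and not only its owner. The `lineage3.q.out` update later in this series, where the `dest_v3` vertices change from `a`/`x`/`cboolean1` to `a1`/`a2`/`a3`, suggests lineage consumers now see the old column names, and if the lookup returns a shared or cached instance the setters would alter that as well (not visible here). A narrower fix would keep a fresh `Table` for the output and copy only ownership onto it, e.g. `view.setOwner(oldView.getOwner());` and `view.setOwnerType(oldView.getOwnerType());`. The second hunk shows `oldView` starting as `null` and the lines that assign it lie between the two hunks, so it is worth confirming that `validateCreateView` throws before it can return `null` to the new setter calls.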
@@ -321,7 +321,7 @@ PREHOOK: type: ALTERVIEW_AS PREHOOK: Input: default@alltypesorc PREHOOK: Output: database:default PREHOOK: Output: default@dest_v3 -{"version":"1.0","engine":"tez","database":"default","hash":"81bb549360513aeae39a3bd971405be3","queryText":"alter view dest_v3 as\n select * from (\n select sum(a.ctinyint) over (partition by a.csmallint order by a.csmallint) a,\n count(b.cstring1) x, b.cboolean1\n from alltypesorc a join alltypesorc b on (a.cint = b.cint)\n where a.cboolean2 = true and b.cfloat > 0\n group by a.ctinyint, a.csmallint, b.cboolean1\n having count(a.cint) > 10\n order by a, x, b.cboolean1 limit 10) t_n20","edges":[{"sources":[3,4],"targets":[0],"expression":"sum((. (tok_table_or_col $hdt$_0) ctinyint)) over (partition by (. (tok_table_or_col $hdt$_0) csmallint) order by (. (tok_table_or_col $hdt$_0) csmallint) RANGE between unbounded and current_row)","edgeType":"PROJECTION"},{"sources":[5],"targets":[1],"expression":"count(default.alltypesorc.cstring1)","edgeType":"PROJECTION"},{"sources":[6],"targets":[2],"edgeType":"PROJECTION"},{"sources":[7,8],"targets":[0,1,2],"expression":"(a.cboolean2 and a.cint is not null)","edgeType":"PREDICATE"},{"sources":[8],"targets":[0,1,2],"expression":"(a.cint = b.cint)","edgeType":"PREDICATE"},{"sources":[9,8],"targets":[0,1,2],"expression":"((b.cfloat > 0.0) and b.cint is not null)","edgeType":"PREDICATE"},{"sources":[8],"targets":[0,1,2],"expression":"(count(default.alltypesorc.cint) > 
10L)","edgeType":"PREDICATE"}],"vertices":[{"id":0,"vertexType":"COLUMN","vertexId":"default.dest_v3.a"},{"id":1,"vertexType":"COLUMN","vertexId":"default.dest_v3.x"},{"id":2,"vertexType":"COLUMN","vertexId":"default.dest_v3.cboolean1"},{"id":3,"vertexType":"COLUMN","vertexId":"default.alltypesorc.ctinyint"},{"id":4,"vertexType":"COLUMN","vertexId":"default.alltypesorc.csmallint"},{"id":5,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cstring1"},{"id":6,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cboolean1"},{"id":7,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cboolean2"},{"id":8,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cint"},{"id":9,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cfloat"}]} +{"version":"1.0","engine":"tez","database":"default","hash":"81bb549360513aeae39a3bd971405be3","queryText":"alter view dest_v3 as\n select * from (\n select sum(a.ctinyint) over (partition by a.csmallint order by a.csmallint) a,\n count(b.cstring1) x, b.cboolean1\n from alltypesorc a join alltypesorc b on (a.cint = b.cint)\n where a.cboolean2 = true and b.cfloat > 0\n group by a.ctinyint, a.csmallint, b.cboolean1\n having count(a.cint) > 10\n order by a, x, b.cboolean1 limit 10) t_n20","edges":[{"sources":[3,4],"targets":[0],"expression":"sum((. (tok_table_or_col $hdt$_0) ctinyint)) over (partition by (. (tok_table_or_col $hdt$_0) csmallint) order by (. 
(tok_table_or_col $hdt$_0) csmallint) RANGE between unbounded and current_row)","edgeType":"PROJECTION"},{"sources":[5],"targets":[1],"expression":"count(default.alltypesorc.cstring1)","edgeType":"PROJECTION"},{"sources":[6],"targets":[2],"edgeType":"PROJECTION"},{"sources":[7,8],"targets":[0,1,2],"expression":"(a.cboolean2 and a.cint is not null)","edgeType":"PREDICATE"},{"sources":[8],"targets":[0,1,2],"expression":"(a.cint = b.cint)","edgeType":"PREDICATE"},{"sources":[9,8],"targets":[0,1,2],"expression":"((b.cfloat > 0.0) and b.cint is not null)","edgeType":"PREDICATE"},{"sources":[8],"targets":[0,1,2],"expression":"(count(default.alltypesorc.cint) > 10L)","edgeType":"PREDICATE"}],"vertices":[{"id":0,"vertexType":"COLUMN","vertexId":"default.dest_v3.a1"},{"id":1,"vertexType":"COLUMN","vertexId":"default.dest_v3.a2"},{"id":2,"vertexType":"COLUMN","vertexId":"default.dest_v3.a3"},{"id":3,"vertexType":"COLUMN","vertexId":"default.alltypesorc.ctinyint"},{"id":4,"vertexType":"COLUMN","vertexId":"default.alltypesorc.csmallint"},{"id":5,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cstring1"},{"id":6,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cboolean1"},{"id":7,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cboolean2"},{"id":8,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cint"},{"id":9,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cfloat"}]} PREHOOK: query: select * from dest_v3 limit 2 PREHOOK: type: QUERY PREHOOK: Input: default@alltypesorc From 2409ddc6d5f1ad3effebe64d94422e240aebf9b5 Mon Sep 17 00:00:00 2001 From: saihemanth Date: Mon, 22 Sep 2025 16:08:04 -0700 Subject: [PATCH 3/3] added qfile test --- .../clientnegative/authorization_alter_view.q | 24 +++++++++ .../authorization_alter_view.q.out | 54 +++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 ql/src/test/queries/clientnegative/authorization_alter_view.q create mode 100644 ql/src/test/results/clientnegative/authorization_alter_view.q.out 
diff --git a/ql/src/test/queries/clientnegative/authorization_alter_view.q b/ql/src/test/queries/clientnegative/authorization_alter_view.q
new file mode 100644
index 000000000000..25ce3defc30f
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_alter_view.q
@@ -0,0 +1,24 @@
+--! qt:authorizer
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+
+-- create db1, tab1, view1 as hive_admin_user
+set user.name=hive_admin_user;
+set role ADMIN;
+
+create database db1;
+create table db1.tab1(i int);
+create view db1.view1 as select * from db1.tab1;
+
+-- grant select privileges on db1 and view1
+GRANT select ON DATABASE db1 TO USER user2;
+GRANT select ON TABLE db1.view1 to USER user2;
+
+-- create db2, tab2 as user2
+set user.name=user2;
+create database db2;
+create table db2.tab2(i int);
+
+-- try to alter view1 as user2 and it should fail as user2 doesn't have required privilege
+alter view db1.view1 as select * from db2.tab2
\ No newline at end of file
diff --git a/ql/src/test/results/clientnegative/authorization_alter_view.q.out b/ql/src/test/results/clientnegative/authorization_alter_view.q.out
new file mode 100644
index 000000000000..68c0fab64160
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_alter_view.q.out
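Review bot: This negative case only shows that a non-owner (`user2`, holding just SELECT) is refused `ALTER VIEW ... AS`, and that refusal probably occurred before the fix as well, so the test may not pin the owner-information change the series is about. A companion case in which a non-admin user creates a view and then alters it successfully would fail if the owner went missing from the authorization event again. If the denial path is the intent, say so in the header, for example `-- non-owner with only SELECT must be denied ALTERVIEW_AS on db1.view1 (OBJECT OWNERSHIP required)`. The file also ends without a trailing newline.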
@@ -0,0 +1,54 @@ +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: create database db1 +PREHOOK: type: CREATEDATABASE +PREHOOK: Output: database:db1 +POSTHOOK: query: create database db1 +POSTHOOK: type: CREATEDATABASE +POSTHOOK: Output: database:db1 +PREHOOK: query: create table db1.tab1(i int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:db1 +PREHOOK: Output: db1@tab1 +POSTHOOK: query: create table db1.tab1(i int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:db1 +POSTHOOK: Output: db1@tab1 +PREHOOK: query: create view db1.view1 as select * from db1.tab1 +PREHOOK: type: CREATEVIEW +PREHOOK: Input: db1@tab1 +PREHOOK: Output: database:db1 +PREHOOK: Output: db1@view1 +POSTHOOK: query: create view db1.view1 as select * from db1.tab1 +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: db1@tab1 +POSTHOOK: Output: database:db1 +POSTHOOK: Output: db1@view1 +POSTHOOK: Lineage: view1.i SIMPLE [(tab1)tab1.FieldSchema(name:i, type:int, comment:null), ] +PREHOOK: query: GRANT select ON DATABASE db1 TO USER user2 +PREHOOK: type: GRANT_PRIVILEGE +POSTHOOK: query: GRANT select ON DATABASE db1 TO USER user2 +POSTHOOK: type: GRANT_PRIVILEGE +PREHOOK: query: GRANT select ON TABLE db1.view1 to USER user2 +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: db1@view1 +POSTHOOK: query: GRANT select ON TABLE db1.view1 to USER user2 +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: db1@view1 +PREHOOK: query: create database db2 +PREHOOK: type: CREATEDATABASE +PREHOOK: Output: database:db2 +POSTHOOK: query: create database db2 +POSTHOOK: type: CREATEDATABASE +POSTHOOK: Output: database:db2 +PREHOOK: query: create table db2.tab2(i int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:db2 +PREHOOK: Output: db2@tab2 +POSTHOOK: query: create table db2.tab2(i int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:db2 +POSTHOOK: Output: db2@tab2 +FAILED: HiveAccessControlException 
Permission denied: Principal [name=user2, type=USER] does not have following privileges for operation ALTERVIEW_AS [[OBJECT OWNERSHIP] on Object [type=DATABASE, name=db1], [OBJECT OWNERSHIP] on Object [type=TABLE_OR_VIEW, name=db1.view1]]