Skip to content

HIVE-29215: Fix owner info for view in authorizable events for alter … #6087

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Oct 13, 2025
Merged

HIVE-29215: Fix owner info for view in authorizable events for alter … #6087

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8cae808
HIVE-29215: Fix owner info for view in authorizable events for alter …
saihemanth-cloudera Sep 18, 2025
58b8a33
Address test failure
saihemanth-cloudera Sep 19, 2025
2409ddc
added qfile test
saihemanth-cloudera Sep 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions ql/src/java/org/apache/hadoop/hive/ql/ddl/DDLUtils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -198,6 +198,11 @@ public static void addDbAndTableToOutputs(Database database, TableName tableName
outputs.add(new WriteEntity(table, WriteEntity.WriteType.DDL_NO_LOCK));
}

public static void addDbAndTableToOutputs(Database database, Table table, Set<WriteEntity> outputs) {
outputs.add(new WriteEntity(database, WriteEntity.WriteType.DDL_SHARED));
outputs.add(new WriteEntity(table, WriteEntity.WriteType.DDL_NO_LOCK));
}

public static void setColumnsAndStorePartitionTransformSpecOfTable(
List<FieldSchema> columns, List<FieldSchema> partitionColumns,
HiveConf conf, Table tbl) {
Expand Down
11 changes: 7 additions & 4 deletions ql/src/java/org/apache/hadoop/hive/ql/ddl/view/create/AlterViewAsAnalyzer.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,14 +67,16 @@ public void analyzeInternal(ASTNode root) throws SemanticException {
String expandedText = ctx.getTokenRewriteStream().toString(select.getTokenStartIndex(), select.getTokenStopIndex());

AlterViewAsDesc desc = new AlterViewAsDesc(fqViewName, schema, originalText, expandedText);
validateCreateView(desc, analyzer);
Table oldView = validateCreateView(desc, analyzer);
oldView.setDbName(viewName.getDb());
oldView.setTableName(viewName.getTable());
oldView.setTableType(TableType.VIRTUAL_VIEW);

rootTasks.add(TaskFactory.get(new DDLWork(getInputs(), getOutputs(), desc)));
DDLUtils.addDbAndTableToOutputs(getDatabase(viewName.getDb()), viewName, TableType.VIRTUAL_VIEW, false,
null, outputs);
DDLUtils.addDbAndTableToOutputs(getDatabase(viewName.getDb()), oldView, outputs);
Copy link
Member

@dengzhhu653 dengzhhu653 Sep 29, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't get it, before this fix DDLUtils.addDbAndTableToOutputs will create a dummy table based on viewName, it has the same db and table with the oldView, why it doesn't work before?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The viewName has type TableName, which has dbname and table name. So the HivePrivilegeObject will be constructed with the current user as the owner of the view. This is incorrect behavior.

}

private void validateCreateView(AlterViewAsDesc desc, SemanticAnalyzer analyzer) throws SemanticException {
private Table validateCreateView(AlterViewAsDesc desc, SemanticAnalyzer analyzer) throws SemanticException {
validateTablesUsed(analyzer);

Table oldView = null;
Expand All @@ -90,5 +92,6 @@ private void validateCreateView(AlterViewAsDesc desc, SemanticAnalyzer analyzer)
}

validateReplaceWithPartitions(desc.getViewName(), oldView, null);
return oldView;
}
}
24 changes: 24 additions & 0 deletions ql/src/test/queries/clientnegative/authorization_alter_view.q
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
--! qt:authorizer
set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;

-- create db1, tab1, view1 as hive_admin_user
set user.name=hive_admin_user;
set role ADMIN;

create database db1;
create table db1.tab1(i int);
create view db1.view1 as select * from db1.tab1;

-- grant select privileges on db1 and view1
GRANT select ON DATABASE db1 TO USER user2;
GRANT select ON TABLE db1.view1 to USER user2;

-- create db2, tab2 as user2
set user.name=user2;
create database db2;
create table db2.tab2(i int);

-- try to alter view1 as user2 and it should fail as user2 doesn't have required privilege
alter view db1.view1 as select * from db2.tab2
54 changes: 54 additions & 0 deletions ql/src/test/results/clientnegative/authorization_alter_view.q.out
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
PREHOOK: query: set role ADMIN
PREHOOK: type: SHOW_ROLES
POSTHOOK: query: set role ADMIN
POSTHOOK: type: SHOW_ROLES
PREHOOK: query: create database db1
PREHOOK: type: CREATEDATABASE
PREHOOK: Output: database:db1
POSTHOOK: query: create database db1
POSTHOOK: type: CREATEDATABASE
POSTHOOK: Output: database:db1
PREHOOK: query: create table db1.tab1(i int)
PREHOOK: type: CREATETABLE
PREHOOK: Output: database:db1
PREHOOK: Output: db1@tab1
POSTHOOK: query: create table db1.tab1(i int)
POSTHOOK: type: CREATETABLE
POSTHOOK: Output: database:db1
POSTHOOK: Output: db1@tab1
PREHOOK: query: create view db1.view1 as select * from db1.tab1
PREHOOK: type: CREATEVIEW
PREHOOK: Input: db1@tab1
PREHOOK: Output: database:db1
PREHOOK: Output: db1@view1
POSTHOOK: query: create view db1.view1 as select * from db1.tab1
POSTHOOK: type: CREATEVIEW
POSTHOOK: Input: db1@tab1
POSTHOOK: Output: database:db1
POSTHOOK: Output: db1@view1
POSTHOOK: Lineage: view1.i SIMPLE [(tab1)tab1.FieldSchema(name:i, type:int, comment:null), ]
PREHOOK: query: GRANT select ON DATABASE db1 TO USER user2
PREHOOK: type: GRANT_PRIVILEGE
POSTHOOK: query: GRANT select ON DATABASE db1 TO USER user2
POSTHOOK: type: GRANT_PRIVILEGE
PREHOOK: query: GRANT select ON TABLE db1.view1 to USER user2
PREHOOK: type: GRANT_PRIVILEGE
PREHOOK: Output: db1@view1
POSTHOOK: query: GRANT select ON TABLE db1.view1 to USER user2
POSTHOOK: type: GRANT_PRIVILEGE
POSTHOOK: Output: db1@view1
PREHOOK: query: create database db2
PREHOOK: type: CREATEDATABASE
PREHOOK: Output: database:db2
POSTHOOK: query: create database db2
POSTHOOK: type: CREATEDATABASE
POSTHOOK: Output: database:db2
PREHOOK: query: create table db2.tab2(i int)
PREHOOK: type: CREATETABLE
PREHOOK: Output: database:db2
PREHOOK: Output: db2@tab2
POSTHOOK: query: create table db2.tab2(i int)
POSTHOOK: type: CREATETABLE
POSTHOOK: Output: database:db2
POSTHOOK: Output: db2@tab2
FAILED: HiveAccessControlException Permission denied: Principal [name=user2, type=USER] does not have following privileges for operation ALTERVIEW_AS [[OBJECT OWNERSHIP] on Object [type=DATABASE, name=db1], [OBJECT OWNERSHIP] on Object [type=TABLE_OR_VIEW, name=db1.view1]]
2 changes: 1 addition & 1 deletion ql/src/test/results/clientpositive/llap/lineage3.q.out
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -321,7 +321,7 @@ PREHOOK: type: ALTERVIEW_AS
PREHOOK: Input: default@alltypesorc
PREHOOK: Output: database:default
PREHOOK: Output: default@dest_v3
{"version":"1.0","engine":"tez","database":"default","hash":"81bb549360513aeae39a3bd971405be3","queryText":"alter view dest_v3 as\n select * from (\n select sum(a.ctinyint) over (partition by a.csmallint order by a.csmallint) a,\n count(b.cstring1) x, b.cboolean1\n from alltypesorc a join alltypesorc b on (a.cint = b.cint)\n where a.cboolean2 = true and b.cfloat > 0\n group by a.ctinyint, a.csmallint, b.cboolean1\n having count(a.cint) > 10\n order by a, x, b.cboolean1 limit 10) t_n20","edges":[{"sources":[3,4],"targets":[0],"expression":"sum((. (tok_table_or_col $hdt$_0) ctinyint)) over (partition by (. (tok_table_or_col $hdt$_0) csmallint) order by (. (tok_table_or_col $hdt$_0) csmallint) RANGE between unbounded and current_row)","edgeType":"PROJECTION"},{"sources":[5],"targets":[1],"expression":"count(default.alltypesorc.cstring1)","edgeType":"PROJECTION"},{"sources":[6],"targets":[2],"edgeType":"PROJECTION"},{"sources":[7,8],"targets":[0,1,2],"expression":"(a.cboolean2 and a.cint is not null)","edgeType":"PREDICATE"},{"sources":[8],"targets":[0,1,2],"expression":"(a.cint = b.cint)","edgeType":"PREDICATE"},{"sources":[9,8],"targets":[0,1,2],"expression":"((b.cfloat > 0.0) and b.cint is not null)","edgeType":"PREDICATE"},{"sources":[8],"targets":[0,1,2],"expression":"(count(default.alltypesorc.cint) > 10L)","edgeType":"PREDICATE"}],"vertices":[{"id":0,"vertexType":"COLUMN","vertexId":"default.dest_v3.a"},{"id":1,"vertexType":"COLUMN","vertexId":"default.dest_v3.x"},{"id":2,"vertexType":"COLUMN","vertexId":"default.dest_v3.cboolean1"},{"id":3,"vertexType":"COLUMN","vertexId":"default.alltypesorc.ctinyint"},{"id":4,"vertexType":"COLUMN","vertexId":"default.alltypesorc.csmallint"},{"id":5,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cstring1"},{"id":6,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cboolean1"},{"id":7,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cboolean2"},{"id":8,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cint"},{"id":9,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cfloat"}]}
{"version":"1.0","engine":"tez","database":"default","hash":"81bb549360513aeae39a3bd971405be3","queryText":"alter view dest_v3 as\n select * from (\n select sum(a.ctinyint) over (partition by a.csmallint order by a.csmallint) a,\n count(b.cstring1) x, b.cboolean1\n from alltypesorc a join alltypesorc b on (a.cint = b.cint)\n where a.cboolean2 = true and b.cfloat > 0\n group by a.ctinyint, a.csmallint, b.cboolean1\n having count(a.cint) > 10\n order by a, x, b.cboolean1 limit 10) t_n20","edges":[{"sources":[3,4],"targets":[0],"expression":"sum((. (tok_table_or_col $hdt$_0) ctinyint)) over (partition by (. (tok_table_or_col $hdt$_0) csmallint) order by (. (tok_table_or_col $hdt$_0) csmallint) RANGE between unbounded and current_row)","edgeType":"PROJECTION"},{"sources":[5],"targets":[1],"expression":"count(default.alltypesorc.cstring1)","edgeType":"PROJECTION"},{"sources":[6],"targets":[2],"edgeType":"PROJECTION"},{"sources":[7,8],"targets":[0,1,2],"expression":"(a.cboolean2 and a.cint is not null)","edgeType":"PREDICATE"},{"sources":[8],"targets":[0,1,2],"expression":"(a.cint = b.cint)","edgeType":"PREDICATE"},{"sources":[9,8],"targets":[0,1,2],"expression":"((b.cfloat > 0.0) and b.cint is not null)","edgeType":"PREDICATE"},{"sources":[8],"targets":[0,1,2],"expression":"(count(default.alltypesorc.cint) > 10L)","edgeType":"PREDICATE"}],"vertices":[{"id":0,"vertexType":"COLUMN","vertexId":"default.dest_v3.a1"},{"id":1,"vertexType":"COLUMN","vertexId":"default.dest_v3.a2"},{"id":2,"vertexType":"COLUMN","vertexId":"default.dest_v3.a3"},{"id":3,"vertexType":"COLUMN","vertexId":"default.alltypesorc.ctinyint"},{"id":4,"vertexType":"COLUMN","vertexId":"default.alltypesorc.csmallint"},{"id":5,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cstring1"},{"id":6,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cboolean1"},{"id":7,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cboolean2"},{"id":8,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cint"},{"id":9,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cfloat"}]}
PREHOOK: query: select * from dest_v3 limit 2
PREHOOK: type: QUERY
PREHOOK: Input: default@alltypesorc
Expand Down