[HIVE-16028] Fail UPDATE/DELETE/MERGE queries when Ranger authorization manager is used - ASF JIRA

Log work

Agile Board

Rank to Top

Rank to Bottom

Bulk Copy Attachments

Bulk Move Attachments

Voters

Watch issue

Watchers

Create sub-task

Convert to sub-task

Move

Link

Clone

Labels

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.2.0
Fix Version/s: 2.2.0
Component/s: Authorization, Transactions
Labels:
None

Target Version/s:

2.2.0

Description

This is a followup of ~~HIVE-15891~~. In that jira an error-out logic was added, but the assumption that we need to do row filtering/column masking for entries in a non-empty list of tables returned by applyRowFilterAndColumnMasking is wrong, because on Ranger side, RangerHiveAuthorizer#applyRowFilterAndColumnMasking will unconditionally return a list of tables no matter whether row filtering/column masking is applicable on the tables.

The fix for Hive for now will be to move the error-out logic after we figure out there's no replacement text for the query. But ideally we should consider modifying Ranger logic to only return tables that need to be masked.