HIVE-29248: Propagate HiveAccessControlException to HiveCatalog #6171
Conversation
okumin
force-pushed
the
HIVE-29248-error-message
branch
from
cce3ff3 to
0e8b53a
Compare
okumin
force-pushed
the
HIVE-29248-error-message
branch
from
0e8b53a to
3598bd1
Compare
asf-ci-hive
added
tests unstable
tests pending
tests passed
and removed
tests pending
tests unstable
labels
okumin
force-pushed
the
HIVE-29248-error-message
branch
from
3598bd1 to
cf0be80
Compare
asf-ci-hive
added
tests pending
tests unstable
and removed
tests passed
tests pending
tests unstable
labels
|
|
|
||
| private boolean isAccessControlException(MetaException exception) { | ||
| return exception.getMessage() != null && exception.getMessage().startsWith( | ||
| "Got exception: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException"); |
There was a problem hiding this comment.
should we just check for contains "org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException" ?
There was a problem hiding this comment.
The current style is aligned with L118, Got exception: org.apache.thrift.transport.TTransportException. To be honest, I don't have a preference. They should eventually be consistent between apache/hive and apache/iceberg.
There was a problem hiding this comment.
i would use regex to check for the exception class only
| <!-- Test dependencies --> | ||
| <dependency> | ||
| <groupId>org.apache.hive</groupId> | ||
| <artifactId>hive-exec</artifactId> |
There was a problem hiding this comment.
why do we need ql dependency here? HMS is supposed to be standalone project
There was a problem hiding this comment.
Unfortunately, the authorization framework belongs to hive-exec, which means we need hive-exec whenever we use hive.security.authorization.manager. We should finally clean it up; however, it's not a trivial task. I've not discovered a concrete migration path.
https://github.com/apache/hive/tree/master/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin
There was a problem hiding this comment.
could we use core classifier?
3 participants
What changes were proposed in this pull request?
Add a prefixed message,
Got exception: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException, to MetaException when HiveMetaStoreAuthorizer handles HiveAccessControlException, and make HiveCatalog translate it to Iceberg's ForbiddenException.This Pull Request implements the first option in the following document, and I'm not obsessed with this option; I chose it first because the change is minimal(easy to revert). I'm open to Option 2 or 3, or another suggestion.
https://docs.google.com/document/d/1SMvIud9k5lVSzqjgCzohHH59oW5MWAwA9BW-pPr9yIc/edit?usp=sharing
https://issues.apache.org/jira/browse/HIVE-29248
Why are the changes needed?
Currently, when Ranger rejects an access, HiveMetastore throws
MetaException(message:<Message thrown by Ranger>), and a Thrift client can't get more information than the error message implemented in Apache Ranger. It's inconvenient for an Iceberg client such as Spark to distinguish the root cause and Iceberg REST API can't return a proper status code, i.e., 403.Does this PR introduce any user-facing change?
No. The error message will contain more information.
How was this patch tested?
I added integration tests to verify that thrown exceptions are handled correctly.