Uploaded image for project: 'CDAP'
  1. CDAP
  2. CDAP-9183

Dataset truncate on impersonated dataset fails

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 4.1.0
    • Fix Version/s: 4.1.1
    • Component/s: Datasets, Explore, Security
    • Labels:
    • Rank:
      1|hzzyqn:

      Description

      When disabling explore for a dataset (during truncate or drop), explore table manager first checks whether the Hive table exists. This is done via a call to ExploreService.getTableInfo(). That method directly queries the meta store without impersonation, and it fails if the CDAP user cannot read (describe) that table.

      Unfortunately, the Hive meta store throws a NoSuchObjectException instead of indicating a lack of access privileges. Hence, because it appears that the table does not exist, the explore table manager does not execute a DROP TABLE statement.

      This may also affect other methods that rely on getTableInfo().

      This issue is only reproducible if the CDAP user has insufficient privileges to describe the table. That is, CDAP cannot be a Hive super user or Hive admin.

        Attachments

          Activity

            People

            • Assignee:
              andreas Andreas Neumann
              Reporter:
              andreas Andreas Neumann
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: