HIVE-29215: Fix owner info for view in authorizable events for alter … (#6087)
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/ddl/DDLUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/ddl/DDLUtils.java
index 22a62e2..3ee8d74 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/ddl/DDLUtils.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/ddl/DDLUtils.java
@@ -198,6 +198,11 @@ public static void addDbAndTableToOutputs(Database database, TableName tableName
outputs.add(new WriteEntity(table, WriteEntity.WriteType.DDL_NO_LOCK));
}
+ public static void addDbAndTableToOutputs(Database database, Table table, Set<WriteEntity> outputs) {
+ outputs.add(new WriteEntity(database, WriteEntity.WriteType.DDL_SHARED));
+ outputs.add(new WriteEntity(table, WriteEntity.WriteType.DDL_NO_LOCK));
+ }
+
public static void setColumnsAndStorePartitionTransformSpecOfTable(
List<FieldSchema> columns, List<FieldSchema> partitionColumns,
HiveConf conf, Table tbl) {
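Review bot: The new `addDbAndTableToOutputs(Database, Table, Set<WriteEntity>)` overload has no Javadoc and does not say that the `Table` is registered as-is. That matters because the caller now decides what owner and table type the output entity carries. I would add something like `/** Adds the database (DDL_SHARED) and the supplied table (DDL_NO_LOCK) to outputs; the Table is used unchanged, so it must already carry the correct owner and table type. */`. The existing overload ends with the same `outputs.add(new WriteEntity(table, WriteEntity.WriteType.DDL_NO_LOCK));` line, so it could probably delegate to this one, though most of its body lies outside the hunk.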
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/ddl/view/create/AlterViewAsAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/ddl/view/create/AlterViewAsAnalyzer.java
index 329ed84..88f741f 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/ddl/view/create/AlterViewAsAnalyzer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/ddl/view/create/AlterViewAsAnalyzer.java
@@ -67,14 +67,16 @@ public void analyzeInternal(ASTNode root) throws SemanticException {
String expandedText = ctx.getTokenRewriteStream().toString(select.getTokenStartIndex(), select.getTokenStopIndex());
AlterViewAsDesc desc = new AlterViewAsDesc(fqViewName, schema, originalText, expandedText);
- validateCreateView(desc, analyzer);
+ Table oldView = validateCreateView(desc, analyzer);
+ oldView.setDbName(viewName.getDb());
+ oldView.setTableName(viewName.getTable());
+ oldView.setTableType(TableType.VIRTUAL_VIEW);
rootTasks.add(TaskFactory.get(new DDLWork(getInputs(), getOutputs(), desc)));
- DDLUtils.addDbAndTableToOutputs(getDatabase(viewName.getDb()), viewName, TableType.VIRTUAL_VIEW, false,
- null, outputs);
+ DDLUtils.addDbAndTableToOutputs(getDatabase(viewName.getDb()), oldView, outputs);
}
- private void validateCreateView(AlterViewAsDesc desc, SemanticAnalyzer analyzer) throws SemanticException {
+ private Table validateCreateView(AlterViewAsDesc desc, SemanticAnalyzer analyzer) throws SemanticException {
validateTablesUsed(analyzer);
Table oldView = null;
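Review bot: Passing the pre-alter `oldView` to `DDLUtils.addDbAndTableToOutputs` exposes all of the old view's metadata to output consumers, not only its owner. The `lineage3.q.out` change in this same commit shows the effect: target vertices go from `default.dest_v3.a`/`x`/`cboolean1` to `default.dest_v3.a1`/`a2`/`a3`, which looks like the old view's column names appearing in lineage for the new definition, so audit and governance hooks may record stale columns. A narrower fix would build the output `Table` for `viewName` from the new `schema` and copy only the owner fields from `oldView`. The three setters also mutate the object returned by the lookup in `validateCreateView` and force `TableType.VIRTUAL_VIEW` regardless of what was found, so a copy is safer if that object can be shared or cached. `analyzeInternal` starts above the hunk and the middle of `validateCreateView` is not shown, so I cannot confirm from here that `oldView` is never null at `oldView.setDbName(...)`.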
@@ -90,5 +92,6 @@ private void validateCreateView(AlterViewAsDesc desc, SemanticAnalyzer analyzer)
}
validateReplaceWithPartitions(desc.getViewName(), oldView, null);
+ return oldView;
}
}
diff --git a/ql/src/test/queries/clientnegative/authorization_alter_view.q b/ql/src/test/queries/clientnegative/authorization_alter_view.q
new file mode 100644
index 0000000..25ce3de
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_alter_view.q
@@ -0,0 +1,24 @@
+--! qt:authorizer
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+
+-- create db1, tab1, view1 as hive_admin_user
+set user.name=hive_admin_user;
+set role ADMIN;
+
+create database db1;
+create table db1.tab1(i int);
+create view db1.view1 as select * from db1.tab1;
+
+-- grant select privileges on db1 and view1
+GRANT select ON DATABASE db1 TO USER user2;
+GRANT select ON TABLE db1.view1 to USER user2;
+
+-- create db2, tab2 as user2
+set user.name=user2;
+create database db2;
+create table db2.tab2(i int);
+
+-- try to alter view1 as user2 and it should fail as user2 doesn't have required privilege
+alter view db1.view1 as select * from db2.tab2
\ No newline at end of file
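Review bot: This negative test only checks that a non-owner (`user2`) is denied `ALTERVIEW_AS` on `db1.view1`; it does not cover what the owner-info change presumably enables, a non-admin owner altering their own view. From the page alone I cannot tell whether this test failed before the change, so it may not pin the regression. A clientpositive companion in which `user2` creates a view in `db2` and then runs `alter view ... as` on it would exercise the owner path and the owner carried in the output entity. The file also ends without a trailing newline and without a `;` on the final statement.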
diff --git a/ql/src/test/results/clientnegative/authorization_alter_view.q.out b/ql/src/test/results/clientnegative/authorization_alter_view.q.out
new file mode 100644
index 0000000..68c0fab
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_alter_view.q.out
@@ -0,0 +1,54 @@
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: create database db1
+PREHOOK: type: CREATEDATABASE
+PREHOOK: Output: database:db1
+POSTHOOK: query: create database db1
+POSTHOOK: type: CREATEDATABASE
+POSTHOOK: Output: database:db1
+PREHOOK: query: create table db1.tab1(i int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:db1
+PREHOOK: Output: db1@tab1
+POSTHOOK: query: create table db1.tab1(i int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:db1
+POSTHOOK: Output: db1@tab1
+PREHOOK: query: create view db1.view1 as select * from db1.tab1
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: db1@tab1
+PREHOOK: Output: database:db1
+PREHOOK: Output: db1@view1
+POSTHOOK: query: create view db1.view1 as select * from db1.tab1
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: db1@tab1
+POSTHOOK: Output: database:db1
+POSTHOOK: Output: db1@view1
+POSTHOOK: Lineage: view1.i SIMPLE [(tab1)tab1.FieldSchema(name:i, type:int, comment:null), ]
+PREHOOK: query: GRANT select ON DATABASE db1 TO USER user2
+PREHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: query: GRANT select ON DATABASE db1 TO USER user2
+POSTHOOK: type: GRANT_PRIVILEGE
+PREHOOK: query: GRANT select ON TABLE db1.view1 to USER user2
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: db1@view1
+POSTHOOK: query: GRANT select ON TABLE db1.view1 to USER user2
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: db1@view1
+PREHOOK: query: create database db2
+PREHOOK: type: CREATEDATABASE
+PREHOOK: Output: database:db2
+POSTHOOK: query: create database db2
+POSTHOOK: type: CREATEDATABASE
+POSTHOOK: Output: database:db2
+PREHOOK: query: create table db2.tab2(i int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:db2
+PREHOOK: Output: db2@tab2
+POSTHOOK: query: create table db2.tab2(i int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:db2
+POSTHOOK: Output: db2@tab2
+FAILED: HiveAccessControlException Permission denied: Principal [name=user2, type=USER] does not have following privileges for operation ALTERVIEW_AS [[OBJECT OWNERSHIP] on Object [type=DATABASE, name=db1], [OBJECT OWNERSHIP] on Object [type=TABLE_OR_VIEW, name=db1.view1]]
diff --git a/ql/src/test/results/clientpositive/llap/lineage3.q.out b/ql/src/test/results/clientpositive/llap/lineage3.q.out
index 8ea78bc..e00fcd2 100644
--- a/ql/src/test/results/clientpositive/llap/lineage3.q.out
+++ b/ql/src/test/results/clientpositive/llap/lineage3.q.out
@@ -321,7 +321,7 @@
PREHOOK: Input: default@alltypesorc
PREHOOK: Output: database:default
PREHOOK: Output: default@dest_v3
-{"version":"1.0","engine":"tez","database":"default","hash":"81bb549360513aeae39a3bd971405be3","queryText":"alter view dest_v3 as\n select * from (\n select sum(a.ctinyint) over (partition by a.csmallint order by a.csmallint) a,\n count(b.cstring1) x, b.cboolean1\n from alltypesorc a join alltypesorc b on (a.cint = b.cint)\n where a.cboolean2 = true and b.cfloat > 0\n group by a.ctinyint, a.csmallint, b.cboolean1\n having count(a.cint) > 10\n order by a, x, b.cboolean1 limit 10) t_n20","edges":[{"sources":[3,4],"targets":[0],"expression":"sum((. (tok_table_or_col $hdt$_0) ctinyint)) over (partition by (. (tok_table_or_col $hdt$_0) csmallint) order by (. (tok_table_or_col $hdt$_0) csmallint) RANGE between unbounded and current_row)","edgeType":"PROJECTION"},{"sources":[5],"targets":[1],"expression":"count(default.alltypesorc.cstring1)","edgeType":"PROJECTION"},{"sources":[6],"targets":[2],"edgeType":"PROJECTION"},{"sources":[7,8],"targets":[0,1,2],"expression":"(a.cboolean2 and a.cint is not null)","edgeType":"PREDICATE"},{"sources":[8],"targets":[0,1,2],"expression":"(a.cint = b.cint)","edgeType":"PREDICATE"},{"sources":[9,8],"targets":[0,1,2],"expression":"((b.cfloat > 0.0) and b.cint is not null)","edgeType":"PREDICATE"},{"sources":[8],"targets":[0,1,2],"expression":"(count(default.alltypesorc.cint) > 
10L)","edgeType":"PREDICATE"}],"vertices":[{"id":0,"vertexType":"COLUMN","vertexId":"default.dest_v3.a"},{"id":1,"vertexType":"COLUMN","vertexId":"default.dest_v3.x"},{"id":2,"vertexType":"COLUMN","vertexId":"default.dest_v3.cboolean1"},{"id":3,"vertexType":"COLUMN","vertexId":"default.alltypesorc.ctinyint"},{"id":4,"vertexType":"COLUMN","vertexId":"default.alltypesorc.csmallint"},{"id":5,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cstring1"},{"id":6,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cboolean1"},{"id":7,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cboolean2"},{"id":8,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cint"},{"id":9,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cfloat"}]}
+{"version":"1.0","engine":"tez","database":"default","hash":"81bb549360513aeae39a3bd971405be3","queryText":"alter view dest_v3 as\n select * from (\n select sum(a.ctinyint) over (partition by a.csmallint order by a.csmallint) a,\n count(b.cstring1) x, b.cboolean1\n from alltypesorc a join alltypesorc b on (a.cint = b.cint)\n where a.cboolean2 = true and b.cfloat > 0\n group by a.ctinyint, a.csmallint, b.cboolean1\n having count(a.cint) > 10\n order by a, x, b.cboolean1 limit 10) t_n20","edges":[{"sources":[3,4],"targets":[0],"expression":"sum((. (tok_table_or_col $hdt$_0) ctinyint)) over (partition by (. (tok_table_or_col $hdt$_0) csmallint) order by (. (tok_table_or_col $hdt$_0) csmallint) RANGE between unbounded and current_row)","edgeType":"PROJECTION"},{"sources":[5],"targets":[1],"expression":"count(default.alltypesorc.cstring1)","edgeType":"PROJECTION"},{"sources":[6],"targets":[2],"edgeType":"PROJECTION"},{"sources":[7,8],"targets":[0,1,2],"expression":"(a.cboolean2 and a.cint is not null)","edgeType":"PREDICATE"},{"sources":[8],"targets":[0,1,2],"expression":"(a.cint = b.cint)","edgeType":"PREDICATE"},{"sources":[9,8],"targets":[0,1,2],"expression":"((b.cfloat > 0.0) and b.cint is not null)","edgeType":"PREDICATE"},{"sources":[8],"targets":[0,1,2],"expression":"(count(default.alltypesorc.cint) > 
10L)","edgeType":"PREDICATE"}],"vertices":[{"id":0,"vertexType":"COLUMN","vertexId":"default.dest_v3.a1"},{"id":1,"vertexType":"COLUMN","vertexId":"default.dest_v3.a2"},{"id":2,"vertexType":"COLUMN","vertexId":"default.dest_v3.a3"},{"id":3,"vertexType":"COLUMN","vertexId":"default.alltypesorc.ctinyint"},{"id":4,"vertexType":"COLUMN","vertexId":"default.alltypesorc.csmallint"},{"id":5,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cstring1"},{"id":6,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cboolean1"},{"id":7,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cboolean2"},{"id":8,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cint"},{"id":9,"vertexType":"COLUMN","vertexId":"default.alltypesorc.cfloat"}]}
PREHOOK: query: select * from dest_v3 limit 2
PREHOOK: type: QUERY
PREHOOK: Input: default@alltypesorc