HIVE-29248: Propagate HiveAccessControlException to HiveCatalog #6171
+746
−17
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
okumin
force-pushed
the
HIVE-29248-error-message
branch
from
cce3ff3 to
0e8b53a
Compare
okumin
force-pushed
the
HIVE-29248-error-message
branch
from
0e8b53a to
3598bd1
Compare
asf-ci-hive
added
tests unstable
tests pending
tests passed
and removed
tests pending
tests unstable
labels
okumin
force-pushed
the
HIVE-29248-error-message
branch
from
3598bd1 to
cf0be80
Compare
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this pull request?
Add a prefixed message,
Got exception: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException, to MetaException when HiveMetaStoreAuthorizer handles HiveAccessControlException, and make HiveCatalog translate it to Iceberg's ForbiddenException.This Pull Request implements the first option in the following document, and I'm not obsessed with this option; I chose it first because the change is minimal. I'm open to Option 2 or 3, or another suggestion.
https://docs.google.com/document/d/1SMvIud9k5lVSzqjgCzohHH59oW5MWAwA9BW-pPr9yIc/edit?usp=sharing
https://issues.apache.org/jira/browse/HIVE-29248
Why are the changes needed?
Currently, when Ranger rejects an access, HiveMetastore throws
MetaException(message:<Message thrown by Ranger>), and a Thrift client can't get further information. So, HiveCatalog can't distinguish it from a generic error, i.e., an internal server error. Iceberg-based data pipeline can't process the error correctly(might retry it), and HMS Iceberg REST API can't return the correct status code.Does this PR introduce any user-facing change?
No. The error message will contain more information.
How was this patch tested?
I added integration tests to verify that thrown exceptions are handled correctly.