From a2a8dd5365081bbf52f1efb28226cf4e0a38dc73 Mon Sep 17 00:00:00 2001
From: Guy Cohen
Date: Mon, 28 Oct 2024 14:04:38 +0200
Subject: [PATCH] Allow hive table owner to change ownership
---
 .../hive/security/SqlStandardAccessControl.java | 2 +-
 .../io/trino/plugin/hive/BaseHiveConnectorTest.java | 11 +++--------
 2 files changed, 4 insertions(+), 9 deletions(-)
diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java
index 51ae942207dc..c856063e61a8 100644
--- a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java
+++ b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java
@@ -317,7 +317,7 @@ public void checkCanAlterColumn(ConnectorSecurityContext context, SchemaTableNam
 @Override
 public void checkCanSetTableAuthorization(ConnectorSecurityContext context, SchemaTableName tableName, TrinoPrincipal principal)
 {
- if (!isAdmin(context)) {
+ if (!isTableOwner(context, tableName)) {
 denySetTableAuthorization(tableName.toString(), principal);
 }
 }
diff --git a/plugin/trino-hive/src/test/java/io/trino/plugin/hive/BaseHiveConnectorTest.java b/plugin/trino-hive/src/test/java/io/trino/plugin/hive/BaseHiveConnectorTest.java
index e0839a7b1b90..3f5be1e17313 100644
--- a/plugin/trino-hive/src/test/java/io/trino/plugin/hive/BaseHiveConnectorTest.java
+++ b/plugin/trino-hive/src/test/java/io/trino/plugin/hive/BaseHiveConnectorTest.java
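Review bot: In checkCanSetTableAuthorization (SqlStandardAccessControl.java) the `principal` argument is still used only for the denial message, so with the check relaxed from `isAdmin(context)` to `isTableOwner(context, tableName)` any table owner can hand the table to an arbitrary user or role, including one it is not a member of. While only admins could reach this path the target did not matter; now it is worth deciding whether a non-admin owner should be limited to principals it can act as, and recording that decision next to the check. The admin path also now depends on isTableOwner accepting admins, which is defined outside this hunk (the unchanged `assertUpdate(admin, ...)` line in the test suggests it does). A one-line comment above the condition would capture both, e.g. `// owner (or admin, via isTableOwner) may reassign the table to any principal`.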
@@ -945,11 +945,7 @@ public void testTableAuthorization()
 "ALTER TABLE test_table_authorization.foo SET AUTHORIZATION alice",
 "Cannot set authorization for table test_table_authorization.foo to USER alice");
 assertUpdate(admin, "ALTER TABLE test_table_authorization.foo SET AUTHORIZATION alice");
- // only admin can change the owner
- assertAccessDenied(
- alice,
- "ALTER TABLE test_table_authorization.foo SET AUTHORIZATION alice",
- "Cannot set authorization for table test_table_authorization.foo to USER alice");
+ assertUpdate(alice, "ALTER TABLE test_table_authorization.foo SET AUTHORIZATION alice");
 // alice as new owner can now drop table
 assertUpdate(alice, "DROP TABLE test_table_authorization.foo");
@@ -982,11 +978,10 @@ public void testTableAuthorizationForRole()
 "DROP TABLE test_table_authorization_role.foo",
 "Cannot drop table test_table_authorization_role.foo");
 assertUpdate(admin, "ALTER TABLE test_table_authorization_role.foo SET AUTHORIZATION alice");
- // Only admin can change the owner
- assertAccessDenied(
+ assertQueryFails(
 alice,
 "ALTER TABLE test_table_authorization_role.foo SET AUTHORIZATION ROLE admin",
- "Cannot set authorization for table test_table_authorization_role.foo to ROLE admin");
+ "Setting table owner type as a role is not supported");
 // new owner can drop table
 assertUpdate(alice, "DROP TABLE test_table_authorization_role.foo");
 assertUpdate(admin, "DROP SCHEMA test_table_authorization_role");
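Review bot: The only positive case added to testTableAuthorization is alice, already the owner, assigning the table to herself, so the test does not show an owner actually transferring a table or what the previous owner may do afterwards. A stronger check would have alice assign the table to a second non-admin user and then assert that alice is denied a further `SET AUTHORIZATION` and `DROP TABLE` on it. The removed `// only admin can change the owner` comment also has no replacement; `// the table owner can change the owner` above the new `assertUpdate(alice, ...)` line would keep the intent readable. The test method begins and ends outside the hunk.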
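Review bot: The new expectation in testTableAuthorizationForRole, `"Setting table owner type as a role is not supported"`, does not read like an access-control denial, so the statement appears to pass the permission check and fail later because role owners are unsupported. That leaves no assertion here on what the access check decides when an owner targets a role, and if role ownership is supported later the test will change meaning without anyone noticing. Replace the dropped comment with one that says where the failure comes from, e.g. `// owner passes the access check; the statement fails because role owners are not supported`. The test method begins outside the hunk.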