HIVE-29248: Propagate HiveAccessControlException to HiveCatalog #6171
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
okumin
force-pushed
the
HIVE-29248-error-message
branch
from
cce3ff3 to
0e8b53a
Compare
okumin
force-pushed
the
HIVE-29248-error-message
branch
from
0e8b53a to
3598bd1
Compare
asf-ci-hive
added
tests unstable
tests pending
tests passed
and removed
tests pending
tests unstable
labels
okumin
force-pushed
the
HIVE-29248-error-message
branch
from
3598bd1 to
cf0be80
Compare
asf-ci-hive
added
tests pending
tests unstable
and removed
tests passed
tests pending
tests unstable
labels
|
deniskuzZ
reviewed
Nov 17, 2025
|
|
||
| private boolean isAccessControlException(MetaException exception) { | ||
| return exception.getMessage() != null && exception.getMessage().startsWith( | ||
| "Got exception: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException"); |
Member
There was a problem hiding this comment.
should we just check for contains "org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException" ?
deniskuzZ
reviewed
Nov 17, 2025
| <!-- Test dependencies --> | ||
| <dependency> | ||
| <groupId>org.apache.hive</groupId> | ||
| <artifactId>hive-exec</artifactId> |
Member
There was a problem hiding this comment.
why do we need ql dependency here? HMS is supposed to be standalone project
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this pull request?
Add a prefixed message,
Got exception: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException, to MetaException when HiveMetaStoreAuthorizer handles HiveAccessControlException, and make HiveCatalog translate it to Iceberg's ForbiddenException.This Pull Request implements the first option in the following document, and I'm not obsessed with this option; I chose it first because the change is minimal(easy to revert). I'm open to Option 2 or 3, or another suggestion.
https://docs.google.com/document/d/1SMvIud9k5lVSzqjgCzohHH59oW5MWAwA9BW-pPr9yIc/edit?usp=sharing
https://issues.apache.org/jira/browse/HIVE-29248
Why are the changes needed?
Currently, when Ranger rejects an access, HiveMetastore throws
MetaException(message:<Message thrown by Ranger>), and a Thrift client can't get more information than the error message implemented in Apache Ranger. It's inconvenient for an Iceberg client such as Spark to distinguish the root cause and Iceberg REST API can't return a proper status code, i.e., 403.Does this PR introduce any user-facing change?
No. The error message will contain more information.
How was this patch tested?
I added integration tests to verify that thrown exceptions are handled correctly.