
HIVE-29248: Propagate HiveAccessControlException to HiveCatalog #6171

Merged
okumin merged 3 commits into apache:master from okumin:HIVE-29248-error-message
Dec 5, 2025

@okumin okumin commented Nov 7, 2025

What changes were proposed in this pull request?

Add a prefixed message, Got exception: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException, to MetaException when HiveMetaStoreAuthorizer handles HiveAccessControlException, and make HiveCatalog translate it to Iceberg's ForbiddenException.

This Pull Request implements the first option in the following document, and I'm not obsessed with this option; I chose it first because the change is minimal (easy to revert). I'm open to Option 2 or 3, or another suggestion.
https://docs.google.com/document/d/1SMvIud9k5lVSzqjgCzohHH59oW5MWAwA9BW-pPr9yIc/edit?usp=sharing

https://issues.apache.org/jira/browse/HIVE-29248

Why are the changes needed?

Currently, when Ranger rejects an access, HiveMetastore throws MetaException(message:<Message thrown by Ranger>), and a Thrift client can't get more information than the error message implemented in Apache Ranger. It's inconvenient for an Iceberg client such as Spark to distinguish the root cause and Iceberg REST API can't return a proper status code, i.e., 403.

Does this PR introduce any user-facing change?

No. The error message will contain more information.

How was this patch tested?

I added integration tests to verify that thrown exceptions are handled correctly.
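
A sketch of the prefix-based classification the description outlines, as an added example that is not the code merged in this PR. `MetaException` and `ForbiddenException` are stand-in classes, and `isAccessDenied`, `translate`, the start-of-message match and the "Access denied: " wording (taken from the trace later in this thread) are assumptions.

```java
import java.util.List;

public class AccessDeniedClassifier {
    // Prefix quoted in the PR description, prepended to the MetaException message.
    static final String MARKER =
        "Got exception: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException";

    // Hypothetical stand-ins so the example compiles without Hive or Iceberg on the classpath.
    static class MetaException extends Exception {
        MetaException(String message) { super(message); }
    }
    static class ForbiddenException extends RuntimeException {
        ForbiddenException(String message, Throwable cause) { super(message, cause); }
    }

    // Match only at the start of the message: the remainder carries user and
    // object names, so a "contains" check could be satisfied by unrelated text.
    static boolean isAccessDenied(MetaException e) {
        String msg = e.getMessage();
        return msg != null && msg.startsWith(MARKER);
    }

    // Authorization failures become ForbiddenException (HTTP 403 at the REST layer);
    // everything else stays a generic failure.
    static RuntimeException translate(MetaException e) {
        if (isAccessDenied(e)) {
            return new ForbiddenException("Access denied: " + e.getMessage(), e);
        }
        return new RuntimeException("Metastore operation failed", e);
    }

    public static void main(String[] args) {
        // Constructed sample messages: prefixed, unprefixed (pre-change form),
        // marker in the middle of the text, and a null message.
        String denied = "Permission denied: user [trino] does not have [SELECT] privilege on [default/test]";
        List<MetaException> samples = List.of(
            new MetaException(MARKER + " " + denied),
            new MetaException(denied),
            new MetaException("Table not found: " + MARKER),
            new MetaException(null));
        for (MetaException e : samples) {
            System.out.println(translate(e).getClass().getSimpleName() + " <- " + e.getMessage());
        }
    }
}
```

Only the first sample is classified as `ForbiddenException`; the unprefixed message shows why a client could not tell an authorization failure apart before the prefix was added.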

@okumin okumin marked this pull request as ready for review November 11, 2025 07:04
sonarqubecloud bot commented Dec 4, 2025

@deniskuzZ deniskuzZ left a comment

+1, pending tests


okumin commented Dec 5, 2025

I verified that a client would see a ForbiddenException for sure

trino> select * from iceberg.default.test;
Query 20251205_083416_00005_ntu85 failed: Failed to load view 'test'
io.trino.spi.TrinoException: Failed to load view 'test'
	at io.trino.plugin.iceberg.catalog.rest.TrinoRestCatalog.getIcebergView(TrinoRestCatalog.java:715)
	at io.trino.plugin.iceberg.catalog.rest.TrinoRestCatalog.getView(TrinoRestCatalog.java:686)
	at io.trino.plugin.iceberg.IcebergMetadata.getView(IcebergMetadata.java:3272)
...
Caused by: org.apache.iceberg.exceptions.ForbiddenException: Forbidden: Access denied: Got exception: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException Permission denied: user [trino] does not have [SELECT] privilege on [default/test]
	at org.apache.iceberg.rest.ErrorHandlers$DefaultErrorHandler.accept(ErrorHandlers.java:236)

@okumin okumin merged commit cad3734 into apache:master Dec 5, 2025
2 checks passed
@okumin okumin deleted the HIVE-29248-error-message branch December 5, 2025 23:42

okumin commented Dec 5, 2025

Merged. @deniskuzZ Thanks for reviewing this PR!


Chaho12 commented Jan 6, 2026

@okumin Hi, I have a question regarding this PR.
Does this change propagate authorization-related errors to Trino as a ForbiddenException?

I ran into an issue with using StorageBasedAuthorizationProvider where AccessControlExceptions were not propagated to the client immediately, causing the request to wait until the metastore timeout.
Here is the fix, not pretty, but I had no choice.


okumin commented Jan 12, 2026

@Chaho12
This patch does not directly help your issue. Your issue likely occurs when you use the Hive connector, which lets Trino access Hive's Thrift API. HIVE-29248 would make Hive's Iceberg REST API return a ForbiddenException. The Thrift API still returns a MetaException, with the message slightly changed.

DanielZhu58 pushed a commit to DanielZhu58/hive that referenced this pull request Jan 12, 2026
…he#6171)

* Add test cases to reproduce HiveAccessControlException

* Classify HiveAccessControlException as ForbiddenException

* Add core classifier
nareshpr pushed a commit to nareshpr/hive-1 that referenced this pull request Feb 28, 2026
…he#6171)

* Add test cases to reproduce HiveAccessControlException

* Classify HiveAccessControlException as ForbiddenException

* Add core classifier