Allow hive table owner to change ownership

[guyco33]

Description

Hive sql-standard security mode restricts the possibility to change ownership to admin users only, making the authorization rules almost useless.

With this PR, Hive table owners will be able to transfer the ownership to other users, similar to community databases like Postgres.

For views, only admin users will be able to transfer ownership, as by letting owners to do it, a security breach will happen while they might transfer the ownership to users that able to select sensitive masked columns (or more filtered rows) and expose themself to data that they are not allowed to query.

Actually the option for transferring ownership to other users can be achieved by letting the new owner a grant to show view code and recreate the view and become the new owner.

Additional context and related issues

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
(x) Release notes are required, with the following suggested text:

## hive-connector
* Allow table owner to change ownership with sql-standard security mode. ({issue}`23842`)

[findinpath]

@guyco33 pls sketch a bit a scenario where it makes sense to change ownership of the hive table/view and outline the current limitations of the system without your change.
Also pls consider referencing Hive documentation (if any) on how this functionality is achieved there.

[kokosing]

This is related to #16691

[kokosing]

This is insecure. IMO it would introduce a vector attack for Trino that was removed in #10351 (it is on purpose not having all details).

It is not enough to see you can own the object, but we need to make sure that to what users we can grant it. See some thinking here #16691 (review)

[guyco33]

Table owner can grant any permission to any user including the WITH GRANT OPTION, so I don't understand how changing ownership that actually add the privilege to DROP the table will add a new security risk.

Same for views. If the view security mode was set to DEFINER than all masking functions and filter rules will run on behalf of the new owner privileges, so if the new owner is blocked from viewing some specific sensitive columns, all executed queries on the view will result with masked data.
Views with INVOKER security mode are executed with the privileges of the authenticated users running the queries - so no issue here.

[kokosing]

if the new owner is blocked from viewing some specific sensitive columns

Yes. But access could be different and so it could happen that things that here not visible to original user are now accessible to that user by querying the view they created and altered (transferred ownerhsip).

[guyco33]

But access could be different and so it could happen that things that here not visible to original user are now accessible to that user by querying the view they created and altered

You are right. The view owner can change the ownership to any privileged user, so we should allow it only for views created with INVOKER security mode

[kokosing]

so we should allow it only for views created with INVOKER security mode

I am not a fan of such conditions. I would prefer to have secure security model instead. However I am not sure if it is doable in hive sql-standard.

[guyco33]

Views can be recreated by a user with proper privileges to become the new owner, so I can skip this change for views and keep it for tables only.

[guyco33]

pls sketch a bit a scenario where it makes sense to change ownership of the hive table/view

We are using hive with sql-standard security mode as we have a common hive schema used by all users to create their private tables in a way that only the owners have privileges unless they explicitly grant permissions to other users or hive roles - (using the GRANT ... PRIVILEGES ON ... sql command)
We want the owners to be able to transfer the ownership to other users when they leave their role or when they want the tables to be populated by other applicative users.

Currently there is no option to transfer table ownership by the table owner.
Same for views, but since there is a security breach with changing views' ownership, we can implement it by allowing the new owner with the SHOW CREATE VIEW permission (by granting SELECT ... WITH GRANT OPTION) , so it will be able to recreate the view and become the new owner.

[kokosing]

Please squash the commits.

@dain would you like to take a look? We have discussed this issue in the past. @guyco33 wants to allow SET AUTHORIZATION for tables only, which seems IMO to be safe.

[github-actions]

This pull request has gone a while without any activity. Tagging the Trino developer relations team: @bitsondatadev @colebow @mosabua

[github-actions]

Closing this pull request, as it has been stale for six weeks. Feel free to re-open at any time.

[mosabua]

Given that this is already approved by @kokosing I am reopening. Hopefully @dain can chime in and then we decide to merge or update as needed.

[github-actions]

This pull request has gone a while without any activity. Tagging for triage help: @mosabua

[github-actions]

Closing this pull request, as it has been stale for six weeks. Feel free to re-open at any time.