RANGER-5634: CTAS and temporary-table queries must authorize UDF SELECT #1044

Merged
ramackri merged 1 commit into ranger-2.9 from RANGER-5634-backport-ranger-2.9 on Jul 4, 2026

Conversation

ramackri (Contributor) commented Jul 4, 2026

Summary

Backport of 409e8a72 / #1012 to ranger-2.9.

For CREATETABLE_AS_SELECT and CREATE_MATERIALIZED_VIEW, treat input FUNCTION privilege objects as SELECT so CTAS/temp-table queries cannot bypass UDF select authorization.

Fixes RANGER-5634.

Changes

| File | Change |
| --- | --- |
| hive-agent/.../RangerHiveAuthorizer.java | Map input FUNCTION objects to HiveAccessType.SELECT for CTAS / create materialized view |

Note: Unit tests from #1012 (TestRangerHiveAuthorizer) are not included — that test class does not exist on ranger-2.9. Production fix only.

Test plan

  • Manual: user without UDF SELECT should get HiveAccessControlException on CREATE TABLE ... AS SELECT ... using that UDF
  • Manual: plain SELECT with UDF still denied as before
  • CI build-8 green on ranger-2.9

Made with Cursor

Backport of 409e8a7 (#1012) to ranger-2.9.

For CREATETABLE_AS_SELECT and CREATE_MATERIALIZED_VIEW, treat input
FUNCTION privilege objects as SELECT so CTAS/temp-table queries cannot
bypass UDF select authorization.
ramackri merged commit a6387b8 into ranger-2.9 on Jul 4, 2026
1 check passed
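
The mapping rule described in this PR, as an added self-contained model (not code from the PR or from RangerHiveAuthorizer). The enums, the `requiredAccess` and `allowed` helpers, the grant strings and the object names are all hypothetical, and the model assumes that an object resolving to no access type is not policy-checked.

```java
import java.util.*;

// Simplified model of access-type resolution for Hive privilege objects.
// All names are illustrative; this is not RangerHiveAuthorizer code.
public class CtasUdfAuthzModel {
    enum OpType { QUERY, CREATETABLE_AS_SELECT, CREATE_MATERIALIZED_VIEW }
    enum ObjType { TABLE_OR_VIEW, FUNCTION }
    enum Access { NONE, SELECT, CREATE }

    // Resolve which access a user needs on one object of a statement.
    static Access requiredAccess(OpType op, ObjType obj, boolean isInput) {
        switch (op) {
            case CREATETABLE_AS_SELECT:
            case CREATE_MATERIALIZED_VIEW:
                if (obj == ObjType.TABLE_OR_VIEW) {
                    return isInput ? Access.SELECT : Access.CREATE;
                }
                // Rule stated in this PR: an input FUNCTION object needs SELECT.
                if (obj == ObjType.FUNCTION && isInput) {
                    return Access.SELECT;
                }
                return Access.NONE;
            case QUERY:
                return isInput ? Access.SELECT : Access.NONE;
            default:
                return Access.NONE;
        }
    }

    // Model assumption: objects resolving to NONE are skipped, so a missing
    // mapping for an object type means no policy check for that object.
    static boolean allowed(Set<String> grants, OpType op, ObjType obj,
                           String name, boolean isInput) {
        Access needed = requiredAccess(op, obj, isInput);
        return needed == Access.NONE || grants.contains(needed + ":" + name);
    }

    public static void main(String[] args) {
        // Constructed grants: the user may read the source table and create
        // the target table, but holds no SELECT on the UDF.
        Set<String> grants = new HashSet<>(
                Arrays.asList("SELECT:db.src", "CREATE:db.ctas_out"));
        for (OpType op : OpType.values()) {
            boolean ok = allowed(grants, op, ObjType.FUNCTION, "db.mask_udf", true);
            System.out.println(op + " using db.mask_udf -> " + (ok ? "ALLOW" : "DENY"));
        }
    }
}
```

Removing the `FUNCTION` branch from the CTAS case makes the same user's request resolve to `NONE` and pass in this model, which is the regression the first item of the test plan guards against.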