LOAD and UNLOAD privilege check fixes

1437078 - LOAD fails with error 4481 even if user has priv
This problem happens because the table definition cached in NATableCache is not being refreshed with the new values:
Generally, when a query is compiled and the user does not have privilege(s), a call to checkPrivileges (called during binding) returns a special privilege error. After compilation completes, the compiler (CmpMain::sqlcomp) checks to see if a privilege error occurred. If so, the NATable entry is removed and the request is recompiled. If a privilege error occurs the second time, the privilege error is reported and the latest cached NATable structure is retained.
In the case of LOAD, the privilege checks are performed in the generator; therefore checkPrivileges is not being called, the special privilege error is not reported and the cached NATable entry is not being refreshed.
The fix moves authorization checks from the generator into the binder - specifically checkPrivileges. A bindNode method was added to the bulk loader code to verify privileges. The bindNode checks to see if the user has the MANAGE_LOAD privilege. If so, no additional checks are required. If not, bindNode sets up the privilege structure (stoi) and saves it in the binder work area. Later, checkPrivileges is called and privileges are checked as required.
1305015 - User with SELECT and INSERT privs unable to UNLOAD
This problem occurs during the generator phase when privileges are being checked. When an unload statement is parsed, the parser creates the ExeUtilHBaseBulkUnload class and sets the table name to DUMMY. When the privilege checks are later performed, the DUMMY table is checked, which does not exist.
The fix moves authorization checks from the generation phase into the binder. A bindNode method was added to the bulk unload code to verify privileges. The bindNode code first checks to see if the user has the MANAGE_LOAD privilege. If so, no additional checks are required. If not, it grabs the query expression attached to the ExeUtilHBaseBulkUnLoad class and binds it. Binding the query expression calls checkPrivileges and reports any violations.
This change requires that the query expression created during parsing be stored in a new class member.
Other fixes related to load and unload:
While fixing the above issues, a problem was found when trying to load a table with indexes if the user had MANAGE_LOAD privilege. A check was added to index code to allow the operation to proceed.
The load code is not checking privileges on the source table
1438896 Internal error during create or replace view
Not found errors can be returned, so the error check was changed to look for STATUS_ERROR only.

Eliminate manual steps in load/ustat integration
The fix achieves full integration of the bulk load utility with Update Statistics. The Hive backing sample table is now created automatically (formerly, we only wrote the HDFS files to be used by the Hive external table), the correct sampling percentage for the sample table is calculated, and the ustat command is launched from the executor as one of the steps in execution of the bulk load utility.
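
The stale-cache behaviour described under 1437078 above, as a simplified model added here for illustration (not code from this commit or from the project). It shows why a privilege check made in the generator never refreshes the cached entry, while the same check made in the binder does; all type and function names, the table T1 and the user USER1 are hypothetical.

```cpp
#include <map>
#include <set>
#include <string>

// Simplified model. Only NATableCache, checkPrivileges and sqlcomp are names
// from the commit message; every type and function here is hypothetical.
using Grantees = std::set<std::string>;              // users holding the privilege
using Catalog  = std::map<std::string, Grantees>;    // metadata: source of truth

struct CacheModel {                                  // stands in for NATableCache
    Catalog entries;
    const Grantees& get(const Catalog& cat, const std::string& table) {
        auto it = entries.find(table);
        if (it == entries.end()) it = entries.emplace(table, cat.at(table)).first;
        return it->second;                           // may be stale after a GRANT
    }
};

enum class Phase { Binder, Generator };              // where the check is performed
struct Outcome { bool ok; bool privErrorFlagged; };

// One compilation pass: the decision is made against the cached entry.
Outcome compileOnce(CacheModel& c, const Catalog& cat, const std::string& table,
                    const std::string& user, Phase where) {
    bool allowed = c.get(cat, table).count(user) > 0;
    // Only a binder-phase check raises the special error the retry looks for.
    return { allowed, !allowed && where == Phase::Binder };
}

// Models the retry in sqlcomp: on the special error, drop the entry, recompile once.
bool compileWithRetry(CacheModel& c, const Catalog& cat, const std::string& table,
                      const std::string& user, Phase where) {
    Outcome first = compileOnce(c, cat, table, user, where);
    if (first.ok || !first.privErrorFlagged) return first.ok;  // no refresh path
    c.entries.erase(table);
    return compileOnce(c, cat, table, user, where).ok;
}

// Constructed scenario: denied once (entry cached), privilege granted, retried.
bool loadAfterGrant(Phase where) {
    Catalog cat;
    cat["T1"] = Grantees{};
    CacheModel cache;
    compileWithRetry(cache, cat, "T1", "USER1", where);  // caches "no privilege"
    cat["T1"].insert("USER1");                           // GRANT changes metadata only
    return compileWithRetry(cache, cat, "T1", "USER1", where);
}

int main() { return (!loadAfterGrant(Phase::Generator) && loadAfterGrant(Phase::Binder)) ? 0 : 1; }
```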