Allow hive table owner to change ownership

trinodb · Oct 28, 2024 · a2a8dd5 · a2a8dd5
1 parent d0bab0f
commit a2a8dd5
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 9 deletions.
diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/security/SqlStandardAccessControl.java
@@ -317,7 +317,7 @@ public void checkCanAlterColumn(ConnectorSecurityContext context, SchemaTableNam
     @Override
     public void checkCanSetTableAuthorization(ConnectorSecurityContext context, SchemaTableName tableName, TrinoPrincipal principal)
     {
-        if (!isAdmin(context)) {
+        if (!isTableOwner(context, tableName)) {
             denySetTableAuthorization(tableName.toString(), principal);
         }
     }

diff --git a/plugin/trino-hive/src/test/java/io/trino/plugin/hive/BaseHiveConnectorTest.java b/plugin/trino-hive/src/test/java/io/trino/plugin/hive/BaseHiveConnectorTest.java
@@ -945,11 +945,7 @@ public void testTableAuthorization()
                 "ALTER TABLE test_table_authorization.foo SET AUTHORIZATION alice",
                 "Cannot set authorization for table test_table_authorization.foo to USER alice");
         assertUpdate(admin, "ALTER TABLE test_table_authorization.foo SET AUTHORIZATION alice");
-        // only admin can change the owner
-        assertAccessDenied(
-                alice,
-                "ALTER TABLE test_table_authorization.foo SET AUTHORIZATION alice",
-                "Cannot set authorization for table test_table_authorization.foo to USER alice");
+        assertUpdate(alice, "ALTER TABLE test_table_authorization.foo SET AUTHORIZATION alice");
         // alice as new owner can now drop table
         assertUpdate(alice, "DROP TABLE test_table_authorization.foo");
 
@@ -982,11 +978,10 @@ public void testTableAuthorizationForRole()
                 "DROP TABLE test_table_authorization_role.foo",
                 "Cannot drop table test_table_authorization_role.foo");
         assertUpdate(admin, "ALTER TABLE test_table_authorization_role.foo SET AUTHORIZATION alice");
-        // Only admin can change the owner
-        assertAccessDenied(
+        assertQueryFails(
                 alice,
                 "ALTER TABLE test_table_authorization_role.foo SET AUTHORIZATION ROLE admin",
-                "Cannot set authorization for table test_table_authorization_role.foo to ROLE admin");
+                "Setting table owner type as a role is not supported");
         // new owner can drop table
         assertUpdate(alice, "DROP TABLE test_table_authorization_role.foo");
         assertUpdate(admin, "DROP SCHEMA test_table_authorization_role");