hive impersonation=true not effect when show schemas/tables

[user-GitHub-user]

trino:400
hive:3.1.2

catalog:
connector.name=hive
hive.metastore.uri=thrift://host1:9083,thrift://host2:9083,thrift://host3:9083
hive.config.resources=/hadoop_conf/core-site.xml,/hadoop_conf/hdfs-site.xml
hive.metastore.thrift.impersonation.enabled=true

use default system access control

hive config Range plugin for access control

any user can see all of schema and tables but can't select from table

i [see:]12002(#12002)
is any other thing should config?

[zhangbutao]

hive.metastore.thrift.impersonation.enabled=true is just used to pass real client user(Trino side) to metastore, and you can check metastore log to verify the user info.

If i understand correctly, you want to add access control on hive catalog, here have two methods to achieve this:

1. Add Trino ranger plugin, you can add fine-grained permissions on hive catalog. This way is not related to the config hive.metastore.thrift.impersonation.enabled=true;
2. https://issues.apache.org/jira/browse/HIVE-21753 (Hive4.0 metastore Ranger Based Authorization) with hive.metastore.thrift.impersonation.enabled=true, you can get correct output for each user when executing query 'show schemas/tables'.