What exactly is granting all on a URI needed for? Is it only needed when creating tables? If admins create tables on behalf of the users they already have all privileges on everything. Does a user need permissions on a URI to add partitions or not?
The following DDL command is used to add partitions to tables and works with and without specifying the LOCATION keyword:
ALTER TABLE db.tb ADD PARTITION (part=1)
ALTER TABLE db.tb ADD PARTITION (part=1) LOCATION 's3://....'
Are the URI permissions only checked on the second command?