Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.13.0
    • Component/s: Authorization
    • Labels:
      None

      Description

      A role can belong to another role. But get_privilege_set in hive metastore api checks only the privileges of the immediate roles a user belongs to.

      1. HIVE-5954.3.patch
        24 kB
        Thejas M Nair
      2. HIVE-5954.2.patch
        24 kB
        Thejas M Nair
      3. HIVE-5954.1.patch
        21 kB
        Thejas M Nair
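
An added illustration of the gap described above (not code from the HIVE-5954 patches or from Hive itself): resolving privileges from a user's immediate roles only, next to resolving them over the full role hierarchy. The class, the maps, the role names and the privilege strings are constructed for this example; the cycle in the sample grants is there only to show that the traversal terminates.

```java
import java.util.*;

public class RoleHierarchyDemo {
    // Constructed sample data: role -> roles that role belongs to.
    static final Map<String, List<String>> ROLE_GRANTS = Map.of(
        "analyst", List.of("reader"),
        "reader", List.of("public_data"),
        "public_data", List.of("analyst")); // deliberate cycle
    static final Map<String, Set<String>> ROLE_PRIVS = Map.of(
        "analyst", Set.of("SELECT:sales"),
        "reader", Set.of("SELECT:inventory"),
        "public_data", Set.of("SELECT:catalog"));
    static final Map<String, List<String>> USER_ROLES = Map.of("alice", List.of("analyst"));

    // The behaviour the issue describes: only immediate roles are consulted.
    static Set<String> immediatePrivileges(String user) {
        Set<String> privs = new TreeSet<>();
        for (String role : USER_ROLES.getOrDefault(user, List.of())) {
            privs.addAll(ROLE_PRIVS.getOrDefault(role, Set.of()));
        }
        return privs;
    }

    // Breadth-first walk over role membership; the visited set guards against cycles.
    // TreeSet keeps the result sorted, so output is deterministic.
    static Set<String> effectiveRoles(String user) {
        Set<String> visited = new TreeSet<>();
        Deque<String> queue = new ArrayDeque<>(USER_ROLES.getOrDefault(user, List.of()));
        while (!queue.isEmpty()) {
            String role = queue.poll();
            if (visited.add(role)) { // false if already seen, so each role expands once
                queue.addAll(ROLE_GRANTS.getOrDefault(role, List.of()));
            }
        }
        return visited;
    }

    // Privileges over the whole hierarchy: union across every reachable role.
    static Set<String> effectivePrivileges(String user) {
        Set<String> privs = new TreeSet<>();
        for (String role : effectiveRoles(user)) {
            privs.addAll(ROLE_PRIVS.getOrDefault(role, Set.of()));
        }
        return privs;
    }

    public static void main(String[] args) {
        System.out.println("immediate privileges: " + immediatePrivileges("alice"));
        System.out.println("effective roles:      " + effectiveRoles("alice"));
        System.out.println("effective privileges: " + effectivePrivileges("alice"));
    }
}
```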

          Activity

          Thejas M Nair added a comment -

          Patch committed to trunk. Thanks for the review Ashutosh!

          Thejas M Nair added a comment -

          Created HIVE-6494 for metastore api support for returning list of roles considering the hierarchy.

          Thejas M Nair added a comment -

          HIVE-5954.3.patch - updates authorization_rolehierarchy_privs.q.out (roles should get printed in sorted order.)

          Ashutosh Chauhan added a comment -

          I think in most (all ?) cases full role hierarchy is required, so it may be better to add another parameter to list_roles() thrift api to get immediate vs all roles. That would also get rid of multiple calls that client currently makes to server. Can you create follow-up jira to track this for future work?
          Other than that looks good, +1

          Hive QA added a comment -

          Overall: -1 at least one tests failed

          Here are the results of testing the latest attachment:
          https://issues.apache.org/jira/secure/attachment/12630473/HIVE-5954.2.patch

          ERROR: -1 due to 3 failed/errored test(s), 5177 tests executed
          Failed tests:

          org.apache.hadoop.hive.cli.TestMinimrCliDriver.testCliDriver_auto_sortmerge_join_16
          org.apache.hadoop.hive.cli.TestMinimrCliDriver.testCliDriver_schemeAuthority2
          org.apache.hadoop.hive.cli.TestNegativeCliDriver.testNegativeCliDriver_authorization_rolehierarchy_privs
          

          Test results: http://bigtop01.cloudera.org:8080/job/PreCommit-HIVE-Build/1476/testReport
          Console output: http://bigtop01.cloudera.org:8080/job/PreCommit-HIVE-Build/1476/console

          Messages:

          Executing org.apache.hive.ptest.execution.PrepPhase
          Executing org.apache.hive.ptest.execution.ExecutionPhase
          Executing org.apache.hive.ptest.execution.ReportingPhase
          Tests exited with: TestsFailedException: 3 tests failed
          

          This message is automatically generated.

          ATTACHMENT ID: 12630473

          Thejas M Nair added a comment -

          Adding review board link.

          Ashutosh Chauhan added a comment -

          Thejas M Nair Can you create RB request for this?

          Thejas M Nair added a comment -

          HIVE-5954.2.patch - sorting show roles and show current roles output for deterministic results.

          Thejas M Nair added a comment -

          HIVE-5954.1.patch - With this change, the current roles used in SQL standard auth also now includes roles in hierarchy.

          Navis added a comment -

          Looks like HIVE-6203. I'll update that tomorrow.

          Thejas M Nair added a comment - - edited

          Navis This is probably another jira where you have a patch already.

          Thejas M Nair added a comment - - edited

          Navis I believe your internal patch "NHIVE-26 Indirect roles are not reflected in authorization" must be doing the same as what is described in this jira. Will you be able to contribute that?


            People

            • Assignee:
              Unassigned
              Reporter:
              Thejas M Nair

                Time Tracking

                • Original Estimate: 24h
                • Remaining Estimate: 24h
                • Time Spent: Not Specified