Index: common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
===================================================================
--- common/src/java/org/apache/hadoop/hive/conf/HiveConf.java (revision 1037574)
+++ common/src/java/org/apache/hadoop/hive/conf/HiveConf.java (working copy)
@@ -315,6 +315,14 @@
HIVEFETCHOUTPUTSERDE("hive.fetch.output.serde", "org.apache.hadoop.hive.serde2.DelimitedJSONSerDe"),
SEMANTIC_ANALYZER_HOOK("hive.semantic.analyzer.hook",null),
+
+ HIVE_AUTHORIZATION_ENABLED("hive.security.authorization.enabled", false),
+ HIVE_AUTHORIZATION_MANAGER("hive.security.authorization.manager", null),
+ HIVE_AUTHENTICATOR_MANAGER("hive.security.authenticator.manager", null),
+ HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS("hive.exec.security.authorization.table.owner.grants", null),
+ HIVE_AUTHORIZATION_TABLE_USER_GRANTS("hive.exec.security.authorization.table.user.grants", null),
+ HIVE_AUTHORIZATION_TABLE_GROUP_GRANTS("hive.exec.security.authorization.table.group.grants", null),
+ HIVE_AUTHORIZATION_TABLE_ROLE_GRANTS("hive.exec.security.authorization.table.role.grants", null),
;
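Review bot: `HIVE_AUTHORIZATION_MANAGER` and `HIVE_AUTHENTICATOR_MANAGER` default to `null` here, while the hive-default.xml in this same patch ships `org.apache.hadoop.hive.ql.security.authorization.DefaultAuthorizationProviderManager` and `org.apache.hadoop.hive.ql.security.HadoopDefaultAuthenticator` for the same keys, so a deployment whose hive-default.xml is not on the classpath gets a null class name the moment `hive.security.authorization.enabled` is switched on. Either carry the class names here as the ConfVars defaults or note in a comment that these two keys have no built-in default and must be set explicitly. The four grant keys also use the `hive.exec.security.authorization.` prefix while the other three use `hive.security.`; one prefix for the whole group would make the settings easier to find and audit. A heading comment such as `// Client-side authorization settings; the grant keys are read when a table is created` would help readers place this block.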
Index: conf/hive-default.xml
===================================================================
--- conf/hive-default.xml (revision 1037574)
+++ conf/hive-default.xml (working copy)
@@ -786,4 +786,52 @@
Default property values for newly created tables
+
+ hive.security.authorization.enabled
+ false
+ enable or disable the hive client authorization
+
+
+
+ hive.security.authorization.manager
+ org.apache.hadoop.hive.ql.security.authorization.DefaultAuthorizationProviderManager
+ the hive client authorization manager class name
+
+
+
+ hive.security.authenticator.manager
+ org.apache.hadoop.hive.ql.security.HadoopDefaultAuthenticator
+ hive client authenticator manager class name
+
+
+
+ hive.exec.security.authorization.table.owner.grants
+
+ the privileges automatically granted to the owner
+
+
+
+ hive.exec.security.authorization.table.user.grants
+
+ the privileges automatically granted to some users whenenve a table gets created.
+ An example like "userX,userY:select;userZ:create" will grant select privilege to userX and userY,
+ and grant create privilege to userZ whenenve a new table created.
+
+
+
+ hive.exec.security.authorization.table.group.grants
+
+ the privileges automatically granted to some groups whenenve a table gets created.
+ An example like "groupX,groupY:select;groupZ:create" will grant select privilege to groupX and groupY,
+ and grant create privilege to groupZ whenenve a new table created.
+
+
+
+ hive.exec.security.authorization.table.role.grants
+
+ the privileges automatically granted to some groups whenenve a table gets created.
+ An example like "roleX,roleY:select;roleZ:create" will grant select privilege to roleX and roleY,
+ and grant create privilege to roleZ whenenve a new table created.
+
+
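Review bot: The description for `hive.exec.security.authorization.table.role.grants` was copied from the group entry and still says "granted to some groups", which will mislead anyone reading the generated documentation; it should read `the privileges automatically granted to some roles whenever a table gets created.` "whenenve" is misspelled six times across the three grant descriptions, and "whenenve a new table created" should be "whenever a new table is created". The defaults given here for `hive.security.authorization.manager` and `hive.security.authenticator.manager` differ from the `null` defaults declared for the same keys in HiveConf.java in this patch; keep the two in sync, since whichever an operator reads first will be taken as authoritative.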
Index: metastore/if/hive_metastore.thrift
===================================================================
--- metastore/if/hive_metastore.thrift (revision 1037574)
+++ metastore/if/hive_metastore.thrift (working copy)
@@ -29,11 +29,25 @@
4: optional list fields // if the name is one of the user defined types
}
+struct PrincipalPrivilegeSet {
+ 1: map userPrivileges, // user name -> privilege set
+ 2: map groupPrivileges, // group name -> privilege set
+ 3: map rolePrivileges, //role name -> privilege set
+}
+
// namespace for tables
struct Database {
1: string name,
2: string description,
3: string locationUri,
+ 4: optional PrincipalPrivilegeSet privileges
+}
+
+struct Role {
+ 1: string roleName,
+ 2: Database database,
+ 3: i32 createTime,
+ 4: string ownerName,
}
// This object holds the information needed by SerDes
@@ -76,7 +90,8 @@
9: map parameters, // to store comments or any other user level parameters
10: string viewOriginalText, // original view text, null for non-view
11: string viewExpandedText, // expanded view text, null for non-view
- 12: string tableType // table type enum, e.g. EXTERNAL_TABLE
+ 12: string tableType, // table type enum, e.g. EXTERNAL_TABLE
+ 13: optional PrincipalPrivilegeSet privileges,
}
struct Partition {
@@ -86,7 +101,8 @@
4: i32 createTime,
5: i32 lastAccessTime,
6: StorageDescriptor sd,
- 7: map parameters
+ 7: map parameters,
+ 8: optional PrincipalPrivilegeSet privileges
}
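Review bot: `privileges` on Partition (and the same field on Database and Table) is filled by the *_with_auth calls from the privilege set looked up for the `user_name`/`group_names` the caller passes in, so it describes one principal's view rather than the object's complete ACL; the field comment should say so, or clients will treat it as the full grant list. Suggest `8: optional PrincipalPrivilegeSet privileges // privileges of the requesting principal only; set by the *_with_auth calls, absent otherwise`.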
struct Index {
@@ -109,6 +125,62 @@
2: map properties
}
+struct ColumnPrivilegeBag {
+ 1: string dbName,
+ 2: string tableName,
+ 3: string partitionName,
+ 4: map columnPrivileges
+}
+
+struct PrivilegeBag {
+ 1: string userPrivileges, //user privileges
+ 2: map dbPrivileges, //database privileges
+ 3: map tablePrivileges, //table privileges
+ 4: map partitionPrivileges, //partition privileges
+ 5: list columnPrivileges, //column privileges
+}
+
+struct SecurityUser {
+ 1: string principalName,
+ 2: bool isRole,
+ 3: bool isGroup,
+ 4: string privileges,
+ 5: i32 createTime,
+ 6: string grantor,
+}
+
+struct SecurityDB {
+ 1: string principalName,
+ 2: bool isRole,
+ 3: bool isGroup,
+ 4: string privileges,
+ 5: i32 createTime,
+ 6: string grantor,
+ 7: Database db,
+}
+
+struct SecurityTablePartition {
+ 1: string principalName,
+ 2: bool isRole,
+ 3: bool isGroup,
+ 4: string privileges,
+ 5: i32 createTime,
+ 6: string grantor,
+ 7: Table table,
+ 8: Partition part,
+}
+
+struct SecurityColumn {
+ 1: string principalName,
+ 2: bool isRole,
+ 3: bool isGroup,
+ 4: string privileges,
+ 5: i32 createTime,
+ 6: string grantor,
+ 7: Table table,
+ 8: Partition partition,
+ 9: string column,
+}
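Review bot: SecurityUser, SecurityDB, SecurityTablePartition and SecurityColumn each model the principal kind with the boolean pair `isRole`/`isGroup`, which admits the meaningless state where both are true and leaves each server method to pick a precedence; an `enum PrincipalType { USER, ROLE, GROUP }` in one field (and in the service calls in place of the `is_role`/`is_group` pairs) removes that case at the protocol level. The six leading fields are repeated verbatim in all four structs, and in PrivilegeBag `userPrivileges` is a bare string while its sibling fields are maps; a shared grant struct nested in each would keep the wire format uniform. `privileges` is a free-form string throughout, so at minimum the comment should state the expected encoding, otherwise the parsers on the two sides will drift.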
exception MetaException {
1: string message
@@ -208,6 +280,10 @@
throws(1:NoSuchObjectException o1, 2:MetaException o2)
Partition get_partition(1:string db_name, 2:string tbl_name, 3:list part_vals)
throws(1:MetaException o1, 2:NoSuchObjectException o2)
+
+ Partition get_partition_with_auth(1:string db_name, 2:string tbl_name, 3:list part_vals,
+ 4: string user_name, 5: list group_names) throws(1:MetaException o1, 2:NoSuchObjectException o2)
+
Partition get_partition_by_name(1:string db_name 2:string tbl_name, 3:string part_name)
throws(1:MetaException o1, 2:NoSuchObjectException o2)
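Review bot: `user_name` and `group_names` are ordinary request parameters here, so the privilege set attached to the returned partition is computed for whatever principal the client names, not for the identity the connection was authenticated as; unless the server validates them somewhere outside this diff, the returned privileges are advisory for any client that can reach the metastore. A comment on the method should make that explicit, e.g. `// user_name/group_names are caller-asserted; the server does not check them against the connection`, and the same caveat applies to every other *_with_auth and privilege call added below.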
@@ -215,6 +291,9 @@
// If max parts is given then it will return only that many.
list get_partitions(1:string db_name, 2:string tbl_name, 3:i16 max_parts=-1)
throws(1:NoSuchObjectException o1, 2:MetaException o2)
+ list get_partitions_with_auth(1:string db_name, 2:string tbl_name, 3:i16 max_parts=-1,
+ 4: string user_name, 5: list group_names) throws(1:NoSuchObjectException o1, 2:MetaException o2)
+
list get_partition_names(1:string db_name, 2:string tbl_name, 3:i16 max_parts=-1)
throws(1:MetaException o2)
@@ -227,6 +306,9 @@
list get_partitions_ps(1:string db_name 2:string tbl_name
3:list part_vals, 4:i16 max_parts=-1)
throws(1:MetaException o1)
+ list get_partitions_ps_with_auth(1:string db_name, 2:string tbl_name, 3:list part_vals, 4:i16 max_parts=-1,
+ 5: string user_name, 6: list group_names) throws(1:NoSuchObjectException o1, 2:MetaException o2)
+
list get_partition_names_ps(1:string db_name,
2:string tbl_name, 3:list part_vals, 4:i16 max_parts=-1)
throws(1:MetaException o1)
@@ -271,6 +353,46 @@
throws(1:NoSuchObjectException o1, 2:MetaException o2)
list get_index_names(1:string db_name, 2:string tbl_name, 3:i16 max_indexes=-1)
throws(1:MetaException o2)
+
+ //authorization privileges
+ PrincipalPrivilegeSet get_user_privilege_set (1: string user_name, 2: list group_names)
+ throws(1:MetaException o1)
+ PrincipalPrivilegeSet get_db_privilege_set (1: string db_name, 2: string user_name, 3: list group_names)
+ throws(1:MetaException o1)
+ PrincipalPrivilegeSet get_table_privilege_set (1: string db_name, 2: string table_name, 3: string user_name, 4: list group_names)
+ throws(1:MetaException o1)
+ PrincipalPrivilegeSet get_partition_privilege_set (1: string db_name, 2: string table_name, 3: string part_name, 4: string user_name, 5: list group_names)
+ throws(1:MetaException o1)
+
+ PrincipalPrivilegeSet get_column_privilege_set (1: string db_name, 2: string table_name, 3: string part_name, 4: string column_name, 5: string user_name, 6: list group_names)
+ throws(1:MetaException o1)
+
+ bool create_role(1: string role_name, 2: string owner_name, 3: string db_name) throws(1:MetaException o1)
+
+ bool drop_role(1: string role_name, 2: string db_name) throws(1:MetaException o1)
+
+ bool add_role_member (1: string role_name, 2: string user_name, 3: bool is_role, 4: bool is_group, 5: string db_name) throws(1:MetaException o1)
+
+ bool remove_role_member (1: string role_name, 2: string user_name, 3: bool is_role, 4: bool is_group, 5: string db_name) throws(1:MetaException o1)
+
+ list list_roles(1: string principal_name, 2: bool is_role, 3: bool is_group, 4: string db_name) throws(1:MetaException o1)
+
+ list list_security_user_grant(1: string principla_name, 2: bool is_role, 3: bool is_group) throws(1:MetaException o1)
+
+ list list_security_db_grant(1: string principal_name, 2: bool is_group, 3: bool is_role, 4: string db_name) throws(1:MetaException o1)
+
+ list list_security_table_grant(1: string principal_name, 2: bool is_group, 3: bool is_role, 4: string db_name, 5: string table_name) throws(1:MetaException o1)
+
+ list list_security_partition_grant(1: string principal_name, 2: bool is_group, 3: bool is_role, 4: string db_name, 5: string table_name, 6: string part_name) throws(1:MetaException o1)
+
+ list list_security_column_grant(1: string principal_name, 2: bool is_group, 3: bool is_role, 4: string db_name, 5: string table_name, 6: string part_name, 7: string column_name) throws(1:MetaException o1)
+
+ bool grant_privileges (1: string user_name, 2: bool is_role, 3: bool is_group, 4: PrivilegeBag privileges, 5: string grantor) throws(1:MetaException o1)
+
+ bool revoke_privileges (1: string user_name, 2: bool is_role, 3: bool is_group, 4: PrivilegeBag privileges) throws(1:MetaException o1)
+
+ bool revoke_all_privileges (1: string user_name, 2: bool is_role, 3: bool is_group, 4: bool remove_user_priv, 5: list dbs,
+ 6: list tables, 7: list parts, 8: map> columns) throws(1:MetaException o1)
}
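Review bot: The boolean pair is passed as `is_role, is_group` in `add_role_member`, `remove_role_member`, `list_roles`, `list_security_user_grant`, `grant_privileges`, `revoke_privileges` and `revoke_all_privileges`, but as `is_group, is_role` in `list_security_db_grant`, `list_security_table_grant`, `list_security_partition_grant` and `list_security_column_grant`; with two same-typed parameters no compiler catches a swap, and the Java server signatures follow the same mixed order. Settle on one order (or a principal-type enum) before the IDL ships, since reordering Thrift parameters later breaks compiled clients. `list_security_user_grant` also misspells its first parameter as `principla_name`, which will leak into every generated binding. `grant_privileges` takes `grantor` as a client-supplied string and nothing in this hunk ties it, or the call itself, to the connection's identity; if that check lives elsewhere it deserves a comment here.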
// * Note about the DDL_TIME: When creating or altering a table or a partition,
Index: metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
===================================================================
--- metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java (revision 1037574)
+++ metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java (working copy)
@@ -48,12 +48,27 @@
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
import org.apache.hadoop.hive.metastore.api.Partition;
+import org.apache.hadoop.hive.metastore.api.PrincipalPrivilegeSet;
+import org.apache.hadoop.hive.metastore.api.PrivilegeBag;
+import org.apache.hadoop.hive.metastore.api.Role;
+import org.apache.hadoop.hive.metastore.api.SecurityColumn;
+import org.apache.hadoop.hive.metastore.api.SecurityDB;
+import org.apache.hadoop.hive.metastore.api.SecurityTablePartition;
+import org.apache.hadoop.hive.metastore.api.SecurityUser;
import org.apache.hadoop.hive.metastore.api.Table;
import org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore;
import org.apache.hadoop.hive.metastore.api.Type;
import org.apache.hadoop.hive.metastore.api.UnknownDBException;
import org.apache.hadoop.hive.metastore.api.UnknownTableException;
import org.apache.hadoop.hive.metastore.hooks.JDOConnectionURLHook;
+import org.apache.hadoop.hive.metastore.model.MPartition;
+import org.apache.hadoop.hive.metastore.model.MSecurityColumn;
+import org.apache.hadoop.hive.metastore.model.MSecurityDB;
+import org.apache.hadoop.hive.metastore.model.MSecurityRoleEntity;
+import org.apache.hadoop.hive.metastore.model.MSecurityTablePartition;
+import org.apache.hadoop.hive.metastore.model.MSecurityUser;
+import org.apache.hadoop.hive.metastore.model.MSecurityUserRoleMap;
+import org.apache.hadoop.hive.metastore.model.MTable;
import org.apache.hadoop.hive.serde2.Deserializer;
import org.apache.hadoop.hive.serde2.SerDeException;
import org.apache.hadoop.hive.serde2.SerDeUtils;
@@ -360,7 +375,7 @@
} catch (NoSuchObjectException e) {
ms.createDatabase(
new Database(DEFAULT_DATABASE_NAME, DEFAULT_DATABASE_COMMENT,
- wh.getDefaultDatabasePath(DEFAULT_DATABASE_NAME).toString()));
+ wh.getDefaultDatabasePath(DEFAULT_DATABASE_NAME).toString(), null));
}
HMSHandler.createDefaultDB = true;
}
@@ -1225,17 +1240,20 @@
throw new NoSuchObjectException("Partition doesn't exist. "
+ part_vals);
}
-
+
isArchived = MetaStoreUtils.isArchived(part);
if (isArchived) {
archiveParentDir = MetaStoreUtils.getOriginalLocation(part);
}
+
if (part.getSd() == null || part.getSd().getLocation() == null) {
throw new MetaException("Partition metadata is corrupted");
}
+
if (!ms.dropPartition(db_name, tbl_name, part_vals)) {
throw new MetaException("Unable to drop partition");
}
+
success = ms.commitTransaction();
partPath = new Path(part.getSd().getLocation());
tbl = get_table(db_name, tbl_name);
@@ -1312,6 +1330,35 @@
}
return ret;
}
+
+ @Override
+ public Partition get_partition_with_auth(final String db_name,
+ final String tbl_name, final List part_vals,
+ final String user_name, final List group_names)
+ throws MetaException, NoSuchObjectException, TException {
+ incrementCounter("get_partition_with_auth");
+ logStartPartitionFunction("get_partition_with_auth", db_name, tbl_name,
+ part_vals);
+
+ Partition ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ Partition run(RawStore ms) throws Exception {
+ return ms.getPartitionWithAuth(db_name, tbl_name, part_vals,
+ user_name, group_names);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (NoSuchObjectException e) {
+ throw e;
+ } catch (Exception e) {
+ assert (e instanceof RuntimeException);
+ throw (RuntimeException) e;
+ }
+ return ret;
+ }
public List get_partitions(final String db_name, final String tbl_name,
final short max_parts) throws NoSuchObjectException, MetaException {
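Review bot: The trailing `catch (Exception e)` in `get_partition_with_auth` asserts the exception is a RuntimeException and then casts it; with assertions disabled, which is the normal server configuration, a checked exception escaping `ms.getPartitionWithAuth` surfaces as a ClassCastException with the real cause lost. The privilege methods added later in this file handle the same case with `throw new RuntimeException(e);`, so this method (and `get_partitions_with_auth` below it) should do the same for consistency and to keep the cause. The older methods it was copied from carry the same assert-and-cast pattern, so this is an inherited style rather than a regression introduced here.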
@@ -1337,6 +1384,35 @@
return ret;
}
+
+ @Override
+ public List get_partitions_with_auth(final String dbName,
+ final String tblName, final short maxParts, final String userName,
+ final List groupNames) throws NoSuchObjectException,
+ MetaException, TException {
+ incrementCounter("get_partitions_with_auth");
+ logStartTableFunction("get_partitions_with_auth", dbName, tblName);
+
+ List ret = null;
+ try {
+ ret = executeWithRetry(new Command>() {
+ @Override
+ List run(RawStore ms) throws Exception {
+ return ms.getPartitionsWithAuth(dbName, tblName, maxParts,
+ userName, groupNames);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (NoSuchObjectException e) {
+ throw e;
+ } catch (Exception e) {
+ assert (e instanceof RuntimeException);
+ throw (RuntimeException) e;
+ }
+ return ret;
+
+ }
public List get_partition_names(final String db_name, final String tbl_name,
final short max_parts) throws MetaException {
@@ -1774,10 +1850,24 @@
@Override
public List get_partitions_ps(final String db_name,
- final String tbl_name, final List part_vals, final short max_parts)
- throws MetaException, TException {
+ final String tbl_name, final List part_vals,
+ final short max_parts) throws MetaException, TException {
+ incrementCounter("get_partitions_ps");
+ logStartPartitionFunction("get_partitions_ps", db_name, tbl_name,
+ part_vals);
+
+ return this.get_partitions_ps_with_auth(db_name, tbl_name, part_vals,
+ max_parts, null, null);
+ }
+
+ @Override
+ public List get_partitions_ps_with_auth(final String db_name,
+ final String tbl_name, final List part_vals,
+ final short max_parts, final String userName,
+ final List groupNames) throws MetaException, TException {
incrementCounter("get_partitions_ps");
- logStartPartitionFunction("get_partitions_ps", db_name, tbl_name, part_vals);
+ logStartPartitionFunction("get_partitions_ps", db_name, tbl_name,
+ part_vals);
Table t;
try {
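Review bot: `get_partitions_ps` now calls `incrementCounter("get_partitions_ps")` and logs the start, then delegates to `get_partitions_ps_with_auth`, which increments the same counter and logs the same message again, so every call is counted and logged twice. Either drop the two lines from the delegating method or have the `_with_auth` variant report under its own name: `incrementCounter("get_partitions_ps_with_auth");` and `logStartPartitionFunction("get_partitions_ps_with_auth", db_name, tbl_name, part_vals);`. The body of `get_partitions_ps_with_auth` continues past the end of this hunk.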
@@ -1791,7 +1881,7 @@
}
// Create a map from the partition column name to the partition value
Map partKeyToValues = new LinkedHashMap();
- int i=0;
+ int i = 0;
for (String value : part_vals) {
String col = t.getPartitionKeys().get(i).getName();
if (value.length() > 0) {
@@ -1799,21 +1889,48 @@
}
i++;
}
- final String filter = MetaStoreUtils.makeFilterStringFromMap(partKeyToValues);
+ final String filter = MetaStoreUtils
+ .makeFilterStringFromMap(partKeyToValues);
List ret = null;
try {
ret = executeWithRetry(new Command>() {
@Override
List run(RawStore ms) throws Exception {
- return ms.getPartitionsByFilter(db_name, tbl_name, filter, max_parts);
+ return ms.getPartitionsByFilter(db_name, tbl_name, filter,
+ max_parts);
}
});
} catch (MetaException e) {
throw e;
} catch (Exception e) {
- assert(e instanceof RuntimeException);
- throw (RuntimeException)e;
+ assert (e instanceof RuntimeException);
+ throw (RuntimeException) e;
+ }
+
+ if (ret != null && ret.size() > 0) {
+ for (Partition part : ret) {
+ final String partName = Warehouse.makePartName(t.getPartitionKeys(),
+ part.getValues());
+ PrincipalPrivilegeSet partAuth = null;
+ try {
+ partAuth = executeWithRetry(new Command() {
+ @Override
+ PrincipalPrivilegeSet run(RawStore ms) throws Exception {
+ PrincipalPrivilegeSet auth = ms.getPartitionPrivilegeSet(
+ db_name, tbl_name, partName, userName, groupNames);
+ return auth;
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ assert (e instanceof RuntimeException);
+ throw (RuntimeException) e;
+ }
+
+ part.setPrivileges(partAuth);
+ }
}
return ret;
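Review bot: The new loop issues one `executeWithRetry`/`getPartitionPrivilegeSet` round trip per returned partition, and it also runs when `get_partitions_ps` delegated here with `userName == null` and `groupNames == null`, so every existing caller of get_partitions_ps now pays an extra store query per partition to look up privileges for no principal. Guard the loop with `if (ret != null && (userName != null || groupNames != null))` and consider fetching the privilege sets for all partitions in one store call. What `getPartitionPrivilegeSet` returns for a null user is not visible here; if it is an empty set the cost is only wasted work, otherwise `part.setPrivileges(partAuth)` may attach grants that belong to nobody in particular.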
@@ -2163,6 +2280,505 @@
return ret;
}
+ @Override
+ public PrincipalPrivilegeSet get_column_privilege_set(final String dbName,
+ final String tableName, final String partName, final String columnName,
+ final String userName, final List groupNames) throws MetaException,
+ TException {
+ incrementCounter("get_column_privilege_set");
+
+ PrincipalPrivilegeSet ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ PrincipalPrivilegeSet run(RawStore ms) throws Exception {
+ return ms.getColumnPrivilegeSet(dbName, tableName, partName, columnName, userName, groupNames);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public PrincipalPrivilegeSet get_db_privilege_set(final String dbName,
+ final String userName, final List groupNames) throws MetaException,
+ TException {
+ incrementCounter("get_db_privilege_set");
+
+ PrincipalPrivilegeSet ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ PrincipalPrivilegeSet run(RawStore ms) throws Exception {
+ return ms.getDBPrivilegeSet(dbName, userName, groupNames);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public PrincipalPrivilegeSet get_partition_privilege_set(
+ final String dbName, final String tableName, final String partName,
+ final String userName, final List groupNames)
+ throws MetaException, TException {
+ incrementCounter("get_partition_privilege_set");
+
+ PrincipalPrivilegeSet ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ PrincipalPrivilegeSet run(RawStore ms) throws Exception {
+ return ms.getPartitionPrivilegeSet(dbName, tableName, partName,
+ userName, groupNames);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public PrincipalPrivilegeSet get_table_privilege_set(final String dbName,
+ final String tableName, final String userName,
+ final List groupNames) throws MetaException, TException {
+ incrementCounter("get_table_privilege_set");
+
+ PrincipalPrivilegeSet ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ PrincipalPrivilegeSet run(RawStore ms) throws Exception {
+ return ms.getTablePrivilegeSet(dbName, tableName, userName,
+ groupNames);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public boolean add_role_member(final String roleName,
+ final String userName, final boolean isRole, final boolean isGroup,
+ final String databaseName) throws MetaException, TException {
+ incrementCounter("add_role_member");
+
+ Boolean ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ Boolean run(RawStore ms) throws Exception {
+ Role role = ms.getRole(roleName, databaseName);
+ return ms.addRoleMember(role, userName, isRole, isGroup);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ public List list_roles(final String principalName,
+ final boolean isRole, final boolean isGroup, final String databaseName) throws MetaException, TException {
+ incrementCounter("list_roles");
+
+ List ret = null;
+ try {
+ ret = executeWithRetry(new Command>() {
+ @Override
+ List run(RawStore ms) throws Exception {
+ List result = new ArrayList();
+ List roleMap = ms.listRoles(principalName,
+ isRole, isGroup, databaseName);
+ if (roleMap!=null) {
+ Database db = get_database(databaseName);
+ for (MSecurityUserRoleMap role : roleMap) {
+ MSecurityRoleEntity r = role.getRole();
+ result.add(new Role(r.getRoleName(), db, r
+ .getCreateTime(), r.getOwnerName()));
+ }
+ }
+ return result;
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public boolean create_role(final String roleName, final String ownerName,
+ final String databName)
+ throws MetaException, TException {
+ incrementCounter("create_role");
+
+ Boolean ret = null;
+ try {
+
+ ret = executeWithRetry(new Command() {
+ @Override
+ Boolean run(RawStore ms) throws Exception {
+ return ms.addRole(roleName, ownerName, databName);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public boolean drop_role(final String roleName, final String databaseName)
+ throws MetaException, TException {
+ incrementCounter("drop_role");
+
+ Boolean ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ Boolean run(RawStore ms) throws Exception {
+ return ms.removeRole(roleName, databaseName);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public boolean grant_privileges(final String userName, final boolean isRole,
+ final boolean isGroup, final PrivilegeBag privileges, final String grantor) throws MetaException,
+ TException {
+ incrementCounter("grant_privileges");
+
+ Boolean ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ Boolean run(RawStore ms) throws Exception {
+ return ms.grantPrivileges(userName, isRole, isGroup, privileges, grantor);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public boolean remove_role_member(final String roleName, final String userName,
+ final boolean isRole, final boolean isGroup, final String databaseName) throws MetaException, TException {
+ incrementCounter("remove_role_member");
+
+ Boolean ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ Boolean run(RawStore ms) throws Exception {
+ Role mRole = ms.getRole(roleName, databaseName);
+ return ms.removeRoleMember(mRole, userName, isRole, isGroup);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public boolean revoke_privileges(final String userName, final boolean isRole,
+ final boolean isGroup, final PrivilegeBag privileges) throws MetaException,
+ TException {
+ incrementCounter("revoke_privileges");
+
+ Boolean ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ Boolean run(RawStore ms) throws Exception {
+ return ms.revokePrivileges(userName, isRole, isGroup, privileges);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public PrincipalPrivilegeSet get_user_privilege_set(final String userName,
+ final List groupNames) throws MetaException, TException {
+ incrementCounter("get_user_privilege_set");
+
+ PrincipalPrivilegeSet ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ PrincipalPrivilegeSet run(RawStore ms) throws Exception {
+ return ms.getUserPrivilegeSet(userName, groupNames);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public boolean revoke_all_privileges(final String userName,
+ final boolean isRole, final boolean isGroup,
+ final boolean removeUserPriv, final List dbs,
+ final List tables, final List parts,
+ final Map> columns) throws MetaException,
+ TException {
+ incrementCounter("revoke_all_privileges");
+
+ Boolean ret = null;
+ try {
+ ret = executeWithRetry(new Command() {
+ @Override
+ Boolean run(RawStore ms) throws Exception {
+ return ms.revokeAllPrivileges(userName, isRole, isGroup,
+ removeUserPriv, dbs, tables, parts, columns);
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public List list_security_column_grant(
+ final String principalName, final boolean isGroup,
+ final boolean isRole, final String dbName, final String tableName,
+ final String partName, final String columnName) throws MetaException,
+ TException {
+ incrementCounter("list_security_column_grant");
+
+ List ret = null;
+ try {
+ ret = executeWithRetry(new Command>() {
+ @Override
+ List run(RawStore ms) throws Exception {
+ List mCols = ms.listMSecurityTabOrPartColumnGrant(principalName,
+ isGroup, isRole, dbName, tableName, partName, columnName);
+ Table tbl = ms.getTable(dbName, tableName);
+ Partition part = null;
+ if (partName != null) {
+ part = get_partition_by_name(dbName, tableName, partName);
+ }
+
+ if (mCols.size() > 0) {
+ List result = new ArrayList();
+ for (int i = 0; i < mCols.size(); i++) {
+ MSecurityColumn sCol = mCols.get(i);
+ SecurityColumn col = new SecurityColumn(
+ sCol.getPrincipalName(), sCol.getIsRole(), sCol
+ .getIsGroup(), sCol.getPrivileges(), sCol
+ .getCreateTime(), sCol.getGrantor(), tbl, part, sCol
+ .getColumnName());
+ result.add(col);
+ }
+ return result;
+ }
+ return null;
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public List list_security_db_grant(final String principalName,
+ final boolean isGroup, final boolean isRole, final String dbName)
+ throws MetaException, TException {
+ incrementCounter("list_security_db_grant");
+
+ List ret = null;
+ try {
+ ret = executeWithRetry(new Command>() {
+ @Override
+ List run(RawStore ms) throws Exception {
+ List mDbs = ms.listMSecurityPrincipalDBGrant(
+ principalName, isGroup, isRole, dbName);
+ Database db = ms.getDatabase(dbName);
+ if (mDbs.size() > 0) {
+ List result = new ArrayList();
+ for (int i = 0; i < mDbs.size(); i++) {
+ MSecurityDB sDB = mDbs.get(i);
+ SecurityDB secdb = new SecurityDB(sDB.getPrincipalName(), sDB
+ .getIsRole(), sDB.getIsGroup(), sDB.getPrivileges(), sDB
+ .getCreateTime(), sDB.getGrantor(), db);
+ result.add(secdb);
+ }
+ return result;
+ }
+ return null;
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public List list_security_partition_grant(
+ final String principalName, final boolean isGroup,
+ final boolean isRole, final String dbName, final String tableName,
+ final String partName) throws MetaException, TException {
+ incrementCounter("list_security_partition_grant");
+
+ List ret = null;
+ try {
+ ret = executeWithRetry(new Command>() {
+ @Override
+ List run(RawStore ms) throws Exception {
+ List mParts = ms
+ .listMSecurityPrincipalPartitionGrant(principalName, isGroup,
+ isRole, dbName, tableName, partName);
+ Partition partObj = get_partition_by_name(dbName, tableName,
+ partName);
+ if (mParts.size() > 0) {
+ List result = new ArrayList();
+ for (int i = 0; i < mParts.size(); i++) {
+ MSecurityTablePartition sPart = mParts.get(i);
+ SecurityTablePartition secPart = new SecurityTablePartition(
+ sPart.getPrincipalName(), sPart.getIsRole(), sPart
+ .getIsGroup(), sPart.getPrivileges(), sPart
+ .getCreateTime(), sPart.getGrantor(), null, partObj);
+ result.add(secPart);
+ }
+ return result;
+ }
+ return null;
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public List list_security_table_grant(
+ final String principalName, final boolean isGroup,
+ final boolean isRole, final String dbName, final String tableName)
+ throws MetaException, TException {
+ incrementCounter("list_security_table_grant");
+
+ List ret = null;
+ try {
+ ret = executeWithRetry(new Command>() {
+ @Override
+ List run(RawStore ms) throws Exception {
+ List mTbls = ms
+ .listMSecurityPrincipalTableGrant(principalName, isGroup,
+ isRole, dbName, tableName);
+ Table tblObj = ms.getTable(dbName, tableName);
+ if (mTbls.size() > 0) {
+ List result = new ArrayList();
+ for (int i = 0; i < mTbls.size(); i++) {
+ MSecurityTablePartition sTbl = mTbls.get(i);
+ SecurityTablePartition secPart = new SecurityTablePartition(
+ sTbl.getPrincipalName(), sTbl.getIsRole(), sTbl
+ .getIsGroup(), sTbl.getPrivileges(), sTbl
+ .getCreateTime(), sTbl.getGrantor(), tblObj, null);
+ result.add(secPart);
+ }
+ return result;
+ }
+ return null;
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
+ @Override
+ public List list_security_user_grant(
+ final String principlaName, final boolean isRole, final boolean isGroup)
+ throws MetaException, TException {
+ incrementCounter("list_security_user_grant");
+
+ List ret = null;
+ try {
+ ret = executeWithRetry(new Command>() {
+ @Override
+ List run(RawStore ms) throws Exception {
+ List mUsers = ms.listMSecurityPrincipalUserGrant(
+ principlaName, isRole, isGroup);
+ if (mUsers.size() > 0) {
+ List result = new ArrayList();
+ for (int i = 0; i < mUsers.size(); i++) {
+ MSecurityUser sUsr = mUsers.get(i);
+ SecurityUser secUser = new SecurityUser(
+ sUsr.getPrincipalName(), sUsr.getIsRole(), sUsr
+ .getIsGroup(), sUsr.getPrivileges(), sUsr
+ .getCreateTime(), sUsr.getGrantor());
+ result.add(secUser);
+ }
+ return result;
+ }
+ return null;
+ }
+ });
+ } catch (MetaException e) {
+ throw e;
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ return ret;
+ }
+
}
/**
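Review bot: `list_security_user_grant`, `list_security_db_grant`, `list_security_table_grant`, `list_security_partition_grant` and `list_security_column_grant` return `null` when the store yields no grants; with the Java Thrift bindings a null return is not written into the result struct, so the client sees a "failed: unknown result" TApplicationException instead of an empty list. Return `new ArrayList<...>()` in the empty branch of each. `create_role`, `drop_role`, `add_role_member`, `grant_privileges`, `revoke_privileges` and `revoke_all_privileges` pass the caller's arguments straight to the RawStore and `grantor` is whatever string the client sent, so nothing in this handler ties a grant to the identity of the connection; if enforcement is meant to live in the client-side authorization provider, a class comment should say so, because otherwise anyone who can reach the Thrift port can rewrite the ACLs. Several list methods also call `get_partition_by_name` or `get_database` from inside a `Command.run`, nesting one `executeWithRetry` in another, and a NoSuchObjectException raised there is wrapped into a RuntimeException by the outer catch rather than reaching the client as a metastore exception.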
Index: metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java
===================================================================
--- metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java (revision 1037574)
+++ metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java (working copy)
@@ -40,6 +40,13 @@
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
import org.apache.hadoop.hive.metastore.api.Partition;
+import org.apache.hadoop.hive.metastore.api.PrincipalPrivilegeSet;
+import org.apache.hadoop.hive.metastore.api.PrivilegeBag;
+import org.apache.hadoop.hive.metastore.api.Role;
+import org.apache.hadoop.hive.metastore.api.SecurityColumn;
+import org.apache.hadoop.hive.metastore.api.SecurityDB;
+import org.apache.hadoop.hive.metastore.api.SecurityTablePartition;
+import org.apache.hadoop.hive.metastore.api.SecurityUser;
import org.apache.hadoop.hive.metastore.api.Table;
import org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore;
import org.apache.hadoop.hive.metastore.api.Type;
@@ -515,6 +522,23 @@
return deepCopyPartitions(
client.get_partitions_ps(db_name, tbl_name, part_vals, max_parts));
}
+
+ @Override
+ public List listPartitionsWithAuthInfo(String db_name,
+ String tbl_name, short max_parts, String user_name, List group_names)
+ throws NoSuchObjectException, MetaException, TException {
+ return deepCopyPartitions(
+ client.get_partitions_with_auth(db_name, tbl_name, max_parts, user_name, group_names));
+ }
+
+ @Override
+ public List listPartitionsWithAuthInfo(String db_name,
+ String tbl_name, List part_vals, short max_parts,
+ String user_name, List group_names) throws NoSuchObjectException,
+ MetaException, TException {
+ return deepCopyPartitions(client.get_partitions_ps_with_auth(db_name,
+ tbl_name, part_vals, max_parts, user_name, group_names));
+ }
/**
* Get list of partitions matching specified filter
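Review bot: `user_name` and `group_names` in both new overloads are supplied by the caller and forwarded unchanged to `get_partitions_with_auth` / `get_partitions_ps_with_auth`, so whatever auth information comes back describes the principal the client claims to be, not necessarily the one the connection authenticated as. Unless the server binds these arguments to the authenticated identity (not visible in this hunk), any client can request the privilege view of any user; that may be acceptable for a trusted-client deployment but should be stated, e.g. above the first overload: `// user_name/group_names are asserted by the caller; the metastore server, not this client, must validate them against the authenticated identity`. It is also not visible here whether `deepCopyPartitions` copies any privilege information carried on the returned partitions — worth confirming so the auth view is not silently dropped on the client side.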
@@ -564,6 +588,14 @@
List part_vals) throws NoSuchObjectException, MetaException, TException {
return deepCopy(client.get_partition(db_name, tbl_name, part_vals));
}
+
+ @Override
+ public Partition getPartitionWithAuthInfo(String db_name, String tbl_name,
+ List part_vals, String user_name, List group_names)
+ throws MetaException, UnknownTableException, NoSuchObjectException,
+ TException {
+ return deepCopy(client.get_partition_with_auth(db_name, tbl_name, part_vals, user_name, group_names));
+ }
/**
* @param name
@@ -891,4 +923,132 @@
return client.drop_index_by_name(dbName, tblName, name, deleteData);
}
+ @Override
+ public boolean add_role_member(String roleName, String userName,
+ boolean isRole, boolean isGroup, String dbName) throws MetaException, TException {
+ return client.add_role_member(roleName, userName, isRole, isGroup, dbName);
+ }
+
+ @Override
+ public boolean create_role(String roleName, String ownerName, String dbName)
+ throws MetaException, TException {
+ return client.create_role(roleName, ownerName, dbName);
+ }
+
+ @Override
+ public boolean drop_role(String roleName, String dbName) throws MetaException, TException {
+ return client.drop_role(roleName, dbName);
+ }
+
+ @Override
+ public List list_roles(String principalName,
+ boolean isRole, boolean isGroup, String dbName) throws MetaException, TException {
+ return client.list_roles(principalName, isRole, isGroup, dbName);
+ }
+
+ @Override
+ public PrincipalPrivilegeSet get_column_privilege_set(String dbName,
+ String tableName, String partName, String columnName, String userName,
+ List groupNames) throws MetaException, TException {
+ return client.get_column_privilege_set(dbName, tableName, partName,
+ columnName, userName, groupNames);
+ }
+
+ @Override
+ public PrincipalPrivilegeSet get_db_privilege_set(String dbName,
+ String userName, List groupNames) throws MetaException,
+ TException {
+ return client.get_db_privilege_set(dbName, userName, groupNames);
+ }
+
+ @Override
+ public PrincipalPrivilegeSet get_partition_privilege_set(String dbName,
+ String tableName, String partName, String userName,
+ List groupNames) throws MetaException, TException {
+ return client.get_partition_privilege_set(dbName, tableName, partName,
+ userName, groupNames);
+ }
+
+ @Override
+ public PrincipalPrivilegeSet get_table_privilege_set(String dbName,
+ String tableName, String userName, List groupNames)
+ throws MetaException, TException {
+ return client.get_table_privilege_set(dbName, tableName, userName,
+ groupNames);
+ }
+
+ @Override
+ public PrincipalPrivilegeSet get_user_privilege_set(String userName,
+ List groupNames) throws MetaException, TException {
+ return client.get_user_privilege_set(userName, groupNames);
+ }
+
+ @Override
+ public boolean grant_privileges(String userName, boolean isRole,
+ boolean isGroup, PrivilegeBag privileges, String grantor)
+ throws MetaException, TException {
+ return client.grant_privileges(userName, isRole, isGroup, privileges,
+ grantor);
+ }
+
+ @Override
+ public boolean remove_role_member(String roleName, String userName,
+ boolean isRole, boolean isGroup, String dbName) throws MetaException, TException {
+ return client.remove_role_member(roleName, userName, isRole, isGroup, dbName);
+ }
+
+ @Override
+ public boolean revoke_all_privileges(String userName, boolean isRole,
+ boolean isGroup, boolean removeUserPriv, List dbs,
+ List tables, List parts,
+ Map> columns) throws MetaException, TException {
+ return client.revoke_all_privileges(userName, isRole, isGroup,
+ removeUserPriv, dbs, tables, parts, columns);
+ }
+
+ @Override
+ public boolean revoke_privileges(String userName, boolean isRole,
+ boolean isGroup, PrivilegeBag privileges) throws MetaException,
+ TException {
+ return client.revoke_privileges(userName, isRole, isGroup, privileges);
+ }
+
+ @Override
+ public List list_security_column_grant(String principalName,
+ boolean isGroup, boolean isRole, String dbName, String tableName,
+ String partName, String columnName) throws MetaException, TException {
+ return client.list_security_column_grant(principalName, isGroup, isRole,
+ dbName, tableName, partName, columnName);
+ }
+
+ @Override
+ public List list_security_db_grant(String principalName,
+ boolean isGroup, boolean isRole, String dbName) throws MetaException,
+ TException {
+ return client
+ .list_security_db_grant(principalName, isGroup, isRole, dbName);
+ }
+
+ @Override
+ public List list_security_partition_grant(
+ String principalName, boolean isGroup, boolean isRole, String dbName,
+ String tableName, String partName) throws MetaException, TException {
+ return client.list_security_partition_grant(principalName, isGroup, isRole,
+ dbName, tableName, partName);
+ }
+
+ @Override
+ public List list_security_table_grant(
+ String principalName, boolean isGroup, boolean isRole, String dbName,
+ String tableName) throws MetaException, TException {
+ return client.list_security_table_grant(principalName, isGroup, isRole,
+ dbName, tableName);
+ }
+
+ @Override
+ public List list_security_user_grant(String principlaName,
+ boolean isRole, boolean isGroup) throws MetaException, TException {
+ return client.list_security_user_grant(principlaName, isRole, isGroup);
+ }
+
}
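Review bot: The boolean flag order is inconsistent across the new pass-throughs: `list_security_user_grant(principlaName, isRole, isGroup)` but `list_security_db_grant(principalName, isGroup, isRole, dbName)` (and the table/partition/column variants likewise), while `grant_privileges`, `revoke_privileges`, `revoke_all_privileges`, `add_role_member`, `remove_role_member` and `list_roles` all take `(isRole, isGroup)`. Since every method forwards positionally to the Thrift client, a transposed pair compiles cleanly and silently lists or grants privileges for the wrong kind of principal. I would align all of them on `(…, boolean isRole, boolean isGroup, …)` here and in the interface, with the Thrift signatures following, and fix the `principlaName` typo while at it. Separately, `grant_privileges` forwards a caller-chosen `grantor` string; unless the server overrides it with the authenticated caller (not visible here), the grantor recorded with each privilege is unverifiable, which matters for audit and for any later revoke-by-grantor logic.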
Index: metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java
===================================================================
--- metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java (revision 1037574)
+++ metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java (working copy)
@@ -31,6 +31,13 @@
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
import org.apache.hadoop.hive.metastore.api.Partition;
+import org.apache.hadoop.hive.metastore.api.PrincipalPrivilegeSet;
+import org.apache.hadoop.hive.metastore.api.PrivilegeBag;
+import org.apache.hadoop.hive.metastore.api.Role;
+import org.apache.hadoop.hive.metastore.api.SecurityColumn;
+import org.apache.hadoop.hive.metastore.api.SecurityDB;
+import org.apache.hadoop.hive.metastore.api.SecurityTablePartition;
+import org.apache.hadoop.hive.metastore.api.SecurityUser;
import org.apache.hadoop.hive.metastore.api.Table;
import org.apache.hadoop.hive.metastore.api.UnknownDBException;
import org.apache.hadoop.hive.metastore.api.UnknownTableException;
@@ -263,6 +270,23 @@
public Partition getPartition(String dbName, String tblName,
String name) throws MetaException, UnknownTableException, NoSuchObjectException, TException;
+
+ /**
+ * @param dbName
+ * @param tableName
+ * @param pvals
+ * @param userName
+ * @param groupNames
+ * @return
+ * @throws MetaException
+ * @throws UnknownTableException
+ * @throws NoSuchObjectException
+ * @throws TException
+ */
+ public Partition getPartitionWithAuthInfo(String dbName, String tableName,
+ List pvals, String userName, List groupNames)
+ throws MetaException, UnknownTableException, NoSuchObjectException, TException;
+
/**
* @param tbl_name
* @param db_name
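Review bot: The Javadoc for `getPartitionWithAuthInfo` lists every parameter but describes none of them, and `@return` is empty, so a reader cannot tell what distinguishes it from `getPartition(dbName, tblName, name)` just above. I would describe `userName`/`groupNames` as the principal whose privileges should be resolved for the partition (presumably attached to the returned `Partition` — confirm against the server implementation), state that they are supplied by the caller rather than taken from the connection, and fill in `@return the partition, with privilege information for the given principal attached`. The values parameter is spelled `pvals` here but `part_vals` in the implementation and in `getPartition`; one name would help.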
@@ -285,6 +309,33 @@
List part_vals, short max_parts) throws MetaException, TException;
/**
+ * @param dbName
+ * @param tableName
+ * @param s
+ * @param userName
+ * @param groupNames
+ * @return
+ * @throws NoSuchObjectException
+ */
+ public List listPartitionsWithAuthInfo(String dbName,
+ String tableName, short s, String userName, List groupNames)
+ throws MetaException, TException, NoSuchObjectException;
+
+ /**
+ * @param dbName
+ * @param tableName
+ * @param partialPvals
+ * @param s
+ * @param userName
+ * @param groupNames
+ * @return
+ * @throws NoSuchObjectException
+ */
+ public List listPartitionsWithAuthInfo(String dbName,
+ String tableName, List partialPvals, short s, String userName,
+ List groupNames) throws MetaException, TException, NoSuchObjectException;
+
+ /**
* @param tbl
* @throws AlreadyExistsException
* @throws InvalidObjectException
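Review bot: Both `listPartitionsWithAuthInfo` overloads name the limit parameter `s`, which says nothing, while the implementing class calls the same argument `max_parts` and forwards it under that name to `get_partitions_with_auth`. I would rename it to `max_parts` in the interface and document it like the existing `listPartitions` methods, e.g. `@param max_parts upper bound on the number of partitions returned`, and fill the empty `@return` with `partitions of the table, with privilege information for the given principal` (hedged until the server behaviour is confirmed). The `@throws` list also omits `MetaException` and `TException`, both of which the signature declares.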
@@ -478,4 +529,297 @@
public boolean dropIndex(String db_name, String tbl_name,
String name, boolean deleteData) throws NoSuchObjectException,
MetaException, TException;
+
+ /**
+ * @param user_name
+ * user name
+ * @param group_names
+ * group names
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public PrincipalPrivilegeSet get_user_privilege_set(String user_name,
+ List group_names) throws MetaException, TException;
+
+ /**
+ * @param db_name
+ * database name
+ * @param user_name
+ * user name
+ * @param group_names
+ * group names
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public PrincipalPrivilegeSet get_db_privilege_set(String db_name,
+ String user_name, List group_names) throws MetaException,
+ TException;
+
+ /**
+ * @param db_name
+ * db name
+ * @param table_name
+ * table name
+ * @param user_name
+ * user name
+ * @param group_names
+ * group names
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public PrincipalPrivilegeSet get_table_privilege_set(String db_name,
+ String table_name, String user_name, List group_names)
+ throws MetaException, TException;
+
+ /**
+ * @param db_name
+ * db name
+ * @param table_name
+ * table name
+ * @param part_name
+ * partition name
+ * @param user_name
+ * user name
+ * @param group_names
+ * group names
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public PrincipalPrivilegeSet get_partition_privilege_set(String db_name,
+ String table_name, String part_name, String user_name,
+ List group_names) throws MetaException, TException;
+
+ /**
+ * @param db_name
+ * database name
+ * @param table_name
+ * table name
+ * @param part_name
+ * partition name
+ * @param column_name
+ * column name
+ * @param user_name
+ * user name
+ * @param group_names
+ * group names
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public PrincipalPrivilegeSet get_column_privilege_set(String db_name,
+ String table_name, String part_name, String column_name,
+ String user_name, List group_names) throws MetaException,
+ TException;
+
+ /**
+ * @param role_name
+ * role name
+ * @param owner_name
+ * owner name
+ * @param db_name
+ *
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public boolean create_role(String role_name, String owner_name, String db_name)
+ throws MetaException, TException;
+
+ /**
+ * @param role_name
+ * role name
+ * @param db_name
+ *
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public boolean drop_role(String role_name, String db_name) throws MetaException, TException;
+
+ /**
+ * @param role_name
+ * role name
+ * @param user_name
+ * user name
+ * @param is_role
+ * is the given user name a role name
+ * @param is_group
+ * is the given user name a group name
+ * @param db_name
+ *
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public boolean add_role_member(String role_name, String user_name,
+ boolean is_role, boolean is_group, String db_name) throws MetaException, TException;
+
+ /**
+ * @param role_name
+ * role name
+ * @param user_name
+ * user name
+ * @param is_role
+ * is the given user name a role
+ * @param is_group
+ * is the given group name a group
+ * @param db_name
+ *
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public boolean remove_role_member(String role_name, String user_name,
+ boolean is_role, boolean is_group, String db_name) throws MetaException, TException;
+
+ /**
+ * @param principalName
+ * @param isRole
+ * @param isGroup
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public List list_roles(String principalName, boolean isRole,
+ boolean isGroup, String db_name) throws MetaException, TException;
+
+ /**
+ * @param user_name
+ * user name
+ * @param is_role
+ * is the given user name a role
+ * @param is_group
+ * is the given user name a group
+ * @param privileges
+ * a bag of privilege - including user level, db level, table level,
+ * and column level
+ * @param grantor
+ * the name of the grantor
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public boolean grant_privileges(String user_name, boolean is_role,
+ boolean is_group, PrivilegeBag privileges, String grantor)
+ throws MetaException, TException;
+
+ /**
+ * @param user_name
+ * user name
+ * @param is_role
+ * is the given user name a role
+ * @param is_group
+ * is the given user name a group
+ * @param privileges
+ * a bag of privileges
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public boolean revoke_privileges(String user_name, boolean is_role,
+ boolean is_group, PrivilegeBag privileges) throws MetaException,
+ TException;
+
+ /**
+ * @param user_name
+ * user name
+ * @param is_role
+ * is the given user name a role
+ * @param is_group
+ * is the given user name a group
+ * @param remove_user_priv
+ * true if need to remove all user level privileges that were
+ * assigned the the given principal
+ * @param dbs
+ * a list of database on which all db level privileges for the given
+ * principal are going to be remove.
+ * @param tables
+ * a list of tables on which all table level privileges for the given
+ * principal are going to be removed.
+ * @param parts
+ * a list of partitions on on which all partition level privileges
+ * for the given principal are going to be removed.
+ * @param columns
+ * a list of columns on on which all column level privileges for the
+ * given principal are going to be removed.
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public boolean revoke_all_privileges(String user_name, boolean is_role,
+ boolean is_group, boolean remove_user_priv, List dbs,
+ List tables, List parts,
+ Map> columns) throws MetaException, TException;
+
+ /**
+ * @param principla_name
+ * @param is_role
+ * @param is_group
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public List list_security_user_grant(String principla_name,
+ boolean is_role, boolean is_group) throws MetaException, TException;
+
+ /**
+ * @param principal_name
+ * @param is_group
+ * @param is_role
+ * @param db_name
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public List list_security_db_grant(String principal_name,
+ boolean is_group, boolean is_role, String db_name) throws MetaException,
+ TException;
+
+ /**
+ * @param principal_name
+ * @param is_group
+ * @param is_role
+ * @param db_name
+ * @param table_name
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public List list_security_table_grant(
+ String principal_name, boolean is_group, boolean is_role, String db_name,
+ String table_name) throws MetaException, TException;
+
+ /**
+ * @param principal_name
+ * @param is_group
+ * @param is_role
+ * @param db_name
+ * @param table_name
+ * @param part_name
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public List list_security_partition_grant(
+ String principal_name, boolean is_group, boolean is_role, String db_name,
+ String table_name, String part_name) throws MetaException, TException;
+
+ /**
+ * @param principal_name
+ * @param is_group
+ * @param is_role
+ * @param db_name
+ * @param table_name
+ * @param column_name
+ * @return
+ * @throws MetaException
+ * @throws TException
+ */
+ public List list_security_column_grant(String principal_name,
+ boolean is_group, boolean is_role, String db_name, String table_name,
+ String part_name, String column_name) throws MetaException, TException;
}
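Review bot: `list_security_user_grant(String principla_name, boolean is_role, boolean is_group)` orders its flags the opposite way from the four other `list_security_*_grant` methods (`boolean is_group, boolean is_role`), while `grant_privileges`, `revoke_privileges`, `revoke_all_privileges`, `add_role_member`, `remove_role_member` and `list_roles` all use `(is_role, is_group)`. Two adjacent booleans are already easy to transpose, and in an authorization API a transposition silently targets the wrong principal type; I would settle on `(…, boolean is_role, boolean is_group, …)` everywhere (or, better, replace the pair with a single principal-type argument) and fix the `principla_name` typo. The `@param db_name` entries for `create_role`, `drop_role`, `add_role_member` and `remove_role_member` are empty — say what scoping the database name provides. Finally, `grant_privileges` accepts `grantor` from the caller with no documented validation; the Javadoc should state whether the server is expected to replace it with the authenticated caller, since an unverified grantor undermines auditing of who granted what.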
Index: metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java
===================================================================
--- metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java (revision 1037574)
+++ metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java (working copy)
@@ -44,7 +44,9 @@
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.common.FileUtils;
import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.metastore.api.ColumnPrivilegeBag;
import org.apache.hadoop.hive.metastore.api.Database;
import org.apache.hadoop.hive.metastore.api.FieldSchema;
import org.apache.hadoop.hive.metastore.api.Index;
@@ -53,6 +55,9 @@
import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
import org.apache.hadoop.hive.metastore.api.Order;
import org.apache.hadoop.hive.metastore.api.Partition;
+import org.apache.hadoop.hive.metastore.api.PrincipalPrivilegeSet;
+import org.apache.hadoop.hive.metastore.api.PrivilegeBag;
+import org.apache.hadoop.hive.metastore.api.Role;
import org.apache.hadoop.hive.metastore.api.SerDeInfo;
import org.apache.hadoop.hive.metastore.api.StorageDescriptor;
import org.apache.hadoop.hive.metastore.api.Table;
@@ -62,6 +67,12 @@
import org.apache.hadoop.hive.metastore.model.MIndex;
import org.apache.hadoop.hive.metastore.model.MOrder;
import org.apache.hadoop.hive.metastore.model.MPartition;
+import org.apache.hadoop.hive.metastore.model.MSecurityColumn;
+import org.apache.hadoop.hive.metastore.model.MSecurityDB;
+import org.apache.hadoop.hive.metastore.model.MSecurityRoleEntity;
+import org.apache.hadoop.hive.metastore.model.MSecurityTablePartition;
+import org.apache.hadoop.hive.metastore.model.MSecurityUser;
+import org.apache.hadoop.hive.metastore.model.MSecurityUserRoleMap;
import org.apache.hadoop.hive.metastore.model.MSerDeInfo;
import org.apache.hadoop.hive.metastore.model.MStorageDescriptor;
import org.apache.hadoop.hive.metastore.model.MTable;
@@ -520,6 +531,51 @@
openTransaction();
MTable mtbl = convertToMTable(tbl);
pm.makePersistent(mtbl);
+ PrincipalPrivilegeSet principalPrivs = tbl.getPrivileges();
+ List