diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveLexer.g b/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveLexer.g index 9354637..da745d7 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveLexer.g +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveLexer.g @@ -282,6 +282,7 @@ KW_USER: 'USER'; KW_ROLE: 'ROLE'; KW_INNER: 'INNER'; KW_EXCHANGE: 'EXCHANGE'; +KW_ADMIN: 'ADMIN'; // Operators // NOTE: if you add a new function/operator, add it to sysFuncNames so that describe function _FUNC_ will work. diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g b/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g index b34f53b..8d3cb94 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g @@ -1299,8 +1299,8 @@ grantPrivileges : KW_GRANT privList=privilegeList privilegeObject? KW_TO principalSpecification - (KW_WITH withOption)? - -> ^(TOK_GRANT $privList principalSpecification privilegeObject? withOption?) + (withGrantOption)? + -> ^(TOK_GRANT $privList principalSpecification privilegeObject? withGrantOption?) ; revokePrivileges @@ -1313,15 +1313,15 @@ revokePrivileges grantRole @init {msgs.push("grant role");} @after {msgs.pop();} - : KW_GRANT KW_ROLE identifier (COMMA identifier)* KW_TO principalSpecification - -> ^(TOK_GRANT_ROLE principalSpecification identifier+) + : KW_GRANT KW_ROLE? identifier (COMMA identifier)* KW_TO principalSpecification withAdminOption? + -> ^(TOK_GRANT_ROLE principalSpecification withAdminOption? identifier+) ; revokeRole @init {msgs.push("revoke role");} @after {msgs.pop();} - : KW_REVOKE KW_ROLE identifier (COMMA identifier)* KW_FROM principalSpecification - -> ^(TOK_REVOKE_ROLE principalSpecification identifier+) + : KW_REVOKE KW_ROLE? identifier (COMMA identifier)* KW_FROM principalSpecification withAdminOption? + -> ^(TOK_REVOKE_ROLE principalSpecification withAdminOption? identifier+) ; showRoleGrants 
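Review bot: In `grantRole`, making `KW_ROLE` optional lets a statement such as `GRANT update TO USER u` match both this rule and `grantPrivileges`, whose `privilegeObject?` is already optional, because `KW_UPDATE`, `KW_CREATE` and `KW_DROP` are listed in `nonReserved` and so are presumably valid identifiers. Which alternative wins depends on rule order and backtracking in the enclosing statement rule, which is outside this hunk, so a global privilege grant and a grant of a role named like a privilege can be confused; a test that pins the chosen parse would make the behaviour explicit. The rewrites in `grantRole` and `revokeRole` also place `withAdminOption?` between the principal and the role names, so any consumer that reads every child after the first as a role name has to skip that node; that code is not visible here. `revokeRole` accepting `WITH ADMIN OPTION` deserves a grammar comment saying whether it removes the whole role or only the admin right.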
@@ -1341,17 +1341,25 @@ showGrants privilegeIncludeColObject @init {msgs.push("privilege object including columns");} @after {msgs.pop();} - : KW_ON (table=KW_TABLE|KW_DATABASE) identifier (LPAREN cols=columnNameList RPAREN)? partitionSpec? + : KW_ON table=objectType? identifier (LPAREN cols=columnNameList RPAREN)? partitionSpec? -> ^(TOK_PRIV_OBJECT_COL identifier $table? $cols? partitionSpec?) ; privilegeObject @init {msgs.push("privilege subject");} @after {msgs.pop();} - : KW_ON (table=KW_TABLE|KW_DATABASE) identifier partitionSpec? + : KW_ON table=objectType? identifier partitionSpec? -> ^(TOK_PRIV_OBJECT identifier $table? partitionSpec?) ; + +objectType +@init {msgs.push("object type");} +@after {msgs.pop();} + : KW_TABLE|KW_DATABASE + ; + + privilegeList @init {msgs.push("grant privilege list");} @after {msgs.pop();} @@ -1394,10 +1402,17 @@ principalName | KW_ROLE identifier -> ^(TOK_ROLE identifier) ; -withOption -@init {msgs.push("grant with option");} +withGrantOption +@init {msgs.push("with grant option");} +@after {msgs.pop();} + : KW_WITH KW_GRANT KW_OPTION + -> ^(TOK_GRANT_WITH_OPTION) + ; + +withAdminOption +@init {msgs.push("with admin option");} @after {msgs.pop();} - : KW_GRANT KW_OPTION + : KW_WITH KW_ADMIN KW_OPTION -> ^(TOK_GRANT_WITH_OPTION) ; diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g b/ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g index 39d53d3..b2c3480 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g 
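Review bot: With `table=objectType?` the label now binds for both `TABLE` and `DATABASE`, whereas the old `(table=KW_TABLE|KW_DATABASE)` bound it only for `TABLE`, so `$table?` in the `TOK_PRIV_OBJECT_COL` and `TOK_PRIV_OBJECT` rewrites no longer means "this object is a table". A consumer that tests for the presence of that child rather than its token type would treat `ON DATABASE x` as a table-level grant; the analyzer is not part of the visible diff, so this needs checking there. Renaming the label, for example `type=objectType?` with `$type?` in the rewrite, would stop the name from implying the old meaning. A comment above `objectType` stating that an omitted type is taken as table would document the new default.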
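Review bot: `withAdminOption` rewrites to `^(TOK_GRANT_WITH_OPTION)`, the same node that `withGrantOption` produces, so the tree cannot tell `WITH ADMIN OPTION` from `WITH GRANT OPTION` except by looking at the parent. This looks like a copy of the rule above it. A dedicated imaginary token (name to be chosen, for example `TOK_GRANT_WITH_ADMIN_OPTION`, declared with the other tokens outside this hunk) would keep the role-administration right separate from the privilege re-grant right: `-> ^(TOK_GRANT_WITH_ADMIN_OPTION)`. Both are delegation rights, so a mix-up downstream would over-grant without any error.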
@@ -535,5 +535,4 @@ identifier nonReserved : - KW_TRUE | KW_FALSE | KW_LIKE | KW_EXISTS | KW_ASC | KW_DESC | KW_ORDER | KW_GROUP | KW_BY | KW_AS | KW_INSERT | KW_OVERWRITE | KW_OUTER | KW_LEFT | KW_RIGHT | KW_FULL | KW_PARTITION | KW_PARTITIONS | KW_TABLE | KW_TABLES | KW_COLUMNS | KW_INDEX | KW_INDEXES | KW_REBUILD | KW_FUNCTIONS | KW_SHOW | KW_MSCK | KW_REPAIR | KW_DIRECTORY | KW_LOCAL | KW_USING | KW_CLUSTER | KW_DISTRIBUTE | KW_SORT | KW_UNION | KW_LOAD | KW_EXPORT | KW_IMPORT | KW_DATA | KW_INPATH | KW_IS | KW_NULL | KW_CREATE | KW_EXTERNAL | KW_ALTER | KW_CHANGE | KW_FIRST | KW_AFTER | KW_DESCRIBE | KW_DROP | KW_RENAME | KW_IGNORE | KW_PROTECTION | KW_TO | KW_COMMENT | KW_BOOLEAN | KW_TINYINT | KW_SMALLINT | KW_INT | KW_BIGINT | KW_FLOAT | KW_DOUBLE | KW_DATE | KW_DATETIME | KW_TIMESTAMP | KW_DECIMAL | KW_STRING | KW_ARRAY | KW_STRUCT | KW_UNIONTYPE | KW_PARTITIONED | KW_CLUSTERED | KW_SORTED | KW_INTO | KW_BUCKETS | KW_ROW | KW_ROWS | KW_FORMAT | KW_DELIMITED | KW_FIELDS | KW_TERMINATED | KW_ESCAPED | KW_COLLECTION | KW_ITEMS | KW_KEYS | KW_KEY_TYPE | KW_LINES | KW_STORED | KW_FILEFORMAT | KW_SEQUENCEFILE | KW_TEXTFILE | KW_RCFILE | KW_ORCFILE | KW_INPUTFORMAT | KW_OUTPUTFORMAT | KW_INPUTDRIVER | KW_OUTPUTDRIVER | KW_OFFLINE | KW_ENABLE | KW_DISABLE | KW_READONLY | KW_NO_DROP | KW_LOCATION | KW_BUCKET | KW_OUT | KW_OF | KW_PERCENT | KW_ADD | KW_REPLACE | KW_RLIKE | KW_REGEXP | KW_TEMPORARY | KW_EXPLAIN | KW_FORMATTED | KW_PRETTY | KW_DEPENDENCY | KW_LOGICAL | KW_SERDE | KW_WITH | KW_DEFERRED | KW_SERDEPROPERTIES | KW_DBPROPERTIES | KW_LIMIT | KW_SET | KW_UNSET | KW_TBLPROPERTIES | KW_IDXPROPERTIES | KW_VALUE_TYPE | KW_ELEM_TYPE | KW_MAPJOIN | KW_STREAMTABLE | KW_HOLD_DDLTIME | KW_CLUSTERSTATUS | KW_UTC | KW_UTCTIMESTAMP | KW_LONG | KW_DELETE | KW_PLUS | KW_MINUS | KW_FETCH | KW_INTERSECT | KW_VIEW | KW_IN | KW_DATABASES | KW_MATERIALIZED | KW_SCHEMA | KW_SCHEMAS | KW_GRANT | KW_REVOKE | KW_SSL | KW_UNDO | KW_LOCK | KW_LOCKS | KW_UNLOCK | KW_SHARED | 
KW_EXCLUSIVE | KW_PROCEDURE | KW_UNSIGNED | KW_WHILE | KW_READ | KW_READS | KW_PURGE | KW_RANGE | KW_ANALYZE | KW_BEFORE | KW_BETWEEN | KW_BOTH | KW_BINARY | KW_CONTINUE | KW_CURSOR | KW_TRIGGER | KW_RECORDREADER | KW_RECORDWRITER | KW_SEMI | KW_LATERAL | KW_TOUCH | KW_ARCHIVE | KW_UNARCHIVE | KW_COMPUTE | KW_STATISTICS | KW_USE | KW_OPTION | KW_CONCATENATE | KW_SHOW_DATABASE | KW_UPDATE | KW_RESTRICT | KW_CASCADE | KW_SKEWED | KW_ROLLUP | KW_CUBE | KW_DIRECTORIES | KW_FOR | KW_GROUPING | KW_SETS | KW_TRUNCATE | KW_NOSCAN | KW_USER | KW_ROLE | KW_INNER | KW_DEFINED - ; + KW_TRUE | KW_FALSE | KW_LIKE | KW_EXISTS | KW_ASC | KW_DESC | KW_ORDER | KW_GROUP | KW_BY | KW_AS | KW_INSERT | KW_OVERWRITE | KW_OUTER | KW_LEFT | KW_RIGHT | KW_FULL | KW_PARTITION | KW_PARTITIONS | KW_TABLE | KW_TABLES | KW_COLUMNS | KW_INDEX | KW_INDEXES | KW_REBUILD | KW_FUNCTIONS | KW_SHOW | KW_MSCK | KW_REPAIR | KW_DIRECTORY | KW_LOCAL | KW_USING | KW_CLUSTER | KW_DISTRIBUTE | KW_SORT | KW_UNION | KW_LOAD | KW_EXPORT | KW_IMPORT | KW_DATA | KW_INPATH | KW_IS | KW_NULL | KW_CREATE | KW_EXTERNAL | KW_ALTER | KW_CHANGE | KW_FIRST | KW_AFTER | KW_DESCRIBE | KW_DROP | KW_RENAME | KW_IGNORE | KW_PROTECTION | KW_TO | KW_COMMENT | KW_BOOLEAN | KW_TINYINT | KW_SMALLINT | KW_INT | KW_BIGINT | KW_FLOAT | KW_DOUBLE | KW_DATE | KW_DATETIME | KW_TIMESTAMP | KW_DECIMAL | KW_STRING | KW_ARRAY | KW_STRUCT | KW_UNIONTYPE | KW_PARTITIONED | KW_CLUSTERED | KW_SORTED | KW_INTO | KW_BUCKETS | KW_ROW | KW_ROWS | KW_FORMAT | KW_DELIMITED | KW_FIELDS | KW_TERMINATED | KW_ESCAPED | KW_COLLECTION | KW_ITEMS | KW_KEYS | KW_KEY_TYPE | KW_LINES | KW_STORED | KW_FILEFORMAT | KW_SEQUENCEFILE | KW_TEXTFILE | KW_RCFILE | KW_ORCFILE | KW_INPUTFORMAT | KW_OUTPUTFORMAT | KW_INPUTDRIVER | KW_OUTPUTDRIVER | KW_OFFLINE | KW_ENABLE | KW_DISABLE | KW_READONLY | KW_NO_DROP | KW_LOCATION | KW_BUCKET | KW_OUT | KW_OF | KW_PERCENT | KW_ADD | KW_REPLACE | KW_RLIKE | KW_REGEXP | KW_TEMPORARY | KW_EXPLAIN | KW_FORMATTED | KW_PRETTY | 
KW_DEPENDENCY | KW_LOGICAL | KW_SERDE | KW_WITH | KW_DEFERRED | KW_SERDEPROPERTIES | KW_DBPROPERTIES | KW_LIMIT | KW_SET | KW_UNSET | KW_TBLPROPERTIES | KW_IDXPROPERTIES | KW_VALUE_TYPE | KW_ELEM_TYPE | KW_MAPJOIN | KW_STREAMTABLE | KW_HOLD_DDLTIME | KW_CLUSTERSTATUS | KW_UTC | KW_UTCTIMESTAMP | KW_LONG | KW_DELETE | KW_PLUS | KW_MINUS | KW_FETCH | KW_INTERSECT | KW_VIEW | KW_IN | KW_DATABASES | KW_MATERIALIZED | KW_SCHEMA | KW_SCHEMAS | KW_GRANT | KW_REVOKE | KW_SSL | KW_UNDO | KW_LOCK | KW_LOCKS | KW_UNLOCK | KW_SHARED | KW_EXCLUSIVE | KW_PROCEDURE | KW_UNSIGNED | KW_WHILE | KW_READ | KW_READS | KW_PURGE | KW_RANGE | KW_ANALYZE | KW_BEFORE | KW_BETWEEN | KW_BOTH | KW_BINARY | KW_CONTINUE | KW_CURSOR | KW_TRIGGER | KW_RECORDREADER | KW_RECORDWRITER | KW_SEMI | KW_LATERAL | KW_TOUCH | KW_ARCHIVE | KW_UNARCHIVE | KW_COMPUTE | KW_STATISTICS | KW_USE | KW_OPTION | KW_CONCATENATE | KW_SHOW_DATABASE | KW_UPDATE | KW_RESTRICT | KW_CASCADE | KW_SKEWED | KW_ROLLUP | KW_CUBE | KW_DIRECTORIES | KW_FOR | KW_GROUPING | KW_SETS | KW_TRUNCATE | KW_NOSCAN | KW_USER | KW_ROLE | KW_INNER | KW_DEFINED | KW_ADMIN diff --git a/ql/src/java/org/apache/hadoop/hive/ql/plan/PrivilegeObjectDesc.java b/ql/src/java/org/apache/hadoop/hive/ql/plan/PrivilegeObjectDesc.java index f0acb16..9417220 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/plan/PrivilegeObjectDesc.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/plan/PrivilegeObjectDesc.java @@ -23,7 +23,8 @@ @Explain(displayName="privilege subject") public class PrivilegeObjectDesc { - private boolean table; + //default type is table + private boolean table = true; private String object; diff --git a/ql/src/test/queries/clientpositive/authorization_2.q b/ql/src/test/queries/clientpositive/authorization_2.q index 4fc79b9..3353c53 100644 --- a/ql/src/test/queries/clientpositive/authorization_2.q +++ b/ql/src/test/queries/clientpositive/authorization_2.q 
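Review bot: The new side of `nonReserved` ends at `| KW_ADMIN` and the removed `;` line is not added back; the hunk header (`-535,5 +535,4`) agrees that one line is gone. If the file really ends this way the rule has no terminator and the grammar should fail to generate, so the `;` line needs restoring after the alternative list. Listing `KW_ADMIN` here is otherwise sensible, since it should keep existing names spelled `admin` usable as identifiers.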
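Review bot: `private boolean table = true;` makes every `PrivilegeObjectDesc` a table object unless something later clears the flag, so a database-level grant or revoke that reaches this class without an explicit type would silently be applied as a table operation. The one-line comment does not say who is responsible for clearing it; I would expand it to `// Defaults to table when the statement omits TABLE/DATABASE; callers must set this to false for database objects.` A two-valued enum would state the intent better than a boolean, but that would change the accessors, which are outside this hunk.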
@@ -6,7 +6,7 @@ ALTER TABLE authorization_part SET TBLPROPERTIES ("PARTITION_LEVEL_PRIVILEGE"="T set hive.security.authorization.enabled=true; -- column grant to user -grant Create on table authorization_part to user hive_test_user; +grant Create on authorization_part to user hive_test_user; grant Update on table authorization_part to user hive_test_user; grant Drop on table authorization_part to user hive_test_user; grant select on table src_auth_tmp to user hive_test_user; diff --git a/ql/src/test/queries/clientpositive/authorization_role_grant1.q b/ql/src/test/queries/clientpositive/authorization_role_grant1.q new file mode 100644 index 0000000..2fc5cb5 --- /dev/null +++ b/ql/src/test/queries/clientpositive/authorization_role_grant1.q @@ -0,0 +1,20 @@ +-- role granting without role keyword +create role src_role2; +grant src_role2 to user user2 ; +show role grant user user2; + +-- revoke role without role keyword +revoke src_role2 from user user2; +show role grant user user2; + +---------------------------------------- +-- role granting without role keyword, with admin option (syntax check) +---------------------------------------- + +create role src_role_wadmin; +grant src_role_wadmin to user user2 with admin; +show role grant user user2; + +-- revoke role without role keyword +revoke src_role_wadmin from user user2 with admin; +show role grant user user2; diff --git a/ql/src/test/results/clientpositive/authorization_2.q.out b/ql/src/test/results/clientpositive/authorization_2.q.out index 20e3df8..5a51ed2 100644 --- a/ql/src/test/results/clientpositive/authorization_2.q.out +++ b/ql/src/test/results/clientpositive/authorization_2.q.out 
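Review bot: In the new `authorization_role_grant1.q`, the admin-option statements are written as `with admin`, but `withAdminOption` in HiveParser.g is `KW_WITH KW_ADMIN KW_OPTION`, so `grant src_role_wadmin to user user2 with admin;` should not parse with the grammar in this commit. The golden file added for this test ends after the second `show role grant user user2` and has no output from `create role src_role_wadmin` onward, so this half of the test is not pinned by anything. Use `with admin option` in both statements and regenerate the `.q.out`. The last comment would read better as `-- revoke role without role keyword, with admin option` to match the statement under it.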
@@ -23,11 +23,11 @@ POSTHOOK: type: ALTERTABLE_PROPERTIES POSTHOOK: Input: default@authorization_part POSTHOOK: Output: default@authorization_part PREHOOK: query: -- column grant to user -grant Create on table authorization_part to user hive_test_user +grant Create on authorization_part to user hive_test_user PREHOOK: type: GRANT_PRIVILEGE PREHOOK: Output: default@authorization_part POSTHOOK: query: -- column grant to user -grant Create on table authorization_part to user hive_test_user +grant Create on authorization_part to user hive_test_user POSTHOOK: type: GRANT_PRIVILEGE POSTHOOK: Output: default@authorization_part PREHOOK: query: grant Update on table authorization_part to user hive_test_user diff --git a/ql/src/test/results/clientpositive/authorization_role_grant1.q.out b/ql/src/test/results/clientpositive/authorization_role_grant1.q.out new file mode 100644 index 0000000..9e37e61 --- /dev/null +++ b/ql/src/test/results/clientpositive/authorization_role_grant1.q.out @@ -0,0 +1,25 @@ +PREHOOK: query: -- role granting without role keyword +create role src_role2 +PREHOOK: type: CREATEROLE +POSTHOOK: query: -- role granting without role keyword +create role src_role2 +POSTHOOK: type: CREATEROLE +PREHOOK: query: grant src_role2 to user user2 +PREHOOK: type: GRANT_ROLE +POSTHOOK: query: grant src_role2 to user user2 +POSTHOOK: type: GRANT_ROLE +PREHOOK: query: show role grant user user2 +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant user user2 +POSTHOOK: type: SHOW_ROLE_GRANT +role name:src_role2 +PREHOOK: query: -- revoke role without role keyword +revoke src_role2 from user user2 +PREHOOK: type: REVOKE_ROLE +POSTHOOK: query: -- revoke role without role keyword +revoke src_role2 from user user2 +POSTHOOK: type: REVOKE_ROLE +PREHOOK: query: show role grant user user2 +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant user user2 +POSTHOOK: type: SHOW_ROLE_GRANT