diff --git ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g
index 1ce6bf3..c15c4b5 100644
--- ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g
+++ ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g
@@ -1377,6 +1377,7 @@ privObjectType @init {msgs.push("privilege object type type");} @after {msgs.pop();} : KW_DATABASE -> ^(TOK_DB_TYPE) + | KW_VIEW -> ^(TOK_TABLE_TYPE) | KW_TABLE? -> ^(TOK_TABLE_TYPE) ;
diff --git ql/src/test/queries/clientpositive/authorization_view.q ql/src/test/queries/clientpositive/authorization_view.q
new file mode 100644
index 0000000..f6f774c
--- /dev/null
+++ ql/src/test/queries/clientpositive/authorization_view.q
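Review bot: In the privObjectType rule of HiveParser.g, the added alternative `| KW_VIEW -> ^(TOK_TABLE_TYPE)` rewrites to the same token as `KW_TABLE?`, so the VIEW keyword is discarded at parse time and nothing downstream of the parser can tell `on view x` from `on table x`. A grant written `on view` against an ordinary table, or `on table` against a view, would therefore presumably be accepted unchanged; the expected output in authorization_view.q.out does report the object as `table src_autho_test`. If the aliasing is intentional, say so next to the alternative, e.g. `// VIEW is accepted as a synonym for TABLE; the object kind is not checked here`, and add a negative test that pins what happens when the keyword does not match the object kind. The rule's name line sits in the hunk header rather than in the hunk body, so the rule starts outside the hunk.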
@@ -0,0 +1,77 @@
+-- SORT_BEFORE_DIFF
+
+create view src_autho_test as select * from src;
+
+set hive.security.authorization.enabled=true;
+
+--view grant to user
+
+grant select on view src_autho_test to user hive_test_user;
+
+show grant user hive_test_user on view src_autho_test;
+show grant user hive_test_user on view src_autho_test(key);
+
+revoke select on view src_autho_test from user hive_test_user;
+show grant user hive_test_user on view src_autho_test;
+show grant user hive_test_user on view src_autho_test(key);
+
+--column grant to user
+
+grant select(key) on view src_autho_test to user hive_test_user;
+
+show grant user hive_test_user on view src_autho_test;
+show grant user hive_test_user on view src_autho_test(key);
+
+revoke select(key) on view src_autho_test from user hive_test_user;
+show grant user hive_test_user on view src_autho_test;
+show grant user hive_test_user on view src_autho_test(key);
+
+--view grant to group
+
+grant select on view src_autho_test to group hive_test_group1;
+
+show grant group hive_test_group1 on view src_autho_test;
+show grant group hive_test_group1 on view src_autho_test(key);
+
+revoke select on view src_autho_test from group hive_test_group1;
+show grant group hive_test_group1 on view src_autho_test;
+show grant group hive_test_group1 on view src_autho_test(key);
+
+--column grant to group
+
+grant select(key) on view src_autho_test to group hive_test_group1;
+
+show grant group hive_test_group1 on view src_autho_test;
+show grant group hive_test_group1 on view src_autho_test(key);
+
+revoke select(key) on view src_autho_test from group hive_test_group1;
+show grant group hive_test_group1 on view src_autho_test;
+show grant group hive_test_group1 on view src_autho_test(key);
+
+--role
+create role src_role;
+grant role src_role to user hive_test_user;
+show role grant user hive_test_user;
+
+--column grant to role
+
+grant select(key) on view src_autho_test to role src_role;
+
+show grant role src_role on view src_autho_test;
+show grant role src_role on view src_autho_test(key);
+
+revoke select(key) on view src_autho_test from role src_role;
+
+--view grant to role
+
+grant select on view src_autho_test to role src_role;
+
+show grant role src_role on view src_autho_test;
+show grant role src_role on view src_autho_test(key);
+revoke select on view src_autho_test from role src_role;
+
+-- drop role
+drop role src_role;
+
+set hive.security.authorization.enabled=false;
+drop view src_autho_test;
diff --git ql/src/test/results/clientpositive/authorization_view.q.out ql/src/test/results/clientpositive/authorization_view.q.out
new file mode 100644
index 0000000..e74be93
--- /dev/null
+++ ql/src/test/results/clientpositive/authorization_view.q.out
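Review bot: The role section of authorization_view.q never checks that a revoke took effect: after `revoke select(key) on view src_autho_test from role src_role;` and after the final `revoke select on view src_autho_test from role src_role;` there is no `show grant`, whereas the user and group sections re-run both `show grant` statements after every revoke. Revocation is the path an authorization test most needs to pin, so add `show grant role src_role on view src_autho_test;` and `show grant role src_role on view src_autho_test(key);` after each role revoke and regenerate the .q.out. The test also exercises grant metadata only; it never queries the view as the grantee with authorization enabled, so enforcement of these grants is not covered here.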
@@ -0,0 +1,259 @@ +PREHOOK: query: -- SORT_BEFORE_DIFF + +create view src_autho_test as select * from src +PREHOOK: type: CREATEVIEW +POSTHOOK: query: -- SORT_BEFORE_DIFF + +create view src_autho_test as select * from src +POSTHOOK: type: CREATEVIEW +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: --view grant to user + +grant select on view src_autho_test to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --view grant to user + +grant select on view src_autho_test to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: show grant user hive_test_user on view src_autho_test +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on view src_autho_test +POSTHOOK: type: SHOW_GRANT +database default +table src_autho_test +principalName hive_test_user +principalType USER +privilege Select +#### A masked pattern was here #### +grantor hive_test_user +PREHOOK: query: show grant user hive_test_user on view src_autho_test(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on view src_autho_test(key) +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: revoke select on view src_autho_test from user hive_test_user +PREHOOK: type: REVOKE_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: revoke select on view src_autho_test from user hive_test_user +POSTHOOK: type: REVOKE_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: show grant user hive_test_user on view src_autho_test +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on view src_autho_test +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: show grant user hive_test_user on view src_autho_test(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on view src_autho_test(key) +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: --column grant to user + +grant select(key) on view 
src_autho_test to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --column grant to user + +grant select(key) on view src_autho_test to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: show grant user hive_test_user on view src_autho_test +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on view src_autho_test +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: show grant user hive_test_user on view src_autho_test(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on view src_autho_test(key) +POSTHOOK: type: SHOW_GRANT +database default +table src_autho_test +columnName key +principalName hive_test_user +principalType USER +privilege Select +#### A masked pattern was here #### +grantor hive_test_user +PREHOOK: query: revoke select(key) on view src_autho_test from user hive_test_user +PREHOOK: type: REVOKE_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: revoke select(key) on view src_autho_test from user hive_test_user +POSTHOOK: type: REVOKE_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: show grant user hive_test_user on view src_autho_test +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on view src_autho_test +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: show grant user hive_test_user on view src_autho_test(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on view src_autho_test(key) +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: --view grant to group + +grant select on view src_autho_test to group hive_test_group1 +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --view grant to group + +grant select on view src_autho_test to group hive_test_group1 +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: show grant 
group hive_test_group1 on view src_autho_test +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant group hive_test_group1 on view src_autho_test +POSTHOOK: type: SHOW_GRANT +database default +table src_autho_test +principalName hive_test_group1 +principalType GROUP +privilege Select +#### A masked pattern was here #### +grantor hive_test_user +PREHOOK: query: show grant group hive_test_group1 on view src_autho_test(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant group hive_test_group1 on view src_autho_test(key) +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: revoke select on view src_autho_test from group hive_test_group1 +PREHOOK: type: REVOKE_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: revoke select on view src_autho_test from group hive_test_group1 +POSTHOOK: type: REVOKE_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: show grant group hive_test_group1 on view src_autho_test +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant group hive_test_group1 on view src_autho_test +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: show grant group hive_test_group1 on view src_autho_test(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant group hive_test_group1 on view src_autho_test(key) +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: --column grant to group + +grant select(key) on view src_autho_test to group hive_test_group1 +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --column grant to group + +grant select(key) on view src_autho_test to group hive_test_group1 +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: show grant group hive_test_group1 on view src_autho_test +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant group hive_test_group1 on view src_autho_test +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: show grant group hive_test_group1 on view src_autho_test(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show 
grant group hive_test_group1 on view src_autho_test(key) +POSTHOOK: type: SHOW_GRANT +database default +table src_autho_test +columnName key +principalName hive_test_group1 +principalType GROUP +privilege Select +#### A masked pattern was here #### +grantor hive_test_user +PREHOOK: query: revoke select(key) on view src_autho_test from group hive_test_group1 +PREHOOK: type: REVOKE_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: revoke select(key) on view src_autho_test from group hive_test_group1 +POSTHOOK: type: REVOKE_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: show grant group hive_test_group1 on view src_autho_test +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant group hive_test_group1 on view src_autho_test +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: show grant group hive_test_group1 on view src_autho_test(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant group hive_test_group1 on view src_autho_test(key) +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: --role +create role src_role +PREHOOK: type: CREATEROLE +POSTHOOK: query: --role +create role src_role +POSTHOOK: type: CREATEROLE +PREHOOK: query: grant role src_role to user hive_test_user +PREHOOK: type: GRANT_ROLE +POSTHOOK: query: grant role src_role to user hive_test_user +POSTHOOK: type: GRANT_ROLE +PREHOOK: query: show role grant user hive_test_user +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant user hive_test_user +POSTHOOK: type: SHOW_ROLE_GRANT +src_role +PREHOOK: query: --column grant to role + +grant select(key) on view src_autho_test to role src_role +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --column grant to role + +grant select(key) on view src_autho_test to role src_role +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: show grant role src_role on view src_autho_test +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant role 
src_role on view src_autho_test +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: show grant role src_role on view src_autho_test(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant role src_role on view src_autho_test(key) +POSTHOOK: type: SHOW_GRANT +database default +table src_autho_test +columnName key +principalName src_role +principalType ROLE +privilege Select +#### A masked pattern was here #### +grantor hive_test_user +PREHOOK: query: revoke select(key) on view src_autho_test from role src_role +PREHOOK: type: REVOKE_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: revoke select(key) on view src_autho_test from role src_role +POSTHOOK: type: REVOKE_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: --view grant to role + +grant select on view src_autho_test to role src_role +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --view grant to role + +grant select on view src_autho_test to role src_role +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: show grant role src_role on view src_autho_test +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant role src_role on view src_autho_test +POSTHOOK: type: SHOW_GRANT +database default +table src_autho_test +principalName src_role +principalType ROLE +privilege Select +#### A masked pattern was here #### +grantor hive_test_user +PREHOOK: query: show grant role src_role on view src_autho_test(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant role src_role on view src_autho_test(key) +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: revoke select on view src_autho_test from role src_role +PREHOOK: type: REVOKE_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: revoke select on view src_autho_test from role src_role +POSTHOOK: type: REVOKE_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: -- drop role +drop role src_role +PREHOOK: type: DROPROLE 
+POSTHOOK: query: -- drop role +drop role src_role +POSTHOOK: type: DROPROLE +PREHOOK: query: drop view src_autho_test +PREHOOK: type: DROPVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: drop view src_autho_test +POSTHOOK: type: DROPVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: default@src_autho_test