diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g b/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g index 216c361..dcbc681 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g @@ -266,8 +266,10 @@ TOK_GRANT_WITH_ADMIN_OPTION; TOK_PRIV_ALL; TOK_PRIV_ALTER_METADATA; TOK_PRIV_ALTER_DATA; +TOK_PRIV_DELETE; TOK_PRIV_DROP; TOK_PRIV_INDEX; +TOK_PRIV_INSERT; TOK_PRIV_LOCK; TOK_PRIV_SELECT; TOK_PRIV_SHOW_DATABASE; @@ -1414,6 +1416,8 @@ privilegeType | KW_LOCK -> ^(TOK_PRIV_LOCK) | KW_SELECT -> ^(TOK_PRIV_SELECT) | KW_SHOW_DATABASE -> ^(TOK_PRIV_SHOW_DATABASE) + | KW_INSERT -> ^(TOK_PRIV_INSERT) + | KW_DELETE -> ^(TOK_PRIV_DELETE) ; principalSpecification diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/Privilege.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/Privilege.java index dbbe210..f9d1b4b 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/Privilege.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/Privilege.java @@ -19,82 +19,17 @@ package org.apache.hadoop.hive.ql.security.authorization; import java.util.EnumSet; -import org.apache.hadoop.hive.ql.parse.HiveParser; /** * Privilege defines a privilege in Hive. Each privilege has a name and scope associated with it. * This class contains all of the predefined privileges in Hive. */ public class Privilege { - - public enum PrivilegeType { - ALL, - ALTER_DATA, - ALTER_METADATA, - CREATE, - DROP, - INDEX, - LOCK, - SELECT, - SHOW_DATABASE, - UNKNOWN - } - - - public static PrivilegeType getPrivTypeByToken(int token) { - switch (token) { - case HiveParser.TOK_PRIV_ALL: - return PrivilegeType.ALL; - case HiveParser.TOK_PRIV_ALTER_DATA: - return PrivilegeType.ALTER_DATA; - case HiveParser.TOK_PRIV_ALTER_METADATA: - return PrivilegeType.ALTER_METADATA; - case HiveParser.TOK_PRIV_CREATE: - return PrivilegeType.CREATE; - case HiveParser.TOK_PRIV_DROP: - return PrivilegeType.DROP; - case HiveParser.TOK_PRIV_INDEX: - return PrivilegeType.INDEX; - case HiveParser.TOK_PRIV_LOCK: - return PrivilegeType.LOCK; - case HiveParser.TOK_PRIV_SELECT: - return PrivilegeType.SELECT; - case HiveParser.TOK_PRIV_SHOW_DATABASE: - return PrivilegeType.SHOW_DATABASE; - default: - return PrivilegeType.UNKNOWN; - } - } - - public static PrivilegeType getPrivTypeByName(String privilegeName) { - String canonicalizedName = privilegeName.toLowerCase(); - if (canonicalizedName.equals("all")) { - return PrivilegeType.ALL; - } else if (canonicalizedName.equals("update")) { - return PrivilegeType.ALTER_DATA; - } else if (canonicalizedName.equals("alter")) { - return PrivilegeType.ALTER_METADATA; - } else if (canonicalizedName.equals("create")) { - return PrivilegeType.CREATE; - } else if (canonicalizedName.equals("drop")) { - return PrivilegeType.DROP; - } else if (canonicalizedName.equals("index")) { - return PrivilegeType.INDEX; - } else if (canonicalizedName.equals("lock")) { - return PrivilegeType.LOCK; - } else if (canonicalizedName.equals("select")) { - return PrivilegeType.SELECT; - } else if (canonicalizedName.equals("show_database")) { - return PrivilegeType.SHOW_DATABASE; - } - - return PrivilegeType.UNKNOWN; - } private PrivilegeType priv; - + private EnumSet supportedScopeSet; - + private Privilege(PrivilegeType priv, EnumSet scopeSet) { super(); this.priv = priv; @@ -104,7 +39,7 @@ private Privilege(PrivilegeType priv, EnumSet scopeSet) { public Privilege(PrivilegeType priv) { super(); this.priv = priv; - + } public PrivilegeType getPriv() { @@ -114,7 +49,7 @@ public PrivilegeType getPriv() { public void setPriv(PrivilegeType priv) { this.priv = priv; } - + public boolean supportColumnLevel() { return supportedScopeSet != null && supportedScopeSet.contains(PrivilegeScope.COLUMN_LEVEL_SCOPE); @@ -129,31 +64,10 @@ public boolean supportTableLevel() { return supportedScopeSet != null && supportedScopeSet.contains(PrivilegeScope.TABLE_LEVEL_SCOPE); } - + @Override public String toString() { - switch (this.priv) { - case ALL: - return "All"; - case ALTER_DATA: - return "Update"; - case ALTER_METADATA: - return "Alter"; - case CREATE: - return "Create"; - case DROP: - return "Drop"; - case INDEX: - return "Index"; - case LOCK: - return "Lock"; - case SELECT: - return "Select"; - case SHOW_DATABASE: - return "Show_Database"; - default: - return "Unknown"; - } + return this.getPriv().toString(); } public Privilege() { @@ -183,6 +97,12 @@ public Privilege() { public static Privilege SELECT = new Privilege(PrivilegeType.SELECT, PrivilegeScope.ALLSCOPE); + public static Privilege INSERT = new Privilege(PrivilegeType.INSERT, + PrivilegeScope.ALLSCOPE_EXCEPT_COLUMN); + + public static Privilege DELETE = new Privilege(PrivilegeType.DELETE, + PrivilegeScope.ALLSCOPE_EXCEPT_COLUMN); + public static Privilege SHOW_DATABASE = new Privilege(PrivilegeType.SHOW_DATABASE, EnumSet.of(PrivilegeScope.USER_LEVEL_SCOPE)); diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java index 960f291..5ca7100 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java @@ -20,7 +20,7 @@ import java.util.HashMap; -import org.apache.hadoop.hive.ql.security.authorization.Privilege.PrivilegeType; +import org.apache.hadoop.hive.ql.session.SessionState; /** * PrivilegeRegistry is used to do privilege lookups. Given a privilege name, it @@ -28,9 +28,35 @@ */ public class PrivilegeRegistry { - protected static HashMap Registry = new HashMap(); + protected static HashMap Registry = null; - static { + public static Privilege getPrivilege(PrivilegeType privilegeType) { + initializeRegistry(); + return Registry.get(privilegeType); + } + + private static void initializeRegistry() { + if(Registry != null){ + //already initialized, nothing to do + return; + } + //population of registry done in separate synchronized call + populateRegistry(); + } + + /** + * Add entries to registry. This needs to be synchronized to avoid Registry being populated + * multiple times. + */ + private static synchronized void populateRegistry() { + //do check again in synchronized block + if(Registry != null){ + //already initialized, nothing to do + return; + } + Registry = new HashMap(); + + //add the privileges supported in authorization mode V1 Registry.put(Privilege.ALL.getPriv(), Privilege.ALL); Registry.put(Privilege.ALTER_DATA.getPriv(), Privilege.ALTER_DATA); Registry.put(Privilege.ALTER_METADATA.getPriv(), Privilege.ALTER_METADATA); @@ -41,18 +67,23 @@ Registry.put(Privilege.SELECT.getPriv(), Privilege.SELECT); Registry.put(Privilege.SHOW_DATABASE.getPriv(), Privilege.SHOW_DATABASE); - } - - public static Privilege getPrivilege(PrivilegeType privilegeType) { - return Registry.get(privilegeType); + if(SessionState.get().isAuthorizationModeV2()){ + //add the privileges not supported in V1 + //The list of privileges supported in V2 is implementation defined, + //so just pass everything that syntax supports. + Registry.put(Privilege.INSERT.getPriv(), Privilege.INSERT); + Registry.put(Privilege.DELETE.getPriv(), Privilege.DELETE); + } } public static Privilege getPrivilege(int privilegeToken) { - return Registry.get(Privilege.getPrivTypeByToken(privilegeToken)); + initializeRegistry(); + return Registry.get(PrivilegeType.getPrivTypeByToken(privilegeToken)); } public static Privilege getPrivilege(String privilegeName) { - return Registry.get(Privilege.getPrivTypeByName(privilegeName)); + initializeRegistry(); + return Registry.get(PrivilegeType.getPrivTypeByName(privilegeName)); } } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeType.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeType.java new file mode 100644 index 0000000..ccc3528 --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeType.java @@ -0,0 +1,117 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hive.ql.security.authorization; + +import java.util.HashMap; +import java.util.Map; + +import org.apache.hadoop.hive.ql.parse.HiveParser; + +/** + * Privilege type + */ +public enum PrivilegeType { + + ALL(HiveParser.TOK_PRIV_ALL, "All"), + ALTER_DATA(HiveParser.TOK_PRIV_ALTER_DATA, "Update"), + ALTER_METADATA(HiveParser.TOK_PRIV_ALTER_METADATA, "Alter"), + CREATE(HiveParser.TOK_PRIV_CREATE, "Create"), + DROP(HiveParser.TOK_PRIV_DROP, "Drop"), + INDEX(HiveParser.TOK_PRIV_INDEX, "Index"), + LOCK(HiveParser.TOK_PRIV_LOCK, "Lock"), + SELECT(HiveParser.TOK_PRIV_SELECT, "Select"), + SHOW_DATABASE(HiveParser.TOK_PRIV_SHOW_DATABASE, "Show_Database"), + INSERT(HiveParser.TOK_PRIV_INSERT, "Insert"), + DELETE(HiveParser.TOK_PRIV_DELETE, "Delete"), + UNKNOWN(null, null); + + private final String name; + private final Integer token; + + PrivilegeType(Integer token, String name){ + this.name = name; + this.token = token; + } + + @Override + public String toString(){ + return name == null ? "unkown" : name; + } + + public Integer getToken() { + return token; + } + + private static Map token2Type; + private static Map name2Type; + + /** + * Do case lookup of PrivilegeType associated with this antlr token + * @param privilegeName + * @return corresponding PrivilegeType + */ + public static PrivilegeType getPrivTypeByToken(int token) { + if(token2Type == null){ + populateToken2Type(); + } + PrivilegeType privType = token2Type.get(token); + System.err.println("XXXXXXXXXXX 7" + privType); + if(privType != null){ + return privType; + } + return PrivilegeType.UNKNOWN; + } + + private static synchronized void populateToken2Type() { + if(token2Type != null){ + return; + } + token2Type = new HashMap(); + for(PrivilegeType privType : PrivilegeType.values()){ + token2Type.put(privType.getToken(), privType); + } + } + + /** + * Do case insensitive lookup of PrivilegeType with this name + * @param privilegeName + * @return corresponding PrivilegeType + */ + public static PrivilegeType getPrivTypeByName(String privilegeName) { + if(name2Type == null){ + populateName2Type(); + } + String canonicalizedName = privilegeName.toLowerCase(); + PrivilegeType privType = name2Type.get(canonicalizedName); + if(privType != null){ + return privType; + } + return PrivilegeType.UNKNOWN; + } + + private static synchronized void populateName2Type() { + if(name2Type != null){ + return; + } + name2Type = new HashMap(); + for(PrivilegeType privType : PrivilegeType.values()){ + name2Type.put(privType.toString(), privType); + } + } +} diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java index 7425150..f5fa572 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java @@ -18,7 +18,10 @@ package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd; import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashSet; import java.util.List; +import java.util.Set; import org.apache.hadoop.classification.InterfaceAudience.Private; import org.apache.hadoop.hive.conf.HiveConf; @@ -48,6 +51,9 @@ public class SQLStdHiveAccessController implements HiveAccessController { private HiveMetastoreClientFactory metastoreClientFactory; + private static final String [] SUPPORTED_PRIVS = {"INSERT", "UPDATE", "DELETE", "SELECT", "ALL"}; + private static final Set SUPPORTED_PRIVS_SET + = new HashSet(Arrays.asList(SUPPORTED_PRIVS)); SQLStdHiveAccessController(HiveMetastoreClientFactory metastoreClientFactory, @@ -91,6 +97,10 @@ private PrivilegeBag getThriftPrivilegesBag(List hivePrincipals, throw new HiveAuthorizationPluginException("Privileges on columns not supported currently" + " in sql standard authorization mode"); } + if(!SUPPORTED_PRIVS_SET.contains(privilege.getName())){ + throw new HiveAuthorizationPluginException("Privilege: " + privilege.getName() + + " is not supported in sql standard authorization mode"); + } PrivilegeGrantInfo grantInfo = getThriftPrivilegeGrantInfo(privilege, grantorPrincipal, grantOption); for(HivePrincipal principal : hivePrincipals){ HiveObjectPrivilege objPriv = new HiveObjectPrivilege(privObj, principal.getName(), diff --git a/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/AuthorizationTestUtil.java b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/AuthorizationTestUtil.java new file mode 100644 index 0000000..45d1dd0 --- /dev/null +++ b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/AuthorizationTestUtil.java @@ -0,0 +1,71 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.parse.authorization; + +import java.io.Serializable; +import java.util.List; + +import junit.framework.Assert; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.ql.Context; +import org.apache.hadoop.hive.ql.exec.Task; +import org.apache.hadoop.hive.ql.metadata.Hive; +import org.apache.hadoop.hive.ql.parse.ASTNode; +import org.apache.hadoop.hive.ql.parse.DDLSemanticAnalyzer; +import org.apache.hadoop.hive.ql.parse.ParseDriver; +import org.apache.hadoop.hive.ql.parse.ParseUtils; +import org.apache.hadoop.hive.ql.plan.DDLWork; +import org.apache.hadoop.hive.ql.session.SessionState; + +public class AuthorizationTestUtil { + + public static DDLWork analyze(ASTNode ast, HiveConf conf, Hive db) throws Exception { + DDLSemanticAnalyzer analyzer = new DDLSemanticAnalyzer(conf, db); + SessionState.start(conf); + analyzer.analyze(ast, new Context(conf)); + List> rootTasks = analyzer.getRootTasks(); + return (DDLWork) inList(rootTasks).ofSize(1).get(0).getWork(); + } + + public static DDLWork analyze(String command, HiveConf conf, Hive db) throws Exception { + System.err.println("XXXXXXXXXXX 3 " + conf.getVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER)); + return analyze(parse(command), conf, db); + } + + private static ASTNode parse(String command) throws Exception { + return ParseUtils.findRootNonNullToken((new ParseDriver()).parse(command)); + } + + public static class ListSizeMatcher { + private final List list; + private ListSizeMatcher(List list) { + this.list = list; + } + private List ofSize(int size) { + Assert.assertEquals(list.toString(), size, list.size()); + return list; + } + } + + public static ListSizeMatcher inList(List list) { + return new ListSizeMatcher(list); + } + +} + diff --git a/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/ListSizeMatcher.java b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/ListSizeMatcher.java new file mode 100644 index 0000000..c6f182f --- /dev/null +++ b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/ListSizeMatcher.java @@ -0,0 +1,40 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.parse.authorization; + +import java.util.List; + +import junit.framework.Assert; + +public class ListSizeMatcher { + private final List list; + private ListSizeMatcher(List list) { + this.list = list; + } + + public List ofSize(int size) { + Assert.assertEquals(list.toString(), size, list.size()); + return list; + } + + + public static ListSizeMatcher inList(List list) { + return new ListSizeMatcher(list); + } +} + diff --git a/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/PrivilegesTestBase.java b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/PrivilegesTestBase.java new file mode 100644 index 0000000..93901ec --- /dev/null +++ b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/PrivilegesTestBase.java @@ -0,0 +1,56 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.parse.authorization; + +import junit.framework.Assert; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.metastore.api.PrincipalType; +import org.apache.hadoop.hive.ql.metadata.Hive; +import org.apache.hadoop.hive.ql.plan.DDLWork; +import org.apache.hadoop.hive.ql.plan.GrantDesc; +import org.apache.hadoop.hive.ql.plan.PrincipalDesc; +import org.apache.hadoop.hive.ql.plan.PrivilegeDesc; +import org.apache.hadoop.hive.ql.security.authorization.PrivilegeType; + +public class PrivilegesTestBase { + protected static final String DB = "default"; + protected static final String TABLE = "table1"; + protected static final String USER = "user1"; + + public static void grantUserTable(String privStr, PrivilegeType privType, HiveConf conf, Hive db) + throws Exception { + DDLWork work = AuthorizationTestUtil.analyze("GRANT " + privStr + " ON TABLE " + TABLE + " TO USER " + USER, conf, db); + GrantDesc grantDesc = work.getGrantDesc(); + Assert.assertNotNull("Grant should not be null", grantDesc); + + //check privileges + for(PrivilegeDesc privilege : ListSizeMatcher.inList(grantDesc.getPrivileges()).ofSize(1)) { + Assert.assertEquals(privType, privilege.getPrivilege().getPriv()); + } + + //check other parts + for(PrincipalDesc principal : ListSizeMatcher.inList(grantDesc.getPrincipals()).ofSize(1)) { + Assert.assertEquals(PrincipalType.USER, principal.getType()); + Assert.assertEquals(USER, principal.getName()); + } + Assert.assertTrue("Expected table", grantDesc.getPrivilegeSubjectDesc().getTable()); + Assert.assertEquals(TABLE, grantDesc.getPrivilegeSubjectDesc().getObject()); + } + +} diff --git a/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestHiveAuthorizationTaskFactory.java b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestHiveAuthorizationTaskFactory.java index 77148b8..ecf8457 100644 --- a/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestHiveAuthorizationTaskFactory.java +++ b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestHiveAuthorizationTaskFactory.java @@ -17,23 +17,18 @@ */ package org.apache.hadoop.hive.ql.parse.authorization; -import java.io.Serializable; import java.util.HashMap; -import java.util.List; import junit.framework.Assert; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.metastore.api.PrincipalType; import org.apache.hadoop.hive.ql.Context; -import org.apache.hadoop.hive.ql.exec.Task; import org.apache.hadoop.hive.ql.metadata.Hive; import org.apache.hadoop.hive.ql.metadata.Partition; import org.apache.hadoop.hive.ql.metadata.Table; -import org.apache.hadoop.hive.ql.parse.ASTNode; import org.apache.hadoop.hive.ql.parse.DDLSemanticAnalyzer; import org.apache.hadoop.hive.ql.parse.ParseDriver; -import org.apache.hadoop.hive.ql.parse.ParseUtils; import org.apache.hadoop.hive.ql.plan.DDLWork; import org.apache.hadoop.hive.ql.plan.GrantDesc; import org.apache.hadoop.hive.ql.plan.GrantRevokeRoleDDL; @@ -91,7 +86,7 @@ public void setup() throws Exception { */ @Test public void testCreateRole() throws Exception { - DDLWork work = analyze(parse("CREATE ROLE " + ROLE)); + DDLWork work = analyze("CREATE ROLE " + ROLE); RoleDDLDesc roleDesc = work.getRoleDDLDesc(); Assert.assertNotNull("Role should not be null", roleDesc); Assert.assertEquals(RoleOperation.CREATE_ROLE, roleDesc.getOperation()); @@ -103,7 +98,7 @@ public void testCreateRole() throws Exception { */ @Test public void testDropRole() throws Exception { - DDLWork work = analyze(parse("DROp ROLE " + ROLE)); + DDLWork work = analyze("DROp ROLE " + ROLE); RoleDDLDesc roleDesc = work.getRoleDDLDesc(); Assert.assertNotNull("Role should not be null", roleDesc); Assert.assertEquals(RoleOperation.DROP_ROLE, roleDesc.getOperation()); @@ -115,14 +110,14 @@ public void testDropRole() throws Exception { */ @Test public void testGrantUserTable() throws Exception { - DDLWork work = analyze(parse("GRANT " + SELECT + " ON TABLE " + TABLE + " TO USER " + USER)); + DDLWork work = analyze("GRANT " + SELECT + " ON TABLE " + TABLE + " TO USER " + USER); GrantDesc grantDesc = work.getGrantDesc(); Assert.assertNotNull("Grant should not be null", grantDesc); - for(PrincipalDesc principal : inList(grantDesc.getPrincipals()).ofSize(1)) { + for(PrincipalDesc principal : ListSizeMatcher.inList(grantDesc.getPrincipals()).ofSize(1)) { Assert.assertEquals(PrincipalType.USER, principal.getType()); Assert.assertEquals(USER, principal.getName()); } - for(PrivilegeDesc privilege : inList(grantDesc.getPrivileges()).ofSize(1)) { + for(PrivilegeDesc privilege : ListSizeMatcher.inList(grantDesc.getPrivileges()).ofSize(1)) { Assert.assertEquals(Privilege.SELECT, privilege.getPrivilege()); } Assert.assertTrue("Expected table", grantDesc.getPrivilegeSubjectDesc().getTable()); @@ -133,14 +128,14 @@ public void testGrantUserTable() throws Exception { */ @Test public void testGrantRoleTable() throws Exception { - DDLWork work = analyze(parse("GRANT " + SELECT + " ON TABLE " + TABLE + " TO ROLE " + ROLE)); + DDLWork work = analyze("GRANT " + SELECT + " ON TABLE " + TABLE + " TO ROLE " + ROLE); GrantDesc grantDesc = work.getGrantDesc(); Assert.assertNotNull("Grant should not be null", grantDesc); - for(PrincipalDesc principal : inList(grantDesc.getPrincipals()).ofSize(1)) { + for(PrincipalDesc principal : ListSizeMatcher.inList(grantDesc.getPrincipals()).ofSize(1)) { Assert.assertEquals(PrincipalType.ROLE, principal.getType()); Assert.assertEquals(ROLE, principal.getName()); } - for(PrivilegeDesc privilege : inList(grantDesc.getPrivileges()).ofSize(1)) { + for(PrivilegeDesc privilege : ListSizeMatcher.inList(grantDesc.getPrivileges()).ofSize(1)) { Assert.assertEquals(Privilege.SELECT, privilege.getPrivilege()); } Assert.assertTrue("Expected table", grantDesc.getPrivilegeSubjectDesc().getTable()); @@ -151,14 +146,14 @@ public void testGrantRoleTable() throws Exception { */ @Test public void testGrantGroupTable() throws Exception { - DDLWork work = analyze(parse("GRANT " + SELECT + " ON TABLE " + TABLE + " TO GROUP " + GROUP)); + DDLWork work = analyze("GRANT " + SELECT + " ON TABLE " + TABLE + " TO GROUP " + GROUP); GrantDesc grantDesc = work.getGrantDesc(); Assert.assertNotNull("Grant should not be null", grantDesc); - for(PrincipalDesc principal : inList(grantDesc.getPrincipals()).ofSize(1)) { + for(PrincipalDesc principal : ListSizeMatcher.inList(grantDesc.getPrincipals()).ofSize(1)) { Assert.assertEquals(PrincipalType.GROUP, principal.getType()); Assert.assertEquals(GROUP, principal.getName()); } - for(PrivilegeDesc privilege : inList(grantDesc.getPrivileges()).ofSize(1)) { + for(PrivilegeDesc privilege : ListSizeMatcher.inList(grantDesc.getPrivileges()).ofSize(1)) { Assert.assertEquals(Privilege.SELECT, privilege.getPrivilege()); } Assert.assertTrue("Expected table", grantDesc.getPrivilegeSubjectDesc().getTable()); @@ -169,14 +164,14 @@ public void testGrantGroupTable() throws Exception { */ @Test public void testRevokeUserTable() throws Exception { - DDLWork work = analyze(parse("REVOKE " + SELECT + " ON TABLE " + TABLE + " FROM USER " + USER)); + DDLWork work = analyze("REVOKE " + SELECT + " ON TABLE " + TABLE + " FROM USER " + USER); RevokeDesc grantDesc = work.getRevokeDesc(); Assert.assertNotNull("Revoke should not be null", grantDesc); - for(PrincipalDesc principal : inList(grantDesc.getPrincipals()).ofSize(1)) { + for(PrincipalDesc principal : ListSizeMatcher.inList(grantDesc.getPrincipals()).ofSize(1)) { Assert.assertEquals(PrincipalType.USER, principal.getType()); Assert.assertEquals(USER, principal.getName()); } - for(PrivilegeDesc privilege : inList(grantDesc.getPrivileges()).ofSize(1)) { + for(PrivilegeDesc privilege : ListSizeMatcher.inList(grantDesc.getPrivileges()).ofSize(1)) { Assert.assertEquals(Privilege.SELECT, privilege.getPrivilege()); } Assert.assertTrue("Expected table", grantDesc.getPrivilegeSubjectDesc().getTable()); @@ -187,14 +182,14 @@ public void testRevokeUserTable() throws Exception { */ @Test public void testRevokeRoleTable() throws Exception { - DDLWork work = analyze(parse("REVOKE " + SELECT + " ON TABLE " + TABLE + " FROM ROLE " + ROLE)); + DDLWork work = analyze("REVOKE " + SELECT + " ON TABLE " + TABLE + " FROM ROLE " + ROLE); RevokeDesc grantDesc = work.getRevokeDesc(); Assert.assertNotNull("Revoke should not be null", grantDesc); - for(PrincipalDesc principal : inList(grantDesc.getPrincipals()).ofSize(1)) { + for(PrincipalDesc principal : ListSizeMatcher.inList(grantDesc.getPrincipals()).ofSize(1)) { Assert.assertEquals(PrincipalType.ROLE, principal.getType()); Assert.assertEquals(ROLE, principal.getName()); } - for(PrivilegeDesc privilege : inList(grantDesc.getPrivileges()).ofSize(1)) { + for(PrivilegeDesc privilege : ListSizeMatcher.inList(grantDesc.getPrivileges()).ofSize(1)) { Assert.assertEquals(Privilege.SELECT, privilege.getPrivilege()); } Assert.assertTrue("Expected table", grantDesc.getPrivilegeSubjectDesc().getTable()); @@ -205,14 +200,14 @@ public void testRevokeRoleTable() throws Exception { */ @Test public void testRevokeGroupTable() throws Exception { - DDLWork work = analyze(parse("REVOKE " + SELECT + " ON TABLE " + TABLE + " FROM GROUP " + GROUP)); + DDLWork work = analyze("REVOKE " + SELECT + " ON TABLE " + TABLE + " FROM GROUP " + GROUP); RevokeDesc grantDesc = work.getRevokeDesc(); Assert.assertNotNull("Revoke should not be null", grantDesc); - for(PrincipalDesc principal : inList(grantDesc.getPrincipals()).ofSize(1)) { + for(PrincipalDesc principal : ListSizeMatcher.inList(grantDesc.getPrincipals()).ofSize(1)) { Assert.assertEquals(PrincipalType.GROUP, principal.getType()); Assert.assertEquals(GROUP, principal.getName()); } - for(PrivilegeDesc privilege : inList(grantDesc.getPrivileges()).ofSize(1)) { + for(PrivilegeDesc privilege : ListSizeMatcher.inList(grantDesc.getPrivileges()).ofSize(1)) { Assert.assertEquals(Privilege.SELECT, privilege.getPrivilege()); } Assert.assertTrue("Expected table", grantDesc.getPrivilegeSubjectDesc().getTable()); @@ -223,17 +218,17 @@ public void testRevokeGroupTable() throws Exception { */ @Test public void testGrantRoleUser() throws Exception { - DDLWork work = analyze(parse("GRANT ROLE " + ROLE + " TO USER " + USER)); + DDLWork work = analyze("GRANT ROLE " + ROLE + " TO USER " + USER); GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL(); Assert.assertNotNull("Grant should not be null", grantDesc); Assert.assertTrue("Expected grant ", grantDesc.getGrant()); Assert.assertTrue("Grant option is always true ", grantDesc.isGrantOption()); Assert.assertEquals(currentUser, grantDesc.getGrantor()); Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType()); - for(String role : inList(grantDesc.getRoles()).ofSize(1)) { + for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) { Assert.assertEquals(ROLE, role); } - for(PrincipalDesc principal : inList(grantDesc.getPrincipalDesc()).ofSize(1)) { + for(PrincipalDesc principal : ListSizeMatcher.inList(grantDesc.getPrincipalDesc()).ofSize(1)) { Assert.assertEquals(PrincipalType.USER, principal.getType()); Assert.assertEquals(USER, principal.getName()); } @@ -243,17 +238,17 @@ public void testGrantRoleUser() throws Exception { */ @Test public void testGrantRoleRole() throws Exception { - DDLWork work = analyze(parse("GRANT ROLE " + ROLE + " TO ROLE " + ROLE)); + DDLWork work = analyze("GRANT ROLE " + ROLE + " TO ROLE " + ROLE); GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL(); Assert.assertNotNull("Grant should not be null", grantDesc); Assert.assertTrue("Expected grant ", grantDesc.getGrant()); Assert.assertTrue("Grant option is always true ", grantDesc.isGrantOption()); Assert.assertEquals(currentUser, grantDesc.getGrantor()); Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType()); - for(String role : inList(grantDesc.getRoles()).ofSize(1)) { + for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) { Assert.assertEquals(ROLE, role); } - for(PrincipalDesc principal : inList(grantDesc.getPrincipalDesc()).ofSize(1)) { + for(PrincipalDesc principal : ListSizeMatcher.inList(grantDesc.getPrincipalDesc()).ofSize(1)) { Assert.assertEquals(PrincipalType.ROLE, principal.getType()); Assert.assertEquals(ROLE, principal.getName()); } @@ -263,17 +258,17 @@ public void testGrantRoleRole() throws Exception { */ @Test public void testGrantRoleGroup() throws Exception { - DDLWork work = analyze(parse("GRANT ROLE " + ROLE + " TO GROUP " + GROUP)); + DDLWork work = analyze("GRANT ROLE " + ROLE + " TO GROUP " + GROUP); GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL(); Assert.assertNotNull("Grant should not be null", grantDesc); Assert.assertTrue("Expected grant ", grantDesc.getGrant()); Assert.assertTrue("Grant option is always true ", grantDesc.isGrantOption()); Assert.assertEquals(currentUser, grantDesc.getGrantor()); Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType()); - for(String role : inList(grantDesc.getRoles()).ofSize(1)) { + for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) { Assert.assertEquals(ROLE, role); } - for(PrincipalDesc principal : inList(grantDesc.getPrincipalDesc()).ofSize(1)) { + for(PrincipalDesc principal : ListSizeMatcher.inList(grantDesc.getPrincipalDesc()).ofSize(1)) { Assert.assertEquals(PrincipalType.GROUP, principal.getType()); Assert.assertEquals(GROUP, principal.getName()); } @@ -283,17 +278,17 @@ public void testGrantRoleGroup() throws Exception { */ @Test public void testRevokeRoleUser() throws Exception { - DDLWork work = analyze(parse("REVOKE ROLE " + ROLE + " FROM USER " + USER)); + DDLWork work = analyze("REVOKE ROLE " + ROLE + " FROM USER " + USER); GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL(); Assert.assertNotNull("Grant should not be null", grantDesc); Assert.assertFalse("Did not expect grant ", grantDesc.getGrant()); Assert.assertTrue("Grant option is always true ", grantDesc.isGrantOption()); Assert.assertEquals(currentUser, grantDesc.getGrantor()); Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType()); - for(String role : inList(grantDesc.getRoles()).ofSize(1)) { + for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) { Assert.assertEquals(ROLE, role); } - for(PrincipalDesc principal : inList(grantDesc.getPrincipalDesc()).ofSize(1)) { + for(PrincipalDesc principal : ListSizeMatcher.inList(grantDesc.getPrincipalDesc()).ofSize(1)) { Assert.assertEquals(PrincipalType.USER, principal.getType()); Assert.assertEquals(USER, principal.getName()); } @@ -303,17 +298,17 @@ public void testRevokeRoleUser() throws Exception { */ @Test public void testRevokeRoleRole() throws Exception { - DDLWork work = analyze(parse("REVOKE ROLE " + ROLE + " FROM ROLE " + ROLE)); + DDLWork work = analyze("REVOKE ROLE " + ROLE + " FROM ROLE " + ROLE); GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL(); Assert.assertNotNull("Grant should not be null", grantDesc); Assert.assertFalse("Did not expect grant ", grantDesc.getGrant()); Assert.assertTrue("Grant option is always true ", grantDesc.isGrantOption()); Assert.assertEquals(currentUser, grantDesc.getGrantor()); Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType()); - for(String role : inList(grantDesc.getRoles()).ofSize(1)) { + for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) { Assert.assertEquals(ROLE, role); } - for(PrincipalDesc principal : inList(grantDesc.getPrincipalDesc()).ofSize(1)) { + for(PrincipalDesc principal : ListSizeMatcher.inList(grantDesc.getPrincipalDesc()).ofSize(1)) { Assert.assertEquals(PrincipalType.ROLE, principal.getType()); Assert.assertEquals(ROLE, principal.getName()); } @@ -323,17 +318,17 @@ public void testRevokeRoleRole() throws Exception { */ @Test public void testRevokeRoleGroup() throws Exception { - DDLWork work = analyze(parse("REVOKE ROLE " + ROLE + " FROM GROUP " + GROUP)); + DDLWork work = analyze("REVOKE ROLE " + ROLE + " FROM GROUP " + GROUP); GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL(); Assert.assertNotNull("Grant should not be null", grantDesc); Assert.assertFalse("Did not expect grant ", grantDesc.getGrant()); Assert.assertTrue("Grant option is always true ", grantDesc.isGrantOption()); Assert.assertEquals(currentUser, grantDesc.getGrantor()); Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType()); - for(String role : inList(grantDesc.getRoles()).ofSize(1)) { + for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) { Assert.assertEquals(ROLE, role); } - for(PrincipalDesc principal : inList(grantDesc.getPrincipalDesc()).ofSize(1)) { + for(PrincipalDesc principal : ListSizeMatcher.inList(grantDesc.getPrincipalDesc()).ofSize(1)) { Assert.assertEquals(PrincipalType.GROUP, principal.getType()); Assert.assertEquals(GROUP, principal.getName()); } @@ -343,7 +338,7 @@ public void testRevokeRoleGroup() throws Exception { */ @Test public void testShowRoleGrantUser() throws Exception { - DDLWork work = analyze(parse("SHOW ROLE GRANT USER " + USER)); + DDLWork work = analyze("SHOW ROLE GRANT USER " + USER); RoleDDLDesc roleDesc = work.getRoleDDLDesc(); Assert.assertNotNull("Role should not be null", roleDesc); Assert.assertEquals(RoleOperation.SHOW_ROLE_GRANT, roleDesc.getOperation()); @@ -355,7 +350,7 @@ public void testShowRoleGrantUser() throws Exception { */ @Test public void testShowRoleGrantRole() throws Exception { - DDLWork work = analyze(parse("SHOW ROLE GRANT ROLE " + ROLE)); + DDLWork work = analyze("SHOW ROLE GRANT ROLE " + ROLE); RoleDDLDesc roleDesc = work.getRoleDDLDesc(); Assert.assertNotNull("Role should not be null", roleDesc); Assert.assertEquals(RoleOperation.SHOW_ROLE_GRANT, roleDesc.getOperation()); @@ -367,7 +362,7 @@ public void testShowRoleGrantRole() throws Exception { */ @Test public void testShowRoleGrantGroup() throws Exception { - DDLWork work = analyze(parse("SHOW ROLE GRANT GROUP " + GROUP)); + DDLWork work = analyze("SHOW ROLE GRANT GROUP " + GROUP); RoleDDLDesc roleDesc = work.getRoleDDLDesc(); Assert.assertNotNull("Role should not be null", roleDesc); Assert.assertEquals(RoleOperation.SHOW_ROLE_GRANT, roleDesc.getOperation()); @@ -379,7 +374,7 @@ public void testShowRoleGrantGroup() throws Exception { */ @Test public void testShowGrantUserOnTable() throws Exception { - DDLWork work = analyze(parse("SHOW GRANT USER " + USER + " ON TABLE " + TABLE)); + DDLWork work = analyze("SHOW GRANT USER " + USER + " ON TABLE " + TABLE); ShowGrantDesc grantDesc = work.getShowGrantDesc(); Assert.assertNotNull("Show grant should not be null", grantDesc); Assert.assertEquals(PrincipalType.USER, grantDesc.getPrincipalDesc().getType()); @@ -393,7 +388,7 @@ public void testShowGrantUserOnTable() throws Exception { */ @Test public void testShowGrantRoleOnTable() throws Exception { - DDLWork work = analyze(parse("SHOW GRANT ROLE " + ROLE + " ON TABLE " + TABLE)); + DDLWork work = analyze("SHOW GRANT ROLE " + ROLE + " ON TABLE " + TABLE); ShowGrantDesc grantDesc = work.getShowGrantDesc(); Assert.assertNotNull("Show grant should not be null", grantDesc); Assert.assertEquals(PrincipalType.ROLE, grantDesc.getPrincipalDesc().getType()); @@ -407,7 +402,7 @@ public void testShowGrantRoleOnTable() throws Exception { */ @Test public void testShowGrantGroupOnTable() throws Exception { - DDLWork work = analyze(parse("SHOW GRANT GROUP " + GROUP + " ON TABLE " + TABLE)); + DDLWork work = analyze("SHOW GRANT GROUP " + GROUP + " ON TABLE " + TABLE); ShowGrantDesc grantDesc = work.getShowGrantDesc(); Assert.assertNotNull("Show grant should not be null", grantDesc); Assert.assertEquals(PrincipalType.GROUP, grantDesc.getPrincipalDesc().getType()); @@ -416,26 +411,10 @@ public void testShowGrantGroupOnTable() throws Exception { Assert.assertEquals(TABLE, grantDesc.getHiveObj().getObject()); Assert.assertTrue("Expected table", grantDesc.getHiveObj().getTable()); } - private ASTNode parse(String command) throws Exception { - return ParseUtils.findRootNonNullToken(parseDriver.parse(command)); - } - private DDLWork analyze(ASTNode ast) throws Exception { - analyzer.analyze(ast, context); - List> rootTasks = analyzer.getRootTasks(); - return (DDLWork) inList(rootTasks).ofSize(1).get(0).getWork(); - } - private static class ListSizeMatcher { - private final List list; - private ListSizeMatcher(List list) { - this.list = list; - } - private List ofSize(int size) { - Assert.assertEquals(list.toString(), size, list.size()); - return list; - } - } - private static ListSizeMatcher inList(List list) { - return new ListSizeMatcher(list); + private DDLWork analyze(String command) throws Exception { + return AuthorizationTestUtil.analyze(command, conf, db); } + + } diff --git a/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestPrivilegesV1.java b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestPrivilegesV1.java new file mode 100644 index 0000000..fd827ad --- /dev/null +++ b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestPrivilegesV1.java @@ -0,0 +1,94 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.parse.authorization; + +import java.util.HashMap; + +import junit.framework.Assert; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.ql.metadata.Hive; +import org.apache.hadoop.hive.ql.metadata.Partition; +import org.apache.hadoop.hive.ql.metadata.Table; +import org.apache.hadoop.hive.ql.security.authorization.PrivilegeType; +import org.apache.hadoop.hive.ql.session.SessionState; +import org.junit.Before; +import org.junit.Test; +import org.mockito.Mockito; + +public class TestPrivilegesV1 extends PrivilegesTestBase{ + + private HiveConf conf; + private Hive db; + private Table table; + private Partition partition; + + @Before + public void setup() throws Exception { + conf = new HiveConf(); + db = Mockito.mock(Hive.class); + table = new Table(DB, TABLE); + partition = new Partition(table); + SessionState.start(conf); + Mockito.when(db.getTable(DB, TABLE, false)).thenReturn(table); + Mockito.when(db.getPartition(table, new HashMap(), false)) + .thenReturn(partition); + } + + /** + * Check acceptable privileges in grant statement + * @return + * @throws Exception + */ + @Test + public void testPrivInGrant() throws Exception{ + grantUserTable("all", PrivilegeType.ALL); + grantUserTable("update", PrivilegeType.ALTER_DATA); + grantUserTable("alter", PrivilegeType.ALTER_METADATA); + grantUserTable("create", PrivilegeType.CREATE); + grantUserTable("drop", PrivilegeType.DROP); + grantUserTable("index", PrivilegeType.INDEX); + grantUserTable("lock", PrivilegeType.LOCK); + grantUserTable("select", PrivilegeType.SELECT); + grantUserTable("show_database", PrivilegeType.SHOW_DATABASE); + } + + /** + * Check acceptable privileges in grant statement + * @return + * @throws Exception + */ + @Test + public void testPrivInGrantNotAccepted() throws Exception{ + grantUserTableFail("insert"); + grantUserTableFail("delete"); + } + + private void grantUserTableFail(String privName) { + try{ + grantUserTable(privName, PrivilegeType.UNKNOWN); + Assert.fail("Exception expected"); + }catch(Exception e){ + + } + } + + private void grantUserTable(String privName, PrivilegeType privType) throws Exception { + grantUserTable(privName, privType, conf, db); + } +} diff --git a/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestPrivilegesV2.java b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestPrivilegesV2.java new file mode 100644 index 0000000..9499986 --- /dev/null +++ b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestPrivilegesV2.java @@ -0,0 +1,72 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.parse.authorization; + +import java.util.HashMap; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.ql.metadata.Hive; +import org.apache.hadoop.hive.ql.metadata.Partition; +import org.apache.hadoop.hive.ql.metadata.Table; +import org.apache.hadoop.hive.ql.security.authorization.PrivilegeType; +import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +import org.apache.hadoop.hive.ql.session.SessionState; +import org.junit.Before; +import org.junit.Test; +import org.mockito.Mockito; + +public class TestPrivilegesV2 extends PrivilegesTestBase{ + + private HiveConf conf; + private Hive db; + private Table table; + private Partition partition; + + @Before + public void setup() throws Exception { + conf = new HiveConf(); + //set authorization mode to V2 + conf.setVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER, + SQLStdHiveAuthorizerFactory.class.getName()); + db = Mockito.mock(Hive.class); + table = new Table(DB, TABLE); + SessionState.start(conf); + Mockito.when(db.getTable(DB, TABLE, false)).thenReturn(table); + Mockito.when(db.getPartition(table, new HashMap(), false)) + .thenReturn(partition); + } + + /** + * Check acceptable privileges in grant statement + * @return + * @throws Exception + */ + @Test + public void testPrivInGrant() throws Exception{ + grantUserTable("select", PrivilegeType.SELECT); + grantUserTable("insert", PrivilegeType.INSERT); + grantUserTable("delete", PrivilegeType.DELETE); + grantUserTable("update", PrivilegeType.ALTER_DATA); + grantUserTable("all", PrivilegeType.ALL); + } + + private void grantUserTable(String privName, PrivilegeType privType) throws Exception { + grantUserTable(privName, privType, conf, db); + } + +} diff --git a/ql/src/test/queries/clientnegative/authorization_invalid_priv_v1.q b/ql/src/test/queries/clientnegative/authorization_invalid_priv_v1.q new file mode 100644 index 0000000..2a1da23 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_invalid_priv_v1.q @@ -0,0 +1,6 @@ +create table if not exists authorization_invalid_v1 (key int, value string); +grant delete on table authorization_invalid_v1 to user hive_test_user; +drop table authorization_invalid_v1; + + + diff --git a/ql/src/test/queries/clientnegative/authorization_invalid_priv_v2.q b/ql/src/test/queries/clientnegative/authorization_invalid_priv_v2.q new file mode 100644 index 0000000..be6a4e8 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_invalid_priv_v2.q @@ -0,0 +1,5 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; + +create table if not exists authorization_invalid_v2 (key int, value string); +grant index on table authorization_invalid_v2 to user hive_test_user; +drop table authorization_invalid_v2; diff --git a/ql/src/test/results/clientnegative/authorization_invalid_priv_v1.q.out b/ql/src/test/results/clientnegative/authorization_invalid_priv_v1.q.out new file mode 100644 index 0000000..431f16e --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_invalid_priv_v1.q.out @@ -0,0 +1,6 @@ +PREHOOK: query: create table if not exists authorization_invalid_v1 (key int, value string) +PREHOOK: type: CREATETABLE +POSTHOOK: query: create table if not exists authorization_invalid_v1 (key int, value string) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: default@authorization_invalid_v1 +FAILED: SemanticException undefined privilege 731 diff --git a/ql/src/test/results/clientnegative/authorization_invalid_priv_v2.q.out b/ql/src/test/results/clientnegative/authorization_invalid_priv_v2.q.out new file mode 100644 index 0000000..dde4cd4 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_invalid_priv_v2.q.out @@ -0,0 +1,9 @@ +PREHOOK: query: create table if not exists authorization_invalid_v2 (key int, value string) +PREHOOK: type: CREATETABLE +POSTHOOK: query: create table if not exists authorization_invalid_v2 (key int, value string) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: default@authorization_invalid_v2 +PREHOOK: query: grant index on table authorization_invalid_v2 to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@authorization_invalid_v2 +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Privilege: INDEX is not supported in sql standard authorization mode