diff --git itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java
index 9ad5986..7ec5e25 100644
--- itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java
+++ itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java
@@ -589,7 +589,9 @@ public void clearTestSideEffects() throws Exception {
 List roleNames = db.getAllRoleNames();
 for (String roleName : roleNames) {
- db.dropRole(roleName);
+ if (!"PUBLIC".equals(roleName)) {
+ db.dropRole(roleName);
+ }
 }
 // allocate and initialize a new conf since a test can
 // modify conf by using 'set' commands
diff --git metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
index 2d8e483..c8598c7 100644
--- metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
+++ metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
@@ -171,6 +171,7 @@
 */
 private static final int DEFAULT_HIVE_METASTORE_PORT = 9083;
 public static final String ADMIN = "ADMIN";
+ public static final String PUBLIC = "PUBLIC";
 private static HadoopThriftAuthBridge.Server saslServer;
 private static boolean useSasl;
@@ -196,7 +197,7 @@ public TTransport getTransport(TTransport trans) {
 IHMSHandler {
 public static final Log LOG = HiveMetaStore.LOG;
 private static boolean createDefaultDB = false;
- private static boolean adminCreated = false;
+ private static boolean defaultRolesCreated = false;
 private String rawStoreClassName;
 private final HiveConf hiveConf; // stores datastore (jpox) properties,
 // right now they come from jpox.properties
@@ -351,7 +352,7 @@ private boolean init() throws MetaException {
 synchronized (HMSHandler.class) {
 createDefaultDB();
- createAdminRoleNAddUsers();
+ createDefaultRolesNAddUsers();
 }
 if (hiveConf.getBoolean("hive.metastore.metrics.enabled", false)) {
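Review bot: The cleanup loop compares against the string literal `"PUBLIC"` while the same commit introduces `HiveMetaStore.PUBLIC` for exactly this value; if the itests module already depends on the metastore module (likely, since `db.dropRole` ends up as a metastore call — worth confirming), `if (!HiveMetaStore.PUBLIC.equals(roleName)) {` keeps the test harness in step with the server should the reserved name ever change. The comparison is exact and case-sensitive, as are the new guards in HiveMetaStore; if role names are case-folded anywhere in the store, a differently-cased entry returned by `db.getAllRoleNames()` would not be skipped here and `dropRole` would then hit the server-side rejection. clearTestSideEffects continues outside the hunk.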
@@ -474,9 +475,9 @@ private void createDefaultDB() throws MetaException {
 }
 }
- private void createAdminRoleNAddUsers() throws MetaException {
+ private void createDefaultRolesNAddUsers() throws MetaException {
- if(adminCreated) {
+ if(defaultRolesCreated) {
 LOG.debug("Admin role already created previously.");
 return;
 }
@@ -497,13 +498,14 @@ private void createAdminRoleNAddUsers() throws MetaException {
 RawStore ms = getMS();
 try {
 ms.addRole(ADMIN, ADMIN);
+ ms.addRole(PUBLIC, PUBLIC);
 } catch (InvalidObjectException e) {
- LOG.debug("admin role already exists",e);
+ LOG.debug("default role already exists",e);
 } catch (NoSuchObjectException e) {
 // This should never be thrown.
- LOG.warn("Unexpected exception while adding ADMIN role" , e);
+ LOG.warn("Unexpected exception while adding default roles" , e);
 }
- LOG.info("Added admin role in metastore");
+ LOG.info("Added default role in metastore");
 // now grant all privs to admin
 PrivilegeBag privs = new PrivilegeBag();
 privs.addToPrivileges(new HiveObjectPrivilege( new HiveObjectRef(HiveObjectType.GLOBAL, null,
@@ -553,7 +555,7 @@ private void createAdminRoleNAddUsers() throws MetaException {
 LOG.debug(userName + " already in admin role", e);
 }
 }
- adminCreated = true;
+ defaultRolesCreated = true;
 }
 private void logInfo(String m) {
@@ -3674,7 +3676,10 @@ public boolean grant_role(final String roleName, final String grantor,
 final PrincipalType grantorType, final boolean grantOption)
 throws MetaException, TException {
 incrementCounter("add_role_member");
-
+ if (PUBLIC.equals(roleName)) {
+ throw new MetaException("No user can be added to " + PUBLIC +". Since all users implictly"
+ + " belong to " + PUBLIC + " role.");
+ }
 Boolean ret = null;
 try {
 RawStore ms = getMS();
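Review bot: The early-return log right after the renamed `if(defaultRolesCreated)` check still says `"Admin role already created previously."`, although the flag now covers both the ADMIN and the PUBLIC role; `LOG.debug("Default roles already created previously.");` matches the rename. createDefaultRolesNAddUsers continues past the end of the hunk.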
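Review bot: `ms.addRole(PUBLIC, PUBLIC)` shares one try block with `ms.addRole(ADMIN, ADMIN)`, so on a metastore that already has ADMIN (any upgraded installation, or a second handler init) the InvalidObjectException from the first call skips the second and PUBLIC is never persisted; list_roles will then report PUBLIC for every principal while get_role_names does not know the role, and a privilege granted to role PUBLIC has no stored role to attach to (the latter depends on RawStore.grantPrivileges, which is not visible here). Giving each role its own try/catch, as below, makes creation idempotent per role, and the `LOG.debug("default role already exists",e)` and `LOG.warn(... "default roles" ...)` messages can then name the role concerned instead of the generic wording. The hunk ends inside the admin privilege-grant setup, which continues below.
```java
    RawStore ms = getMS();
    for (String defaultRole : new String[] { ADMIN, PUBLIC }) {
      try {
        ms.addRole(defaultRole, defaultRole);
      } catch (InvalidObjectException e) {
        LOG.debug(defaultRole + " role already exists", e);
      } catch (NoSuchObjectException e) {
        // This should never be thrown.
        LOG.warn("Unexpected exception while adding " + defaultRole + " role", e);
      }
    }
    LOG.info("Added default roles in metastore");
    // … unchanged: grant all privileges to ADMIN …
```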
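Review bot: The reserved-name guard inserted before `Boolean ret = null;` is repeated with only the message changed in create_role and drop_role (the next hunks) and in revoke_role (the hunk after those), so a single private helper along the lines of `checkNotPublicRole(roleName, "granted")` would keep the four checks and their wording identical. The throw on this hunk also misspells `implictly` (the typo is echoed into the new authorize_grant_public.q.out and, for create_role, authorization_public_create.q.out expectations, which would need the same correction); `"... Since all users implicitly belong to " + PUBLIC + " role."` reads correctly. All four guards are exact, case-sensitive comparisons; whether the RawStore compares role names case-insensitively is not visible in this diff, and if it does, a differently-cased name would pass the guard while naming the same stored role, so the helper is the right place to normalise. grant_role continues outside the hunk.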
@@ -3723,10 +3728,8 @@ private boolean isNewRoleAParent(String newRole, String curRole) throws MetaExce
 final PrincipalType principalType) throws MetaException, TException {
 incrementCounter("list_roles");
- List ret = null;
+ List result = new ArrayList();
 try {
-
- List result = new ArrayList();
 List roleMap = getMS().listRoles(principalName, principalType);
 if (roleMap != null) {
 for (MRoleMap role : roleMap) {
@@ -3735,14 +3738,14 @@ private boolean isNewRoleAParent(String newRole, String curRole) throws MetaExce
 .getCreateTime(), r.getOwnerName()));
 }
 }
- ret = result;
+ // all users by default belongs to public role
+ result.add(new Role(PUBLIC,0,PUBLIC));
+ return result;
 } catch (MetaException e) {
 throw e;
 } catch (Exception e) {
 throw new RuntimeException(e);
 }
-
- return ret;
 }
 @Override
@@ -3750,6 +3753,9 @@ public boolean create_role(final Role role)
 throws MetaException, TException {
 incrementCounter("create_role");
+ if (PUBLIC.equals(role.getRoleName())) {
+ throw new MetaException(PUBLIC + " role implictly exists. It can't be created.");
+ }
 Boolean ret = null;
 try {
 ret = getMS().addRole(role.getRoleName(), role.getOwnerName());
@@ -3765,7 +3771,9 @@ public boolean create_role(final Role role)
 public boolean drop_role(final String roleName)
 throws MetaException, TException {
 incrementCounter("drop_role");
-
+ if (PUBLIC.equals(roleName)) {
+ throw new MetaException(PUBLIC + " role can't be dropped.");
+ }
 Boolean ret = null;
 try {
 ret = getMS().removeRole(roleName);
@@ -3784,19 +3792,18 @@ public boolean drop_role(final String roleName)
 List ret = null;
 try {
 ret = getMS().listRoleNames();
+ return ret;
 } catch (MetaException e) {
 throw e;
 } catch (Exception e) {
 throw new RuntimeException(e);
 }
- return ret;
 }
 @Override
 public boolean grant_privileges(final PrivilegeBag privileges)
 throws MetaException, TException {
 incrementCounter("grant_privileges");
-
 Boolean ret = null;
 try {
 ret = getMS().grantPrivileges(privileges);
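Review bot: `result.add(new Role(PUBLIC,0,PUBLIC))` appends PUBLIC unconditionally, so a store that already holds an explicit PUBLIC membership — possible for grants made before grant_role started rejecting the name in this commit — would list the role twice for that principal; skipping MRoleMap entries whose role name is PUBLIC in the loop above (its start is outside the hunk) keeps the listing single-valued. The synthetic entry also carries create time 0 and owner PUBLIC, which will not match whatever `ms.addRole(PUBLIC, PUBLIC)` persists, so a comment such as `// synthetic entry: create time and owner are placeholders, not the stored values` would stop callers relying on those fields. The new comment should read `// all users by default belong to the public role`. Only the listing reflects implicit membership here; whether privilege checks actually consult PUBLIC's grants is not shown in this diff.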
@@ -3813,6 +3820,9 @@ public boolean revoke_role(final String roleName, final String userName,
 final PrincipalType principalType) throws MetaException, TException {
 incrementCounter("remove_role_member");
+ if (PUBLIC.equals(roleName)) {
+ throw new MetaException(PUBLIC + " role can't be revoked.");
+ }
 Boolean ret = null;
 try {
 RawStore ms = getMS();
@@ -3830,7 +3840,6 @@ public boolean revoke_role(final String roleName, final String userName,
 public boolean revoke_privileges(final PrivilegeBag privileges)
 throws MetaException, TException {
 incrementCounter("revoke_privileges");
-
 Boolean ret = null;
 try {
 ret = getMS().revokePrivileges(privileges);
diff --git ql/src/test/queries/clientnegative/authorization_public_create.q ql/src/test/queries/clientnegative/authorization_public_create.q
new file mode 100644
index 0000000..002389f
--- /dev/null
+++ ql/src/test/queries/clientnegative/authorization_public_create.q
@@ -0,0 +1 @@
+create role PUBLIC;
diff --git ql/src/test/queries/clientnegative/authorization_public_drop.q ql/src/test/queries/clientnegative/authorization_public_drop.q
new file mode 100644
index 0000000..69c5a8d
--- /dev/null
+++ ql/src/test/queries/clientnegative/authorization_public_drop.q
@@ -0,0 +1 @@
+drop role PUBLIC;
diff --git ql/src/test/queries/clientnegative/authorize_grant_public.q ql/src/test/queries/clientnegative/authorize_grant_public.q
new file mode 100644
index 0000000..bfd3165
--- /dev/null
+++ ql/src/test/queries/clientnegative/authorize_grant_public.q
@@ -0,0 +1 @@
+grant role PUBLIC to user hive_test_user;
diff --git ql/src/test/queries/clientnegative/authorize_revoke_public.q ql/src/test/queries/clientnegative/authorize_revoke_public.q
new file mode 100644
index 0000000..2b29822
--- /dev/null
+++ ql/src/test/queries/clientnegative/authorize_revoke_public.q
@@ -0,0 +1 @@
+revoke role PUBLIC from user hive_test_user;
diff --git ql/src/test/results/clientnegative/authorization_fail_7.q.out ql/src/test/results/clientnegative/authorization_fail_7.q.out
index 7bfb6e6..1f72cff 100644
--- ql/src/test/results/clientnegative/authorization_fail_7.q.out
+++ ql/src/test/results/clientnegative/authorization_fail_7.q.out
@@ -26,6 +26,7 @@ PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: show role grant user hive_test_user
 POSTHOOK: type: SHOW_ROLE_GRANT
 hive_test_role_fail
+PUBLIC
 PREHOOK: query: show grant role hive_test_role_fail on table authorization_fail
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant role hive_test_role_fail on table authorization_fail
diff --git ql/src/test/results/clientnegative/authorization_public_create.q.out ql/src/test/results/clientnegative/authorization_public_create.q.out
new file mode 100644
index 0000000..bccdc53
--- /dev/null
+++ ql/src/test/results/clientnegative/authorization_public_create.q.out
@@ -0,0 +1,4 @@
+PREHOOK: query: create role PUBLIC
+PREHOOK: type: CREATEROLE
+Error in role operation create_role on role name PUBLIC, error message MetaException(message:PUBLIC role implictly exists. It can't be created.)
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask
diff --git ql/src/test/results/clientnegative/authorization_public_drop.q.out ql/src/test/results/clientnegative/authorization_public_drop.q.out
new file mode 100644
index 0000000..9e9cdd3
--- /dev/null
+++ ql/src/test/results/clientnegative/authorization_public_drop.q.out
@@ -0,0 +1,4 @@
+PREHOOK: query: drop role PUBLIC
+PREHOOK: type: DROPROLE
+Error in role operation drop_role on role name PUBLIC, error message MetaException(message:PUBLIC role can't be dropped.)
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask
diff --git ql/src/test/results/clientnegative/authorize_grant_public.q.out ql/src/test/results/clientnegative/authorize_grant_public.q.out
new file mode 100644
index 0000000..dae4331
--- /dev/null
+++ ql/src/test/results/clientnegative/authorize_grant_public.q.out
@@ -0,0 +1,3 @@
+PREHOOK: query: grant role PUBLIC to user hive_test_user
+PREHOOK: type: GRANT_ROLE
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:No user can be added to PUBLIC. Since all users implictly belong to PUBLIC role.)
diff --git ql/src/test/results/clientnegative/authorize_revoke_public.q.out ql/src/test/results/clientnegative/authorize_revoke_public.q.out
new file mode 100644
index 0000000..cff88ca
--- /dev/null
+++ ql/src/test/results/clientnegative/authorize_revoke_public.q.out
@@ -0,0 +1,3 @@
+PREHOOK: query: revoke role PUBLIC from user hive_test_user
+PREHOOK: type: REVOKE_ROLE
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:PUBLIC role can't be revoked.)
diff --git ql/src/test/results/clientpositive/authorization_1.q.out ql/src/test/results/clientpositive/authorization_1.q.out
index 3391bcd..58ec8ec 100644
--- ql/src/test/results/clientpositive/authorization_1.q.out
+++ ql/src/test/results/clientpositive/authorization_1.q.out
@@ -294,6 +294,7 @@ PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: show role grant user hive_test_user
 POSTHOOK: type: SHOW_ROLE_GRANT
 src_role
+PUBLIC
 PREHOOK: query: --column grant to role
 grant select(key) on table src_autho_test to role src_role
diff --git ql/src/test/results/clientpositive/authorization_1_sql_std.q.out ql/src/test/results/clientpositive/authorization_1_sql_std.q.out
index a0b1ce0..e7d4b90 100644
--- ql/src/test/results/clientpositive/authorization_1_sql_std.q.out
+++ ql/src/test/results/clientpositive/authorization_1_sql_std.q.out
@@ -49,6 +49,7 @@ PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: show role grant user hive_test_user
 POSTHOOK: type: SHOW_ROLE_GRANT
 src_role
+PUBLIC
 PREHOOK: query: --table grant to role
diff --git ql/src/test/results/clientpositive/authorization_5.q.out ql/src/test/results/clientpositive/authorization_5.q.out
index 3aeaeca..e4914c9 100644
--- ql/src/test/results/clientpositive/authorization_5.q.out
+++ ql/src/test/results/clientpositive/authorization_5.q.out
@@ -49,6 +49,7 @@ PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: SHOW ROLE GRANT USER hive_test_user
 POSTHOOK: type: SHOW_ROLE_GRANT
 db_test_role
+PUBLIC
 PREHOOK: query: GRANT drop ON DATABASE test_db TO ROLE db_test_role
 PREHOOK: type: GRANT_PRIVILEGE
 POSTHOOK: query: GRANT drop ON DATABASE test_db TO ROLE db_test_role
diff --git ql/src/test/results/clientpositive/authorization_role_grant1.q.out ql/src/test/results/clientpositive/authorization_role_grant1.q.out
index 981060f..61271cc 100644
--- ql/src/test/results/clientpositive/authorization_role_grant1.q.out
+++ ql/src/test/results/clientpositive/authorization_role_grant1.q.out
@@ -17,12 +17,14 @@ PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: show role grant user user2
 POSTHOOK: type: SHOW_ROLE_GRANT
 src_role2
+PUBLIC
 PREHOOK: query: show roles
 PREHOOK: type: SHOW_ROLES
 POSTHOOK: query: show roles
 POSTHOOK: type: SHOW_ROLES
 src_role2
+PUBLIC
 PREHOOK: query: -- revoke role without role keyword
 revoke src_role2 from user user2
@@ -34,11 +36,14 @@ PREHOOK: query: show role grant user user2
 PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: show role grant user user2
 POSTHOOK: type: SHOW_ROLE_GRANT
+PUBLIC
+
 PREHOOK: query: show roles
 PREHOOK: type: SHOW_ROLES
 POSTHOOK: query: show roles
 POSTHOOK: type: SHOW_ROLES
 src_role2
+PUBLIC
 PREHOOK: query: ---------------------------------------- -- role granting without role keyword, with admin option (syntax check)
@@ -61,6 +66,7 @@ PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: show role grant user user2
 POSTHOOK: type: SHOW_ROLE_GRANT
 src_role_wadmin
+PUBLIC
 PREHOOK: query: -- revoke role without role keyword
 revoke src_role_wadmin from user user2 with admin option
@@ -72,6 +78,8 @@ PREHOOK: query: show role grant user user2
 PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: show role grant user user2
 POSTHOOK: type: SHOW_ROLE_GRANT
+PUBLIC
+
 PREHOOK: query: -- drop roles
 show roles
 PREHOOK: type: SHOW_ROLES
@@ -80,6 +88,7 @@ show roles
 POSTHOOK: type: SHOW_ROLES
 src_role2
 src_role_wadmin
+PUBLIC
 PREHOOK: query: drop role src_role2
 PREHOOK: type: DROPROLE
@@ -90,6 +99,7 @@ PREHOOK: type: SHOW_ROLES
 POSTHOOK: query: show roles
 POSTHOOK: type: SHOW_ROLES
 src_role_wadmin
+PUBLIC
 PREHOOK: query: drop role src_role_wadmin
 PREHOOK: type: DROPROLE
@@ -99,3 +109,5 @@ PREHOOK: query: show roles
 PREHOOK: type: SHOW_ROLES
 POSTHOOK: query: show roles
 POSTHOOK: type: SHOW_ROLES
+PUBLIC
+
diff --git ql/src/test/results/clientpositive/authorization_view.q.out ql/src/test/results/clientpositive/authorization_view.q.out
index e74be93..67db101 100644
--- ql/src/test/results/clientpositive/authorization_view.q.out
+++ ql/src/test/results/clientpositive/authorization_view.q.out
@@ -180,6 +180,7 @@ PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: show role grant user hive_test_user
 POSTHOOK: type: SHOW_ROLE_GRANT
 src_role
+PUBLIC
 PREHOOK: query: --column grant to role
 grant select(key) on view src_autho_test to role src_role