Index: hcatalog/core/src/main/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java =================================================================== --- hcatalog/core/src/main/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java (revision 1565355) +++ hcatalog/core/src/main/java/org/apache/hcatalog/security/HdfsAuthorizationProvider.java (working copy) @@ -23,6 +23,7 @@ import java.io.FileNotFoundException; import java.io.IOException; +import java.util.Arrays; import java.util.EnumSet; import java.util.List; @@ -35,6 +36,7 @@ import org.apache.hadoop.fs.Path; import org.apache.hadoop.fs.permission.FsAction; import org.apache.hadoop.fs.permission.FsPermission; +import org.apache.hadoop.hdfs.DFSConfigKeys; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.metastore.Warehouse; import org.apache.hadoop.hive.metastore.api.Database; @@ -302,6 +304,16 @@ final EnumSet actions, String user, String[] groups) throws IOException, AccessControlException { + if (groups != null) { + List groupList = Arrays.asList(groups); + String superGroupName = getSuperGroupName(fs.getConf()); + if (userBelongsToSuperGroup(superGroupName, groupList)) { + LOG.info("User \"" + user + "\" belongs to super-group \"" + superGroupName + "\". " + + "Permission granted for actions: (" + actions + ")."); + return; + } + } + final FileStatus stat; try { @@ -335,4 +347,13 @@ + path + " for user " + user); } } + + private static String getSuperGroupName(Configuration configuration) { + return configuration.get(DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_KEY, ""); + } + + private static boolean userBelongsToSuperGroup(String superGroupName, List groups) { + return groups.contains(superGroupName); + } + } Index: ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java =================================================================== --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java (revision 1565355) +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java (working copy) @@ -26,12 +26,15 @@ import javax.security.auth.login.LoginException; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.FileStatus; import org.apache.hadoop.fs.FileSystem; import org.apache.hadoop.fs.Path; import org.apache.hadoop.fs.permission.FsAction; import org.apache.hadoop.fs.permission.FsPermission; +import org.apache.hadoop.hdfs.DFSConfigKeys; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.metastore.HiveMetaStore.HMSHandler; import org.apache.hadoop.hive.metastore.Warehouse; @@ -66,6 +69,8 @@ private Warehouse wh; private boolean isRunFromMetaStore = false; + private static Log LOG = LogFactory.getLog(StorageBasedAuthorizationProvider.class); + /** * Make sure that the warehouse variable is set up properly. * @throws MetaException if unable to instantiate @@ -300,6 +305,13 @@ final EnumSet actions, String user, List groups) throws IOException, AccessControlException { + String superGroupName = getSuperGroupName(fs.getConf()); + if (userBelongsToSuperGroup(superGroupName, groups)) { + LOG.info("User \"" + user + "\" belongs to super-group \"" + superGroupName + "\". " + + "Permission granted for actions: (" + actions + ")."); + return; + } + final FileStatus stat; try { @@ -334,6 +346,14 @@ } } + private static String getSuperGroupName(Configuration configuration) { + return configuration.get(DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_KEY, ""); + } + + private static boolean userBelongsToSuperGroup(String superGroupName, List groups) { + return groups.contains(superGroupName); + } + protected Path getDbLocation(Database db) throws HiveException { try { initWh();