Index: ql/src/test/results/clientnegative/authorization_fail_7.q.out =================================================================== --- ql/src/test/results/clientnegative/authorization_fail_7.q.out (revision 1567206) +++ ql/src/test/results/clientnegative/authorization_fail_7.q.out (working copy) @@ -25,7 +25,7 @@ PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user hive_test_user POSTHOOK: type: SHOW_ROLE_GRANT -hive_test_role_fail -1 hive_test_user USER true -1 hive_test_user +hive_test_role_fail -1 hive_test_user USER false -1 hive_test_user PUBLIC -1 false -1 PREHOOK: query: show grant role hive_test_role_fail on table authorization_fail PREHOOK: type: SHOW_GRANT Index: ql/src/test/results/clientpositive/authorization_view.q.out =================================================================== --- ql/src/test/results/clientpositive/authorization_view.q.out (revision 1567206) +++ ql/src/test/results/clientpositive/authorization_view.q.out (working copy) @@ -155,7 +155,7 @@ PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user hive_test_user POSTHOOK: type: SHOW_ROLE_GRANT -src_role -1 hive_test_user USER true -1 hive_test_user +src_role -1 hive_test_user USER false -1 hive_test_user PUBLIC -1 false -1 PREHOOK: query: --column grant to role Index: ql/src/test/results/clientpositive/authorization_1.q.out =================================================================== --- ql/src/test/results/clientpositive/authorization_1.q.out (revision 1567206) +++ ql/src/test/results/clientpositive/authorization_1.q.out (working copy) 
@@ -267,7 +267,7 @@ PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user hive_test_user POSTHOOK: type: SHOW_ROLE_GRANT -src_role -1 hive_test_user USER true -1 hive_test_user +src_role -1 hive_test_user USER false -1 hive_test_user PUBLIC -1 false -1 PREHOOK: query: --column grant to role Index: ql/src/test/results/clientpositive/authorization_role_grant1.q.out =================================================================== --- ql/src/test/results/clientpositive/authorization_role_grant1.q.out (revision 1567206) +++ ql/src/test/results/clientpositive/authorization_role_grant1.q.out (working copy) @@ -61,13 +61,13 @@ PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user2 POSTHOOK: type: SHOW_ROLE_GRANT -src_role_wadmin -1 user2 USER false -1 hive_test_user +src_role_wadmin -1 user2 USER true -1 hive_test_user PUBLIC -1 false -1 PREHOOK: query: -- revoke role without role keyword -revoke src_role_wadmin from user user2 with admin option +revoke src_role_wadmin from user user2 PREHOOK: type: REVOKE_ROLE POSTHOOK: query: -- revoke role without role keyword -revoke src_role_wadmin from user user2 with admin option +revoke src_role_wadmin from user user2 POSTHOOK: type: REVOKE_ROLE PREHOOK: query: show role grant user user2 PREHOOK: type: SHOW_ROLE_GRANT Index: ql/src/test/results/clientpositive/authorization_5.q.out =================================================================== --- ql/src/test/results/clientpositive/authorization_5.q.out (revision 1567206) +++ ql/src/test/results/clientpositive/authorization_5.q.out (working copy) 
@@ -38,7 +38,7 @@ PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: SHOW ROLE GRANT USER hive_test_user POSTHOOK: type: SHOW_ROLE_GRANT -db_test_role -1 hive_test_user USER true -1 hive_test_user +db_test_role -1 hive_test_user USER false -1 hive_test_user PUBLIC -1 false -1 PREHOOK: query: GRANT drop ON DATABASE test_db TO ROLE db_test_role PREHOOK: type: GRANT_PRIVILEGE Index: ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestHiveAuthorizationTaskFactory.java =================================================================== --- ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestHiveAuthorizationTaskFactory.java (revision 1567206) +++ ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestHiveAuthorizationTaskFactory.java (working copy) @@ -222,7 +222,7 @@ GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL(); Assert.assertNotNull("Grant should not be null", grantDesc); Assert.assertTrue("Expected grant ", grantDesc.getGrant()); - Assert.assertTrue("Grant option is always true ", grantDesc.isGrantOption()); + Assert.assertFalse("With admin option is not specified", grantDesc.isGrantOption()); Assert.assertEquals(currentUser, grantDesc.getGrantor()); Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType()); for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) { @@ -242,7 +242,7 @@ GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL(); Assert.assertNotNull("Grant should not be null", grantDesc); Assert.assertTrue("Expected grant ", grantDesc.getGrant()); - Assert.assertTrue("Grant option is always true ", grantDesc.isGrantOption()); + Assert.assertFalse("With admin option is not specified", grantDesc.isGrantOption()); Assert.assertEquals(currentUser, grantDesc.getGrantor()); Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType()); for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) { 
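Review bot: None of the updated assertions covers the case this commit introduces, a statement that carries WITH ADMIN OPTION, so nothing visible in this test class pins `isGrantOption()` to true. The same one-line change repeats in the hunks at -242, -262, -282, -302 and -322, and all six assert only the "not specified" case. A companion test for at least one grant should parse a statement that includes the admin option and check `Assert.assertTrue("With admin option is specified", grantDesc.isGrantOption());`. Without it, a regression that silently drops or always sets the flag on a role grant would pass this suite. The enclosing test methods start and end outside the hunks, so an existing positive case elsewhere in the file cannot be ruled out.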
@@ -262,7 +262,7 @@
 GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL();
 Assert.assertNotNull("Grant should not be null", grantDesc);
 Assert.assertTrue("Expected grant ", grantDesc.getGrant());
- Assert.assertTrue("Grant option is always true ", grantDesc.isGrantOption());
+ Assert.assertFalse("With admin option is not specified", grantDesc.isGrantOption());
 Assert.assertEquals(currentUser, grantDesc.getGrantor());
 Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType());
 for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) {
@@ -282,7 +282,7 @@
 GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL();
 Assert.assertNotNull("Grant should not be null", grantDesc);
 Assert.assertFalse("Did not expect grant ", grantDesc.getGrant());
- Assert.assertTrue("Grant option is always true ", grantDesc.isGrantOption());
+ Assert.assertFalse("With admin option is not specified", grantDesc.isGrantOption());
 Assert.assertEquals(currentUser, grantDesc.getGrantor());
 Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType());
 for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) {
@@ -302,7 +302,7 @@
 GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL();
 Assert.assertNotNull("Grant should not be null", grantDesc);
 Assert.assertFalse("Did not expect grant ", grantDesc.getGrant());
- Assert.assertTrue("Grant option is always true ", grantDesc.isGrantOption());
+ Assert.assertFalse("With admin option is not specified", grantDesc.isGrantOption());
 Assert.assertEquals(currentUser, grantDesc.getGrantor());
 Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType());
 for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) {
@@ -322,7 +322,7 @@ GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL(); Assert.assertNotNull("Grant should not be null", grantDesc); Assert.assertFalse("Did not expect grant ", grantDesc.getGrant()); - Assert.assertTrue("Grant option is always true ", grantDesc.isGrantOption()); + Assert.assertFalse("With admin option is not specified", grantDesc.isGrantOption()); Assert.assertEquals(currentUser, grantDesc.getGrantor()); Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType()); for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) { Index: ql/src/test/queries/clientpositive/authorization_role_grant1.q =================================================================== --- ql/src/test/queries/clientpositive/authorization_role_grant1.q (revision 1567206) +++ ql/src/test/queries/clientpositive/authorization_role_grant1.q (working copy) @@ -21,7 +21,7 @@ show role grant user user2; -- revoke role without role keyword -revoke src_role_wadmin from user user2 with admin option; +revoke src_role_wadmin from user user2; show role grant user user2; Index: ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java =================================================================== --- ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java (revision 1567206) +++ ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java (working copy) @@ -236,9 +236,10 @@ //check if admin option has been specified int rolesStartPos = 1; ASTNode wAdminOption = (ASTNode) ast.getChild(1); + boolean isAdmin = false; if(wAdminOption.getToken().getType() == HiveParser.TOK_GRANT_WITH_ADMIN_OPTION){ rolesStartPos = 2; //start reading role names from next postion - //TODO: use the admin option + isAdmin = true; } List roles = new ArrayList(); 
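Review bot: In the -236 hunk of HiveAuthorizationTaskFactoryImpl.java, `isAdmin = true;` is set whenever the admin-option token is present, whether the statement is a GRANT or a REVOKE. The next hunk passes the same flag to `GrantRevokeRoleDDL` together with `isGrant`, so both kinds of statement flow through this code. Whether a revoke with the flag set removes only the admin option or the whole role membership is decided outside this diff. The accompanying .q change drops `with admin option` from the revoke statement instead of testing it, so that case is now unexercised. Consider a comment at the assignment such as `// also reached for REVOKE ... WITH ADMIN OPTION; confirm the executor revokes only the admin option in that case`, or reject the option on revoke until its semantics are defined. The enclosing method starts and ends outside the hunk.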
@@ -253,8 +254,8 @@ } //until change is made to use the admin option. Default to false with V2 authorization - boolean isAdmin = SessionState.get().isAuthorizationModeV2() ? false : true; + GrantRevokeRoleDDL grantRevokeRoleDDL = new GrantRevokeRoleDDL(isGrant, roles, principalDesc, roleOwnerName, PrincipalType.USER, isAdmin); return TaskFactory.get(new DDLWork(inputs, outputs, grantRevokeRoleDDL), conf); Index: ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java =================================================================== --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java (revision 1567206) +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java (working copy) @@ -56,7 +56,6 @@ public class SQLStdHiveAccessController implements HiveAccessController { private final HiveMetastoreClientFactory metastoreClientFactory; - private final HiveConf conf; private final HiveAuthenticationProvider authenticator; private String currentUserName; private List currentRoles; @@ -65,7 +64,6 @@ SQLStdHiveAccessController(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, HiveAuthenticationProvider authenticator) throws HiveAuthzPluginException { this.metastoreClientFactory = metastoreClientFactory; - this.conf = conf; this.authenticator = authenticator; initUserRoles(); }
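Review bot: In the -253 hunk, the context comment `//until change is made to use the admin option. Default to false with V2 authorization` is left above the line being deleted, so it now describes logic that no longer exists. Either delete it or replace it with something accurate, for example `// isAdmin is true only when WITH ADMIN OPTION was parsed above`. The removed expression `isAuthorizationModeV2() ? false : true` made every role grant under the legacy authorization mode carry the admin option. This change therefore tightens the default for existing deployments as well, which is worth stating in the commit message or release notes so operators know that grantees no longer receive admin rights implicitly. The enclosing method starts outside the hunk.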