diff --git common/src/java/org/apache/hadoop/hive/conf/HiveConf.java common/src/java/org/apache/hadoop/hive/conf/HiveConf.java index ec1f09e..fca3ac3 100644 --- common/src/java/org/apache/hadoop/hive/conf/HiveConf.java +++ common/src/java/org/apache/hadoop/hive/conf/HiveConf.java @@ -135,7 +135,8 @@ HiveConf.ConfVars.HMSHANDLERFORCERELOADCONF, HiveConf.ConfVars.METASTORE_PARTITION_NAME_WHITELIST_PATTERN, HiveConf.ConfVars.METASTORE_DISALLOW_INCOMPATIBLE_COL_TYPE_CHANGES, - HiveConf.ConfVars.USERS_IN_ADMIN_ROLE + HiveConf.ConfVars.USERS_IN_ADMIN_ROLE, + HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER }; /** diff --git itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java index 9b2e219..ca43932 100644 --- itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java +++ itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java @@ -267,7 +267,7 @@ public void initConf() throws Exception { (new Path(dfsUriString, "/build/ql/test/data/warehouse/")).toString()); } - + // Windows paths should be converted after MiniMrShim.setupConfiguration() // since setupConfiguration may overwrite configuration values. if (Shell.WINDOWS) { @@ -330,12 +330,12 @@ public static MiniClusterType valueForString(String type) { } } - public QTestUtil(String outDir, String logDir, MiniClusterType clusterType, String hadoopVer) + public QTestUtil(String outDir, String logDir, MiniClusterType clusterType, String hadoopVer) throws Exception { this(outDir, logDir, clusterType, null, hadoopVer); } - public QTestUtil(String outDir, String logDir, MiniClusterType clusterType, + public QTestUtil(String outDir, String logDir, MiniClusterType clusterType, String confDir, String hadoopVer) throws Exception { this.outDir = outDir; 
@@ -589,7 +589,7 @@ public void clearTestSideEffects() throws Exception { List roleNames = db.getAllRoleNames(); for (String roleName : roleNames) { - if (!"PUBLIC".equals(roleName)) { + if (!"PUBLIC".equalsIgnoreCase(roleName) && !"ADMIN".equalsIgnoreCase(roleName)) { db.dropRole(roleName); } } @@ -1376,7 +1376,7 @@ private static int executeCmd(String[] args) throws Exception { } private static int executeCmd(Collection args, String outFile, String errFile) throws Exception { - String[] cmdArray = (String[]) args.toArray(new String[args.size()]); + String[] cmdArray = args.toArray(new String[args.size()]); return executeCmd(cmdArray, outFile, errFile); } @@ -1520,6 +1520,7 @@ public QTRunner(QTestUtil qt, String fname) { this.fname = fname; } + @Override public void run() { try { // assumption is that environment has already been cleaned once globally diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java index f27fc65..f6f7e4a 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java @@ -47,5 +47,4 @@ public HiveAccessControlException(String msg, Throwable cause){ public HiveAccessControlException(Throwable cause){ super(cause); } - } diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java index 03ac770..474d43c 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java 
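Review bot: In QTestUtil.clearTestSideEffects the reserved role names are spelled as string literals, while SQLStdHiveAccessController.isUserAdmin in this same commit compares against `HiveMetaStore.ADMIN`; if the two ever diverge, test cleanup would drop the admin role between tests. Consider `!HiveMetaStore.ADMIN.equalsIgnoreCase(roleName)` here, assuming QTestUtil can import HiveMetaStore (its import block is outside the hunk). The method body starts and ends outside the hunk.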
@@ -62,7 +62,14 @@ void revokeRole(List hivePrincipals, List roles, boolean List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException, HiveAccessControlException; - void setCurrentRole(String roleName) throws HiveAuthzPluginException; + void setCurrentRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException; List getCurrentRoles() throws HiveAuthzPluginException; + + /** + * @param principal + * @return true only if current role of user is Admin + * @throws HiveAuthzPluginException + */ + boolean isUserAdmin(HivePrincipal principal) throws HiveAuthzPluginException; } diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java index c50a78b..4ca3960 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java @@ -160,13 +160,12 @@ void checkPrivileges(HiveOperationType hiveOpType, List inp List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException, HiveAccessControlException; - void setCurrentRole(String roleName) throws HiveAuthzPluginException; + void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException; List getCurrentRoles() throws HiveAuthzPluginException; + + boolean isUserAdmin(HivePrincipal principal) throws HiveAuthzPluginException; //other functions to be added - //showUsersInRole(rolename) - //isSuperuser(username) - - } 
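Review bot: The Javadoc added for HiveAccessController.isUserAdmin leaves `@param principal` empty and speaks of the "current role of user", and the one implementation in this commit (SQLStdHiveAccessController.isUserAdmin) never reads `principal`; it answers from the session's current roles. A caller that passes some other principal would get the session user's answer, which is a risky shape for an authorization predicate. Either document the restriction, e.g. `@param principal must be the current session user; other principals are not looked up`, or have implementations reject a principal whose name differs from the session user. HiveAuthorizer.isUserAdmin in the next file is added with no Javadoc at all and should carry the same contract.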
diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java index 67b2ba1..674a2d7 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java @@ -105,7 +105,7 @@ public VERSION getVersion() { } @Override - public void setCurrentRole(String roleName) throws HiveAuthzPluginException { + public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException { accessController.setCurrentRole(roleName); } @@ -114,9 +114,11 @@ public void setCurrentRole(String roleName) throws HiveAuthzPluginException { return accessController.getCurrentRoles(); } - + @Override + public boolean isUserAdmin(HivePrincipal principal) throws HiveAuthzPluginException { + return accessController.isUserAdmin(principal); + } // other access control functions - // void validateAuthority(HiveAction, inputs, outputs){ // authValidator.validateAuthority(HiveAction, inputs, outputs); // } diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java index c4e8801..8a53682 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java 
@@ -42,6 +42,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; @@ -220,7 +221,12 @@ public void revokePrivileges(List hivePrincipals, @Override public void createRole(String roleName, HivePrincipal adminGrantor) - throws HiveAuthzPluginException { + throws HiveAuthzPluginException, HiveAccessControlException { + // only user belonging to admin role can create new roles. + if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) { + throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + + " allowed to add roles. Only users belonging to admin role can add new roles."); + } try { String grantorName = adminGrantor == null ? null : adminGrantor.getName(); metastoreClientFactory.getHiveMetastoreClient().create_role( 
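Review bot: The admin gate added at the top of createRole is copied, with slightly different message text, into dropRole, grantRole, revokeRole and getAllRoles in the later hunks of this file; five hand-maintained copies of an access check are easy to let drift or to forget on the next role operation. A private helper that takes the action name keeps the check and the denial message in one place. The wording then becomes uniform, so the expected messages in the clientnegative .q.out files would need regenerating. createRole's body continues outside the hunk.

```java
  // Single admin gate shared by createRole, dropRole, grantRole, revokeRole and getAllRoles.
  private void requireAdminRole(String action)
      throws HiveAuthzPluginException, HiveAccessControlException {
    if (!isUserAdmin(new HivePrincipal(currentUserName, HivePrincipalType.USER))) {
      throw new HiveAccessControlException("Current user : " + currentUserName
          + " is not allowed to " + action + ". Only users belonging to admin role can "
          + action + ".");
    }
  }

  @Override
  public void createRole(String roleName, HivePrincipal adminGrantor)
      throws HiveAuthzPluginException, HiveAccessControlException {
    requireAdminRole("add roles");
    // … unchanged: create_role call on the metastore client …
```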
@@ -231,7 +237,12 @@ public void createRole(String roleName, HivePrincipal adminGrantor) } @Override - public void dropRole(String roleName) throws HiveAuthzPluginException { + public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { + // only user belonging to admin role can drop existing role + if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) { + throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + + " allowed to drop role. Only users belonging to admin role can drop roles."); + } try { metastoreClientFactory.getHiveMetastoreClient().drop_role(roleName); } catch (Exception e) { @@ -257,7 +268,12 @@ public void dropRole(String roleName) throws HiveAuthzPluginException { @Override public void grantRole(List hivePrincipals, List roleNames, - boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException { + boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, + HiveAccessControlException { + if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) { + throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + + " allowed to grant role. Currently only users belonging to admin role can grant roles."); + } for (HivePrincipal hivePrincipal : hivePrincipals) { for (String roleName : roleNames) { try { 
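Review bot: The denial text in dropRole says only users "belonging to admin role" may drop roles, but the gate is isUserAdmin, which (later in this file) looks at the session's current roles rather than membership. The expected output added for authorization_drop_role_no_admin.q shows the effect: hive_admin_user, listed in hive.users.in.admin.role, is refused after `set role NONE` with a message implying the user is not an admin. Wording such as `" allowed to drop role. Only users whose current role is admin can drop roles."` would tell an operator what to do; the same applies to the messages in createRole, grantRole, revokeRole and getAllRoles.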
@@ -279,11 +295,16 @@ public void grantRole(List hivePrincipals, List roleNames @Override public void revokeRole(List hivePrincipals, List roleNames, - boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException { + boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, + HiveAccessControlException { if (grantOption) { // removing grant privileges only is not supported in metastore api throw new HiveAuthzPluginException("Revoking only the admin privileges on " - + "role is not currently supported"); + + "role is not currently supported"); + } + if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) { + throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + + " allowed to revoke role. Currently only users belonging to admin role can revoke roles."); } for (HivePrincipal hivePrincipal : hivePrincipals) { for (String roleName : roleNames) { @@ -301,7 +322,12 @@ public void revokeRole(List hivePrincipals, List roleName } @Override - public List getAllRoles() throws HiveAuthzPluginException { + public List getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException { + // only user belonging to admin role can list role + if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) { + throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + + " allowed to list roles. Only users belonging to admin role can list roles."); + } try { return metastoreClientFactory.getHiveMetastoreClient().listRoleNames(); } catch (Exception e) { 
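Review bot: In revokeRole the admin check is placed after the `if (grantOption)` guard, so a caller who is not in the admin role and passes the admin option gets HiveAuthzPluginException ("not currently supported") instead of HiveAccessControlException. Running the authorization check first keeps every refused caller on the same exception type, which matters if callers or audit logging distinguish access denials from plugin errors (not visible here). Moving the `if (!this.isUserAdmin(...)) { throw ... }` block above `if (grantOption) {` is enough. The method body continues outside the hunk.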
@@ -370,7 +396,8 @@ private HivePrivilegeObjectType getPluginObjType(HiveObjectType objectType) } @Override - public void setCurrentRole(String roleName) throws HiveAuthzPluginException { + public void setCurrentRole(String roleName) throws HiveAccessControlException, + HiveAuthzPluginException { if ("NONE".equalsIgnoreCase(roleName)) { // for set role NONE, reset roles to default roles. @@ -393,7 +420,7 @@ public void setCurrentRole(String roleName) throws HiveAuthzPluginException { return; } // If we are here it means, user is requesting a role he doesn't belong to. - throw new HiveAuthzPluginException(currentUserName +" doesn't belong to role " + throw new HiveAccessControlException(currentUserName +" doesn't belong to role " +roleName); } @@ -402,4 +429,20 @@ public void setCurrentRole(String roleName) throws HiveAuthzPluginException { initUserRoles(); return currentRoles; } + + @Override + public boolean isUserAdmin(HivePrincipal principal) throws HiveAuthzPluginException { + List roles; + try { + roles = getCurrentRoles(); + } catch (Exception e) { + throw new HiveAuthzPluginException(e); + } + for (HiveRole role : roles){ + if (role.getRoleName().equalsIgnoreCase(HiveMetaStore.ADMIN)) { + return true; + } + } + return false; + } } diff --git ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q new file mode 100644 index 0000000..ff4294f --- /dev/null +++ ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q @@ -0,0 +1,3 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +-- this test will fail because hive_test_user is not in admin role. +create role r1; diff --git ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q new file mode 100644 index 0000000..80346d4 
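Review bot: The `catch (Exception e)` in SQLStdHiveAccessController.isUserAdmin re-wraps what getCurrentRoles() already declares as HiveAuthzPluginException and also converts any unchecked exception into one, so the original failure ends up one cause-level deeper for no gain. Iterating directly, `for (HiveRole role : getCurrentRoles()) {`, drops the try/catch and the extra local.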
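Review bot: Negative tests are added for `create role`, `drop role` and `show roles`, but nothing in this commit exercises the new admin gate on `grant role` or `revoke role` for a caller whose current role is not admin. Those two paths change who can hand out role membership, so they are the ones most worth pinning. A clientnegative case shaped like authorization_drop_role_no_admin.q (create the role as admin, `set role NONE;`, then `grant role r1 to user user2;`) would cover grantRole, and a matching one would cover revokeRole.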
--- /dev/null +++ ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q @@ -0,0 +1,10 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set user.name=hive_admin_user; +set role ADMIN; +show current roles; +create role r1; +set role NONE; +show current roles; +drop role r1; diff --git ql/src/test/queries/clientnegative/authorization_role_cycles1.q ql/src/test/queries/clientnegative/authorization_role_cycles1.q index c083e2d..dd39383 100644 --- ql/src/test/queries/clientnegative/authorization_role_cycles1.q +++ ql/src/test/queries/clientnegative/authorization_role_cycles1.q @@ -1,8 +1,12 @@ +set hive.users.in.admin.role=hive_admin_user; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set user.name=hive_admin_user; +set role ADMIN; -- this is applicable to any security mode as check is in metastore create role role1; create role role2; grant role role1 to role role2; -- this will create a cycle -grant role role2 to role role1; \ No newline at end of file +grant role role2 to role role1; diff --git ql/src/test/queries/clientnegative/authorization_role_cycles2.q ql/src/test/queries/clientnegative/authorization_role_cycles2.q index bfc07d0..aebdce9 100644 --- ql/src/test/queries/clientnegative/authorization_role_cycles2.q +++ ql/src/test/queries/clientnegative/authorization_role_cycles2.q 
@@ -1,4 +1,9 @@ +set hive.users.in.admin.role=hive_admin_user; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; + +set user.name=hive_admin_user; +set role ADMIN; -- this is applicable to any security mode as check is in metastore create role role1; diff --git ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q new file mode 100644 index 0000000..c16d840 --- /dev/null +++ ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q @@ -0,0 +1,3 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +-- This test will fail because hive_test_user is not in admin role +show roles; diff --git ql/src/test/queries/clientpositive/authorization_1_sql_std.q ql/src/test/queries/clientpositive/authorization_1_sql_std.q index 44d73fc..553b662 100644 --- ql/src/test/queries/clientpositive/authorization_1_sql_std.q +++ ql/src/test/queries/clientpositive/authorization_1_sql_std.q @@ -1,9 +1,12 @@ +set hive.users.in.admin.role=hive_admin_user; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set user.name=hive_admin_user; create table src_autho_test (key STRING, value STRING) ; set hive.security.authorization.enabled=true; - +set role ADMIN; --table grant to user grant select on table src_autho_test to user user_sauth; 
@@ -30,4 +33,4 @@ revoke select on table src_autho_test from role src_role; drop role src_role; set hive.security.authorization.enabled=false; -drop table src_autho_test; \ No newline at end of file +drop table src_autho_test; diff --git ql/src/test/queries/clientpositive/authorization_role_grant1.q ql/src/test/queries/clientpositive/authorization_role_grant1.q index ca5ef46..845e5de 100644 --- ql/src/test/queries/clientpositive/authorization_role_grant1.q +++ ql/src/test/queries/clientpositive/authorization_role_grant1.q @@ -1,7 +1,11 @@ +set hive.users.in.admin.role=hive_admin_user; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; --- enable sql standard authorization +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set user.name=hive_admin_user; +-- enable sql standard authorization -- role granting without role keyword +set role ADMIN; create role src_role2; grant src_role2 to user user2 ; show role grant user user2; diff --git ql/src/test/queries/clientpositive/authorization_set_show_current_role.q ql/src/test/queries/clientpositive/authorization_set_show_current_role.q index 1ff8192..7fe8e29 100644 --- ql/src/test/queries/clientpositive/authorization_set_show_current_role.q +++ ql/src/test/queries/clientpositive/authorization_set_show_current_role.q @@ -1,9 +1,12 @@ +set hive.users.in.admin.role=hive_admin_user; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; - +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set user.name=hive_admin_user; +set role ADMIN; show current roles; create role r1; -grant role r1 to user hive_test_user; +grant role r1 to user hive_admin_user; set role r1; show current roles; 
@@ -13,5 +16,6 @@ show current roles; set role NONE; show current roles; +set role ADMIN; drop role r1; diff --git ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out new file mode 100644 index 0000000..10e66b7 --- /dev/null +++ ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out @@ -0,0 +1,4 @@ +PREHOOK: query: -- this test will fail because hive_test_user is not in admin role. +create role r1 +PREHOOK: type: CREATEROLE +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_test_user is not allowed to add roles. Only users belonging to admin role can add new roles. diff --git ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out new file mode 100644 index 0000000..f4eda9e --- /dev/null +++ ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out @@ -0,0 +1,27 @@ +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: show current roles +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: show current roles +POSTHOOK: type: SHOW_ROLES +ADMIN + +PREHOOK: query: create role r1 +PREHOOK: type: CREATEROLE +POSTHOOK: query: create role r1 +POSTHOOK: type: CREATEROLE +PREHOOK: query: set role NONE +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role NONE +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: show current roles +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: show current roles +POSTHOOK: type: SHOW_ROLES +PUBLIC + +PREHOOK: query: drop role r1 +PREHOOK: type: DROPROLE +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_admin_user is not allowed to drop role. Only users belonging to admin role can drop roles. 
diff --git ql/src/test/results/clientnegative/authorization_role_cycles1.q.out ql/src/test/results/clientnegative/authorization_role_cycles1.q.out index da9014d..704b7b1 100644 --- ql/src/test/results/clientnegative/authorization_role_cycles1.q.out +++ ql/src/test/results/clientnegative/authorization_role_cycles1.q.out @@ -1,3 +1,7 @@ +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES PREHOOK: query: -- this is applicable to any security mode as check is in metastore create role role1 PREHOOK: type: CREATEROLE diff --git ql/src/test/results/clientnegative/authorization_role_cycles2.q.out ql/src/test/results/clientnegative/authorization_role_cycles2.q.out index f54b88e..03348a8 100644 --- ql/src/test/results/clientnegative/authorization_role_cycles2.q.out +++ ql/src/test/results/clientnegative/authorization_role_cycles2.q.out @@ -1,3 +1,7 @@ +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES PREHOOK: query: -- this is applicable to any security mode as check is in metastore create role role1 diff --git ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out new file mode 100644 index 0000000..d9c167f --- /dev/null +++ ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out @@ -0,0 +1,4 @@ +PREHOOK: query: -- This test will fail because hive_test_user is not in admin role +show roles +PREHOOK: type: SHOW_ROLES +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_test_user is not allowed to list roles. Only users belonging to admin role can list roles. 
diff --git ql/src/test/results/clientpositive/authorization_1_sql_std.q.out ql/src/test/results/clientpositive/authorization_1_sql_std.q.out index 8184708..9d08027 100644 --- ql/src/test/results/clientpositive/authorization_1_sql_std.q.out +++ ql/src/test/results/clientpositive/authorization_1_sql_std.q.out @@ -3,6 +3,10 @@ PREHOOK: type: CREATETABLE POSTHOOK: query: create table src_autho_test (key STRING, value STRING) POSTHOOK: type: CREATETABLE POSTHOOK: Output: default@src_autho_test +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES PREHOOK: query: --table grant to user grant select on table src_autho_test to user user_sauth @@ -17,7 +21,7 @@ PREHOOK: query: show grant user user_sauth on table src_autho_test PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user user_sauth on table src_autho_test POSTHOOK: type: SHOW_GRANT -default src_autho_test user_sauth USER SELECT false -1 hive_test_user +default src_autho_test user_sauth USER SELECT false -1 hive_admin_user PREHOOK: query: revoke select on table src_autho_test from user user_sauth PREHOOK: type: REVOKE_PRIVILEGE PREHOOK: Output: default@src_autho_test @@ -42,7 +46,7 @@ PREHOOK: query: show role grant user user_sauth PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user_sauth POSTHOOK: type: SHOW_ROLE_GRANT -src_role -1 user_sauth USER false -1 hive_test_user +src_role -1 user_sauth USER false -1 hive_admin_user PUBLIC -1 false -1 PREHOOK: query: --table grant to role 
@@ -58,7 +62,7 @@ PREHOOK: query: show grant role src_role on table src_autho_test PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant role src_role on table src_autho_test POSTHOOK: type: SHOW_GRANT -default src_autho_test src_role ROLE SELECT false -1 hive_test_user +default src_autho_test src_role ROLE SELECT false -1 hive_admin_user PREHOOK: query: revoke select on table src_autho_test from role src_role PREHOOK: type: REVOKE_PRIVILEGE PREHOOK: Output: default@src_autho_test diff --git ql/src/test/results/clientpositive/authorization_role_grant1.q.out ql/src/test/results/clientpositive/authorization_role_grant1.q.out index e11b7e1..bcc9b04 100644 --- ql/src/test/results/clientpositive/authorization_role_grant1.q.out +++ ql/src/test/results/clientpositive/authorization_role_grant1.q.out @@ -1,12 +1,14 @@ PREHOOK: query: -- enable sql standard authorization - -- role granting without role keyword -create role src_role2 -PREHOOK: type: CREATEROLE +set role ADMIN +PREHOOK: type: SHOW_ROLES POSTHOOK: query: -- enable sql standard authorization - -- role granting without role keyword -create role src_role2 +set role ADMIN +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: create role src_role2 +PREHOOK: type: CREATEROLE +POSTHOOK: query: create role src_role2 POSTHOOK: type: CREATEROLE PREHOOK: query: grant src_role2 to user user2 PREHOOK: type: GRANT_ROLE @@ -16,12 +18,14 @@ PREHOOK: query: show role grant user user2 PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user2 POSTHOOK: type: SHOW_ROLE_GRANT -src_role2 -1 user2 USER false -1 hive_test_user +src_role2 -1 user2 USER false -1 hive_admin_user PUBLIC -1 false -1 PREHOOK: query: show roles PREHOOK: type: SHOW_ROLES POSTHOOK: query: show roles POSTHOOK: type: SHOW_ROLES +ADMIN +PUBLIC src_role2 PREHOOK: query: -- revoke role without role keyword 
@@ -39,6 +43,8 @@ PREHOOK: query: show roles PREHOOK: type: SHOW_ROLES POSTHOOK: query: show roles POSTHOOK: type: SHOW_ROLES +ADMIN +PUBLIC src_role2 PREHOOK: query: ---------------------------------------- @@ -61,7 +67,7 @@ PREHOOK: query: show role grant user user2 PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user2 POSTHOOK: type: SHOW_ROLE_GRANT -src_role_wadmin -1 user2 USER false -1 hive_test_user +src_role_wadmin -1 user2 USER false -1 hive_admin_user PUBLIC -1 false -1 PREHOOK: query: -- revoke role without role keyword revoke src_role_wadmin from user user2 with admin option @@ -80,6 +86,8 @@ PREHOOK: type: SHOW_ROLES POSTHOOK: query: -- drop roles show roles POSTHOOK: type: SHOW_ROLES +ADMIN +PUBLIC src_role2 src_role_wadmin @@ -91,6 +99,8 @@ PREHOOK: query: show roles PREHOOK: type: SHOW_ROLES POSTHOOK: query: show roles POSTHOOK: type: SHOW_ROLES +ADMIN +PUBLIC src_role_wadmin PREHOOK: query: drop role src_role_wadmin @@ -101,3 +111,6 @@ PREHOOK: query: show roles PREHOOK: type: SHOW_ROLES POSTHOOK: query: show roles POSTHOOK: type: SHOW_ROLES +ADMIN +PUBLIC + diff --git ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out index 11f782a..9c0d09b 100644 --- ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out +++ ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out 
@@ -1,16 +1,20 @@ +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES PREHOOK: query: show current roles PREHOOK: type: SHOW_ROLES POSTHOOK: query: show current roles POSTHOOK: type: SHOW_ROLES -PUBLIC +ADMIN PREHOOK: query: create role r1 PREHOOK: type: CREATEROLE POSTHOOK: query: create role r1 POSTHOOK: type: CREATEROLE -PREHOOK: query: grant role r1 to user hive_test_user +PREHOOK: query: grant role r1 to user hive_admin_user PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant role r1 to user hive_test_user +POSTHOOK: query: grant role r1 to user hive_admin_user POSTHOOK: type: GRANT_ROLE PREHOOK: query: set role r1 PREHOOK: type: SHOW_ROLES @@ -43,6 +47,10 @@ POSTHOOK: type: SHOW_ROLES r1 PUBLIC +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES PREHOOK: query: drop role r1 PREHOOK: type: DROPROLE POSTHOOK: query: drop role r1