Index: itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java =================================================================== --- itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java (revision 1567278) +++ itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java (working copy) @@ -267,7 +267,7 @@ (new Path(dfsUriString, "/build/ql/test/data/warehouse/")).toString()); } - + // Windows paths should be converted after MiniMrShim.setupConfiguration() // since setupConfiguration may overwrite configuration values. if (Shell.WINDOWS) { @@ -330,12 +330,12 @@ } } - public QTestUtil(String outDir, String logDir, MiniClusterType clusterType, String hadoopVer) + public QTestUtil(String outDir, String logDir, MiniClusterType clusterType, String hadoopVer) throws Exception { this(outDir, logDir, clusterType, null, hadoopVer); } - public QTestUtil(String outDir, String logDir, MiniClusterType clusterType, + public QTestUtil(String outDir, String logDir, MiniClusterType clusterType, String confDir, String hadoopVer) throws Exception { this.outDir = outDir; @@ -589,7 +589,7 @@ List roleNames = db.getAllRoleNames(); for (String roleName : roleNames) { - if (!"PUBLIC".equals(roleName)) { + if (!"PUBLIC".equalsIgnoreCase(roleName) && !"ADMIN".equalsIgnoreCase(roleName)) { db.dropRole(roleName); } } @@ -1376,7 +1376,7 @@ } private static int executeCmd(Collection args, String outFile, String errFile) throws Exception { - String[] cmdArray = (String[]) args.toArray(new String[args.size()]); + String[] cmdArray = args.toArray(new String[args.size()]); return executeCmd(cmdArray, outFile, errFile); } @@ -1520,6 +1520,7 @@ this.fname = fname; } + @Override public void run() { try { // assumption is that environment has already been cleaned once globally Index: common/src/java/org/apache/hadoop/hive/conf/HiveConf.java =================================================================== --- common/src/java/org/apache/hadoop/hive/conf/HiveConf.java (revision 1567278) +++ common/src/java/org/apache/hadoop/hive/conf/HiveConf.java (working copy) @@ -135,7 +135,8 @@ HiveConf.ConfVars.HMSHANDLERFORCERELOADCONF, HiveConf.ConfVars.METASTORE_PARTITION_NAME_WHITELIST_PATTERN, HiveConf.ConfVars.METASTORE_DISALLOW_INCOMPATIBLE_COL_TYPE_CHANGES, - HiveConf.ConfVars.USERS_IN_ADMIN_ROLE + HiveConf.ConfVars.USERS_IN_ADMIN_ROLE, + HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER }; /** Index: ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out =================================================================== --- ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out (revision 0) +++ ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out (revision 0) @@ -0,0 +1,4 @@ +PREHOOK: query: -- This test will fail because hive_test_user is not in admin role +show roles +PREHOOK: type: SHOW_ROLES +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_test_user is not allowed to list roles. Only users belonging to admin role can list roles. Index: ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out =================================================================== --- ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out (revision 0) +++ ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out (revision 0) @@ -0,0 +1,4 @@ +PREHOOK: query: -- this test will fail because hive_test_user is not in admin role. +create role r1 +PREHOOK: type: CREATEROLE +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_test_user is not allowed to add roles. Only users belonging to admin role can add new roles. Index: ql/src/test/results/clientnegative/authorization_role_cycles1.q.out =================================================================== --- ql/src/test/results/clientnegative/authorization_role_cycles1.q.out (revision 1567278) +++ ql/src/test/results/clientnegative/authorization_role_cycles1.q.out (working copy) @@ -1,3 +1,7 @@ +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES PREHOOK: query: -- this is applicable to any security mode as check is in metastore create role role1 PREHOOK: type: CREATEROLE Index: ql/src/test/results/clientnegative/authorization_role_cycles2.q.out =================================================================== --- ql/src/test/results/clientnegative/authorization_role_cycles2.q.out (revision 1567278) +++ ql/src/test/results/clientnegative/authorization_role_cycles2.q.out (working copy) @@ -1,3 +1,7 @@ +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES PREHOOK: query: -- this is applicable to any security mode as check is in metastore create role role1 Index: ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out =================================================================== --- ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out (revision 0) +++ ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out (revision 0) @@ -0,0 +1,27 @@ +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: show current roles +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: show current roles +POSTHOOK: type: SHOW_ROLES +ADMIN + +PREHOOK: query: create role r1 +PREHOOK: type: CREATEROLE +POSTHOOK: query: create role r1 +POSTHOOK: type: CREATEROLE +PREHOOK: query: set role NONE +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role NONE +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: show current roles +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: show current roles +POSTHOOK: type: SHOW_ROLES +PUBLIC + +PREHOOK: query: drop role r1 +PREHOOK: type: DROPROLE +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_admin_user is not allowed to drop role. Only users belonging to admin role can drop roles. Index: ql/src/test/results/clientpositive/authorization_1_sql_std.q.out =================================================================== --- ql/src/test/results/clientpositive/authorization_1_sql_std.q.out (revision 1567278) +++ ql/src/test/results/clientpositive/authorization_1_sql_std.q.out (working copy) @@ -3,6 +3,10 @@ POSTHOOK: query: create table src_autho_test (key STRING, value STRING) POSTHOOK: type: CREATETABLE POSTHOOK: Output: default@src_autho_test +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES PREHOOK: query: --table grant to user grant select on table src_autho_test to user user_sauth @@ -17,7 +21,7 @@ PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user user_sauth on table src_autho_test POSTHOOK: type: SHOW_GRANT -default src_autho_test user_sauth USER SELECT false -1 hive_test_user +default src_autho_test user_sauth USER SELECT false -1 hive_admin_user PREHOOK: query: revoke select on table src_autho_test from user user_sauth PREHOOK: type: REVOKE_PRIVILEGE PREHOOK: Output: default@src_autho_test @@ -42,7 +46,7 @@ PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user_sauth POSTHOOK: type: SHOW_ROLE_GRANT -src_role -1 user_sauth USER false -1 hive_test_user +src_role -1 user_sauth USER false -1 hive_admin_user PUBLIC -1 false -1 PREHOOK: query: --table grant to role @@ -58,7 +62,7 @@ PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant role src_role on table src_autho_test POSTHOOK: type: SHOW_GRANT -default src_autho_test src_role ROLE SELECT false -1 hive_test_user +default src_autho_test src_role ROLE SELECT false -1 hive_admin_user PREHOOK: query: revoke select on table src_autho_test from role src_role PREHOOK: type: REVOKE_PRIVILEGE PREHOOK: Output: default@src_autho_test Index: ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out =================================================================== --- ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out (revision 1567278) +++ ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out (working copy) @@ -1,3 +1,7 @@ +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES PREHOOK: query: show current roles PREHOOK: type: SHOW_ROLES POSTHOOK: query: show current roles @@ -2,3 +6,3 @@ POSTHOOK: type: SHOW_ROLES -PUBLIC +ADMIN @@ -8,9 +12,9 @@ PREHOOK: type: CREATEROLE POSTHOOK: query: create role r1 POSTHOOK: type: CREATEROLE -PREHOOK: query: grant role r1 to user hive_test_user +PREHOOK: query: grant role r1 to user hive_admin_user PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant role r1 to user hive_test_user +POSTHOOK: query: grant role r1 to user hive_admin_user POSTHOOK: type: GRANT_ROLE PREHOOK: query: set role r1 PREHOOK: type: SHOW_ROLES @@ -43,6 +47,10 @@ r1 PUBLIC +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES PREHOOK: query: drop role r1 PREHOOK: type: DROPROLE POSTHOOK: query: drop role r1 Index: ql/src/test/results/clientpositive/authorization_role_grant1.q.out =================================================================== --- ql/src/test/results/clientpositive/authorization_role_grant1.q.out (revision 1567278) +++ ql/src/test/results/clientpositive/authorization_role_grant1.q.out (working copy) @@ -1,12 +1,14 @@ PREHOOK: query: -- enable sql standard authorization - -- role granting without role keyword -create role src_role2 -PREHOOK: type: CREATEROLE +set role ADMIN +PREHOOK: type: SHOW_ROLES POSTHOOK: query: -- enable sql standard authorization - -- role granting without role keyword -create role src_role2 +set role ADMIN +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: create role src_role2 +PREHOOK: type: CREATEROLE +POSTHOOK: query: create role src_role2 POSTHOOK: type: CREATEROLE PREHOOK: query: grant src_role2 to user user2 PREHOOK: type: GRANT_ROLE @@ -16,12 +18,14 @@ PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user2 POSTHOOK: type: SHOW_ROLE_GRANT -src_role2 -1 user2 USER false -1 hive_test_user +src_role2 -1 user2 USER false -1 hive_admin_user PUBLIC -1 false -1 PREHOOK: query: show roles PREHOOK: type: SHOW_ROLES POSTHOOK: query: show roles POSTHOOK: type: SHOW_ROLES +ADMIN +PUBLIC src_role2 PREHOOK: query: -- revoke role without role keyword @@ -39,6 +43,8 @@ PREHOOK: type: SHOW_ROLES POSTHOOK: query: show roles POSTHOOK: type: SHOW_ROLES +ADMIN +PUBLIC src_role2 PREHOOK: query: ---------------------------------------- @@ -61,7 +67,7 @@ PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user2 POSTHOOK: type: SHOW_ROLE_GRANT -src_role_wadmin -1 user2 USER false -1 hive_test_user +src_role_wadmin -1 user2 USER false -1 hive_admin_user PUBLIC -1 false -1 PREHOOK: query: -- revoke role without role keyword revoke src_role_wadmin from user user2 with admin option @@ -80,6 +86,8 @@ POSTHOOK: query: -- drop roles show roles POSTHOOK: type: SHOW_ROLES +ADMIN +PUBLIC src_role2 src_role_wadmin @@ -91,6 +99,8 @@ PREHOOK: type: SHOW_ROLES POSTHOOK: query: show roles POSTHOOK: type: SHOW_ROLES +ADMIN +PUBLIC src_role_wadmin PREHOOK: query: drop role src_role_wadmin @@ -101,3 +111,6 @@ PREHOOK: type: SHOW_ROLES POSTHOOK: query: show roles POSTHOOK: type: SHOW_ROLES +ADMIN +PUBLIC + Index: ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q =================================================================== --- ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q (revision 0) +++ ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q (revision 0) @@ -0,0 +1,3 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +-- This test will fail because hive_test_user is not in admin role +show roles; Index: ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q =================================================================== --- ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q (revision 0) +++ ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q (revision 0) @@ -0,0 +1,3 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +-- this test will fail because hive_test_user is not in admin role. +create role r1; Index: ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q =================================================================== --- ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q (revision 0) +++ ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q (revision 0) @@ -0,0 +1,10 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set user.name=hive_admin_user; +set role ADMIN; +show current roles; +create role r1; +set role NONE; +show current roles; +drop role r1; Index: ql/src/test/queries/clientnegative/authorization_role_cycles1.q =================================================================== --- ql/src/test/queries/clientnegative/authorization_role_cycles1.q (revision 1567278) +++ ql/src/test/queries/clientnegative/authorization_role_cycles1.q (working copy) @@ -1,8 +1,12 @@ +set hive.users.in.admin.role=hive_admin_user; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set user.name=hive_admin_user; +set role ADMIN; -- this is applicable to any security mode as check is in metastore create role role1; create role role2; grant role role1 to role role2; -- this will create a cycle -grant role role2 to role role1; \ No newline at end of file +grant role role2 to role role1; Index: ql/src/test/queries/clientnegative/authorization_role_cycles2.q =================================================================== --- ql/src/test/queries/clientnegative/authorization_role_cycles2.q (revision 1567278) +++ ql/src/test/queries/clientnegative/authorization_role_cycles2.q (working copy) @@ -1,4 +1,9 @@ +set hive.users.in.admin.role=hive_admin_user; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; + +set user.name=hive_admin_user; +set role ADMIN; -- this is applicable to any security mode as check is in metastore create role role1; Index: ql/src/test/queries/clientpositive/authorization_set_show_current_role.q =================================================================== --- ql/src/test/queries/clientpositive/authorization_set_show_current_role.q (revision 1567278) +++ ql/src/test/queries/clientpositive/authorization_set_show_current_role.q (working copy) @@ -1,9 +1,12 @@ +set hive.users.in.admin.role=hive_admin_user; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; - +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set user.name=hive_admin_user; +set role ADMIN; show current roles; create role r1; -grant role r1 to user hive_test_user; +grant role r1 to user hive_admin_user; set role r1; show current roles; @@ -13,5 +16,6 @@ set role NONE; show current roles; +set role ADMIN; drop role r1; Index: ql/src/test/queries/clientpositive/authorization_role_grant1.q =================================================================== --- ql/src/test/queries/clientpositive/authorization_role_grant1.q (revision 1567278) +++ ql/src/test/queries/clientpositive/authorization_role_grant1.q (working copy) @@ -1,7 +1,11 @@ +set hive.users.in.admin.role=hive_admin_user; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set user.name=hive_admin_user; + -- enable sql standard authorization - -- role granting without role keyword +set role ADMIN; create role src_role2; grant src_role2 to user user2 ; show role grant user user2; Index: ql/src/test/queries/clientpositive/authorization_1_sql_std.q =================================================================== --- ql/src/test/queries/clientpositive/authorization_1_sql_std.q (revision 1567278) +++ ql/src/test/queries/clientpositive/authorization_1_sql_std.q (working copy) @@ -1,9 +1,12 @@ +set hive.users.in.admin.role=hive_admin_user; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set user.name=hive_admin_user; create table src_autho_test (key STRING, value STRING) ; set hive.security.authorization.enabled=true; - +set role ADMIN; --table grant to user grant select on table src_autho_test to user user_sauth; @@ -30,4 +33,4 @@ drop role src_role; set hive.security.authorization.enabled=false; -drop table src_autho_test; \ No newline at end of file +drop table src_autho_test; Index: ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java =================================================================== --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java (revision 1567278) +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java (working copy) @@ -160,13 +160,11 @@ List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException, HiveAccessControlException; - void setCurrentRole(String roleName) throws HiveAuthzPluginException; + void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException; List getCurrentRoles() throws HiveAuthzPluginException; + //other functions to be added - //showUsersInRole(rolename) - //isSuperuser(username) - - } Index: ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java =================================================================== --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java (revision 1567278) +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java (working copy) @@ -62,7 +62,7 @@ List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException, HiveAccessControlException; - void setCurrentRole(String roleName) throws HiveAuthzPluginException; + void setCurrentRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException; List getCurrentRoles() throws HiveAuthzPluginException; } Index: ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java =================================================================== --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java (revision 1567278) +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java (working copy) @@ -42,6 +42,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; @@ -220,7 +221,12 @@ @Override public void createRole(String roleName, HivePrincipal adminGrantor) - throws HiveAuthzPluginException { + throws HiveAuthzPluginException, HiveAccessControlException { + // only user belonging to admin role can create new roles. + if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) { + throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + + " allowed to add roles. Only users belonging to admin role can add new roles."); + } try { String grantorName = adminGrantor == null ? null : adminGrantor.getName(); metastoreClientFactory.getHiveMetastoreClient().create_role( @@ -231,7 +237,12 @@ } @Override - public void dropRole(String roleName) throws HiveAuthzPluginException { + public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { + // only user belonging to admin role can drop existing role + if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) { + throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + + " allowed to drop role. Only users belonging to admin role can drop roles."); + } try { metastoreClientFactory.getHiveMetastoreClient().drop_role(roleName); } catch (Exception e) { @@ -257,7 +268,12 @@ @Override public void grantRole(List hivePrincipals, List roleNames, - boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException { + boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, + HiveAccessControlException { + if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) { + throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + + " allowed to grant role. Currently only users belonging to admin role can grant roles."); + } for (HivePrincipal hivePrincipal : hivePrincipals) { for (String roleName : roleNames) { try { @@ -279,12 +295,17 @@ @Override public void revokeRole(List hivePrincipals, List roleNames, - boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException { + boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, + HiveAccessControlException { if (grantOption) { // removing grant privileges only is not supported in metastore api throw new HiveAuthzPluginException("Revoking only the admin privileges on " - + "role is not currently supported"); + + "role is not currently supported"); } + if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) { + throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + + " allowed to revoke role. Currently only users belonging to admin role can revoke roles."); + } for (HivePrincipal hivePrincipal : hivePrincipals) { for (String roleName : roleNames) { try { @@ -301,7 +322,12 @@ } @Override - public List getAllRoles() throws HiveAuthzPluginException { + public List getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException { + // only user belonging to admin role can list role + if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) { + throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + + " allowed to list roles. Only users belonging to admin role can list roles."); + } try { return metastoreClientFactory.getHiveMetastoreClient().listRoleNames(); } catch (Exception e) { @@ -370,7 +396,8 @@ } @Override - public void setCurrentRole(String roleName) throws HiveAuthzPluginException { + public void setCurrentRole(String roleName) throws HiveAccessControlException, + HiveAuthzPluginException { if ("NONE".equalsIgnoreCase(roleName)) { // for set role NONE, reset roles to default roles. @@ -393,7 +420,7 @@ return; } // If we are here it means, user is requesting a role he doesn't belong to. - throw new HiveAuthzPluginException(currentUserName +" doesn't belong to role " + throw new HiveAccessControlException(currentUserName +" doesn't belong to role " +roleName); } @@ -402,4 +429,24 @@ initUserRoles(); return currentRoles; } + + /** + * @param principal + * @return true only if current role of user is Admin + * @throws HiveAuthzPluginException + */ + private boolean isUserAdmin(HivePrincipal principal) throws HiveAuthzPluginException { + List roles; + try { + roles = getCurrentRoles(); + } catch (Exception e) { + throw new HiveAuthzPluginException(e); + } + for (HiveRole role : roles){ + if (role.getRoleName().equalsIgnoreCase(HiveMetaStore.ADMIN)) { + return true; + } + } + return false; + } } Index: ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java =================================================================== --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java (revision 1567278) +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java (working copy) @@ -105,7 +105,7 @@ } @Override - public void setCurrentRole(String roleName) throws HiveAuthzPluginException { + public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException { accessController.setCurrentRole(roleName); } @@ -113,10 +113,7 @@ public List getCurrentRoles() throws HiveAuthzPluginException { return accessController.getCurrentRoles(); } - - // other access control functions - // void validateAuthority(HiveAction, inputs, outputs){ // authValidator.validateAuthority(HiveAction, inputs, outputs); // } Index: ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java =================================================================== --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java (revision 1567278) +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java (working copy) @@ -47,5 +47,4 @@ public HiveAccessControlException(Throwable cause){ super(cause); } - }