Index: ql/src/test/results/clientnegative/authorization_disallow_transform.q.out =================================================================== --- ql/src/test/results/clientnegative/authorization_disallow_transform.q.out (revision 0) +++ ql/src/test/results/clientnegative/authorization_disallow_transform.q.out (revision 0) @@ -0,0 +1,12 @@ +PREHOOK: query: set role NONE +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role NONE +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM src +PREHOOK: type: QUERY +PREHOOK: Input: default@src +#### A masked pattern was here #### +FAILED: Hive Internal Error: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException(Query with transform clause is disallowed in current configuration.) +org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Query with transform clause is disallowed in current configuration. +#### A masked pattern was here #### + Index: ql/src/test/queries/clientnegative/authorization_disallow_transform.q =================================================================== --- ql/src/test/queries/clientnegative/authorization_disallow_transform.q (revision 0) +++ ql/src/test/queries/clientnegative/authorization_disallow_transform.q (revision 0) @@ -0,0 +1,3 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set role NONE; +SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM src; Index: ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java =================================================================== --- ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java (revision 1567674) +++ ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java (working copy) @@ -56,6 +56,7 @@ import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator; import org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactoryImpl; @@ -370,6 +371,14 @@ getConf(), authenticator); // grant all privileges for table to its owner getConf().setVar(ConfVars.HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS, "insert,select,update,delete"); + String hooks = getConf().getVar(ConfVars.PREEXECHOOKS).trim(); + if (hooks.isEmpty()) { + hooks = DisallowTransformHook.class.getName(); + } else { + hooks = hooks + "," +DisallowTransformHook.class.getName(); + } + LOG.debug("Configuring hooks : " + hooks); + getConf().setVar(ConfVars.PREEXECHOOKS, hooks); } createTableGrants = CreateTableAutomaticGrant.create(getConf()); Index: ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/DisallowTransformHook.java =================================================================== --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/DisallowTransformHook.java (revision 0) +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/DisallowTransformHook.java (revision 0) @@ -0,0 +1,33 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hive.ql.security.authorization.plugin; + +import org.apache.hadoop.hive.ql.hooks.ExecuteWithHookContext; +import org.apache.hadoop.hive.ql.hooks.HookContext; + +public class DisallowTransformHook implements ExecuteWithHookContext { + + @Override + public void run(HookContext hookContext) throws Exception { + if (hookContext.getQueryPlan().getQueryProperties().usesScript()) { + throw new HiveAccessControlException("Query with transform clause is disallowed in" + + " current configuration."); + } + } +}