diff --git a/common/src/java/org/apache/hadoop/hive/common/FileUtils.java b/common/src/java/org/apache/hadoop/hive/common/FileUtils.java index c1f8842..e132a97 100644 --- a/common/src/java/org/apache/hadoop/hive/common/FileUtils.java +++ b/common/src/java/org/apache/hadoop/hive/common/FileUtils.java @@ -20,13 +20,19 @@ import java.io.IOException; import java.net.URI; +import java.net.URISyntaxException; import java.util.BitSet; import java.util.List; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.FileStatus; import org.apache.hadoop.fs.FileSystem; import org.apache.hadoop.fs.Path; +import org.apache.hadoop.fs.permission.FsAction; +import org.apache.hadoop.fs.permission.FsPermission; +import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.util.Shell; @@ -34,7 +40,7 @@ * Collection of file manipulation utilities common across Hive. */ public final class FileUtils { - + static final private Log LOG = LogFactory.getLog(FileUtils.class.getName()); /** * Variant of Path.makeQualified that qualifies the input path against the default file system * indicated by the configuration 
@@ -297,4 +303,137 @@ public static void listStatusRecursively(FileSystem fs, FileStatus fileStatus, } } + /** + * Find the parent of path that exists + * + * @param fs + * file system + * @param path + * @return the argument path if it exists or a parent path exists. Returns + * NULL root is only parent that exists + * @throws IOException + */ + public static Path getParentThatExists(FileSystem fs, Path path) throws IOException { + if (!fs.exists(path)) { + Path parentPath = path.getParent(); + return getParentThatExists(fs, parentPath); + } + return path; + } + + /** + * Check if the given FileStatus indicates that the action is allowed for + * userName. It checks the group and other permissions also to determine this. + * + * @param userName + * @param fsStatus + * @param action + * @return true if it is writable for userName + */ + public static boolean isActionPermittedForUser(String userName, FileStatus fsStatus, FsAction action) { + FsPermission permissions = fsStatus.getPermission(); + // check user perm + if (fsStatus.getOwner().equals(userName) + && permissions.getUserAction().implies(action)) { + return true; + } + // check other perm + if (permissions.getOtherAction().implies(action)) { + return true; + } + // check group perm after ensuring user belongs to the file owner group + String fileGroup = fsStatus.getGroup(); + String[] userGroups = UserGroupInformation.createRemoteUser(userName).getGroupNames(); + for (String group : userGroups) { + if (group.equals(fileGroup)) { + // user belongs to the file group + if (permissions.getGroupAction().implies(action)) { + return true; + } else { + return false; + } + } + } + return false; + } + + /** + * Check if user userName has permissions to perform the given FsAction action + * on all files under the file whose FileStatus fileStatus is provided + * + * @param fs + * @param fileStatus + * @param userName + * @param action + * @return + * @throws IOException + */ + public static boolean 
isActionPermittedForFileHierarchy(FileSystem fs, FileStatus fileStatus, + String userName, FsAction action) throws IOException { + boolean isDir = fileStatus.isDir(); + + FsAction dirActionNeeded = action; + if (isDir) { + // for dirs user needs execute privileges as well + dirActionNeeded.and(FsAction.EXECUTE); + } + if (!isActionPermittedForUser(userName, fileStatus, dirActionNeeded)) { + return false; + } + + if (!isDir) { + // no sub dirs to be checked + return true; + } + // check all children + FileStatus[] childStatuses = fs.listStatus(fileStatus.getPath()); + for (FileStatus childStatus : childStatuses) { + // check children recursively + if (!isActionPermittedForFileHierarchy(fs, childStatus, userName, action)) { + return false; + } + } + return true; + } + + /** + * A best effort attempt to determine if if the file is a local file based on the scheme if any + * @param fileName + * @return true if it was successfully able to determine that it is a local file + */ + public static boolean hasLocalFileScheme(String fileName) { + try { + // do best effor to determine if this is a local file + String scheme = new URI(fileName).getScheme(); + if (scheme != null) { + return scheme.equals("file"); + } + } catch (URISyntaxException e) { + LOG.warn("Unable to create URI from " + fileName, e); + } + return false; + } + + public static boolean isOwnerOfFileHierarchy(FileSystem fs, FileStatus fileStatus, String userName) + throws IOException { + if (!fileStatus.getOwner().equals(userName)) { + return false; + } + + if (!fileStatus.isDir()) { + // no sub dirs to be checked + return true; + } + // check all children + FileStatus[] childStatuses = fs.listStatus(fileStatus.getPath()); + for (FileStatus childStatus : childStatuses) { + // check children recursively + if (!isOwnerOfFileHierarchy(fs, childStatus, userName)) { + return false; + } + } + return true; + } + + } 
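Review bot: In `isActionPermittedForFileHierarchy`, the call `dirActionNeeded.and(FsAction.EXECUTE);` discards its return value, so directories are checked for `action` alone and the execute requirement stated in the comment is never enforced. `FsAction` is an enum and `and` returns a new value; it is also an intersection, so even assigning the result would narrow the requirement instead of extending it. The line should read `dirActionNeeded = action.or(FsAction.EXECUTE);`. Separately, `isActionPermittedForUser` returns true on the other-bits before it looks at group membership, and does so even for an owner whose user bits deny the action. That is more permissive than the owner-then-group-then-other evaluation HDFS applies, so it deserves a comment or a reorder if this check is meant to mirror the file system.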
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java index 83d5bfc..d3206d0 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java @@ -734,6 +734,10 @@ private void doAuthorizationV2(SessionState ss, HiveOperation op, HashSet getParents() { return parents; @@ -136,4 +148,5 @@ public void setDirect(boolean isDirect) { } + } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/hooks/WriteEntity.java b/ql/src/java/org/apache/hadoop/hive/ql/hooks/WriteEntity.java index 0493302..ae8b4bb 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/hooks/WriteEntity.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/hooks/WriteEntity.java @@ -22,8 +22,8 @@ import org.apache.hadoop.fs.Path; import org.apache.hadoop.hive.metastore.api.Database; -import org.apache.hadoop.hive.ql.metadata.Partition; import org.apache.hadoop.hive.ql.metadata.DummyPartition; +import org.apache.hadoop.hive.ql.metadata.Partition; import org.apache.hadoop.hive.ql.metadata.Table; /** @@ -32,6 +32,8 @@ */ public class WriteEntity extends Entity implements Serializable { + private boolean isTempURI = false; + /** * Only used by serialization. */ @@ -50,7 +52,7 @@ public WriteEntity(Database database) { * Table that is written to. */ public WriteEntity(Table t) { - super(t, true); + this(t, true); } public WriteEntity(Table t, boolean complete) { 
@@ -80,7 +82,22 @@ public WriteEntity(DummyPartition p, boolean complete) { * Flag to decide whether this directory is local or in dfs. */ public WriteEntity(Path d, boolean islocal) { + this(d, islocal, false); + } + + /** + * Constructor for a file. + * + * @param d + * The name of the directory that is being written to. + * @param islocal + * Flag to decide whether this directory is local or in dfs. + * @param isTemp + * True if this is a temporary location such as scratch dir + */ + public WriteEntity(Path d, boolean islocal, boolean isTemp) { super(d.toString(), islocal, true); + this.isTempURI = isTemp; } /** @@ -99,4 +116,9 @@ public boolean equals(Object o) { return false; } } + + public boolean isTempURI() { + return isTempURI; + } + } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/metadata/Hive.java b/ql/src/java/org/apache/hadoop/hive/ql/metadata/Hive.java index 0b7c128..f9bff1b 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/metadata/Hive.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/metadata/Hive.java @@ -2567,7 +2567,7 @@ public void cancelDelegationToken(String tokenStrForm) } } - private static String[] getQualifiedNames(String qualifiedName) { + public static String[] getQualifiedNames(String qualifiedName) { return qualifiedName.split("\\."); } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java index 1f539ef..49ed6e4 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java @@ -42,6 +42,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.fs.Path; +import org.apache.hadoop.hive.common.FileUtils; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.conf.HiveConf.ConfVars; import org.apache.hadoop.hive.metastore.MetaStoreUtils; 
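Review bot: `isTempURI()` is added without Javadoc, and neither the getter nor the field says what a consumer is expected to do with a temporary entity. If authorization code treats temporary locations differently (the consumer is not visible in these hunks), that contract belongs on the getter, for example `/** @return true if this entity is a temporary location such as the scratch dir; false unless set through the (Path, boolean, boolean) constructor. */`. The field initialiser and the single visible assignment support that wording, but the constructors outside these hunks should be checked before committing to it.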
@@ -666,6 +667,7 @@ private void analyzeCreateDatabase(ASTNode ast) throws SemanticException { break; case TOK_DATABASELOCATION: dbLocation = unescapeSQLString(childNode.getChild(0).getText()); + addLocationToOutputs(dbLocation); break; default: throw new SemanticException("Unrecognized token in CREATE DATABASE statement"); @@ -970,6 +972,7 @@ private void analyzeCreateIndex(ASTNode ast) throws SemanticException { break; case HiveParser.TOK_TABLELOCATION: location = unescapeSQLString(child.getChild(0).getText()); + addLocationToOutputs(location); break; case HiveParser.TOK_TABLEPROPERTIES: tblProps = DDLSemanticAnalyzer.getProps((ASTNode) child.getChild(0)); @@ -1342,12 +1345,13 @@ private void analyzeAlterTableLocation(ASTNode ast, String tableName, HashMap partSpec) throws SemanticException { String newLocation = unescapeSQLString(ast.getChild(0).getText()); - + addLocationToOutputs(newLocation); AlterTableDesc alterTblDesc = new AlterTableDesc(tableName, newLocation, partSpec); addInputsOutputsAlterTable(tableName, partSpec, alterTblDesc); rootTasks.add(TaskFactory.get(new DDLWork(getInputs(), getOutputs(), alterTblDesc), conf)); + } private void analyzeAlterTableProtectMode(ASTNode ast, String tableName, @@ -2520,7 +2524,7 @@ private void analyzeAlterTableAddParts(CommonTree ast, boolean expectView) Table tab = getTable(tblName, true); boolean isView = tab.isView(); validateAlterTableType(tab, AlterTableTypes.ADDPARTITION, expectView); - inputs.add(new ReadEntity(tab)); + outputs.add(new WriteEntity(tab)); int numCh = ast.getChildCount(); int start = ifNotExists ? 2 : 1; 
@@ -2547,6 +2551,17 @@ private void analyzeAlterTableAddParts(CommonTree ast, boolean expectView) throw new SemanticException("LOCATION clause illegal for view partition"); } currentLocation = unescapeSQLString(child.getChild(0).getText()); + boolean isLocal = false; + try { + // do best effor to determine if this is a local file + String scheme = new URI(currentLocation).getScheme(); + if (scheme != null) { + isLocal = scheme.equals("file"); + } + } catch (URISyntaxException e) { + LOG.warn("Unable to create URI from " + currentLocation, e); + } + inputs.add(new ReadEntity(new Path(currentLocation), isLocal)); break; default: throw new SemanticException("Unknown child: " + child); @@ -3159,6 +3174,7 @@ private void analyzeAlterTableSkewedLocation(ASTNode ast, String tableName, .getText())); validateSkewedLocationString(newLocation); locations.put(keyList, newLocation); + addLocationToOutputs(newLocation); } } } @@ -3172,6 +3188,10 @@ private void analyzeAlterTableSkewedLocation(ASTNode ast, String tableName, alterTblDesc), conf)); } + private void addLocationToOutputs(String newLocation) { + outputs.add(new WriteEntity(new Path(newLocation), FileUtils.hasLocalFileScheme(newLocation))); + } + /** * Check if the node is constant. * diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/LoadSemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/LoadSemanticAnalyzer.java index a22a15f..59aeb96 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/LoadSemanticAnalyzer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/LoadSemanticAnalyzer.java @@ -37,6 +37,7 @@ import org.apache.hadoop.hive.ql.exec.Task; import org.apache.hadoop.hive.ql.exec.TaskFactory; import org.apache.hadoop.hive.ql.exec.Utilities; +import org.apache.hadoop.hive.ql.hooks.ReadEntity; import org.apache.hadoop.hive.ql.hooks.WriteEntity; import org.apache.hadoop.hive.ql.metadata.Hive; import org.apache.hadoop.hive.ql.metadata.HiveException; 
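Review bot: The scheme detection added to `analyzeAlterTableAddParts` is a copy of `FileUtils.hasLocalFileScheme`, which this same commit introduces and already uses in `addLocationToOutputs` further down the file. Calling the helper keeps the local/DFS classification of authorization entities in one place: `inputs.add(new ReadEntity(new Path(currentLocation), FileUtils.hasLocalFileScheme(currentLocation)));`. Both copies compare with `scheme.equals("file")`, which is case-sensitive although URI schemes are not, so a location whose scheme is written in upper case is classified as non-local; `"file".equalsIgnoreCase(scheme)` in the helper would cover every caller. The body of `analyzeAlterTableAddParts` starts and ends outside the hunk.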
@@ -217,7 +218,7 @@ public void analyzeInternal(ASTNode ast) throws SemanticException { // make sure the arguments make sense applyConstraints(fromURI, toURI, fromTree, isLocal); - + inputs.add(new ReadEntity(new Path(fromURI), isLocal)); Task rTask = null; // create copy work diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java index 77388dd..c05a3b1 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java @@ -34,7 +34,6 @@ import java.util.regex.Pattern; import java.util.regex.PatternSyntaxException; -import org.antlr.runtime.tree.BaseTree; import org.antlr.runtime.tree.Tree; import org.antlr.runtime.tree.TreeWizard; import org.antlr.runtime.tree.TreeWizard.ContextVisitor; @@ -49,6 +48,7 @@ import org.apache.hadoop.hive.conf.HiveConf.ConfVars; import org.apache.hadoop.hive.metastore.TableType; import org.apache.hadoop.hive.metastore.Warehouse; +import org.apache.hadoop.hive.metastore.api.Database; import org.apache.hadoop.hive.metastore.api.FieldSchema; import org.apache.hadoop.hive.metastore.api.MetaException; import org.apache.hadoop.hive.metastore.api.Order; @@ -79,8 +79,8 @@ import org.apache.hadoop.hive.ql.io.CombineHiveInputFormat; import org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat; import org.apache.hadoop.hive.ql.io.HiveOutputFormat; -import org.apache.hadoop.hive.ql.io.RCFileInputFormat; import org.apache.hadoop.hive.ql.io.NullRowsInputFormat; +import org.apache.hadoop.hive.ql.io.RCFileInputFormat; import org.apache.hadoop.hive.ql.lib.DefaultGraphWalker; import org.apache.hadoop.hive.ql.lib.Dispatcher; import org.apache.hadoop.hive.ql.lib.GraphWalker; 
@@ -397,7 +397,7 @@ public void doPhase1QBExpr(ASTNode ast, QBExpr qbexpr, String id, String alias) List wdwFns = new ArrayList(); for (int i = 0; i < selExpr.getChildCount(); ++i) { ASTNode function = (ASTNode) selExpr.getChild(i).getChild(0); - doPhase1GetAllAggregations((ASTNode) function, aggregationTrees, wdwFns); + doPhase1GetAllAggregations(function, aggregationTrees, wdwFns); } // window based aggregations are handled differently @@ -710,13 +710,13 @@ private void processCTE(QB qb, ASTNode ctes) throws SemanticException { * The scoping rules we use are: to search for a CTE from the current QB outwards. In order to * disambiguate between CTES are different levels we qualify(prefix) them with the id of the QB * they appear in when adding them to the aliasToCTEs map. - * + * */ private ASTNode findCTEFromName(QB qb, String cteName) { /* * When saving a view definition all table references in the AST are qualified; including CTE references. - * Where as CTE definitions have no DB qualifier; so we strip out the DB qualifier before searching in + * Where as CTE definitions have no DB qualifier; so we strip out the DB qualifier before searching in * aliasToCTEs map. */ String currDB = SessionState.get().getCurrentDatabase(); 
@@ -742,17 +742,17 @@ private ASTNode findCTEFromName(QB qb, String cteName) { } return aliasToCTEs.get(cteName); } - + /* * If a CTE is referenced in a QueryBlock: * - add it as a SubQuery for now. - * - SQ.alias is the alias used in QB. (if no alias is specified, + * - SQ.alias is the alias used in QB. (if no alias is specified, * it used the CTE name. Works just like table references) * - Adding SQ done by: * - copying AST of CTE * - setting ASTOrigin on cloned AST. * - trigger phase 1 on new QBExpr. - * - update QB data structs: remove this as a table reference, move it to a SQ invocation. + * - update QB data structs: remove this as a table reference, move it to a SQ invocation. */ private void addCTEAsSubQuery(QB qb, String cteName, String cteAlias) throws SemanticException { cteAlias = cteAlias == null ? cteName : cteAlias; @@ -812,7 +812,7 @@ private void processJoin(QB qb, ASTNode join) throws SemanticException { processPTF(qb, child); PTFInvocationSpec ptfInvocationSpec = qb.getPTFInvocationSpec(child); String inputAlias = ptfInvocationSpec == null ? null : - ((PartitionedTableFunctionSpec)ptfInvocationSpec.getFunction()).getAlias();; + ptfInvocationSpec.getFunction().getAlias();; if ( inputAlias == null ) { throw new SemanticException(generateErrorMessage(child, "PTF invocation in a Join must have an alias")); @@ -1500,6 +1500,7 @@ private void replaceViewReferenceWithDefinition(QB qb, Table tab, tree = ParseUtils.findRootNonNullToken(tree); viewTree = tree; Dispatcher nodeOriginDispatcher = new Dispatcher() { + @Override public Object dispatch(Node nd, java.util.Stack stack, Object... nodeOutputs) { ((ASTNode) nd).setOrigin(viewOrigin); @@ -2071,7 +2072,7 @@ private Operator genHavingPlan(String dest, QB qb, Operator input, output = putOpInsertMap(output, inputRR); return output; } - + private Operator genPlanForSubQueryPredicate( QB qbSQ, ISubQueryJoinInfo subQueryPredicate) throws SemanticException { 
@@ -2113,15 +2114,15 @@ private Operator genFilterPlan(ASTNode searchCond, QB qb, Operator input, * --> ===CONTINUE_FILTER_PROCESSING=== * endif * endif - * + * * Support for Sub Queries in Having Clause: * - By and large this works the same way as SubQueries in the Where Clause. * - The one addum is the handling of aggregation expressions from the Outer Query - * appearing in correlation clauses. + * appearing in correlation clauses. * - So such correlating predicates are allowed: * min(OuterQuert.x) = SubQuery.y * - this requires special handling when converting to joins. See QBSubQuery.rewrite - * method method for detailed comments. + * method method for detailed comments. */ List subQueriesInOriginalTree = SubQueryUtils.findSubQueries(searchCond); @@ -2159,9 +2160,9 @@ private Operator genFilterPlan(ASTNode searchCond, QB qb, Operator input, QBSubQuery subQuery = SubQueryUtils.buildSubQuery(qb.getId(), sqIdx, subQueryAST, originalSubQueryAST, ctx); - + String havingInputAlias = null; - + if ( forHavingClause ) { havingInputAlias = "gby_sq" + sqIdx; aliasToOpInfo.put(havingInputAlias, input); @@ -2185,7 +2186,7 @@ private Operator genFilterPlan(ASTNode searchCond, QB qb, Operator input, throw new SemanticException(ErrorMsg.INVALID_SUBQUERY_EXPRESSION.getMsg( subQueryAST, "SubQuery can contain only 1 item in Select List.")); } - + /* * If this is a Not In SubQuery Predicate then Join in the Null Check SubQuery. * See QBSubQuery.NotInCheck for details on why and how this is constructed. @@ -2285,7 +2286,7 @@ private Integer genColListRegex(String colRegex, String tabAlias, * if a columnInfo has multiple mappings; then add the column only once, * but carry the mappings forward. */ - Map inputColsProcessed = new HashMap(); + Map inputColsProcessed = new HashMap(); // For expr "*", aliases should be iterated in the order they are specified // in the query. for (String alias : aliases) { 
@@ -2898,7 +2899,7 @@ private static boolean isRegex(String pattern, HiveConf conf) { String qIdSupport = HiveConf.getVar(conf, HiveConf.ConfVars.HIVE_QUOTEDID_SUPPORT); if ( "column".equals(qIdSupport)) { return false; - } + } for (int i = 0; i < pattern.length(); i++) { if (!Character.isLetterOrDigit(pattern.charAt(i)) && pattern.charAt(i) != '_') { @@ -3131,7 +3132,7 @@ private static boolean isRegex(String pattern, HiveConf conf) { colInfo.setSkewedCol((exp instanceof ExprNodeColumnDesc) ? ((ExprNodeColumnDesc) exp) .isSkewedCol() : false); out_rwsch.put(tabAlias, colAlias, colInfo); - + if ( exp instanceof ExprNodeColumnDesc ) { ExprNodeColumnDesc colExp = (ExprNodeColumnDesc) exp; String[] altMapping = inputRR.getAlternateMappings(colExp.getColumn()); @@ -3413,11 +3414,11 @@ private Operator genGroupByPlanGroupByOperator(QBParseInfo parseInfo, // get the last colName for the reduce KEY // it represents the column name corresponding to distinct aggr, if any String lastKeyColName = null; - List inputKeyCols = ((ReduceSinkDesc) rs.getConf()).getOutputKeyColumnNames(); + List inputKeyCols = rs.getConf().getOutputKeyColumnNames(); if (inputKeyCols.size() > 0) { lastKeyColName = inputKeyCols.get(inputKeyCols.size() - 1); } - List reduceValues = ((ReduceSinkDesc) rs.getConf()).getValueCols(); + List reduceValues = rs.getConf().getValueCols(); int numDistinctUDFs = 0; for (Map.Entry entry : aggregationTrees.entrySet()) { ASTNode value = entry.getValue(); @@ -4209,8 +4210,8 @@ private ReduceSinkOperator genCommonGroupByPlanReduceSinkOperator(QB qb, List entry : nodeOutputs.entrySet()) { - ASTNode parameter = (ASTNode) entry.getKey(); - ExprNodeDesc expression = (ExprNodeDesc) entry.getValue(); + ASTNode parameter = entry.getKey(); + ExprNodeDesc expression = entry.getValue(); if (!(expression instanceof ExprNodeColumnDesc)) { continue; } 
@@ -4244,7 +4245,7 @@ private ReduceSinkOperator genCommonGroupByPlanReduceSinkOperator(QB qb, List mapping, List keys) { - ExprNodeDesc expr = (ExprNodeDesc) mapping.get(predicate); + ExprNodeDesc expr = mapping.get(predicate); if (expr != null && ExprNodeDescUtils.indexOf(expr, keys) >= 0) { removeRecursively(predicate, mapping); } else { @@ -5479,9 +5480,9 @@ private Operator genFileSinkPlan(String dest, QB qb, Operator input) } else { // if we are on viewfs we don't want to use /tmp as tmp dir since rename from /tmp/.. // to final /user/hive/warehouse/ will fail later, so instead pick tmp dir - // on same namespace as tbl dir. - queryTmpdir = dest_path.toUri().getScheme().equals("viewfs") ? - ctx.getExtTmpPathRelTo(dest_path.getParent().toUri()) : + // on same namespace as tbl dir. + queryTmpdir = dest_path.toUri().getScheme().equals("viewfs") ? + ctx.getExtTmpPathRelTo(dest_path.getParent().toUri()) : ctx.getExternalTmpPath(dest_path.toUri()); } if (dpCtx != null) { @@ -5577,9 +5578,9 @@ private Operator genFileSinkPlan(String dest, QB qb, Operator input) // if we are on viewfs we don't want to use /tmp as tmp dir since rename from /tmp/.. // to final /user/hive/warehouse/ will fail later, so instead pick tmp dir - // on same namespace as tbl dir. - queryTmpdir = dest_path.toUri().getScheme().equals("viewfs") ? - ctx.getExtTmpPathRelTo(dest_path.getParent().toUri()) : + // on same namespace as tbl dir. + queryTmpdir = dest_path.toUri().getScheme().equals("viewfs") ? + ctx.getExtTmpPathRelTo(dest_path.getParent().toUri()) : ctx.getExternalTmpPath(dest_path.toUri()); table_desc = Utilities.getTableDesc(dest_tab); 
@@ -5706,10 +5707,12 @@ private Operator genFileSinkPlan(String dest, QB qb, Operator input) tblDesc.setCols(new ArrayList(field_schemas)); } + boolean isDestTempFile = true; if (!ctx.isMRTmpFileURI(dest_path.toUri().toString())) { idToTableNameMap.put(String.valueOf(destTableId), dest_path.toUri().toString()); currentTableId = destTableId; destTableId++; + isDestTempFile = false; } boolean isDfsDir = (dest_type.intValue() == QBMetaData.DEST_DFS_FILE); @@ -5727,7 +5730,7 @@ private Operator genFileSinkPlan(String dest, QB qb, Operator input) table_desc = PlanUtils.getTableDesc(tblDesc, cols, colTypes); } - if (!outputs.add(new WriteEntity(dest_path, !isDfsDir))) { + if (!outputs.add(new WriteEntity(dest_path, !isDfsDir, isDestTempFile))) { throw new SemanticException(ErrorMsg.OUTPUT_SPECIFIED_MULTIPLE_TIMES .getMsg(dest_path.toUri().toString())); } @@ -8787,7 +8790,7 @@ public Operator genPlan(QB qb) throws SemanticException { "Cannot resolve input Operator for PTF invocation")); } lastPTFOp = genPTFPlan(spec, inOp); - String ptfAlias = ((PartitionedTableFunctionSpec)spec.getFunction()).getAlias(); + String ptfAlias = spec.getFunction().getAlias(); if ( ptfAlias != null ) { aliasToOpInfo.put(ptfAlias, lastPTFOp); } @@ -9384,7 +9387,7 @@ private ExprNodeDesc getExprNodeDescCached(ASTNode expr, RowResolver input) Map nodeOutputs = TypeCheckProcFactory.genExprNode(expr, tcCtx); - ExprNodeDesc desc = (ExprNodeDesc) nodeOutputs.get(expr); + ExprNodeDesc desc = nodeOutputs.get(expr); if (desc == null) { String errMsg = tcCtx.getError(); if (errMsg == null) { 
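Review bot: `isDestTempFile` starts as `true` and is cleared only inside the `!ctx.isMRTmpFileURI(...)` branch, so the flag that ends up on the `WriteEntity` reads as an opt-out. Computing it directly, `boolean isDestTempFile = ctx.isMRTmpFileURI(dest_path.toUri().toString());`, gives the same value and makes it plain that the classification rests entirely on that one check of the destination string. If a consumer relaxes authorization for temporary URIs (not visible in this hunk), a comment here should say whether `dest_path` may originate from the query text and why `isMRTmpFileURI` is sufficient to tell a scratch path from a user-chosen one. `genFileSinkPlan` starts and ends outside the hunk.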
@@ -9708,6 +9711,7 @@ private ASTNode analyzeCreateTable(ASTNode ast, QB qb) case HiveParser.TOK_TABLELOCATION: location = unescapeSQLString(child.getChild(0).getText()); location = EximUtil.relativeToAbsolutePath(conf, location); + inputs.add(new ReadEntity(new Path(location), FileUtils.hasLocalFileScheme(location))); break; case HiveParser.TOK_TABLEPROPERTIES: tblProps = DDLSemanticAnalyzer.getProps((ASTNode) child.getChild(0)); @@ -9762,6 +9766,11 @@ private ASTNode analyzeCreateTable(ASTNode ast, QB qb) } } + String[] qualified = Hive.getQualifiedNames(tableName); + String dbName = qualified.length == 1 ? SessionState.get().getCurrentDatabase() : qualified[0]; + Database database = getDatabase(dbName); + outputs.add(new WriteEntity(database)); + // Handle different types of CREATE TABLE command CreateTableDesc crtTblDesc = null; switch (command_type) { @@ -9995,7 +10004,7 @@ private void processPositionAlias(ASTNode ast) throws SemanticException { int pos = Integer.parseInt(node.getText()); if (pos > 0 && pos <= selectExpCnt) { groupbyNode.setChild(child_pos, - (BaseTree) selectNode.getChild(pos - 1).getChild(0)); + selectNode.getChild(pos - 1).getChild(0)); } else { throw new SemanticException( ErrorMsg.INVALID_POSITION_ALIAS_IN_GROUPBY.getMsg( @@ -10022,7 +10031,7 @@ private void processPositionAlias(ASTNode ast) throws SemanticException { if (!isAllCol) { int pos = Integer.parseInt(node.getText()); if (pos > 0 && pos <= selectExpCnt) { - colNode.setChild(0, (BaseTree) selectNode.getChild(pos - 1).getChild(0)); + colNode.setChild(0, selectNode.getChild(pos - 1).getChild(0)); } else { throw new SemanticException( ErrorMsg.INVALID_POSITION_ALIAS_IN_ORDERBY.getMsg( 
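Review bot: In the `@@ -9762,6 +9766,11 @@` hunk the database registered as an output is derived by splitting `tableName` on dots and taking `qualified[0]` whenever the split does not yield exactly one part, so a name with three or more parts is accepted silently with its first part as the database. The database that is authorized should be the one the table is actually created in, and the creation path is outside this hunk, so it is worth confirming that both resolve the name the same way. Whether such names can reach this point is not visible here; if they can, reject them before `getDatabase(dbName)` with a `SemanticException` when `qualified.length > 2`. `Hive.getQualifiedNames` is also made public by this commit without Javadoc stating that it performs a plain split with no validation.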
@@ -10565,6 +10574,7 @@ private BoundarySpec processBoundary(int frameType, ASTNode node) throws Semant private static class ConstantExprCheck implements ContextVisitor { boolean isConstant = true; + @Override public void visit(Object t, Object parent, int childIndex, Map labels) { if ( !isConstant ) { return; @@ -10593,6 +10603,7 @@ public AggregationExprCheck(HashMap destAggrExprs) { this.destAggrExprs = destAggrExprs; } + @Override public void visit(Object t, Object parent, int childIndex, Map labels) { if ( isAggr ) { return; @@ -11106,7 +11117,7 @@ private Operator genReduceSinkPlanForWindowing(WindowingSpec spec, return selSpec; } - private void addAlternateGByKeyMappings(ASTNode gByExpr, ColumnInfo colInfo, + private void addAlternateGByKeyMappings(ASTNode gByExpr, ColumnInfo colInfo, Operator reduceSinkOp, RowResolver gByRR) { if ( gByExpr.getType() == HiveParser.DOT && gByExpr.getChild(0).getType() == HiveParser.TOK_TABLE_OR_COL ) { @@ -11129,7 +11140,7 @@ private void addAlternateGByKeyMappings(ASTNode gByExpr, ColumnInfo colInfo, * before any GBy/ReduceSinks added for the GBY operation. */ Operator parent = reduceSinkOp; - while ( parent instanceof ReduceSinkOperator || + while ( parent instanceof ReduceSinkOperator || parent instanceof GroupByOperator ) { parent = parent.getParentOperators().get(0); } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/plan/HiveOperation.java b/ql/src/java/org/apache/hadoop/hive/ql/plan/HiveOperation.java index 93c89de..e661f00 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/plan/HiveOperation.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/plan/HiveOperation.java 
@@ -40,7 +40,8 @@ ALTERTABLE_RENAMEPART("ALTERTABLE_RENAMEPART", new Privilege[]{Privilege.DROP}, new Privilege[]{Privilege.CREATE}), ALTERTABLE_RENAME("ALTERTABLE_RENAME", new Privilege[]{Privilege.ALTER_METADATA}, null), ALTERTABLE_DROPPARTS("ALTERTABLE_DROPPARTS", new Privilege[]{Privilege.DROP}, null), - ALTERTABLE_ADDPARTS("ALTERTABLE_ADDPARTS", new Privilege[]{Privilege.CREATE}, null), + // The location is input and table is output for alter-table add partitions + ALTERTABLE_ADDPARTS("ALTERTABLE_ADDPARTS", null, new Privilege[]{Privilege.CREATE}), ALTERTABLE_TOUCH("ALTERTABLE_TOUCH", null, null), ALTERTABLE_ARCHIVE("ALTERTABLE_ARCHIVE", new Privilege[]{Privilege.ALTER_DATA}, null), ALTERTABLE_UNARCHIVE("ALTERTABLE_UNARCHIVE", new Privilege[]{Privilege.ALTER_DATA}, null), diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java index fae6844..1d40083 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java @@ -54,6 +54,12 @@ private static SQLPrivTypeGrant[] ADMIN_PRIV_AR = arr(SQLPrivTypeGrant.ADMIN_PRIV); private static SQLPrivTypeGrant[] INS_NOGRANT_AR = arr(SQLPrivTypeGrant.INSERT_NOGRANT); private static SQLPrivTypeGrant[] DEL_NOGRANT_AR = arr(SQLPrivTypeGrant.DELETE_NOGRANT); + private static SQLPrivTypeGrant[] OWNER_INS_SEL_DEL_NOGRANT_AR = + arr(SQLPrivTypeGrant.OWNER_PRIV, + SQLPrivTypeGrant.INSERT_NOGRANT, + SQLPrivTypeGrant.DELETE_NOGRANT, + SQLPrivTypeGrant.SELECT_NOGRANT); + static { 
@@ -62,10 +68,11 @@ op2Priv.put(HiveOperationType.EXPLAIN, new InOutPrivs(SEL_NOGRANT_AR, SEL_NOGRANT_AR)); //?? - op2Priv.put(HiveOperationType.CREATEDATABASE, new InOutPrivs(ADMIN_PRIV_AR, null)); + op2Priv.put(HiveOperationType.CREATEDATABASE, + new InOutPrivs(ADMIN_PRIV_AR, OWNER_INS_SEL_DEL_NOGRANT_AR)); op2Priv.put(HiveOperationType.DROPDATABASE, new InOutPrivs(OWNER_PRIV_AR, null)); - //this should be database usage privilege once it is supported + // this should be database usage privilege once it is supported op2Priv.put(HiveOperationType.SWITCHDATABASE, new InOutPrivs(null, null)); // lock operations not controlled for now @@ -76,7 +83,7 @@ op2Priv.put(HiveOperationType.DESCTABLE, new InOutPrivs(SEL_NOGRANT_AR, null)); op2Priv.put(HiveOperationType.DESCFUNCTION, new InOutPrivs(null, null)); - //meta store check command - require admin priv + // meta store check command - require admin priv op2Priv.put(HiveOperationType.MSCK, new InOutPrivs(ADMIN_PRIV_AR, null)); 
@@ -104,16 +111,16 @@ op2Priv.put(HiveOperationType.ALTERPARTITION_PROTECTMODE, new InOutPrivs(OWNER_PRIV_AR, OWNER_PRIV_AR)); op2Priv.put(HiveOperationType.ALTERTABLE_FILEFORMAT, new InOutPrivs(OWNER_PRIV_AR, OWNER_PRIV_AR)); op2Priv.put(HiveOperationType.ALTERPARTITION_FILEFORMAT, new InOutPrivs(OWNER_PRIV_AR, OWNER_PRIV_AR)); - op2Priv.put(HiveOperationType.ALTERTABLE_LOCATION, new InOutPrivs(OWNER_PRIV_AR, OWNER_PRIV_AR)); - op2Priv.put(HiveOperationType.ALTERPARTITION_LOCATION, new InOutPrivs(OWNER_PRIV_AR, OWNER_PRIV_AR)); + op2Priv.put(HiveOperationType.ALTERTABLE_LOCATION, new InOutPrivs(OWNER_PRIV_AR, OWNER_INS_SEL_DEL_NOGRANT_AR)); + op2Priv.put(HiveOperationType.ALTERPARTITION_LOCATION, new InOutPrivs(OWNER_PRIV_AR, OWNER_INS_SEL_DEL_NOGRANT_AR)); op2Priv.put(HiveOperationType.ALTERTABLE_MERGEFILES, new InOutPrivs(OWNER_PRIV_AR, OWNER_PRIV_AR)); op2Priv.put(HiveOperationType.ALTERPARTITION_MERGEFILES, new InOutPrivs(OWNER_PRIV_AR, OWNER_PRIV_AR)); op2Priv.put(HiveOperationType.ALTERTABLE_SKEWED, new InOutPrivs(OWNER_PRIV_AR, OWNER_PRIV_AR)); - op2Priv.put(HiveOperationType.ALTERTBLPART_SKEWED_LOCATION, new InOutPrivs(OWNER_PRIV_AR, OWNER_PRIV_AR)); + op2Priv.put(HiveOperationType.ALTERTBLPART_SKEWED_LOCATION, new InOutPrivs(OWNER_PRIV_AR, OWNER_INS_SEL_DEL_NOGRANT_AR)); op2Priv.put(HiveOperationType.TRUNCATETABLE, new InOutPrivs(OWNER_PRIV_AR, OWNER_PRIV_AR)); //table ownership for create/drop/alter index - op2Priv.put(HiveOperationType.CREATEINDEX, new InOutPrivs(OWNER_PRIV_AR, OWNER_PRIV_AR)); + op2Priv.put(HiveOperationType.CREATEINDEX, new InOutPrivs(OWNER_PRIV_AR, OWNER_INS_SEL_DEL_NOGRANT_AR)); op2Priv.put(HiveOperationType.DROPINDEX, new InOutPrivs(OWNER_PRIV_AR, OWNER_PRIV_AR)); op2Priv.put(HiveOperationType.ALTERINDEX_REBUILD, new InOutPrivs(OWNER_PRIV_AR, OWNER_PRIV_AR)); op2Priv.put(HiveOperationType.ALTERINDEX_PROPS, new InOutPrivs(OWNER_PRIV_AR, OWNER_PRIV_AR)); 
@@ -130,7 +137,8 @@ // operations that require insert/delete privileges op2Priv.put(HiveOperationType.ALTERTABLE_DROPPARTS, new InOutPrivs(DEL_NOGRANT_AR, null)); - op2Priv.put(HiveOperationType.ALTERTABLE_ADDPARTS, new InOutPrivs(INS_NOGRANT_AR, null)); + // in alter-table-add-partition, the table is output, and location is input + op2Priv.put(HiveOperationType.ALTERTABLE_ADDPARTS, new InOutPrivs(OWNER_INS_SEL_DEL_NOGRANT_AR, INS_NOGRANT_AR)); // select with grant for exporting contents op2Priv.put(HiveOperationType.EXPORT, new InOutPrivs(SEL_GRANT_AR, null)); @@ -140,12 +148,13 @@ op2Priv.put(HiveOperationType.SHOWCOLUMNS, new InOutPrivs(SEL_NOGRANT_AR, null)); op2Priv.put(HiveOperationType.SHOW_TABLESTATUS, new InOutPrivs(SEL_NOGRANT_AR, null)); op2Priv.put(HiveOperationType.SHOW_TBLPROPERTIES, new InOutPrivs(SEL_NOGRANT_AR, null)); - op2Priv.put(HiveOperationType.CREATETABLE_AS_SELECT, new InOutPrivs(SEL_NOGRANT_AR, OWNER_PRIV_AR)); + op2Priv.put(HiveOperationType.CREATETABLE_AS_SELECT, new InOutPrivs(SEL_NOGRANT_AR, null)); // QUERY,LOAD op can contain an insert & ovewrite, so require insert+delete privileges on output op2Priv.put(HiveOperationType.QUERY, new InOutPrivs(SEL_NOGRANT_AR, arr(SQLPrivTypeGrant.INSERT_NOGRANT, SQLPrivTypeGrant.DELETE_NOGRANT))); - op2Priv.put(HiveOperationType.LOAD, new InOutPrivs(SEL_NOGRANT_AR, + + op2Priv.put(HiveOperationType.LOAD, new InOutPrivs(OWNER_INS_SEL_DEL_NOGRANT_AR, arr(SQLPrivTypeGrant.INSERT_NOGRANT, SQLPrivTypeGrant.DELETE_NOGRANT))); // show create table is more sensitive information, includes table properties etc 
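Review bot: CREATETABLE_AS_SELECT drops its output requirement from `OWNER_PRIV_AR` to `null`, so after this change nothing in this table is required of the objects a CTAS writes to. The CREATETABLE entry in the next hunk also has `null` on the output side, while the updated `.q.out` files in this commit list `database:default` as an Output of CREATETABLE. If the database is now passed as an output object, the "require db ownership" stated in that comment is no longer enforced by either entry. Either keep an ownership requirement on the output side or add a comment naming where database ownership is checked for these two operations.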
@@ -168,8 +177,9 @@ op2Priv.put(HiveOperationType.LOCKTABLE, new InOutPrivs(null, null)); op2Priv.put(HiveOperationType.UNLOCKTABLE, new InOutPrivs(null, null)); - // require db ownership - op2Priv.put(HiveOperationType.CREATETABLE, new InOutPrivs(OWNER_PRIV_AR, null)); + // require db ownership, if there is a file require SELECT , INSERT, and DELETE + op2Priv.put(HiveOperationType.CREATETABLE, + new InOutPrivs(OWNER_INS_SEL_DEL_NOGRANT_AR, null)); op2Priv.put(HiveOperationType.ALTERDATABASE, new InOutPrivs(OWNER_PRIV_AR, null)); op2Priv.put(HiveOperationType.DESCDATABASE, new InOutPrivs(null, null)); diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/RequiredPrivileges.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/RequiredPrivileges.java index 10a582b..a577dfe 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/RequiredPrivileges.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/RequiredPrivileges.java @@ -58,6 +58,9 @@ public void addPrivilege(String priv, boolean withGrant) throws HiveAuthzPluginE */ public Collection findMissingPrivs(RequiredPrivileges availPrivs) { MissingPrivilegeCapturer missingPrivCapturer = new MissingPrivilegeCapturer(); + if(availPrivs == null ){ + availPrivs = new RequiredPrivileges(); //create an empty priv set + } if(availPrivs.privilegeGrantSet.contains(SQLPrivTypeGrant.ADMIN_PRIV)){ //you are an admin! You have all privileges, no missing privileges @@ -72,7 +75,7 @@ public void addPrivilege(String priv, boolean withGrant) throws HiveAuthzPluginE return missingPrivCapturer.getMissingPrivileges(); } - void addPrivilege(SQLPrivTypeGrant requiredPriv) { + public void addPrivilege(SQLPrivTypeGrant requiredPriv) { privilegeGrantSet.add(requiredPriv); } 
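Review bot: The Javadoc of `findMissingPrivs` does not mention the new null handling, which is the fail-closed behaviour callers now rely on. I would add `@param availPrivs privileges the principal holds; null is treated as an empty set, so every required privilege is reported missing`. I would also hold the substitute in a local rather than reassigning the parameter. The method body continues outside this hunk. The last hunk widens `addPrivilege(SQLPrivTypeGrant)` to `public`; a short comment that it exists so `SQLAuthorizationUtils` can build an "available" set would explain the wider visibility.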
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java index 4a9149f..f335a3b 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java @@ -17,6 +17,7 @@ */ package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd; +import java.io.IOException; import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; @@ -28,6 +29,12 @@ import java.util.Map; import java.util.Set; +import org.apache.hadoop.fs.FileStatus; +import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.fs.Path; +import org.apache.hadoop.fs.permission.FsAction; +import org.apache.hadoop.hive.common.FileUtils; +import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.metastore.IMetaStoreClient; import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege; import org.apache.hadoop.hive.metastore.api.HiveObjectRef; 
@@ -323,5 +330,42 @@ public static void assertNoMissingPrivilege(Collection missing } } + /** + * Map permissions for this uri to SQL Standard privileges + * @param filePath + * @param conf + * @param userName + * @return + * @throws HiveAuthzPluginException + */ + public static RequiredPrivileges getPrivilegesFromFS(Path filePath, HiveConf conf, + String userName) throws HiveAuthzPluginException { + // get the 'available privileges' from file system + + + RequiredPrivileges availPrivs = new RequiredPrivileges(); + // check file system permission + FileSystem fs; + try { + fs = FileSystem.get(filePath.toUri(), conf); + Path path = FileUtils.getParentThatExists(fs, filePath); + FileStatus fileStatus = fs.getFileStatus(path); + if (FileUtils.isOwnerOfFileHierarchy(fs, fileStatus, userName)) { + availPrivs.addPrivilege(SQLPrivTypeGrant.OWNER_PRIV); + } + if (FileUtils.isActionPermittedForFileHierarchy(fs, fileStatus, userName, FsAction.WRITE)) { + availPrivs.addPrivilege(SQLPrivTypeGrant.INSERT_NOGRANT); + availPrivs.addPrivilege(SQLPrivTypeGrant.DELETE_NOGRANT); + } + if (FileUtils.isActionPermittedForFileHierarchy(fs, fileStatus, userName, FsAction.READ)) { + availPrivs.addPrivilege(SQLPrivTypeGrant.SELECT_NOGRANT); + } + } catch (IOException e) { + String msg = "Error getting permissions for " + filePath + ": " + e.getMessage(); + throw new HiveAuthzPluginException(msg, e); + } + return availPrivs; + } + } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java index 40461f7..65020c3 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java 
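Review bot: When `filePath` does not exist, `getPrivilegesFromFS` falls back to the nearest existing ancestor and then runs the hierarchy checks on that ancestor. The privileges granted therefore depend on every file below the parent directory, not on whether the user may create the new child. This fails closed, but a single unrelated read-only file under a shared parent denies the request, and the cost grows with the size of that subtree. For the not-yet-existing case I would evaluate only the ancestor's own `FileStatus`, as sketched below for WRITE. The result is also a point-in-time reading of mode bits taken at authorization time, which deserves a sentence in the Javadoc along with the missing `@return` text.
```java
      Path path = FileUtils.getParentThatExists(fs, filePath);
      FileStatus fileStatus = fs.getFileStatus(path);
      // Target does not exist yet: the nearest existing ancestor decides, not its whole subtree.
      boolean ancestorOnly = !path.equals(filePath);
      boolean canWrite = ancestorOnly
          ? FileUtils.isActionPermittedForUser(userName, fileStatus, FsAction.WRITE)
          : FileUtils.isActionPermittedForFileHierarchy(fs, fileStatus, userName, FsAction.WRITE);
      if (canWrite) {
        availPrivs.addPrivilege(SQLPrivTypeGrant.INSERT_NOGRANT);
        availPrivs.addPrivilege(SQLPrivTypeGrant.DELETE_NOGRANT);
      }
      // … unchanged: OWNER_PRIV and READ -> SELECT_NOGRANT mapping, treated the same way …
```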
@@ -22,6 +22,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.hadoop.fs.Path; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.metastore.HiveMetaStore; import org.apache.hadoop.hive.metastore.IMetaStoreClient; 
@@ -78,32 +79,36 @@ public void checkPrivileges(HiveOperationType hiveOpType, List hObjs, IMetaStoreClient metastoreClient, String userName) - throws HiveAuthzPluginException, HiveAccessControlException { + private void checkPrivileges(SQLPrivTypeGrant[] reqPrivs, List hObjs, + IMetaStoreClient metastoreClient, String userName) throws HiveAuthzPluginException, + HiveAccessControlException { RequiredPrivileges requiredInpPrivs = new RequiredPrivileges(); requiredInpPrivs.addAll(reqPrivs); // check if this user has these privileges on the objects for (HivePrivilegeObject hObj : hObjs) { + RequiredPrivileges availPrivs = null; if (hObj.getType() == HivePrivilegeObjectType.LOCAL_URI) { } else if (hObj.getType() == HivePrivilegeObjectType.DFS_URI) { + availPrivs = SQLAuthorizationUtils.getPrivilegesFromFS(new Path(hObj.getTableViewURI()), + conf, userName); } else if (hObj.getType() == HivePrivilegeObjectType.PARTITION) { - // sql std authorization is managing privileges at the table/view levels only + // sql std authorization is managing privileges at the table/view levels + // only // ignore partitions } else { // get the privileges that this user has on the object - RequiredPrivileges availPrivs = SQLAuthorizationUtils.getPrivilegesFromMetaStore( - metastoreClient, userName, hObj, privController.getCurrentRoles(), - privController.isUserAdmin()); - Collection missingPriv = requiredInpPrivs - .findMissingPrivs(availPrivs); - SQLAuthorizationUtils.assertNoMissingPrivilege(missingPriv, new HivePrincipal(userName, - HivePrincipalType.USER), hObj); + availPrivs = SQLAuthorizationUtils.getPrivilegesFromMetaStore(metastoreClient, userName, + hObj, privController.getCurrentRoles(), privController.isUserAdmin()); } + Collection missingPriv = requiredInpPrivs.findMissingPrivs(availPrivs); + SQLAuthorizationUtils.assertNoMissingPrivilege(missingPriv, new HivePrincipal(userName, + HivePrincipalType.USER), hObj); + } } + } 
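Review bot: The PARTITION and LOCAL_URI branches leave `availPrivs` as `null`, and the missing-privilege check now runs after the `if` chain for every object type. With the null-to-empty handling added to `findMissingPrivs`, any non-empty requirement on a partition or local URI is reported as missing, although the comment still says partitions are ignored. If ignoring is intended, put `continue;` in the PARTITION branch. For LOCAL_URI, decide explicitly and replace the empty block with either `continue;` or a comment stating that access is denied on purpose.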
diff --git a/ql/src/test/queries/clientnegative/authorization_uri_add_partition.q b/ql/src/test/queries/clientnegative/authorization_uri_add_partition.q new file mode 100644 index 0000000..45a436f --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_uri_add_partition.q @@ -0,0 +1,10 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set hive.security.authorization.enabled=true; + +dfs ${system:test.dfs.mkdir} ${system:test.tmp.dir}/a_uri_add_part; +dfs -touchz ${system:test.tmp.dir}/a_uri_add_part/1.txt; +dfs -chmod 555 ${system:test.tmp.dir}/a_uri_add_part/1.txt; + +create table tpart(i int, j int) partitioned by (k string); +alter table tpart add partition (k = 'abc') location '${system:test.tmp.dir}/a_uri_add_part/'; diff --git a/ql/src/test/queries/clientnegative/authorization_uri_create_table1.q b/ql/src/test/queries/clientnegative/authorization_uri_create_table1.q new file mode 100644 index 0000000..83c1086 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_uri_create_table1.q @@ -0,0 +1,11 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set hive.security.authorization.enabled=true; + +dfs ${system:test.dfs.mkdir} ${system:test.tmp.dir}/a_uri_crtab1; +dfs -touchz ${system:test.tmp.dir}/a_uri_crtab1/1.txt; +dfs -chmod 555 ${system:test.tmp.dir}/a_uri_crtab1/1.txt; + +create table t1(i int) location '${system:test.tmp.dir}/a_uri_crtab_ext'; + +-- Attempt to create table with dir that does not have write permission should fail 
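Review bot: In `authorization_uri_create_table1.q` the prepared directory is `a_uri_crtab1`, but the `create table` statement points at `a_uri_crtab_ext`, so the read-only file set up above is never the target of the statement under test. The negative test can then fail (or pass) for a reason unrelated to the permission it is meant to cover. The location should be `create table t1(i int) location '${system:test.tmp.dir}/a_uri_crtab1';`. The trailing comment mentions a directory without write permission, while the `chmod 555` is applied to `1.txt` only; wording it as "a file under the location is not writable" would match what is set up.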
diff --git a/ql/src/test/queries/clientnegative/authorization_uri_create_table_ext.q b/ql/src/test/queries/clientnegative/authorization_uri_create_table_ext.q new file mode 100644 index 0000000..c4ae6f4 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_uri_create_table_ext.q @@ -0,0 +1,11 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set hive.security.authorization.enabled=true; + +dfs ${system:test.dfs.mkdir} ${system:test.tmp.dir}/a_uri_crtab_ext; +dfs -touchz ${system:test.tmp.dir}/a_uri_crtab_ext/1.txt; +dfs -chmod 555 ${system:test.tmp.dir}/a_uri_crtab_ext/1.txt; + +create external table t1(i int) location '${system:test.tmp.dir}/a_uri_crtab_ext'; + +-- Attempt to create table with dir that does not have write permission should fail diff --git a/ql/src/test/queries/clientnegative/authorization_uri_load_data.q b/ql/src/test/queries/clientnegative/authorization_uri_load_data.q new file mode 100644 index 0000000..39ac2ba --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_uri_load_data.q @@ -0,0 +1,11 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set hive.security.authorization.enabled=true; + +dfs ${system:test.dfs.mkdir} ${system:test.tmp.dir}/a_uri_add_part; +dfs -touchz ${system:test.tmp.dir}/a_uri_add_part/1.txt; +dfs -chmod 555 ${system:test.tmp.dir}/a_uri_add_part/1.txt; + +create table t1(i int); +load data inpath 'pfile:${system:test.tmp.dir}/a_uri_add_part/' overwrite into table t1; + 
diff --git a/ql/src/test/results/clientnegative/authorization_addpartition.q.out b/ql/src/test/results/clientnegative/authorization_addpartition.q.out index f4d3b4f..c22afc3 100644 --- a/ql/src/test/results/clientnegative/authorization_addpartition.q.out +++ b/ql/src/test/results/clientnegative/authorization_addpartition.q.out @@ -1,8 +1,10 @@ PREHOOK: query: -- check add partition without insert privilege create table tpart(i int, j int) partitioned by (k string) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- check add partition without insert privilege create table tpart(i int, j int) partitioned by (k string) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@tpart -FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.tpart] : [INSERT] +#### A masked pattern was here #### diff --git a/ql/src/test/results/clientnegative/authorization_createview.q.out b/ql/src/test/results/clientnegative/authorization_createview.q.out index cb81b83..c86bdfa 100644 --- a/ql/src/test/results/clientnegative/authorization_createview.q.out +++ b/ql/src/test/results/clientnegative/authorization_createview.q.out @@ -1,8 +1,10 @@ PREHOOK: query: -- check create view without select privileges create table t1(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- check create view without select privileges create table t1(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@t1 FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [SELECT with grant] diff --git a/ql/src/test/results/clientnegative/authorization_ctas.q.out b/ql/src/test/results/clientnegative/authorization_ctas.q.out index 1070468..f8395b7 100644 
--- a/ql/src/test/results/clientnegative/authorization_ctas.q.out +++ b/ql/src/test/results/clientnegative/authorization_ctas.q.out @@ -1,8 +1,10 @@ PREHOOK: query: -- check query without select privilege fails create table t1(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- check query without select privilege fails create table t1(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@t1 FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [SELECT] diff --git a/ql/src/test/results/clientnegative/authorization_droppartition.q.out b/ql/src/test/results/clientnegative/authorization_droppartition.q.out index 7de553b..ca71bad 100644 --- a/ql/src/test/results/clientnegative/authorization_droppartition.q.out +++ b/ql/src/test/results/clientnegative/authorization_droppartition.q.out @@ -1,15 +1,10 @@ PREHOOK: query: -- check drop partition without delete privilege create table tpart(i int, j int) partitioned by (k string) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- check drop partition without delete privilege create table tpart(i int, j int) partitioned by (k string) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@tpart #### A masked pattern was here #### -PREHOOK: type: ALTERTABLE_ADDPARTS -PREHOOK: Input: default@tpart -#### A masked pattern was here #### -POSTHOOK: type: ALTERTABLE_ADDPARTS -POSTHOOK: Input: default@tpart -POSTHOOK: Output: default@tpart@k=abc -FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.tpart] : [DELETE] 
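Review bot: The new expected output for `authorization_droppartition.q.out` ends at a masked line directly after the CREATETABLE hooks, and the removed lines show that the ALTERTABLE_ADDPARTS step used to succeed before the DELETE denial was reported. It therefore looks as if the test now stops at the add-partition step and no longer reaches the drop-partition check it is named for. `authorization_addpartition.q.out` in the previous hunk likewise replaces the explicit `[INSERT]` denial with a masked line, so neither file pins which privilege on which object was refused. I would adjust the `.q` setup so the add-partition step is authorized and keep an unmasked `HiveAccessControlException` line in the expected output.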
diff --git a/ql/src/test/results/clientnegative/authorization_fail_1.q.out b/ql/src/test/results/clientnegative/authorization_fail_1.q.out index ab1abe2..7af4ae8 100644 --- a/ql/src/test/results/clientnegative/authorization_fail_1.q.out +++ b/ql/src/test/results/clientnegative/authorization_fail_1.q.out @@ -1,7 +1,9 @@ PREHOOK: query: create table authorization_fail_1 (key int, value string) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: create table authorization_fail_1 (key int, value string) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@authorization_fail_1 PREHOOK: query: grant Create on table authorization_fail_1 to user hive_test_user PREHOOK: type: GRANT_PRIVILEGE diff --git a/ql/src/test/results/clientnegative/authorization_fail_2.q.out b/ql/src/test/results/clientnegative/authorization_fail_2.q.out index 2c03b65..b2aadb7 100644 --- a/ql/src/test/results/clientnegative/authorization_fail_2.q.out +++ b/ql/src/test/results/clientnegative/authorization_fail_2.q.out @@ -1,6 +1,8 @@ PREHOOK: query: create table authorization_fail_2 (key int, value string) partitioned by (ds string) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: create table authorization_fail_2 (key int, value string) partitioned by (ds string) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@authorization_fail_2 -Authorization failed:No privilege 'Create' found for inputs { database:default, table:authorization_fail_2}. Use SHOW GRANT to get more details. +Authorization failed:No privilege 'Create' found for outputs { database:default, table:authorization_fail_2}. Use SHOW GRANT to get more details. diff --git a/ql/src/test/results/clientnegative/authorization_fail_3.q.out b/ql/src/test/results/clientnegative/authorization_fail_3.q.out index bfba08a..d3b2a7c 100644 --- a/ql/src/test/results/clientnegative/authorization_fail_3.q.out 
+++ b/ql/src/test/results/clientnegative/authorization_fail_3.q.out @@ -2,10 +2,12 @@ PREHOOK: query: -- SORT_BEFORE_DIFF create table authorization_fail_3 (key int, value string) partitioned by (ds string) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- SORT_BEFORE_DIFF create table authorization_fail_3 (key int, value string) partitioned by (ds string) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@authorization_fail_3 PREHOOK: query: grant Create on table authorization_fail_3 to user hive_test_user PREHOOK: type: GRANT_PRIVILEGE @@ -15,10 +17,10 @@ POSTHOOK: type: GRANT_PRIVILEGE POSTHOOK: Output: default@authorization_fail_3 PREHOOK: query: alter table authorization_fail_3 add partition (ds='2010') PREHOOK: type: ALTERTABLE_ADDPARTS -PREHOOK: Input: default@authorization_fail_3 +PREHOOK: Output: default@authorization_fail_3 POSTHOOK: query: alter table authorization_fail_3 add partition (ds='2010') POSTHOOK: type: ALTERTABLE_ADDPARTS -POSTHOOK: Input: default@authorization_fail_3 +POSTHOOK: Output: default@authorization_fail_3 POSTHOOK: Output: default@authorization_fail_3@ds=2010 PREHOOK: query: show grant user hive_test_user on table authorization_fail_3 PREHOOK: type: SHOW_GRANT diff --git a/ql/src/test/results/clientnegative/authorization_fail_4.q.out b/ql/src/test/results/clientnegative/authorization_fail_4.q.out index 34ad4ef..3ce149b 100644 --- a/ql/src/test/results/clientnegative/authorization_fail_4.q.out +++ b/ql/src/test/results/clientnegative/authorization_fail_4.q.out 
@@ -2,10 +2,12 @@ PREHOOK: query: -- SORT_BEFORE_DIFF create table authorization_fail_4 (key int, value string) partitioned by (ds string) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- SORT_BEFORE_DIFF create table authorization_fail_4 (key int, value string) partitioned by (ds string) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@authorization_fail_4 PREHOOK: query: grant Alter on table authorization_fail_4 to user hive_test_user PREHOOK: type: GRANT_PRIVILEGE @@ -29,10 +31,10 @@ POSTHOOK: type: GRANT_PRIVILEGE POSTHOOK: Output: default@authorization_fail_4 PREHOOK: query: alter table authorization_fail_4 add partition (ds='2010') PREHOOK: type: ALTERTABLE_ADDPARTS -PREHOOK: Input: default@authorization_fail_4 +PREHOOK: Output: default@authorization_fail_4 POSTHOOK: query: alter table authorization_fail_4 add partition (ds='2010') POSTHOOK: type: ALTERTABLE_ADDPARTS -POSTHOOK: Input: default@authorization_fail_4 +POSTHOOK: Output: default@authorization_fail_4 POSTHOOK: Output: default@authorization_fail_4@ds=2010 PREHOOK: query: show grant user hive_test_user on table authorization_fail_4 PREHOOK: type: SHOW_GRANT diff --git a/ql/src/test/results/clientnegative/authorization_fail_5.q.out b/ql/src/test/results/clientnegative/authorization_fail_5.q.out index a0289fb..72b074f 100644 --- a/ql/src/test/results/clientnegative/authorization_fail_5.q.out +++ b/ql/src/test/results/clientnegative/authorization_fail_5.q.out 
@@ -2,10 +2,12 @@ PREHOOK: query: -- SORT_BEFORE_DIFF create table authorization_fail (key int, value string) partitioned by (ds string) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- SORT_BEFORE_DIFF create table authorization_fail (key int, value string) partitioned by (ds string) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@authorization_fail PREHOOK: query: grant Alter on table authorization_fail to user hive_test_user PREHOOK: type: GRANT_PRIVILEGE @@ -35,10 +37,10 @@ POSTHOOK: type: GRANT_PRIVILEGE POSTHOOK: Output: default@authorization_fail PREHOOK: query: alter table authorization_fail add partition (ds='2010') PREHOOK: type: ALTERTABLE_ADDPARTS -PREHOOK: Input: default@authorization_fail +PREHOOK: Output: default@authorization_fail POSTHOOK: query: alter table authorization_fail add partition (ds='2010') POSTHOOK: type: ALTERTABLE_ADDPARTS -POSTHOOK: Input: default@authorization_fail +POSTHOOK: Output: default@authorization_fail POSTHOOK: Output: default@authorization_fail@ds=2010 PREHOOK: query: show grant user hive_test_user on table authorization_fail PREHOOK: type: SHOW_GRANT diff --git a/ql/src/test/results/clientnegative/authorization_fail_6.q.out b/ql/src/test/results/clientnegative/authorization_fail_6.q.out index 47f8bd1..9c7d80e 100644 --- a/ql/src/test/results/clientnegative/authorization_fail_6.q.out +++ b/ql/src/test/results/clientnegative/authorization_fail_6.q.out 
@@ -2,9 +2,11 @@ PREHOOK: query: -- SORT_BEFORE_DIFF create table authorization_part_fail (key int, value string) partitioned by (ds string) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- SORT_BEFORE_DIFF create table authorization_part_fail (key int, value string) partitioned by (ds string) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@authorization_part_fail Authorization failed:No privilege 'Alter' found for inputs { database:default, table:authorization_part_fail}. Use SHOW GRANT to get more details. diff --git a/ql/src/test/results/clientnegative/authorization_fail_7.q.out b/ql/src/test/results/clientnegative/authorization_fail_7.q.out index a9bf0cc..00e457d 100644 --- a/ql/src/test/results/clientnegative/authorization_fail_7.q.out +++ b/ql/src/test/results/clientnegative/authorization_fail_7.q.out @@ -2,10 +2,12 @@ PREHOOK: query: -- SORT_BEFORE_DIFF create table authorization_fail (key int, value string) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- SORT_BEFORE_DIFF create table authorization_fail (key int, value string) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@authorization_fail PREHOOK: query: create role hive_test_role_fail PREHOOK: type: CREATEROLE @@ -25,8 +27,8 @@ PREHOOK: query: show role grant user hive_test_user PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user hive_test_user POSTHOOK: type: SHOW_ROLE_GRANT -hive_test_role_fail -1 hive_test_user USER false -1 hive_test_user PUBLIC -1 false -1 +hive_test_role_fail -1 hive_test_user USER false -1 hive_test_user PREHOOK: query: show grant role hive_test_role_fail on table authorization_fail PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant role hive_test_role_fail on table authorization_fail 
diff --git a/ql/src/test/results/clientnegative/authorization_grant_table_allpriv.q.out b/ql/src/test/results/clientnegative/authorization_grant_table_allpriv.q.out index 0e17c94..4aa7058 100644 --- a/ql/src/test/results/clientnegative/authorization_grant_table_allpriv.q.out +++ b/ql/src/test/results/clientnegative/authorization_grant_table_allpriv.q.out @@ -2,10 +2,12 @@ PREHOOK: query: -- current user has been set (comment line before the set cmd is CREATE TABLE table_priv_allf(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- current user has been set (comment line before the set cmd is resulting in parse error!!) CREATE TABLE table_priv_allf(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@table_priv_allf PREHOOK: query: -- grant insert to user2 WITH grant option GRANT INSERT ON table_priv_allf TO USER user2 with grant option diff --git a/ql/src/test/results/clientnegative/authorization_grant_table_fail1.q.out b/ql/src/test/results/clientnegative/authorization_grant_table_fail1.q.out index 0c83849..f042c1e 100644 --- a/ql/src/test/results/clientnegative/authorization_grant_table_fail1.q.out +++ b/ql/src/test/results/clientnegative/authorization_grant_table_fail1.q.out @@ -2,10 +2,12 @@ PREHOOK: query: -- current user has been set (comment line before the set cmd is CREATE TABLE table_priv_gfail1(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- current user has been set (comment line before the set cmd is resulting in parse error!!) CREATE TABLE table_priv_gfail1(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@table_priv_gfail1 PREHOOK: query: -- try grant insert to user3 as user2 GRANT INSERT ON table_priv_gfail1 TO USER user3 
diff --git a/ql/src/test/results/clientnegative/authorization_grant_table_fail_nogrant.q.out b/ql/src/test/results/clientnegative/authorization_grant_table_fail_nogrant.q.out index 129b5fa..a906a70 100644 --- a/ql/src/test/results/clientnegative/authorization_grant_table_fail_nogrant.q.out +++ b/ql/src/test/results/clientnegative/authorization_grant_table_fail_nogrant.q.out @@ -2,10 +2,12 @@ PREHOOK: query: -- current user has been set (comment line before the set cmd is CREATE TABLE table_priv_gfail1(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- current user has been set (comment line before the set cmd is resulting in parse error!!) CREATE TABLE table_priv_gfail1(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@table_priv_gfail1 PREHOOK: query: -- grant insert to user2 WITHOUT grant option GRANT INSERT ON table_priv_gfail1 TO USER user2 diff --git a/ql/src/test/results/clientnegative/authorization_insert_noinspriv.q.out b/ql/src/test/results/clientnegative/authorization_insert_noinspriv.q.out index 6d510f1..ee8d49e 100644 --- a/ql/src/test/results/clientnegative/authorization_insert_noinspriv.q.out +++ b/ql/src/test/results/clientnegative/authorization_insert_noinspriv.q.out 
@@ -1,13 +1,17 @@ PREHOOK: query: -- check insert without select priv create table t1(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- check insert without select priv create table t1(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@t1 PREHOOK: query: create table user2tab(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: create table user2tab(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@user2tab FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [INSERT, DELETE] diff --git a/ql/src/test/results/clientnegative/authorization_insert_noselectpriv.q.out b/ql/src/test/results/clientnegative/authorization_insert_noselectpriv.q.out index 5b9b93a..46ada3b 100644 --- a/ql/src/test/results/clientnegative/authorization_insert_noselectpriv.q.out +++ b/ql/src/test/results/clientnegative/authorization_insert_noselectpriv.q.out @@ -1,13 +1,17 @@ PREHOOK: query: -- check insert without select priv create table t1(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- check insert without select priv create table t1(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@t1 PREHOOK: query: create table t2(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: create table t2(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@t2 FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [SELECT] 
diff --git a/ql/src/test/results/clientnegative/authorization_invalid_priv_v1.q.out b/ql/src/test/results/clientnegative/authorization_invalid_priv_v1.q.out index 10d1ca8..d1ccf03 100644 --- a/ql/src/test/results/clientnegative/authorization_invalid_priv_v1.q.out +++ b/ql/src/test/results/clientnegative/authorization_invalid_priv_v1.q.out @@ -1,6 +1,8 @@ PREHOOK: query: create table if not exists authorization_invalid_v1 (key int, value string) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: create table if not exists authorization_invalid_v1 (key int, value string) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@authorization_invalid_v1 FAILED: SemanticException Undefined privilege Delete diff --git a/ql/src/test/results/clientnegative/authorization_invalid_priv_v2.q.out b/ql/src/test/results/clientnegative/authorization_invalid_priv_v2.q.out index 62aa8da..1fb2abc 100644 --- a/ql/src/test/results/clientnegative/authorization_invalid_priv_v2.q.out +++ b/ql/src/test/results/clientnegative/authorization_invalid_priv_v2.q.out @@ -1,7 +1,9 @@ PREHOOK: query: create table if not exists authorization_invalid_v2 (key int, value string) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: create table if not exists authorization_invalid_v2 (key int, value string) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@authorization_invalid_v2 PREHOOK: query: grant index on table authorization_invalid_v2 to user hive_test_user PREHOOK: type: GRANT_PRIVILEGE diff --git a/ql/src/test/results/clientnegative/authorization_not_owner_alter_tab_rename.q.out b/ql/src/test/results/clientnegative/authorization_not_owner_alter_tab_rename.q.out index e41702a..8a7f2d2 100644 --- a/ql/src/test/results/clientnegative/authorization_not_owner_alter_tab_rename.q.out +++ b/ql/src/test/results/clientnegative/authorization_not_owner_alter_tab_rename.q.out 
@@ -1,8 +1,10 @@ PREHOOK: query: -- check if alter table fails as different user create table t1(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- check if alter table fails as different user create table t1(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@t1 FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [OBJECT OWNERSHIP] diff --git a/ql/src/test/results/clientnegative/authorization_not_owner_alter_tab_serdeprop.q.out b/ql/src/test/results/clientnegative/authorization_not_owner_alter_tab_serdeprop.q.out index e41702a..8a7f2d2 100644 --- a/ql/src/test/results/clientnegative/authorization_not_owner_alter_tab_serdeprop.q.out +++ b/ql/src/test/results/clientnegative/authorization_not_owner_alter_tab_serdeprop.q.out @@ -1,8 +1,10 @@ PREHOOK: query: -- check if alter table fails as different user create table t1(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- check if alter table fails as different user create table t1(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@t1 FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [OBJECT OWNERSHIP] diff --git a/ql/src/test/results/clientnegative/authorization_not_owner_drop_tab.q.out b/ql/src/test/results/clientnegative/authorization_not_owner_drop_tab.q.out index b456aca..4378b12 100644 --- a/ql/src/test/results/clientnegative/authorization_not_owner_drop_tab.q.out +++ b/ql/src/test/results/clientnegative/authorization_not_owner_drop_tab.q.out 
@@ -1,8 +1,10 @@ PREHOOK: query: -- check if create table fails as different user create table t1(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- check if create table fails as different user create table t1(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@t1 FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [OBJECT OWNERSHIP] diff --git a/ql/src/test/results/clientnegative/authorization_not_owner_drop_view.q.out b/ql/src/test/results/clientnegative/authorization_not_owner_drop_view.q.out index 2433846..80378ac 100644 --- a/ql/src/test/results/clientnegative/authorization_not_owner_drop_view.q.out +++ b/ql/src/test/results/clientnegative/authorization_not_owner_drop_view.q.out @@ -1,9 +1,11 @@ PREHOOK: query: -- check if create table fails as different user create table t1(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- check if create table fails as different user create table t1(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@t1 PREHOOK: query: create view vt1 as select * from t1 PREHOOK: type: CREATEVIEW diff --git a/ql/src/test/results/clientnegative/authorization_part.q.out b/ql/src/test/results/clientnegative/authorization_part.q.out index 31dfda9..17720e0 100644 --- a/ql/src/test/results/clientnegative/authorization_part.q.out +++ b/ql/src/test/results/clientnegative/authorization_part.q.out 
@@ -2,10 +2,12 @@ PREHOOK: query: -- SORT_BEFORE_DIFF create table authorization_part_fail (key int, value string) partitioned by (ds string) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- SORT_BEFORE_DIFF create table authorization_part_fail (key int, value string) partitioned by (ds string) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@authorization_part_fail PREHOOK: query: ALTER TABLE authorization_part_fail SET TBLPROPERTIES ("PARTITION_LEVEL_PRIVILEGE"="TRUE") PREHOOK: type: ALTERTABLE_PROPERTIES diff --git a/ql/src/test/results/clientnegative/authorization_priv_current_role_neg.q.out b/ql/src/test/results/clientnegative/authorization_priv_current_role_neg.q.out index f932a3d..8e2ce90 100644 --- a/ql/src/test/results/clientnegative/authorization_priv_current_role_neg.q.out +++ b/ql/src/test/results/clientnegative/authorization_priv_current_role_neg.q.out @@ -18,8 +18,10 @@ POSTHOOK: query: grant role role2 to user user2 POSTHOOK: type: GRANT_ROLE PREHOOK: query: create table tpriv_current_role(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: create table tpriv_current_role(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@tpriv_current_role PREHOOK: query: grant all on table tpriv_current_role to role role2 with grant option PREHOOK: type: GRANT_PRIVILEGE diff --git a/ql/src/test/results/clientnegative/authorization_revoke_table_fail1.q.out b/ql/src/test/results/clientnegative/authorization_revoke_table_fail1.q.out index 0f4c966..eb3abec 100644 --- a/ql/src/test/results/clientnegative/authorization_revoke_table_fail1.q.out +++ b/ql/src/test/results/clientnegative/authorization_revoke_table_fail1.q.out 
@@ -2,10 +2,12 @@ PREHOOK: query: -- current user has been set (comment line before the set cmd is CREATE TABLE table_priv_rfail1(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- current user has been set (comment line before the set cmd is resulting in parse error!!) CREATE TABLE table_priv_rfail1(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@table_priv_rfail1 PREHOOK: query: -- grant insert to user2 GRANT INSERT ON table_priv_rfail1 TO USER user2 diff --git a/ql/src/test/results/clientnegative/authorization_revoke_table_fail2.q.out b/ql/src/test/results/clientnegative/authorization_revoke_table_fail2.q.out index c671c8a..e304632 100644 --- a/ql/src/test/results/clientnegative/authorization_revoke_table_fail2.q.out +++ b/ql/src/test/results/clientnegative/authorization_revoke_table_fail2.q.out @@ -2,10 +2,12 @@ PREHOOK: query: -- current user has been set (comment line before the set cmd is CREATE TABLE table_priv_rfai2(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- current user has been set (comment line before the set cmd is resulting in parse error!!) CREATE TABLE table_priv_rfai2(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@table_priv_rfai2 PREHOOK: query: -- grant insert to user2 GRANT INSERT ON table_priv_rfai2 TO USER user2 diff --git a/ql/src/test/results/clientnegative/authorization_select.q.out b/ql/src/test/results/clientnegative/authorization_select.q.out index 1070468..f8395b7 100644 --- a/ql/src/test/results/clientnegative/authorization_select.q.out +++ b/ql/src/test/results/clientnegative/authorization_select.q.out 
@@ -1,8 +1,10 @@ PREHOOK: query: -- check query without select privilege fails create table t1(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- check query without select privilege fails create table t1(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@t1 FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [SELECT] diff --git a/ql/src/test/results/clientnegative/authorization_select_view.q.out b/ql/src/test/results/clientnegative/authorization_select_view.q.out index e70a79c..f253870 100644 --- a/ql/src/test/results/clientnegative/authorization_select_view.q.out +++ b/ql/src/test/results/clientnegative/authorization_select_view.q.out @@ -1,9 +1,11 @@ PREHOOK: query: -- check create view without select privileges create table t1(i int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- check create view without select privileges create table t1(i int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@t1 PREHOOK: query: create view v1 as select * from t1 PREHOOK: type: CREATEVIEW diff --git a/ql/src/test/results/clientnegative/authorization_truncate.q.out b/ql/src/test/results/clientnegative/authorization_truncate.q.out index c188831..4d51bc4 100644 --- a/ql/src/test/results/clientnegative/authorization_truncate.q.out +++ b/ql/src/test/results/clientnegative/authorization_truncate.q.out 
@@ -1,8 +1,10 @@ PREHOOK: query: -- check add partition without insert privilege create table t1(i int, j int) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: -- check add partition without insert privilege create table t1(i int, j int) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@t1 FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [OBJECT OWNERSHIP] diff --git a/ql/src/test/results/clientnegative/authorization_uri_add_partition.q.out b/ql/src/test/results/clientnegative/authorization_uri_add_partition.q.out new file mode 100644 index 0000000..15b5bce --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_uri_add_partition.q.out @@ -0,0 +1,8 @@ +PREHOOK: query: create table tpart(i int, j int) partitioned by (k string) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +POSTHOOK: query: create table tpart(i int, j int) partitioned by (k string) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@tpart +#### A masked pattern was here #### diff --git a/ql/src/test/results/clientnegative/authorization_uri_create_table1.q.out b/ql/src/test/results/clientnegative/authorization_uri_create_table1.q.out new file mode 100644 index 0000000..0b8182a --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_uri_create_table1.q.out @@ -0,0 +1 @@ +#### A masked pattern was here #### diff --git a/ql/src/test/results/clientnegative/authorization_uri_create_table_ext.q.out b/ql/src/test/results/clientnegative/authorization_uri_create_table_ext.q.out new file mode 100644 index 0000000..0b8182a --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_uri_create_table_ext.q.out @@ -0,0 +1 @@ +#### A masked pattern was here #### 
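Review bot: The new negative-test expectations do not record why the statement failed. `authorization_uri_add_partition.q.out` ends in `#### A masked pattern was here ####`, and `authorization_uri_create_table1.q.out` and `authorization_uri_create_table_ext.q.out` consist of that line alone. `authorization_uri_load_data.q.out` holds only `Command failed with exit code = -1` and `Query returned non-zero code: -1, cause: null`. As recorded, these tests would presumably still pass if the statement failed for an unrelated reason such as a missing path or a setup error, so the URI permission check is not actually pinned by the golden files. If the harness masking can be narrowed to the path portion, keep the exception type and the denied privilege visible, as the existing `authorization_select.q.out` does with `FAILED: HiveAccessControlException Permission denied. ...`. For the load-data case, surface a non-null cause that names the authorization failure.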
diff --git a/ql/src/test/results/clientnegative/authorization_uri_load_data.q.out b/ql/src/test/results/clientnegative/authorization_uri_load_data.q.out new file mode 100644 index 0000000..d888153 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_uri_load_data.q.out @@ -0,0 +1,2 @@ +Command failed with exit code = -1 +Query returned non-zero code: -1, cause: null diff --git a/ql/src/test/results/clientnegative/exim_22_export_authfail.q.out b/ql/src/test/results/clientnegative/exim_22_export_authfail.q.out index 1339bbc..c7b9c49 100644 --- a/ql/src/test/results/clientnegative/exim_22_export_authfail.q.out +++ b/ql/src/test/results/clientnegative/exim_22_export_authfail.q.out @@ -1,7 +1,9 @@ PREHOOK: query: create table exim_department ( dep_id int) stored as textfile PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: create table exim_department ( dep_id int) stored as textfile POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@exim_department #### A masked pattern was here #### Authorization failed:No privilege 'Select' found for inputs { database:default, table:exim_department}. Use SHOW GRANT to get more details. diff --git a/ql/src/test/results/clientnegative/exim_23_import_exist_authfail.q.out b/ql/src/test/results/clientnegative/exim_23_import_exist_authfail.q.out index 22eaac7..c6fb9de 100644 --- a/ql/src/test/results/clientnegative/exim_23_import_exist_authfail.q.out +++ b/ql/src/test/results/clientnegative/exim_23_import_exist_authfail.q.out 
@@ -1,13 +1,17 @@ PREHOOK: query: create table exim_department ( dep_id int) stored as textfile PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: create table exim_department ( dep_id int) stored as textfile POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@exim_department PREHOOK: query: load data local inpath "../../data/files/test.dat" into table exim_department PREHOOK: type: LOAD +#### A masked pattern was here #### PREHOOK: Output: default@exim_department POSTHOOK: query: load data local inpath "../../data/files/test.dat" into table exim_department POSTHOOK: type: LOAD +#### A masked pattern was here #### POSTHOOK: Output: default@exim_department #### A masked pattern was here #### PREHOOK: query: export table exim_department to 'ql/test/data/exports/exim_department' @@ -36,7 +40,9 @@ POSTHOOK: query: use importer POSTHOOK: type: SWITCHDATABASE PREHOOK: query: create table exim_department ( dep_id int) stored as textfile PREHOOK: type: CREATETABLE +PREHOOK: Output: database:importer POSTHOOK: query: create table exim_department ( dep_id int) stored as textfile POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:importer POSTHOOK: Output: importer@exim_department Authorization failed:No privilege 'Alter' found for outputs { database:importer, table:exim_department}. Use SHOW GRANT to get more details. diff --git a/ql/src/test/results/clientnegative/exim_24_import_part_authfail.q.out b/ql/src/test/results/clientnegative/exim_24_import_part_authfail.q.out index 6eee71e..945d3d2 100644 --- a/ql/src/test/results/clientnegative/exim_24_import_part_authfail.q.out +++ b/ql/src/test/results/clientnegative/exim_24_import_part_authfail.q.out 
@@ -4,20 +4,24 @@ PREHOOK: query: create table exim_employee ( emp_id int comment "employee id") stored as textfile tblproperties("creator"="krishna") PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: create table exim_employee ( emp_id int comment "employee id") comment "employee table" partitioned by (emp_country string comment "two char iso code", emp_state string comment "free text") stored as textfile tblproperties("creator"="krishna") POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@exim_employee PREHOOK: query: load data local inpath "../../data/files/test.dat" into table exim_employee partition (emp_country="in", emp_state="tn") PREHOOK: type: LOAD +#### A masked pattern was here #### PREHOOK: Output: default@exim_employee POSTHOOK: query: load data local inpath "../../data/files/test.dat" into table exim_employee partition (emp_country="in", emp_state="tn") POSTHOOK: type: LOAD +#### A masked pattern was here #### POSTHOOK: Output: default@exim_employee POSTHOOK: Output: default@exim_employee@emp_country=in/emp_state=tn #### A masked pattern was here #### @@ -51,11 +55,13 @@ PREHOOK: query: create table exim_employee ( emp_id int comment "employee id") stored as textfile tblproperties("creator"="krishna") PREHOOK: type: CREATETABLE +PREHOOK: Output: database:importer POSTHOOK: query: create table exim_employee ( emp_id int comment "employee id") comment "employee table" partitioned by (emp_country string comment "two char iso code", emp_state string comment "free text") stored as textfile tblproperties("creator"="krishna") POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:importer POSTHOOK: Output: importer@exim_employee Authorization failed:No privilege 'Alter' found for outputs { database:importer, table:exim_employee}. Use SHOW GRANT to get more details. 
diff --git a/ql/src/test/results/clientnegative/exim_25_import_nonexist_authfail.q.out b/ql/src/test/results/clientnegative/exim_25_import_nonexist_authfail.q.out index fb4224c..e606d72 100644 --- a/ql/src/test/results/clientnegative/exim_25_import_nonexist_authfail.q.out +++ b/ql/src/test/results/clientnegative/exim_25_import_nonexist_authfail.q.out @@ -1,13 +1,17 @@ PREHOOK: query: create table exim_department ( dep_id int) stored as textfile PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: create table exim_department ( dep_id int) stored as textfile POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@exim_department PREHOOK: query: load data local inpath "../../data/files/test.dat" into table exim_department PREHOOK: type: LOAD +#### A masked pattern was here #### PREHOOK: Output: default@exim_department POSTHOOK: query: load data local inpath "../../data/files/test.dat" into table exim_department POSTHOOK: type: LOAD +#### A masked pattern was here #### POSTHOOK: Output: default@exim_department #### A masked pattern was here #### PREHOOK: query: export table exim_department to 'ql/test/data/exports/exim_department' diff --git a/ql/src/test/results/clientnegative/load_exist_part_authfail.q.out b/ql/src/test/results/clientnegative/load_exist_part_authfail.q.out index fbbdd1c..787b1eb 100644 --- a/ql/src/test/results/clientnegative/load_exist_part_authfail.q.out +++ b/ql/src/test/results/clientnegative/load_exist_part_authfail.q.out 
@@ -1,13 +1,15 @@ PREHOOK: query: create table hive_test_src ( col1 string ) partitioned by (pcol1 string) stored as textfile PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: create table hive_test_src ( col1 string ) partitioned by (pcol1 string) stored as textfile POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@hive_test_src PREHOOK: query: alter table hive_test_src add partition (pcol1 = 'test_part') PREHOOK: type: ALTERTABLE_ADDPARTS -PREHOOK: Input: default@hive_test_src +PREHOOK: Output: default@hive_test_src POSTHOOK: query: alter table hive_test_src add partition (pcol1 = 'test_part') POSTHOOK: type: ALTERTABLE_ADDPARTS -POSTHOOK: Input: default@hive_test_src +POSTHOOK: Output: default@hive_test_src POSTHOOK: Output: default@hive_test_src@pcol1=test_part Authorization failed:No privilege 'Update' found for outputs { database:default, table:hive_test_src}. Use SHOW GRANT to get more details. diff --git a/ql/src/test/results/clientnegative/load_nonpart_authfail.q.out b/ql/src/test/results/clientnegative/load_nonpart_authfail.q.out index 1c364a5..cf48b14 100644 --- a/ql/src/test/results/clientnegative/load_nonpart_authfail.q.out +++ b/ql/src/test/results/clientnegative/load_nonpart_authfail.q.out @@ -1,6 +1,8 @@ PREHOOK: query: create table hive_test_src ( col1 string ) stored as textfile PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: create table hive_test_src ( col1 string ) stored as textfile POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@hive_test_src Authorization failed:No privilege 'Update' found for outputs { database:default, table:hive_test_src}. Use SHOW GRANT to get more details. diff --git a/ql/src/test/results/clientnegative/load_part_authfail.q.out b/ql/src/test/results/clientnegative/load_part_authfail.q.out index afc0aa4..2e896a8 100644 
--- a/ql/src/test/results/clientnegative/load_part_authfail.q.out +++ b/ql/src/test/results/clientnegative/load_part_authfail.q.out @@ -1,6 +1,8 @@ PREHOOK: query: create table hive_test_src ( col1 string ) partitioned by (pcol1 string) stored as textfile PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: create table hive_test_src ( col1 string ) partitioned by (pcol1 string) stored as textfile POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@hive_test_src Authorization failed:No privilege 'Update' found for outputs { database:default, table:hive_test_src}. Use SHOW GRANT to get more details. diff --git a/ql/src/test/results/clientpositive/alter_rename_partition_authorization.q.out b/ql/src/test/results/clientpositive/alter_rename_partition_authorization.q.out index 8a528a1..4433c13 100644 --- a/ql/src/test/results/clientpositive/alter_rename_partition_authorization.q.out +++ b/ql/src/test/results/clientpositive/alter_rename_partition_authorization.q.out @@ -11,8 +11,10 @@ POSTHOOK: Input: default@src POSTHOOK: Output: default@src_auth_tmp PREHOOK: query: create table authorization_part (key int, value string) partitioned by (ds string) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: create table authorization_part (key int, value string) partitioned by (ds string) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@authorization_part PREHOOK: query: ALTER TABLE authorization_part SET TBLPROPERTIES ("PARTITION_LEVEL_PRIVILEGE"="TRUE") PREHOOK: type: ALTERTABLE_PROPERTIES diff --git a/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out b/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out index a219478..2302da0 100644 --- a/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out +++ b/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out 
@@ -1,7 +1,9 @@ PREHOOK: query: create table src_autho_test (key STRING, value STRING) PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default POSTHOOK: query: create table src_autho_test (key STRING, value STRING) POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default POSTHOOK: Output: default@src_autho_test PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES diff --git a/ql/src/test/results/clientpositive/authorization_2.q.out b/ql/src/test/results/clientpositive/authorization_2.q.out index e21d5f5..9eef0e9 100644 --- a/ql/src/test/results/clientpositive/authorization_2.q.out +++ b/ql/src/test/results/clientpositive/authorization_2.q.out @@ -53,14 +53,14 @@ PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part POSTHOOK: type: SHOW_GRANT default authorization_part hive_test_user USER Create false -1 hive_test_user -default authorization_part hive_test_user USER Update false -1 hive_test_user default authorization_part hive_test_user USER Drop false -1 hive_test_user +default authorization_part hive_test_user USER Update false -1 hive_test_user PREHOOK: query: alter table authorization_part add partition (ds='2010') PREHOOK: type: ALTERTABLE_ADDPARTS -PREHOOK: Input: default@authorization_part +PREHOOK: Output: default@authorization_part POSTHOOK: query: alter table authorization_part add partition (ds='2010') POSTHOOK: type: ALTERTABLE_ADDPARTS -POSTHOOK: Input: default@authorization_part +POSTHOOK: Output: default@authorization_part POSTHOOK: Output: default@authorization_part@ds=2010 PREHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010') PREHOOK: type: SHOW_GRANT 
@@ -225,14 +225,14 @@ POSTHOOK: type: SHOW_GRANT POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] default authorization_part hive_test_user USER Create false -1 hive_test_user -default authorization_part hive_test_user USER Update false -1 hive_test_user default authorization_part hive_test_user USER Drop false -1 hive_test_user +default authorization_part hive_test_user USER Update false -1 hive_test_user PREHOOK: query: alter table authorization_part add partition (ds='2010') PREHOOK: type: ALTERTABLE_ADDPARTS -PREHOOK: Input: default@authorization_part +PREHOOK: Output: default@authorization_part POSTHOOK: query: alter table authorization_part add partition (ds='2010') POSTHOOK: type: ALTERTABLE_ADDPARTS -POSTHOOK: Input: default@authorization_part +POSTHOOK: Output: default@authorization_part POSTHOOK: Output: default@authorization_part@ds=2010 POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] 
@@ -296,9 +296,9 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] default authorization_part hive_test_user USER Create false -1 hive_test_user -default authorization_part hive_test_user USER Update false -1 hive_test_user default authorization_part hive_test_user USER Drop false -1 hive_test_user default authorization_part hive_test_user USER Select false -1 hive_test_user +default authorization_part hive_test_user USER Update false -1 hive_test_user PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@authorization_part @@ -352,8 +352,8 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] default authorization_part hive_test_user USER Create false -1 hive_test_user -default authorization_part hive_test_user USER Update false -1 hive_test_user default authorization_part hive_test_user USER Drop false -1 hive_test_user +default authorization_part hive_test_user USER Update false -1 hive_test_user PREHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010') PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010') 
@@ -447,10 +447,10 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] PREHOOK: query: alter table authorization_part add partition (ds='2010') PREHOOK: type: ALTERTABLE_ADDPARTS -PREHOOK: Input: default@authorization_part +PREHOOK: Output: default@authorization_part POSTHOOK: query: alter table authorization_part add partition (ds='2010') POSTHOOK: type: ALTERTABLE_ADDPARTS -POSTHOOK: Input: default@authorization_part +POSTHOOK: Output: default@authorization_part POSTHOOK: Output: default@authorization_part@ds=2010 POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] 
@@ -677,10 +677,10 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] PREHOOK: query: alter table authorization_part add partition (ds='2010') PREHOOK: type: ALTERTABLE_ADDPARTS -PREHOOK: Input: default@authorization_part +PREHOOK: Output: default@authorization_part POSTHOOK: query: alter table authorization_part add partition (ds='2010') POSTHOOK: type: ALTERTABLE_ADDPARTS -POSTHOOK: Input: default@authorization_part +POSTHOOK: Output: default@authorization_part POSTHOOK: Output: default@authorization_part@ds=2010 POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] diff --git a/ql/src/test/results/clientpositive/exim_21_export_authsuccess.q.out b/ql/src/test/results/clientpositive/exim_21_export_authsuccess.q.out index 5b9b81c..6ec0751 100644 --- a/ql/src/test/results/clientpositive/exim_21_export_authsuccess.q.out +++ b/ql/src/test/results/clientpositive/exim_21_export_authsuccess.q.out @@ -5,9 +5,11 @@ POSTHOOK: type: CREATETABLE POSTHOOK: Output: default@exim_department PREHOOK: query: load data local inpath "../../data/files/test.dat" into table exim_department PREHOOK: type: LOAD +#### A masked pattern was here #### PREHOOK: Output: default@exim_department POSTHOOK: query: load data local inpath "../../data/files/test.dat" into table exim_department POSTHOOK: type: LOAD +#### A masked pattern was here #### POSTHOOK: Output: default@exim_department PREHOOK: query: grant Select on table exim_department to user hive_test_user PREHOOK: type: GRANT_PRIVILEGE 
diff --git a/ql/src/test/results/clientpositive/exim_22_import_exist_authsuccess.q.out b/ql/src/test/results/clientpositive/exim_22_import_exist_authsuccess.q.out index 6746a44..227891f 100644 --- a/ql/src/test/results/clientpositive/exim_22_import_exist_authsuccess.q.out +++ b/ql/src/test/results/clientpositive/exim_22_import_exist_authsuccess.q.out @@ -5,9 +5,11 @@ POSTHOOK: type: CREATETABLE POSTHOOK: Output: default@exim_department PREHOOK: query: load data local inpath "../../data/files/test.dat" into table exim_department PREHOOK: type: LOAD +#### A masked pattern was here #### PREHOOK: Output: default@exim_department POSTHOOK: query: load data local inpath "../../data/files/test.dat" into table exim_department POSTHOOK: type: LOAD +#### A masked pattern was here #### POSTHOOK: Output: default@exim_department #### A masked pattern was here #### PREHOOK: query: export table exim_department to 'ql/test/data/exports/exim_department' diff --git a/ql/src/test/results/clientpositive/exim_23_import_part_authsuccess.q.out b/ql/src/test/results/clientpositive/exim_23_import_part_authsuccess.q.out index 4e0dfb0..36ad0d3 100644 --- a/ql/src/test/results/clientpositive/exim_23_import_part_authsuccess.q.out +++ b/ql/src/test/results/clientpositive/exim_23_import_part_authsuccess.q.out @@ -14,10 +14,12 @@ POSTHOOK: Output: default@exim_employee PREHOOK: query: load data local inpath "../../data/files/test.dat" into table exim_employee partition (emp_country="in", emp_state="tn") PREHOOK: type: LOAD +#### A masked pattern was here #### PREHOOK: Output: default@exim_employee POSTHOOK: query: load data local inpath "../../data/files/test.dat" into table exim_employee partition (emp_country="in", emp_state="tn") POSTHOOK: type: LOAD +#### A masked pattern was here #### POSTHOOK: Output: default@exim_employee POSTHOOK: Output: default@exim_employee@emp_country=in/emp_state=tn #### A masked pattern was here #### 
diff --git a/ql/src/test/results/clientpositive/exim_24_import_nonexist_authsuccess.q.out b/ql/src/test/results/clientpositive/exim_24_import_nonexist_authsuccess.q.out index 70e9385..3ff4c7e 100644 --- a/ql/src/test/results/clientpositive/exim_24_import_nonexist_authsuccess.q.out +++ b/ql/src/test/results/clientpositive/exim_24_import_nonexist_authsuccess.q.out @@ -5,9 +5,11 @@ POSTHOOK: type: CREATETABLE POSTHOOK: Output: default@exim_department PREHOOK: query: load data local inpath "../../data/files/test.dat" into table exim_department PREHOOK: type: LOAD +#### A masked pattern was here #### PREHOOK: Output: default@exim_department POSTHOOK: query: load data local inpath "../../data/files/test.dat" into table exim_department POSTHOOK: type: LOAD +#### A masked pattern was here #### POSTHOOK: Output: default@exim_department #### A masked pattern was here #### PREHOOK: query: export table exim_department to 'ql/test/data/exports/exim_department' diff --git a/ql/src/test/results/clientpositive/index_auth.q.out b/ql/src/test/results/clientpositive/index_auth.q.out index 2973eb3..4e648ee 100644 --- a/ql/src/test/results/clientpositive/index_auth.q.out +++ b/ql/src/test/results/clientpositive/index_auth.q.out @@ -5,10 +5,10 @@ POSTHOOK: type: CREATETABLE POSTHOOK: Output: default@foobar PREHOOK: query: alter table foobar add partition (ds='2008-04-08',hr='12') PREHOOK: type: ALTERTABLE_ADDPARTS -PREHOOK: Input: default@foobar +PREHOOK: Output: default@foobar POSTHOOK: query: alter table foobar add partition (ds='2008-04-08',hr='12') POSTHOOK: type: ALTERTABLE_ADDPARTS -POSTHOOK: Input: default@foobar +POSTHOOK: Output: default@foobar POSTHOOK: Output: default@foobar@ds=2008-04-08/hr=12 PREHOOK: query: CREATE INDEX srcpart_auth_index ON TABLE foobar(key) as 'BITMAP' WITH DEFERRED REBUILD PREHOOK: type: CREATEINDEX