diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
index c1afaee..0522d89 100644
--- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
+++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
@@ -275,7 +275,7 @@ public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAcces
 public void grantRole(List hivePrincipals, List roleNames, boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException {
- if (!isUserAdmin()) {
+ if (!(isUserAdmin() || doesUserHasAdminOption())) {
 throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed to grant role. Currently " + ADMIN_ONLY_MSG); }
@@ -307,7 +307,7 @@ public void revokeRole(List hivePrincipals, List roleName
 throw new HiveAuthzPluginException("Revoking only the admin privileges on " + "role is not currently supported"); }
- if (!isUserAdmin()) {
+ if (!(isUserAdmin() || doesUserHasAdminOption())) {
 throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed to revoke role. " + ADMIN_ONLY_MSG); }
@@ -453,4 +453,19 @@ boolean isUserAdmin() throws HiveAuthzPluginException {
 } return false; }
+
+ private boolean doesUserHasAdminOption() throws HiveAuthzPluginException {
+ List roles;
+ try {
+ roles = getCurrentRoles();
+ } catch (Exception e) {
+ throw new HiveAuthzPluginException(e);
+ }
+ for (HiveRole role : roles){
+ if (role.isGrantOption()) {
+ return true;
+ }
+ }
+ return false;
+ }
 }
diff --git ql/src/test/queries/clientpositive/authorization_role_grant2.q ql/src/test/queries/clientpositive/authorization_role_grant2.q
new file mode 100644
index 0000000..2a10efe 
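Review bot: `doesUserHasAdminOption()` (third hunk) never looks at the roles being granted, so the relaxed checks in `grantRole` and `revokeRole` (first and second hunks) pass for a user holding admin option on any one of their current roles, which lets that user grant or revoke roles they hold no admin option on. The helper should take the `roleNames` list both callers already have and require admin option on every requested role, with the call sites becoming `if (!(isUserAdmin() || doesUserHasAdminOption(roleNames))) {`, as sketched below. The rejection messages still end in `ADMIN_ONLY_MSG` even though the rule is no longer admin-only, so that text should be updated alongside. `catch (Exception e)` around `getCurrentRoles()` also converts programming errors into a `HiveAuthzPluginException`; catching only what that call declares would be tighter. The enclosing class continues outside the hunks, and the bodies of `grantRole` and `revokeRole` end outside the first two hunks.
```java
  private boolean doesUserHasAdminOption(List<String> roleNames) throws HiveAuthzPluginException {
    // An empty request must not be treated as "admin option held".
    if (roleNames == null || roleNames.isEmpty()) {
      return false;
    }
    List<HiveRole> roles;
    try {
      roles = getCurrentRoles();
    } catch (Exception e) {
      throw new HiveAuthzPluginException(e);
    }
    // Admin option must be held on every role named in the request, not on any role at all.
    for (String roleName : roleNames) {
      boolean hasAdminOption = false;
      for (HiveRole role : roles) {
        // TODO(review): compare role names the way the rest of this class does (case handling)
        if (role.isGrantOption() && role.getRoleName().equalsIgnoreCase(roleName)) {
          hasAdminOption = true;
          break;
        }
      }
      if (!hasAdminOption) {
        return false;
      }
    }
    return true;
  }
```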
--- /dev/null
+++ ql/src/test/queries/clientpositive/authorization_role_grant2.q
@@ -0,0 +1,33 @@
+set hive.users.in.admin.role=hive_admin_user;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+
+-- enable sql standard authorization
+-- role granting without role keyword
+set role ADMIN;
+create role src_role2;
+grant src_role2 to user user2 ;
+show role grant user user2;
+show roles;
+
+-- revoke role without role keyword
+revoke src_role2 from user user2;
+show role grant user user2;
+show roles;
+
+----------------------------------------
+-- role granting without role keyword, with admin option (syntax check)
+----------------------------------------
+
+create role src_role_wadmin;
+grant src_role_wadmin to user user2 with admin option;
+show role grant user user2;
+
+set user.name=user2;
+set role NONE;
+grant src_role_wadmin to user user3;
+show role grant user user3;
+revoke src_role_wadmin from user user3;
+show role grant user user3;
+
diff --git ql/src/test/results/clientpositive/authorization_role_grant2.q.out ql/src/test/results/clientpositive/authorization_role_grant2.q.out
new file mode 100644
index 0000000..a687f1d
--- /dev/null
+++ ql/src/test/results/clientpositive/authorization_role_grant2.q.out 
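Review bot: The admin-option section only exercises the permitted path — `user2`, who was granted `src_role_wadmin` with admin option, grants and revokes that same role — so it would pass even if the authorizer accepted any role from a user holding admin option on some other role. A companion negative case in which `user2` runs `grant src_role2 to user user3;` (a role it holds no admin option on) and is rejected would pin the intended restriction; in this tree such cases appear to belong under clientnegative rather than in this file. The banner reads `(syntax check)`, but the section also switches the effective user and the recorded grantor changes to `user2` in the expected output, so the comment understates what the section covers.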
@@ -0,0 +1,94 @@ +PREHOOK: query: -- enable sql standard authorization +-- role granting without role keyword +set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: -- enable sql standard authorization +-- role granting without role keyword +set role ADMIN +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: create role src_role2 +PREHOOK: type: CREATEROLE +POSTHOOK: query: create role src_role2 +POSTHOOK: type: CREATEROLE +PREHOOK: query: grant src_role2 to user user2 +PREHOOK: type: GRANT_ROLE +POSTHOOK: query: grant src_role2 to user user2 +POSTHOOK: type: GRANT_ROLE +PREHOOK: query: show role grant user user2 +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant user user2 +POSTHOOK: type: SHOW_ROLE_GRANT +PUBLIC -1 false -1 +src_role2 -1 user2 USER false -1 hive_admin_user +PREHOOK: query: show roles +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: show roles +POSTHOOK: type: SHOW_ROLES +ADMIN +PUBLIC +src_role2 + +PREHOOK: query: -- revoke role without role keyword +revoke src_role2 from user user2 +PREHOOK: type: REVOKE_ROLE +POSTHOOK: query: -- revoke role without role keyword +revoke src_role2 from user user2 +POSTHOOK: type: REVOKE_ROLE +PREHOOK: query: show role grant user user2 +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant user user2 +POSTHOOK: type: SHOW_ROLE_GRANT +PUBLIC -1 false -1 +PREHOOK: query: show roles +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: show roles +POSTHOOK: type: SHOW_ROLES +ADMIN +PUBLIC +src_role2 + +PREHOOK: query: ---------------------------------------- +-- role granting without role keyword, with admin option (syntax check) +---------------------------------------- + +create role src_role_wadmin +PREHOOK: type: CREATEROLE +POSTHOOK: query: ---------------------------------------- +-- role granting without role keyword, with admin option (syntax check) +---------------------------------------- + +create role src_role_wadmin +POSTHOOK: type: CREATEROLE +PREHOOK: query: grant src_role_wadmin to user 
user2 with admin option +PREHOOK: type: GRANT_ROLE +POSTHOOK: query: grant src_role_wadmin to user user2 with admin option +POSTHOOK: type: GRANT_ROLE +PREHOOK: query: show role grant user user2 +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant user user2 +POSTHOOK: type: SHOW_ROLE_GRANT +PUBLIC -1 false -1 +src_role_wadmin -1 user2 USER true -1 hive_admin_user +PREHOOK: query: set role NONE +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role NONE +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: grant src_role_wadmin to user user3 +PREHOOK: type: GRANT_ROLE +POSTHOOK: query: grant src_role_wadmin to user user3 +POSTHOOK: type: GRANT_ROLE +PREHOOK: query: show role grant user user3 +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant user user3 +POSTHOOK: type: SHOW_ROLE_GRANT +PUBLIC -1 false -1 +src_role_wadmin -1 user3 USER false -1 user2 +PREHOOK: query: revoke src_role_wadmin from user user3 +PREHOOK: type: REVOKE_ROLE +POSTHOOK: query: revoke src_role_wadmin from user user3 +POSTHOOK: type: REVOKE_ROLE +PREHOOK: query: show role grant user user3 +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant user user3 +POSTHOOK: type: SHOW_ROLE_GRANT +PUBLIC -1 false -1