diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g b/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g index 4d58f96..fc30498 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g @@ -1423,7 +1423,6 @@ privObjectType @init {pushMsg("privilege object type type", state);} @after {popMsg(state);} : KW_DATABASE -> ^(TOK_DB_TYPE) - | KW_VIEW -> ^(TOK_TABLE_TYPE) | KW_TABLE? -> ^(TOK_TABLE_TYPE) ; diff --git a/ql/src/test/queries/clientpositive/authorization_view.q b/ql/src/test/queries/clientpositive/authorization_view.q deleted file mode 100644 index f6f774c..0000000 --- a/ql/src/test/queries/clientpositive/authorization_view.q +++ /dev/null 
@@ -1,77 +0,0 @@ --- SORT_BEFORE_DIFF - -create view src_autho_test as select * from src; - -set hive.security.authorization.enabled=true; - ---view grant to user - -grant select on view src_autho_test to user hive_test_user; - -show grant user hive_test_user on view src_autho_test; -show grant user hive_test_user on view src_autho_test(key); - -revoke select on view src_autho_test from user hive_test_user; -show grant user hive_test_user on view src_autho_test; -show grant user hive_test_user on view src_autho_test(key); - ---column grant to user - -grant select(key) on view src_autho_test to user hive_test_user; - -show grant user hive_test_user on view src_autho_test; -show grant user hive_test_user on view src_autho_test(key); - -revoke select(key) on view src_autho_test from user hive_test_user; -show grant user hive_test_user on view src_autho_test; -show grant user hive_test_user on view src_autho_test(key); - ---view grant to group - -grant select on view src_autho_test to group hive_test_group1; - -show grant group hive_test_group1 on view src_autho_test; -show grant group hive_test_group1 on view src_autho_test(key); - -revoke select on view src_autho_test from group hive_test_group1; -show grant group hive_test_group1 on view src_autho_test; -show grant group hive_test_group1 on view src_autho_test(key); - ---column grant to group - -grant select(key) on view src_autho_test to group hive_test_group1; - -show grant group hive_test_group1 on view src_autho_test; -show grant group hive_test_group1 on view src_autho_test(key); - -revoke select(key) on view src_autho_test from group hive_test_group1; -show grant group hive_test_group1 on view src_autho_test; -show grant group hive_test_group1 on view src_autho_test(key); - ---role -create role src_role; -grant role src_role to user hive_test_user; -show role grant user hive_test_user; - ---column grant to role - -grant select(key) on view src_autho_test to role src_role; - -show grant role src_role on view 
src_autho_test; -show grant role src_role on view src_autho_test(key); - -revoke select(key) on view src_autho_test from role src_role; - ---view grant to role - -grant select on view src_autho_test to role src_role; - -show grant role src_role on view src_autho_test; -show grant role src_role on view src_autho_test(key); -revoke select on view src_autho_test from role src_role; - --- drop role -drop role src_role; - -set hive.security.authorization.enabled=false; -drop view src_autho_test; diff --git a/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q b/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q index f89e624..dddba34 100644 --- a/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q +++ b/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q @@ -1,3 +1,4 @@ +set hive.users.in.admin.role=hive_admin_user; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; @@ -12,9 +13,10 @@ create view vt1 as select i,k from t1; create view vt2 as select * from t1 where i > 1; --view grant to user +-- try with and without table keyword -grant select on view vt1 to user user2; -grant insert on view vt1 to user user3; +grant select on vt1 to user user2; +grant insert on table vt1 to user user3; show grant user user2 on table vt1; show grant user user3 on table vt1; 
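Review bot: Nothing in this test asserts that the removed `on view` form is now rejected; the statements under `--view grant to user` are only rewritten to `on vt1` / `on table vt1`. Because the grammar change in HiveParser.g drops the `KW_VIEW` alternative, `grant ... on view` and `revoke ... on view` should stop parsing. A negative test running `grant select on view vt1 to user user2;` (and the matching `revoke`) with the expected parse error would pin that behaviour. The revoke case matters most, since an existing script whose revoke now fails leaves the privilege in place. The deleted authorization_view.q also covered group and column-level grants on a view (`grant select(key) on view ... to group ...`) without setting an authorization manager, and those cases are not carried over in `on table` form, so that coverage appears to be lost rather than migrated.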
@@ -24,12 +26,28 @@ select * from vt1; set user.name=user1; -grant all on view vt2 to user user2; +grant all on table vt2 to user user2; show grant user user2 on table vt2; -revoke all on view vt2 from user user2; +revoke all on vt2 from user user2; show grant user user2 on table vt2; -revoke select on view vt1 from user user2; +revoke select on table vt1 from user user2; show grant user user2 on table vt1; + +-- grant privileges on roles for view, after next statement show grant user user3 on table vt1; + +set user.name=hive_admin_user; +show current roles; +set role ADMIN; +create role role_v; +grant role_v to user user4 ; +show role grant user user4; +show roles; + +grant all on table vt2 to role role_v; +show grant role role_v on table vt2; + +revoke delete on table vt2 from role role_v; +show grant role role_v on table vt2; diff --git a/ql/src/test/results/clientpositive/authorization_view.q.out b/ql/src/test/results/clientpositive/authorization_view.q.out deleted file mode 100644 index 594d9d8..0000000 --- a/ql/src/test/results/clientpositive/authorization_view.q.out +++ /dev/null 
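Review bot: The added role block ends with `role_v` still defined and the session still in `ADMIN`, whereas the deleted authorization_view.q dropped its role at the end; finishing with `drop role role_v;` after the last `show grant role role_v on table vt2;` would keep the test self-contained. The `show roles` output lists every role in the metastore, so the expected result may be fragile if another test leaves a role behind (how the harness resets roles is not visible here). The block checks only `show grant` rows; switching with `set user.name=user4;` and running `select * from vt2;` would confirm that the role grant on the view is actually enforced, not just recorded. The comment `-- grant privileges on roles for view, after next statement` sits in front of the unrelated `show grant user user3 on table vt1;` and would read better directly above `set user.name=hive_admin_user;`.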
@@ -1,223 +0,0 @@ -PREHOOK: query: -- SORT_BEFORE_DIFF - -create view src_autho_test as select * from src -PREHOOK: type: CREATEVIEW -PREHOOK: Input: default@src -POSTHOOK: query: -- SORT_BEFORE_DIFF - -create view src_autho_test as select * from src -POSTHOOK: type: CREATEVIEW -POSTHOOK: Input: default@src -POSTHOOK: Output: default@src_autho_test -PREHOOK: query: --view grant to user - -grant select on view src_autho_test to user hive_test_user -PREHOOK: type: GRANT_PRIVILEGE -PREHOOK: Output: default@src_autho_test -POSTHOOK: query: --view grant to user - -grant select on view src_autho_test to user hive_test_user -POSTHOOK: type: GRANT_PRIVILEGE -POSTHOOK: Output: default@src_autho_test -PREHOOK: query: show grant user hive_test_user on view src_autho_test -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant user hive_test_user on view src_autho_test -POSTHOOK: type: SHOW_GRANT -default src_autho_test hive_test_user USER Select false -1 hive_test_user -PREHOOK: query: show grant user hive_test_user on view src_autho_test(key) -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant user hive_test_user on view src_autho_test(key) -POSTHOOK: type: SHOW_GRANT -PREHOOK: query: revoke select on view src_autho_test from user hive_test_user -PREHOOK: type: REVOKE_PRIVILEGE -PREHOOK: Output: default@src_autho_test -POSTHOOK: query: revoke select on view src_autho_test from user hive_test_user -POSTHOOK: type: REVOKE_PRIVILEGE -POSTHOOK: Output: default@src_autho_test -PREHOOK: query: show grant user hive_test_user on view src_autho_test -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant user hive_test_user on view src_autho_test -POSTHOOK: type: SHOW_GRANT -PREHOOK: query: show grant user hive_test_user on view src_autho_test(key) -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant user hive_test_user on view src_autho_test(key) -POSTHOOK: type: SHOW_GRANT -PREHOOK: query: --column grant to user - -grant select(key) on view src_autho_test to user 
hive_test_user -PREHOOK: type: GRANT_PRIVILEGE -PREHOOK: Output: default@src_autho_test -POSTHOOK: query: --column grant to user - -grant select(key) on view src_autho_test to user hive_test_user -POSTHOOK: type: GRANT_PRIVILEGE -POSTHOOK: Output: default@src_autho_test -PREHOOK: query: show grant user hive_test_user on view src_autho_test -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant user hive_test_user on view src_autho_test -POSTHOOK: type: SHOW_GRANT -PREHOOK: query: show grant user hive_test_user on view src_autho_test(key) -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant user hive_test_user on view src_autho_test(key) -POSTHOOK: type: SHOW_GRANT -default src_autho_test key hive_test_user USER Select false -1 hive_test_user -PREHOOK: query: revoke select(key) on view src_autho_test from user hive_test_user -PREHOOK: type: REVOKE_PRIVILEGE -PREHOOK: Output: default@src_autho_test -POSTHOOK: query: revoke select(key) on view src_autho_test from user hive_test_user -POSTHOOK: type: REVOKE_PRIVILEGE -POSTHOOK: Output: default@src_autho_test -PREHOOK: query: show grant user hive_test_user on view src_autho_test -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant user hive_test_user on view src_autho_test -POSTHOOK: type: SHOW_GRANT -PREHOOK: query: show grant user hive_test_user on view src_autho_test(key) -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant user hive_test_user on view src_autho_test(key) -POSTHOOK: type: SHOW_GRANT -PREHOOK: query: --view grant to group - -grant select on view src_autho_test to group hive_test_group1 -PREHOOK: type: GRANT_PRIVILEGE -PREHOOK: Output: default@src_autho_test -POSTHOOK: query: --view grant to group - -grant select on view src_autho_test to group hive_test_group1 -POSTHOOK: type: GRANT_PRIVILEGE -POSTHOOK: Output: default@src_autho_test -PREHOOK: query: show grant group hive_test_group1 on view src_autho_test -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant group hive_test_group1 on view 
src_autho_test -POSTHOOK: type: SHOW_GRANT -default src_autho_test hive_test_group1 GROUP Select false -1 hive_test_user -PREHOOK: query: show grant group hive_test_group1 on view src_autho_test(key) -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant group hive_test_group1 on view src_autho_test(key) -POSTHOOK: type: SHOW_GRANT -PREHOOK: query: revoke select on view src_autho_test from group hive_test_group1 -PREHOOK: type: REVOKE_PRIVILEGE -PREHOOK: Output: default@src_autho_test -POSTHOOK: query: revoke select on view src_autho_test from group hive_test_group1 -POSTHOOK: type: REVOKE_PRIVILEGE -POSTHOOK: Output: default@src_autho_test -PREHOOK: query: show grant group hive_test_group1 on view src_autho_test -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant group hive_test_group1 on view src_autho_test -POSTHOOK: type: SHOW_GRANT -PREHOOK: query: show grant group hive_test_group1 on view src_autho_test(key) -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant group hive_test_group1 on view src_autho_test(key) -POSTHOOK: type: SHOW_GRANT -PREHOOK: query: --column grant to group - -grant select(key) on view src_autho_test to group hive_test_group1 -PREHOOK: type: GRANT_PRIVILEGE -PREHOOK: Output: default@src_autho_test -POSTHOOK: query: --column grant to group - -grant select(key) on view src_autho_test to group hive_test_group1 -POSTHOOK: type: GRANT_PRIVILEGE -POSTHOOK: Output: default@src_autho_test -PREHOOK: query: show grant group hive_test_group1 on view src_autho_test -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant group hive_test_group1 on view src_autho_test -POSTHOOK: type: SHOW_GRANT -PREHOOK: query: show grant group hive_test_group1 on view src_autho_test(key) -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant group hive_test_group1 on view src_autho_test(key) -POSTHOOK: type: SHOW_GRANT -default src_autho_test key hive_test_group1 GROUP Select false -1 hive_test_user -PREHOOK: query: revoke select(key) on view src_autho_test 
from group hive_test_group1 -PREHOOK: type: REVOKE_PRIVILEGE -PREHOOK: Output: default@src_autho_test -POSTHOOK: query: revoke select(key) on view src_autho_test from group hive_test_group1 -POSTHOOK: type: REVOKE_PRIVILEGE -POSTHOOK: Output: default@src_autho_test -PREHOOK: query: show grant group hive_test_group1 on view src_autho_test -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant group hive_test_group1 on view src_autho_test -POSTHOOK: type: SHOW_GRANT -PREHOOK: query: show grant group hive_test_group1 on view src_autho_test(key) -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant group hive_test_group1 on view src_autho_test(key) -POSTHOOK: type: SHOW_GRANT -PREHOOK: query: --role -create role src_role -PREHOOK: type: CREATEROLE -POSTHOOK: query: --role -create role src_role -POSTHOOK: type: CREATEROLE -PREHOOK: query: grant role src_role to user hive_test_user -PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant role src_role to user hive_test_user -POSTHOOK: type: GRANT_ROLE -PREHOOK: query: show role grant user hive_test_user -PREHOOK: type: SHOW_ROLE_GRANT -POSTHOOK: query: show role grant user hive_test_user -POSTHOOK: type: SHOW_ROLE_GRANT -src_role -1 hive_test_user USER false -1 hive_test_user -PUBLIC -1 false -1 -PREHOOK: query: --column grant to role - -grant select(key) on view src_autho_test to role src_role -PREHOOK: type: GRANT_PRIVILEGE -PREHOOK: Output: default@src_autho_test -POSTHOOK: query: --column grant to role - -grant select(key) on view src_autho_test to role src_role -POSTHOOK: type: GRANT_PRIVILEGE -POSTHOOK: Output: default@src_autho_test -PREHOOK: query: show grant role src_role on view src_autho_test -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant role src_role on view src_autho_test -POSTHOOK: type: SHOW_GRANT -PREHOOK: query: show grant role src_role on view src_autho_test(key) -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant role src_role on view src_autho_test(key) -POSTHOOK: type: SHOW_GRANT -default 
src_autho_test key src_role ROLE Select false -1 hive_test_user -PREHOOK: query: revoke select(key) on view src_autho_test from role src_role -PREHOOK: type: REVOKE_PRIVILEGE -PREHOOK: Output: default@src_autho_test -POSTHOOK: query: revoke select(key) on view src_autho_test from role src_role -POSTHOOK: type: REVOKE_PRIVILEGE -POSTHOOK: Output: default@src_autho_test -PREHOOK: query: --view grant to role - -grant select on view src_autho_test to role src_role -PREHOOK: type: GRANT_PRIVILEGE -PREHOOK: Output: default@src_autho_test -POSTHOOK: query: --view grant to role - -grant select on view src_autho_test to role src_role -POSTHOOK: type: GRANT_PRIVILEGE -POSTHOOK: Output: default@src_autho_test -PREHOOK: query: show grant role src_role on view src_autho_test -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant role src_role on view src_autho_test -POSTHOOK: type: SHOW_GRANT -default src_autho_test src_role ROLE Select false -1 hive_test_user -PREHOOK: query: show grant role src_role on view src_autho_test(key) -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant role src_role on view src_autho_test(key) -POSTHOOK: type: SHOW_GRANT -PREHOOK: query: revoke select on view src_autho_test from role src_role -PREHOOK: type: REVOKE_PRIVILEGE -PREHOOK: Output: default@src_autho_test -POSTHOOK: query: revoke select on view src_autho_test from role src_role -POSTHOOK: type: REVOKE_PRIVILEGE -POSTHOOK: Output: default@src_autho_test -PREHOOK: query: -- drop role -drop role src_role -PREHOOK: type: DROPROLE -POSTHOOK: query: -- drop role -drop role src_role -POSTHOOK: type: DROPROLE -PREHOOK: query: drop view src_autho_test -PREHOOK: type: DROPVIEW -PREHOOK: Input: default@src_autho_test -PREHOOK: Output: default@src_autho_test -POSTHOOK: query: drop view src_autho_test -POSTHOOK: type: DROPVIEW -POSTHOOK: Input: default@src_autho_test -POSTHOOK: Output: default@src_autho_test 
diff --git a/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out b/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out index 3bbb015..e14ac3e 100644 --- a/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out +++ b/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out @@ -22,19 +22,21 @@ POSTHOOK: type: CREATEVIEW POSTHOOK: Input: default@t1 POSTHOOK: Output: default@vt2 PREHOOK: query: --view grant to user +-- try with and without table keyword -grant select on view vt1 to user user2 +grant select on vt1 to user user2 PREHOOK: type: GRANT_PRIVILEGE PREHOOK: Output: default@vt1 POSTHOOK: query: --view grant to user +-- try with and without table keyword -grant select on view vt1 to user user2 +grant select on vt1 to user user2 POSTHOOK: type: GRANT_PRIVILEGE POSTHOOK: Output: default@vt1 -PREHOOK: query: grant insert on view vt1 to user user3 +PREHOOK: query: grant insert on table vt1 to user user3 PREHOOK: type: GRANT_PRIVILEGE PREHOOK: Output: default@vt1 -POSTHOOK: query: grant insert on view vt1 to user user3 +POSTHOOK: query: grant insert on table vt1 to user user3 POSTHOOK: type: GRANT_PRIVILEGE POSTHOOK: Output: default@vt1 PREHOOK: query: show grant user user2 on table vt1 @@ -57,10 +59,10 @@ POSTHOOK: type: QUERY POSTHOOK: Input: default@t1 POSTHOOK: Input: default@vt1 #### A masked pattern was here #### -PREHOOK: query: grant all on view vt2 to user user2 +PREHOOK: query: grant all on table vt2 to user user2 PREHOOK: type: GRANT_PRIVILEGE PREHOOK: Output: default@vt2 -POSTHOOK: query: grant all on view vt2 to user user2 +POSTHOOK: query: grant all on table vt2 to user user2 POSTHOOK: type: GRANT_PRIVILEGE POSTHOOK: Output: default@vt2 PREHOOK: query: show grant user user2 on table vt2 
@@ -71,28 +73,89 @@ default vt2 user2 USER DELETE false -1 user1 default vt2 user2 USER INSERT false -1 user1 default vt2 user2 USER SELECT false -1 user1 default vt2 user2 USER UPDATE false -1 user1 -PREHOOK: query: revoke all on view vt2 from user user2 +PREHOOK: query: revoke all on vt2 from user user2 PREHOOK: type: REVOKE_PRIVILEGE PREHOOK: Output: default@vt2 -POSTHOOK: query: revoke all on view vt2 from user user2 +POSTHOOK: query: revoke all on vt2 from user user2 POSTHOOK: type: REVOKE_PRIVILEGE POSTHOOK: Output: default@vt2 PREHOOK: query: show grant user user2 on table vt2 PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user user2 on table vt2 POSTHOOK: type: SHOW_GRANT -PREHOOK: query: revoke select on view vt1 from user user2 +PREHOOK: query: revoke select on table vt1 from user user2 PREHOOK: type: REVOKE_PRIVILEGE PREHOOK: Output: default@vt1 -POSTHOOK: query: revoke select on view vt1 from user user2 +POSTHOOK: query: revoke select on table vt1 from user user2 POSTHOOK: type: REVOKE_PRIVILEGE POSTHOOK: Output: default@vt1 PREHOOK: query: show grant user user2 on table vt1 PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user user2 on table vt1 POSTHOOK: type: SHOW_GRANT -PREHOOK: query: show grant user user3 on table vt1 +PREHOOK: query: -- grant privileges on roles for view, after next statement +show grant user user3 on table vt1 PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant user user3 on table vt1 +POSTHOOK: query: -- grant privileges on roles for view, after next statement +show grant user user3 on table vt1 POSTHOOK: type: SHOW_GRANT default vt1 user3 USER INSERT false -1 user1 +PREHOOK: query: show current roles +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: show current roles +POSTHOOK: type: SHOW_ROLES +PUBLIC + +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: create role role_v +PREHOOK: type: CREATEROLE +POSTHOOK: query: create role 
role_v +POSTHOOK: type: CREATEROLE +PREHOOK: query: grant role_v to user user4 +PREHOOK: type: GRANT_ROLE +POSTHOOK: query: grant role_v to user user4 +POSTHOOK: type: GRANT_ROLE +PREHOOK: query: show role grant user user4 +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant user user4 +POSTHOOK: type: SHOW_ROLE_GRANT +PUBLIC -1 false -1 +role_v -1 user4 USER false -1 hive_admin_user +PREHOOK: query: show roles +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: show roles +POSTHOOK: type: SHOW_ROLES +ADMIN +PUBLIC +role_v + +PREHOOK: query: grant all on table vt2 to role role_v +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@vt2 +POSTHOOK: query: grant all on table vt2 to role role_v +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@vt2 +PREHOOK: query: show grant role role_v on table vt2 +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant role role_v on table vt2 +POSTHOOK: type: SHOW_GRANT +default vt2 role_v ROLE DELETE false -1 hive_admin_user +default vt2 role_v ROLE INSERT false -1 hive_admin_user +default vt2 role_v ROLE SELECT false -1 hive_admin_user +default vt2 role_v ROLE UPDATE false -1 hive_admin_user +PREHOOK: query: revoke delete on table vt2 from role role_v +PREHOOK: type: REVOKE_PRIVILEGE +PREHOOK: Output: default@vt2 +POSTHOOK: query: revoke delete on table vt2 from role role_v +POSTHOOK: type: REVOKE_PRIVILEGE +POSTHOOK: Output: default@vt2 +PREHOOK: query: show grant role role_v on table vt2 +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant role role_v on table vt2 +POSTHOOK: type: SHOW_GRANT +default vt2 role_v ROLE INSERT false -1 hive_admin_user +default vt2 role_v ROLE SELECT false -1 hive_admin_user +default vt2 role_v ROLE UPDATE false -1 hive_admin_user