diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java index 7dfd574..c43bcea 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java @@ -179,7 +179,7 @@ // require db ownership, if there is a file require SELECT , INSERT, and DELETE op2Priv.put(HiveOperationType.CREATETABLE, - new InOutPrivs(OWNER_INS_SEL_DEL_NOGRANT_AR, null)); + new InOutPrivs(OWNER_INS_SEL_DEL_NOGRANT_AR, OWNER_PRIV_AR)); op2Priv.put(HiveOperationType.ALTERDATABASE, new InOutPrivs(OWNER_PRIV_AR, null)); op2Priv.put(HiveOperationType.DESCDATABASE, new InOutPrivs(null, null)); diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java index c59b403..eb5d331 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java @@ -35,7 +35,10 @@ import org.apache.hadoop.fs.permission.FsAction; import org.apache.hadoop.hive.common.FileUtils; import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.metastore.HiveMetaStore; import org.apache.hadoop.hive.metastore.IMetaStoreClient; +import org.apache.hadoop.hive.metastore.MetaStoreUtils; +import org.apache.hadoop.hive.metastore.api.Database; import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege; import org.apache.hadoop.hive.metastore.api.HiveObjectRef; import org.apache.hadoop.hive.metastore.api.HiveObjectType; 
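Review bot: The CREATETABLE entry now carries OWNER_PRIV_AR as its output privilege, but the comment above it (`// require db ownership, if there is a file require SELECT , INSERT, and DELETE`) does not say which of the two InOutPrivs lists applies to which object, so a reader cannot tell that the output-side ownership check is what this one-line change enables. Suggest rewording it to `// input: a file location, if given, needs SELECT, INSERT and DELETE; output: the target database requires ownership`. Whether the authorizer actually presents the target DATABASE as an output object for CREATETABLE is not visible in this hunk; the new expected output in authorize_create_tbl.q.out shows the denial raised on an object of type DATABASE, which suggests it does.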
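Review bot: `import org.apache.hadoop.hive.metastore.HiveMetaStore;` is added, yet nothing in the isOwner hunk references HiveMetaStore — the new code uses only MetaStoreUtils.DEFAULT_DATABASE_NAME and Database. Unless another part of the file not shown here needs it, drop the import; pulling the metastore server class into an authorization utility class also suggests a heavier dependency than the code actually has.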
@@ -247,26 +250,40 @@ private static void filterPrivsByCurrentRoles(PrincipalPrivilegeSet thriftPrivs, */ private static boolean isOwner(IMetaStoreClient metastoreClient, String userName, HivePrivilegeObject hivePrivObject) throws HiveAuthzPluginException { - //for now, check only table - if(hivePrivObject.getType() == HivePrivilegeObjectType.TABLE_OR_VIEW){ + //for now, check only table & db + switch (hivePrivObject.getType()) { + case TABLE_OR_VIEW : { Table thriftTableObj = null; try { thriftTableObj = metastoreClient.getTable(hivePrivObject.getDbname(), hivePrivObject.getTableViewURI()); - } catch (MetaException e) { - throwGetTableErr(e, hivePrivObject); - } catch (NoSuchObjectException e) { - throwGetTableErr(e, hivePrivObject); - } catch (TException e) { - throwGetTableErr(e, hivePrivObject); + } catch (Exception e) { + throwGetObjErr(e, hivePrivObject); } return userName.equals(thriftTableObj.getOwner()); } - return false; + case DATABASE: { + if (MetaStoreUtils.DEFAULT_DATABASE_NAME.equalsIgnoreCase(hivePrivObject.getDbname())){ + return true; + } + Database db = null; + try { + db = metastoreClient.getDatabase(hivePrivObject.getDbname()); + } catch (Exception e) { + throwGetObjErr(e, hivePrivObject); + } + return userName.equalsIgnoreCase(db.getOwnerName()); + } + case DFS_URI: + case LOCAL_URI: + case PARTITION: + default: + return false; + } } - private static void throwGetTableErr(Exception e, HivePrivilegeObject hivePrivObject) + private static void throwGetObjErr(Exception e, HivePrivilegeObject hivePrivObject) throws HiveAuthzPluginException { - String msg = "Error getting table object from metastore for" + hivePrivObject; + String msg = "Error getting object from metastore for " + hivePrivObject; throw new HiveAuthzPluginException(msg, e); } diff --git ql/src/test/queries/clientnegative/authorize_create_tbl.q ql/src/test/queries/clientnegative/authorize_create_tbl.q new file mode 100644 index 0000000..431fb88 
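Review bot: In the new DATABASE case, `if (MetaStoreUtils.DEFAULT_DATABASE_NAME.equalsIgnoreCase(hivePrivObject.getDbname())) return true;` declares every principal the owner of the default database, and since isOwner is not specific to CREATETABLE, any operation mapped to OWNER_PRIV_AR on a DATABASE object (the Operation2Privilege hunk shows ALTERDATABASE among them) would pass this check for the default database. If that is intended it needs a comment stating the rationale, e.g. `// the default database has no meaningful owner; treat every user as its owner so ownership-gated operations on it are not blocked`, plus a positive test; if not, the exemption should be narrowed to the operation that needs it. Ownership is also compared differently for the two object types — `userName.equals(thriftTableObj.getOwner())` for tables but `userName.equalsIgnoreCase(db.getOwnerName())` for databases — so two principals differing only in case would be the same database owner but different table owners; pick one rule and document it (and note that only the owner name is checked, not whether the recorded owner is a user or a role, if the Database object carries that distinction). The three specific catches were collapsed into `catch (Exception e)`, which now also wraps RuntimeExceptions into HiveAuthzPluginException; if MetaException and NoSuchObjectException are thrift-generated and so extend TException, a single `} catch (TException e) {` keeps the original narrowing while still sharing the one throwGetObjErr call. The method's Javadoc starts before the hunk.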
--- /dev/null
+++ ql/src/test/queries/clientnegative/authorize_create_tbl.q
@@ -0,0 +1,10 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+
+set hive.security.authorization.enabled=true;
+set user.name=user33;
+create database db23221;
+use db23221;
+
+set user.name=user44;
+create table twew221(a string);
diff --git ql/src/test/results/clientnegative/authorize_create_tbl.q.out ql/src/test/results/clientnegative/authorize_create_tbl.q.out
new file mode 100644
index 0000000..ec75b1d
--- /dev/null
+++ ql/src/test/results/clientnegative/authorize_create_tbl.q.out
@@ -0,0 +1,9 @@
+PREHOOK: query: create database db23221
+PREHOOK: type: CREATEDATABASE
+POSTHOOK: query: create database db23221
+POSTHOOK: type: CREATEDATABASE
+PREHOOK: query: use db23221
+PREHOOK: type: SWITCHDATABASE
+POSTHOOK: query: use db23221
+POSTHOOK: type: SWITCHDATABASE
+FAILED: HiveAccessControlException Permission denied. Principal [name=user44, type=USER] does not have following privileges on Object [type=DATABASE, name=db23221] : [OBJECT OWNERSHIP]
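Review bot: authorize_create_tbl.q only exercises the denial path; nothing here shows that user33, who created db23221, can still create a table in it after the Operation2Privilege change, nor that creating a table in the default database, which isOwner now treats as owned by every user, behaves as intended. A companion clientpositive query with `set user.name=user33;` followed by the same `create table`, plus one against the default database, would pin the intended behaviour on both sides of the new check.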