Index: metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
===================================================================
--- metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java (revision 1574985)
+++ metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java (working copy)
@@ -222,6 +222,7 @@
 public static final Log LOG = HiveMetaStore.LOG;
 private static boolean createDefaultDB = false;
 private static boolean defaultRolesCreated = false;
+ private static boolean adminUsersAdded = false;
 private String rawStoreClassName;
 private final HiveConf hiveConf; // stores datastore (jpox) properties,
 // right now they come from jpox.properties
@@ -383,7 +384,8 @@
 synchronized (HMSHandler.class) {
 createDefaultDB();
- createDefaultRolesNAddUsers();
+ createDefaultRoles();
+ addAdminUsers();
 }
 if (hiveConf.getBoolean("hive.metastore.metrics.enabled", false)) {
@@ -518,12 +520,8 @@
 }
 }
- private void createDefaultRolesNAddUsers() throws MetaException {
+ private boolean areWeAllowedToCreate() {
- if(defaultRolesCreated) {
- LOG.debug("Admin role already created previously.");
- return;
- }
 Class authCls;
 Class authIface;
 try {
@@ -531,13 +529,27 @@
 authIface = Class.forName("org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory");
 } catch (ClassNotFoundException e) {
 LOG.debug("No auth manager specified", e);
- return;
+ return false;
 }
 if(!authIface.isAssignableFrom(authCls)){
- LOG.warn("Configured auth manager "+authCls.getName()+" doesn't implement "+ ConfVars.
- HIVE_AUTHENTICATOR_MANAGER+ " admin role will not be created.");
+ LOG.warn("Configured auth manager "+authCls.getName()+" doesn't implement "+ ConfVars.HIVE_AUTHENTICATOR_MANAGER);
+ return false;
+ }
+
+ return true;
+ }
+
+ private void createDefaultRoles() throws MetaException {
+
+ if(defaultRolesCreated) {
+ LOG.debug("Admin role already created previously.");
 return;
 }
+
+ if(!areWeAllowedToCreate()) {
+ return;
+ }
+
 RawStore ms = getMS();
 try {
 ms.addRole(ADMIN, ADMIN);
@@ -572,6 +584,18 @@
 LOG.warn("Failed while granting global privs to admin", e);
 }
+ defaultRolesCreated = true;
+ }
+
+ private void addAdminUsers() throws MetaException {
+
+ if(adminUsersAdded) {
+ LOG.debug("Admin users already added.");
+ return;
+ }
+ if(!areWeAllowedToCreate()) {
+ return;
+ }
 // now add pre-configured users to admin role
 String userStr = HiveConf.getVar(hiveConf,ConfVars.USERS_IN_ADMIN_ROLE,"").trim();
 if (userStr.isEmpty()) {
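Review bot: The warning in areWeAllowedToCreate() names `ConfVars.HIVE_AUTHENTICATOR_MANAGER` as the thing the class "doesn't implement", while the check just above it is against the interface loaded as `HiveAuthorizerFactory`. The test added in this patch sets HIVE_AUTHORIZATION_MANAGER, which suggests the authenticator variable is also the wrong name. The commit also drops the clause saying the admin role will not be created, although this helper now gates both createDefaultRoles() and addAdminUsers(), so the log no longer tells an operator that admin bootstrap was skipped. I would write `LOG.warn("Configured auth manager " + authCls.getName() + " doesn't implement " + authIface.getName() + "; admin role and admin users will not be set up.");`. The helper is called from both callers, so the message appears twice per handler init; the method's opening lines are outside this hunk.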
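Review bot: `defaultRolesCreated = true;` in the @@ -572,6 hunk comes right after a block whose last visible statement is `LOG.warn("Failed while granting global privs to admin", e);`, so as far as the hunk shows, a failed grant still marks role bootstrap as done for the rest of the process. The @@ -600,13 hunk has the same pattern: `adminUsersAdded = true;` follows a loop that only logs the `NoSuchObjectException` from `grantRole`, so a configured admin user can be left without the role and never retried. If a retry on the next HMSHandler init is wanted, add `boolean allGranted = true;` before the loop, `allGranted = false;` in the error catch and `adminUsersAdded = allGranted;` at the end. Otherwise add a comment on both flags saying they mean "attempted", not "succeeded". The middle of createDefaultRoles() is not shown in this diff.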
@@ -581,15 +605,14 @@
 // Since user names need to be valid unix user names, per IEEE Std 1003.1-2001 they cannot
 // contain comma, so we can safely split above string on comma.
- Iterator users = Splitter.on(",").trimResults().omitEmptyStrings().split(userStr).
- iterator();
+ Iterator users = Splitter.on(",").trimResults().omitEmptyStrings().split(userStr).iterator();
 if (!users.hasNext()) {
 LOG.info("No user is added in admin role, since config value "+ userStr +
- " is in incorrect format.");
+ " is in incorrect format. We accept comma seprated list of users.");
 return;
 }
- LOG.info("Added " + userStr + " to admin role");
 Role adminRole;
+ RawStore ms = getMS();
 try {
 adminRole = ms.getRole(ADMIN);
 } catch (NoSuchObjectException e) {
@@ -600,13 +623,14 @@
 String userName = users.next();
 try {
 ms.grantRole(adminRole, userName, PrincipalType.USER, ADMIN, PrincipalType.ROLE, true);
+ LOG.info("Added " + userName + " to admin role");
 } catch (NoSuchObjectException e) {
 LOG.error("Failed to add "+ userName + " in admin role",e);
 } catch (InvalidObjectException e) {
 LOG.debug(userName + " already in admin role", e);
 }
 }
- defaultRolesCreated = true;
+ adminUsersAdded = true;
 }
 private void logInfo(String m) {
@@ -4827,7 +4851,7 @@
 }
 }
- @Override
+ @Override
 public void heartbeat(HeartbeatRequest ids) throws NoSuchLockException, NoSuchTxnException, TxnAbortedException, TException {
 try {
Index: itests/hive-unit/src/test/java/org/apache/hadoop/hive/metastore/TestAdminUser.java
===================================================================
--- itests/hive-unit/src/test/java/org/apache/hadoop/hive/metastore/TestAdminUser.java (revision 0)
+++ itests/hive-unit/src/test/java/org/apache/hadoop/hive/metastore/TestAdminUser.java (revision 0)
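Review bot: The new log text in the @@ -581,15 hunk of addAdminUsers() has a typo, `seprated`; the line should read `" is in incorrect format. We accept comma separated list of users.");`. This branch means that none of the configured users receives the admin role, so `LOG.warn` would suit it better than `LOG.info`. The method begins in the previous hunk and continues in the next one.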
@@ -0,0 +1,45 @@
+/**
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package org.apache.hadoop.hive.metastore;
+
+import java.io.IOException;
+
+import junit.framework.TestCase;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.hive.metastore.HiveMetaStore.HMSHandler;
+import org.apache.hadoop.hive.metastore.api.PrincipalType;
+import org.apache.hadoop.hive.metastore.api.Role;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+
+public class TestAdminUser extends TestCase{
+
+ public void testCreateAdminNAddUser() throws IOException, Throwable {
+ HiveConf conf = new HiveConf();
+ conf.setVar(ConfVars.USERS_IN_ADMIN_ROLE, "adminuser");
+ conf.setVar(ConfVars.HIVE_AUTHORIZATION_MANAGER,SQLStdHiveAuthorizerFactory.class.getName());
+ RawStore rawStore = new HMSHandler("testcreateroot", conf).getMS();
+ Role adminRole = rawStore.getRole(HiveMetaStore.ADMIN);
+ assertTrue(adminRole.getOwnerName().equals(HiveMetaStore.ADMIN));
+ assertEquals(rawStore.listPrincipalGlobalGrants(HiveMetaStore.ADMIN, PrincipalType.ROLE)
+ .get(0).getPrivilege(),"All");
+ assertEquals(rawStore.listRoles("adminuser", PrincipalType.USER).get(0).getRole().
+ getRoleName(),HiveMetaStore.ADMIN);
+ }
+}
\ No newline at end of file
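Review bot: testCreateAdminNAddUser depends on being the first HMSHandler built in the JVM, because `defaultRolesCreated` and `adminUsersAdded` are static in HiveMetaStore.java. If an earlier test in the same JVM has already set them, the grant to `adminuser` may never be attempted, and `listRoles("adminuser", PrincipalType.USER).get(0)` would then fail on an empty list rather than with a clear assertion message. The assertions also pass (actual, expected); JUnit expects the expected value first, e.g. `assertEquals(HiveMetaStore.ADMIN, adminRole.getOwnerName());` in place of the `assertTrue(...equals(...))` line. A negative case would cover the security-relevant side of the feature: assert that a user not listed in USERS_IN_ADMIN_ROLE has no admin role.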