diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java index 2295b0d..42df435 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java @@ -657,7 +657,7 @@ private int showGrantsV2(ShowGrantDesc showGrantDesc) throws HiveException { PrivilegeGrantInfo grantInfo = AuthorizationUtils.getThriftPrivilegeGrantInfo(priv, privInfo.getGrantorPrincipal(), - privInfo.isGrantOption()); + privInfo.isGrantOption(), privInfo.getGrantTime()); //only grantInfo is used HiveObjectPrivilege thriftObjectPriv = new HiveObjectPrivilege(new HiveObjectRef( @@ -674,18 +674,6 @@ private int showGrantsV2(ShowGrantDesc showGrantDesc) throws HiveException { return 0; } - private static void sortPrivileges(List privileges) { - Collections.sort(privileges, new Comparator() { - - @Override - public int compare(HiveObjectPrivilege one, HiveObjectPrivilege other) { - return one.getGrantInfo().getPrivilege().compareTo(other.getGrantInfo().getPrivilege()); - } - - }); - - } - private int grantOrRevokePrivileges(List principals, List privileges, PrivilegeObjectDesc privSubjectDesc, String grantor, PrincipalType grantorType, boolean grantOption, boolean isGrant) @@ -854,6 +842,7 @@ private int grantOrRevokePrivilegesV2(List principals, private HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc) throws HiveException { + String [] dbTable = Utilities.getDbTableName(privSubjectDesc.getObject()); return new HivePrivilegeObject(getPrivObjectType(privSubjectDesc), dbTable[0], dbTable[1]); } 
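Review bot: A `PrivilegeObjectDesc` with a null object now flows through `getHivePrivilegeObject` without error — `Utilities.getDbTableName` returns two nulls and `getPrivObjectType` returns null — so a `HivePrivilegeObject(null, null, null)` can be built here, and if the grant/revoke path uses this helper too (its placement right after `grantOrRevokePrivilegesV2` suggests it does) such an object would reach the access controller as though it named a real target. Null presumably means "all objects" and should be valid only for SHOW GRANT; I would reject it on the grant/revoke side before this call, `if (privSubjectDesc.getObject() == null) { throw new HiveException("GRANT/REVOKE requires a target object"); }`, and document the contract here: `/** Builds the plugin-side object for privSubjectDesc; a null object yields a null type and null db/table, meaning "all objects", and is only meaningful for SHOW GRANT. */`. Whether the parser can ever produce a null object for a GRANT statement is not visible in this diff, so treat this as defence in depth. The surrounding methods of this hunk extend beyond what is shown.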
@@ -877,6 +866,9 @@ private HivePrincipalType getHivePrincipalType(PrincipalType type) throws HiveEx } private HivePrivilegeObjectType getPrivObjectType(PrivilegeObjectDesc privSubjectDesc) { + if (privSubjectDesc.getObject() == null) { + return null; + } return privSubjectDesc.getTable() ? HivePrivilegeObjectType.TABLE_OR_VIEW : HivePrivilegeObjectType.DATABASE; } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/Utilities.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/Utilities.java index 23dcbda..9a74fa5 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/exec/Utilities.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/Utilities.java @@ -70,9 +70,6 @@ import java.util.Random; import java.util.Set; import java.util.UUID; -import java.util.zip.Deflater; -import java.util.zip.DeflaterOutputStream; -import java.util.zip.InflaterInputStream; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ExecutionException; import java.util.concurrent.Future; @@ -81,6 +78,9 @@ import java.util.concurrent.TimeUnit; import java.util.regex.Matcher; import java.util.regex.Pattern; +import java.util.zip.Deflater; +import java.util.zip.DeflaterOutputStream; +import java.util.zip.InflaterInputStream; import org.antlr.runtime.CommonToken; import org.apache.commons.codec.binary.Base64; @@ -2029,6 +2029,9 @@ public static String formatBinaryString(byte[] array, int start, int length) { * @throws HiveException */ public static String[] getDbTableName(String dbtable) throws HiveException{ + if(dbtable == null){ + return new String[2]; + } String[] names = dbtable.split("\\."); switch (names.length) { case 2: diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java index 638967e..5e2d12c 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java 
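Review bot: Returning null from `getPrivObjectType` gives `null` a new meaning ("no specific object") that nothing in the method documents, and any caller that switches on `HivePrivilegeObjectType` without a null check will now throw a NullPointerException instead of a clear error. At minimum add a Javadoc line, `/** Returns null when privSubjectDesc carries no object (SHOW GRANT ... ON ALL); callers must treat null as "all objects" and guard before switching on the result. */`; a dedicated enum constant would make the wildcard explicit rather than relying on null, though that is a wider change than this hunk.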
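Review bot: `getDbTableName` now returns `new String[2]`, i.e. `{null, null}`, for a null argument, and the method's Javadoc (its `@throws` is visible just above the hunk) says nothing about that sentinel, so callers indexing `[0]`/`[1]` and passing the values on to the metastore have no signal that the object was never specified. I would state it in the Javadoc, `@return {db, table}; both entries are null when dbtable is null, meaning no object was specified`, so the null-means-wildcard convention is visible at the source rather than discovered downstream. The switch over `names.length` continues past the end of this hunk.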
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java @@ -108,12 +108,13 @@ public static PrincipalType getThriftPrincipalType(HivePrincipalType type) { * @param privilege * @param grantorPrincipal * @param grantOption + * @param grantTime * @return * @throws HiveException */ public static PrivilegeGrantInfo getThriftPrivilegeGrantInfo(HivePrivilege privilege, - HivePrincipal grantorPrincipal, boolean grantOption) throws HiveException { - return new PrivilegeGrantInfo(privilege.getName(), 0 /* time gets added by server */, + HivePrincipal grantorPrincipal, boolean grantOption, int grantTime) throws HiveException { + return new PrivilegeGrantInfo(privilege.getName(), grantTime, grantorPrincipal.getName(), getThriftPrincipalType(grantorPrincipal.getType()), grantOption); } @@ -125,6 +126,9 @@ public static PrivilegeGrantInfo getThriftPrivilegeGrantInfo(HivePrivilege privi * @throws HiveException */ public static HiveObjectType getThriftHiveObjType(HivePrivilegeObjectType type) throws HiveException { + if (type == null) { + return null; + } switch(type){ case DATABASE: return HiveObjectType.DATABASE; diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeInfo.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeInfo.java index 3f9fa81..0f91ccb 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeInfo.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeInfo.java 
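Review bot: The new `@param grantTime` Javadoc is left empty, yet this parameter now lets every caller decide what goes into the persisted `PrivilegeGrantInfo` create time; the grant path passes 0 on the assumption that the metastore stamps the real time, but if the metastore keeps a non-zero value as supplied, a caller could record an arbitrary grant timestamp in the audit trail. Document the contract so the assumption is explicit, `@param grantTime grant time as recorded by the metastore; pass 0 on the grant path, which lets the metastore assign the actual time`, and confirm on the metastore side that a client-supplied non-zero time is overwritten rather than stored; that behaviour is not visible in this diff.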
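Review bot: `getThriftHiveObjType` now returns null for a null type, which leaves the `objectType` of any `HiveObjectRef` built from it unset; the metastore privilege lookup is presumably what interprets that as "all objects", but nothing here says so, and the method has no `@return` note covering the null case. Add one, `@return the thrift object type, or null when type is null (no specific object); callers must null-check before switching on the result`, so the wildcard convention is not inferred from a missing `case`. The switch body of this method runs past the end of the hunk.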
@@ -31,14 +31,17 @@ private final HivePrivilegeObject object; private final HivePrincipal grantorPrincipal; private final boolean grantOption; + private final int grantTime; public HivePrivilegeInfo(HivePrincipal principal, HivePrivilege privilege, - HivePrivilegeObject object, HivePrincipal grantorPrincipal, boolean grantOption){ + HivePrivilegeObject object, HivePrincipal grantorPrincipal, boolean grantOption, + int grantTime){ this.principal = principal; this.privilege = privilege; this.object = object; this.grantorPrincipal = grantorPrincipal; this.grantOption = grantOption; + this.grantTime = grantTime; } public HivePrincipal getPrincipal() { @@ -61,5 +64,9 @@ public boolean isGrantOption() { return grantOption; } + public int getGrantTime() { + return grantTime; + } + } \ No newline at end of file diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java index ee7bef3..03d12ca 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java @@ -35,7 +35,6 @@ import org.apache.hadoop.fs.permission.FsAction; import org.apache.hadoop.hive.common.FileUtils; import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.metastore.HiveMetaStore; import org.apache.hadoop.hive.metastore.IMetaStoreClient; import org.apache.hadoop.hive.metastore.MetaStoreUtils; import org.apache.hadoop.hive.metastore.api.Database; 
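Review bot: The new `grantTime` field and `getGrantTime()` accessor carry no documentation, and an `int` time is ambiguous (seconds versus milliseconds, and what 0 means). Since the only writer visible in this diff passes the metastore's `getCreateTime()` on the show path and a literal 0 on the grant path, I would add `/** Grant creation time as recorded by the metastore (presumably epoch seconds — confirm against PrivilegeGrantInfo.createTime); 0 when the metastore has not yet assigned it. */` above the field, with a matching one-line Javadoc on the getter.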
@@ -43,7 +42,6 @@ import org.apache.hadoop.hive.metastore.api.HiveObjectRef; import org.apache.hadoop.hive.metastore.api.HiveObjectType; import org.apache.hadoop.hive.metastore.api.MetaException; -import org.apache.hadoop.hive.metastore.api.NoSuchObjectException; import org.apache.hadoop.hive.metastore.api.PrincipalPrivilegeSet; import org.apache.hadoop.hive.metastore.api.PrivilegeBag; import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo; @@ -91,7 +89,7 @@ static PrivilegeBag getThriftPrivilegesBag(List hivePrincipals, + " is not supported in sql standard authorization mode"); } PrivilegeGrantInfo grantInfo = getThriftPrivilegeGrantInfo(privilege, grantorPrincipal, - grantOption); + grantOption, 0 /*real grant time added by metastore*/); for (HivePrincipal principal : hivePrincipals) { HiveObjectPrivilege objPriv = new HiveObjectPrivilege(privObj, principal.getName(), AuthorizationUtils.getThriftPrincipalType(principal.getType()), grantInfo); @@ -102,10 +100,11 @@ static PrivilegeBag getThriftPrivilegesBag(List hivePrincipals, } static PrivilegeGrantInfo getThriftPrivilegeGrantInfo(HivePrivilege privilege, - HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException { + HivePrincipal grantorPrincipal, boolean grantOption, int grantTime) + throws HiveAuthzPluginException { try { return AuthorizationUtils.getThriftPrivilegeGrantInfo(privilege, grantorPrincipal, - grantOption); + grantOption, grantTime); } catch (HiveException e) { throw new HiveAuthzPluginException(e); } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java index f69e41b..fec5eae 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java 
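Review bot: The sentinel in `getThriftPrivilegesBag` is a bare `0` explained only by an inline comment, `grantOption, 0 /*real grant time added by metastore*/`, which is the kind of magic literal that gets copied without its comment. A named constant reads better and gives the assumption one place to live: `private static final int GRANT_TIME_ASSIGNED_BY_METASTORE = 0;` and then `grantOption, GRANT_TIME_ASSIGNED_BY_METASTORE);`. The enclosing loop of `getThriftPrivilegesBag` starts before this hunk.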
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java @@ -39,7 +39,6 @@ import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo; import org.apache.hadoop.hive.metastore.api.Role; import org.apache.hadoop.hive.metastore.api.RolePrincipalGrant; -import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; @@ -156,7 +155,7 @@ public void grantPrivileges(List hivePrincipals, metastoreClient, authenticator.getUserName(), getCurrentRoles(), isUserAdmin()); // grant - PrivilegeBag privBag = getThriftPrivilegesBag(hivePrincipals, hivePrivileges, hivePrivObject, + PrivilegeBag privBag = SQLAuthorizationUtils.getThriftPrivilegesBag(hivePrincipals, hivePrivileges, hivePrivObject, grantorPrincipal, grantOption); try { metastoreClient.grant_privileges(privBag); 
@@ -188,49 +187,6 @@ public void grantPrivileges(List hivePrincipals, return new ArrayList(hivePrivSet); } - /** - * Create thrift privileges bag - * - * @param hivePrincipals - * @param hivePrivileges - * @param hivePrivObject - * @param grantorPrincipal - * @param grantOption - * @return - * @throws HiveAuthzPluginException - */ - private PrivilegeBag getThriftPrivilegesBag(List hivePrincipals, - List hivePrivileges, HivePrivilegeObject hivePrivObject, - HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException { - - HiveObjectRef privObj = SQLAuthorizationUtils.getThriftHiveObjectRef(hivePrivObject); - PrivilegeBag privBag = new PrivilegeBag(); - for (HivePrivilege privilege : hivePrivileges) { - if (privilege.getColumns() != null && privilege.getColumns().size() > 0) { - throw new HiveAuthzPluginException("Privileges on columns not supported currently" - + " in sql standard authorization mode"); - } - - PrivilegeGrantInfo grantInfo = getThriftPrivilegeGrantInfo(privilege, grantorPrincipal, - grantOption); - for (HivePrincipal principal : hivePrincipals) { - HiveObjectPrivilege objPriv = new HiveObjectPrivilege(privObj, principal.getName(), - AuthorizationUtils.getThriftPrincipalType(principal.getType()), grantInfo); - privBag.addToPrivileges(objPriv); - } - } - return privBag; - } - - private PrivilegeGrantInfo getThriftPrivilegeGrantInfo(HivePrivilege privilege, - HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException { - try { - return AuthorizationUtils.getThriftPrivilegeGrantInfo(privilege, grantorPrincipal, - grantOption); - } catch (HiveException e) { - throw new HiveAuthzPluginException(e); - } - } @Override public void revokePrivileges(List hivePrincipals, 
@@ -430,7 +386,7 @@ public void revokeRole(List hivePrincipals, List roleName AuthorizationUtils.getHivePrincipalType(msGrantInfo.getGrantorType())); HivePrivilegeInfo resPrivInfo = new HivePrivilegeInfo(resPrincipal, resPrivilege, - resPrivObj, grantorPrincipal, msGrantInfo.isGrantOption()); + resPrivObj, grantorPrincipal, msGrantInfo.isGrantOption(), msGrantInfo.getCreateTime()); resPrivInfos.add(resPrivInfo); } return resPrivInfos; diff --git a/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q b/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q index f91e100..2e384d7 100644 --- a/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q +++ b/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q @@ -9,6 +9,7 @@ CREATE TABLE table_priv_rev(i int); -- grant insert privilege to user2 GRANT INSERT ON table_priv_rev TO USER user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; +SHOW GRANT USER user2 ON ALL; -- revoke insert privilege from user2 REVOKE INSERT ON TABLE table_priv_rev FROM USER user2; @@ -18,6 +19,7 @@ SHOW GRANT USER user2 ON TABLE table_priv_rev; -- grant insert privilege to user2 GRANT INSERT ON table_priv_rev TO USER user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; +SHOW GRANT USER user2 ON ALL; -- grant select privilege to user2, with grant option GRANT SELECT ON table_priv_rev TO USER user2 WITH GRANT OPTION; @@ -31,10 +33,12 @@ SHOW GRANT USER user2 ON TABLE table_priv_rev; GRANT DELETE ON table_priv_rev TO USER user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; + -- start revoking -- -- revoke update privilege from user2 REVOKE UPDATE ON TABLE table_priv_rev FROM USER user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; +SHOW GRANT USER user2 ON ALL; -- revoke DELETE privilege from user2 REVOKE DELETE ON TABLE table_priv_rev FROM USER user2; 
@@ -47,7 +51,7 @@ SHOW GRANT USER user2 ON TABLE table_priv_rev; -- revoke select privilege from user2 REVOKE SELECT ON TABLE table_priv_rev FROM USER user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; - +SHOW GRANT USER user2 ON ALL; -- grant all followed by revoke all GRANT ALL ON table_priv_rev TO USER user2; diff --git a/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q b/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q index dddba34..915237a 100644 --- a/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q +++ b/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q @@ -12,6 +12,8 @@ create view vt1 as select i,k from t1; -- protecting certain rows create view vt2 as select * from t1 where i > 1; +show grant user user1 on all; + --view grant to user -- try with and without table keyword @@ -21,6 +23,7 @@ grant insert on table vt1 to user user3; show grant user user2 on table vt1; show grant user user3 on table vt1; + set user.name=user2; select * from vt1; @@ -28,6 +31,7 @@ set user.name=user1; grant all on table vt2 to user user2; show grant user user2 on table vt2; +show grant user user2 on all; revoke all on vt2 from user user2; show grant user user2 on table vt2; @@ -35,6 +39,8 @@ show grant user user2 on table vt2; revoke select on table vt1 from user user2; show grant user user2 on table vt1; +show grant user user2 on all; + -- grant privileges on roles for view, after next statement show grant user user3 on table vt1; diff --git a/ql/src/test/results/clientpositive/authorization_revoke_table_priv.q.out b/ql/src/test/results/clientpositive/authorization_revoke_table_priv.q.out index c1862c9..907c889 100644 --- a/ql/src/test/results/clientpositive/authorization_revoke_table_priv.q.out +++ b/ql/src/test/results/clientpositive/authorization_revoke_table_priv.q.out 
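Review bot: Every new `show grant user user2 on all` in this test is issued while `user.name` is user1, who is the grantor and (per the expected output) owner of t1, vt1 and vt2, so the suite never exercises what a principal that is neither admin nor grantor sees when enumerating another user's grants across every object — which is the new information-disclosure surface the `ON ALL` form introduces. I would add a negative case after one of these, `set user.name=user3;` followed by `show grant user user2 on all;`, and pin the expected result (rejection or an empty/filtered list) in the .q.out. Whether `SQLStdHiveAccessController` restricts SHOW GRANT by caller is not visible in this diff, which is exactly why the test should say.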
@@ -22,6 +22,11 @@ PREHOOK: type: SHOW_GRANT POSTHOOK: query: SHOW GRANT USER user2 ON TABLE table_priv_rev POSTHOOK: type: SHOW_GRANT default table_priv_rev user2 USER INSERT false -1 user1 +PREHOOK: query: SHOW GRANT USER user2 ON ALL +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: SHOW GRANT USER user2 ON ALL +POSTHOOK: type: SHOW_GRANT +default table_priv_rev user2 USER INSERT false -1 user1 PREHOOK: query: -- revoke insert privilege from user2 REVOKE INSERT ON TABLE table_priv_rev FROM USER user2 PREHOOK: type: REVOKE_PRIVILEGE @@ -49,6 +54,11 @@ PREHOOK: type: SHOW_GRANT POSTHOOK: query: SHOW GRANT USER user2 ON TABLE table_priv_rev POSTHOOK: type: SHOW_GRANT default table_priv_rev user2 USER INSERT false -1 user1 +PREHOOK: query: SHOW GRANT USER user2 ON ALL +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: SHOW GRANT USER user2 ON ALL +POSTHOOK: type: SHOW_GRANT +default table_priv_rev user2 USER INSERT false -1 user1 PREHOOK: query: -- grant select privilege to user2, with grant option GRANT SELECT ON table_priv_rev TO USER user2 WITH GRANT OPTION PREHOOK: type: GRANT_PRIVILEGE @@ -111,6 +121,13 @@ POSTHOOK: type: SHOW_GRANT default table_priv_rev user2 USER DELETE false -1 user1 default table_priv_rev user2 USER INSERT false -1 user1 default table_priv_rev user2 USER SELECT true -1 user1 +PREHOOK: query: SHOW GRANT USER user2 ON ALL +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: SHOW GRANT USER user2 ON ALL +POSTHOOK: type: SHOW_GRANT +default table_priv_rev user2 USER DELETE false -1 user1 +default table_priv_rev user2 USER INSERT false -1 user1 +default table_priv_rev user2 USER SELECT true -1 user1 PREHOOK: query: -- revoke DELETE privilege from user2 REVOKE DELETE ON TABLE table_priv_rev FROM USER user2 PREHOOK: type: REVOKE_PRIVILEGE 
@@ -150,6 +167,10 @@ PREHOOK: query: SHOW GRANT USER user2 ON TABLE table_priv_rev PREHOOK: type: SHOW_GRANT POSTHOOK: query: SHOW GRANT USER user2 ON TABLE table_priv_rev POSTHOOK: type: SHOW_GRANT +PREHOOK: query: SHOW GRANT USER user2 ON ALL +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: SHOW GRANT USER user2 ON ALL +POSTHOOK: type: SHOW_GRANT PREHOOK: query: -- grant all followed by revoke all GRANT ALL ON table_priv_rev TO USER user2 PREHOOK: type: GRANT_PRIVILEGE diff --git a/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out b/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out index c0647af..89186a5 100644 --- a/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out +++ b/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out @@ -23,6 +23,22 @@ create view vt2 as select * from t1 where i > 1 POSTHOOK: type: CREATEVIEW POSTHOOK: Input: default@t1 POSTHOOK: Output: default@vt2 +PREHOOK: query: show grant user user1 on all +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user user1 on all +POSTHOOK: type: SHOW_GRANT +default t1 user1 USER DELETE true -1 user1 +default t1 user1 USER INSERT true -1 user1 +default t1 user1 USER SELECT true -1 user1 +default t1 user1 USER UPDATE true -1 user1 +default vt1 user1 USER DELETE true -1 user1 +default vt1 user1 USER INSERT true -1 user1 +default vt1 user1 USER SELECT true -1 user1 +default vt1 user1 USER UPDATE true -1 user1 +default vt2 user1 USER DELETE true -1 user1 +default vt2 user1 USER INSERT true -1 user1 +default vt2 user1 USER SELECT true -1 user1 +default vt2 user1 USER UPDATE true -1 user1 PREHOOK: query: --view grant to user -- try with and without table keyword 
@@ -75,6 +91,15 @@ default vt2 user2 USER DELETE false -1 user1 default vt2 user2 USER INSERT false -1 user1 default vt2 user2 USER SELECT false -1 user1 default vt2 user2 USER UPDATE false -1 user1 +PREHOOK: query: show grant user user2 on all +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user user2 on all +POSTHOOK: type: SHOW_GRANT +default vt1 user2 USER SELECT false -1 user1 +default vt2 user2 USER DELETE false -1 user1 +default vt2 user2 USER INSERT false -1 user1 +default vt2 user2 USER SELECT false -1 user1 +default vt2 user2 USER UPDATE false -1 user1 PREHOOK: query: revoke all on vt2 from user user2 PREHOOK: type: REVOKE_PRIVILEGE PREHOOK: Output: default@vt2 @@ -95,6 +120,10 @@ PREHOOK: query: show grant user user2 on table vt1 PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user user2 on table vt1 POSTHOOK: type: SHOW_GRANT +PREHOOK: query: show grant user user2 on all +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user user2 on all +POSTHOOK: type: SHOW_GRANT PREHOOK: query: -- grant privileges on roles for view, after next statement show grant user user3 on table vt1 PREHOOK: type: SHOW_GRANT