diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveLexer.g b/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveLexer.g index cdfa300..b8de58c 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveLexer.g +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveLexer.g @@ -41,6 +41,8 @@ import org.apache.hadoop.hive.conf.HiveConf; KW_TRUE : 'TRUE'; KW_FALSE : 'FALSE'; KW_ALL : 'ALL'; +KW_NONE: 'NONE'; +KW_DEFAULT : 'DEFAULT'; KW_AND : 'AND'; KW_OR : 'OR'; KW_NOT : 'NOT' | '!'; diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g b/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g index a74da0e..f272cbb 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g @@ -352,6 +352,8 @@ import java.util.HashMap; xlateMap.put("KW_TRUE", "TRUE"); xlateMap.put("KW_FALSE", "FALSE"); xlateMap.put("KW_ALL", "ALL"); + xlateMap.put("KW_NONE", "NONE"); + xlateMap.put("KW_DEFAULT", "DEFAULT"); xlateMap.put("KW_AND", "AND"); xlateMap.put("KW_OR", "OR"); xlateMap.put("KW_NOT", "NOT"); diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g b/ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g index 53a461f..81ca600 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g @@ -538,5 +538,5 @@ functionIdentifier nonReserved : - KW_TRUE | KW_FALSE | KW_LIKE | KW_EXISTS | KW_ASC | KW_DESC | KW_ORDER | KW_GROUP | KW_BY | KW_AS | KW_INSERT | KW_OVERWRITE | KW_OUTER | KW_LEFT | KW_RIGHT | KW_FULL | KW_PARTITION | KW_PARTITIONS | KW_TABLE | KW_TABLES | KW_COLUMNS | KW_INDEX | KW_INDEXES | KW_REBUILD | KW_FUNCTIONS | KW_SHOW | KW_MSCK | KW_REPAIR | KW_DIRECTORY | KW_LOCAL | KW_USING | KW_CLUSTER | KW_DISTRIBUTE | KW_SORT | KW_UNION | KW_LOAD | KW_EXPORT | KW_IMPORT | KW_DATA | KW_INPATH | KW_IS | KW_NULL | KW_CREATE | KW_EXTERNAL | KW_ALTER | KW_CHANGE | KW_FIRST | KW_AFTER | KW_DESCRIBE | KW_DROP | KW_RENAME | KW_IGNORE | KW_PROTECTION | KW_TO | KW_COMMENT | KW_BOOLEAN | KW_TINYINT | KW_SMALLINT | KW_INT | KW_BIGINT | KW_FLOAT | KW_DOUBLE | KW_DATE | KW_DATETIME | KW_TIMESTAMP | KW_DECIMAL | KW_STRING | KW_ARRAY | KW_STRUCT | KW_UNIONTYPE | KW_PARTITIONED | KW_CLUSTERED | KW_SORTED | KW_INTO | KW_BUCKETS | KW_ROW | KW_ROWS | KW_FORMAT | KW_DELIMITED | KW_FIELDS | KW_TERMINATED | KW_ESCAPED | KW_COLLECTION | KW_ITEMS | KW_KEYS | KW_KEY_TYPE | KW_LINES | KW_STORED | KW_FILEFORMAT | KW_SEQUENCEFILE | KW_TEXTFILE | KW_RCFILE | KW_ORCFILE | KW_PARQUETFILE | KW_INPUTFORMAT | KW_OUTPUTFORMAT | KW_INPUTDRIVER | KW_OUTPUTDRIVER | KW_OFFLINE | KW_ENABLE | KW_DISABLE | KW_READONLY | KW_NO_DROP | KW_LOCATION | KW_BUCKET | KW_OUT | KW_OF | KW_PERCENT | KW_ADD | KW_REPLACE | KW_RLIKE | KW_REGEXP | KW_TEMPORARY | KW_EXPLAIN | KW_FORMATTED | KW_PRETTY | KW_DEPENDENCY | KW_LOGICAL | KW_SERDE | KW_WITH | KW_DEFERRED | KW_SERDEPROPERTIES | KW_DBPROPERTIES | KW_LIMIT | KW_SET | KW_UNSET | KW_TBLPROPERTIES | KW_IDXPROPERTIES | KW_VALUE_TYPE | KW_ELEM_TYPE | KW_MAPJOIN | KW_STREAMTABLE | KW_HOLD_DDLTIME | KW_CLUSTERSTATUS | KW_UTC | KW_UTCTIMESTAMP | KW_LONG | KW_DELETE | KW_PLUS | KW_MINUS | KW_FETCH | KW_INTERSECT | KW_VIEW | KW_IN | KW_DATABASES | KW_MATERIALIZED | KW_SCHEMA | KW_SCHEMAS | KW_GRANT | KW_REVOKE | KW_SSL | KW_UNDO | KW_LOCK | KW_LOCKS | KW_UNLOCK | KW_SHARED | KW_EXCLUSIVE | KW_PROCEDURE | KW_UNSIGNED | KW_WHILE | KW_READ | KW_READS | KW_PURGE | KW_RANGE | KW_ANALYZE | KW_BEFORE | KW_BETWEEN | KW_BOTH | KW_BINARY | KW_CONTINUE | KW_CURSOR | KW_TRIGGER | KW_RECORDREADER | KW_RECORDWRITER | KW_SEMI | KW_LATERAL | KW_TOUCH | KW_ARCHIVE | KW_UNARCHIVE | KW_COMPUTE | KW_STATISTICS | KW_USE | KW_OPTION | KW_CONCATENATE | KW_SHOW_DATABASE | KW_UPDATE | KW_RESTRICT | KW_CASCADE | KW_SKEWED | KW_ROLLUP | KW_CUBE | KW_DIRECTORIES | KW_FOR | KW_GROUPING | KW_SETS | KW_TRUNCATE | KW_NOSCAN | KW_USER | KW_ROLE | KW_ROLES | KW_INNER | KW_DEFINED | KW_ADMIN | KW_JAR | KW_FILE | KW_OWNER | KW_PRINCIPALS + KW_TRUE | KW_FALSE | KW_LIKE | KW_EXISTS | KW_ASC | KW_DESC | KW_ORDER | KW_GROUP | KW_BY | KW_AS | KW_INSERT | KW_OVERWRITE | KW_OUTER | KW_LEFT | KW_RIGHT | KW_FULL | KW_PARTITION | KW_PARTITIONS | KW_TABLE | KW_TABLES | KW_COLUMNS | KW_INDEX | KW_INDEXES | KW_REBUILD | KW_FUNCTIONS | KW_SHOW | KW_MSCK | KW_REPAIR | KW_DIRECTORY | KW_LOCAL | KW_USING | KW_CLUSTER | KW_DISTRIBUTE | KW_SORT | KW_UNION | KW_LOAD | KW_EXPORT | KW_IMPORT | KW_DATA | KW_INPATH | KW_IS | KW_NULL | KW_CREATE | KW_EXTERNAL | KW_ALTER | KW_CHANGE | KW_FIRST | KW_AFTER | KW_DESCRIBE | KW_DROP | KW_RENAME | KW_IGNORE | KW_PROTECTION | KW_TO | KW_COMMENT | KW_BOOLEAN | KW_TINYINT | KW_SMALLINT | KW_INT | KW_BIGINT | KW_FLOAT | KW_DOUBLE | KW_DATE | KW_DATETIME | KW_TIMESTAMP | KW_DECIMAL | KW_STRING | KW_ARRAY | KW_STRUCT | KW_UNIONTYPE | KW_PARTITIONED | KW_CLUSTERED | KW_SORTED | KW_INTO | KW_BUCKETS | KW_ROW | KW_ROWS | KW_FORMAT | KW_DELIMITED | KW_FIELDS | KW_TERMINATED | KW_ESCAPED | KW_COLLECTION | KW_ITEMS | KW_KEYS | KW_KEY_TYPE | KW_LINES | KW_STORED | KW_FILEFORMAT | KW_SEQUENCEFILE | KW_TEXTFILE | KW_RCFILE | KW_ORCFILE | KW_PARQUETFILE | KW_INPUTFORMAT | KW_OUTPUTFORMAT | KW_INPUTDRIVER | KW_OUTPUTDRIVER | KW_OFFLINE | KW_ENABLE | KW_DISABLE | KW_READONLY | KW_NO_DROP | KW_LOCATION | KW_BUCKET | KW_OUT | KW_OF | KW_PERCENT | KW_ADD | KW_REPLACE | KW_RLIKE | KW_REGEXP | KW_TEMPORARY | KW_EXPLAIN | KW_FORMATTED | KW_PRETTY | KW_DEPENDENCY | KW_LOGICAL | KW_SERDE | KW_WITH | KW_DEFERRED | KW_SERDEPROPERTIES | KW_DBPROPERTIES | KW_LIMIT | KW_SET | KW_UNSET | KW_TBLPROPERTIES | KW_IDXPROPERTIES | KW_VALUE_TYPE | KW_ELEM_TYPE | KW_MAPJOIN | KW_STREAMTABLE | KW_HOLD_DDLTIME | KW_CLUSTERSTATUS | KW_UTC | KW_UTCTIMESTAMP | KW_LONG | KW_DELETE | KW_PLUS | KW_MINUS | KW_FETCH | KW_INTERSECT | KW_VIEW | KW_IN | KW_DATABASES | KW_MATERIALIZED | KW_SCHEMA | KW_SCHEMAS | KW_GRANT | KW_REVOKE | KW_SSL | KW_UNDO | KW_LOCK | KW_LOCKS | KW_UNLOCK | KW_SHARED | KW_EXCLUSIVE | KW_PROCEDURE | KW_UNSIGNED | KW_WHILE | KW_READ | KW_READS | KW_PURGE | KW_RANGE | KW_ANALYZE | KW_BEFORE | KW_BETWEEN | KW_BOTH | KW_BINARY | KW_CONTINUE | KW_CURSOR | KW_TRIGGER | KW_RECORDREADER | KW_RECORDWRITER | KW_SEMI | KW_LATERAL | KW_TOUCH | KW_ARCHIVE | KW_UNARCHIVE | KW_COMPUTE | KW_STATISTICS | KW_USE | KW_OPTION | KW_CONCATENATE | KW_SHOW_DATABASE | KW_UPDATE | KW_RESTRICT | KW_CASCADE | KW_SKEWED | KW_ROLLUP | KW_CUBE | KW_DIRECTORIES | KW_FOR | KW_GROUPING | KW_SETS | KW_TRUNCATE | KW_NOSCAN | KW_USER | KW_ROLE | KW_ROLES | KW_INNER | KW_DEFINED | KW_ADMIN | KW_JAR | KW_FILE | KW_OWNER | KW_PRINCIPALS | KW_ALL | KW_DEFAULT | KW_NONE ; diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java index f69e41b..cb53873 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java @@ -17,6 +17,8 @@ */ package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd; +import com.google.common.collect.ImmutableSet; + import java.util.ArrayList; import java.util.HashMap; import java.util.HashSet; @@ -62,6 +64,9 @@ @Private public class SQLStdHiveAccessController implements HiveAccessController { + private static final String ALL = "ALL", DEFAULT = "DEFAULT", NONE = "NONE"; + private static final ImmutableSet RESERVED_ROLE_NAMES = ImmutableSet.of(ALL, DEFAULT, NONE); + private final HiveMetastoreClientFactory metastoreClientFactory; private final HiveAuthenticationProvider authenticator; private String currentUserName; @@ -176,7 +181,7 @@ public void grantPrivileges(List hivePrincipals, private List expandAllPrivileges(List hivePrivileges) { Set hivePrivSet = new HashSet(); for (HivePrivilege hivePrivilege : hivePrivileges) { - if (hivePrivilege.getName().equals("ALL")) { + if (hivePrivilege.getName().equals(ALL)) { // expand to all supported privileges for (SQLPrivilegeType privType : SQLPrivilegeType.values()) { hivePrivSet.add(new HivePrivilege(privType.name(), hivePrivilege.getColumns())); @@ -267,6 +272,10 @@ public void createRole(String roleName, HivePrincipal adminGrantor) throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + " allowed to add roles. " + ADMIN_ONLY_MSG); } + if (RESERVED_ROLE_NAMES.contains(roleName.trim().toUpperCase())) { + throw new HiveAuthzPluginException("Role name cannot be one of the reserved roles: " + + RESERVED_ROLE_NAMES); + } try { String grantorName = adminGrantor == null ? null : adminGrantor.getName(); metastoreClientFactory.getHiveMetastoreClient().create_role( @@ -462,8 +471,8 @@ public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException { initUserRoles(); - if ("NONE".equalsIgnoreCase(roleName)) { - // for set role NONE, reset roles to default roles. + if (ALL.equalsIgnoreCase(roleName)) { + // for set role ALL, reset roles to default roles. currentRoles.clear(); currentRoles.addAll(getRolesFromMS()); return; diff --git a/ql/src/test/queries/clientnegative/authorization_cannot_create_all_role.q b/ql/src/test/queries/clientnegative/authorization_cannot_create_all_role.q new file mode 100644 index 0000000..4422585 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_cannot_create_all_role.q @@ -0,0 +1,6 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set user.name=hive_admin_user; +set role ADMIN; +create role all; diff --git a/ql/src/test/queries/clientnegative/authorization_cannot_create_default_role.q b/ql/src/test/queries/clientnegative/authorization_cannot_create_default_role.q new file mode 100644 index 0000000..e07cf3d --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_cannot_create_default_role.q @@ -0,0 +1,6 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set user.name=hive_admin_user; +set role ADMIN; +create role default; diff --git a/ql/src/test/queries/clientnegative/authorization_cannot_create_none_role.q b/ql/src/test/queries/clientnegative/authorization_cannot_create_none_role.q new file mode 100644 index 0000000..4e68920 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_cannot_create_none_role.q @@ -0,0 +1,6 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set user.name=hive_admin_user; +set role ADMIN; +create role None; diff --git a/ql/src/test/queries/clientnegative/authorization_disallow_transform.q b/ql/src/test/queries/clientnegative/authorization_disallow_transform.q index bae8dc0..da5f0c68 100644 --- a/ql/src/test/queries/clientnegative/authorization_disallow_transform.q +++ b/ql/src/test/queries/clientnegative/authorization_disallow_transform.q @@ -1,3 +1,3 @@ set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; -set role NONE; +set role ALL; SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM src; diff --git a/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q b/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q index 80346d4..f7263a2 100644 --- a/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q +++ b/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q @@ -5,6 +5,6 @@ set user.name=hive_admin_user; set role ADMIN; show current roles; create role r1; -set role NONE; +set role ALL; show current roles; drop role r1; diff --git a/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q b/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q index 7fe8e29..016378d 100644 --- a/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q +++ b/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q @@ -13,7 +13,7 @@ show current roles; set role PUBLIC; show current roles; -set role NONE; +set role ALL; show current roles; set role ADMIN; diff --git a/ql/src/test/results/clientnegative/authorization_cannot_create_all_role.q.out b/ql/src/test/results/clientnegative/authorization_cannot_create_all_role.q.out new file mode 100644 index 0000000..99f20bd --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_cannot_create_all_role.q.out @@ -0,0 +1,7 @@ +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: create role all +PREHOOK: type: CREATEROLE +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Role name cannot be one of the reserved roles: [ALL, DEFAULT, NONE] diff --git a/ql/src/test/results/clientnegative/authorization_cannot_create_default_role.q.out b/ql/src/test/results/clientnegative/authorization_cannot_create_default_role.q.out new file mode 100644 index 0000000..f328beb --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_cannot_create_default_role.q.out @@ -0,0 +1,7 @@ +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: create role default +PREHOOK: type: CREATEROLE +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Role name cannot be one of the reserved roles: [ALL, DEFAULT, NONE] diff --git a/ql/src/test/results/clientnegative/authorization_cannot_create_none_role.q.out b/ql/src/test/results/clientnegative/authorization_cannot_create_none_role.q.out new file mode 100644 index 0000000..4808433 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_cannot_create_none_role.q.out @@ -0,0 +1,7 @@ +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: create role None +PREHOOK: type: CREATEROLE +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Role name cannot be one of the reserved roles: [ALL, DEFAULT, NONE] diff --git a/ql/src/test/results/clientnegative/authorization_disallow_transform.q.out b/ql/src/test/results/clientnegative/authorization_disallow_transform.q.out index 044b19e..39819b6 100644 --- a/ql/src/test/results/clientnegative/authorization_disallow_transform.q.out +++ b/ql/src/test/results/clientnegative/authorization_disallow_transform.q.out @@ -1,6 +1,6 @@ -PREHOOK: query: set role NONE +PREHOOK: query: set role ALL PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role NONE +POSTHOOK: query: set role ALL POSTHOOK: type: SHOW_ROLES PREHOOK: query: SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM src PREHOOK: type: QUERY diff --git a/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out b/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out index d2cc1dd..c03876d 100644 --- a/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out +++ b/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out @@ -12,9 +12,9 @@ PREHOOK: query: create role r1 PREHOOK: type: CREATEROLE POSTHOOK: query: create role r1 POSTHOOK: type: CREATEROLE -PREHOOK: query: set role NONE +PREHOOK: query: set role ALL PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role NONE +POSTHOOK: query: set role ALL POSTHOOK: type: SHOW_ROLES PREHOOK: query: show current roles PREHOOK: type: SHOW_ROLES diff --git a/ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out b/ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out index 5c39a06..d5fbc48 100644 --- a/ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out +++ b/ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out @@ -36,9 +36,9 @@ POSTHOOK: query: show current roles POSTHOOK: type: SHOW_ROLES PUBLIC -PREHOOK: query: set role NONE +PREHOOK: query: set role ALL PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role NONE +POSTHOOK: query: set role ALL POSTHOOK: type: SHOW_ROLES PREHOOK: query: show current roles PREHOOK: type: SHOW_ROLES