diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java
index 42df435..8e8f726 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java
@@ -890,6 +890,9 @@ private HivePrivilegeObjectType getPrivObjectType(PrivilegeObjectDesc privSubjec
   }
 
   private HivePrincipal getHivePrincipal(PrincipalDesc principal) throws HiveException {
+    if (principal == null) {
+      return null;
+    }
     return new HivePrincipal(principal.getName(),
         AuthorizationUtils.getHivePrincipalType(principal.getType()));
   }
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java
index 5e2d12c..a95d784 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java
@@ -153,6 +153,9 @@ public static HiveObjectType getThriftHiveObjType(HivePrivilegeObjectType type)
    * @throws HiveException
    */
   public static HiveObjectRef getThriftHiveObjectRef(HivePrivilegeObject privObj) throws HiveException {
+    if (privObj == null) {
+      return null;
+    }
     HiveObjectType objType = getThriftHiveObjType(privObj.getType());
     return new HiveObjectRef(objType, privObj.getDbname(), privObj.getTableViewURI(), null, null);
   }
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
index f858d66..5b24578 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
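Review bot: The early return added to getHivePrincipal makes a null result part of the method's contract, but nothing says what a null PrincipalDesc means to callers; the same null passthrough is added to getThriftHiveObjectRef in the AuthorizationUtils hunk, whose existing Javadoc (the `@throws HiveException` just above the signature) still has no `@return`. Add `/** @return the plugin-level principal, or {@code null} when {@code principal} is null, i.e. no principal filter (as in 'show grant on table'). */` above getHivePrincipal, and a matching `@return the thrift object reference, or {@code null} when {@code privObj} is null` line to the AuthorizationUtils Javadoc. Both methods sit on the authorization path, so a later caller that dereferences the result without a null check fails at runtime far from the call that supplied the null; the Javadoc is what makes the new contract visible. The .q.out hunks in this commit show that the principal-less form lists rows for every grantee (user1 and role_v on vt2), which is the behavior the null is meant to select.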
@@ -17,8 +17,6 @@ */ package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd; -import com.google.common.collect.ImmutableSet; - import java.util.ArrayList; import java.util.HashMap; import java.util.HashSet; @@ -56,6 +54,8 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant; import org.apache.thrift.TException; +import com.google.common.collect.ImmutableSet; + /** * Implements functionality of access control statements for sql standard based * authorization @@ -368,9 +368,13 @@ public void revokeRole(List hivePrincipals, List roleName try { IMetaStoreClient mClient = metastoreClientFactory.getHiveMetastoreClient(); List resPrivInfos = new ArrayList(); + String principalName = principal == null ? null : principal.getName(); + PrincipalType principalType = principal == null ? null : + AuthorizationUtils.getThriftPrincipalType(principal.getType()); + // get metastore/thrift privilege object using metastore api - List msObjPrivs = mClient.list_privileges(principal.getName(), - AuthorizationUtils.getThriftPrincipalType(principal.getType()), + List msObjPrivs = mClient.list_privileges(principalName, + principalType, SQLAuthorizationUtils.getThriftHiveObjectRef(privObj)); diff --git a/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q b/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q index 915237a..fdbeed4 100644 --- a/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q +++ b/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q @@ -4,7 +4,10 @@ set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.Sessi set hive.security.authorization.enabled=true; set user.name=user1; +-- Test view authorization , and 'show grant' variants + create table t1(i int, j int, k int); +show grant on table t1; -- protecting certain columns create view vt1 as select i,k from t1; 
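Review bot: With principalName and principalType now nullable, the list_privileges call at the end of the hunk asks the metastore for every grantee's privileges on privObj, and if the object reference is also null (SQLAuthorizationUtils.getThriftHiveObjectRef is not shown; the AuthorizationUtils change in this commit does pass null through) the request becomes unfiltered across the whole metastore. The hunk adds no check that at least one of principal or privObj is present, and does not show whether the unfiltered listing is restricted to admins or object owners; if the statement grammar can reach this method with both absent, a guard such as `if (principal == null && privObj == null) { /* reject: show grant needs a principal or an object */ }` — or a documented admin-only path — is worth adding. At minimum, state the intent above the two ternaries: `// null principal = no principal filter: list grants for every grantee on privObj`. The enclosing method's signature and the rest of its body are outside the hunk.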
@@ -36,6 +39,9 @@ show grant user user2 on all; revoke all on vt2 from user user2; show grant user user2 on table vt2; +show grant on table vt2; + + revoke select on table vt1 from user user2; show grant user user2 on table vt1; @@ -57,3 +63,4 @@ show grant role role_v on table vt2; revoke delete on table vt2 from role role_v; show grant role role_v on table vt2; +show grant on table vt2; diff --git a/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out b/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out index 89186a5..0a986e6 100644 --- a/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out +++ b/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out @@ -1,10 +1,22 @@ -PREHOOK: query: create table t1(i int, j int, k int) +PREHOOK: query: -- Test view authorization , and 'show grant' variants + +create table t1(i int, j int, k int) PREHOOK: type: CREATETABLE PREHOOK: Output: database:default -POSTHOOK: query: create table t1(i int, j int, k int) +POSTHOOK: query: -- Test view authorization , and 'show grant' variants + +create table t1(i int, j int, k int) POSTHOOK: type: CREATETABLE POSTHOOK: Output: database:default POSTHOOK: Output: default@t1 +PREHOOK: query: show grant on table t1 +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant on table t1 +POSTHOOK: type: SHOW_GRANT +default t1 user1 USER DELETE true -1 user1 +default t1 user1 USER INSERT true -1 user1 +default t1 user1 USER SELECT true -1 user1 +default t1 user1 USER UPDATE true -1 user1 PREHOOK: query: -- protecting certain columns create view vt1 as select i,k from t1 PREHOOK: type: CREATEVIEW 
@@ -110,6 +122,14 @@ PREHOOK: query: show grant user user2 on table vt2
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user user2 on table vt2
 POSTHOOK: type: SHOW_GRANT
+PREHOOK: query: show grant on table vt2
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant on table vt2
+POSTHOOK: type: SHOW_GRANT
+default vt2 user1 USER DELETE true -1 user1
+default vt2 user1 USER INSERT true -1 user1
+default vt2 user1 USER SELECT true -1 user1
+default vt2 user1 USER UPDATE true -1 user1
 PREHOOK: query: revoke select on table vt1 from user user2
 PREHOOK: type: REVOKE_PRIVILEGE
 PREHOOK: Output: default@vt1
@@ -190,3 +210,14 @@ POSTHOOK: type: SHOW_GRANT
 default vt2 role_v ROLE INSERT false -1 hive_admin_user
 default vt2 role_v ROLE SELECT false -1 hive_admin_user
 default vt2 role_v ROLE UPDATE false -1 hive_admin_user
+PREHOOK: query: show grant on table vt2
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant on table vt2
+POSTHOOK: type: SHOW_GRANT
+default vt2 role_v ROLE INSERT false -1 hive_admin_user
+default vt2 role_v ROLE SELECT false -1 hive_admin_user
+default vt2 role_v ROLE UPDATE false -1 hive_admin_user
+default vt2 user1 USER DELETE true -1 user1
+default vt2 user1 USER INSERT true -1 user1
+default vt2 user1 USER SELECT true -1 user1
+default vt2 user1 USER UPDATE true -1 user1