diff --git metastore/if/hive_metastore.thrift metastore/if/hive_metastore.thrift index b3f01d6..be14acc 100755 --- metastore/if/hive_metastore.thrift +++ metastore/if/hive_metastore.thrift @@ -138,16 +138,6 @@ struct Role { 1: string roleName, 2: i32 createTime, 3: string ownerName, - - // Following fields are populated by list_roles - // They are ignored during other commands such as role creation - // See RolePrincipalGrant which gives a 'normalized' representation - // of this information - 4: optional string principalName, - 5: optional string principalType, - 6: optional bool grantOption, - 7: optional i32 grantTime, - 8: optional string grantor } // Representation of a grant for a principal to a role @@ -161,12 +151,21 @@ struct RolePrincipalGrant { 7: PrincipalType grantorPrincipalType } +struct GetRoleGrantsForPrincipalRequest { + 1: required string principal_name, + 2: required PrincipalType principal_type +} + +struct GetRoleGrantsForPrincipalResponse { + 1: required list principalGrants; +} + struct GetPrincipalsInRoleRequest { - 1: string roleName; + 1: required string roleName; } struct GetPrincipalsInRoleResponse { - 1: list principalGrants; + 1: required list principalGrants; } // namespace for tables 
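Review bot: Field ids 4–8 are removed from `Role` with no marker left behind, and `roleName` / `principalGrants` in the existing `GetPrincipalsInRole*` structs become `required`. Thrift field ids are a wire contract: a peer built from the older IDL still sends or expects 4–8, and a later field that reuses one of those ids would be misread by that peer. I would leave a comment in the struct such as `// ids 4-8 retired (former list_roles grant fields); do not reuse`. The `required` change also makes a metastore and client from different builds reject each other's messages whenever the field is unset, so it is worth confirming these structs have not shipped in a release yet.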
@@ -945,6 +944,11 @@ service ThriftHiveMetastore extends fb303.FacebookService // redundant as it would match the role_name argument of this function GetPrincipalsInRoleResponse get_principals_in_role(1: GetPrincipalsInRoleRequest request) throws(1:MetaException o1) + // get grant information of all roles granted to the given principal + // Note that in the returned list of RolePrincipalGrants, the principal name,type is + // redundant as it would match the principal name,type arguments of this function + GetRoleGrantsForPrincipalResponse get_role_grants_for_principal(1: GetRoleGrantsForPrincipalRequest request) throws(1:MetaException o1) + PrincipalPrivilegeSet get_privilege_set(1:HiveObjectRef hiveObject, 2:string user_name, 3: list group_names) throws(1:MetaException o1) list list_privileges(1:string principal_name, 2:PrincipalType principal_type, diff --git metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java index d5c7ba7..6c67996 100644 --- metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java +++ metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java @@ -80,6 +80,8 @@ import org.apache.hadoop.hive.metastore.api.GetOpenTxnsResponse; import org.apache.hadoop.hive.metastore.api.GetPrincipalsInRoleRequest; import org.apache.hadoop.hive.metastore.api.GetPrincipalsInRoleResponse; +import org.apache.hadoop.hive.metastore.api.GetRoleGrantsForPrincipalRequest; +import org.apache.hadoop.hive.metastore.api.GetRoleGrantsForPrincipalResponse; import org.apache.hadoop.hive.metastore.api.HeartbeatRequest; import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege; import org.apache.hadoop.hive.metastore.api.HiveObjectRef; 
@@ -4013,11 +4015,6 @@ private boolean isNewRoleAParent(String newRole, String curRole) throws MetaExce for (MRoleMap roleMap : roleMaps) { MRole mrole = roleMap.getRole(); Role role = new Role(mrole.getRoleName(), mrole.getCreateTime(), mrole.getOwnerName()); - role.setPrincipalName(roleMap.getPrincipalName()); - role.setPrincipalType(roleMap.getPrincipalType()); - role.setGrantOption(roleMap.getGrantOption()); - role.setGrantTime(roleMap.getAddTime()); - role.setGrantor(roleMap.getGrantor()); result.add(role); } } @@ -4887,33 +4884,10 @@ public GetPrincipalsInRoleResponse get_principals_in_role(GetPrincipalsInRoleReq throws MetaException, TException { incrementCounter("get_principals_in_role"); - String role_name = request.getRoleName(); - List rolePrinGrantList = new ArrayList(); Exception ex = null; + List roleMaps = null; try { - List roleMaps = getMS().listRoleMembers(role_name); - if (roleMaps != null) { - //convert each MRoleMap object into a thrift RolePrincipalGrant object - for (MRoleMap roleMap : roleMaps) { - String mapRoleName = roleMap.getRole().getRoleName(); - if (!role_name.equals(mapRoleName)) { - // should not happen - throw new AssertionError("Role name " + mapRoleName + " does not match role name arg " - + role_name); - } - RolePrincipalGrant rolePrinGrant = new RolePrincipalGrant( - role_name, - roleMap.getPrincipalName(), - PrincipalType.valueOf(roleMap.getPrincipalType()), - roleMap.getGrantOption(), - roleMap.getAddTime(), - roleMap.getGrantor(), - PrincipalType.valueOf(roleMap.getGrantorType()) - ); - rolePrinGrantList.add(rolePrinGrant); - } - } - + roleMaps = getMS().listRoleMembers(request.getRoleName()); } catch (MetaException e) { throw e; } catch (Exception e) { 
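Review bot: The MRoleMap-to-RolePrincipalGrant conversion has moved out of the `try` in `get_principals_in_role`: only `listRoleMembers` stays inside, and `getRolePrincipalGrants(roleMaps)` runs after the `finally` (in the next hunk, where `get_role_grants_for_principal` does the same). `PrincipalType.valueOf(roleMap.getGrantorType())` throws on a null or unrecognised stored value, and that exception now escapes without passing through `rethrowException`, after `endFunction` has already recorded the call as successful. I would keep the conversion inside the `try`, e.g. `grants = getRolePrincipalGrants(getMS().listRoleMembers(request.getRoleName()));`, so failures are wrapped and reported consistently. The hunk also drops the check that each returned row's role name matches the requested one. The method's tail lies in the following hunk.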
@@ -4922,10 +4896,59 @@ public GetPrincipalsInRoleResponse get_principals_in_role(GetPrincipalsInRoleReq } finally { endFunction("get_principals_in_role", ex == null, ex); } - return new GetPrincipalsInRoleResponse(rolePrinGrantList); + return new GetPrincipalsInRoleResponse(getRolePrincipalGrants(roleMaps)); } - } + @Override + public GetRoleGrantsForPrincipalResponse get_role_grants_for_principal( + GetRoleGrantsForPrincipalRequest request) throws MetaException, TException { + + incrementCounter("get_role_grants_for_principal"); + Exception ex = null; + List roleMaps = null; + try { + roleMaps = getMS().listRoles(request.getPrincipal_name(), request.getPrincipal_type()); + } catch (MetaException e) { + throw e; + } catch (Exception e) { + ex = e; + rethrowException(e); + } finally { + endFunction("get_role_grants_for_principal", ex == null, ex); + } + + List roleGrantsList = getRolePrincipalGrants(roleMaps); + // all users by default belongs to public role + roleGrantsList.add(new RolePrincipalGrant(PUBLIC, request.getPrincipal_name(), request + .getPrincipal_type(), false, 0, null, null)); + return new GetRoleGrantsForPrincipalResponse(roleGrantsList); + } + + /** + * Convert each MRoleMap object into a thrift RolePrincipalGrant object + * @param roleMaps + * @return + */ + private List getRolePrincipalGrants(List roleMaps) { + List rolePrinGrantList = new ArrayList(); + if (roleMaps != null) { + for (MRoleMap roleMap : roleMaps) { + RolePrincipalGrant rolePrinGrant = new RolePrincipalGrant( + roleMap.getRole().getRoleName(), + roleMap.getPrincipalName(), + PrincipalType.valueOf(roleMap.getPrincipalType()), + roleMap.getGrantOption(), + roleMap.getAddTime(), + roleMap.getGrantor(), + PrincipalType.valueOf(roleMap.getGrantorType()) + ); + rolePrinGrantList.add(rolePrinGrant); + } + } + return rolePrinGrantList; + } + + } public static IHMSHandler newHMSHandler(String name, HiveConf hiveConf) throws MetaException { return RetryingHMSHandler.getProxy(hiveConf, 
name); diff --git metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java index 0550589..6c53e05 100644 --- metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java +++ metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java @@ -71,6 +71,8 @@ import org.apache.hadoop.hive.metastore.api.GetOpenTxnsResponse; import org.apache.hadoop.hive.metastore.api.GetPrincipalsInRoleRequest; import org.apache.hadoop.hive.metastore.api.GetPrincipalsInRoleResponse; +import org.apache.hadoop.hive.metastore.api.GetRoleGrantsForPrincipalRequest; +import org.apache.hadoop.hive.metastore.api.GetRoleGrantsForPrincipalResponse; import org.apache.hadoop.hive.metastore.api.HeartbeatRequest; import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege; import org.apache.hadoop.hive.metastore.api.HiveObjectRef; @@ -1462,6 +1464,12 @@ public GetPrincipalsInRoleResponse get_principals_in_role(GetPrincipalsInRoleReq } @Override + public GetRoleGrantsForPrincipalResponse get_role_grants_for_principal( + GetRoleGrantsForPrincipalRequest getRolePrincReq) throws MetaException, TException { + return client.get_role_grants_for_principal(getRolePrincReq); + } + + @Override public boolean grant_privileges(PrivilegeBag privileges) throws MetaException, TException { return client.grant_privileges(privileges); @@ -1709,4 +1717,5 @@ public Function getFunction(String dbName, String funcName) throws MetaException, TException { return client.get_functions(dbName, pattern); } + } diff --git metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java index 47c49aa..93544d2 100644 --- metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java +++ metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java 
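Review bot: In `get_role_grants_for_principal` the `catch (MetaException e) { throw e; }` branch never assigns `ex`, so `endFunction("get_role_grants_for_principal", ex == null, ex)` reports success for a call that failed with MetaException; `ex = e; throw e;` would keep the end-of-call record accurate for this role-lookup API. Separately, the PUBLIC grant is appended for every request although the comment speaks of users only; if roles and groups are not implicit members of public, guard it with `if (request.getPrincipal_type() == PrincipalType.USER)`. That entry is built with a null grantor and null grantor type, so every consumer of the returned list has to tolerate nulls in those fields.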
@@ -49,6 +49,8 @@ import org.apache.hadoop.hive.metastore.api.GetOpenTxnsResponse; import org.apache.hadoop.hive.metastore.api.GetPrincipalsInRoleRequest; import org.apache.hadoop.hive.metastore.api.GetPrincipalsInRoleResponse; +import org.apache.hadoop.hive.metastore.api.GetRoleGrantsForPrincipalRequest; +import org.apache.hadoop.hive.metastore.api.GetRoleGrantsForPrincipalResponse; import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege; import org.apache.hadoop.hive.metastore.api.HiveObjectRef; import org.apache.hadoop.hive.metastore.api.Index; @@ -1268,6 +1270,18 @@ public IncompatibleMetastoreException(String message) { * @throws MetaException * @throws TException */ - GetPrincipalsInRoleResponse get_principals_in_role(GetPrincipalsInRoleRequest getPrincRoleReq) throws MetaException, - TException; + GetPrincipalsInRoleResponse get_principals_in_role(GetPrincipalsInRoleRequest getPrincRoleReq) + throws MetaException, TException; + + /** + * get all role-grants for roles that have been granted to given principal + * Note that in the returned list of RolePrincipalGrants, the principal information + * redundant as it would match the principal information in request + * @param getRolePrincReq + * @return + * @throws MetaException + * @throws TException + */ + GetRoleGrantsForPrincipalResponse get_role_grants_for_principal( + GetRoleGrantsForPrincipalRequest getRolePrincReq) throws MetaException, TException; } diff --git ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java index e185f12..aab7081 100644 --- ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java +++ ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java 
@@ -74,7 +74,7 @@ import org.apache.hadoop.hive.metastore.api.PrincipalType; import org.apache.hadoop.hive.metastore.api.PrivilegeBag; import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo; -import org.apache.hadoop.hive.metastore.api.Role; +import org.apache.hadoop.hive.metastore.api.RolePrincipalGrant; import org.apache.hadoop.hive.metastore.api.SerDeInfo; import org.apache.hadoop.hive.metastore.api.ShowCompactResponse; import org.apache.hadoop.hive.metastore.api.ShowCompactResponseElement; @@ -172,7 +172,6 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRole; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant; import org.apache.hadoop.hive.ql.session.SessionState; import org.apache.hadoop.hive.serde.serdeConstants; @@ -933,8 +932,8 @@ private int roleDDL(RoleDDLDesc roleDDLDesc) throws HiveException, IOException { db.dropRole(roleDDLDesc.getName()); } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLE_GRANT)) { boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); - List roles = db.showRoleGrant(roleDDLDesc.getName(), roleDDLDesc.getPrincipalType()); - writeToFile(writeRoleInfo(roles, testMode), roleDDLDesc.getResFile()); + List roleGrants = db.getRoleGrantInfoForPrincipal(roleDDLDesc.getName(), roleDDLDesc.getPrincipalType()); + writeToFile(writeRoleGrantsInfo(roleGrants, testMode), roleDDLDesc.getResFile()); } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLES)) { List roleNames = db.getAllRoleNames(); //sort the list to get sorted (deterministic) output (for ease of testing) 
@@ -984,20 +983,16 @@ private int roleDDLV2(RoleDDLDesc roleDDLDesc) throws HiveException, IOException break; case SHOW_ROLE_GRANT: boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); - List roles = authorizer.getRoles(new HivePrincipal(roleDDLDesc.getName(), - getHivePrincipalType(roleDDLDesc.getPrincipalType()))); - writeToFile(writeHiveRoleInfo(roles, testMode), roleDDLDesc.getResFile()); + List roles = authorizer.getRoleGrantInfoForPrincipal( + new HivePrincipal(roleDDLDesc.getName(), getHivePrincipalType(roleDDLDesc.getPrincipalType()))); + writeToFile(writeRolesGrantedInfo(roles, testMode), roleDDLDesc.getResFile()); break; case SHOW_ROLES: List allRoles = authorizer.getAllRoles(); writeListToFileAfterSort(allRoles, roleDDLDesc.getResFile()); break; case SHOW_CURRENT_ROLE: - List currentRoles = authorizer.getCurrentRoles(); - List roleNames = new ArrayList(currentRoles.size()); - for (HiveRole role : currentRoles) { - roleNames.add(role.getRoleName()); - } + List roleNames = authorizer.getCurrentRoleNames(); writeListToFileAfterSort(roleNames, roleDDLDesc.getResFile()); break; case SET_ROLE: @@ -1005,7 +1000,7 @@ private int roleDDLV2(RoleDDLDesc roleDDLDesc) throws HiveException, IOException break; case SHOW_ROLE_PRINCIPALS: testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); - List roleGrants = authorizer.getPrincipalsInRoleInfo(roleDDLDesc.getName()); + List roleGrants = authorizer.getPrincipalGrantInfoForRole(roleDDLDesc.getName()); writeToFile(writeHiveRoleGrantInfo(roleGrants, testMode), roleDDLDesc.getResFile()); break; default: @@ -2814,7 +2809,7 @@ private int showCompactions(ShowCompactionsDesc desc) throws HiveException { LOG.warn("show compactions: " + stringifyException(e)); return 1; } finally { - IOUtils.closeStream((FSDataOutputStream)os); + IOUtils.closeStream(os); } return 0; } 
@@ -2855,7 +2850,7 @@ private int showTxns(ShowTxnsDesc desc) throws HiveException {
 LOG.warn("show transactions: " + stringifyException(e));
 return 1;
 } finally {
- IOUtils.closeStream((FSDataOutputStream)os);
+ IOUtils.closeStream(os);
 }
 return 0;
 }
@@ -3412,37 +3407,31 @@ static String writeGrantInfo(List privileges, boolean testM return builder.toString(); } - static String writeRoleInfo(List roles, boolean testMode) { - if (roles == null || roles.isEmpty()) { + static String writeRoleGrantsInfo(List roleGrants, boolean testMode) { + if (roleGrants == null || roleGrants.isEmpty()) { return ""; } StringBuilder builder = new StringBuilder(); //sort the list to get sorted (deterministic) output (for ease of testing) - Collections.sort(roles); - for (Role role : roles) { - appendNonNull(builder, role.getRoleName(), true); - appendNonNull(builder, testMode ? -1 : role.getCreateTime() * 1000L); - appendNonNull(builder, role.getPrincipalName()); - appendNonNull(builder, role.getPrincipalType()); - appendNonNull(builder, role.isGrantOption()); - appendNonNull(builder, testMode ? -1 : role.getGrantTime() * 1000L); - appendNonNull(builder, role.getGrantor()); + Collections.sort(roleGrants); + for (RolePrincipalGrant roleGrant : roleGrants) { + appendNonNull(builder, roleGrant.getRoleName(), true); + appendNonNull(builder, roleGrant.isGrantOption()); + appendNonNull(builder, testMode ? -1 : roleGrant.getGrantTime() * 1000L); + appendNonNull(builder, roleGrant.getGrantorName()); } return builder.toString(); } - static String writeHiveRoleInfo(List roles, boolean testMode) { + static String writeRolesGrantedInfo(List roles, boolean testMode) { if (roles == null || roles.isEmpty()) { return ""; } StringBuilder builder = new StringBuilder(); //sort the list to get sorted (deterministic) output (for ease of testing) Collections.sort(roles); - for (HiveRole role : roles) { + for (HiveRoleGrant role : roles) { appendNonNull(builder, role.getRoleName(), true); - appendNonNull(builder, testMode ? -1 : role.getCreateTime() * 1000L); - appendNonNull(builder, role.getPrincipalName()); - appendNonNull(builder, role.getPrincipalType()); appendNonNull(builder, role.isGrantOption()); appendNonNull(builder, testMode ? 
-1 : role.getGrantTime() * 1000L); appendNonNull(builder, role.getGrantor()); diff --git ql/src/java/org/apache/hadoop/hive/ql/metadata/Hive.java ql/src/java/org/apache/hadoop/hive/ql/metadata/Hive.java index ace6cb5..5d5fa78 100644 --- ql/src/java/org/apache/hadoop/hive/ql/metadata/Hive.java +++ ql/src/java/org/apache/hadoop/hive/ql/metadata/Hive.java @@ -73,6 +73,8 @@ import org.apache.hadoop.hive.metastore.api.FieldSchema; import org.apache.hadoop.hive.metastore.api.Function; import org.apache.hadoop.hive.metastore.api.GetOpenTxnsInfoResponse; +import org.apache.hadoop.hive.metastore.api.GetRoleGrantsForPrincipalRequest; +import org.apache.hadoop.hive.metastore.api.GetRoleGrantsForPrincipalResponse; import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege; import org.apache.hadoop.hive.metastore.api.HiveObjectRef; import org.apache.hadoop.hive.metastore.api.HiveObjectType; @@ -85,6 +87,7 @@ import org.apache.hadoop.hive.metastore.api.PrincipalType; import org.apache.hadoop.hive.metastore.api.PrivilegeBag; import org.apache.hadoop.hive.metastore.api.Role; +import org.apache.hadoop.hive.metastore.api.RolePrincipalGrant; import org.apache.hadoop.hive.metastore.api.SerDeInfo; import org.apache.hadoop.hive.metastore.api.ShowCompactResponse; import org.apache.hadoop.hive.metastore.api.SkewedInfo; 
@@ -2013,14 +2016,17 @@ public void dropRole(String roleName) throws HiveException { } } - public List showRoleGrant(String principalName, PrincipalType principalType) throws HiveException { + public List getRoleGrantInfoForPrincipal(String principalName, PrincipalType principalType) throws HiveException { try { - return getMSC().list_roles(principalName, principalType); + GetRoleGrantsForPrincipalRequest req = new GetRoleGrantsForPrincipalRequest(principalName, principalType); + GetRoleGrantsForPrincipalResponse resp = getMSC().get_role_grants_for_principal(req); + return resp.getPrincipalGrants(); } catch (Exception e) { throw new HiveException(e); } } + public boolean grantRole(String roleName, String userName, PrincipalType principalType, String grantor, PrincipalType grantorType, boolean grantOption) throws HiveException { diff --git ql/src/java/org/apache/hadoop/hive/ql/plan/RoleDDLDesc.java ql/src/java/org/apache/hadoop/hive/ql/plan/RoleDDLDesc.java index bc9d47e..b4da3d1 100644 --- ql/src/java/org/apache/hadoop/hive/ql/plan/RoleDDLDesc.java +++ ql/src/java/org/apache/hadoop/hive/ql/plan/RoleDDLDesc.java @@ -48,8 +48,8 @@ * thrift ddl for the result of show role grant principalName */ private static final String roleShowGrantSchema = - "role,create_time,principal_name,principal_type,grant_option,grant_time,grantor#" + - "string:bigint:string:string:boolean:bigint:string"; + "role,grant_option,grant_time,grantor#" + + "string:boolean:bigint:string"; /** * thrift ddl for the result of describe role roleName diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java index 50bd592..0e65fa2 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java 
@@ -45,9 +45,6 @@ void createRole(String roleName, HivePrincipal adminGrantor) void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException; - List getRoles(HivePrincipal hivePrincipal) - throws HiveAuthzPluginException, HiveAccessControlException; - void grantRole(List hivePrincipals, List roles, boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException; @@ -64,7 +61,11 @@ void revokeRole(List hivePrincipals, List roles, boolean void setCurrentRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException; - List getCurrentRoles() throws HiveAuthzPluginException; + List getCurrentRoleNames() throws HiveAuthzPluginException; + + List getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, + HiveAccessControlException; - List getPrincipalsInRoleInfo(String roleName) throws HiveAuthzPluginException, HiveAccessControlException; + List getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, + HiveAccessControlException; } diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java index 48064c4..3a2825d 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java 
@@ -93,27 +93,26 @@ void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException; /** - * Get roles that this user/role belongs to - * @param hivePrincipal - user or role - * @return list of roles + * Get the grant information for principals granted the given role + * @param roleName + * @return * @throws HiveAuthzPluginException * @throws HiveAccessControlException */ - List getRoles(HivePrincipal hivePrincipal) + List getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException; /** - * Get the grant information for principals granted the given role - * @param roleName + * Get the grant information of roles the given principal belongs to + * @param principal * @return * @throws HiveAuthzPluginException * @throws HiveAccessControlException */ - List getPrincipalsInRoleInfo(String roleName) + List getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, HiveAccessControlException; - /** * Grant roles in given roles list to principals in given hivePrincipals list * @param hivePrincipals @@ -174,9 +173,7 @@ void checkPrivileges(HiveOperationType hiveOpType, List inp void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException; - List getCurrentRoles() throws HiveAuthzPluginException; + List getCurrentRoleNames() throws HiveAuthzPluginException; - //other functions to be added - - //showUsersInRole(rolename) } diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java index 2577ae5..b1bdb67 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java 
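Review bot: The Javadoc for `getRoleGrantInfoForPrincipal` and `getPrincipalGrantInfoForRole` leaves `@param`, `@return` and both `@throws` tags empty, and `getCurrentRoleNames` has no Javadoc at all. Since this interface is the contract that authorization plugins implement, I would state what is returned and when access is refused, for example `@return one HiveRoleGrant per role granted to the principal` and `@throws HiveAccessControlException if the current user is not allowed to view these grants` (the second is my reading of the exception name; confirm against the implementations). It would also help to say whether `getCurrentRoleNames` may return null or an empty list, because DDLTask passes the result straight to `writeListToFileAfterSort`.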
@@ -66,11 +66,6 @@ public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAcces } @Override - public List getRoles(HivePrincipal hivePrincipal) throws HiveAuthzPluginException, HiveAccessControlException { - return accessController.getRoles(hivePrincipal); - } - - @Override public void grantRole(List hivePrincipals, List roles, boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException { accessController.grantRole(hivePrincipals, roles, grantOption, grantorPrinc); @@ -110,13 +105,19 @@ public void setCurrentRole(String roleName) throws HiveAccessControlException, H } @Override - public List getCurrentRoles() throws HiveAuthzPluginException { - return accessController.getCurrentRoles(); + public List getCurrentRoleNames() throws HiveAuthzPluginException { + return accessController.getCurrentRoleNames(); + } + + @Override + public List getPrincipalGrantInfoForRole(String roleName) + throws HiveAuthzPluginException, HiveAccessControlException { + return accessController.getPrincipalGrantInfoForRole(roleName); } @Override - public List getPrincipalsInRoleInfo(String roleName) + public List getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, HiveAccessControlException { - return accessController.getPrincipalsInRoleInfo(roleName); + return accessController.getRoleGrantInfoForPrincipal(principal); } } diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRole.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRole.java deleted file mode 100644 index 7f3d78a..0000000 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRole.java +++ /dev/null 
@@ -1,134 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.hive.ql.security.authorization.plugin; - -import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate; -import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving; -import org.apache.hadoop.hive.metastore.api.Role; - -import com.google.common.collect.ComparisonChain; - -// same with thrift.Role -@LimitedPrivate(value = { "" }) -@Evolving -public class HiveRole implements Comparable { - - private String roleName; - private int createTime; - private String ownerName; - private String principalName; - private String principalType; - private boolean grantOption; - private int grantTime; - private String grantor; - - public HiveRole() {} - - public HiveRole(Role role) { - roleName = role.getRoleName(); - createTime = role.getCreateTime(); - ownerName = role.getOwnerName(); - principalName = role.getPrincipalName(); - principalType = role.getPrincipalType(); - grantOption = role.isGrantOption(); - grantTime = role.getGrantTime(); - grantor = role.getGrantor(); - } - - public String getRoleName() { - return roleName; - } - - public void setRoleName(String roleName) { - 
this.roleName = roleName; - } - - public int getCreateTime() { - return createTime; - } - - public void setCreateTime(int createTime) { - this.createTime = createTime; - } - - public String getOwnerName() { - return ownerName; - } - - public void setOwnerName(String ownerName) { - this.ownerName = ownerName; - } - - public String getPrincipalName() { - return principalName; - } - - public void setPrincipalName(String principalName) { - this.principalName = principalName; - } - - public String getPrincipalType() { - return principalType; - } - - public void setPrincipalType(String principalType) { - this.principalType = principalType; - } - - public boolean isGrantOption() { - return grantOption; - } - - public void setGrantOption(boolean grantOption) { - this.grantOption = grantOption; - } - - public int getGrantTime() { - return grantTime; - } - - public void setGrantTime(int grantTime) { - this.grantTime = grantTime; - } - - public String getGrantor() { - return grantor; - } - - public void setGrantor(String grantor) { - this.grantor = grantor; - } - - @Override - public int compareTo(HiveRole other) { - if(other == null){ - return 1; - } - return ComparisonChain.start().compare(roleName, other.roleName) - .compare(createTime, other.createTime) - .compare(principalName, other.principalName) - .compare(principalType, other.principalType) - .compare(grantOption, other.grantOption) - .compare(grantTime, other.grantTime) - .compare(grantor, other.grantor) - .result(); - - } - - -} diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRoleGrant.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRoleGrant.java index 03f129a..ce07f32 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRoleGrant.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRoleGrant.java 
@@ -47,7 +47,8 @@ public HiveRoleGrant(RolePrincipalGrant thriftRoleGrant) { this.grantOption = thriftRoleGrant.isGrantOption(); this.grantTime = thriftRoleGrant.getGrantTime(); this.grantor = thriftRoleGrant.getGrantorName(); - this.grantorType = thriftRoleGrant.getGrantorPrincipalType().name(); + this.grantorType = thriftRoleGrant.getGrantorPrincipalType() == null ? null : + thriftRoleGrant.getGrantorPrincipalType().name(); } diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java index fdbf3c3..f99109b 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java @@ -27,7 +27,6 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRole; /** * Utility class to authorize grant/revoke privileges @@ -36,7 +35,7 @@ static void authorize(List hivePrincipals, List hivePrivileges, HivePrivilegeObject hivePrivObject, boolean grantOption, IMetaStoreClient metastoreClient, - String userName, List curRoles, boolean isAdmin) + String userName, List curRoles, boolean isAdmin) throws HiveAuthzPluginException, HiveAccessControlException { // check if this user has grant privileges for this privileges on this 
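Review bot: Only `grantorType` gets a null guard in the `HiveRoleGrant` constructor, but the grantor name can be null too: the metastore hunk in this commit builds the implicit PUBLIC grant with `null, null` for grantor and grantor type. `DDLTask.writeRolesGrantedInfo` calls `Collections.sort(roles)` on these objects, so `HiveRoleGrant.compareTo` (outside this hunk) needs to be null-safe for both fields. The deleted `HiveRole.compareTo` used `ComparisonChain.compare` on strings, which throws on null, so check whether `HiveRoleGrant` follows the same pattern. A short comment on the constructor, e.g. `// grantor and grantorType are null for the implicit PUBLIC grant`, would document the case for later readers.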
@@ -51,7 +50,7 @@ static void authorize(List hivePrincipals, List hi private static void checkRequiredPrivileges( RequiredPrivileges reqPrivileges, HivePrivilegeObject hivePrivObject, - IMetaStoreClient metastoreClient, String userName, List curRoles, boolean isAdmin) + IMetaStoreClient metastoreClient, String userName, List curRoles, boolean isAdmin) throws HiveAuthzPluginException, HiveAccessControlException { // keep track of the principals on which privileges have been checked for diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java index 03d12ca..95da54a 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java @@ -54,7 +54,6 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRole; import org.apache.thrift.TException; public class SQLAuthorizationUtils { @@ -176,7 +175,7 @@ public static void validatePrivileges(List hivePrivileges) throws * @throws HiveAuthzPluginException */ static RequiredPrivileges getPrivilegesFromMetaStore(IMetaStoreClient metastoreClient, - String userName, HivePrivilegeObject hivePrivObject, List curRoles, boolean isAdmin) + String userName, HivePrivilegeObject hivePrivObject, List curRoles, boolean isAdmin) throws HiveAuthzPluginException { // get privileges for this user and its role on this object 
@@ -215,7 +214,7 @@ static RequiredPrivileges getPrivilegesFromMetaStore(IMetaStoreClient metastoreC * @return */ private static void filterPrivsByCurrentRoles(PrincipalPrivilegeSet thriftPrivs, - List curRoles) { + List curRoles) { // check if there are privileges to be filtered if(thriftPrivs == null || thriftPrivs.getRolePrivileges() == null || thriftPrivs.getRolePrivilegesSize() == 0 @@ -226,11 +225,10 @@ private static void filterPrivsByCurrentRoles(PrincipalPrivilegeSet thriftPrivs, // add the privs for roles in curRoles to new role-to-priv map Map> filteredRolePrivs = new HashMap>(); - for(HiveRole role : curRoles){ - String roleName = role.getRoleName(); - List privs = thriftPrivs.getRolePrivileges().get(roleName); + for(String role : curRoles){ + List privs = thriftPrivs.getRolePrivileges().get(role); if(privs != null){ - filteredRolePrivs.put(roleName, privs); + filteredRolePrivs.put(role, privs); } } thriftPrivs.setRolePrivileges(filteredRolePrivs); diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java index 5b24578..22a2ec8 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java 
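Review bot: The lookup `thriftPrivs.getRolePrivileges().get(role)` in filterPrivsByCurrentRoles is an exact-case map lookup, while the access controller in this same commit compares role names with `equalsIgnoreCase` (setCurrentRole, isUserAdmin, doesUserHasAdminOption). If a name in `curRoles` ever differs in case from the key the metastore returns, that role's privileges are dropped silently; this fails closed, but it surfaces as an unexplained authorization denial. Now that `curRoles` is a plain list of strings, the Javadoc should state the expectation, for example `@param curRoles role names exactly as stored in the metastore (lookup is case-sensitive)`, or the names should be normalised in one place before the lookup. The method starts in the first hunk on this line and part of its body lies between the two hunks.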
@@ -30,6 +30,8 @@ import org.apache.hadoop.hive.metastore.IMetaStoreClient; import org.apache.hadoop.hive.metastore.api.GetPrincipalsInRoleRequest; import org.apache.hadoop.hive.metastore.api.GetPrincipalsInRoleResponse; +import org.apache.hadoop.hive.metastore.api.GetRoleGrantsForPrincipalRequest; +import org.apache.hadoop.hive.metastore.api.GetRoleGrantsForPrincipalResponse; import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege; import org.apache.hadoop.hive.metastore.api.HiveObjectRef; import org.apache.hadoop.hive.metastore.api.HiveObjectType; @@ -50,7 +52,6 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRole; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant; import org.apache.thrift.TException; @@ -69,8 +70,8 @@ private final HiveMetastoreClientFactory metastoreClientFactory; private final HiveAuthenticationProvider authenticator; private String currentUserName; - private List currentRoles; - private HiveRole adminRole; + private List currentRoles; + private HiveRoleGrant adminRole; private final String ADMIN_ONLY_MSG = "User has to belong to ADMIN role and " + "have it as current role, for this action."; private final String HAS_ADMIN_PRIV_MSG = "grantor need to have ADMIN privileges on role being" 
@@ -100,15 +101,13 @@ private void initUserRoles() throws HiveAuthzPluginException { this.currentRoles = getRolesFromMS(); } - private List getRolesFromMS() throws HiveAuthzPluginException { - List roles; + private List getRolesFromMS() throws HiveAuthzPluginException { try { - roles = metastoreClientFactory.getHiveMetastoreClient().list_roles(currentUserName, - PrincipalType.USER); - Map name2Rolesmap = new HashMap(); + List roles = getRoleGrants(currentUserName, PrincipalType.USER); + Map name2Rolesmap = new HashMap(); getAllRoleAncestors(name2Rolesmap, roles); - List currentRoles = new ArrayList(roles.size()); - for (HiveRole role : name2Rolesmap.values()) { + List currentRoles = new ArrayList(roles.size()); + for (HiveRoleGrant role : name2Rolesmap.values()) { if (!HiveMetaStore.ADMIN.equalsIgnoreCase(role.getRoleName())) { currentRoles.add(role); } else { 
@@ -122,25 +121,33 @@ private void initUserRoles() throws HiveAuthzPluginException { } } + private List getRoleGrants(String principalName, PrincipalType principalType) + throws MetaException, TException, HiveAuthzPluginException { + GetRoleGrantsForPrincipalRequest req = new GetRoleGrantsForPrincipalRequest(principalName, principalType); + IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient(); + GetRoleGrantsForPrincipalResponse resp = metastoreClient.get_role_grants_for_principal(req); + return resp.getPrincipalGrants(); + } + /** * Add role names of parentRoles and its parents to processedRolesMap * * @param processedRolesMap - * @param parentRoles + * @param roleGrants * @throws TException * @throws HiveAuthzPluginException * @throws MetaException */ - private void getAllRoleAncestors(Map processedRolesMap, List parentRoles) + private void getAllRoleAncestors(Map processedRolesMap, List roleGrants) throws MetaException, HiveAuthzPluginException, TException { - for (Role parentRole : parentRoles) { - String parentRoleName = parentRole.getRoleName(); + for (RolePrincipalGrant parentRoleGrant : roleGrants) { + String parentRoleName = parentRoleGrant.getRoleName(); if (processedRolesMap.get(parentRoleName) == null) { // unprocessed role: get its parents, add it to processed, and call this // function recursively - List nextParentRoles = metastoreClientFactory.getHiveMetastoreClient().list_roles( - parentRoleName, PrincipalType.ROLE); - processedRolesMap.put(parentRoleName, new HiveRole(parentRole)); + + List nextParentRoles = getRoleGrants(parentRoleName, PrincipalType.ROLE); + processedRolesMap.put(parentRoleName, new HiveRoleGrant(parentRoleGrant)); getAllRoleAncestors(processedRolesMap, nextParentRoles); } } 
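Review bot: getAllRoleAncestors keeps only the first grant it meets for each role name (`if (processedRolesMap.get(parentRoleName) == null)`), so when a role reaches the user by more than one path, the stored HiveRoleGrant and its grant option depend on the order of the lists the metastore returns. doesUserHasAdminOption later reads `isGrantOption()` from these objects, so the admin-option decision can vary with that order. The stored grant for an ancestor also describes the role-to-role grant rather than a grant to the user. Make the rule for which grant wins explicit, and at minimum document it at the `put`, e.g. `// first grant seen for a role wins; grant option of later paths is ignored`. Separately, getRoleGrants returns `resp.getPrincipalGrants()` unchecked, which relies on the `required` marker in the thrift struct and deserves a one-line comment saying so.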
@@ -157,7 +164,7 @@ public void grantPrivileges(List hivePrincipals, IMetaStoreClient metastoreClient = metastoreClientFactory.getHiveMetastoreClient(); // authorize the grant GrantPrivAuthUtils.authorize(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, - metastoreClient, authenticator.getUserName(), getCurrentRoles(), isUserAdmin()); + metastoreClient, authenticator.getUserName(), getCurrentRoleNames(), isUserAdmin()); // grant PrivilegeBag privBag = SQLAuthorizationUtils.getThriftPrivilegesBag(hivePrincipals, hivePrivileges, hivePrivObject, @@ -169,6 +176,15 @@ public void grantPrivileges(List hivePrincipals, } } + @Override + public List getCurrentRoleNames() throws HiveAuthzPluginException { + List roleNames = new ArrayList(); + for(HiveRoleGrant role : getCurrentRoles()){ + roleNames.add(role.getRoleName()); + } + return roleNames; + } + private List expandAndValidatePrivileges(List hivePrivileges) throws HiveAuthzPluginException { // expand ALL privileges, if any @@ -256,22 +272,6 @@ public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAcces } @Override - public List getRoles(HivePrincipal hivePrincipal) throws HiveAuthzPluginException { - try { - List roles = metastoreClientFactory.getHiveMetastoreClient().list_roles( - hivePrincipal.getName(), AuthorizationUtils.getThriftPrincipalType(hivePrincipal.getType())); - List hiveRoles = new ArrayList(roles.size()); - for (Role role : roles){ - hiveRoles.add(new HiveRole(role)); - } - return hiveRoles; - } catch (Exception e) { - throw new HiveAuthzPluginException("Error listing roles for user " - + hivePrincipal.getName() + ": " + e.getMessage(), e); - } - } - - @Override public void grantRole(List hivePrincipals, List roleNames, boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException { 
@@ -342,7 +342,7 @@ public void revokeRole(List hivePrincipals, List roleName @Override - public List getPrincipalsInRoleInfo(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { + public List getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { // only user belonging to admin role can list role if (!isUserAdmin()) { throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" @@ -437,7 +437,7 @@ public void setCurrentRole(String roleName) throws HiveAccessControlException, currentRoles.addAll(getRolesFromMS()); return; } - for (HiveRole role : getRolesFromMS()) { + for (HiveRoleGrant role : getRolesFromMS()) { // set to one of the roles user belongs to. if (role.getRoleName().equalsIgnoreCase(roleName)) { currentRoles.clear(); @@ -456,8 +456,7 @@ public void setCurrentRole(String roleName) throws HiveAccessControlException, +roleName); } - @Override - public List getCurrentRoles() throws HiveAuthzPluginException { + public List getCurrentRoles() throws HiveAuthzPluginException { initUserRoles(); return currentRoles; } @@ -467,13 +466,13 @@ public void setCurrentRole(String roleName) throws HiveAccessControlException, * @throws HiveAuthzPluginException */ boolean isUserAdmin() throws HiveAuthzPluginException { - List roles; + List roles; try { roles = getCurrentRoles(); } catch (Exception e) { throw new HiveAuthzPluginException(e); } - for (HiveRole role : roles) { + for (HiveRoleGrant role : roles) { if (role.getRoleName().equalsIgnoreCase(HiveMetaStore.ADMIN)) { return true; } @@ -482,7 +481,7 @@ boolean isUserAdmin() throws HiveAuthzPluginException { } private boolean doesUserHasAdminOption(List roleNames) throws HiveAuthzPluginException { - List currentRoles; + List currentRoles; try { currentRoles = getCurrentRoles(); } catch (Exception e) { 
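Review bot: getCurrentRoles loses `@Override` in this change but stays `public` and still returns the internal `currentRoles` list, which setCurrentRole mutates in place with `clear()` and `addAll(...)`. Any caller that keeps or modifies the returned list shares the session's authorization state. If nothing outside the class needs the method any more (not visible from this hunk), narrow it to private or package-private; otherwise return a copy, `return new ArrayList<HiveRoleGrant>(currentRoles);`, since the callers visible here only iterate over the result. A short Javadoc stating that every call runs `initUserRoles()` first would also help, because isUserAdmin and doesUserHasAdminOption both go through it.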
@@ -490,7 +489,7 @@ private boolean doesUserHasAdminOption(List roleNames) throws HiveAuthzP } for (String roleName : roleNames) { boolean roleFound = false; - for (HiveRole currentRole : currentRoles) { + for (HiveRoleGrant currentRole : currentRoles) { if (roleName.equalsIgnoreCase(currentRole.getRoleName())) { roleFound = true; if (!currentRole.isGrantOption()) { @@ -507,4 +506,21 @@ private boolean doesUserHasAdminOption(List roleNames) throws HiveAuthzP return true; } + @Override + public List getRoleGrantInfoForPrincipal(HivePrincipal principal) + throws HiveAuthzPluginException, HiveAccessControlException { + try { + List roleGrants = getRoleGrants(principal.getName(), + AuthorizationUtils.getThriftPrincipalType(principal.getType())); + List hiveRoleGrants = new ArrayList(roleGrants.size()); + for (RolePrincipalGrant roleGrant : roleGrants) { + hiveRoleGrants.add(new HiveRoleGrant(roleGrant)); + } + return hiveRoleGrants; + } catch (Exception e) { + throw new HiveAuthzPluginException("Error getting role grant information for user " + + principal.getName() + ": " + e.getMessage(), e); + } + } + } diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java index 7bb5a88..2496282 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java @@ -100,7 +100,7 @@ private void checkPrivileges(SQLPrivTypeGrant[] reqPrivs, List missingPriv = requiredInpPrivs.findMissingPrivs(availPrivs); SQLAuthorizationUtils.assertNoMissingPrivilege(missingPriv, new HivePrincipal(userName, 
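Review bot: The added getRoleGrantInfoForPrincipal performs no authorization check before returning another principal's role grants, although it declares `HiveAccessControlException` and the sibling getPrincipalGrantInfoForRole rejects callers for whom `isUserAdmin()` is false. It replaces getRoles, which had no check either, so this may be intended; if so, say it in a comment and drop the unused exception from the signature. If not, add a check before the `try` (the broad `catch (Exception e)` would otherwise rewrap the denial), along the lines of `if (!isUserAdmin() && !principal.getName().equals(currentUserName)) throw new HiveAccessControlException(...)`. The error text also says "for user" although `principal` may be a role.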
diff --git ql/src/test/queries/clientpositive/authorization_role_grant2.q ql/src/test/queries/clientpositive/authorization_role_grant2.q index 00a67a2..b3858c7 100644 --- ql/src/test/queries/clientpositive/authorization_role_grant2.q +++ ql/src/test/queries/clientpositive/authorization_role_grant2.q @@ -2,6 +2,7 @@ set hive.users.in.admin.role=hive_admin_user; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set hive.cli.print.header=true; set user.name=hive_admin_user; set role ADMIN; diff --git ql/src/test/results/clientnegative/authorization_fail_7.q.out ql/src/test/results/clientnegative/authorization_fail_7.q.out index 00e457d..ffff69d 100644 --- ql/src/test/results/clientnegative/authorization_fail_7.q.out +++ ql/src/test/results/clientnegative/authorization_fail_7.q.out @@ -27,8 +27,8 @@ PREHOOK: query: show role grant user hive_test_user PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user hive_test_user POSTHOOK: type: SHOW_ROLE_GRANT -PUBLIC -1 false -1 -hive_test_role_fail -1 hive_test_user USER false -1 hive_test_user +PUBLIC false -1 +hive_test_role_fail false -1 hive_test_user PREHOOK: query: show grant role hive_test_role_fail on table authorization_fail PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant role hive_test_role_fail on table authorization_fail diff --git ql/src/test/results/clientnegative/authorization_role_grant.q.out ql/src/test/results/clientnegative/authorization_role_grant.q.out index de17ae9..0f88444 100644 --- ql/src/test/results/clientnegative/authorization_role_grant.q.out +++ ql/src/test/results/clientnegative/authorization_role_grant.q.out 
@@ -32,9 +32,9 @@ PREHOOK: query: show role grant user user2 PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user2 POSTHOOK: type: SHOW_ROLE_GRANT -PUBLIC -1 false -1 -role_noadmin -1 user2 USER false -1 hive_admin_user -src_role_wadmin -1 user2 USER true -1 hive_admin_user +PUBLIC false -1 +role_noadmin false -1 hive_admin_user +src_role_wadmin true -1 hive_admin_user PREHOOK: query: set role role_noadmin PREHOOK: type: SHOW_ROLES POSTHOOK: query: set role role_noadmin diff --git ql/src/test/results/clientpositive/authorization_1.q.out ql/src/test/results/clientpositive/authorization_1.q.out index 916125b..1c52151 100644 --- ql/src/test/results/clientpositive/authorization_1.q.out +++ ql/src/test/results/clientpositive/authorization_1.q.out @@ -267,8 +267,8 @@ PREHOOK: query: show role grant user hive_test_user PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user hive_test_user POSTHOOK: type: SHOW_ROLE_GRANT -src_role -1 hive_test_user USER false -1 hive_test_user -PUBLIC -1 false -1 +PUBLIC false -1 +src_role false -1 hive_test_user PREHOOK: query: --column grant to role grant select(key) on table src_autho_test to role src_role diff --git ql/src/test/results/clientpositive/authorization_1_sql_std.q.out ql/src/test/results/clientpositive/authorization_1_sql_std.q.out index 2302da0..3e39801 100644 --- ql/src/test/results/clientpositive/authorization_1_sql_std.q.out +++ ql/src/test/results/clientpositive/authorization_1_sql_std.q.out @@ -48,8 +48,8 @@ PREHOOK: query: show role grant user user_sauth PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user_sauth POSTHOOK: type: SHOW_ROLE_GRANT -PUBLIC -1 false -1 -src_role -1 user_sauth USER false -1 hive_admin_user +PUBLIC false -1 +src_role false -1 hive_admin_user PREHOOK: query: --table grant to role grant select on table src_autho_test to role src_role 
diff --git ql/src/test/results/clientpositive/authorization_5.q.out ql/src/test/results/clientpositive/authorization_5.q.out index f1c07d0..3353adf 100644 --- ql/src/test/results/clientpositive/authorization_5.q.out +++ ql/src/test/results/clientpositive/authorization_5.q.out @@ -38,8 +38,8 @@ PREHOOK: query: SHOW ROLE GRANT USER hive_test_user PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: SHOW ROLE GRANT USER hive_test_user POSTHOOK: type: SHOW_ROLE_GRANT -db_test_role -1 hive_test_user USER false -1 hive_test_user -PUBLIC -1 false -1 +PUBLIC false -1 +db_test_role false -1 hive_test_user PREHOOK: query: GRANT drop ON DATABASE test_db TO ROLE db_test_role PREHOOK: type: GRANT_PRIVILEGE POSTHOOK: query: GRANT drop ON DATABASE test_db TO ROLE db_test_role diff --git ql/src/test/results/clientpositive/authorization_role_grant1.q.out ql/src/test/results/clientpositive/authorization_role_grant1.q.out index 48e0f59..305dd9d 100644 --- ql/src/test/results/clientpositive/authorization_role_grant1.q.out +++ ql/src/test/results/clientpositive/authorization_role_grant1.q.out @@ -18,8 +18,8 @@ PREHOOK: query: show role grant user user2 PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user2 POSTHOOK: type: SHOW_ROLE_GRANT -PUBLIC -1 false -1 -src_role2 -1 user2 USER false -1 hive_admin_user +PUBLIC false -1 +src_role2 false -1 hive_admin_user PREHOOK: query: show roles PREHOOK: type: SHOW_ROLES POSTHOOK: query: show roles @@ -38,7 +38,7 @@ PREHOOK: query: show role grant user user2 PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user2 POSTHOOK: type: SHOW_ROLE_GRANT -PUBLIC -1 false -1 +PUBLIC false -1 PREHOOK: query: show roles PREHOOK: type: SHOW_ROLES POSTHOOK: query: show roles 
@@ -67,8 +67,8 @@ PREHOOK: query: show role grant user user2 PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user2 POSTHOOK: type: SHOW_ROLE_GRANT -PUBLIC -1 false -1 -src_role_wadmin -1 user2 USER true -1 hive_admin_user +PUBLIC false -1 +src_role_wadmin true -1 hive_admin_user PREHOOK: query: -- revoke role without role keyword revoke src_role_wadmin from user user2 PREHOOK: type: REVOKE_ROLE @@ -79,7 +79,7 @@ PREHOOK: query: show role grant user user2 PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user2 POSTHOOK: type: SHOW_ROLE_GRANT -PUBLIC -1 false -1 +PUBLIC false -1 PREHOOK: query: -- drop roles show roles PREHOOK: type: SHOW_ROLES diff --git ql/src/test/results/clientpositive/authorization_role_grant2.q.out ql/src/test/results/clientpositive/authorization_role_grant2.q.out index d08b906..f294311 100644 --- ql/src/test/results/clientpositive/authorization_role_grant2.q.out +++ ql/src/test/results/clientpositive/authorization_role_grant2.q.out @@ -22,12 +22,14 @@ PREHOOK: query: show role grant user user2 PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user2 POSTHOOK: type: SHOW_ROLE_GRANT -PUBLIC -1 false -1 -src_role_wadmin -1 user2 USER true -1 hive_admin_user +role grant_option grant_time grantor +PUBLIC false -1 +src_role_wadmin true -1 hive_admin_user PREHOOK: query: show principals src_role_wadmin PREHOOK: type: SHOW_ROLE_PRINCIPALS POSTHOOK: query: show principals src_role_wadmin POSTHOOK: type: SHOW_ROLE_PRINCIPALS +principal_name principal_type grant_option grantor grantor_type grant_time user2 USER true hive_admin_user USER -1 PREHOOK: query: set role src_role_wadmin PREHOOK: type: SHOW_ROLES 
@@ -41,8 +43,9 @@ PREHOOK: query: show role grant user user3 PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user3 POSTHOOK: type: SHOW_ROLE_GRANT -PUBLIC -1 false -1 -src_role_wadmin -1 user3 USER false -1 user2 +role grant_option grant_time grantor +PUBLIC false -1 +src_role_wadmin false -1 user2 PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES POSTHOOK: query: set role ADMIN @@ -51,6 +54,7 @@ PREHOOK: query: show principals src_role_wadmin PREHOOK: type: SHOW_ROLE_PRINCIPALS POSTHOOK: query: show principals src_role_wadmin POSTHOOK: type: SHOW_ROLE_PRINCIPALS +principal_name principal_type grant_option grantor grantor_type grant_time user2 USER true hive_admin_user USER -1 user3 USER false user2 USER -1 PREHOOK: query: set role src_role_wadmin @@ -65,7 +69,8 @@ PREHOOK: query: show role grant user user3 PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user3 POSTHOOK: type: SHOW_ROLE_GRANT -PUBLIC -1 false -1 +role grant_option grant_time grantor +PUBLIC false -1 PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES POSTHOOK: query: set role ADMIN @@ -74,4 +79,5 @@ PREHOOK: query: show principals src_role_wadmin PREHOOK: type: SHOW_ROLE_PRINCIPALS POSTHOOK: query: show principals src_role_wadmin POSTHOOK: type: SHOW_ROLE_PRINCIPALS +principal_name principal_type grant_option grantor grantor_type grant_time user2 USER true hive_admin_user USER -1 diff --git ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out index 0a986e6..b431c35 100644 --- ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out +++ ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out 
@@ -173,8 +173,8 @@ PREHOOK: query: show role grant user user4 PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user4 POSTHOOK: type: SHOW_ROLE_GRANT -PUBLIC -1 false -1 -role_v -1 user4 USER false -1 hive_admin_user +PUBLIC false -1 +role_v false -1 hive_admin_user PREHOOK: query: show roles PREHOOK: type: SHOW_ROLES POSTHOOK: query: show roles