diff --git a/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java b/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
index 78f1a8f..93eccf8 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
@@ -387,7 +387,7 @@ private void setupAuth() {
 authorizerV2 = authorizerFactory.createHiveAuthorizer(new HiveMetastoreClientFactoryImpl(), getConf(), authenticator);
 // grant all privileges for table to its owner
- getConf().setVar(ConfVars.HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS, "insert,select,update,delete");
+ getConf().setVar(ConfVars.HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS, "INSERT,SELECT,UPDATE,DELETE");
 String hooks = getConf().getVar(ConfVars.PREEXECHOOKS).trim();
 if (hooks.isEmpty()) {
 hooks = DisallowTransformHook.class.getName();
diff --git a/ql/src/test/queries/clientnegative/authorization_grant_table_dup.q b/ql/src/test/queries/clientnegative/authorization_grant_table_dup.q
new file mode 100644
index 0000000..8025660
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_grant_table_dup.q
@@ -0,0 +1,16 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+
+set user.name=user1;
+-- current user has been set (comment line before the set cmd is resulting in parse error!!)
+
+CREATE TABLE tauth_gdup(i int);
+
+-- It should be possible to revert owners privileges
+revoke SELECT ON tauth_gdup from user user1;
+
+show grant user user1 on table tauth_gdup;
+
+-- Owner already has all privileges granted, another grant would become duplicate
+-- and result in error
+GRANT INSERT ON tauth_gdup TO USER user1;
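Review bot: The case of the privilege list passed to `HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS` in setupAuth() is now load-bearing for authorization, and nothing on the line says so. Judging by the new test output, grant and revoke match privilege names as they are stored (upper-case), so a later edit back to lower-case would presumably leave owner grants unrevokable and undetected as duplicates again. I would add a comment such as `// names must be upper-case: GRANT/REVOKE match owner grants by the stored privilege name`, or better, make the comparison case-insensitive at the point where the names are matched. Tables created before this change may still carry lower-case owner grants in the metastore; the commit shows no migration, so that is worth confirming. setupAuth() starts and ends outside the hunk.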
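Review bot: The new negative test in authorization_grant_table_dup.q checks the revoke only through `show grant` metadata; it never confirms that user1 is actually denied SELECT afterwards. A clientnegative script appears to stop at the first failing statement, so that check needs its own script, with the same setup followed by `select * from tauth_gdup;` as the statement expected to fail. The comment `-- Owner already has all privileges granted` is also inaccurate at that point, since SELECT was revoked two statements earlier; `-- Owner still holds INSERT, so a second grant is a duplicate and must fail` would match what the script does.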
diff --git a/ql/src/test/results/clientnegative/authorization_grant_table_dup.q.out b/ql/src/test/results/clientnegative/authorization_grant_table_dup.q.out new file mode 100644 index 0000000..52defe6 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_grant_table_dup.q.out @@ -0,0 +1,32 @@ +PREHOOK: query: -- current user has been set (comment line before the set cmd is resulting in parse error!!) + +CREATE TABLE tauth_gdup(i int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +POSTHOOK: query: -- current user has been set (comment line before the set cmd is resulting in parse error!!) + +CREATE TABLE tauth_gdup(i int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@tauth_gdup +#### A masked pattern was here #### +revoke SELECT ON tauth_gdup from user user1 +PREHOOK: type: REVOKE_PRIVILEGE +PREHOOK: Output: default@tauth_gdup +#### A masked pattern was here #### +revoke SELECT ON tauth_gdup from user user1 +POSTHOOK: type: REVOKE_PRIVILEGE +POSTHOOK: Output: default@tauth_gdup +PREHOOK: query: show grant user user1 on table tauth_gdup +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user user1 on table tauth_gdup +POSTHOOK: type: SHOW_GRANT +default tauth_gdup user1 USER DELETE true -1 user1 +default tauth_gdup user1 USER INSERT true -1 user1 +default tauth_gdup user1 USER UPDATE true -1 user1 +#### A masked pattern was here #### +-- and result in error +GRANT INSERT ON tauth_gdup TO USER user1 +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@tauth_gdup +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error granting privileges: InvalidObjectException(message:INSERT is already granted on table [default,tauth_gdup] by user1)