diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java
index a73a5e0..28e3c2b 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java
@@ -1974,6 +1974,8 @@ private void analyzeDescribeTable(ASTNode ast) throws SemanticException {
       descTblDesc.setExt(descOptions == HiveParser.KW_EXTENDED);
       descTblDesc.setPretty(descOptions == HiveParser.KW_PRETTY);
     }
+
+    inputs.add(new ReadEntity(getTable(dbName, tableName, true)));
     rootTasks.add(TaskFactory.get(new DDLWork(getInputs(), getOutputs(), descTblDesc), conf));
     setFetchTask(createFetchTask(DescTableDesc.getSchema()));
@@ -2039,6 +2041,7 @@ private void analyzeShowPartitions(ASTNode ast) throws SemanticException {
     validateTable(tableName, null);
     showPartsDesc = new ShowPartitionsDesc(tableName, ctx.getResFile(), partSpec);
+    inputs.add(new ReadEntity(getTable(tableName, true)));
     rootTasks.add(TaskFactory.get(new DDLWork(getInputs(), getOutputs(), showPartsDesc), conf));
     setFetchTask(createFetchTask(showPartsDesc.getSchema()));
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
index 2f25df6..b0a804c 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
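Review bot: The added `inputs.add(new ReadEntity(getTable(dbName, tableName, true)));` in analyzeDescribeTable carries no comment saying why a DESCRIBE now registers a read entity, and the reason is not obvious from the surrounding DDLWork/fetch-task setup. The authorization hook presumably checks only the entities present in `inputs` (the recorded `.q.out` shows `PREHOOK: Input: default@t1` for the desc), so this line is what lets the SELECT requirement mapped in Operation2Privilege actually be enforced; I would add `// register the described table as a read input so authorization (SELECT under SQL standard auth) is checked` here and the equivalent on the new `inputs.add(new ReadEntity(getTable(tableName, true)));` in analyzeShowPartitions. Passing `true` to getTable also appears to move the missing-table failure for DESCRIBE from execution to analysis; if that is intended, confirm the existing negative tests for describing a nonexistent table still match. Both analyzeDescribeTable and analyzeShowPartitions start before and end after their hunks.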
@@ -81,6 +81,7 @@
     op2Priv.put(HiveOperationType.DROPTABLE, new InOutPrivs(OWNER_PRIV_AR, null));
     op2Priv.put(HiveOperationType.DESCTABLE, new InOutPrivs(SEL_NOGRANT_AR, null));
+    op2Priv.put(HiveOperationType.SHOWPARTITIONS, new InOutPrivs(SEL_NOGRANT_AR, null));
     op2Priv.put(HiveOperationType.DESCFUNCTION, new InOutPrivs(null, null));
     // meta store check command - require admin priv
@@ -168,7 +169,6 @@
     op2Priv.put(HiveOperationType.SHOWFUNCTIONS, new InOutPrivs(null, null));
     op2Priv.put(HiveOperationType.SHOWINDEXES, new InOutPrivs(null, null));
-    op2Priv.put(HiveOperationType.SHOWPARTITIONS, new InOutPrivs(null, null));
     op2Priv.put(HiveOperationType.SHOWLOCKS, new InOutPrivs(null, null));
     op2Priv.put(HiveOperationType.CREATEFUNCTION, new InOutPrivs(null, ADMIN_PRIV_AR));
     op2Priv.put(HiveOperationType.DROPFUNCTION, new InOutPrivs(null, ADMIN_PRIV_AR));
@@ -176,7 +176,6 @@
     op2Priv.put(HiveOperationType.DROPMACRO, new InOutPrivs(null, ADMIN_PRIV_AR));
     op2Priv.put(HiveOperationType.SHOW_COMPACTIONS, new InOutPrivs(null, null));
     op2Priv.put(HiveOperationType.SHOW_TRANSACTIONS, new InOutPrivs(null, null));
-    op2Priv.put(HiveOperationType.DROPFUNCTION, new InOutPrivs(null, null));
     op2Priv.put(HiveOperationType.LOCKTABLE, new InOutPrivs(null, null));
     op2Priv.put(HiveOperationType.UNLOCKTABLE, new InOutPrivs(null, null));
diff --git a/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q b/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q
new file mode 100644
index 0000000..bb62a67
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q
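Review bot: The new `op2Priv.put(HiveOperationType.SHOWPARTITIONS, new InOutPrivs(SEL_NOGRANT_AR, null));` in the first hunk is only effective because the older `(null, null)` entry for the same key is removed in the second hunk; the table is filled by plain `put` calls, so any duplicate key later in the initializer silently replaces a stricter mapping with a more permissive one. The third hunk shows this has already happened once: the second DROPFUNCTION entry with `(null, null)` had been overriding the `ADMIN_PRIV_AR` requirement set a few lines earlier. A small helper used for every entry would turn that into a class-load failure instead of a silent privilege downgrade, e.g. `if (op2Priv.put(op, privs) != null) throw new IllegalStateException("duplicate privilege mapping for " + op);` as the body of a `private static void put(HiveOperationType op, InOutPrivs privs)`. The restored admin requirement for DROPFUNCTION is a behaviour change that none of the tests in this patch cover; a clientnegative case dropping a function as a non-admin user would pin it. The static initializer holding these entries starts and ends outside the hunks.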
@@ -0,0 +1,14 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set hive.security.authorization.enabled=true;
+set user.name=user1;
+
+-- check if alter table fails as different user
+create table t1(i int);
+desc t1;
+
+grant all on table t1 to user user2;
+revoke select on table t1 from user user2;
+
+set user.name=user2;
+desc t1;
diff --git a/ql/src/test/queries/clientnegative/authorization_show_parts_nosel.q b/ql/src/test/queries/clientnegative/authorization_show_parts_nosel.q
new file mode 100644
index 0000000..e2514cc
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_show_parts_nosel.q
@@ -0,0 +1,10 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set hive.security.authorization.enabled=true;
+set user.name=user1;
+
+-- check if alter table fails as different user
+create table t_show_parts(i int) partitioned by (j string);
+
+set user.name=user2;
+show partitions t_show_parts;
diff --git a/ql/src/test/results/clientnegative/authorization_desc_table_nosel.q.out b/ql/src/test/results/clientnegative/authorization_desc_table_nosel.q.out
new file mode 100644
index 0000000..be56d34
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_desc_table_nosel.q.out
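Review bot: The comment `-- check if alter table fails as different user` in authorization_desc_table_nosel.q looks copied from another test and does not describe this case, which checks that DESCRIBE fails for user2 once SELECT has been revoked after a `grant all`; the same stale comment appears in authorization_show_parts_nosel.q, where user2 is given no grant at all before `show partitions`. Suggested wording: `-- desc table should fail for a user without SELECT on it` and `-- show partitions should fail for a user without SELECT on the table`. Because the comment is echoed into the PREHOOK/POSTHOOK query lines of the recorded `.q.out` files, those expected outputs must be regenerated together with it.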
@@ -0,0 +1,29 @@
+PREHOOK: query: -- check if alter table fails as different user
+create table t1(i int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+POSTHOOK: query: -- check if alter table fails as different user
+create table t1(i int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@t1
+PREHOOK: query: desc t1
+PREHOOK: type: DESCTABLE
+PREHOOK: Input: default@t1
+POSTHOOK: query: desc t1
+POSTHOOK: type: DESCTABLE
+POSTHOOK: Input: default@t1
+i int
+PREHOOK: query: grant all on table t1 to user user2
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@t1
+POSTHOOK: query: grant all on table t1 to user user2
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@t1
+PREHOOK: query: revoke select on table t1 from user user2
+PREHOOK: type: REVOKE_PRIVILEGE
+PREHOOK: Output: default@t1
+POSTHOOK: query: revoke select on table t1 from user user2
+POSTHOOK: type: REVOKE_PRIVILEGE
+POSTHOOK: Output: default@t1
+FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [SELECT]
diff --git a/ql/src/test/results/clientnegative/authorization_show_parts_nosel.q.out b/ql/src/test/results/clientnegative/authorization_show_parts_nosel.q.out
new file mode 100644
index 0000000..bd502d1
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_show_parts_nosel.q.out
@@ -0,0 +1,10 @@
+PREHOOK: query: -- check if alter table fails as different user
+create table t_show_parts(i int) partitioned by (j string)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+POSTHOOK: query: -- check if alter table fails as different user
+create table t_show_parts(i int) partitioned by (j string)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@t_show_parts
+FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t_show_parts] : [SELECT]