diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java index a73a5e0..a40a88d 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java @@ -1974,6 +1974,8 @@ private void analyzeDescribeTable(ASTNode ast) throws SemanticException { descTblDesc.setExt(descOptions == HiveParser.KW_EXTENDED); descTblDesc.setPretty(descOptions == HiveParser.KW_PRETTY); } + + inputs.add(new ReadEntity(getTable(tableName))); rootTasks.add(TaskFactory.get(new DDLWork(getInputs(), getOutputs(), descTblDesc), conf)); setFetchTask(createFetchTask(DescTableDesc.getSchema())); @@ -2039,6 +2041,7 @@ private void analyzeShowPartitions(ASTNode ast) throws SemanticException { validateTable(tableName, null); showPartsDesc = new ShowPartitionsDesc(tableName, ctx.getResFile(), partSpec); + inputs.add(new ReadEntity(getTable(tableName))); rootTasks.add(TaskFactory.get(new DDLWork(getInputs(), getOutputs(), showPartsDesc), conf)); setFetchTask(createFetchTask(showPartsDesc.getSchema())); diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java index 2f25df6..b0a804c 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java 
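Review bot: The added `inputs.add(new ReadEntity(getTable(tableName)));` in analyzeDescribeTable has no comment, yet it appears to be the only thing that gives the authorizer an object to check for DESCRIBE. A later cleanup could drop it as dead-looking code, and the SELECT check on DESCTABLE would then have nothing to evaluate. I would put `// Register the table as a read input so authorization can check SELECT on it` above the line, and above the matching line in the second hunk (analyzeShowPartitions). Both method bodies start and end outside their hunks.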
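Review bot: In analyzeShowPartitions the new `getTable(tableName)` comes directly after `validateTable(tableName, null)`, so the table is probably resolved twice for one statement. The body of validateTable is not in this diff, but if it already loads the table, a single lookup could serve both the existence check and the authorization input. That would save a metastore round trip and ensure both steps see the same object. The method starts and ends outside the hunk.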
@@ -81,6 +81,7 @@ op2Priv.put(HiveOperationType.DROPTABLE, new InOutPrivs(OWNER_PRIV_AR, null)); op2Priv.put(HiveOperationType.DESCTABLE, new InOutPrivs(SEL_NOGRANT_AR, null)); + op2Priv.put(HiveOperationType.SHOWPARTITIONS, new InOutPrivs(SEL_NOGRANT_AR, null)); op2Priv.put(HiveOperationType.DESCFUNCTION, new InOutPrivs(null, null)); // meta store check command - require admin priv @@ -168,7 +169,6 @@ op2Priv.put(HiveOperationType.SHOWFUNCTIONS, new InOutPrivs(null, null)); op2Priv.put(HiveOperationType.SHOWINDEXES, new InOutPrivs(null, null)); - op2Priv.put(HiveOperationType.SHOWPARTITIONS, new InOutPrivs(null, null)); op2Priv.put(HiveOperationType.SHOWLOCKS, new InOutPrivs(null, null)); op2Priv.put(HiveOperationType.CREATEFUNCTION, new InOutPrivs(null, ADMIN_PRIV_AR)); op2Priv.put(HiveOperationType.DROPFUNCTION, new InOutPrivs(null, ADMIN_PRIV_AR)); @@ -176,7 +176,6 @@ op2Priv.put(HiveOperationType.DROPMACRO, new InOutPrivs(null, ADMIN_PRIV_AR)); op2Priv.put(HiveOperationType.SHOW_COMPACTIONS, new InOutPrivs(null, null)); op2Priv.put(HiveOperationType.SHOW_TRANSACTIONS, new InOutPrivs(null, null)); - op2Priv.put(HiveOperationType.DROPFUNCTION, new InOutPrivs(null, null)); op2Priv.put(HiveOperationType.LOCKTABLE, new InOutPrivs(null, null)); op2Priv.put(HiveOperationType.UNLOCKTABLE, new InOutPrivs(null, null)); diff --git a/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q b/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q new file mode 100644 index 0000000..bb62a67 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q 
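Review bot: The new `SHOWPARTITIONS` entry restricts something only if the analyzer supplies an input object, and nothing on this line or on `DESCTABLE` above it says so. A comment such as `// input privilege is checked against the ReadEntity added in DDLSemanticAnalyzer` would keep the two files from drifting apart. The context of the second hunk shows `SHOWINDEXES` still mapped to `InOutPrivs(null, null)`; it looks like another per-table metadata command, so it may need the same treatment in a follow-up, which is worth confirming. The duplicate `DROPFUNCTION` entry removed in the third hunk suggests a later `put` silently replaces an earlier one. If `op2Priv` is a plain map, a guard that fails on a repeated key would catch this kind of mistake when the class loads.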
@@ -0,0 +1,14 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set hive.security.authorization.enabled=true;
+set user.name=user1;
+
+-- check if alter table fails as different user
+create table t1(i int);
+desc t1;
+
+grant all on table t1 to user user2;
+revoke select on table t1 from user user2;
+
+set user.name=user2;
+desc t1;
diff --git a/ql/src/test/queries/clientnegative/authorization_show_parts_nosel.q b/ql/src/test/queries/clientnegative/authorization_show_parts_nosel.q
new file mode 100644
index 0000000..e2514cc
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_show_parts_nosel.q
@@ -0,0 +1,10 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set hive.security.authorization.enabled=true;
+set user.name=user1;
+
+-- check if alter table fails as different user
+create table t_show_parts(i int) partitioned by (j string);
+
+set user.name=user2;
+show partitions t_show_parts;
diff --git a/ql/src/test/results/clientnegative/authorization_desc_table_nosel.q.out b/ql/src/test/results/clientnegative/authorization_desc_table_nosel.q.out
new file mode 100644
index 0000000..be56d34
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_desc_table_nosel.q.out
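Review bot: The comment `-- check if alter table fails as different user` does not describe this test, which checks that `desc t1` is denied for user2 once SELECT has been revoked. The same copied comment appears in authorization_show_parts_nosel.q. I would change them to `-- check that desc fails for a user without select privilege` and `-- check that show partitions fails for a user without select privilege`. The .q.out files echo the comment, so they would need regenerating. Neither test exercises the `partition(...)` forms of the two commands, which may be worth adding as further negative cases.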
@@ -0,0 +1,29 @@ +PREHOOK: query: -- check if alter table fails as different user +create table t1(i int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +POSTHOOK: query: -- check if alter table fails as different user +create table t1(i int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@t1 +PREHOOK: query: desc t1 +PREHOOK: type: DESCTABLE +PREHOOK: Input: default@t1 +POSTHOOK: query: desc t1 +POSTHOOK: type: DESCTABLE +POSTHOOK: Input: default@t1 +i int +PREHOOK: query: grant all on table t1 to user user2 +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@t1 +POSTHOOK: query: grant all on table t1 to user user2 +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@t1 +PREHOOK: query: revoke select on table t1 from user user2 +PREHOOK: type: REVOKE_PRIVILEGE +PREHOOK: Output: default@t1 +POSTHOOK: query: revoke select on table t1 from user user2 +POSTHOOK: type: REVOKE_PRIVILEGE +POSTHOOK: Output: default@t1 +FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [SELECT] diff --git a/ql/src/test/results/clientnegative/authorization_show_parts_nosel.q.out b/ql/src/test/results/clientnegative/authorization_show_parts_nosel.q.out new file mode 100644 index 0000000..bd502d1 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_show_parts_nosel.q.out 
@@ -0,0 +1,10 @@ +PREHOOK: query: -- check if alter table fails as different user +create table t_show_parts(i int) partitioned by (j string) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +POSTHOOK: query: -- check if alter table fails as different user +create table t_show_parts(i int) partitioned by (j string) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@t_show_parts +FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t_show_parts] : [SELECT] diff --git a/ql/src/test/results/clientpositive/describe_syntax.q.out b/ql/src/test/results/clientpositive/describe_syntax.q.out index 8c3d6e5..f322ed8 100644 --- a/ql/src/test/results/clientpositive/describe_syntax.q.out +++ b/ql/src/test/results/clientpositive/describe_syntax.q.out @@ -37,9 +37,11 @@ POSTHOOK: Output: db1@t1@ds=4/part=5 PREHOOK: query: -- describe table DESCRIBE t1 PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: -- describe table DESCRIBE t1 POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 key1 int value1 string ds string @@ -52,8 +54,10 @@ ds string part string PREHOOK: query: DESCRIBE EXTENDED t1 PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: DESCRIBE EXTENDED t1 POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 key1 int value1 string ds string @@ -68,8 +72,10 @@ part string #### A masked pattern was here #### PREHOOK: query: DESCRIBE FORMATTED t1 PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: DESCRIBE FORMATTED t1 POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 # col_name data_type comment key1 int 
@@ -104,9 +110,11 @@ Storage Desc Params: PREHOOK: query: -- describe database.table DESCRIBE db1.t1 PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: -- describe database.table DESCRIBE db1.t1 POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 key1 int value1 string ds string @@ -119,8 +127,10 @@ ds string part string PREHOOK: query: DESCRIBE EXTENDED db1.t1 PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: DESCRIBE EXTENDED db1.t1 POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 key1 int value1 string ds string @@ -135,8 +145,10 @@ part string #### A masked pattern was here #### PREHOOK: query: DESCRIBE FORMATTED db1.t1 PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: DESCRIBE FORMATTED db1.t1 POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 # col_name data_type comment key1 int 
@@ -171,38 +183,50 @@ Storage Desc Params: PREHOOK: query: -- describe table column DESCRIBE t1 key1 PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: -- describe table column DESCRIBE t1 key1 POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 key1 int from deserializer PREHOOK: query: DESCRIBE EXTENDED t1 key1 PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: DESCRIBE EXTENDED t1 key1 POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 key1 int from deserializer PREHOOK: query: DESCRIBE FORMATTED t1 key1 PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: DESCRIBE FORMATTED t1 key1 POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 # col_name data_type comment key1 int from deserializer PREHOOK: query: -- describe database.tabe column DESCRIBE db1.t1 key1 PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: -- describe database.tabe column DESCRIBE db1.t1 key1 POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 key1 int from deserializer PREHOOK: query: DESCRIBE EXTENDED db1.t1 key1 PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: DESCRIBE EXTENDED db1.t1 key1 POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 key1 int from deserializer PREHOOK: query: DESCRIBE FORMATTED db1.t1 key1 PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: DESCRIBE FORMATTED db1.t1 key1 POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 # col_name data_type comment key1 int from deserializer 
@@ -211,30 +235,38 @@ PREHOOK: query: -- describe table.column -- fall back to the old syntax table.column DESCRIBE t1.key1 PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: -- describe table.column -- after first checking t1.key1 for database.table not valid -- fall back to the old syntax table.column DESCRIBE t1.key1 POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 key1 int from deserializer PREHOOK: query: DESCRIBE EXTENDED t1.key1 PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: DESCRIBE EXTENDED t1.key1 POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 key1 int from deserializer PREHOOK: query: DESCRIBE FORMATTED t1.key1 PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: DESCRIBE FORMATTED t1.key1 POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 # col_name data_type comment key1 int from deserializer PREHOOK: query: -- describe table partition DESCRIBE t1 PARTITION(ds='4', part='5') PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: -- describe table partition DESCRIBE t1 PARTITION(ds='4', part='5') POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 key1 int value1 string ds string @@ -247,8 +279,10 @@ ds string part string PREHOOK: query: DESCRIBE EXTENDED t1 PARTITION(ds='4', part='5') PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: DESCRIBE EXTENDED t1 PARTITION(ds='4', part='5') POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 key1 int value1 string ds string @@ -263,8 +297,10 @@ part string #### A masked pattern was here #### PREHOOK: query: DESCRIBE FORMATTED t1 PARTITION(ds='4', part='5') PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: DESCRIBE FORMATTED t1 PARTITION(ds='4', part='5') POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 # col_name data_type comment key1 int 
@@ -299,9 +335,11 @@ Storage Desc Params: PREHOOK: query: -- describe database.table partition DESCRIBE db1.t1 PARTITION(ds='4', part='5') PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: -- describe database.table partition DESCRIBE db1.t1 PARTITION(ds='4', part='5') POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 key1 int value1 string ds string @@ -314,8 +352,10 @@ ds string part string PREHOOK: query: DESCRIBE EXTENDED db1.t1 PARTITION(ds='4', part='5') PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: DESCRIBE EXTENDED db1.t1 PARTITION(ds='4', part='5') POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 key1 int value1 string ds string @@ -330,8 +370,10 @@ part string #### A masked pattern was here #### PREHOOK: query: DESCRIBE FORMATTED db1.t1 PARTITION(ds='4', part='5') PREHOOK: type: DESCTABLE +PREHOOK: Input: db1@t1 POSTHOOK: query: DESCRIBE FORMATTED db1.t1 PARTITION(ds='4', part='5') POSTHOOK: type: DESCTABLE +POSTHOOK: Input: db1@t1 # col_name data_type comment key1 int diff --git a/ql/src/test/results/clientpositive/show_partitions.q.out b/ql/src/test/results/clientpositive/show_partitions.q.out index 5190c53..06f1c0d 100644 --- a/ql/src/test/results/clientpositive/show_partitions.q.out +++ b/ql/src/test/results/clientpositive/show_partitions.q.out 
@@ -1,33 +1,43 @@ PREHOOK: query: SHOW PARTITIONS srcpart PREHOOK: type: SHOWPARTITIONS +PREHOOK: Input: default@srcpart POSTHOOK: query: SHOW PARTITIONS srcpart POSTHOOK: type: SHOWPARTITIONS +POSTHOOK: Input: default@srcpart ds=2008-04-08/hr=11 ds=2008-04-08/hr=12 ds=2008-04-09/hr=11 ds=2008-04-09/hr=12 PREHOOK: query: SHOW PARTITIONS default.srcpart PREHOOK: type: SHOWPARTITIONS +PREHOOK: Input: default@srcpart POSTHOOK: query: SHOW PARTITIONS default.srcpart POSTHOOK: type: SHOWPARTITIONS +POSTHOOK: Input: default@srcpart ds=2008-04-08/hr=11 ds=2008-04-08/hr=12 ds=2008-04-09/hr=11 ds=2008-04-09/hr=12 PREHOOK: query: SHOW PARTITIONS srcpart PARTITION(hr='11') PREHOOK: type: SHOWPARTITIONS +PREHOOK: Input: default@srcpart POSTHOOK: query: SHOW PARTITIONS srcpart PARTITION(hr='11') POSTHOOK: type: SHOWPARTITIONS +POSTHOOK: Input: default@srcpart ds=2008-04-08/hr=11 ds=2008-04-09/hr=11 PREHOOK: query: SHOW PARTITIONS srcpart PARTITION(ds='2008-04-08') PREHOOK: type: SHOWPARTITIONS +PREHOOK: Input: default@srcpart POSTHOOK: query: SHOW PARTITIONS srcpart PARTITION(ds='2008-04-08') POSTHOOK: type: SHOWPARTITIONS +POSTHOOK: Input: default@srcpart ds=2008-04-08/hr=11 ds=2008-04-08/hr=12 PREHOOK: query: SHOW PARTITIONS srcpart PARTITION(ds='2008-04-08', hr='12') PREHOOK: type: SHOWPARTITIONS +PREHOOK: Input: default@srcpart POSTHOOK: query: SHOW PARTITIONS srcpart PARTITION(ds='2008-04-08', hr='12') POSTHOOK: type: SHOWPARTITIONS +POSTHOOK: Input: default@srcpart ds=2008-04-08/hr=12