diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java index 4e5df4c..ed7aaa9 100644 --- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java +++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java @@ -18,24 +18,37 @@ package org.apache.hadoop.hive.conf; +import java.io.ByteArrayOutputStream; +import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.io.PrintStream; +import java.net.URL; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.Iterator; +import java.util.LinkedHashSet; +import java.util.List; +import java.util.Map; +import java.util.Map.Entry; +import java.util.Properties; +import java.util.Set; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + +import javax.security.auth.login.LoginException; + import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate; import org.apache.hadoop.hive.shims.ShimLoader; import org.apache.hadoop.mapred.JobConf; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.util.Shell; import org.apache.hive.common.HiveCompat; -import javax.security.auth.login.LoginException; -import java.io.*; -import java.net.URL; -import java.util.*; -import java.util.Map.Entry; -import java.util.regex.Matcher; -import java.util.regex.Pattern; - /** * Hive Configuration. */ @@ -52,6 +65,9 @@ private static final Map vars = new HashMap(); private final List restrictList = new ArrayList(); + private boolean isWhiteListRestrictionEnabled = false; + private final List modWhiteList = new ArrayList(); + static { ClassLoader classLoader = Thread.currentThread().getContextClassLoader(); if (classLoader == null) { 
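Review bot: The new fields `isWhiteListRestrictionEnabled` and `modWhiteList` are per-instance state, and nothing in this diff carries them over when one HiveConf is built from another. If the copy constructor (outside these hunks) copies `restrictList` but not these two fields, a conf derived from a session conf would silently lose the whitelist check in `verifyAndSet`. It would need `isWhiteListRestrictionEnabled = other.isWhiteListRestrictionEnabled;` and `modWhiteList.addAll(other.modWhiteList);` there. Because the list is only queried with `contains`, a `Set` would also avoid duplicate entries and linear lookups.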
@@ -129,6 +145,7 @@ HiveConf.ConfVars.HIVE_TXN_MAX_OPEN_BATCH, }; + /** * dbVars are the parameters can be set per database. If these * parameters are set as a database property, when switching to that @@ -804,6 +821,11 @@ HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS("hive.security.authorization.createtable.owner.grants", ""), + // if this is not set default value is added by sql standard authorizer. + // Default value can't be set in this constructor as it would refer names in other ConfVars + // whose constructor would not have been called + HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST("hive.security.authorization.sqlstd.confwhitelist", ""), + // Print column names in output HIVE_CLI_PRINT_HEADER("hive.cli.print.header", false), @@ -998,6 +1020,7 @@ // Check if a plan contains a Cross Product. // If there is one, output a warning to the Session's console. HIVE_CHECK_CROSS_PRODUCT("hive.exec.check.crossproducts", true), + ; public final String varname; @@ -1172,8 +1195,15 @@ private static synchronized InputStream getConfVarInputStream() { } public void verifyAndSet(String name, String value) throws IllegalArgumentException { + if (isWhiteListRestrictionEnabled) { + if (!modWhiteList.contains(name)) { + throw new IllegalArgumentException("Cannot modify " + name + " at runtime. " + + "It is not in list of params that are allowed to be modified at runtime"); + } + } if (restrictList.contains(name)) { - throw new IllegalArgumentException("Cannot modify " + name + " at runtime"); + throw new IllegalArgumentException("Cannot modify " + name + " at runtime. It is in the list" + + "of parameters that can't be modified at runtime"); } set(name, value); } 
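Review bot: The new restrict-list message in `verifyAndSet` is concatenated from `"... It is in the list"` and `"of parameters ..."`, so it renders as "listof parameters"; the first literal needs a trailing space, `" at runtime. It is in the list "`. The method should also carry a comment stating its scope, for example `// only changes routed through verifyAndSet are checked; set()/setVar() bypass both lists`, because the final `set(name, value)` shows that direct setters are not restricted. When the whitelist is enabled, the whitelist check runs first, so a name on both lists gets the whitelist message when it is missing from the whitelist and the restrict-list message otherwise.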
@@ -1601,6 +1631,29 @@ public void addToRestrictList(String restrictListStr) { } /** + * Set if whitelist check is enabled for parameter modification + * + * @param isEnabled + */ + @LimitedPrivate(value = { "Currently only for use by HiveAuthorizer" }) + public void setIsModWhiteListEnabled(boolean isEnabled) { + this.isWhiteListRestrictionEnabled = isEnabled; + } + + /** + * Add config parameter name to whitelist of parameters that can be modified + * + * @param paramname + */ + @LimitedPrivate(value = { "Currently only for use by HiveAuthorizer" }) + public void addToModifiableWhiteList(String paramname) { + if (paramname == null) { + return; + } + modWhiteList.add(paramname); + } + + /** * Add the HIVE_CONF_RESTRICTED_LIST values to restrictList, * including HIVE_CONF_RESTRICTED_LIST itself */ diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java index 04ab232..abe5ffa 100644 --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java 
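Review bot: `addToModifiableWhiteList` stores the name exactly as passed, and its caller in `SQLStdHiveAccessController.applyAuthorizationConfigPolicy` splits the configured value on `,` without trimming, so a whitelist written as `a, b` stores ` b` and that parameter can never be set. Trimming and skipping empty names here covers both places: `String trimmed = paramname.trim(); if (!trimmed.isEmpty()) { modWhiteList.add(trimmed); }`. Both setters are public and `@LimitedPrivate` is advisory only, so the Javadoc should say that `setIsModWhiteListEnabled(false)` removes the runtime restriction for this conf; the empty `@param` tags are the place for it.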
@@ -112,4 +112,30 @@ private Connection getConnection(String userName) throws SQLException { return DriverManager.getConnection(miniHS2.getJdbcURL(), userName, "bar"); } + @Test + public void testAllowedCommands() throws Exception { + + // using different code blocks so that jdbc variables are not accidently re-used + // between the actions. Different connection/statement object should be used for each action. + { + // create tables as user1 + Connection hs2Conn = getConnection("user1"); + boolean caughtException = false; + Statement stmt = hs2Conn.createStatement(); + // create tables + try { + stmt.execute("dfs -ls /tmp/"); + } catch (SQLException e){ + caughtException = true; + assertTrue("Checking error message content", + e.getMessage().contains("Insufficient privileges to execute")); + } + finally { + stmt.close(); + hs2Conn.close(); + } + assertTrue("Exception expected ", caughtException); + } + } + } diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java new file mode 100644 index 0000000..4474ce5 --- /dev/null +++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java 
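Review bot: `testAllowedCommands` asserts that `dfs -ls /tmp/` is rejected, so the method name and the two `create tables` comments describe something else; `testDisallowedCommands` with a comment like `// dfs is not in the command whitelist under SQL standard authorization` would match the assertion. `hs2Conn.createStatement()` sits outside the `try`, so a failure there leaks the connection, and a throwing `stmt.close()` skips `hs2Conn.close()`. The test exercises only the command whitelist; a `set` of a parameter outside the config whitelist over JDBC is not covered here. The enclosing test class starts outside the hunk.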
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
+
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController;
+
+/**
+ * Extends SQLStdHiveAccessController to relax the restriction of not being able to run dfs
+ * and set commands, so that it is easy to test using .q file tests.
+ * To be used for testing purposes only!
+ */
+@Private
+public class SQLStdHiveAccessControllerForTest extends SQLStdHiveAccessController {
+
+ SQLStdHiveAccessControllerForTest(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf,
+ HiveAuthenticationProvider authenticator) throws HiveAuthzPluginException {
+ super(metastoreClientFactory, conf, authenticator);
+ }
+
+
+ @Override
+ public void applyAuthorizationConfigPolicy(HiveConf hiveConf) {
+ super.applyAuthorizationConfigPolicy(hiveConf);
+
+ // allow set and dfs commands
+ hiveConf.setVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST, "set,dfs");
+
+ // remove restrictions on the variables that can be set using set command
+ hiveConf.setIsModWhiteListEnabled(false);
+
+ }
+
+}
diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java
new file mode 100644
index 0000000..89e18b3
--- /dev/null
+++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java
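Review bot: `SQLStdHiveAccessControllerForTest.applyAuthorizationConfigPolicy` re-enables `dfs` and switches the parameter whitelist off, and nothing in the class prevents it from being configured as the authorization manager outside a test run when the itests jar is on the classpath. A guard at the top of the method, for example `if (!hiveConf.getBoolVar(ConfVars.HIVE_IN_TEST)) { throw new IllegalStateException("test-only authorizer"); }`, would make the "testing purposes only" Javadoc enforceable; whether the .q test setup sets that flag needs to be confirmed. The class imports `Private` from `org.apache.hadoop.classification`, while the factory added next to it uses `org.apache.hadoop.hive.common.classification`, and the import of `SQLStdHiveAccessController` from its own package is redundant.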
@@ -0,0 +1,42 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd; + +import org.apache.hadoop.hive.common.classification.InterfaceAudience.Private; +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerImpl; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; + +@Private +public class SQLStdHiveAuthorizerFactoryForTest implements HiveAuthorizerFactory{ + @Override + public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, + HiveConf conf, HiveAuthenticationProvider authenticator) throws HiveAuthzPluginException { + SQLStdHiveAccessController privilegeManager = + new SQLStdHiveAccessControllerForTest(metastoreClientFactory, conf, authenticator); + return new 
HiveAuthorizerImpl( + privilegeManager, + new SQLStdHiveAuthorizationValidator(metastoreClientFactory, conf, authenticator, + privilegeManager) + ); + } +} diff --git a/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java b/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java index 51b5bdc..70c76b1 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java @@ -28,10 +28,7 @@ import java.util.Set; import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.conf.HiveConf.ConfVars; import org.apache.hadoop.hive.ql.Driver; -import org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; import org.apache.hadoop.hive.ql.session.SessionState; /** @@ -61,18 +58,8 @@ public static CommandProcessor getForHiveCommand(String[] cmd, HiveConf conf) conf = new HiveConf(); } Set availableCommands = new HashSet(); - if (!HiveAuthorizerFactory.class.isAssignableFrom - (conf.getClass(ConfVars.HIVE_AUTHORIZATION_MANAGER.varname,DefaultHiveAuthorizationProvider.class))) { - // we are not on authV2, add processors. - for (String availableCommand : conf.getVar(HiveConf.ConfVars.HIVE_SECURITY_COMMAND_WHITELIST).split(",")) { - availableCommands.add(availableCommand.toLowerCase().trim()); - } - } - - if (conf.getBoolVar(ConfVars.HIVE_IN_TEST)) { - // because test case uses these. - availableCommands.add("set"); - availableCommands.add("dfs"); + for (String availableCommand : conf.getVar(HiveConf.ConfVars.HIVE_SECURITY_COMMAND_WHITELIST).split(",")) { + availableCommands.add(availableCommand.toLowerCase().trim()); } if (!availableCommands.contains(cmd[0].trim().toLowerCase())) { throw new SQLException("Insufficient privileges to execute " + cmd[0], "42000"); 
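Review bot: With the authV2 branch removed, `getForHiveCommand` depends entirely on `HIVE_SECURITY_COMMAND_WHITELIST` having been rewritten by the authorizer in the conf it receives, yet the context line just above still falls back to `conf = new HiveConf()` when `conf` is null. A fresh HiveConf has not been through `applyAuthorizationConfigPolicy`, so under SQL standard authorization that path would use the stock whitelist rather than `set`; whether any caller passes null in that mode is not visible here. An empty whitelist value also leaves `""` in `availableCommands`, so a blank `cmd[0]` passes the `contains` check; skipping empty tokens in the loop closes that. The method starts and ends outside the hunk.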
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java index 0e65fa2..ede408b 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java @@ -21,6 +21,7 @@ import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate; import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving; +import org.apache.hadoop.hive.conf.HiveConf; /** * Interface that is invoked by access control commands, including grant/revoke role/privileges, @@ -68,4 +69,6 @@ void revokeRole(List hivePrincipals, List roles, boolean List getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, HiveAccessControlException; + + void applyAuthorizationConfigPolicy(HiveConf hiveConf); } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java index 3a2825d..dbef61a 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java @@ -21,6 +21,7 @@ import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate; import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving; +import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider; /** 
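Review bot: `applyAuthorizationConfigPolicy(HiveConf hiveConf)` is added to `HiveAccessController` without Javadoc and without a `throws` clause, unlike the neighbouring `getRoleGrantInfoForPrincipal`. An implementation therefore cannot report a failure to apply its security settings except through an unchecked exception, and callers get no stated contract on whether the conf is modified in place. Suggest a Javadoc saying that the method modifies the given conf to enforce the authorizer's configuration policy and is invoked during session setup, and consider declaring `throws HiveAuthzPluginException`; the same applies to the `HiveAuthorizer` method added later in this commit. Existing implementations of this interface outside the tree will stop compiling until they add the method.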
@@ -171,9 +172,26 @@ void checkPrivileges(HiveOperationType hiveOpType, List inp List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException, HiveAccessControlException; + /** + * Set the current role to roleName argument + * @param roleName + * @throws HiveAccessControlException + * @throws HiveAuthzPluginException + */ void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException; + /** + * @return List having names of current roles + * @throws HiveAuthzPluginException + */ List getCurrentRoleNames() throws HiveAuthzPluginException; + /** + * Modify the given HiveConf object to configure authorization related parameters + * or other parameters related to hive security + * @param hiveConf + */ + public void applyAuthorizationConfigPolicy(HiveConf hiveConf); + } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java index b1bdb67..558d4ff 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java @@ -21,6 +21,7 @@ import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate; import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving; +import org.apache.hadoop.hive.conf.HiveConf; /** * Convenience implementation of HiveAuthorizer. @@ -120,4 +121,9 @@ public void setCurrentRole(String roleName) throws HiveAccessControlException, H throws HiveAuthzPluginException, HiveAccessControlException { return accessController.getRoleGrantInfoForPrincipal(principal); } + + @Override + public void applyAuthorizationConfigPolicy(HiveConf hiveConf) { + accessController.applyAuthorizationConfigPolicy(hiveConf); + } } 
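Review bot: `HiveAuthorizerImpl.applyAuthorizationConfigPolicy` dereferences `accessController` unconditionally, and this commit makes session setup call it for every V2 authorizer. An authorizer built with a null access controller, which `TestSessionUserName` did until this commit, now fails with a NullPointerException at session start instead of only when an access-control command is issued. Either state in the constructor Javadoc that `accessController` must be non-null or reject null there. In `HiveAuthorizer`, the `public` modifier on the new interface method is redundant and differs from the sibling declarations.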
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java index 57658db..e4f5aac 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java @@ -24,8 +24,11 @@ import java.util.Map; import java.util.Set; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; import org.apache.hadoop.classification.InterfaceAudience.Private; import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.conf.HiveConf.ConfVars; import org.apache.hadoop.hive.metastore.HiveMetaStore; import org.apache.hadoop.hive.metastore.IMetaStoreClient; import org.apache.hadoop.hive.metastore.api.GetPrincipalsInRoleRequest; @@ -43,6 +46,7 @@ import org.apache.hadoop.hive.metastore.api.RolePrincipalGrant; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils; +import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessController; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; @@ -55,6 +59,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant; import org.apache.thrift.TException; +import com.google.common.base.Joiner; import com.google.common.collect.ImmutableSet; /** 
@@ -76,8 +81,9 @@ + "have it as current role, for this action."; private final String HAS_ADMIN_PRIV_MSG = "grantor need to have ADMIN privileges on role being" + " granted and have it as a current role for this action."; + public static final Log LOG = LogFactory.getLog(SQLStdHiveAccessController.class); - SQLStdHiveAccessController(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, + public SQLStdHiveAccessController(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, HiveAuthenticationProvider authenticator) throws HiveAuthzPluginException { this.metastoreClientFactory = metastoreClientFactory; this.authenticator = authenticator; 
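Review bot: The constructor is widened to `public`, but the only new callers in this diff, `SQLStdHiveAccessControllerForTest` and `TestSQLStdHiveAccessController`, are declared in the same package, so package-private access would still compile for them. If a caller outside the package does exist, a comment naming it next to the constructor would explain the wider visibility; otherwise keeping it package-private keeps the class's surface small. `LOG` can be `private static final` as well, since nothing in the diff reads it from outside the class.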
@@ -523,4 +529,100 @@ private boolean doesUserHasAdminOption(List roleNames) throws HiveAuthzP } } + + /** + * Default list of modifiable config parameters for sql standard authorization + */ + static final String [] defaultModWhiteListSqlStdAuth = new String [] { + ConfVars.BYTESPERREDUCER.varname, + ConfVars.MAXREDUCERS.varname, + ConfVars.HIVEMAPSIDEAGGREGATE.varname, + ConfVars.HIVEMAPAGGRHASHMEMORY.varname, + ConfVars.HIVEMAPAGGRMEMORYTHRESHOLD.varname, + ConfVars.HIVEMAPAGGRHASHMINREDUCTION.varname, + ConfVars.HIVEGROUPBYSKEW.varname, + ConfVars.HIVE_OPTIMIZE_MULTI_GROUPBY_COMMON_DISTINCTS.varname, + ConfVars.HIVEOPTGBYUSINGINDEX.varname, + ConfVars.HIVEOPTPPD.varname, + ConfVars.HIVEOPTPPD_STORAGE.varname, + ConfVars.HIVEOPTPPD_STORAGE.varname, + ConfVars.HIVEPPDRECOGNIZETRANSITIVITY.varname, + ConfVars.HIVEOPTGROUPBY.varname, + ConfVars.HIVEOPTSORTDYNAMICPARTITION.varname, + ConfVars.HIVE_OPTIMIZE_SKEWJOIN_COMPILETIME.varname, + ConfVars.HIVE_OPTIMIZE_UNION_REMOVE.varname, + ConfVars.HIVEMULTIGROUPBYSINGLEREDUCER.varname, + ConfVars.HIVE_MAP_GROUPBY_SORT.varname, + ConfVars.HIVE_MAP_GROUPBY_SORT_TESTMODE.varname, + ConfVars.HIVESKEWJOIN.varname, + ConfVars.HIVE_OPTIMIZE_SKEWJOIN_COMPILETIME.varname, + ConfVars.HIVEMAPREDMODE.varname, + ConfVars.HIVEENFORCEBUCKETMAPJOIN.varname, + ConfVars.COMPRESSRESULT.varname, + ConfVars.COMPRESSINTERMEDIATE.varname, + ConfVars.EXECPARALLEL.varname, + ConfVars.EXECPARALLETHREADNUMBER.varname, + ConfVars.EXECPARALLETHREADNUMBER.varname, + ConfVars.HIVEROWOFFSET.varname, + ConfVars.HIVEMERGEMAPFILES.varname, + ConfVars.HIVEMERGEMAPREDFILES.varname, + ConfVars.HIVEMERGETEZFILES.varname, + ConfVars.HIVEIGNOREMAPJOINHINT.varname, + ConfVars.HIVECONVERTJOIN.varname, + ConfVars.HIVECONVERTJOINNOCONDITIONALTASK.varname, + ConfVars.HIVECONVERTJOINNOCONDITIONALTASKTHRESHOLD.varname, + ConfVars.HIVECONVERTJOINUSENONSTAGED.varname, + ConfVars.HIVECONVERTJOINNOCONDITIONALTASK.varname, + 
ConfVars.HIVECONVERTJOINNOCONDITIONALTASKTHRESHOLD.varname, + ConfVars.HIVECONVERTJOINUSENONSTAGED.varname, + ConfVars.HIVEENFORCEBUCKETING.varname, + ConfVars.HIVEENFORCESORTING.varname, + ConfVars.HIVEENFORCESORTMERGEBUCKETMAPJOIN.varname, + ConfVars.HIVE_AUTO_SORTMERGE_JOIN.varname, + ConfVars.HIVE_EXECUTION_ENGINE.varname, + ConfVars.HIVE_VECTORIZATION_ENABLED.varname, + ConfVars.HIVEMAPJOINUSEOPTIMIZEDKEYS.varname, + ConfVars.HIVEMAPJOINLAZYHASHTABLE.varname, + ConfVars.HIVE_CHECK_CROSS_PRODUCT.varname, + ConfVars.HIVE_COMPAT.varname, + ConfVars.DYNAMICPARTITIONINGMODE.varname, + "mapred.reduce.tasks", + "mapred.output.compression.codec", + "mapred.map.output.compression.codec", + "mapreduce.job.reduce.slowstart.completedmaps", + "mapreduce.job.queuename", + }; + + @Override + public void applyAuthorizationConfigPolicy(HiveConf hiveConf) { + // grant all privileges for table to its owner + hiveConf.setVar(ConfVars.HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS, "INSERT,SELECT,UPDATE,DELETE"); + + // Configure PREEXECHOOKS with DisallowTransformHook to disallow transform queries + String hooks = hiveConf.getVar(ConfVars.PREEXECHOOKS).trim(); + if (hooks.isEmpty()) { + hooks = DisallowTransformHook.class.getName(); + } else { + hooks = hooks + "," +DisallowTransformHook.class.getName(); + } + LOG.debug("Configuring hooks : " + hooks); + hiveConf.setVar(ConfVars.PREEXECHOOKS, hooks); + + // set security command list to only allow set command + hiveConf.setVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST, "set"); + + // restrict the variables that can be set using set command to a list in whitelist + hiveConf.setIsModWhiteListEnabled(true); + String whiteListParamsStr = hiveConf.getVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST); + if (whiteListParamsStr == null || whiteListParamsStr.trim().equals("")){ + // set the default configs in whitelist + whiteListParamsStr = Joiner.on(",").join(defaultModWhiteListSqlStdAuth); + 
hiveConf.setVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST, whiteListParamsStr); + } + for(String whiteListParam : whiteListParamsStr.split(",")){ + hiveConf.addToModifiableWhiteList(whiteListParam); + } + + } + } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java index 2496282..229c063 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java @@ -24,7 +24,6 @@ import org.apache.commons.logging.LogFactory; import org.apache.hadoop.fs.Path; import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.metastore.HiveMetaStore; import org.apache.hadoop.hive.metastore.IMetaStoreClient; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; @@ -43,7 +42,7 @@ private final HiveConf conf; private final HiveAuthenticationProvider authenticator; private final SQLStdHiveAccessController privController; - public static final Log LOG = LogFactory.getLog(HiveMetaStore.class); + public static final Log LOG = LogFactory.getLog(SQLStdHiveAuthorizationValidator.class); public SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, HiveAuthenticationProvider authenticator, diff --git a/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java b/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java index 93eccf8..33973e4 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java 
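Review bot: `applyAuthorizationConfigPolicy` is not idempotent: every call appends `DisallowTransformHook` to `PREEXECHOOKS` and re-adds each name to the HiveConf whitelist, and this commit invokes it from both `SessionState.setupAuth` and `SessionState.applyAuthorizationPolicy`. The hook handling below adds the hook only when it is missing. An empty `hive.security.authorization.sqlstd.confwhitelist` falls back to the built-in list, so an administrator cannot express "no parameter may be changed"; that should be stated where the variable is documented. `defaultModWhiteListSqlStdAuth` also repeats several entries (`HIVEOPTPPD_STORAGE`, `EXECPARALLETHREADNUMBER`, the `HIVECONVERTJOIN*` group), which suggests the list deserves an entry-by-entry review.

```java
  @Override
  public void applyAuthorizationConfigPolicy(HiveConf hiveConf) {
    // … unchanged: table owner grants …

    // Configure PREEXECHOOKS with DisallowTransformHook, once per conf
    String hookName = DisallowTransformHook.class.getName();
    String hooks = hiveConf.getVar(ConfVars.PREEXECHOOKS).trim();
    boolean alreadyConfigured = false;
    for (String hook : hooks.split(",")) {
      if (hookName.equals(hook.trim())) {
        alreadyConfigured = true;
        break;
      }
    }
    if (!alreadyConfigured) {
      hooks = hooks.isEmpty() ? hookName : hooks + "," + hookName;
      LOG.debug("Configuring hooks : " + hooks);
      hiveConf.setVar(ConfVars.PREEXECHOOKS, hooks);
    }

    // … unchanged: command whitelist and parameter whitelist handling …
  }
```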
@@ -58,7 +58,6 @@ import org.apache.hadoop.hive.ql.plan.HiveOperation; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider; -import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactoryImpl; @@ -161,6 +160,9 @@ private String currentDatabase; + private final String CONFIG_AUTHZ_SETTINGS_APPLIED_MARKER = + "hive.internal.ss.authz.settings.applied.marker"; + /** * Lineage state. */ 
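Review bot: `CONFIG_AUTHZ_SETTINGS_APPLIED_MARKER` is named like a constant but declared as an instance field; `private static final String CONFIG_AUTHZ_SETTINGS_APPLIED_MARKER = "hive.internal.ss.authz.settings.applied.marker";` avoids one copy per SessionState. A one-line comment saying that `applyAuthorizationPolicy` writes this key into the session conf to record that the authorizer's config policy was applied would help anyone who finds the key in a dumped configuration.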
@@ -371,34 +373,26 @@ private void setupAuth() { } try { - authenticator = HiveUtils.getAuthenticator(getConf(), + authenticator = HiveUtils.getAuthenticator(conf, HiveConf.ConfVars.HIVE_AUTHENTICATOR_MANAGER); authenticator.setSessionState(this); - authorizer = HiveUtils.getAuthorizeProviderManager(getConf(), + authorizer = HiveUtils.getAuthorizeProviderManager(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER, authenticator, true); if (authorizer == null) { // if it was null, the new authorization plugin must be specified in // config - HiveAuthorizerFactory authorizerFactory = HiveUtils.getAuthorizerFactory(getConf(), + HiveAuthorizerFactory authorizerFactory = HiveUtils.getAuthorizerFactory(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER); authorizerV2 = authorizerFactory.createHiveAuthorizer(new HiveMetastoreClientFactoryImpl(), - getConf(), authenticator); - // grant all privileges for table to its owner - getConf().setVar(ConfVars.HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS, "INSERT,SELECT,UPDATE,DELETE"); - String hooks = getConf().getVar(ConfVars.PREEXECHOOKS).trim(); - if (hooks.isEmpty()) { - hooks = DisallowTransformHook.class.getName(); - } else { - hooks = hooks + "," +DisallowTransformHook.class.getName(); - } - LOG.debug("Configuring hooks : " + hooks); - getConf().setVar(ConfVars.PREEXECHOOKS, hooks); - } + conf, authenticator); - createTableGrants = CreateTableAutomaticGrant.create(getConf()); + authorizerV2.applyAuthorizationConfigPolicy(conf); + // create the create table grants with new config + createTableGrants = CreateTableAutomaticGrant.create(conf); + } } catch (HiveException e) { throw new RuntimeException(e); 
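Review bot: `createTableGrants = CreateTableAutomaticGrant.create(conf);` now sits inside the `if (authorizer == null)` block, so for a V1 authorization provider this hunk no longer assigns the field. Unless it is set elsewhere in `setupAuth` (the method continues outside the hunk), the configured create-table grants would stop being applied under V1; moving the statement back below the closing brace of the `if` keeps both modes covered. The policy is also applied here without setting `CONFIG_AUTHZ_SETTINGS_APPLIED_MARKER`, so a later `applyAuthorizationPolicy()` call applies it to the same conf a second time.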
@@ -1015,4 +1009,28 @@ public String getUserName() { return userName; } + /** + * If authorization mode is v2, then pass it through authorizer so that it can apply + * any security configuration changes. + * @param hiveConf + * @return + * @throws HiveException + */ + public void applyAuthorizationPolicy() throws HiveException { + if(!isAuthorizationModeV2()){ + // auth v1 interface does not have this functionality + return; + } + + // avoid processing the same config multiple times, check marker + if (conf.get(CONFIG_AUTHZ_SETTINGS_APPLIED_MARKER, "").equals(Boolean.TRUE.toString())) { + return; + } + + authorizerV2.applyAuthorizationConfigPolicy(conf); + // set a marker that this conf has been processed. + conf.set(CONFIG_AUTHZ_SETTINGS_APPLIED_MARKER, Boolean.TRUE.toString()); + + } + } diff --git a/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestSessionUserName.java b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestSessionUserName.java index 41b1ba8..273c4b9 100644 --- a/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestSessionUserName.java +++ b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestSessionUserName.java @@ -24,6 +24,7 @@ import org.apache.hadoop.hive.ql.metadata.Hive; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessController; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerImpl; 
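Review bot: The Javadoc on `applyAuthorizationPolicy` documents `@param hiveConf` and `@return`, but the method takes no argument and returns void; both tags should be removed and `@throws HiveException` should say when it is thrown. The "already applied" state is kept as an ordinary key in the session conf, the same key space that session-level overrides write to. With the whitelist enabled `verifyAndSet` rejects that key, but whether it can already be present before the first call depends on ordering outside this hunk. Adding the key to the restricted list, `conf.addToRestrictList(CONFIG_AUTHZ_SETTINGS_APPLIED_MARKER)`, would remove that dependency.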
@@ -112,8 +113,9 @@ private HiveConf getAuthV2HiveConf() { public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, HiveAuthenticationProvider authenticator) { username = authenticator.getUserName(); - return new HiveAuthorizerImpl(null, null); + HiveAccessController acontroller = Mockito.mock(HiveAccessController.class); + return new HiveAuthorizerImpl(acontroller, null); } - } + } } diff --git a/ql/src/test/org/apache/hadoop/hive/ql/processors/TestCommandProcessorFactory.java b/ql/src/test/org/apache/hadoop/hive/ql/processors/TestCommandProcessorFactory.java index 9c89498..ac5053a 100644 --- a/ql/src/test/org/apache/hadoop/hive/ql/processors/TestCommandProcessorFactory.java +++ b/ql/src/test/org/apache/hadoop/hive/ql/processors/TestCommandProcessorFactory.java @@ -23,7 +23,6 @@ import junit.framework.Assert; import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.conf.HiveConf.ConfVars; import org.apache.hadoop.hive.ql.session.SessionState; import org.junit.Before; import org.junit.Test; @@ -55,7 +54,6 @@ public void testAvailableCommands() throws Exception { String cmd = command.name().toLowerCase(); Assert.assertNotNull("Cmd " + cmd + " not return null", CommandProcessorFactory.getForHiveCommand(new String[]{cmd}, conf)); } - conf.setBoolVar(ConfVars.HIVE_IN_TEST, false); conf.set(HiveConf.ConfVars.HIVE_SECURITY_COMMAND_WHITELIST.toString(), ""); for (HiveCommand command : HiveCommand.values()) { String cmd = command.name(); @@ -67,6 +65,5 @@ public void testAvailableCommands() throws Exception { Assert.assertEquals("42000", e.getSQLState()); } } - conf.setBoolVar(ConfVars.HIVE_IN_TEST, true); } } diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessController.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessController.java new file mode 100644 index 0000000..06f9258 --- /dev/null 
+++ b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessController.java 
@@ -0,0 +1,121 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.conf.HiveConf.ConfVars; +import org.apache.hadoop.hive.ql.security.HadoopDefaultAuthenticator; +import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.junit.Test; + +import com.google.common.base.Joiner; + +/** + * Test SQLStdHiveAccessController + */ +public class TestSQLStdHiveAccessController { + + /** + * Test if SQLStdHiveAccessController is applying configuration security + * policy on hiveconf correctly + * + * @throws HiveAuthzPluginException + */ + @Test + public void checkConfigProcessing() throws HiveAuthzPluginException { + HiveConf processedConf = new HiveConf(); + + SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null, + processedConf, new HadoopDefaultAuthenticator()); + 
accessController.applyAuthorizationConfigPolicy(processedConf); + + // check that unsafe commands have been disabled + assertEquals("only set command should be allowed", + processedConf.getVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST), "set"); + + // check that hook to disable transforms has been added + assertTrue("Check for transform query disabling hook", + processedConf.getVar(ConfVars.PREEXECHOOKS).contains(DisallowTransformHook.class.getName())); + + verifyParamSettability(SQLStdHiveAccessController.defaultModWhiteListSqlStdAuth, processedConf); + + } + + /** + * Verify that params in settableParams can be modified, and other random ones can't be modified + * @param settableParams + * @param processedConf + */ + private void verifyParamSettability(String [] settableParams, HiveConf processedConf) { + // verify that the whitlelist params can be set + for (String param : settableParams) { + try { + processedConf.verifyAndSet(param, "dummy"); + } catch (IllegalArgumentException e) { + fail("Unable to set value for parameter in whitelist " + param + " " + e); + } + } + + // verify that non whitelist params can't be set + assertConfModificationException(processedConf, "dummy.param"); + // does not make sense to have any of the metastore config variables to be + // modifiable + for (ConfVars metaVar : HiveConf.metaVars) { + assertConfModificationException(processedConf, metaVar.varname); + } + } + + /** + * Test that modifying HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST config works + * @throws HiveAuthzPluginException + */ + @Test + public void checkConfigProcessingCustomSetWhitelist() throws HiveAuthzPluginException { + + HiveConf processedConf = new HiveConf(); + // add custom value, including one from the default, one new one + String [] settableParams = {SQLStdHiveAccessController.defaultModWhiteListSqlStdAuth[0], "abcs.dummy.test.param"}; + processedConf.setVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST, + 
Joiner.on(",").join(settableParams)); + + + SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null, + processedConf, new HadoopDefaultAuthenticator()); + accessController.applyAuthorizationConfigPolicy(processedConf); + verifyParamSettability(settableParams, processedConf); + + + } + + + private void assertConfModificationException(HiveConf processedConf, String param) { + boolean caughtEx = false; + try { + processedConf.verifyAndSet(param, "dummy"); + } catch (IllegalArgumentException e) { + caughtEx = true; + } + assertTrue("Exception should be thrown while modifying the param " + param, caughtEx); + } + +} diff --git a/ql/src/test/queries/clientnegative/authorization_addjar.q b/ql/src/test/queries/clientnegative/authorization_addjar.q index 024d878..a1709da 100644 --- a/ql/src/test/queries/clientnegative/authorization_addjar.q +++ b/ql/src/test/queries/clientnegative/authorization_addjar.q @@ -1,3 +1,7 @@ set hive.security.authorization.enabled=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; + +-- running a sql query to initialize the authorization - not needed in real HS2 mode +show tables; + add jar ${system:maven.local.repository}/org/apache/hive/hcatalog/hive-hcatalog-core/${system:hive.version}/hive-hcatalog-core-${system:hive.version}.jar; diff --git a/ql/src/test/queries/clientnegative/authorization_addpartition.q b/ql/src/test/queries/clientnegative/authorization_addpartition.q index 41d96f0..8abdd2b 100644 --- a/ql/src/test/queries/clientnegative/authorization_addpartition.q +++ b/ql/src/test/queries/clientnegative/authorization_addpartition.q 
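Review bot: `assertConfModificationException` passes on any `IllegalArgumentException`, so the negative checks cannot tell a whitelist rejection from a restrict-list rejection; `HiveConf.verifyAndSet`, as changed earlier in this patch, throws the same type for both. Pinning the message in the catch block, e.g. `caughtEx = e.getMessage().contains("not in list of params that are allowed to be modified");`, would tie the test to the whitelist path. `checkConfigProcessingCustomSetWhitelist` also never checks that a default entry left out of the custom list is refused, so an implementation that merged the custom list into the defaults would still pass; `assertConfModificationException(processedConf, SQLStdHiveAccessController.defaultModWhiteListSqlStdAuth[1]);` would cover that, assuming the default array has a second entry. In `checkConfigProcessing` the `assertEquals` arguments are in (message, actual, expected) order, which only affects the failure message but is worth swapping.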
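Review bot: The added `show tables;` in authorization_addjar.q is there only to make the authorizer initialise before `add jar` runs, which suggests that in this test mode the command restrictions are not in force until the first query is compiled. The comment says this is not needed in real HS2 mode, but it does not say what happens without it; extending it to something like `-- without a prior query the authorizer is not yet initialised here and add jar is not checked` (if that is the case) would make the limitation explicit. The new authorization_dfs.q later in this patch uses the same workaround before `dfs -ls`.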
@@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_alter_db_owner.q b/ql/src/test/queries/clientnegative/authorization_alter_db_owner.q index 24e26ce..f716262 100644 --- a/ql/src/test/queries/clientnegative/authorization_alter_db_owner.q +++ b/ql/src/test/queries/clientnegative/authorization_alter_db_owner.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=user1; diff --git a/ql/src/test/queries/clientnegative/authorization_alter_db_owner_default.q b/ql/src/test/queries/clientnegative/authorization_alter_db_owner_default.q index b12125f..f904935 100644 --- a/ql/src/test/queries/clientnegative/authorization_alter_db_owner_default.q +++ b/ql/src/test/queries/clientnegative/authorization_alter_db_owner_default.q 
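Review bot: The negative tests no longer exercise the production `SQLStdHiveAuthorizerFactory`: this hunk and the other clientnegative authorization_*.q hunks that follow point them at `SQLStdHiveAuthorizerFactoryForTest`, whose definition is not in the visible part of the patch, so it is unclear which checks the test variant relaxes. After the swap, only authorization_addjar.q and the new authorization_dfs.q among the visible files still name the production factory, which narrows what these tests say about the shipped policy. Presumably the swap is needed because the scripts issue `set user.name=...` and similar commands that the new config whitelist would refuse; a class comment on the ForTest factory stating exactly which restrictions it lifts would make that explicit.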
@@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=user1; diff --git a/ql/src/test/queries/clientnegative/authorization_cannot_create_all_role.q b/ql/src/test/queries/clientnegative/authorization_cannot_create_all_role.q index 4422585..de91e91 100644 --- a/ql/src/test/queries/clientnegative/authorization_cannot_create_all_role.q +++ b/ql/src/test/queries/clientnegative/authorization_cannot_create_all_role.q @@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; set role ADMIN; diff --git a/ql/src/test/queries/clientnegative/authorization_cannot_create_default_role.q b/ql/src/test/queries/clientnegative/authorization_cannot_create_default_role.q index e07cf3d..42a42f6 100644 --- a/ql/src/test/queries/clientnegative/authorization_cannot_create_default_role.q +++ b/ql/src/test/queries/clientnegative/authorization_cannot_create_default_role.q 
@@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; set role ADMIN; diff --git a/ql/src/test/queries/clientnegative/authorization_cannot_create_none_role.q b/ql/src/test/queries/clientnegative/authorization_cannot_create_none_role.q index 4e68920..0d14cde 100644 --- a/ql/src/test/queries/clientnegative/authorization_cannot_create_none_role.q +++ b/ql/src/test/queries/clientnegative/authorization_cannot_create_none_role.q @@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; set role ADMIN; diff --git a/ql/src/test/queries/clientnegative/authorization_caseinsensitivity.q b/ql/src/test/queries/clientnegative/authorization_caseinsensitivity.q index d6db786..d5ea284 100644 --- a/ql/src/test/queries/clientnegative/authorization_caseinsensitivity.q +++ b/ql/src/test/queries/clientnegative/authorization_caseinsensitivity.q 
@@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; set role ADMIN; diff --git a/ql/src/test/queries/clientnegative/authorization_create_func1.q b/ql/src/test/queries/clientnegative/authorization_create_func1.q index 1a974ca..02bbe09 100644 --- a/ql/src/test/queries/clientnegative/authorization_create_func1.q +++ b/ql/src/test/queries/clientnegative/authorization_create_func1.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=hive_test_user; diff --git a/ql/src/test/queries/clientnegative/authorization_create_func2.q b/ql/src/test/queries/clientnegative/authorization_create_func2.q index 936bf2d..8760fa8 100644 --- a/ql/src/test/queries/clientnegative/authorization_create_func2.q +++ b/ql/src/test/queries/clientnegative/authorization_create_func2.q 
@@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=hive_test_user; diff --git a/ql/src/test/queries/clientnegative/authorization_create_macro1.q b/ql/src/test/queries/clientnegative/authorization_create_macro1.q index a8d1d3d..c904a10 100644 --- a/ql/src/test/queries/clientnegative/authorization_create_macro1.q +++ b/ql/src/test/queries/clientnegative/authorization_create_macro1.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=hive_test_user; diff --git a/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q b/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q index ff4294f..a84fe64 100644 --- a/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q +++ b/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q @@ -1,3 +1,3 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; -- this test will fail because hive_test_user is not in admin role. create role r1; 
diff --git a/ql/src/test/queries/clientnegative/authorization_createview.q b/ql/src/test/queries/clientnegative/authorization_createview.q index f7ee26f..9b1f2ea 100644 --- a/ql/src/test/queries/clientnegative/authorization_createview.q +++ b/ql/src/test/queries/clientnegative/authorization_createview.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_ctas.q b/ql/src/test/queries/clientnegative/authorization_ctas.q index 8507c42..1cf74a3 100644 --- a/ql/src/test/queries/clientnegative/authorization_ctas.q +++ b/ql/src/test/queries/clientnegative/authorization_ctas.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q b/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q index bb62a67..47663c9 100644 --- a/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q +++ b/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q 
@@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=user1; diff --git a/ql/src/test/queries/clientnegative/authorization_dfs.q b/ql/src/test/queries/clientnegative/authorization_dfs.q new file mode 100644 index 0000000..7d47a7b --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_dfs.q @@ -0,0 +1,7 @@ +set hive.security.authorization.enabled=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; + +-- running a sql query to initialize the authorization - not needed in real HS2 mode +show tables; +dfs -ls ${system:test.tmp.dir}/ + diff --git a/ql/src/test/queries/clientnegative/authorization_disallow_transform.q b/ql/src/test/queries/clientnegative/authorization_disallow_transform.q index da5f0c68..64b300c 100644 --- a/ql/src/test/queries/clientnegative/authorization_disallow_transform.q +++ b/ql/src/test/queries/clientnegative/authorization_disallow_transform.q @@ -1,3 +1,3 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set role ALL; SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM src; diff --git a/ql/src/test/queries/clientnegative/authorization_drop_db_cascade.q b/ql/src/test/queries/clientnegative/authorization_drop_db_cascade.q index ff7b572..edeae9b 100644 --- a/ql/src/test/queries/clientnegative/authorization_drop_db_cascade.q 
+++ b/ql/src/test/queries/clientnegative/authorization_drop_db_cascade.q @@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=user1; diff --git a/ql/src/test/queries/clientnegative/authorization_drop_db_empty.q b/ql/src/test/queries/clientnegative/authorization_drop_db_empty.q index e16b973..46d4d0f 100644 --- a/ql/src/test/queries/clientnegative/authorization_drop_db_empty.q +++ b/ql/src/test/queries/clientnegative/authorization_drop_db_empty.q @@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=user1; diff --git a/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q b/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q index f7263a2..a7aa17f 100644 --- a/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q +++ b/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q 
@@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; set role ADMIN; diff --git a/ql/src/test/queries/clientnegative/authorization_droppartition.q b/ql/src/test/queries/clientnegative/authorization_droppartition.q index a381bba..f05e945 100644 --- a/ql/src/test/queries/clientnegative/authorization_droppartition.q +++ b/ql/src/test/queries/clientnegative/authorization_droppartition.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_grant_table_allpriv.q b/ql/src/test/queries/clientnegative/authorization_grant_table_allpriv.q index 17d2b46..f3c86b9 100644 --- a/ql/src/test/queries/clientnegative/authorization_grant_table_allpriv.q +++ b/ql/src/test/queries/clientnegative/authorization_grant_table_allpriv.q 
@@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=user1; diff --git a/ql/src/test/queries/clientnegative/authorization_grant_table_dup.q b/ql/src/test/queries/clientnegative/authorization_grant_table_dup.q index 8025660..7808cb3 100644 --- a/ql/src/test/queries/clientnegative/authorization_grant_table_dup.q +++ b/ql/src/test/queries/clientnegative/authorization_grant_table_dup.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=user1; diff --git a/ql/src/test/queries/clientnegative/authorization_grant_table_fail1.q b/ql/src/test/queries/clientnegative/authorization_grant_table_fail1.q index 140f5b0..8dc8e45 100644 --- a/ql/src/test/queries/clientnegative/authorization_grant_table_fail1.q +++ b/ql/src/test/queries/clientnegative/authorization_grant_table_fail1.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=user1; 
diff --git a/ql/src/test/queries/clientnegative/authorization_grant_table_fail_nogrant.q b/ql/src/test/queries/clientnegative/authorization_grant_table_fail_nogrant.q index 8d20919..d51c1c3 100644 --- a/ql/src/test/queries/clientnegative/authorization_grant_table_fail_nogrant.q +++ b/ql/src/test/queries/clientnegative/authorization_grant_table_fail_nogrant.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=user1; diff --git a/ql/src/test/queries/clientnegative/authorization_insert_noinspriv.q b/ql/src/test/queries/clientnegative/authorization_insert_noinspriv.q index 14fd307..2fa3cb2 100644 --- a/ql/src/test/queries/clientnegative/authorization_insert_noinspriv.q +++ b/ql/src/test/queries/clientnegative/authorization_insert_noinspriv.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_insert_noselectpriv.q b/ql/src/test/queries/clientnegative/authorization_insert_noselectpriv.q index ee6dd20..b9bee4e 100644 --- a/ql/src/test/queries/clientnegative/authorization_insert_noselectpriv.q +++ b/ql/src/test/queries/clientnegative/authorization_insert_noselectpriv.q 
@@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_invalid_priv_v2.q b/ql/src/test/queries/clientnegative/authorization_invalid_priv_v2.q index be6a4e8..9c72408 100644 --- a/ql/src/test/queries/clientnegative/authorization_invalid_priv_v2.q +++ b/ql/src/test/queries/clientnegative/authorization_invalid_priv_v2.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; create table if not exists authorization_invalid_v2 (key int, value string); grant index on table authorization_invalid_v2 to user hive_test_user; diff --git a/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_rename.q b/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_rename.q index 3f7b7df..8a3300c 100644 --- a/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_rename.q +++ b/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_rename.q 
@@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=user1; diff --git a/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_serdeprop.q b/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_serdeprop.q index a06ac18..0172c4c 100644 --- a/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_serdeprop.q +++ b/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_serdeprop.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=user1; diff --git a/ql/src/test/queries/clientnegative/authorization_not_owner_drop_tab.q b/ql/src/test/queries/clientnegative/authorization_not_owner_drop_tab.q index 03eca67..2d0e52d 100644 --- a/ql/src/test/queries/clientnegative/authorization_not_owner_drop_tab.q +++ b/ql/src/test/queries/clientnegative/authorization_not_owner_drop_tab.q 
@@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=user1; diff --git a/ql/src/test/queries/clientnegative/authorization_not_owner_drop_view.q b/ql/src/test/queries/clientnegative/authorization_not_owner_drop_view.q index d92cc55..76bbab4 100644 --- a/ql/src/test/queries/clientnegative/authorization_not_owner_drop_view.q +++ b/ql/src/test/queries/clientnegative/authorization_not_owner_drop_view.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=user1; diff --git a/ql/src/test/queries/clientnegative/authorization_priv_current_role_neg.q b/ql/src/test/queries/clientnegative/authorization_priv_current_role_neg.q index b8d5189..bbf3b66 100644 --- a/ql/src/test/queries/clientnegative/authorization_priv_current_role_neg.q +++ b/ql/src/test/queries/clientnegative/authorization_priv_current_role_neg.q 
@@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; set role ADMIN; diff --git a/ql/src/test/queries/clientnegative/authorization_revoke_table_fail1.q b/ql/src/test/queries/clientnegative/authorization_revoke_table_fail1.q index f2e3eab..e19bf37 100644 --- a/ql/src/test/queries/clientnegative/authorization_revoke_table_fail1.q +++ b/ql/src/test/queries/clientnegative/authorization_revoke_table_fail1.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=user1; diff --git a/ql/src/test/queries/clientnegative/authorization_revoke_table_fail2.q b/ql/src/test/queries/clientnegative/authorization_revoke_table_fail2.q index edb5b65..4b0cf32 100644 --- a/ql/src/test/queries/clientnegative/authorization_revoke_table_fail2.q +++ b/ql/src/test/queries/clientnegative/authorization_revoke_table_fail2.q 
@@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=user1; diff --git a/ql/src/test/queries/clientnegative/authorization_role_cycles1.q b/ql/src/test/queries/clientnegative/authorization_role_cycles1.q index dd39383..a819d20 100644 --- a/ql/src/test/queries/clientnegative/authorization_role_cycles1.q +++ b/ql/src/test/queries/clientnegative/authorization_role_cycles1.q @@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; set role ADMIN; diff --git a/ql/src/test/queries/clientnegative/authorization_role_cycles2.q b/ql/src/test/queries/clientnegative/authorization_role_cycles2.q index aebdce9..423f030 100644 --- a/ql/src/test/queries/clientnegative/authorization_role_cycles2.q +++ b/ql/src/test/queries/clientnegative/authorization_role_cycles2.q 
@@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; diff --git a/ql/src/test/queries/clientnegative/authorization_role_grant.q b/ql/src/test/queries/clientnegative/authorization_role_grant.q index 06c23ef..c5c500a 100644 --- a/ql/src/test/queries/clientnegative/authorization_role_grant.q +++ b/ql/src/test/queries/clientnegative/authorization_role_grant.q @@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; diff --git a/ql/src/test/queries/clientnegative/authorization_rolehierarchy_privs.q b/ql/src/test/queries/clientnegative/authorization_rolehierarchy_privs.q index 496141a..d9f4c7c 100644 --- a/ql/src/test/queries/clientnegative/authorization_rolehierarchy_privs.q +++ b/ql/src/test/queries/clientnegative/authorization_rolehierarchy_privs.q 
@@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_select.q b/ql/src/test/queries/clientnegative/authorization_select.q index 721de69..3987179 100644 --- a/ql/src/test/queries/clientnegative/authorization_select.q +++ b/ql/src/test/queries/clientnegative/authorization_select.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_select_view.q b/ql/src/test/queries/clientnegative/authorization_select_view.q index ac526e3..a4071cd 100644 --- a/ql/src/test/queries/clientnegative/authorization_select_view.q +++ b/ql/src/test/queries/clientnegative/authorization_select_view.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; 
diff --git a/ql/src/test/queries/clientnegative/authorization_set_role_neg1.q b/ql/src/test/queries/clientnegative/authorization_set_role_neg1.q index 482b8ea..9ba3a82 100644 --- a/ql/src/test/queries/clientnegative/authorization_set_role_neg1.q +++ b/ql/src/test/queries/clientnegative/authorization_set_role_neg1.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; -- an error should be thrown if 'set role ' is done for role that does not exist diff --git a/ql/src/test/queries/clientnegative/authorization_set_role_neg2.q b/ql/src/test/queries/clientnegative/authorization_set_role_neg2.q index 77fc8f4..03f748f 100644 --- a/ql/src/test/queries/clientnegative/authorization_set_role_neg2.q +++ b/ql/src/test/queries/clientnegative/authorization_set_role_neg2.q @@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; set role ADMIN; diff --git a/ql/src/test/queries/clientnegative/authorization_show_parts_nosel.q b/ql/src/test/queries/clientnegative/authorization_show_parts_nosel.q index e2514cc..d8190de 100644 --- a/ql/src/test/queries/clientnegative/authorization_show_parts_nosel.q +++ b/ql/src/test/queries/clientnegative/authorization_show_parts_nosel.q 
@@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=user1; diff --git a/ql/src/test/queries/clientnegative/authorization_show_role_principals_no_admin.q b/ql/src/test/queries/clientnegative/authorization_show_role_principals_no_admin.q index 34bbf87..2afe87f 100644 --- a/ql/src/test/queries/clientnegative/authorization_show_role_principals_no_admin.q +++ b/ql/src/test/queries/clientnegative/authorization_show_role_principals_no_admin.q @@ -1,3 +1,3 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; -- This test will fail because hive_test_user is not in admin role show principals role1; diff --git a/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q b/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q index c16d840..0fc9fca 100644 --- a/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q +++ b/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q @@ -1,3 +1,3 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; -- This test will fail because hive_test_user is not in admin role show roles; 
diff --git a/ql/src/test/queries/clientnegative/authorization_truncate.q b/ql/src/test/queries/clientnegative/authorization_truncate.q index e7ba559..285600b 100644 --- a/ql/src/test/queries/clientnegative/authorization_truncate.q +++ b/ql/src/test/queries/clientnegative/authorization_truncate.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_uri_add_partition.q b/ql/src/test/queries/clientnegative/authorization_uri_add_partition.q index 45a436f..d82ac71 100644 --- a/ql/src/test/queries/clientnegative/authorization_uri_add_partition.q +++ b/ql/src/test/queries/clientnegative/authorization_uri_add_partition.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_uri_alterpart_loc.q b/ql/src/test/queries/clientnegative/authorization_uri_alterpart_loc.q index 12e6e8c..d38ba74 100644 --- a/ql/src/test/queries/clientnegative/authorization_uri_alterpart_loc.q +++ b/ql/src/test/queries/clientnegative/authorization_uri_alterpart_loc.q 
@@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_uri_altertab_setloc.q b/ql/src/test/queries/clientnegative/authorization_uri_altertab_setloc.q index e5e6b9c..c446b86 100644 --- a/ql/src/test/queries/clientnegative/authorization_uri_altertab_setloc.q +++ b/ql/src/test/queries/clientnegative/authorization_uri_altertab_setloc.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_uri_create_table1.q b/ql/src/test/queries/clientnegative/authorization_uri_create_table1.q index 83c1086..c8e1fb4 100644 --- a/ql/src/test/queries/clientnegative/authorization_uri_create_table1.q +++ b/ql/src/test/queries/clientnegative/authorization_uri_create_table1.q 
@@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_uri_create_table_ext.q b/ql/src/test/queries/clientnegative/authorization_uri_create_table_ext.q index c4ae6f4..c8549b4 100644 --- a/ql/src/test/queries/clientnegative/authorization_uri_create_table_ext.q +++ b/ql/src/test/queries/clientnegative/authorization_uri_create_table_ext.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_uri_createdb.q b/ql/src/test/queries/clientnegative/authorization_uri_createdb.q index a278dc2..edfdf5a 100644 --- a/ql/src/test/queries/clientnegative/authorization_uri_createdb.q +++ b/ql/src/test/queries/clientnegative/authorization_uri_createdb.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; 
diff --git a/ql/src/test/queries/clientnegative/authorization_uri_index.q b/ql/src/test/queries/clientnegative/authorization_uri_index.q index db04d68..1a8f9cb 100644 --- a/ql/src/test/queries/clientnegative/authorization_uri_index.q +++ b/ql/src/test/queries/clientnegative/authorization_uri_index.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_uri_insert.q b/ql/src/test/queries/clientnegative/authorization_uri_insert.q index 53abe43..81b6e52 100644 --- a/ql/src/test/queries/clientnegative/authorization_uri_insert.q +++ b/ql/src/test/queries/clientnegative/authorization_uri_insert.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_uri_insert_local.q b/ql/src/test/queries/clientnegative/authorization_uri_insert_local.q index 1b7671d..0a2fd89 100644 --- a/ql/src/test/queries/clientnegative/authorization_uri_insert_local.q +++ b/ql/src/test/queries/clientnegative/authorization_uri_insert_local.q 
@@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_uri_load_data.q b/ql/src/test/queries/clientnegative/authorization_uri_load_data.q index 853f55d..6af41f0 100644 --- a/ql/src/test/queries/clientnegative/authorization_uri_load_data.q +++ b/ql/src/test/queries/clientnegative/authorization_uri_load_data.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorize_create_tbl.q b/ql/src/test/queries/clientnegative/authorize_create_tbl.q index 431fb88..d8beac3 100644 --- a/ql/src/test/queries/clientnegative/authorize_create_tbl.q +++ b/ql/src/test/queries/clientnegative/authorize_create_tbl.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; 
diff --git a/ql/src/test/queries/clientpositive/authorization_1_sql_std.q b/ql/src/test/queries/clientpositive/authorization_1_sql_std.q index 553b662..79ae17a 100644 --- a/ql/src/test/queries/clientpositive/authorization_1_sql_std.q +++ b/ql/src/test/queries/clientpositive/authorization_1_sql_std.q @@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; diff --git a/ql/src/test/queries/clientpositive/authorization_admin_almighty1.q b/ql/src/test/queries/clientpositive/authorization_admin_almighty1.q index ba7bd98..45c4a7d 100644 --- a/ql/src/test/queries/clientpositive/authorization_admin_almighty1.q +++ b/ql/src/test/queries/clientpositive/authorization_admin_almighty1.q @@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_test_user; diff --git a/ql/src/test/queries/clientpositive/authorization_create_func1.q b/ql/src/test/queries/clientpositive/authorization_create_func1.q index 47ec439..65a7b33 100644 --- a/ql/src/test/queries/clientpositive/authorization_create_func1.q +++ b/ql/src/test/queries/clientpositive/authorization_create_func1.q 
@@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=hive_admin_user; diff --git a/ql/src/test/queries/clientpositive/authorization_create_macro1.q b/ql/src/test/queries/clientpositive/authorization_create_macro1.q index e1fd0fa..fb60500 100644 --- a/ql/src/test/queries/clientpositive/authorization_create_macro1.q +++ b/ql/src/test/queries/clientpositive/authorization_create_macro1.q @@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=hive_admin_user; diff --git a/ql/src/test/queries/clientpositive/authorization_create_table_owner_privs.q b/ql/src/test/queries/clientpositive/authorization_create_table_owner_privs.q index 4dde2b0..17f4861 100644 --- a/ql/src/test/queries/clientpositive/authorization_create_table_owner_privs.q +++ b/ql/src/test/queries/clientpositive/authorization_create_table_owner_privs.q 
@@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=user1; diff --git a/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q b/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q index c18f5b4..02d364e 100644 --- a/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q +++ b/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=user1; diff --git a/ql/src/test/queries/clientpositive/authorization_owner_actions.q b/ql/src/test/queries/clientpositive/authorization_owner_actions.q index 9f322af..85d8b11 100644 --- a/ql/src/test/queries/clientpositive/authorization_owner_actions.q +++ b/ql/src/test/queries/clientpositive/authorization_owner_actions.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=user1; 
diff --git a/ql/src/test/queries/clientpositive/authorization_owner_actions_db.q b/ql/src/test/queries/clientpositive/authorization_owner_actions_db.q index b87199d..36ab260 100644 --- a/ql/src/test/queries/clientpositive/authorization_owner_actions_db.q +++ b/ql/src/test/queries/clientpositive/authorization_owner_actions_db.q @@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=hive_admin_user; diff --git a/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q b/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q index 2e384d7..ccda3b5 100644 --- a/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q +++ b/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q @@ -1,4 +1,4 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=user1; diff --git a/ql/src/test/queries/clientpositive/authorization_role_grant1.q b/ql/src/test/queries/clientpositive/authorization_role_grant1.q index a1a9ef9..f89d0dc 100644 --- a/ql/src/test/queries/clientpositive/authorization_role_grant1.q +++ b/ql/src/test/queries/clientpositive/authorization_role_grant1.q 
@@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; diff --git a/ql/src/test/queries/clientpositive/authorization_role_grant2.q b/ql/src/test/queries/clientpositive/authorization_role_grant2.q index b3858c7..984d7ed 100644 --- a/ql/src/test/queries/clientpositive/authorization_role_grant2.q +++ b/ql/src/test/queries/clientpositive/authorization_role_grant2.q @@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.cli.print.header=true; diff --git a/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q b/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q index 016378d..6b5af6e 100644 --- a/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q +++ b/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q 
@@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; set role ADMIN; diff --git a/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q b/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q index fdbeed4..bd7bbfe 100644 --- a/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q +++ b/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q @@ -1,5 +1,5 @@ set hive.users.in.admin.role=hive_admin_user; -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; set user.name=user1; diff --git a/ql/src/test/results/clientnegative/authorization_addjar.q.out b/ql/src/test/results/clientnegative/authorization_addjar.q.out index 47be882..d206dca 100644 --- a/ql/src/test/results/clientnegative/authorization_addjar.q.out +++ b/ql/src/test/results/clientnegative/authorization_addjar.q.out 
@@ -1 +1,16 @@
+PREHOOK: query: -- running a sql query to initialize the authorization - not needed in real HS2 mode
+show tables
+PREHOOK: type: SHOWTABLES
+POSTHOOK: query: -- running a sql query to initialize the authorization - not needed in real HS2 mode
+show tables
+POSTHOOK: type: SHOWTABLES
+alltypesorc
+src
+src1
+src_json
+src_sequencefile
+src_thrift
+srcbucket
+srcbucket2
+srcpart
 Failed processing command add Insufficient privileges to execute add
diff --git a/ql/src/test/results/clientnegative/authorization_dfs.q.out b/ql/src/test/results/clientnegative/authorization_dfs.q.out
new file mode 100644
index 0000000..d685e78
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_dfs.q.out
@@ -0,0 +1,16 @@
+PREHOOK: query: -- running a sql query to initialize the authorization - not needed in real HS2 mode
+show tables
+PREHOOK: type: SHOWTABLES
+POSTHOOK: query: -- running a sql query to initialize the authorization - not needed in real HS2 mode
+show tables
+POSTHOOK: type: SHOWTABLES
+alltypesorc
+src
+src1
+src_json
+src_sequencefile
+src_thrift
+srcbucket
+srcbucket2
+srcpart
+Failed processing command dfs Insufficient privileges to execute dfs
diff --git a/service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java b/service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java
index f730119..a9d5902 100644
--- a/service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java
+++ b/service/src/java/org/apache/hive/service/cli/session/HiveSessionImpl.java
@@ -91,7 +91,7 @@ public HiveSessionImpl(TProtocolVersion protocol, String username, String passwo
 //set conf properties specified by user from client side
 if (sessionConfMap != null) {
 for (Map.Entry entry : sessionConfMap.entrySet()) {
- hiveConf.set(entry.getKey(), entry.getValue());
+ hiveConf.verifyAndSet(entry.getKey(), entry.getValue());
 }
 }
 // set an explicit session name to control the download directory name
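Review bot: `hiveConf.verifyAndSet(entry.getKey(), entry.getValue())` throws an unchecked `IllegalArgumentException` for a key that is restricted or not whitelisted, and nothing in this loop catches it, so one rejected client-supplied key aborts the `HiveSessionImpl` constructor. That fail-closed behaviour looks intended but is not stated; I would add `// client-supplied overrides pass the restrict list / whitelist check; a rejected key fails session creation` above the loop, and confirm that the caller reports the refused key to the client as a `HiveSQLException` rather than a raw runtime error. The check only protects anything if this session's `hiveConf` carries the whitelist state set up in `SessionManager.init`; how `hiveConf` is built is outside the hunk, so that needs confirming. The constructor starts and ends outside the hunk.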
diff --git a/service/src/java/org/apache/hive/service/cli/session/SessionManager.java b/service/src/java/org/apache/hive/service/cli/session/SessionManager.java index d7d3126..05e742c 100644 --- a/service/src/java/org/apache/hive/service/cli/session/SessionManager.java +++ b/service/src/java/org/apache/hive/service/cli/session/SessionManager.java @@ -31,6 +31,8 @@ import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.conf.HiveConf.ConfVars; import org.apache.hadoop.hive.ql.hooks.HookUtils; +import org.apache.hadoop.hive.ql.metadata.HiveException; +import org.apache.hadoop.hive.ql.session.SessionState; import org.apache.hive.service.CompositeService; import org.apache.hive.service.auth.TSetIpAddressProcessor; import org.apache.hive.service.cli.HiveSQLException; @@ -57,6 +59,12 @@ public SessionManager() { @Override public synchronized void init(HiveConf hiveConf) { + try { + applyAuthorizationConfigPolicy(hiveConf); + } catch (HiveException e) { + throw new RuntimeException("Error applying authorization policy on hive configuration", e); + } + this.hiveConf = hiveConf; int backgroundPoolSize = hiveConf.getIntVar(ConfVars.HIVE_SERVER2_ASYNC_EXEC_THREADS); LOG.info("HiveServer2: Async execution thread pool size: " + backgroundPoolSize); @@ -74,6 +82,13 @@ public synchronized void init(HiveConf hiveConf) { super.init(hiveConf); } + private void applyAuthorizationConfigPolicy(HiveConf newHiveConf) throws HiveException { + // authorization setup using SessionState should be revisited eventually, as + // authorization and authentication are not session specific settings + SessionState ss = SessionState.start(newHiveConf); + ss.applyAuthorizationPolicy(); + } + @Override public synchronized void start() { super.start();
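Review bot: The new `try` block in `init` rethrows `HiveException` as a `RuntimeException`, so a failure to apply the authorization policy stops service initialization, but the reason for failing hard is not recorded. That is the safe direction for a security control and worth protecting from a later "log and continue" cleanup. I would add `// fail startup rather than accept sessions without the authorization config policy applied` above the `try`. The body of `init` continues outside the hunk.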
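Review bot: `applyAuthorizationConfigPolicy` keeps the `SessionState` returned by `SessionState.start(newHiveConf)` only in the local `ss` and never releases it, so whatever that session allocates outlives the call. The same goes for any thread-local binding `start` makes, presumably on the thread running `init`. If only the effect on `newHiveConf` is wanted, the method should say so, for example `/** Applies the authorizer's config policy to newHiveConf via a throwaway SessionState. */`. It should also release the session afterwards, e.g. `ss.close()` in a `finally`, provided closing does not undo the policy. The existing comment already flags the session-based setup as provisional; a tracking issue reference there would keep it from being forgotten.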