diff --git a/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java b/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java index 5fc4af4..487d292 100644 --- a/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java +++ b/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java @@ -42,7 +42,6 @@ import java.util.Properties; import java.util.Set; import java.util.Timer; -import java.util.concurrent.atomic.AtomicBoolean; import java.util.concurrent.locks.Condition; import java.util.concurrent.locks.Lock; import java.util.concurrent.locks.ReentrantLock; @@ -3999,8 +3998,6 @@ private boolean isNewRoleAParent(String newRole, String curRole) throws MetaExce result.add(role); } } - // all users by default belongs to public role - result.add(new Role(PUBLIC,0,PUBLIC)); return result; } catch (MetaException e) { throw e; @@ -4909,9 +4906,6 @@ public GetRoleGrantsForPrincipalResponse get_role_grants_for_principal( } List roleGrantsList = getRolePrincipalGrants(roleMaps); - // all users by default belongs to public role - roleGrantsList.add(new RolePrincipalGrant(PUBLIC, request.getPrincipal_name(), request - .getPrincipal_type(), false, 0, null, null)); return new GetRoleGrantsForPrincipalResponse(roleGrantsList); } @@ -4931,7 +4925,9 @@ public GetRoleGrantsForPrincipalResponse get_role_grants_for_principal( roleMap.getGrantOption(), roleMap.getAddTime(), roleMap.getGrantor(), - PrincipalType.valueOf(roleMap.getGrantorType()) + // no grantor type for public role, hence the null check + roleMap.getGrantorType() == null ? null + : PrincipalType.valueOf(roleMap.getGrantorType()) ); rolePrinGrantList.add(rolePrinGrant); } diff --git a/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java b/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java index 3ea87a0..4b4f4f2 100644 --- a/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java 
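Review bot: With `result.add(new Role(PUBLIC,0,PUBLIC))` removed, `list_roles` reports PUBLIC membership only if the RawStore behind `getMS()` synthesizes it, which this commit does only in ObjectStore, so any other RawStore implementation will silently stop reporting the membership that the added authorization test depends on; the same applies to the block removed from `get_role_grants_for_principal` in the next hunk. Since the Thrift handler is the one place every backend passes through, either keep the implicit membership here or state it as part of the `RawStore.listRoles` contract so implementers know it is required. A comment at the removal point would keep the next reader from re-adding it: `// PUBLIC membership for USER principals is supplied by RawStore.listRoles(); do not add it here.` The enclosing method starts and ends outside the hunk.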
+++ b/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java @@ -3235,7 +3235,20 @@ private void getAllRoleAncestors(Set processedRoleNames, List rollbackTransaction(); } } + + if (principalType == PrincipalType.USER) { + // All users belong to public role implicitly, add that role + if (mRoleMember == null) { + mRoleMember = new ArrayList(); + } else { + mRoleMember = new ArrayList(mRoleMember); + } + MRole publicRole = new MRole(HiveMetaStore.PUBLIC, 0, HiveMetaStore.PUBLIC); + mRoleMember.add(new MRoleMap(principalName, principalType.toString(), publicRole, 0, + null, null, false)); + } return mRoleMember; + } @SuppressWarnings("unchecked") diff --git a/ql/src/test/queries/clientpositive/authorization_grant_public_role.q b/ql/src/test/queries/clientpositive/authorization_grant_public_role.q new file mode 100644 index 0000000..8473178 --- /dev/null +++ b/ql/src/test/queries/clientpositive/authorization_grant_public_role.q @@ -0,0 +1,18 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; + +set user.name=user1; +-- current user has been set (comment line before the set cmd is resulting in parse error!!) + +CREATE TABLE t_gpr1(i int); + +-- all privileges should have been set for user + +GRANT ALL ON t_gpr1 TO ROLE public; + +SHOW GRANT ON TABLE t_gpr1; + +set user.name=user2; +SHOW CURRENT ROLES; +-- user2 should be able to do a describe table, as pubic is in the current roles +DESC t_gpr1; diff --git a/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out b/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out new file mode 100644 index 0000000..a0a45f7 --- /dev/null +++ b/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out 
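Review bot: The synthetic PUBLIC `MRoleMap` is appended regardless of whether the surrounding transaction committed — the rollback path is visible at the top of the hunk — so a failed membership lookup for a USER may come back as a one-element list rather than null or empty, and callers cannot tell "no explicit roles" from "lookup failed"; guard the append on the commit having succeeded, or let the failure propagate. The membership is also now USER-only, whereas the removed HiveMetaStore code added PUBLIC for whatever principal type was requested; if narrowing to users is intended, say so in the comment: `// Only USER principals implicitly belong to PUBLIC; groups and roles must be granted explicitly.` The added `MRole`/`MRoleMap` are transient objects mixed into a list that otherwise holds persistent ones, so any caller that hands `listRoles()` results back to the persistence manager (for example to revoke memberships) should presumably skip the PUBLIC entry — worth confirming against the callers. Referencing `HiveMetaStore.PUBLIC` also makes the store depend on the server class; the constant belongs in a shared location. The enclosing method starts outside the hunk.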
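Review bot: The test covers only the positive path — user2 can `DESC t_gpr1` once ALL is granted to public — and never checks that the implicit membership cannot outlive a revocation, which is the case that matters most for a role nobody is explicitly granted. Adding `REVOKE ALL ON t_gpr1 FROM ROLE public;` followed by `SHOW GRANT ON TABLE t_gpr1;` would pin that down here, with the expected failing `DESC` under user2 placed in a clientnegative test. The comment before `DESC t_gpr1` misspells public as `pubic`, and the same text is baked into the golden output.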
@@ -0,0 +1,48 @@ +PREHOOK: query: -- current user has been set (comment line before the set cmd is resulting in parse error!!) + +CREATE TABLE t_gpr1(i int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +POSTHOOK: query: -- current user has been set (comment line before the set cmd is resulting in parse error!!) + +CREATE TABLE t_gpr1(i int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@t_gpr1 +PREHOOK: query: -- all privileges should have been set for user + +GRANT ALL ON t_gpr1 TO ROLE public +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@t_gpr1 +POSTHOOK: query: -- all privileges should have been set for user + +GRANT ALL ON t_gpr1 TO ROLE public +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@t_gpr1 +PREHOOK: query: SHOW GRANT ON TABLE t_gpr1 +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: SHOW GRANT ON TABLE t_gpr1 +POSTHOOK: type: SHOW_GRANT +default t_gpr1 public ROLE DELETE false -1 user1 +default t_gpr1 public ROLE INSERT false -1 user1 +default t_gpr1 public ROLE SELECT false -1 user1 +default t_gpr1 public ROLE UPDATE false -1 user1 +default t_gpr1 user1 USER DELETE true -1 user1 +default t_gpr1 user1 USER INSERT true -1 user1 +default t_gpr1 user1 USER SELECT true -1 user1 +default t_gpr1 user1 USER UPDATE true -1 user1 +PREHOOK: query: SHOW CURRENT ROLES +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: SHOW CURRENT ROLES +POSTHOOK: type: SHOW_ROLES +public + +PREHOOK: query: -- user2 should be able to do a describe table, as pubic is in the current roles +DESC t_gpr1 +PREHOOK: type: DESCTABLE +PREHOOK: Input: default@t_gpr1 +POSTHOOK: query: -- user2 should be able to do a describe table, as pubic is in the current roles +DESC t_gpr1 +POSTHOOK: type: DESCTABLE +POSTHOOK: Input: default@t_gpr1 +i int