diff --git metastore/src/java/org/apache/hadoop/hive/metastore/Warehouse.java metastore/src/java/org/apache/hadoop/hive/metastore/Warehouse.java index 6d9b559..79bfb70 100755 --- metastore/src/java/org/apache/hadoop/hive/metastore/Warehouse.java +++ metastore/src/java/org/apache/hadoop/hive/metastore/Warehouse.java @@ -557,4 +557,17 @@ public static String makePartName(List partCols, return values; } + public static List getPartValuesFromPartSpec(Map partSpec) { + List values = new ArrayList(); + values.addAll(partSpec.values()); + return values; + } + + public static Map makeSpecFromVals(List partCols, List vals) { + Map spec = new LinkedHashMap(); + for (int i = 0; i < vals.size(); i++) { + spec.put(partCols.get(i).getName(), vals.get(i)); + } + return spec; + } } diff --git ql/src/java/org/apache/hadoop/hive/ql/ErrorMsg.java ql/src/java/org/apache/hadoop/hive/ql/ErrorMsg.java index bc18ef5..5be2e92 100644 --- ql/src/java/org/apache/hadoop/hive/ql/ErrorMsg.java +++ ql/src/java/org/apache/hadoop/hive/ql/ErrorMsg.java 
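Review bot: `getPartValuesFromPartSpec` returns the values in the map's iteration order, which matches partition-key order only when the caller passes an insertion-ordered map. Elsewhere in this commit the result becomes the partition part of a privilege object, so an unordered map could end up naming a different partition than the statement intended. I would state the requirement in Javadoc, e.g. `@param partSpec partition spec whose iteration order follows the table's partition keys (such as a LinkedHashMap)`. In `makeSpecFromVals` the loop is bounded by `vals.size()` but indexes `partCols.get(i)`, so more values than columns ends in an IndexOutOfBoundsException; if a shorter `vals` is the only mismatch meant to be accepted, `if (vals.size() > partCols.size()) throw new IllegalArgumentException("more values than partition columns");` makes that explicit.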
@@ -377,10 +377,14 @@ INVALID_DIR(10252, "{0} is not a directory", true), NO_VALID_LOCATIONS(10253, "Could not find any valid location to place the jars. " + "Please update hive.jar.directory or hive.user.install.directory with a valid location", false), - UNNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP(10254, + UNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP(10254, "Principal type GROUP is not supported in this authorization setting", "28000"), INVALID_TABLE_NAME(10255, "Invalid table name {0}", true), INSERT_INTO_IMMUTABLE_TABLE(10256, "Inserting into a non-empty immutable table is not allowed"), + UNSUPPORTED_AUTHORIZATION_RESOURCE_TYPE_GLOBAL(10257, + "Resource type GLOBAL is not supported in this authorization setting", "28000"), + UNSUPPORTED_AUTHORIZATION_RESOURCE_TYPE_COLUMN(10258, + "Resource type COLUMN is not supported in this authorization setting", "28000"), TXNMGR_NOT_SPECIFIED(10260, "Transaction manager not specified correctly, " + "set hive.txn.manager"), diff --git ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java index ca51e71..8f6221c 100644 --- ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java +++ ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java @@ -38,13 +38,11 @@ import java.util.Iterator; import java.util.List; import java.util.Map; -import java.util.Properties; import java.util.Map.Entry; import java.util.Set; import java.util.SortedSet; import java.util.TreeSet; -import org.apache.commons.lang.ArrayUtils; import org.apache.commons.lang.StringEscapeUtils; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; 
@@ -65,17 +63,12 @@ import org.apache.hadoop.hive.metastore.api.Database; import org.apache.hadoop.hive.metastore.api.FieldSchema; import org.apache.hadoop.hive.metastore.api.GetOpenTxnsInfoResponse; -import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege; -import org.apache.hadoop.hive.metastore.api.HiveObjectRef; -import org.apache.hadoop.hive.metastore.api.HiveObjectType; import org.apache.hadoop.hive.metastore.api.Index; import org.apache.hadoop.hive.metastore.api.InvalidOperationException; import org.apache.hadoop.hive.metastore.api.MetaException; import org.apache.hadoop.hive.metastore.api.NoSuchObjectException; import org.apache.hadoop.hive.metastore.api.Order; import org.apache.hadoop.hive.metastore.api.PrincipalType; -import org.apache.hadoop.hive.metastore.api.PrivilegeBag; -import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo; import org.apache.hadoop.hive.metastore.api.RolePrincipalGrant; import org.apache.hadoop.hive.metastore.api.SerDeInfo; import org.apache.hadoop.hive.metastore.api.ShowCompactResponse; @@ -116,7 +109,6 @@ import org.apache.hadoop.hive.ql.metadata.formatting.MetaDataFormatter; import org.apache.hadoop.hive.ql.parse.AlterTablePartMergeFilesDesc; import org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer; -import org.apache.hadoop.hive.ql.parse.SemanticException; import org.apache.hadoop.hive.ql.plan.AddPartitionDesc; import org.apache.hadoop.hive.ql.plan.AlterDatabaseDesc; import org.apache.hadoop.hive.ql.plan.AlterIndexDesc; 
@@ -167,15 +159,13 @@ import org.apache.hadoop.hive.ql.plan.UnlockTableDesc; import org.apache.hadoop.hive.ql.plan.api.StageType; import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils; -import org.apache.hadoop.hive.ql.security.authorization.Privilege; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveV1Authorizer; import org.apache.hadoop.hive.ql.session.SessionState; import org.apache.hadoop.hive.serde.serdeConstants; import org.apache.hadoop.hive.serde2.Deserializer; 
@@ -523,44 +513,25 @@ private int mergeFiles(Hive db, AlterTablePartMergeFilesDesc mergeFilesDesc) return ret; } - private int grantOrRevokeRole(GrantRevokeRoleDDL grantOrRevokeRoleDDL) - throws HiveException { - try { - boolean grantRole = grantOrRevokeRoleDDL.getGrant(); - List principals = grantOrRevokeRoleDDL.getPrincipalDesc(); - List roles = grantOrRevokeRoleDDL.getRoles(); - - if(SessionState.get().isAuthorizationModeV2()){ - return grantOrRevokeRoleV2(grantOrRevokeRoleDDL); - } - - for (PrincipalDesc principal : principals) { - String userName = principal.getName(); - for (String roleName : roles) { - if (grantRole) { - db.grantRole(roleName, userName, principal.getType(), - grantOrRevokeRoleDDL.getGrantor(), grantOrRevokeRoleDDL - .getGrantorType(), grantOrRevokeRoleDDL.isGrantOption()); - } else { - db.revokeRole(roleName, userName, principal.getType()); - } - } - } - } catch (Exception e) { - throw new HiveException(e); + private HiveAuthorizer getSessionAuthorizer() { + HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); + if (authorizer == null) { + authorizer = new HiveV1Authorizer(conf, db); } - return 0; + return authorizer; } - private int grantOrRevokeRoleV2(GrantRevokeRoleDDL grantOrRevokeRoleDDL) throws HiveException { - HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); + private int grantOrRevokeRole(GrantRevokeRoleDDL grantOrRevokeRoleDDL) + throws HiveException { + HiveAuthorizer authorizer = getSessionAuthorizer(); //convert to the types needed for plugin api HivePrincipal grantorPrinc = null; if(grantOrRevokeRoleDDL.getGrantor() != null){ grantorPrinc = new HivePrincipal(grantOrRevokeRoleDDL.getGrantor(), - getHivePrincipalType(grantOrRevokeRoleDDL.getGrantorType())); + AuthorizationUtils.getHivePrincipalType(grantOrRevokeRoleDDL.getGrantorType())); } - List hivePrincipals = getHivePrincipals(grantOrRevokeRoleDDL.getPrincipalDesc()); + List hivePrincipals = + 
AuthorizationUtils.getHivePrincipals(grantOrRevokeRoleDDL.getPrincipalDesc()); List roles = grantOrRevokeRoleDDL.getRoles(); if(grantOrRevokeRoleDDL.getGrant()){ 
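Review bot: `getSessionAuthorizer()` treats a null result from `getAuthorizerV2()` as "this session is in V1 mode", where the removed code asked `SessionState.get().isAuthorizationModeV2()` explicitly. SessionState is not shown here, but if a V2 session can ever return null from that getter, GRANT/REVOKE would be executed with `HiveV1Authorizer` semantics instead of failing. I would keep the mode check and fall back only when the mode is not V2, throwing a HiveException otherwise (the helper would then need `throws HiveException`, which all of its callers already declare). A one-line comment on the fallback, `// legacy (V1) mode has no plugin authorizer; wrap the metastore-backed implementation`, would also help; the body of `grantOrRevokeRole` continues past this hunk.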
@@ -576,125 +547,13 @@ private int grantOrRevokeRoleV2(GrantRevokeRoleDDL grantOrRevokeRoleDDL) throws private int showGrants(ShowGrantDesc showGrantDesc) throws HiveException { - if(SessionState.get().isAuthorizationModeV2()){ - return showGrantsV2(showGrantDesc); - } - - PrincipalDesc principalDesc = showGrantDesc.getPrincipalDesc(); - PrivilegeObjectDesc hiveObjectDesc = showGrantDesc.getHiveObj(); - String principalName = principalDesc == null ? null : principalDesc.getName(); - PrincipalType type = principalDesc == null ? null : principalDesc.getType(); - List privs = new ArrayList(); - try { - if (hiveObjectDesc == null) { - privs.addAll(db.showPrivilegeGrant(HiveObjectType.GLOBAL, principalName, type, - null, null, null, null)); - } else if (hiveObjectDesc != null && hiveObjectDesc.getObject() == null) { - privs.addAll(db.showPrivilegeGrant(null, principalName, type, null, null, null, null)); - } else { - String obj = hiveObjectDesc.getObject(); - boolean notFound = true; - String dbName = null; - String tableName = null; - Table tableObj = null; - Database dbObj = null; - - if (hiveObjectDesc.getTable()) { - String[] dbTab = obj.split("\\."); - if (dbTab.length == 2) { - dbName = dbTab[0]; - tableName = dbTab[1]; - } else { - dbName = SessionState.get().getCurrentDatabase(); - tableName = obj; - } - dbObj = db.getDatabase(dbName); - tableObj = db.getTable(dbName, tableName); - notFound = (dbObj == null || tableObj == null); - } else { - dbName = hiveObjectDesc.getObject(); - dbObj = db.getDatabase(dbName); - notFound = (dbObj == null); - } - if (notFound) { - throw new HiveException(obj + " can not be found"); - } - - String partName = null; - List partValues = null; - if (hiveObjectDesc.getPartSpec() != null) { - partName = Warehouse - .makePartName(hiveObjectDesc.getPartSpec(), false); - partValues = Warehouse.getPartValuesFromPartName(partName); - } - - if (!hiveObjectDesc.getTable()) { - // show database level privileges - 
privs.addAll(db.showPrivilegeGrant(HiveObjectType.DATABASE, - principalName, type, dbName, null, null, null)); - } else { - if (showGrantDesc.getColumns() != null) { - // show column level privileges - for (String columnName : showGrantDesc.getColumns()) { - privs.addAll(db.showPrivilegeGrant( - HiveObjectType.COLUMN, principalName, - type, dbName, tableName, partValues, - columnName)); - } - } else if (hiveObjectDesc.getPartSpec() != null) { - // show partition level privileges - privs.addAll(db.showPrivilegeGrant( - HiveObjectType.PARTITION, principalName, type, - dbName, tableName, partValues, null)); - } else { - // show table level privileges - privs.addAll(db.showPrivilegeGrant( - HiveObjectType.TABLE, principalName, type, - dbName, tableName, null, null)); - } - } - } - boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); - writeToFile(writeGrantInfo(privs, testMode), showGrantDesc.getResFile()); - } catch (FileNotFoundException e) { - LOG.info("show table status: " + stringifyException(e)); - return 1; - } catch (IOException e) { - LOG.info("show table status: " + stringifyException(e)); - return 1; - } catch (Exception e) { - e.printStackTrace(); - throw new HiveException(e); - } - return 0; - } - - private int showGrantsV2(ShowGrantDesc showGrantDesc) throws HiveException { - HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); + HiveAuthorizer authorizer = getSessionAuthorizer(); try { List privInfos = authorizer.showPrivileges( - getHivePrincipal(showGrantDesc.getPrincipalDesc()), - getHivePrivilegeObject(showGrantDesc.getHiveObj()) - ); - List privList = new ArrayList(); - for(HivePrivilegeInfo privInfo : privInfos){ - HivePrincipal principal = privInfo.getPrincipal(); - HivePrivilegeObject privObj = privInfo.getObject(); - HivePrivilege priv = privInfo.getPrivilege(); - - PrivilegeGrantInfo grantInfo = - AuthorizationUtils.getThriftPrivilegeGrantInfo(priv, privInfo.getGrantorPrincipal(), - privInfo.isGrantOption(), 
privInfo.getGrantTime()); - - //only grantInfo is used - HiveObjectPrivilege thriftObjectPriv = new HiveObjectPrivilege(new HiveObjectRef( - AuthorizationUtils.getThriftHiveObjType(privObj.getType()),privObj.getDbname(), - privObj.getTableViewURI(),null,null), principal.getName(), - AuthorizationUtils.getThriftPrincipalType(principal.getType()), grantInfo); - privList.add(thriftObjectPriv); - } + AuthorizationUtils.getHivePrincipal(showGrantDesc.getPrincipalDesc()), + AuthorizationUtils.getHivePrivilegeObject(showGrantDesc.getHiveObj(), showGrantDesc.getColumns())); boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); - writeToFile(writeGrantInfo(privList, testMode), showGrantDesc.getResFile()); + writeToFile(writeGrantInfo(privInfos, testMode), showGrantDesc.getResFile()); } catch (IOException e) { throw new HiveException("Error in show grant statement", e); } 
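Review bot: The validation that lived in the deleted V1 branch is gone from `showGrants` with no replacement visible in this diff: the old code looked up the database and table and threw `obj + " can not be found"` before querying grants. The same applies to the `grantOrRevokePrivileges` hunk below, which drops the "No privilege found." guard, the "Grant does not support partition level." rejection and the `priv.supportColumnLevel()` check. `HiveV1Authorizer` is not part of this page, so it may re-implement them, but that should be confirmed, ideally with a test per rejected case, because these checks decide which GRANT statements are refused. If they did move, a comment here such as `// object existence and privilege-scope checks are performed by the authorizer implementation` would keep the next reader from re-adding them.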
@@ -706,155 +565,15 @@ private int grantOrRevokePrivileges(List principals, String grantor, PrincipalType grantorType, boolean grantOption, boolean isGrant) throws HiveException { - if(SessionState.get().isAuthorizationModeV2()){ - return grantOrRevokePrivilegesV2(principals, privileges, privSubjectDesc, grantor, - grantorType, grantOption, isGrant); - } - - if (privileges == null || privileges.size() == 0) { - console.printError("No privilege found."); - return 1; - } - - String dbName = null; - String tableName = null; - Table tableObj = null; - Database dbObj = null; - - try { - - if (privSubjectDesc != null) { - if (privSubjectDesc.getPartSpec() != null && isGrant) { - throw new HiveException("Grant does not support partition level."); - } - String obj = privSubjectDesc.getObject(); - - //get the db, table objects - if (privSubjectDesc.getTable()) { - String[] dbTable = Utilities.getDbTableName(obj); - dbName = dbTable[0]; - tableName = dbTable[1]; - - dbObj = db.getDatabase(dbName); - if (dbObj == null) { - throwNotFound("Database", dbName); - } - tableObj = db.getTable(dbName, tableName); - if (tableObj == null) { - throwNotFound("Table", obj); - } - } else { - dbName = privSubjectDesc.getObject(); - dbObj = db.getDatabase(dbName); - if (dbObj == null) { - throwNotFound("Database", dbName); - } - } - } - - PrivilegeBag privBag = new PrivilegeBag(); - if (privSubjectDesc == null) { - for (int idx = 0; idx < privileges.size(); idx++) { - Privilege priv = privileges.get(idx).getPrivilege(); - if (privileges.get(idx).getColumns() != null - && privileges.get(idx).getColumns().size() > 0) { - throw new HiveException( - "For user-level privileges, column sets should be null. 
columns=" - + privileges.get(idx).getColumns().toString()); - } - - privBag.addToPrivileges(new HiveObjectPrivilege(new HiveObjectRef( - HiveObjectType.GLOBAL, null, null, null, null), null, null, - new PrivilegeGrantInfo(priv.toString(), 0, grantor, grantorType, - grantOption))); - } - } else { - org.apache.hadoop.hive.metastore.api.Partition partObj = null; - List partValues = null; - if (tableObj != null) { - if ((!tableObj.isPartitioned()) - && privSubjectDesc.getPartSpec() != null) { - throw new HiveException( - "Table is not partitioned, but partition name is present: partSpec=" - + privSubjectDesc.getPartSpec().toString()); - } - - if (privSubjectDesc.getPartSpec() != null) { - partObj = db.getPartition(tableObj, privSubjectDesc.getPartSpec(), - false).getTPartition(); - partValues = partObj.getValues(); - } - } - - for (PrivilegeDesc privDesc : privileges) { - List columns = privDesc.getColumns(); - Privilege priv = privDesc.getPrivilege(); - if (columns != null && columns.size() > 0) { - if (!priv.supportColumnLevel()) { - throw new HiveException(priv.toString() - + " does not support column level."); - } - if (privSubjectDesc == null || tableName == null) { - throw new HiveException( - "For user-level/database-level privileges, column sets should be null. 
columns=" - + columns); - } - for (int i = 0; i < columns.size(); i++) { - privBag.addToPrivileges(new HiveObjectPrivilege( - new HiveObjectRef(HiveObjectType.COLUMN, dbName, tableName, - partValues, columns.get(i)), null, null, new PrivilegeGrantInfo(priv.toString(), 0, grantor, grantorType, grantOption))); - } - } else { - if (privSubjectDesc.getTable()) { - if (privSubjectDesc.getPartSpec() != null) { - privBag.addToPrivileges(new HiveObjectPrivilege( - new HiveObjectRef(HiveObjectType.PARTITION, dbName, - tableName, partValues, null), null, null, new PrivilegeGrantInfo(priv.toString(), 0, grantor, grantorType, grantOption))); - } else { - privBag - .addToPrivileges(new HiveObjectPrivilege( - new HiveObjectRef(HiveObjectType.TABLE, dbName, - tableName, null, null), null, null, new PrivilegeGrantInfo(priv.toString(), 0, grantor, grantorType, grantOption))); - } - } else { - privBag.addToPrivileges(new HiveObjectPrivilege( - new HiveObjectRef(HiveObjectType.DATABASE, dbName, null, - null, null), null, null, new PrivilegeGrantInfo(priv.toString(), 0, grantor, grantorType, grantOption))); - } - } - } - } - - for (PrincipalDesc principal : principals) { - for (int i = 0; i < privBag.getPrivileges().size(); i++) { - HiveObjectPrivilege objPrivs = privBag.getPrivileges().get(i); - objPrivs.setPrincipalName(principal.getName()); - objPrivs.setPrincipalType(principal.getType()); - } - if (isGrant) { - db.grantPrivileges(privBag); - } else { - db.revokePrivileges(privBag); - } - } - } catch (Exception e) { - console.printError("Error: " + e.getMessage()); - return 1; - } - - return 0; - } - - private int grantOrRevokePrivilegesV2(List principals, - List privileges, PrivilegeObjectDesc privSubjectDesc, String grantor, - PrincipalType grantorType, boolean grantOption, boolean isGrant) throws HiveException { - HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); + HiveAuthorizer authorizer = getSessionAuthorizer(); //Convert to object types used by the 
authorization plugin interface - List hivePrincipals = getHivePrincipals(principals); - List hivePrivileges = getHivePrivileges(privileges); - HivePrivilegeObject hivePrivObject = getHivePrivilegeObject(privSubjectDesc); - HivePrincipal grantorPrincipal = new HivePrincipal(grantor, getHivePrincipalType(grantorType)); + List hivePrincipals = AuthorizationUtils.getHivePrincipals(principals); + List hivePrivileges = AuthorizationUtils.getHivePrivileges(privileges); + HivePrivilegeObject hivePrivObject = AuthorizationUtils.getHivePrivilegeObject(privSubjectDesc, null); + + HivePrincipal grantorPrincipal = new HivePrincipal( + grantor, AuthorizationUtils.getHivePrincipalType(grantorType)); if(isGrant){ authorizer.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject, 
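Review bot: `grantorPrincipal` is built unconditionally as `new HivePrincipal(grantor, AuthorizationUtils.getHivePrincipalType(grantorType))`, while `grantOrRevokeRole` in this same file only builds the grantor principal when `getGrantor() != null`. With this change the V1 path also goes through here, so a statement without an explicit grantor now hands the authorizer a principal whose name and type are both null rather than a null principal. I would mirror the role code: `HivePrincipal grantorPrincipal = grantor == null ? null : new HivePrincipal(grantor, AuthorizationUtils.getHivePrincipalType(grantorType));`, assuming the authorizers accept a null grantor as the role methods evidently do. The method starts and ends outside this hunk.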
@@ -867,121 +586,8 @@ private int grantOrRevokePrivilegesV2(List principals, return 0; } - private HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc) - throws HiveException { - - String [] dbTable = Utilities.getDbTableName(privSubjectDesc.getObject()); - return new HivePrivilegeObject(getPrivObjectType(privSubjectDesc), dbTable[0], dbTable[1]); - } - - private HivePrincipalType getHivePrincipalType(PrincipalType type) throws HiveException { - if(type == null){ - return null; - } - - switch(type){ - case USER: - return HivePrincipalType.USER; - case ROLE: - return HivePrincipalType.ROLE; - case GROUP: - throw new HiveException(ErrorMsg.UNNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP); - default: - //should not happen as we take care of all existing types - throw new AssertionError("Unsupported authorization type specified"); - } - } - - private HivePrivilegeObjectType getPrivObjectType(PrivilegeObjectDesc privSubjectDesc) { - if (privSubjectDesc.getObject() == null) { - return null; - } - return privSubjectDesc.getTable() ? 
HivePrivilegeObjectType.TABLE_OR_VIEW : HivePrivilegeObjectType.DATABASE; - } - - private List getHivePrivileges(List privileges) { - List hivePrivileges = new ArrayList(); - for(PrivilegeDesc privilege : privileges){ - hivePrivileges.add( - new HivePrivilege(privilege.getPrivilege().toString(), privilege.getColumns())); - } - return hivePrivileges; - } - - private List getHivePrincipals(List principals) throws HiveException { - ArrayList hivePrincipals = new ArrayList(); - for(PrincipalDesc principal : principals){ - hivePrincipals.add(getHivePrincipal(principal)); - } - return hivePrincipals; - } - - private HivePrincipal getHivePrincipal(PrincipalDesc principal) throws HiveException { - if (principal == null) { - return null; - } - return new HivePrincipal(principal.getName(), - AuthorizationUtils.getHivePrincipalType(principal.getType())); - } - - private void throwNotFound(String objType, String objName) throws HiveException { - throw new HiveException(objType + " " + objName + " not found"); - } - - private int roleDDL(RoleDDLDesc roleDDLDesc) throws HiveException, IOException { - if(SessionState.get().isAuthorizationModeV2()){ - return roleDDLV2(roleDDLDesc); - } - - DataOutputStream outStream = null; - RoleDDLDesc.RoleOperation operation = roleDDLDesc.getOperation(); - try { - if (operation.equals(RoleDDLDesc.RoleOperation.CREATE_ROLE)) { - db.createRole(roleDDLDesc.getName(), roleDDLDesc.getRoleOwnerName()); - } else if (operation.equals(RoleDDLDesc.RoleOperation.DROP_ROLE)) { - db.dropRole(roleDDLDesc.getName()); - } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLE_GRANT)) { - boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); - List roleGrants = db.getRoleGrantInfoForPrincipal(roleDDLDesc.getName(), roleDDLDesc.getPrincipalType()); - writeToFile(writeRoleGrantsInfo(roleGrants, testMode), roleDDLDesc.getResFile()); - } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLES)) { - List roleNames = db.getAllRoleNames(); 
- //sort the list to get sorted (deterministic) output (for ease of testing) - Collections.sort(roleNames); - Path resFile = new Path(roleDDLDesc.getResFile()); - FileSystem fs = resFile.getFileSystem(conf); - outStream = fs.create(resFile); - for (String roleName : roleNames) { - outStream.writeBytes(roleName); - outStream.write(terminator); - } - outStream.close(); - outStream = null; - } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLE_PRINCIPALS)) { - throw new HiveException("Show role principals is not currently supported in " - + "authorization mode V1"); - } - else { - throw new HiveException("Unkown role operation " - + operation.getOperationName()); - } - } catch (HiveException e) { - console.printError("Error in role operation " - + operation.getOperationName() + " on role name " - + roleDDLDesc.getName() + ", error message " + e.getMessage()); - return 1; - } catch (IOException e) { - LOG.info("role ddl exception: " + stringifyException(e)); - return 1; - } finally { - IOUtils.closeStream(outStream); - } - - return 0; - } - - private int roleDDLV2(RoleDDLDesc roleDDLDesc) throws HiveException, IOException { - HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); + private int roleDDL(RoleDDLDesc roleDDLDesc) throws Exception { + HiveAuthorizer authorizer = getSessionAuthorizer(); RoleDDLDesc.RoleOperation operation = roleDDLDesc.getOperation(); //call the appropriate hive authorizer function switch(operation){ 
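Review bot: The signature of `roleDDL` is widened from `throws HiveException, IOException` to `throws Exception`, which forces every caller to catch or declare the broadest checked type and hides which failures are expected here. Unless one of the authorizer calls in the switch (outside this hunk) really declares something else, I would keep `private int roleDDL(RoleDDLDesc roleDDLDesc) throws HiveException, IOException`. The deleted V1 branch also turned role errors into a console message and return code 1; if callers relied on that, the new propagate-everything behaviour deserves a line in the commit description.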
@@ -994,7 +600,7 @@ private int roleDDLV2(RoleDDLDesc roleDDLDesc) throws HiveException, IOException case SHOW_ROLE_GRANT: boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); List roles = authorizer.getRoleGrantInfoForPrincipal( - new HivePrincipal(roleDDLDesc.getName(), getHivePrincipalType(roleDDLDesc.getPrincipalType()))); + AuthorizationUtils.getHivePrincipal(roleDDLDesc.getName(), roleDDLDesc.getPrincipalType())); writeToFile(writeRolesGrantedInfo(roles, testMode), roleDDLDesc.getResFile()); break; case SHOW_ROLES: @@ -1265,7 +871,7 @@ private int alterTableAlterPart(Hive db, AlterTableAlterPartDesc alterPartitionD assert(tbl.isPartitioned()); List newPartitionKeys = new ArrayList(); - + //Check if the existing partition values can be type casted to the new column type // with a non null value before trying to alter the partition column type. try { @@ -1277,19 +883,19 @@ private int alterTableAlterPart(Hive db, AlterTableAlterPartDesc alterPartitionD break; } } - + if (colIndex == -1 || colIndex == tbl.getTTable().getPartitionKeys().size()) { - throw new HiveException("Cannot find partition column " + + throw new HiveException("Cannot find partition column " + alterPartitionDesc.getPartKeySpec().getName()); } - + TypeInfo expectedType = TypeInfoUtils.getTypeInfoFromTypeString(alterPartitionDesc.getPartKeySpec().getType()); ObjectInspector outputOI = TypeInfoUtils.getStandardWritableObjectInspectorFromTypeInfo(expectedType); Converter converter = ObjectInspectorConverters.getConverter( - PrimitiveObjectInspectorFactory.javaStringObjectInspector, outputOI); - + PrimitiveObjectInspectorFactory.javaStringObjectInspector, outputOI); + // For all the existing partitions, check if the value can be type casted to a non-null object for(Partition part : partitions) { if (part.getName().equals(conf.getVar(HiveConf.ConfVars.DEFAULTPARTITIONNAME))) { 
@@ -1298,23 +904,23 @@ private int alterTableAlterPart(Hive db, AlterTableAlterPartDesc alterPartitionD try { String value = part.getValues().get(colIndex); Object convertedValue = - converter.convert(value); + converter.convert(value); if (convertedValue == null) { throw new HiveException(" Converting from " + TypeInfoFactory.stringTypeInfo + " to " + expectedType + " for value : " + value + " resulted in NULL object"); } } catch (Exception e) { - throw new HiveException("Exception while converting " + + throw new HiveException("Exception while converting " + TypeInfoFactory.stringTypeInfo + " to " + expectedType + " for value : " + part.getValues().get(colIndex)); - } + } } } catch(Exception e) { throw new HiveException( "Exception while checking type conversion of existing partition values to " + alterPartitionDesc.getPartKeySpec() + " : " + e.getMessage()); } - + for(FieldSchema col : tbl.getTTable().getPartitionKeys()) { if (col.getName().compareTo(alterPartitionDesc.getPartKeySpec().getName()) == 0) { newPartitionKeys.add(alterPartitionDesc.getPartKeySpec()); @@ -2725,7 +2331,7 @@ public int compare(HiveLock o1, HiveLock o2) { LOG.warn("show function: " + stringifyException(e)); return 1; } catch (Exception e) { - throw new HiveException(e.toString()); + throw new HiveException(e.toString(), e); } finally { IOUtils.closeStream(outStream); } 
@@ -3444,28 +3050,41 @@ private static void fixDecimalColumnTypeName(List cols) { } } - static String writeGrantInfo(List privileges, boolean testMode) { + static String writeGrantInfo(List privileges, boolean testMode) { if (privileges == null || privileges.isEmpty()) { return ""; } StringBuilder builder = new StringBuilder(); //sort the list to get sorted (deterministic) output (for ease of testing) - Collections.sort(privileges); - - for (HiveObjectPrivilege privilege : privileges) { - HiveObjectRef resource = privilege.getHiveObject(); - PrivilegeGrantInfo grantInfo = privilege.getGrantInfo(); - - appendNonNull(builder, resource.getDbName(), true); - appendNonNull(builder, resource.getObjectName()); - appendNonNull(builder, resource.getPartValues()); - appendNonNull(builder, resource.getColumnName()); - appendNonNull(builder, privilege.getPrincipalName()); - appendNonNull(builder, privilege.getPrincipalType()); - appendNonNull(builder, grantInfo.getPrivilege()); - appendNonNull(builder, grantInfo.isGrantOption()); - appendNonNull(builder, testMode ? 
-1 : grantInfo.getCreateTime() * 1000L); - appendNonNull(builder, grantInfo.getGrantor()); + Collections.sort(privileges, new Comparator() { + @Override + public int compare(HivePrivilegeInfo o1, HivePrivilegeInfo o2) { + int compare = o1.getObject().compareTo(o2.getObject()); + if (compare == 0) { + compare = o1.getPrincipal().compareTo(o2.getPrincipal()); + } + if (compare == 0) { + compare = o1.getPrivilege().compareTo(o2.getPrivilege()); + } + return compare; + } + }); + + for (HivePrivilegeInfo privilege : privileges) { + HivePrincipal principal = privilege.getPrincipal(); + HivePrivilegeObject resource = privilege.getObject(); + HivePrincipal grantor = privilege.getGrantorPrincipal(); + + appendNonNull(builder, resource.getDbname(), true); + appendNonNull(builder, resource.getTableViewURI()); + appendNonNull(builder, resource.getPartKeys()); + appendNonNull(builder, resource.getColumns()); + appendNonNull(builder, principal.getName()); + appendNonNull(builder, principal.getType()); + appendNonNull(builder, privilege.getPrivilege().getName()); + appendNonNull(builder, privilege.isGrantOption()); + appendNonNull(builder, testMode ? -1 : privilege.getGrantTime() * 1000L); + appendNonNull(builder, grantor.getName()); } return builder.toString(); } diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java index a95d784..bbaeae0 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java 
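Review bot: `writeGrantInfo` dereferences `getObject()`, `getPrincipal()` and `getGrantorPrincipal()` without a null check, both in the comparator and in the loop. `AuthorizationUtils.getHiveObjectRef` in this commit returns null for a null `HiveObjectRef`, so an entry produced by `getPrivilegeInfos` can carry a null object and would fail in `o1.getObject().compareTo(...)` and `resource.getDbname()` with a NullPointerException instead of printing the grant. At minimum I would guard the grantor, `appendNonNull(builder, grantor == null ? null : grantor.getName());` (assuming `appendNonNull` skips nulls as its name suggests), and make the comparator null-tolerant for the object. `Collections.sort` also reorders the list returned by the authorizer in place; sorting a copy, `privileges = new ArrayList<HivePrivilegeInfo>(privileges);`, avoids surprising an implementation that returns a shared or unmodifiable list.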
@@ -18,18 +18,29 @@ package org.apache.hadoop.hive.ql.security.authorization; import org.apache.hadoop.classification.InterfaceAudience.LimitedPrivate; +import org.apache.hadoop.hive.metastore.Warehouse; +import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege; import org.apache.hadoop.hive.metastore.api.HiveObjectRef; import org.apache.hadoop.hive.metastore.api.HiveObjectType; import org.apache.hadoop.hive.metastore.api.PrincipalType; import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo; import org.apache.hadoop.hive.ql.ErrorMsg; +import org.apache.hadoop.hive.ql.exec.Utilities; import org.apache.hadoop.hive.ql.hooks.Entity.Type; import org.apache.hadoop.hive.ql.metadata.HiveException; +import org.apache.hadoop.hive.ql.plan.PrincipalDesc; +import org.apache.hadoop.hive.ql.plan.PrivilegeDesc; +import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; +import org.apache.hadoop.hive.ql.session.SessionState; + +import java.util.ArrayList; +import java.util.List; /** * Utility code shared by hive internal code and sql standard authorization plugin implementation 
@@ -44,13 +55,19 @@ * @throws HiveException */ public static HivePrincipalType getHivePrincipalType(PrincipalType type) throws HiveException { + if (type == null){ + return null; + } switch(type){ case USER: return HivePrincipalType.USER; case ROLE: return HivePrincipalType.ROLE; case GROUP: - throw new HiveException(ErrorMsg.UNNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP); + if (SessionState.get().getAuthorizationMode() == SessionState.AuthorizationMode.V2) { + throw new HiveException(ErrorMsg.UNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP); + } + return HivePrincipalType.GROUP; default: //should not happen as we take care of all existing types throw new AssertionError("Unsupported authorization type specified"); @@ -64,6 +81,9 @@ public static HivePrincipalType getHivePrincipalType(PrincipalType type) throws * @return */ public static HivePrivilegeObjectType getHivePrivilegeObjectType(Type type) { + if (type == null){ + return null; + } switch(type){ case DATABASE: return HivePrivilegeObjectType.DATABASE; 
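Review bot: In the `GROUP` case of `getHivePrincipalType`, whether a group principal is accepted is now decided from thread-local state via `SessionState.get().getAuthorizationMode()`. This makes a static conversion helper give different answers depending on the attached session, and if `SessionState.get()` returns null on a thread without a session it fails with a NullPointerException rather than the authorization error. The test is also written as "reject only when V2", so any mode added later would accept GROUP by default; I would invert it to `if (SessionState.get().getAuthorizationMode() != SessionState.AuthorizationMode.V1) { throw new HiveException(ErrorMsg.UNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP); }`. The existing Javadoc `@throws HiveException` should say when, e.g. `@throws HiveException if type is GROUP and the session is not in V1 authorization mode`.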
@@ -81,6 +101,89 @@ public static HivePrivilegeObjectType getHivePrivilegeObjectType(Type type) { } } + public static HivePrivilegeObjectType getPrivObjectType(PrivilegeObjectDesc privSubjectDesc) { + if (privSubjectDesc.getObject() == null) { + return null; + } + return privSubjectDesc.getTable() ? HivePrivilegeObjectType.TABLE_OR_VIEW : + HivePrivilegeObjectType.DATABASE; + } + + public static List getHivePrivileges(List privileges) { + List hivePrivileges = new ArrayList(); + for(PrivilegeDesc privilege : privileges){ + Privilege priv = privilege.getPrivilege(); + hivePrivileges.add( + new HivePrivilege(priv.toString(), privilege.getColumns(), priv.getScopeList())); + } + return hivePrivileges; + } + + public static List getHivePrincipals(List principals) + throws HiveException { + ArrayList hivePrincipals = new ArrayList(); + for(PrincipalDesc principal : principals){ + hivePrincipals.add(getHivePrincipal(principal)); + } + return hivePrincipals; + } + + public static HivePrincipal getHivePrincipal(PrincipalDesc principal) throws HiveException { + if (principal == null) { + return null; + } + return getHivePrincipal(principal.getName(), principal.getType()); + } + + public static HivePrincipal getHivePrincipal(String name, PrincipalType type) throws HiveException { + return new HivePrincipal(name, AuthorizationUtils.getHivePrincipalType(type)); + } + + public static List getPrivilegeInfos(List privs) + throws HiveException { + List hivePrivs = new ArrayList(); + for (HiveObjectPrivilege priv : privs) { + PrivilegeGrantInfo grantorInfo = priv.getGrantInfo(); + HiveObjectRef privObject = priv.getHiveObject(); + HivePrincipal hivePrincipal = + getHivePrincipal(priv.getPrincipalName(), priv.getPrincipalType()); + HivePrincipal grantor = + getHivePrincipal(grantorInfo.getGrantor(), grantorInfo.getGrantorType()); + HivePrivilegeObject object = getHiveObjectRef(privObject); + HivePrivilege privilege = new HivePrivilege(grantorInfo.getPrivilege(), null); + 
hivePrivs.add(new HivePrivilegeInfo(hivePrincipal, privilege, object, grantor, + grantorInfo.isGrantOption(), grantorInfo.getCreateTime())); + } + return hivePrivs; + } + + public static HivePrivilegeObject getHiveObjectRef(HiveObjectRef privObj) throws HiveException { + if (privObj == null) { + return null; + } + HivePrivilegeObjectType objType = getHiveObjType(privObj.getObjectType()); + return new HivePrivilegeObject(objType, privObj.getDbName(), privObj.getObjectName(), + privObj.getPartValues(), privObj.getColumnName()); + } + + public static HivePrivilegeObject getHivePrivilegeObject( + PrivilegeObjectDesc privSubjectDesc, List columns) throws HiveException { + if (privSubjectDesc == null) { + return null; + } + String[] dbTable; + if (privSubjectDesc.getTable()) { + dbTable = Utilities.getDbTableName(privSubjectDesc.getObject()); + } else { + dbTable = new String[] {privSubjectDesc.getObject(), null}; + } + HivePrivilegeObjectType objectType = getPrivObjectType(privSubjectDesc); + List partSpec = null; + if (privSubjectDesc.getPartSpec() != null) { + partSpec = Warehouse.getPartValuesFromPartSpec(privSubjectDesc.getPartSpec()); + } + return new HivePrivilegeObject(objectType, dbTable[0], dbTable[1], partSpec, columns); + } /** * Convert authorization plugin principal type to thrift principal type @@ -95,6 +198,8 @@ public static PrincipalType getThriftPrincipalType(HivePrincipalType type) { switch(type){ case USER: return PrincipalType.USER; + case GROUP: + return PrincipalType.GROUP; case ROLE: return PrincipalType.ROLE; default: @@ -102,7 +207,6 @@ public static PrincipalType getThriftPrincipalType(HivePrincipalType type) { } } - /** * Get thrift privilege grant info * @param privilege 
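Review bot: getHivePrivilegeObject reduces the partition spec to a bare value list through `Warehouse.getPartValuesFromPartSpec(privSubjectDesc.getPartSpec())`, which drops the column names, and HiveV1Authorizer.toPrivilegeBag later re-attaches those values to `tableObj.getPartitionKeys()` purely by position. If the spec map does not iterate in the table's partition-column order (its concrete type is not visible here, so this is an assumption to confirm), a GRANT or REVOKE on a multi-column partition would resolve a different partition than the one named in the statement, or none at all. I would keep the name-to-value map on HivePrivilegeObject, or order the values by the table's partition columns before they are used, and add a test that writes the partition columns out of order. The new public helpers in this hunk also have no Javadoc; the null-in/null-out behaviour of getHivePrincipal, getHiveObjectRef and getHivePrivilegeObject is worth stating.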
@@ -130,12 +234,16 @@ public static HiveObjectType getThriftHiveObjType(HivePrivilegeObjectType type) return null; } switch(type){ + case GLOBAL: + return HiveObjectType.GLOBAL; case DATABASE: return HiveObjectType.DATABASE; case TABLE_OR_VIEW: return HiveObjectType.TABLE; case PARTITION: return HiveObjectType.PARTITION; + case COLUMN: + return HiveObjectType.COLUMN; case LOCAL_URI: case DFS_URI: throw new HiveException("Unsupported type " + type); @@ -145,6 +253,33 @@ public static HiveObjectType getThriftHiveObjType(HivePrivilegeObjectType type) } } + // V1 to V2 conversion. + private static HivePrivilegeObjectType getHiveObjType(HiveObjectType type) throws HiveException { + if (type == null) { + return null; + } + switch(type){ + case GLOBAL: + if (SessionState.get().getAuthorizationMode() == SessionState.AuthorizationMode.V2) { + throw new HiveException(ErrorMsg.UNSUPPORTED_AUTHORIZATION_RESOURCE_TYPE_GLOBAL); + } + return HivePrivilegeObjectType.GLOBAL; + case DATABASE: + return HivePrivilegeObjectType.DATABASE; + case TABLE: + return HivePrivilegeObjectType.TABLE_OR_VIEW; + case PARTITION: + return HivePrivilegeObjectType.PARTITION; + case COLUMN: + if (SessionState.get().getAuthorizationMode() == SessionState.AuthorizationMode.V2) { + throw new HiveException(ErrorMsg.UNSUPPORTED_AUTHORIZATION_RESOURCE_TYPE_COLUMN); + } + return HivePrivilegeObjectType.COLUMN; + default: + //should not happen as we have accounted for all types + throw new AssertionError("Unsupported type " + type); + } + } /** * Convert thrift HiveObjectRef to plugin HivePrivilegeObject diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/Privilege.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/Privilege.java index f9d1b4b..ba8ce26 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/Privilege.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/Privilege.java 
@@ -18,7 +18,9 @@ package org.apache.hadoop.hive.ql.security.authorization; +import java.util.ArrayList; import java.util.EnumSet; +import java.util.List; /** * Privilege defines a privilege in Hive. Each privilege has a name and scope associated with it. @@ -65,6 +67,17 @@ public boolean supportTableLevel() { && supportedScopeSet.contains(PrivilegeScope.TABLE_LEVEL_SCOPE); } + public List getScopeList() { + if (supportedScopeSet == null) { + return null; + } + List scopes = new ArrayList(); + for (PrivilegeScope scope : supportedScopeSet) { + scopes.add(scope.name()); + } + return scopes; + } + @Override public String toString() { return this.getPriv().toString(); diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java index 62b8994..488d05b 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java @@ -25,10 +25,19 @@ */ @LimitedPrivate(value = { "" }) @Evolving -public class HivePrincipal { +public class HivePrincipal implements Comparable { + + @Override + public int compareTo(HivePrincipal o) { + int compare = name.compareTo(o.name); + if (compare == 0) { + compare = type.compareTo(o.type); + } + return compare; + } public enum HivePrincipalType{ - USER, ROLE, UNKNOWN + USER, GROUP, ROLE, UNKNOWN } @Override diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java index 126300a..5e64b8d 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java 
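Review bot: The new `compareTo` in HivePrincipal calls `name.compareTo(o.name)` and `type.compareTo(o.type)` with no null handling, while this same commit makes AuthorizationUtils.getHivePrincipalType return null for a null input and `getHivePrincipal(String, PrincipalType)` pass that result straight to the constructor. A principal built that way throws a NullPointerException as soon as it is compared, for example when results are sorted. Either reject a null name or type in the constructor or make the comparison null-aware, e.g. `compare = type == null ? (o.type == null ? 0 : -1) : (o.type == null ? 1 : type.compareTo(o.type));`. The class body continues outside this hunk, so whether equals() treats null the same way cannot be checked from here.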
@@ -22,13 +22,14 @@ import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate; import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving; +import org.apache.hadoop.hive.ql.security.authorization.PrivilegeScope; /** * Represents the hive privilege being granted/revoked */ @LimitedPrivate(value = { "" }) @Evolving -public class HivePrivilege { +public class HivePrivilege implements Comparable { @Override public String toString() { return "Privilege [name=" + name + ", columns=" + columns + "]"; @@ -36,10 +37,16 @@ public String toString() { private final String name; private final List columns; + private final List supportedScope; - public HivePrivilege(String name, List columns){ + public HivePrivilege(String name, List columns) { + this(name, columns, null); + } + + public HivePrivilege(String name, List columns, List supportedScope) { this.name = name.toUpperCase(Locale.US); this.columns = columns; + this.supportedScope = supportedScope; } public String getName() { @@ -50,6 +57,10 @@ public String getName() { return columns; } + public List getSupportedScope() { + return supportedScope; + } + @Override public int hashCode() { final int prime = 31; @@ -82,5 +93,27 @@ public boolean equals(Object obj) { } + public boolean supportsScope(PrivilegeScope scope) { + return supportedScope != null && supportedScope.contains(scope.name()); + } + + public int compareTo(HivePrivilege privilege) { + int compare = columns != null ? + (privilege.columns != null ? compare(columns, privilege.columns) : 1) : + (privilege.columns != null ? -1 : 0); + if (compare == 0) { + compare = name.compareTo(privilege.name); + } + return compare; + } + private int compare(List o1, List o2) { + for (int i = 0; i < Math.min(o1.size(), o2.size()); i++) { + int compare = o1.get(i).compareTo(o2.get(i)); + if (compare != 0) { + return compare; + } + } + return o1.size() > o2.size() ? 1 : (o1.size() < o2.size() ? -1 : 0); + } } 
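Review bot: `supportsScope` in the last hunk returns false for every scope when `supportedScope` is null, and the retained two-argument constructor always passes null, so a privilege built that way can never pass the column-level check in HiveV1Authorizer.toPrivilegeBag. That fails closed, which is the safe direction, but nothing tells a caller why a column grant was refused. I would document it on the method, e.g. `/** Returns false when no scope list was supplied (two-argument constructor), so scope checks fail closed. */`, and add `@Override` to the new `compareTo` so the compiler checks it against the Comparable contract.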
diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java index a3a689d..46ebe3e 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java @@ -20,12 +20,16 @@ import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate; import org.apache.hadoop.hive.common.classification.InterfaceStability.Unstable; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + /** * Represents the object on which privilege is being granted/revoked */ @LimitedPrivate(value = { "" }) @Unstable -public class HivePrivilegeObject { +public class HivePrivilegeObject implements Comparable { @Override public String toString() { 
@@ -35,28 +39,80 @@ public String toString() { name = dbname; break; case TABLE_OR_VIEW: + case PARTITION: name = (dbname == null ? "" : dbname + ".") + tableviewname; + if (partKeys != null) { + name += partKeys.toString(); + } break; + case COLUMN: case LOCAL_URI: case DFS_URI: name = tableviewname; break; - case PARTITION: - break; } return "Object [type=" + type + ", name=" + name + "]"; } - public enum HivePrivilegeObjectType { DATABASE, TABLE_OR_VIEW, PARTITION, LOCAL_URI, DFS_URI}; + @Override + public int compareTo(HivePrivilegeObject o) { + int compare = type.compareTo(o.type); + if (compare == 0) { + compare = dbname.compareTo(o.dbname); + } + if (compare == 0) { + compare = tableviewname != null ? + (o.tableviewname != null ? tableviewname.compareTo(o.tableviewname) : 1) : + (o.tableviewname != null ? -1 : 0); + } + if (compare == 0) { + compare = partKeys != null ? + (o.partKeys != null ? compare(partKeys, o.partKeys) : 1) : + (o.partKeys != null ? -1 : 0); + } + if (compare == 0) { + compare = columns != null ? + (o.columns != null ? compare(columns, o.columns) : 1) : + (o.columns != null ? -1 : 0); + } + return compare; + } + + private int compare(List o1, List o2) { + for (int i = 0; i < Math.min(o1.size(), o2.size()); i++) { + int compare = o1.get(i).compareTo(o2.get(i)); + if (compare != 0) { + return compare; + } + } + return o1.size() > o2.size() ? 1 : (o1.size() < o2.size() ? 
-1 : 0); + } + + public enum HivePrivilegeObjectType { GLOBAL, DATABASE, TABLE_OR_VIEW, PARTITION, COLUMN, LOCAL_URI, DFS_URI}; private final HivePrivilegeObjectType type; private final String dbname; private final String tableviewname; + private final List partKeys; + private final List columns; - public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI){ + public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI) { + this(type, dbname, tableViewURI, null, (List)null); + } + + public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI, + List partKeys, String column) { + this(type, dbname, tableViewURI, partKeys, + column == null ? null : new ArrayList(Arrays.asList(column))); + } + + public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI, + List partKeys, List columns) { this.type = type; this.dbname = dbname; this.tableviewname = tableViewURI; + this.partKeys = partKeys; + this.columns = columns; } public HivePrivilegeObjectType getType() { @@ -70,4 +126,12 @@ public String getDbname() { public String getTableViewURI() { return tableviewname; } + + public List getPartKeys() { + return partKeys; + } + + public List getColumns() { + return columns; + } } diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java new file mode 100644 index 0000000..4245fde --- /dev/null +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java 
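Review bot: In HivePrivilegeObject.compareTo, `dbname.compareTo(o.dbname)` is the only field comparison without a null guard, although toString in the same class treats dbname as nullable and AuthorizationUtils.getHiveObjectRef copies `privObj.getDbName()` unchecked, which is presumably null for the GLOBAL references that HiveV1Authorizer.toPrivilegeBag creates. Comparing two such objects would throw a NullPointerException. Use the same pattern as the fields below it: `compare = dbname != null ? (o.dbname != null ? dbname.compareTo(o.dbname) : 1) : (o.dbname != null ? -1 : 0);`. The private `compare(List, List)` helper here duplicates the one added to HivePrivilege and could live in one shared utility.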
@@ -0,0 +1,373 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hive.ql.security.authorization.plugin; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.metastore.Warehouse; +import org.apache.hadoop.hive.metastore.api.Database; +import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege; +import org.apache.hadoop.hive.metastore.api.HiveObjectRef; +import org.apache.hadoop.hive.metastore.api.HiveObjectType; +import org.apache.hadoop.hive.metastore.api.Partition; +import org.apache.hadoop.hive.metastore.api.PrincipalType; +import org.apache.hadoop.hive.metastore.api.PrivilegeBag; +import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo; +import org.apache.hadoop.hive.metastore.api.Role; +import org.apache.hadoop.hive.metastore.api.RolePrincipalGrant; +import org.apache.hadoop.hive.ql.metadata.Hive; +import org.apache.hadoop.hive.ql.metadata.HiveException; +import org.apache.hadoop.hive.ql.metadata.Table; +import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils; +import org.apache.hadoop.hive.ql.security.authorization.PrivilegeScope; +import 
org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController; +import org.apache.hadoop.hive.ql.session.SessionState; + +import java.util.ArrayList; +import java.util.List; +import java.util.Map; + +public class HiveV1Authorizer implements HiveAuthorizer { + + private final HiveConf conf; + private final Hive hive; + + public HiveV1Authorizer(HiveConf conf, Hive hive) { + this.conf = conf; + this.hive = hive; + } + + @Override + public VERSION getVersion() { + return VERSION.V1; + } + + @Override + public void checkPrivileges(HiveOperationType hiveOpType, List inputsHObjs, + List outputHObjs) + throws HiveAuthzPluginException, HiveAccessControlException { + throw new UnsupportedOperationException("Should not be called for v1 authorizer"); + } + + @Override + public void grantPrivileges( + List principals, List privileges, HivePrivilegeObject privObject, + HivePrincipal grantor, boolean grantOption) + throws HiveAuthzPluginException, HiveAccessControlException { + try { + PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption); + grantOrRevokePrivs(principals, privBag, true); + } catch (Exception e) { + throw new HiveAuthzPluginException(e); + } + } + + @Override + public void revokePrivileges( + List principals, List privileges, HivePrivilegeObject privObject, + HivePrincipal grantor, boolean grantOption) + throws HiveAuthzPluginException, HiveAccessControlException { + try { + PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption); + grantOrRevokePrivs(principals, privBag, false); + } catch (Exception e) { + throw new HiveAuthzPluginException(e); + } + } + + private void grantOrRevokePrivs(List principals, PrivilegeBag privBag, boolean isGrant) + throws HiveException { + for (HivePrincipal principal : principals) { + PrincipalType type = AuthorizationUtils.getThriftPrincipalType(principal.getType()); + for (HiveObjectPrivilege priv : privBag.getPrivileges()) { + 
priv.setPrincipalName(principal.getName()); + priv.setPrincipalType(type); + } + if (isGrant) { + hive.grantPrivileges(privBag); + } else { + hive.revokePrivileges(privBag); + } + } + } + + private PrivilegeBag toPrivilegeBag(List privileges, + HivePrivilegeObject privObject, HivePrincipal grantor, boolean grantOption) + throws HiveException { + + PrivilegeBag privBag = new PrivilegeBag(); + if (privileges.isEmpty()) { + return privBag; + } + String grantorName = grantor.getName(); + PrincipalType grantorType = AuthorizationUtils.getThriftPrincipalType(grantor.getType()); + if (privObject == null) { + for (HivePrivilege priv : privileges) { + List columns = priv.getColumns(); + if (columns != null && !columns.isEmpty()) { + throw new HiveException( + "For user-level privileges, column sets should be null. columns=" + + columns.toString()); + } + privBag.addToPrivileges(new HiveObjectPrivilege(new HiveObjectRef( + HiveObjectType.GLOBAL, null, null, null, null), null, null, + new PrivilegeGrantInfo(priv.getName(), 0, grantor.getName(), grantorType, + grantOption))); + } + return privBag; + } + + if (privObject.getPartKeys() != null && grantOption) { + throw new HiveException("Grant does not support partition level."); + } + Database dbObj = hive.getDatabase(privObject.getDbname()); + if (dbObj == null) { + throw new HiveException("Database " + privObject.getDbname() + " does not exists"); + } + Table tableObj = null; + if (privObject.getTableViewURI() != null) { + tableObj = hive.getTable(dbObj.getName(), privObject.getTableViewURI()); + } + + List partValues = null; + if (tableObj != null) { + if ((!tableObj.isPartitioned()) + && privObject.getPartKeys() != null) { + throw new HiveException( + "Table is not partitioned, but partition name is present: partSpec=" + + privObject.getPartKeys()); + } + + if (privObject.getPartKeys() != null) { + Map partSpec = + Warehouse.makeSpecFromVals(tableObj.getPartitionKeys(), privObject.getPartKeys()); + Partition partObj = 
hive.getPartition(tableObj, partSpec, false).getTPartition(); + partValues = partObj.getValues(); + } + } + + for (HivePrivilege priv : privileges) { + List columns = priv.getColumns(); + if (columns != null && !columns.isEmpty()) { + if (!priv.supportsScope(PrivilegeScope.COLUMN_LEVEL_SCOPE)) { + throw new HiveException(priv.getName() + " does not support column level privilege."); + } + if (tableObj == null) { + throw new HiveException( + "For user-level/database-level privileges, column sets should be null. columns=" + + columns); + } + for (int i = 0; i < columns.size(); i++) { + privBag.addToPrivileges(new HiveObjectPrivilege( + new HiveObjectRef(HiveObjectType.COLUMN, dbObj.getName(), tableObj.getTableName(), + partValues, columns.get(i)), null, null, + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + } + } else if (tableObj == null) { + privBag.addToPrivileges(new HiveObjectPrivilege( + new HiveObjectRef(HiveObjectType.DATABASE, dbObj.getName(), null, + null, null), null, null, + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + } else if (partValues == null) { + privBag.addToPrivileges(new HiveObjectPrivilege( + new HiveObjectRef(HiveObjectType.TABLE, dbObj.getName(), tableObj.getTableName(), + null, null), null, null, + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + } else { + privBag.addToPrivileges(new HiveObjectPrivilege( + new HiveObjectRef(HiveObjectType.PARTITION, dbObj.getName(), tableObj.getTableName(), + partValues, null), null, null, + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + } + } + return privBag; + } + + @Override + public void createRole(String roleName, HivePrincipal adminGrantor) throws HiveAuthzPluginException, HiveAccessControlException { + try { + hive.createRole(roleName, adminGrantor == null ? 
null : adminGrantor.getName()); + } catch (HiveException e) { + throw new HiveAuthzPluginException(e); + } + } + + @Override + public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { + try { + hive.dropRole(roleName); + } catch (HiveException e) { + throw new HiveAuthzPluginException(e); + } + } + + @Override + public List getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { + try { + return SQLStdHiveAccessController.getHiveRoleGrants(hive.getMSC(), roleName); + } catch (Exception e) { + throw new HiveAuthzPluginException(e); + } + } + + @Override + public List getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, HiveAccessControlException { + PrincipalType type = AuthorizationUtils.getThriftPrincipalType(principal.getType()); + try { + List grants = new ArrayList(); + for (RolePrincipalGrant grant : hive.getRoleGrantInfoForPrincipal(principal.getName(), type)) { + grants.add(new HiveRoleGrant(grant)); + } + return grants; + } catch (HiveException e) { + throw new HiveAuthzPluginException(e); + } + } + + @Override + public void grantRole(List principals, List roles, boolean grantOption, + HivePrincipal grantor) throws HiveAuthzPluginException, HiveAccessControlException { + try { + grantOrRevokeRole(principals, roles, grantOption, grantor, true); + } catch (HiveException e) { + throw new HiveAuthzPluginException(e); + } + } + + @Override + public void revokeRole(List principals, List roles, boolean grantOption, + HivePrincipal grantor) throws HiveAuthzPluginException, HiveAccessControlException { + try { + grantOrRevokeRole(principals, roles, grantOption, grantor, false); + } catch (HiveException e) { + throw new HiveAuthzPluginException(e); + } + } + + private void grantOrRevokeRole(List principals, List roles, + boolean grantOption, HivePrincipal grantor, boolean isGrant) throws HiveException { + PrincipalType grantorType = 
AuthorizationUtils.getThriftPrincipalType(grantor.getType()); + for (HivePrincipal principal : principals) { + PrincipalType principalType = AuthorizationUtils.getThriftPrincipalType(principal.getType()); + String userName = principal.getName(); + for (String roleName : roles) { + if (isGrant) { + hive.grantRole(roleName, userName, principalType, + grantor.getName(), grantorType, grantOption); + } else { + hive.revokeRole(roleName, userName, principalType); + } + } + } + } + + @Override + public List getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException { + try { + return hive.getAllRoleNames(); + } catch (HiveException e) { + throw new HiveAuthzPluginException(e); + } + } + + @Override + public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) + throws HiveAuthzPluginException, HiveAccessControlException { + String name = principal == null ? null : principal.getName(); + PrincipalType type = + AuthorizationUtils.getThriftPrincipalType(principal == null ? 
null : principal.getType()); + + List privs = new ArrayList(); + try { + if (privObj == null) { + // show user level privileges + privs.addAll(hive.showPrivilegeGrant(HiveObjectType.GLOBAL, name, type, + null, null, null, null)); + } else if (privObj.getDbname() == null) { + // show all privileges + privs.addAll(hive.showPrivilegeGrant(null, name, type, null, null, null, null)); + } else { + Database dbObj = hive.getDatabase(privObj.getDbname());; + if (dbObj == null) { + throw new HiveException("Database " + privObj.getDbname() + " does not exists"); + } + Table tableObj = null; + if (privObj.getTableViewURI() != null) { + tableObj = hive.getTable(dbObj.getName(), privObj.getTableViewURI()); + } + List partValues = privObj.getPartKeys(); + + if (tableObj == null) { + // show database level privileges + privs.addAll(hive.showPrivilegeGrant(HiveObjectType.DATABASE, + name, type, dbObj.getName(), null, null, null)); + } else { + List columns = privObj.getColumns(); + if (columns != null && !columns.isEmpty()) { + // show column level privileges + for (String columnName : columns) { + privs.addAll(hive.showPrivilegeGrant(HiveObjectType.COLUMN, name, type, + dbObj.getName(), tableObj.getTableName(), partValues, columnName)); + } + } else if (partValues == null) { + // show table level privileges + privs.addAll(hive.showPrivilegeGrant(HiveObjectType.TABLE, name, type, + dbObj.getName(), tableObj.getTableName(), null, null)); + } else { + // show partition level privileges + privs.addAll(hive.showPrivilegeGrant(HiveObjectType.PARTITION, name, type, + dbObj.getName(), tableObj.getTableName(), partValues, null)); + } + } + } + return AuthorizationUtils.getPrivilegeInfos(privs); + } catch (Exception ex) { + throw new HiveAuthzPluginException(ex); + } + } + + @Override + public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException { + throw new HiveAuthzPluginException("Unsupported operation 'setCurrentRole' for V1 auth"); + } + + 
@Override + public List getCurrentRoleNames() throws HiveAuthzPluginException { + + String userName = SessionState.get().getUserName(); + if (userName == null) { + userName = SessionState.getUserFromAuthenticator(); + } + if (userName == null) { + throw new HiveAuthzPluginException("Cannot resolve current user name"); + } + try { + List roleNames = new ArrayList(); + for (Role role : hive.listRoles(userName, PrincipalType.USER)) { + roleNames.add(role.getRoleName()); + } + return roleNames; + } catch (HiveException e) { + throw new HiveAuthzPluginException(e); + } + } + + @Override + public void applyAuthorizationConfigPolicy(HiveConf hiveConf) { + } +} diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java index e4f5aac..ade3b36 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java 
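Review bot: In toPrivilegeBag, `hive.getPartition(tableObj, partSpec, false).getTPartition()` dereferences the lookup result directly; with the create flag false the lookup returns null for a partition that does not exist (as far as I know, confirm against Hive.getPartition), so a GRANT or REVOKE naming a missing partition surfaces as a wrapped NullPointerException rather than a clear error. Hold the result in a local and fail explicitly, e.g. `if (part == null) { throw new HiveException("Partition " + partSpec + " does not exist"); }`. Separately, the guard `privObject.getPartKeys() != null && grantOption` also runs on the revoke path, where the message "Grant does not support partition level." is misleading. grantOrRevokeRole also drops `grantOption` when revoking, so a request to withdraw only the admin option appears to remove the whole role membership; that deserves an explicit rejection or at least a comment.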
@@ -355,19 +355,24 @@ public void revokeRole(List hivePrincipals, List roleName + " allowed get principals in a role. " + ADMIN_ONLY_MSG); } try { - GetPrincipalsInRoleResponse princGrantInfo = - metastoreClientFactory.getHiveMetastoreClient().get_principals_in_role(new GetPrincipalsInRoleRequest(roleName)); - - List hiveRoleGrants = new ArrayList(); - for(RolePrincipalGrant thriftRoleGrant : princGrantInfo.getPrincipalGrants()){ - hiveRoleGrants.add(new HiveRoleGrant(thriftRoleGrant)); - } - return hiveRoleGrants; + return getHiveRoleGrants(metastoreClientFactory.getHiveMetastoreClient(), roleName); } catch (Exception e) { throw new HiveAuthzPluginException("Error getting principals for all roles", e); } } + public static List getHiveRoleGrants(IMetaStoreClient client, String roleName) + throws Exception { + GetPrincipalsInRoleRequest request = new GetPrincipalsInRoleRequest(roleName); + GetPrincipalsInRoleResponse princGrantInfo = client.get_principals_in_role(request); + + List hiveRoleGrants = new ArrayList(); + for(RolePrincipalGrant thriftRoleGrant : princGrantInfo.getPrincipalGrants()){ + hiveRoleGrants.add(new HiveRoleGrant(thriftRoleGrant)); + } + return hiveRoleGrants; + } + @Override public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException { @@ -398,7 +403,7 @@ public void revokeRole(List hivePrincipals, List roleName HiveObjectRef msObjRef = msObjPriv.getHiveObject(); HivePrivilegeObject resPrivObj = new HivePrivilegeObject( getPluginObjType(msObjRef.getObjectType()), msObjRef.getDbName(), - msObjRef.getObjectName()); + msObjRef.getObjectName(), msObjRef.getPartValues(), msObjRef.getColumnName()); // result grantor principal HivePrincipal grantorPrincipal = new HivePrincipal(msGrantInfo.getGrantor(), 
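Review bot: The extracted `getHiveRoleGrants` is public and static and performs no privilege check, whereas the instance method it was lifted from appears to reach it only after the admin-only check whose error message is visible at the top of this hunk; the new HiveV1Authorizer.getPrincipalGrantInfoForRole calls it with no check at all. If that is intended for V1, state the contract on the method so later callers do not assume it is guarded, e.g. `/** Lists the principals in a role; performs no authorization check, callers must authorize first. */`. `throws Exception` is also broader than needed and pushes every caller into `catch (Exception e)`; declaring the metastore client's checked exceptions would be tighter. The enclosing instance method starts outside the hunk.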
diff --git ql/src/test/results/clientpositive/authorization_1.q.out ql/src/test/results/clientpositive/authorization_1.q.out index 0ff4b04..dac0820 100644 --- ql/src/test/results/clientpositive/authorization_1.q.out +++ ql/src/test/results/clientpositive/authorization_1.q.out @@ -23,7 +23,7 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table src_autho_test POSTHOOK: type: SHOW_GRANT -default src_autho_test hive_test_user USER Select false -1 hive_test_user +default src_autho_test hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: show grant user hive_test_user on table src_autho_test(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table src_autho_test(key) @@ -88,7 +88,7 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table src_autho_test(key) POSTHOOK: type: SHOW_GRANT -default src_autho_test key hive_test_user USER Select false -1 hive_test_user +default src_autho_test [key] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: select key from src_autho_test order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@src_autho_test @@ -145,7 +145,7 @@ PREHOOK: query: show grant group hive_test_group1 on table src_autho_test PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant group hive_test_group1 on table src_autho_test POSTHOOK: type: SHOW_GRANT -default src_autho_test hive_test_group1 GROUP Select false -1 hive_test_user +default src_autho_test hive_test_group1 GROUP SELECT false -1 hive_test_user PREHOOK: query: show grant group hive_test_group1 on table src_autho_test(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant group hive_test_group1 on table src_autho_test(key) 
@@ -210,7 +210,7 @@ PREHOOK: query: show grant group hive_test_group1 on table src_autho_test(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant group hive_test_group1 on table src_autho_test(key) POSTHOOK: type: SHOW_GRANT -default src_autho_test key hive_test_group1 GROUP Select false -1 hive_test_user +default src_autho_test [key] hive_test_group1 GROUP SELECT false -1 hive_test_user PREHOOK: query: select key from src_autho_test order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@src_autho_test @@ -287,7 +287,7 @@ PREHOOK: query: show grant role src_role on table src_autho_test(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant role src_role on table src_autho_test(key) POSTHOOK: type: SHOW_GRANT -default src_autho_test key src_role ROLE Select false -1 hive_test_user +default src_autho_test [key] src_role ROLE SELECT false -1 hive_test_user PREHOOK: query: select key from src_autho_test order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@src_autho_test @@ -364,7 +364,7 @@ PREHOOK: query: show grant role src_role on table src_autho_test PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant role src_role on table src_autho_test POSTHOOK: type: SHOW_GRANT -default src_autho_test src_role ROLE Select false -1 hive_test_user +default src_autho_test src_role ROLE SELECT false -1 hive_test_user PREHOOK: query: show grant role src_role on table src_autho_test(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant role src_role on table src_autho_test(key) diff --git ql/src/test/results/clientpositive/authorization_2.q.out ql/src/test/results/clientpositive/authorization_2.q.out index 9acb42b..f46031b 100644 --- ql/src/test/results/clientpositive/authorization_2.q.out +++ ql/src/test/results/clientpositive/authorization_2.q.out 
@@ -54,9 +54,9 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part POSTHOOK: type: SHOW_GRANT -default authorization_part hive_test_user USER Create false -1 hive_test_user -default authorization_part hive_test_user USER Drop false -1 hive_test_user -default authorization_part hive_test_user USER Update false -1 hive_test_user +default authorization_part hive_test_user USER CREATE false -1 hive_test_user +default authorization_part hive_test_user USER DROP false -1 hive_test_user +default authorization_part hive_test_user USER UPDATE false -1 hive_test_user PREHOOK: query: alter table authorization_part add partition (ds='2010') PREHOOK: type: ALTERTABLE_ADDPARTS PREHOOK: Output: default@authorization_part @@ -68,9 +68,9 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part parti PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010') POSTHOOK: type: SHOW_GRANT -default authorization_part [2010] hive_test_user USER Create false -1 hive_test_user -default authorization_part [2010] hive_test_user USER Drop false -1 hive_test_user -default authorization_part [2010] hive_test_user USER Update false -1 hive_test_user +default authorization_part [2010] hive_test_user USER CREATE false -1 hive_test_user +default authorization_part [2010] hive_test_user USER DROP false -1 hive_test_user +default authorization_part [2010] hive_test_user USER UPDATE false -1 hive_test_user PREHOOK: query: grant select(key) on table authorization_part to user hive_test_user PREHOOK: type: GRANT_PRIVILEGE PREHOOK: Output: default@authorization_part 
@@ -101,14 +101,14 @@ POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) POSTHOOK: type: SHOW_GRANT POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part [2010] key hive_test_user USER Select false -1 hive_test_user +default authorization_part [2010] [key] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: show grant user hive_test_user on table authorization_part(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) POSTHOOK: type: SHOW_GRANT POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part key hive_test_user USER Select false -1 hive_test_user +default authorization_part [key] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@authorization_part 
@@ -161,7 +161,7 @@ POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) POSTHOOK: type: SHOW_GRANT POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part [2010] key hive_test_user USER Select false -1 hive_test_user +default authorization_part [2010] [key] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@authorization_part @@ -226,9 +226,9 @@ show grant user hive_test_user on table authorization_part POSTHOOK: type: SHOW_GRANT POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part hive_test_user USER Create false -1 hive_test_user -default authorization_part hive_test_user USER Drop false -1 hive_test_user -default authorization_part hive_test_user USER Update false -1 hive_test_user +default authorization_part hive_test_user USER CREATE false -1 hive_test_user +default authorization_part hive_test_user USER DROP false -1 hive_test_user +default authorization_part hive_test_user USER UPDATE false -1 hive_test_user PREHOOK: query: alter table authorization_part add partition (ds='2010') PREHOOK: type: ALTERTABLE_ADDPARTS PREHOOK: Output: default@authorization_part 
@@ -244,9 +244,9 @@ POSTHOOK: query: show grant user hive_test_user on table authorization_part part POSTHOOK: type: SHOW_GRANT POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part [2010] hive_test_user USER Create false -1 hive_test_user -default authorization_part [2010] hive_test_user USER Drop false -1 hive_test_user -default authorization_part [2010] hive_test_user USER Update false -1 hive_test_user +default authorization_part [2010] hive_test_user USER CREATE false -1 hive_test_user +default authorization_part [2010] hive_test_user USER DROP false -1 hive_test_user +default authorization_part [2010] hive_test_user USER UPDATE false -1 hive_test_user PREHOOK: query: grant select on table authorization_part to user hive_test_user PREHOOK: type: GRANT_PRIVILEGE PREHOOK: Output: default@authorization_part 
@@ -285,10 +285,10 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part [2010] hive_test_user USER Create false -1 hive_test_user -default authorization_part [2010] hive_test_user USER Drop false -1 hive_test_user -default authorization_part [2010] hive_test_user USER Select false -1 hive_test_user -default authorization_part [2010] hive_test_user USER Update false -1 hive_test_user +default authorization_part [2010] hive_test_user USER CREATE false -1 hive_test_user +default authorization_part [2010] hive_test_user USER DROP false -1 hive_test_user +default authorization_part [2010] hive_test_user USER SELECT false -1 hive_test_user +default authorization_part [2010] hive_test_user USER UPDATE false -1 hive_test_user PREHOOK: query: show grant user hive_test_user on table authorization_part PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part 
@@ -297,10 +297,10 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part hive_test_user USER Create false -1 hive_test_user -default authorization_part hive_test_user USER Drop false -1 hive_test_user -default authorization_part hive_test_user USER Select false -1 hive_test_user -default authorization_part hive_test_user USER Update false -1 hive_test_user +default authorization_part hive_test_user USER CREATE false -1 hive_test_user +default authorization_part hive_test_user USER DROP false -1 hive_test_user +default authorization_part hive_test_user USER UPDATE false -1 hive_test_user +default authorization_part hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@authorization_part 
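Review bot: The new expected rows in this hunk list the table-level grants as CREATE, DROP, UPDATE, SELECT, while the partition-level hunks at -285 and -364 in the same file list CREATE, DROP, SELECT, UPDATE. The old output was alphabetical in all three places, so the new SHOW GRANT path seems to have stopped sorting by privilege name. The `show grant on all` hunk at -63 in authorization_9.q.out shows a similar shift, with rows now grouped by principal rather than by column. If the order comes from whatever sequence the metastore returns, these golden files can fail intermittently, and people reading or scripting against grant listings lose a stable layout. I would sort the rows on a fixed key (object, principal, privilege) in the code that formats the SHOW GRANT result before writing them out. Failing that, the commit description should say what ordering is guaranteed.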
@@ -353,9 +353,9 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part hive_test_user USER Create false -1 hive_test_user -default authorization_part hive_test_user USER Drop false -1 hive_test_user -default authorization_part hive_test_user USER Update false -1 hive_test_user +default authorization_part hive_test_user USER CREATE false -1 hive_test_user +default authorization_part hive_test_user USER DROP false -1 hive_test_user +default authorization_part hive_test_user USER UPDATE false -1 hive_test_user PREHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010') PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010') 
@@ -364,10 +364,10 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part [2010] hive_test_user USER Create false -1 hive_test_user -default authorization_part [2010] hive_test_user USER Drop false -1 hive_test_user -default authorization_part [2010] hive_test_user USER Select false -1 hive_test_user -default authorization_part [2010] hive_test_user USER Update false -1 hive_test_user +default authorization_part [2010] hive_test_user USER CREATE false -1 hive_test_user +default authorization_part [2010] hive_test_user USER DROP false -1 hive_test_user +default authorization_part [2010] hive_test_user USER SELECT false -1 hive_test_user +default authorization_part [2010] hive_test_user USER UPDATE false -1 hive_test_user PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@authorization_part 
@@ -420,9 +420,9 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part [2010] hive_test_user USER Create false -1 hive_test_user -default authorization_part [2010] hive_test_user USER Drop false -1 hive_test_user -default authorization_part [2010] hive_test_user USER Update false -1 hive_test_user +default authorization_part [2010] hive_test_user USER CREATE false -1 hive_test_user +default authorization_part [2010] hive_test_user USER DROP false -1 hive_test_user +default authorization_part [2010] hive_test_user USER UPDATE false -1 hive_test_user PREHOOK: query: alter table authorization_part drop partition (ds='2010') PREHOOK: type: ALTERTABLE_DROPPARTS PREHOOK: Input: default@authorization_part 
@@ -512,7 +512,7 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part [2010] key hive_test_group1 GROUP Select false -1 hive_test_user +default authorization_part [2010] [key] hive_test_group1 GROUP SELECT false -1 hive_test_user PREHOOK: query: show grant group hive_test_group1 on table authorization_part(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant group hive_test_group1 on table authorization_part(key) @@ -523,7 +523,7 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part key hive_test_group1 GROUP Select false -1 hive_test_user +default authorization_part [key] hive_test_group1 GROUP SELECT false -1 hive_test_user PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@authorization_part 
@@ -592,7 +592,7 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part [2010] key hive_test_group1 GROUP Select false -1 hive_test_user +default authorization_part [2010] [key] hive_test_group1 GROUP SELECT false -1 hive_test_user PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@authorization_part @@ -754,7 +754,7 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part [2010] hive_test_group1 GROUP Select false -1 hive_test_user +default authorization_part [2010] hive_test_group1 GROUP SELECT false -1 hive_test_user PREHOOK: query: show grant group hive_test_group1 on table authorization_part PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant group hive_test_group1 on table authorization_part 
@@ -767,7 +767,7 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part hive_test_group1 GROUP Select false -1 hive_test_user +default authorization_part hive_test_group1 GROUP SELECT false -1 hive_test_user PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@authorization_part @@ -844,7 +844,7 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part [2010] hive_test_group1 GROUP Select false -1 hive_test_user +default authorization_part [2010] hive_test_group1 GROUP SELECT false -1 hive_test_user PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@authorization_part 
diff --git ql/src/test/results/clientpositive/authorization_3.q.out ql/src/test/results/clientpositive/authorization_3.q.out index 834909c..8de1daf 100644 --- ql/src/test/results/clientpositive/authorization_3.q.out +++ ql/src/test/results/clientpositive/authorization_3.q.out @@ -25,8 +25,8 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table src_autho_test POSTHOOK: type: SHOW_GRANT -default src_autho_test hive_test_user USER Drop false -1 hive_test_user -default src_autho_test hive_test_user USER Select false -1 hive_test_user +default src_autho_test hive_test_user USER DROP false -1 hive_test_user +default src_autho_test hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: revoke select on table src_autho_test from user hive_test_user PREHOOK: type: REVOKE_PRIVILEGE PREHOOK: Output: default@src_autho_test @@ -49,8 +49,8 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table src_autho_test POSTHOOK: type: SHOW_GRANT -default src_autho_test hive_test_user USER Drop false -1 hive_test_user -default src_autho_test hive_test_user USER Select false -1 hive_test_user +default src_autho_test hive_test_user USER DROP false -1 hive_test_user +default src_autho_test hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: revoke drop,select on table src_autho_test from user hive_test_user PREHOOK: type: REVOKE_PRIVILEGE PREHOOK: Output: default@src_autho_test 
@@ -67,7 +67,7 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table src_autho_test POSTHOOK: type: SHOW_GRANT -default src_autho_test hive_test_user USER Drop false -1 hive_test_user +default src_autho_test hive_test_user USER DROP false -1 hive_test_user PREHOOK: query: revoke drop,select(key), select(value) on table src_autho_test from user hive_test_user PREHOOK: type: REVOKE_PRIVILEGE PREHOOK: Output: default@src_autho_test diff --git ql/src/test/results/clientpositive/authorization_4.q.out ql/src/test/results/clientpositive/authorization_4.q.out index 1b745d8..881c128 100644 --- ql/src/test/results/clientpositive/authorization_4.q.out +++ ql/src/test/results/clientpositive/authorization_4.q.out @@ -19,7 +19,7 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table src_autho_test POSTHOOK: type: SHOW_GRANT -default src_autho_test hive_test_user USER All false -1 hive_test_user +default src_autho_test hive_test_user USER ALL false -1 hive_test_user PREHOOK: query: select key from src_autho_test order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@src_autho_test diff --git ql/src/test/results/clientpositive/authorization_5.q.out ql/src/test/results/clientpositive/authorization_5.q.out index 6f75dd1..7da3d70 100644 --- ql/src/test/results/clientpositive/authorization_5.q.out +++ ql/src/test/results/clientpositive/authorization_5.q.out 
@@ -24,8 +24,8 @@ PREHOOK: query: SHOW GRANT USER hive_test_user ON DATABASE test_db PREHOOK: type: SHOW_GRANT POSTHOOK: query: SHOW GRANT USER hive_test_user ON DATABASE test_db POSTHOOK: type: SHOW_GRANT -test_db hive_test_user USER Drop false -1 hive_test_user -test_db hive_test_user USER Select false -1 hive_test_user +test_db hive_test_user USER DROP false -1 hive_test_user +test_db hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: CREATE ROLE db_test_role PREHOOK: type: CREATEROLE POSTHOOK: query: CREATE ROLE db_test_role @@ -52,8 +52,8 @@ PREHOOK: query: SHOW GRANT ROLE db_test_role ON DATABASE test_db PREHOOK: type: SHOW_GRANT POSTHOOK: query: SHOW GRANT ROLE db_test_role ON DATABASE test_db POSTHOOK: type: SHOW_GRANT -test_db db_test_role ROLE Drop false -1 hive_test_user -test_db db_test_role ROLE Select false -1 hive_test_user +test_db db_test_role ROLE DROP false -1 hive_test_user +test_db db_test_role ROLE SELECT false -1 hive_test_user PREHOOK: query: DROP DATABASE IF EXISTS test_db PREHOOK: type: DROPDATABASE PREHOOK: Input: database:test_db diff --git ql/src/test/results/clientpositive/authorization_6.q.out ql/src/test/results/clientpositive/authorization_6.q.out index 41696b1..610ef56 100644 --- ql/src/test/results/clientpositive/authorization_6.q.out +++ ql/src/test/results/clientpositive/authorization_6.q.out 
@@ -54,9 +54,9 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part POSTHOOK: type: SHOW_GRANT -default authorization_part hive_test_user USER Create false -1 hive_test_user -default authorization_part hive_test_user USER Drop false -1 hive_test_user -default authorization_part hive_test_user USER Update false -1 hive_test_user +default authorization_part hive_test_user USER CREATE false -1 hive_test_user +default authorization_part hive_test_user USER DROP false -1 hive_test_user +default authorization_part hive_test_user USER UPDATE false -1 hive_test_user PREHOOK: query: grant select(key) on table authorization_part to user hive_test_user PREHOOK: type: GRANT_PRIVILEGE PREHOOK: Output: default@authorization_part @@ -93,7 +93,7 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2011).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2011).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part [2010] key hive_test_user USER Select false -1 hive_test_user +default authorization_part [2010] [key] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: show grant user hive_test_user on table authorization_part(key) partition (ds='2011') PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) partition (ds='2011') 
@@ -102,7 +102,7 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2011).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2011).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part [2011] key hive_test_user USER Select false -1 hive_test_user +default authorization_part [2011] [key] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: show grant user hive_test_user on table authorization_part(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) @@ -111,7 +111,7 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2011).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2011).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part key hive_test_user USER Select false -1 hive_test_user +default authorization_part [key] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: select key from authorization_part where ds>='2010' order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@authorization_part 
@@ -211,8 +211,8 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2010).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2011).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2011).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part hive_test_user USER Create false -1 hive_test_user -default authorization_part hive_test_user USER Update false -1 hive_test_user +default authorization_part hive_test_user USER CREATE false -1 hive_test_user +default authorization_part hive_test_user USER UPDATE false -1 hive_test_user PREHOOK: query: grant select(key) on table authorization_part to user hive_test_user PREHOOK: type: GRANT_PRIVILEGE PREHOOK: Output: default@authorization_part @@ -289,7 +289,7 @@ POSTHOOK: Lineage: authorization_part PARTITION(ds=2011).key EXPRESSION [(src_au POSTHOOK: Lineage: authorization_part PARTITION(ds=2011).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2011).key EXPRESSION [(src_auth_tmp)src_auth_tmp.FieldSchema(name:key, type:string, comment:null), ] POSTHOOK: Lineage: authorization_part PARTITION(ds=2011).value SIMPLE [(src_auth_tmp)src_auth_tmp.FieldSchema(name:value, type:string, comment:null), ] -default authorization_part key hive_test_user USER Select false -1 hive_test_user +default authorization_part [key] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: select key from authorization_part where ds>='2010' order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@authorization_part 
diff --git ql/src/test/results/clientpositive/authorization_9.q.out ql/src/test/results/clientpositive/authorization_9.q.out index 226ce28..e80d400 100644 --- ql/src/test/results/clientpositive/authorization_9.q.out +++ ql/src/test/results/clientpositive/authorization_9.q.out @@ -29,20 +29,20 @@ PREHOOK: query: show grant user hive_test_user on database default PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on database default POSTHOOK: type: SHOW_GRANT -default hive_test_user USER Select false -1 hive_test_user +default hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: show grant user hive_test_user on table dummy PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table dummy POSTHOOK: type: SHOW_GRANT -default dummy hive_test_user USER Select false -1 hive_test_user +default dummy hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: show grant user hive_test_user on all PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on all POSTHOOK: type: SHOW_GRANT -default hive_test_user USER Select false -1 hive_test_user -default dummy hive_test_user USER Select false -1 hive_test_user -default dummy key hive_test_user USER Select false -1 hive_test_user -default dummy value hive_test_user USER Select false -1 hive_test_user +default hive_test_user USER SELECT false -1 hive_test_user +default dummy hive_test_user USER SELECT false -1 hive_test_user +default dummy [key] hive_test_user USER SELECT false -1 hive_test_user +default dummy [value] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: grant select on database default to user hive_test_user2 PREHOOK: type: GRANT_PRIVILEGE POSTHOOK: query: grant select on database default to user hive_test_user2 
@@ -63,12 +63,12 @@ PREHOOK: query: show grant on all PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant on all POSTHOOK: type: SHOW_GRANT - admin ROLE All true -1 admin -default hive_test_user USER Select false -1 hive_test_user -default hive_test_user2 USER Select false -1 hive_test_user -default dummy hive_test_user USER Select false -1 hive_test_user -default dummy hive_test_user2 USER Select false -1 hive_test_user -default dummy key hive_test_user USER Select false -1 hive_test_user -default dummy key hive_test_user2 USER Select false -1 hive_test_user -default dummy value hive_test_user USER Select false -1 hive_test_user -default dummy value hive_test_user2 USER Select false -1 hive_test_user + admin ROLE ALL true -1 admin +default hive_test_user USER SELECT false -1 hive_test_user +default hive_test_user2 USER SELECT false -1 hive_test_user +default dummy hive_test_user USER SELECT false -1 hive_test_user +default dummy hive_test_user2 USER SELECT false -1 hive_test_user +default dummy [key] hive_test_user USER SELECT false -1 hive_test_user +default dummy [value] hive_test_user USER SELECT false -1 hive_test_user +default dummy [key] hive_test_user2 USER SELECT false -1 hive_test_user +default dummy [value] hive_test_user2 USER SELECT false -1 hive_test_user