diff --git a/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java b/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java index 4b4f4f2..2a39163 100644 --- a/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java +++ b/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java @@ -3050,6 +3050,9 @@ public boolean grantRole(Role role, String userName, throw new InvalidObjectException("Principal " + userName + " already has the role " + role.getRoleName()); } + if (principalType == PrincipalType.ROLE) { + validateRole(userName); + } openTransaction(); MRole mRole = getMRole(role.getRoleName()); long now = System.currentTimeMillis()/1000; @@ -3066,6 +3069,19 @@ public boolean grantRole(Role role, String userName, return success; } + /** + * Verify that role with given name exists, if not throw exception + * @param roleName + * @throws NoSuchObjectException + */ + private void validateRole(String roleName) throws NoSuchObjectException { + // if grantee is a role, check if it exists + MRole granteeRole = getMRole(roleName); + if (granteeRole == null) { + throw new NoSuchObjectException("Role " + roleName + " does not exist"); + } + } + @Override public boolean revokeRole(Role role, String userName, PrincipalType principalType) throws MetaException, NoSuchObjectException { boolean success = false; @@ -3698,6 +3714,10 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce boolean grantOption = privDef.getGrantInfo().isGrantOption(); privSet.clear(); + if(principalType == PrincipalType.ROLE){ + validateRole(userName); + } + if (hiveObject.getObjectType() == HiveObjectType.GLOBAL) { List globalPrivs = this .listPrincipalGlobalGrants(userName, principalType); diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java index 62b8994..dd4cd22 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java @@ -40,8 +40,16 @@ public String toString() { private final HivePrincipalType type; public HivePrincipal(String name, HivePrincipalType type){ - this.name = name; this.type = type; + if (type == HivePrincipalType.ROLE) { + // lower case role to make operations on it case insensitive + // when the old default authorization gets deprecated, this can move + // to ObjectStore code base + this.name = name.toLowerCase(); + } else { + this.name = name; + } + } public String getName() { return name; diff --git a/ql/src/test/queries/clientnegative/authorization_role_grant_nosuchrole.q b/ql/src/test/queries/clientnegative/authorization_role_grant_nosuchrole.q new file mode 100644 index 0000000..f456165 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_role_grant_nosuchrole.q @@ -0,0 +1,13 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set user.name=hive_admin_user; + +set role ADMIN; + +---------------------------------------- +-- granting role to a role that does not exist should fail +---------------------------------------- + +create role role1; +grant role1 to role nosuchrole; diff --git a/ql/src/test/queries/clientnegative/authorization_table_grant_nosuchrole.q b/ql/src/test/queries/clientnegative/authorization_table_grant_nosuchrole.q new file mode 100644 index 0000000..2065093 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_table_grant_nosuchrole.q @@ -0,0 +1,8 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; + +---------------------------------------- +-- granting object privilege to a role that does not exist should fail +---------------------------------------- +create table t1(i int); +grant ALL on t1 to role nosuchrole; diff --git a/ql/src/test/queries/clientpositive/authorization_1_sql_std.q b/ql/src/test/queries/clientpositive/authorization_1_sql_std.q index 79ae17a..381937c 100644 --- a/ql/src/test/queries/clientpositive/authorization_1_sql_std.q +++ b/ql/src/test/queries/clientpositive/authorization_1_sql_std.q @@ -24,13 +24,14 @@ show role grant user user_sauth; --table grant to role -grant select on table src_autho_test to role src_role; +-- also verify case insesitive behavior of role name +grant select on table src_autho_test to role Src_ROle; show grant role src_role on table src_autho_test; -revoke select on table src_autho_test from role src_role; +revoke select on table src_autho_test from role src_rolE; -- drop role -drop role src_role; +drop role SRc_role; set hive.security.authorization.enabled=false; drop table src_autho_test; diff --git a/ql/src/test/queries/clientpositive/authorization_role_grant1.q b/ql/src/test/queries/clientpositive/authorization_role_grant1.q index f89d0dc..051bdee 100644 --- a/ql/src/test/queries/clientpositive/authorization_role_grant1.q +++ b/ql/src/test/queries/clientpositive/authorization_role_grant1.q @@ -5,14 +5,16 @@ set user.name=hive_admin_user; -- enable sql standard authorization -- role granting without role keyword +-- also test role being treated as case insensitive set role ADMIN; -create role src_role2; -grant src_role2 to user user2 ; +create role src_Role2; + +grant SRC_role2 to user user2 ; show role grant user user2; show roles; -- revoke role without role keyword -revoke src_role2 from user user2; +revoke src_rolE2 from user user2; show role grant user user2; show roles; @@ -21,18 +23,16 @@ show roles; ---------------------------------------- create role src_role_wadmin; -grant src_role_wadmin to user user2 with admin option; +grant src_role_wadmin to user user2 with admin option; show role grant user user2; -- revoke role without role keyword revoke src_role_wadmin from user user2; show role grant user user2; - - -- drop roles show roles; -drop role src_role2; +drop role Src_role2; show roles; -drop role src_role_wadmin; +drop role sRc_role_wadmin; show roles; diff --git a/ql/src/test/queries/clientpositive/authorization_role_grant2.q b/ql/src/test/queries/clientpositive/authorization_role_grant2.q index 984d7ed..fd6aa38 100644 --- a/ql/src/test/queries/clientpositive/authorization_role_grant2.q +++ b/ql/src/test/queries/clientpositive/authorization_role_grant2.q @@ -9,25 +9,38 @@ set role ADMIN; ---------------------------------------- -- role granting with admin option ---------------------------------------- +-- Also test case sensitivity of role name -create role src_role_wadmin; -grant src_role_wadmin to user user2 with admin option; +create role srC_role_wadmin; +create role src_roLe2; +grant src_role_wadmin to user user2 with admin option; show role grant user user2; show principals src_role_wadmin; + set user.name=user2; -set role src_role_wadmin; -grant src_role_wadmin to user user3; +set role src_role_WadMin; +-- grant role to another user +grant src_Role_wadmin to user user3; show role grant user user3; +-- grant role to another role +grant src_role_wadmin to role sRc_role2;; +show role grant role src_Role2;; + + set user.name=hive_admin_user; set role ADMIN; -show principals src_role_wadmin; +show principals src_ROle_wadmin; set user.name=user2; set role src_role_wadmin; -revoke src_role_wadmin from user user3; +-- revoke user from role +revoke src_rolE_wadmin from user user3; show role grant user user3; +-- revoke role from role +revoke src_rolE_wadmin from role sRc_role2; +show role grant role sRc_role2; set user.name=hive_admin_user; set role ADMIN; diff --git a/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out b/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out new file mode 100644 index 0000000..6193103 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out @@ -0,0 +1,19 @@ +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: ---------------------------------------- +-- granting role to a role that does not exist should fail +---------------------------------------- + +create role role1 +PREHOOK: type: CREATEROLE +POSTHOOK: query: ---------------------------------------- +-- granting role to a role that does not exist should fail +---------------------------------------- + +create role role1 +POSTHOOK: type: CREATEROLE +PREHOOK: query: grant role1 to role nosuchrole +PREHOOK: type: GRANT_ROLE +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Error granting roles for nosuchrole to role role1: NoSuchObjectException(message:Role nosuchrole does not exist) diff --git a/ql/src/test/results/clientnegative/authorization_table_grant_nosuchrole.q.out b/ql/src/test/results/clientnegative/authorization_table_grant_nosuchrole.q.out new file mode 100644 index 0000000..4988506 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_table_grant_nosuchrole.q.out @@ -0,0 +1,17 @@ +PREHOOK: query: ---------------------------------------- +-- granting role to a role that does not exist should fail +---------------------------------------- +create table t1(i int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +POSTHOOK: query: ---------------------------------------- +-- granting role to a role that does not exist should fail +---------------------------------------- +create table t1(i int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@t1 +PREHOOK: query: grant ALL on t1 to role nosuchrole +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@t1 +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error granting privileges: NoSuchObjectException(message:Role nosuchrole does not exist) diff --git a/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out b/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out index 718ff31..84cd005 100644 --- a/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out +++ b/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out @@ -52,12 +52,14 @@ public false -1 src_role false -1 hive_admin_user PREHOOK: query: --table grant to role -grant select on table src_autho_test to role src_role +-- also verify case insesitive behavior of role name +grant select on table src_autho_test to role Src_ROle PREHOOK: type: GRANT_PRIVILEGE PREHOOK: Output: default@src_autho_test POSTHOOK: query: --table grant to role -grant select on table src_autho_test to role src_role +-- also verify case insesitive behavior of role name +grant select on table src_autho_test to role Src_ROle POSTHOOK: type: GRANT_PRIVILEGE POSTHOOK: Output: default@src_autho_test PREHOOK: query: show grant role src_role on table src_autho_test @@ -65,17 +67,17 @@ PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant role src_role on table src_autho_test POSTHOOK: type: SHOW_GRANT default src_autho_test src_role ROLE SELECT false -1 hive_admin_user -PREHOOK: query: revoke select on table src_autho_test from role src_role +PREHOOK: query: revoke select on table src_autho_test from role src_rolE PREHOOK: type: REVOKE_PRIVILEGE PREHOOK: Output: default@src_autho_test -POSTHOOK: query: revoke select on table src_autho_test from role src_role +POSTHOOK: query: revoke select on table src_autho_test from role src_rolE POSTHOOK: type: REVOKE_PRIVILEGE POSTHOOK: Output: default@src_autho_test PREHOOK: query: -- drop role -drop role src_role +drop role SRc_role PREHOOK: type: DROPROLE POSTHOOK: query: -- drop role -drop role src_role +drop role SRc_role POSTHOOK: type: DROPROLE PREHOOK: query: drop table src_autho_test PREHOOK: type: DROPTABLE diff --git a/ql/src/test/results/clientpositive/authorization_role_grant1.q.out b/ql/src/test/results/clientpositive/authorization_role_grant1.q.out index 3c846eb..cdbcb26 100644 --- a/ql/src/test/results/clientpositive/authorization_role_grant1.q.out +++ b/ql/src/test/results/clientpositive/authorization_role_grant1.q.out @@ -1,18 +1,20 @@ PREHOOK: query: -- enable sql standard authorization -- role granting without role keyword +-- also test role being treated as case insensitive set role ADMIN PREHOOK: type: SHOW_ROLES POSTHOOK: query: -- enable sql standard authorization -- role granting without role keyword +-- also test role being treated as case insensitive set role ADMIN POSTHOOK: type: SHOW_ROLES -PREHOOK: query: create role src_role2 +PREHOOK: query: create role src_Role2 PREHOOK: type: CREATEROLE -POSTHOOK: query: create role src_role2 +POSTHOOK: query: create role src_Role2 POSTHOOK: type: CREATEROLE -PREHOOK: query: grant src_role2 to user user2 +PREHOOK: query: grant SRC_role2 to user user2 PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant src_role2 to user user2 +POSTHOOK: query: grant SRC_role2 to user user2 POSTHOOK: type: GRANT_ROLE PREHOOK: query: show role grant user user2 PREHOOK: type: SHOW_ROLE_GRANT @@ -29,10 +31,10 @@ public src_role2 PREHOOK: query: -- revoke role without role keyword -revoke src_role2 from user user2 +revoke src_rolE2 from user user2 PREHOOK: type: REVOKE_ROLE POSTHOOK: query: -- revoke role without role keyword -revoke src_role2 from user user2 +revoke src_rolE2 from user user2 POSTHOOK: type: REVOKE_ROLE PREHOOK: query: show role grant user user2 PREHOOK: type: SHOW_ROLE_GRANT @@ -59,9 +61,9 @@ POSTHOOK: query: ---------------------------------------- create role src_role_wadmin POSTHOOK: type: CREATEROLE -PREHOOK: query: grant src_role_wadmin to user user2 with admin option +PREHOOK: query: grant src_role_wadmin to user user2 with admin option PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant src_role_wadmin to user user2 with admin option +POSTHOOK: query: grant src_role_wadmin to user user2 with admin option POSTHOOK: type: GRANT_ROLE PREHOOK: query: show role grant user user2 PREHOOK: type: SHOW_ROLE_GRANT @@ -91,9 +93,9 @@ public src_role2 src_role_wadmin -PREHOOK: query: drop role src_role2 +PREHOOK: query: drop role Src_role2 PREHOOK: type: DROPROLE -POSTHOOK: query: drop role src_role2 +POSTHOOK: query: drop role Src_role2 POSTHOOK: type: DROPROLE PREHOOK: query: show roles PREHOOK: type: SHOW_ROLES @@ -103,9 +105,9 @@ admin public src_role_wadmin -PREHOOK: query: drop role src_role_wadmin +PREHOOK: query: drop role sRc_role_wadmin PREHOOK: type: DROPROLE -POSTHOOK: query: drop role src_role_wadmin +POSTHOOK: query: drop role sRc_role_wadmin POSTHOOK: type: DROPROLE PREHOOK: query: show roles PREHOOK: type: SHOW_ROLES diff --git a/ql/src/test/results/clientpositive/authorization_role_grant2.q.out b/ql/src/test/results/clientpositive/authorization_role_grant2.q.out index 1e8f88a..fdc79b5 100644 --- a/ql/src/test/results/clientpositive/authorization_role_grant2.q.out +++ b/ql/src/test/results/clientpositive/authorization_role_grant2.q.out @@ -5,18 +5,24 @@ POSTHOOK: type: SHOW_ROLES PREHOOK: query: ---------------------------------------- -- role granting with admin option ---------------------------------------- +-- Also test case sensitivity of role name -create role src_role_wadmin +create role srC_role_wadmin PREHOOK: type: CREATEROLE POSTHOOK: query: ---------------------------------------- -- role granting with admin option ---------------------------------------- +-- Also test case sensitivity of role name -create role src_role_wadmin +create role srC_role_wadmin POSTHOOK: type: CREATEROLE -PREHOOK: query: grant src_role_wadmin to user user2 with admin option +PREHOOK: query: create role src_roLe2 +PREHOOK: type: CREATEROLE +POSTHOOK: query: create role src_roLe2 +POSTHOOK: type: CREATEROLE +PREHOOK: query: grant src_role_wadmin to user user2 with admin option PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant src_role_wadmin to user user2 with admin option +POSTHOOK: query: grant src_role_wadmin to user user2 with admin option POSTHOOK: type: GRANT_ROLE PREHOOK: query: show role grant user user2 PREHOOK: type: SHOW_ROLE_GRANT @@ -31,13 +37,15 @@ POSTHOOK: query: show principals src_role_wadmin POSTHOOK: type: SHOW_ROLE_PRINCIPALS principal_name principal_type grant_option grantor grantor_type grant_time user2 USER true hive_admin_user USER -1 -PREHOOK: query: set role src_role_wadmin +PREHOOK: query: set role src_role_WadMin PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role src_role_wadmin +POSTHOOK: query: set role src_role_WadMin POSTHOOK: type: SHOW_ROLES -PREHOOK: query: grant src_role_wadmin to user user3 +PREHOOK: query: -- grant role to another user +grant src_Role_wadmin to user user3 PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant src_role_wadmin to user user3 +POSTHOOK: query: -- grant role to another user +grant src_Role_wadmin to user user3 POSTHOOK: type: GRANT_ROLE PREHOOK: query: show role grant user user3 PREHOOK: type: SHOW_ROLE_GRANT @@ -46,24 +54,39 @@ POSTHOOK: type: SHOW_ROLE_GRANT role grant_option grant_time grantor public false -1 src_role_wadmin false -1 user2 +PREHOOK: query: -- grant role to another role +grant src_role_wadmin to role sRc_role2 +PREHOOK: type: GRANT_ROLE +POSTHOOK: query: -- grant role to another role +grant src_role_wadmin to role sRc_role2 +POSTHOOK: type: GRANT_ROLE +PREHOOK: query: show role grant role src_Role2 +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant role src_Role2 +POSTHOOK: type: SHOW_ROLE_GRANT +role grant_option grant_time grantor +src_role_wadmin false -1 user2 PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES POSTHOOK: query: set role ADMIN POSTHOOK: type: SHOW_ROLES -PREHOOK: query: show principals src_role_wadmin +PREHOOK: query: show principals src_ROle_wadmin PREHOOK: type: SHOW_ROLE_PRINCIPALS -POSTHOOK: query: show principals src_role_wadmin +POSTHOOK: query: show principals src_ROle_wadmin POSTHOOK: type: SHOW_ROLE_PRINCIPALS principal_name principal_type grant_option grantor grantor_type grant_time +src_role2 ROLE false user2 USER -1 user2 USER true hive_admin_user USER -1 user3 USER false user2 USER -1 PREHOOK: query: set role src_role_wadmin PREHOOK: type: SHOW_ROLES POSTHOOK: query: set role src_role_wadmin POSTHOOK: type: SHOW_ROLES -PREHOOK: query: revoke src_role_wadmin from user user3 +PREHOOK: query: -- revoke user from role +revoke src_rolE_wadmin from user user3 PREHOOK: type: REVOKE_ROLE -POSTHOOK: query: revoke src_role_wadmin from user user3 +POSTHOOK: query: -- revoke user from role +revoke src_rolE_wadmin from user user3 POSTHOOK: type: REVOKE_ROLE PREHOOK: query: show role grant user user3 PREHOOK: type: SHOW_ROLE_GRANT @@ -71,6 +94,17 @@ POSTHOOK: query: show role grant user user3 POSTHOOK: type: SHOW_ROLE_GRANT role grant_option grant_time grantor public false -1 +PREHOOK: query: -- revoke role from role +revoke src_rolE_wadmin from role sRc_role2 +PREHOOK: type: REVOKE_ROLE +POSTHOOK: query: -- revoke role from role +revoke src_rolE_wadmin from role sRc_role2 +POSTHOOK: type: REVOKE_ROLE +PREHOOK: query: show role grant role sRc_role2 +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant role sRc_role2 +POSTHOOK: type: SHOW_ROLE_GRANT +role grant_option grant_time grantor PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES POSTHOOK: query: set role ADMIN