diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java
index 24f829f..5c3e91d 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java
@@ -877,7 +877,9 @@ private int grantOrRevokePrivilegesV2(List principals,
 private HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc)
 throws HiveException {
-
+ if(privSubjectDesc == null){
+ return new HivePrivilegeObject(null, null, null);
+ }
 String [] dbTable = Utilities.getDbTableName(privSubjectDesc.getObject());
 return new HivePrivilegeObject(getPrivObjectType(privSubjectDesc), dbTable[0], dbTable[1]);
 }
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
index e4f5aac..283968c 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
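Review bot: The new null branch in `getHivePrivilegeObject` returns a `HivePrivilegeObject` whose type, database and object name are all null, and nothing on the method says that this sentinel stands for "no object specified"; a reader of `showPrivileges(HivePrincipal, HivePrivilegeObject)` in SQLStdHiveAccessController has to discover on their own that every field of `privObj` may be null. Add a Javadoc summary such as `Builds the privilege object for a privilege statement; a null privSubjectDesc (no object clause) yields an object with null type, db and name, which callers must treat as "all objects".` The added guard also departs from the spacing used elsewhere in the commit (`if (principal == null) {`); `if (privSubjectDesc == null) {` would match.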
@@ -372,6 +372,39 @@ public void revokeRole(List hivePrincipals, List roleName
 public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
 throws HiveAuthzPluginException {
 try {
+
+ // First authorize the call
+ if (principal == null) {
+ // only the admin is allowed to list privileges for any user
+ if (!isUserAdmin()) {
+ throw new HiveAccessControlException("User : " + currentUserName + " has to specify"
+ + " a user name or role in the show grant. " + ADMIN_ONLY_MSG);
+ }
+ } else {
+ //principal is specified, authorize on it
+ if (!isUserAdmin()) {
+ // if user is not an admin user, allow the request only if the user is
+ // requesting for privileges for themselves or a role they belong to
+ switch (principal.getType()) {
+ case USER:
+ if (!principal.getName().equals(currentUserName)) {
+ throw new HiveAccessControlException("User : " + currentUserName + " is not"
+ + " allowed check privileges of another user : " + principal.getName() + ". "
+ + ADMIN_ONLY_MSG);
+ }
+ break;
+ case ROLE:
+ if (!userBelongsToRole(principal.getName())) {
+ throw new HiveAccessControlException("User : " + currentUserName + " is not"
+ + " allowed check privileges of a role it does not belong to : "
+ + principal.getName() + ". " + ADMIN_ONLY_MSG);
+ }
+ break;
+ default:
+ throw new AssertionError("Unexpected principal type " + principal.getType());
+ }
+ }
+ }
 IMetaStoreClient mClient = metastoreClientFactory.getHiveMetastoreClient();
 List resPrivInfos = new ArrayList();
 String principalName = principal == null ? null : principal.getName();
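Review bot: The access-control denials added at the top of the `try` are thrown from a method that declares only `throws HiveAuthzPluginException`, so they must be handled by the `catch` that lies outside this hunk; the expected outputs this commit adds (for instance authorization_show_grant_otheruser_wtab.q.out) report them as `Error showing privileges: User : user1 is not allowed ...`, which suggests the denial is wrapped into a generic plugin error and is no longer distinguishable from a metastore failure. Consider running the principal check before entering the `try` and letting `HiveAccessControlException` propagate, declaring it on the signature if the interface this class implements allows it — I cannot see that interface from here. Separately, the USER branch compares names with case-sensitive `equals` while the ROLE branch relies on `userBelongsToRole`, which uses `equalsIgnoreCase`; if user names are meant to be case-sensitive, a one-line comment saying so would stop the asymmetry from reading as an oversight. `showPrivileges` continues past the end of this hunk.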
@@ -396,6 +429,15 @@ public void revokeRole(List hivePrincipals, List roleName
 // result object
 HiveObjectRef msObjRef = msObjPriv.getHiveObject();
+
+ if (!isSupportedObjectType(msObjRef.getObjectType())) {
+ // metastore returns object type such as global GLOBAL
+ // when no object is specified.
+ // such privileges are not applicable to this authorization mode, so
+ // ignore them
+ continue;
+ }
+
 HivePrivilegeObject resPrivObj = new HivePrivilegeObject( getPluginObjType(msObjRef.getObjectType()), msObjRef.getDbName(), msObjRef.getObjectName());
@@ -416,6 +458,22 @@ public void revokeRole(List hivePrincipals, List roleName
 }
+ /**
+ * @param roleName
+ * @return true if roleName is the name of one of the roles (including the role hierarchy)
+ * that the user belongs to.
+ * @throws HiveAuthzPluginException
+ */
+ private boolean userBelongsToRole(String roleName) throws HiveAuthzPluginException {
+ for (HiveRoleGrant role : getRolesFromMS()) {
+ // set to one of the roles user belongs to.
+ if (role.getRoleName().equalsIgnoreCase(roleName)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
 private HivePrivilegeObjectType getPluginObjType(HiveObjectType objectType)
 throws HiveAuthzPluginException {
 switch (objectType) {
@@ -423,15 +481,21 @@ private HivePrivilegeObjectType getPluginObjType(HiveObjectType objectType)
 return HivePrivilegeObjectType.DATABASE;
 case TABLE:
 return HivePrivilegeObjectType.TABLE_OR_VIEW;
- case COLUMN:
- case GLOBAL:
- case PARTITION:
- throw new HiveAuthzPluginException("Unsupported object type " + objectType);
 default:
 throw new AssertionError("Unexpected object type " + objectType);
 }
 }
+ private boolean isSupportedObjectType(HiveObjectType objectType) {
+ switch (objectType) {
+ case DATABASE:
+ case TABLE:
+ return true;
+ default:
+ return false;
+ }
+ }
+
 @Override
 public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException {
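Review bot: The comment above the new `continue` is garbled — "object type such as global GLOBAL" — and does not say which object types survive the filter. Suggest `// the metastore may return object types other than DATABASE/TABLE (e.g. GLOBAL when no object is given); such privileges do not apply to this authorization mode, so skip them`. The loop this sits in starts and ends outside the hunk.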
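Review bot: The in-loop comment in `userBelongsToRole`, `// set to one of the roles user belongs to.`, describes nothing the loop does — nothing is assigned — and should go; the Javadoc's `@param roleName` is empty, and its claim that the role hierarchy is included depends entirely on what `getRolesFromMS()` returns, which is not in this hunk. Suggest `@param roleName role to look up; matched case-insensitively against the roles returned by getRolesFromMS()`, plus a sentence on where the hierarchy expansion happens if that claim is to stand. This case-insensitive match is the only check between a non-admin caller and another role's grants in `showPrivileges`, so it should agree with how role names are normalised elsewhere; the new authorization_show_grant.q.out lists the role created as `roleA` back as `rolea`, which supports the ignore-case choice and is worth stating in the comment.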
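Review bot: Dropping the explicit `HiveAuthzPluginException` for COLUMN, GLOBAL and PARTITION in `getPluginObjType` means any caller other than the now-filtered loop in `showPrivileges` will hit `AssertionError` for object types the metastore can legitimately return; `AssertionError` is an `Error`, so a `catch (Exception e)` boundary will not turn it into a user-facing failure. I cannot see the other call sites from here, but the safe form keeps the switch total over real inputs: `default: throw new HiveAuthzPluginException("Unsupported object type " + objectType);`. The supported set is now spelled out twice (here and in `isSupportedObjectType`), so a later addition to one switch silently diverges from the other; a shared `EnumSet` of supported types consulted by both, or at least a comment on each pointing at the other, would keep them aligned.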
diff --git a/ql/src/test/queries/clientnegative/authorization_insertoverwrite_nodel.q b/ql/src/test/queries/clientnegative/authorization_insertoverwrite_nodel.q index 90fe6e1..73cfe82 100644 --- a/ql/src/test/queries/clientnegative/authorization_insertoverwrite_nodel.q +++ b/ql/src/test/queries/clientnegative/authorization_insertoverwrite_nodel.q @@ -6,8 +6,11 @@ set user.name=hive_test_user; -- check insert overwrite without delete priv create table t1(i int); grant insert on table t1 to user user1; -show grant on table t1; + +show grant user hive_test_user on table t1; set user.name=user1; +show grant user user1 on table t1; + create table user1tab(i int); insert overwrite table t1 select * from user1tab; diff --git a/ql/src/test/queries/clientnegative/authorization_priv_current_role_neg.q b/ql/src/test/queries/clientnegative/authorization_priv_current_role_neg.q index bbf3b66..463358a 100644 --- a/ql/src/test/queries/clientnegative/authorization_priv_current_role_neg.q +++ b/ql/src/test/queries/clientnegative/authorization_priv_current_role_neg.q @@ -22,7 +22,10 @@ grant all on table tpriv_current_role to user user3; set role role2; -- switch to role2, grant should work grant all on table tpriv_current_role to user user4; + +set user.name=user4; show grant user user4 on table tpriv_current_role; +set user.name=user2; set role PUBLIC; -- set role to public, should fail as role2 is not one of the current roles diff --git a/ql/src/test/queries/clientnegative/authorization_show_grant_otherrole.q b/ql/src/test/queries/clientnegative/authorization_show_grant_otherrole.q new file mode 100644 index 0000000..a709d16 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_show_grant_otherrole.q 
@@ -0,0 +1,12 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set hive.security.authorization.enabled=true; + +set user.name=hive_admin_user; +set role admin; +create role role1; + + +set user.name=user1; +show grant role role1; diff --git a/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_all.q b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_all.q new file mode 100644 index 0000000..2073cda --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_all.q @@ -0,0 +1,7 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set hive.security.authorization.enabled=true; + +set user.name=user1; +show grant; diff --git a/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_alltabs.q b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_alltabs.q new file mode 100644 index 0000000..672b81b --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_alltabs.q @@ -0,0 +1,7 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set hive.security.authorization.enabled=true; + +set user.name=user1; +show grant user user2; 
diff --git a/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_wtab.q b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_wtab.q new file mode 100644 index 0000000..7d95a9d --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_wtab.q @@ -0,0 +1,9 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set hive.security.authorization.enabled=true; + +set user.name=user1; +create table t1(i int, j int, k int); + +show grant user user2 on table t1; diff --git a/ql/src/test/queries/clientpositive/authorization_grant_public_role.q b/ql/src/test/queries/clientpositive/authorization_grant_public_role.q index 8473178..9da33dc 100644 --- a/ql/src/test/queries/clientpositive/authorization_grant_public_role.q +++ b/ql/src/test/queries/clientpositive/authorization_grant_public_role.q @@ -10,7 +10,8 @@ CREATE TABLE t_gpr1(i int); GRANT ALL ON t_gpr1 TO ROLE public; -SHOW GRANT ON TABLE t_gpr1; +SHOW GRANT USER user1 ON TABLE t_gpr1; +SHOW GRANT ROLE public ON TABLE t_gpr1; set user.name=user2; SHOW CURRENT ROLES; diff --git a/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q b/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q index 02d364e..9c7a999 100644 --- a/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q +++ b/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q 
@@ -10,22 +10,29 @@ CREATE TABLE table_priv1(i int); -- grant insert privilege to another user GRANT INSERT ON table_priv1 TO USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv1; +set user.name=user1; -- grant select privilege to another user with grant GRANT SELECT ON table_priv1 TO USER user2 with grant option; -SHOW GRANT USER user2 ON TABLE table_priv1; set user.name=user2; --- change to other user - user2 +SHOW GRANT USER user2 ON TABLE table_priv1; + +-- changed to other user - user2 -- grant permissions to another user as user2 GRANT SELECT ON table_priv1 TO USER user3 with grant option; -SHOW GRANT USER user3 ON TABLE table_priv1; set user.name=user3; +SHOW GRANT USER user3 ON TABLE table_priv1; + -- change to other user - user3 -- grant permissions to another user as user3 GRANT SELECT ON table_priv1 TO USER user4 with grant option; + +set user.name=user4; SHOW GRANT USER user4 ON TABLE table_priv1; set user.name=user1; @@ -33,11 +40,12 @@ set user.name=user1; -- grant all with grant to user22 GRANT ALL ON table_priv1 TO USER user22 with grant option; -SHOW GRANT USER user22 ON TABLE table_priv1; set user.name=user22; +SHOW GRANT USER user22 ON TABLE table_priv1; -- grant all without grant to user33 GRANT ALL ON table_priv1 TO USER user33 with grant option; -SHOW GRANT USER user33 ON TABLE table_priv1; +set user.name=user33; +SHOW GRANT USER user33 ON TABLE table_priv1; diff --git a/ql/src/test/queries/clientpositive/authorization_insert.q b/ql/src/test/queries/clientpositive/authorization_insert.q index 5de6f50..6cce469 100644 --- a/ql/src/test/queries/clientpositive/authorization_insert.q +++ b/ql/src/test/queries/clientpositive/authorization_insert.q 
@@ -1,3 +1,4 @@ +set hive.users.in.admin.role=hive_admin_user; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; @@ -12,6 +13,9 @@ GRANT ALL ON TABLE t_select TO ROLE public; -- grant insert privilege to another user GRANT INSERT ON t_auth_ins TO USER userWIns; GRANT INSERT,DELETE ON t_auth_ins TO USER userWInsAndDel; + +set user.name=hive_admin_user; +set role admin; SHOW GRANT ON TABLE t_auth_ins; diff --git a/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q b/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q index ccda3b5..c8f4bc8 100644 --- a/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q +++ b/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q 
@@ -8,54 +8,88 @@ CREATE TABLE table_priv_rev(i int); -- grant insert privilege to user2 GRANT INSERT ON table_priv_rev TO USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; SHOW GRANT USER user2 ON ALL; +set user.name=user1; -- revoke insert privilege from user2 REVOKE INSERT ON TABLE table_priv_rev FROM USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; +set user.name=user1; -- grant all privileges one at a time -- -- grant insert privilege to user2 GRANT INSERT ON table_priv_rev TO USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; SHOW GRANT USER user2 ON ALL; +set user.name=user1; -- grant select privilege to user2, with grant option GRANT SELECT ON table_priv_rev TO USER user2 WITH GRANT OPTION; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; +set user.name=user1; -- grant update privilege to user2 GRANT UPDATE ON table_priv_rev TO USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; +set user.name=user1; -- grant delete privilege to user2 GRANT DELETE ON table_priv_rev TO USER user2; -SHOW GRANT USER user2 ON TABLE table_priv_rev; +set user.name=user2; +SHOW GRANT USER user2 ON TABLE table_priv_rev; +set user.name=user1; -- start revoking -- -- revoke update privilege from user2 REVOKE UPDATE ON TABLE table_priv_rev FROM USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; SHOW GRANT USER user2 ON ALL; +set user.name=user1; -- revoke DELETE privilege from user2 REVOKE DELETE ON TABLE table_priv_rev FROM USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; +set user.name=user1; -- revoke insert privilege from user2 REVOKE INSERT ON TABLE table_priv_rev FROM USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; +set user.name=user1; -- revoke select privilege from user2 REVOKE SELECT ON TABLE table_priv_rev FROM USER user2; + 
+set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; SHOW GRANT USER user2 ON ALL; +set user.name=user1; -- grant all followed by revoke all GRANT ALL ON table_priv_rev TO USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; +set user.name=user1; REVOKE ALL ON TABLE table_priv_rev FROM USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; diff --git a/ql/src/test/queries/clientpositive/authorization_show_grant.q b/ql/src/test/queries/clientpositive/authorization_show_grant.q new file mode 100644 index 0000000..ddbd64a --- /dev/null +++ b/ql/src/test/queries/clientpositive/authorization_show_grant.q @@ -0,0 +1,44 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set hive.security.authorization.enabled=true; + +set user.name=hive_admin_user; +set role admin; + +-- test show grant authorization + +create role roleA; +grant role roleA to user userA; + +set user.name=user1; + +-- create table and grant privileges to a role +create table t1(i int, j int, k int); +create table t2(i int, j int, k int); + +grant select on t1 to role roleA; +grant insert on t2 to role roleA; + +grant insert,delete on t1 to user userA; +grant select,insert on t2 to user userA; + + +set user.name=hive_admin_user; +set role admin; + +-- as user in admin role, it should be possible to see other users grant +show grant user user1 on table t1; +show grant user user1; +show grant role roleA on table t1; +show grant role roleA; +show grant; + + +set user.name=userA; +-- user belonging to role should be able to see it +show grant role roleA on table t1; +show grant role roleA; + +show grant user userA on table t1; +show grant user userA; 
diff --git a/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q b/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q index bd7bbfe..3418e47 100644 --- a/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q +++ b/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q @@ -7,7 +7,7 @@ set user.name=user1; -- Test view authorization , and 'show grant' variants create table t1(i int, j int, k int); -show grant on table t1; +show grant user user1 on table t1; -- protecting certain columns create view vt1 as select i,k from t1; @@ -23,7 +23,9 @@ show grant user user1 on all; grant select on vt1 to user user2; grant insert on table vt1 to user user3; +set user.name=user2; show grant user user2 on table vt1; +set user.name=user3; show grant user user3 on table vt1; @@ -33,20 +35,30 @@ select * from vt1; set user.name=user1; grant all on table vt2 to user user2; + +set user.name=user2; show grant user user2 on table vt2; show grant user user2 on all; +set user.name=user1; revoke all on vt2 from user user2; + +set user.name=user2; show grant user user2 on table vt2; -show grant on table vt2; +set user.name=hive_admin_user; +set role admin; +show grant on table vt2; +set user.name=user1; revoke select on table vt1 from user user2; -show grant user user2 on table vt1; +set user.name=user2; +show grant user user2 on table vt1; show grant user user2 on all; +set user.name=user3; -- grant privileges on roles for view, after next statement show grant user user3 on table vt1; diff --git a/ql/src/test/results/clientnegative/authorization_insertoverwrite_nodel.q.out b/ql/src/test/results/clientnegative/authorization_insertoverwrite_nodel.q.out index de1d230..fa0f7f7 100644 --- a/ql/src/test/results/clientnegative/authorization_insertoverwrite_nodel.q.out +++ b/ql/src/test/results/clientnegative/authorization_insertoverwrite_nodel.q.out 
@@ -13,14 +13,18 @@ PREHOOK: Output: default@t1 POSTHOOK: query: grant insert on table t1 to user user1 POSTHOOK: type: GRANT_PRIVILEGE POSTHOOK: Output: default@t1 -PREHOOK: query: show grant on table t1 +PREHOOK: query: show grant user hive_test_user on table t1 PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant on table t1 +POSTHOOK: query: show grant user hive_test_user on table t1 POSTHOOK: type: SHOW_GRANT default t1 hive_test_user USER DELETE true -1 hive_test_user default t1 hive_test_user USER INSERT true -1 hive_test_user default t1 hive_test_user USER SELECT true -1 hive_test_user default t1 hive_test_user USER UPDATE true -1 hive_test_user +PREHOOK: query: show grant user user1 on table t1 +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user user1 on table t1 +POSTHOOK: type: SHOW_GRANT default t1 user1 USER INSERT false -1 hive_test_user PREHOOK: query: create table user1tab(i int) PREHOOK: type: CREATETABLE diff --git a/ql/src/test/results/clientnegative/authorization_show_grant_otherrole.q.out b/ql/src/test/results/clientnegative/authorization_show_grant_otherrole.q.out new file mode 100644 index 0000000..736e693 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_show_grant_otherrole.q.out @@ -0,0 +1,11 @@ +PREHOOK: query: set role admin +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role admin +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: create role role1 +PREHOOK: type: CREATEROLE +POSTHOOK: query: create role role1 +POSTHOOK: type: CREATEROLE +PREHOOK: query: show grant role role1 +PREHOOK: type: SHOW_GRANT +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error showing privileges: User : user1 is not allowed check privileges of a role it does not belong to : role1. User has to belong to ADMIN role and have it as current role, for this action. 
diff --git a/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_all.q.out b/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_all.q.out new file mode 100644 index 0000000..9adbd09 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_all.q.out @@ -0,0 +1,3 @@ +PREHOOK: query: show grant +PREHOOK: type: SHOW_GRANT +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error showing privileges: User : user1 has to specify a user name or role in the show grant. User has to belong to ADMIN role and have it as current role, for this action. diff --git a/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_alltabs.q.out b/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_alltabs.q.out new file mode 100644 index 0000000..dea2264 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_alltabs.q.out @@ -0,0 +1,3 @@ +PREHOOK: query: show grant user user2 +PREHOOK: type: SHOW_GRANT +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error showing privileges: User : user1 is not allowed check privileges of another user : user2. User has to belong to ADMIN role and have it as current role, for this action. diff --git a/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_wtab.q.out b/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_wtab.q.out new file mode 100644 index 0000000..4189d0e --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_wtab.q.out 
@@ -0,0 +1,10 @@ +PREHOOK: query: create table t1(i int, j int, k int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +POSTHOOK: query: create table t1(i int, j int, k int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@t1 +PREHOOK: query: show grant user user2 on table t1 +PREHOOK: type: SHOW_GRANT +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error showing privileges: User : user1 is not allowed check privileges of another user : user2. User has to belong to ADMIN role and have it as current role, for this action. diff --git a/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out b/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out index a0a45f7..846c3af 100644 --- a/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out +++ b/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out 
@@ -19,18 +19,22 @@ POSTHOOK: query: -- all privileges should have been set for user GRANT ALL ON t_gpr1 TO ROLE public POSTHOOK: type: GRANT_PRIVILEGE POSTHOOK: Output: default@t_gpr1 -PREHOOK: query: SHOW GRANT ON TABLE t_gpr1 +PREHOOK: query: SHOW GRANT USER user1 ON TABLE t_gpr1 PREHOOK: type: SHOW_GRANT -POSTHOOK: query: SHOW GRANT ON TABLE t_gpr1 +POSTHOOK: query: SHOW GRANT USER user1 ON TABLE t_gpr1 POSTHOOK: type: SHOW_GRANT -default t_gpr1 public ROLE DELETE false -1 user1 -default t_gpr1 public ROLE INSERT false -1 user1 -default t_gpr1 public ROLE SELECT false -1 user1 -default t_gpr1 public ROLE UPDATE false -1 user1 default t_gpr1 user1 USER DELETE true -1 user1 default t_gpr1 user1 USER INSERT true -1 user1 default t_gpr1 user1 USER SELECT true -1 user1 default t_gpr1 user1 USER UPDATE true -1 user1 +PREHOOK: query: SHOW GRANT ROLE public ON TABLE t_gpr1 +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: SHOW GRANT ROLE public ON TABLE t_gpr1 +POSTHOOK: type: SHOW_GRANT +default t_gpr1 public ROLE DELETE false -1 user1 +default t_gpr1 public ROLE INSERT false -1 user1 +default t_gpr1 public ROLE SELECT false -1 user1 +default t_gpr1 public ROLE UPDATE false -1 user1 PREHOOK: query: SHOW CURRENT ROLES PREHOOK: type: SHOW_ROLES POSTHOOK: query: SHOW CURRENT ROLES diff --git a/ql/src/test/results/clientpositive/authorization_grant_table_priv.q.out b/ql/src/test/results/clientpositive/authorization_grant_table_priv.q.out index 9a6ec17..c33fb62 100644 --- a/ql/src/test/results/clientpositive/authorization_grant_table_priv.q.out +++ b/ql/src/test/results/clientpositive/authorization_grant_table_priv.q.out 
@@ -40,12 +40,12 @@ POSTHOOK: query: SHOW GRANT USER user2 ON TABLE table_priv1 POSTHOOK: type: SHOW_GRANT default table_priv1 user2 USER INSERT false -1 user1 default table_priv1 user2 USER SELECT true -1 user1 -PREHOOK: query: -- change to other user - user2 +PREHOOK: query: -- changed to other user - user2 -- grant permissions to another user as user2 GRANT SELECT ON table_priv1 TO USER user3 with grant option PREHOOK: type: GRANT_PRIVILEGE PREHOOK: Output: default@table_priv1 -POSTHOOK: query: -- change to other user - user2 +POSTHOOK: query: -- changed to other user - user2 -- grant permissions to another user as user2 GRANT SELECT ON table_priv1 TO USER user3 with grant option POSTHOOK: type: GRANT_PRIVILEGE diff --git a/ql/src/test/results/clientpositive/authorization_insert.q.out b/ql/src/test/results/clientpositive/authorization_insert.q.out index f94d9a9..7aefbfe 100644 --- a/ql/src/test/results/clientpositive/authorization_insert.q.out +++ b/ql/src/test/results/clientpositive/authorization_insert.q.out @@ -36,6 +36,10 @@ PREHOOK: Output: default@t_auth_ins POSTHOOK: query: GRANT INSERT,DELETE ON t_auth_ins TO USER userWInsAndDel POSTHOOK: type: GRANT_PRIVILEGE POSTHOOK: Output: default@t_auth_ins +PREHOOK: query: set role admin +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role admin +POSTHOOK: type: SHOW_ROLES PREHOOK: query: SHOW GRANT ON TABLE t_auth_ins PREHOOK: type: SHOW_GRANT POSTHOOK: query: SHOW GRANT ON TABLE t_auth_ins diff --git a/ql/src/test/results/clientpositive/authorization_show_grant.q.out b/ql/src/test/results/clientpositive/authorization_show_grant.q.out new file mode 100644 index 0000000..c0f9689 --- /dev/null +++ b/ql/src/test/results/clientpositive/authorization_show_grant.q.out 
@@ -0,0 +1,138 @@ +PREHOOK: query: set role admin +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role admin +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: -- test show grant authorization + +create role roleA +PREHOOK: type: CREATEROLE +POSTHOOK: query: -- test show grant authorization + +create role roleA +POSTHOOK: type: CREATEROLE +PREHOOK: query: grant role roleA to user userA +PREHOOK: type: GRANT_ROLE +POSTHOOK: query: grant role roleA to user userA +POSTHOOK: type: GRANT_ROLE +PREHOOK: query: -- create table and grant privileges to a role +create table t1(i int, j int, k int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +POSTHOOK: query: -- create table and grant privileges to a role +create table t1(i int, j int, k int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@t1 +PREHOOK: query: create table t2(i int, j int, k int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +POSTHOOK: query: create table t2(i int, j int, k int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@t2 +PREHOOK: query: grant select on t1 to role roleA +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@t1 +POSTHOOK: query: grant select on t1 to role roleA +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@t1 +PREHOOK: query: grant insert on t2 to role roleA +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@t2 +POSTHOOK: query: grant insert on t2 to role roleA +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@t2 +PREHOOK: query: grant insert,delete on t1 to user userA +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@t1 +POSTHOOK: query: grant insert,delete on t1 to user userA +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@t1 +PREHOOK: query: grant select,insert on t2 to user userA +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@t2 +POSTHOOK: query: grant select,insert on t2 to user userA +POSTHOOK: type: 
GRANT_PRIVILEGE +POSTHOOK: Output: default@t2 +PREHOOK: query: set role admin +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role admin +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: -- as user in admin role, it should be possible to see other users grant +show grant user user1 on table t1 +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: -- as user in admin role, it should be possible to see other users grant +show grant user user1 on table t1 +POSTHOOK: type: SHOW_GRANT +default t1 user1 USER DELETE true -1 hive_admin_user +default t1 user1 USER INSERT true -1 hive_admin_user +default t1 user1 USER SELECT true -1 hive_admin_user +default t1 user1 USER UPDATE true -1 hive_admin_user +PREHOOK: query: show grant user user1 +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user user1 +POSTHOOK: type: SHOW_GRANT +default t1 user1 USER DELETE true -1 hive_admin_user +default t1 user1 USER INSERT true -1 hive_admin_user +default t1 user1 USER SELECT true -1 hive_admin_user +default t1 user1 USER UPDATE true -1 hive_admin_user +default t2 user1 USER DELETE true -1 hive_admin_user +default t2 user1 USER INSERT true -1 hive_admin_user +default t2 user1 USER SELECT true -1 hive_admin_user +default t2 user1 USER UPDATE true -1 hive_admin_user +PREHOOK: query: show grant role roleA on table t1 +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant role roleA on table t1 +POSTHOOK: type: SHOW_GRANT +default t1 rolea ROLE SELECT false -1 user1 +PREHOOK: query: show grant role roleA +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant role roleA +POSTHOOK: type: SHOW_GRANT +default t1 rolea ROLE SELECT false -1 user1 +default t2 rolea ROLE INSERT false -1 user1 +PREHOOK: query: show grant +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant +POSTHOOK: type: SHOW_GRANT +default t1 rolea ROLE SELECT false -1 user1 +default t1 user1 USER DELETE true -1 hive_admin_user +default t1 user1 USER INSERT true -1 hive_admin_user +default t1 user1 USER SELECT true -1 hive_admin_user 
+default t1 user1 USER UPDATE true -1 hive_admin_user +default t1 userA USER DELETE false -1 user1 +default t1 userA USER INSERT false -1 user1 +default t2 rolea ROLE INSERT false -1 user1 +default t2 user1 USER DELETE true -1 hive_admin_user +default t2 user1 USER INSERT true -1 hive_admin_user +default t2 user1 USER SELECT true -1 hive_admin_user +default t2 user1 USER UPDATE true -1 hive_admin_user +default t2 userA USER INSERT false -1 user1 +default t2 userA USER SELECT false -1 user1 +PREHOOK: query: -- user belonging to role should be able to see it +show grant role roleA on table t1 +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: -- user belonging to role should be able to see it +show grant role roleA on table t1 +POSTHOOK: type: SHOW_GRANT +default t1 rolea ROLE SELECT false -1 user1 +PREHOOK: query: show grant role roleA +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant role roleA +POSTHOOK: type: SHOW_GRANT +default t1 rolea ROLE SELECT false -1 user1 +default t2 rolea ROLE INSERT false -1 user1 +PREHOOK: query: show grant user userA on table t1 +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user userA on table t1 +POSTHOOK: type: SHOW_GRANT +default t1 userA USER DELETE false -1 user1 +default t1 userA USER INSERT false -1 user1 +PREHOOK: query: show grant user userA +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user userA +POSTHOOK: type: SHOW_GRANT +default t1 userA USER DELETE false -1 user1 +default t1 userA USER INSERT false -1 user1 +default t2 userA USER INSERT false -1 user1 +default t2 userA USER SELECT false -1 user1 diff --git a/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out b/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out index 50c0247..cf3925b 100644 --- a/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out +++ b/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out 
@@ -9,9 +9,9 @@ create table t1(i int, j int, k int) POSTHOOK: type: CREATETABLE POSTHOOK: Output: database:default POSTHOOK: Output: default@t1 -PREHOOK: query: show grant on table t1 +PREHOOK: query: show grant user user1 on table t1 PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant on table t1 +POSTHOOK: query: show grant user user1 on table t1 POSTHOOK: type: SHOW_GRANT default t1 user1 USER DELETE true -1 user1 default t1 user1 USER INSERT true -1 user1 @@ -122,6 +122,10 @@ PREHOOK: query: show grant user user2 on table vt2 PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user user2 on table vt2 POSTHOOK: type: SHOW_GRANT +PREHOOK: query: set role admin +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role admin +POSTHOOK: type: SHOW_ROLES PREHOOK: query: show grant on table vt2 PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant on table vt2