diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java index d8d900b..d24bc00 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java @@ -877,7 +877,9 @@ private int grantOrRevokePrivilegesV2(List principals, private HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc) throws HiveException { - + if(privSubjectDesc == null){ + return new HivePrivilegeObject(null, null, null); + } String [] dbTable = Utilities.getDbTableName(privSubjectDesc.getObject()); return new HivePrivilegeObject(getPrivObjectType(privSubjectDesc), dbTable[0], dbTable[1]); } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java index e4f5aac..6ede03c 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java 
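Review bot: The early return builds a HivePrivilegeObject whose type, db and table are all null, and nothing in the hunk says what a consumer is supposed to read that as; a comment such as `// no object given (e.g. SHOW GRANT with no ON clause): an all-null object means "any object"` would pin the contract, since whatever switches on the object type downstream has to tolerate a null there (those consumers are outside this hunk, so this is inferred). As a matter of style, the surrounding code writes `if (x == null) {` with spaces, so `if(privSubjectDesc == null){` should match.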
@@ -372,6 +372,20 @@ public void revokeRole(List hivePrincipals, List roleName public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException { try { + + // First authorize the call + if (principal == null) { + // only the admin is allowed to list privileges for any user + if (!isUserAdmin()) { + throw new HiveAccessControlException("User : " + currentUserName + " has to specify" + + " a user name or role in the show grant. " + ADMIN_ONLY_MSG); + } + } else { + //principal is specified, authorize on it + if (!isUserAdmin()) { + ensureShowGrantAllowed(principal); + } + } IMetaStoreClient mClient = metastoreClientFactory.getHiveMetastoreClient(); List resPrivInfos = new ArrayList(); String principalName = principal == null ? null : principal.getName(); @@ -396,6 +410,15 @@ public void revokeRole(List hivePrincipals, List roleName // result object HiveObjectRef msObjRef = msObjPriv.getHiveObject(); + + if (!isSupportedObjectType(msObjRef.getObjectType())) { + // metastore returns object type such as global GLOBAL + // when no object is specified. + // such privileges are not applicable to this authorization mode, so + // ignore them + continue; + } + HivePrivilegeObject resPrivObj = new HivePrivilegeObject( getPluginObjType(msObjRef.getObjectType()), msObjRef.getDbName(), msObjRef.getObjectName()); 
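Review bot: The new authorization checks sit inside the `try` whose catch is outside the hunk, and because showPrivileges declares only `throws HiveAuthzPluginException`, the `HiveAccessControlException` thrown here has to be converted there; the expected test output ("Error showing privileges: User : user1 is not allowed ...") suggests it is re-wrapped as a generic plugin exception, so a caller can no longer tell an authorization denial from a metastore failure. I would move the two `if` blocks above `try {` and declare `throws HiveAuthzPluginException, HiveAccessControlException`, as getRoleGrantInfoForPrincipal already does, if the HiveAccessController interface permits it. A consequence worth stating in the method's Javadoc: a non-admin grantor or table owner can no longer list who holds privileges on their own table (authorization_insertoverwrite_nodel.q had to change from `show grant on table t1` to a self-scoped form), which is a deliberate tightening but is currently undocumented.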
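Review bot: The `continue` silently drops any metastore privilege whose object type is not DATABASE or TABLE, so an admin running `show grant` in this mode never learns that GLOBAL, COLUMN or PARTITION grants exist in the metastore (for instance ones written under a different authorization mode), which is an audit blind spot rather than a no-op. If the class has a logger, I would record the skipped entry at debug level before `continue`, e.g. `LOG.debug("Skipping privilege on unsupported object type " + msObjRef.getObjectType());`, and extend the comment to say such privileges are visible only through the authorization mode that created them. Whether such entries can actually occur on an SQL-standard-authorized installation is not visible from this hunk.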
@@ -416,6 +439,46 @@ public void revokeRole(List hivePrincipals, List roleName } + private void ensureShowGrantAllowed(HivePrincipal principal) + throws HiveAccessControlException, HiveAuthzPluginException { + // if user is not an admin user, allow the request only if the user is + // requesting for privileges for themselves or a role they belong to + switch (principal.getType()) { + case USER: + if (!principal.getName().equals(currentUserName)) { + throw new HiveAccessControlException("User : " + currentUserName + " is not" + + " allowed check privileges of another user : " + principal.getName() + ". " + + ADMIN_ONLY_MSG); + } + break; + case ROLE: + if (!userBelongsToRole(principal.getName())) { + throw new HiveAccessControlException("User : " + currentUserName + " is not" + + " allowed check privileges of a role it does not belong to : " + + principal.getName() + ". " + ADMIN_ONLY_MSG); + } + break; + default: + throw new AssertionError("Unexpected principal type " + principal.getType()); + } + } + + /** + * @param roleName + * @return true if roleName is the name of one of the roles (including the role hierarchy) + * that the user belongs to. + * @throws HiveAuthzPluginException + */ + private boolean userBelongsToRole(String roleName) throws HiveAuthzPluginException { + for (HiveRoleGrant role : getRolesFromMS()) { + // set to one of the roles user belongs to. + if (role.getRoleName().equalsIgnoreCase(roleName)) { + return true; + } + } + return false; + } + private HivePrivilegeObjectType getPluginObjType(HiveObjectType objectType) throws HiveAuthzPluginException { switch (objectType) { 
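Review bot: The `default` branch of the switch in ensureShowGrantAllowed throws `AssertionError` for a principal type it does not recognise, yet the type comes from the parsed statement rather than from an invariant of this class, so an unhandled enum value (if HivePrincipalType has one beyond USER and ROLE — not visible here) surfaces as an Error instead of an authorization failure; `default: throw new HiveAuthzPluginException("Unexpected principal type " + principal.getType());` keeps the method fail-closed with a checked exception the callers already handle. The comment `// set to one of the roles user belongs to.` inside the loop of userBelongsToRole describes nothing the line does; replace it with `// role names are matched case-insensitively (the role-grant tests depend on this)` or drop it. Users are compared with `equals` while roles use `equalsIgnoreCase`; that asymmetry deserves a one-line comment saying it is intentional, if it is. The two messages read "is not allowed check privileges" and are missing "to".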
@@ -423,15 +486,21 @@ private HivePrivilegeObjectType getPluginObjType(HiveObjectType objectType) return HivePrivilegeObjectType.DATABASE; case TABLE: return HivePrivilegeObjectType.TABLE_OR_VIEW; - case COLUMN: - case GLOBAL: - case PARTITION: - throw new HiveAuthzPluginException("Unsupported object type " + objectType); default: throw new AssertionError("Unexpected object type " + objectType); } } + private boolean isSupportedObjectType(HiveObjectType objectType) { + switch (objectType) { + case DATABASE: + case TABLE: + return true; + default: + return false; + } + } + @Override public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException { @@ -462,7 +531,7 @@ public void setCurrentRole(String roleName) throws HiveAccessControlException, +roleName); } - public List getCurrentRoles() throws HiveAuthzPluginException { + private List getCurrentRoles() throws HiveAuthzPluginException { initUserRoles(); return currentRoles; } @@ -516,6 +585,11 @@ private boolean doesUserHasAdminOption(List roleNames) throws HiveAuthzP public List getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, HiveAccessControlException { try { + // first authorize the call + if (!isUserAdmin()) { + ensureShowGrantAllowed(principal); + } + List roleGrants = getRoleGrants(principal.getName(), AuthorizationUtils.getThriftPrincipalType(principal.getType())); List hiveRoleGrants = new ArrayList(roleGrants.size()); diff --git a/ql/src/test/queries/clientnegative/authorization_insertoverwrite_nodel.q b/ql/src/test/queries/clientnegative/authorization_insertoverwrite_nodel.q index 90fe6e1..73cfe82 100644 --- a/ql/src/test/queries/clientnegative/authorization_insertoverwrite_nodel.q +++ b/ql/src/test/queries/clientnegative/authorization_insertoverwrite_nodel.q 
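Review bot: Removing the explicit COLUMN/GLOBAL/PARTITION cases from getPluginObjType changes what any other caller gets for those types from a checked `HiveAuthzPluginException` to an `AssertionError`; showPrivileges is now guarded by isSupportedObjectType, but whether every other caller of getPluginObjType in this class is likewise guarded is not visible in the hunk. Unless that is confirmed, I would keep the default fail-closed with the checked type: `default: throw new HiveAuthzPluginException("Unsupported object type " + objectType);`. isSupportedObjectType and getPluginObjType also encode the same DATABASE/TABLE set twice; a comment on one pointing at the other (`// keep in sync with getPluginObjType`) would stop them drifting.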
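Review bot: The new `ensureShowGrantAllowed(principal)` call in getRoleGrantInfoForPrincipal dereferences principal without a null check, whereas showPrivileges on the same class treats a null principal as "all principals"; if the DDL layer can hand a null principal here (not visible from the hunk), a non-admin gets a NullPointerException rather than an access-control error, and the admin path would hit `principal.getName()` next. A guard placed before the admin check, `if (principal == null) { throw new HiveAccessControlException("User : " + currentUserName + " has to specify a user or role. " + ADMIN_ONLY_MSG); }`, keeps the behaviour fail-closed with a meaningful message. As in showPrivileges, the check sits inside the `try` whose catch is outside the hunk, and the expected output "Error getting role grant information for user accounting: ..." suggests the access-control exception is re-wrapped there, so consider moving the check above `try {`.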
@@ -6,8 +6,11 @@ set user.name=hive_test_user; -- check insert overwrite without delete priv create table t1(i int); grant insert on table t1 to user user1; -show grant on table t1; + +show grant user hive_test_user on table t1; set user.name=user1; +show grant user user1 on table t1; + create table user1tab(i int); insert overwrite table t1 select * from user1tab; diff --git a/ql/src/test/queries/clientnegative/authorization_priv_current_role_neg.q b/ql/src/test/queries/clientnegative/authorization_priv_current_role_neg.q index bbf3b66..463358a 100644 --- a/ql/src/test/queries/clientnegative/authorization_priv_current_role_neg.q +++ b/ql/src/test/queries/clientnegative/authorization_priv_current_role_neg.q @@ -22,7 +22,10 @@ grant all on table tpriv_current_role to user user3; set role role2; -- switch to role2, grant should work grant all on table tpriv_current_role to user user4; + +set user.name=user4; show grant user user4 on table tpriv_current_role; +set user.name=user2; set role PUBLIC; -- set role to public, should fail as role2 is not one of the current roles diff --git a/ql/src/test/queries/clientnegative/authorization_role_grant_otherrole.q b/ql/src/test/queries/clientnegative/authorization_role_grant_otherrole.q new file mode 100644 index 0000000..f91abdb --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_role_grant_otherrole.q @@ -0,0 +1,12 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; + +set user.name=hive_admin_user; +set role ADMIN; + +create role accounting; + +set user.name=user1; +-- user does not belong to this role, so the show role grant should fail +show role grant role accounting; 
diff --git a/ql/src/test/queries/clientnegative/authorization_role_grant_otheruser.q b/ql/src/test/queries/clientnegative/authorization_role_grant_otheruser.q new file mode 100644 index 0000000..a530043 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_role_grant_otheruser.q @@ -0,0 +1,15 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; + +set user.name=ruser1; +show role grant user ruser1; + +set user.name=hive_admin_user; +set role ADMIN; +show role grant user ruser1; +show role grant user ruser2; + +set user.name=ruser1; +-- show role grant for another user as non admin user should fail +show role grant user ruser2; diff --git a/ql/src/test/queries/clientnegative/authorization_show_grant_otherrole.q b/ql/src/test/queries/clientnegative/authorization_show_grant_otherrole.q new file mode 100644 index 0000000..a709d16 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_show_grant_otherrole.q @@ -0,0 +1,12 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set hive.security.authorization.enabled=true; + +set user.name=hive_admin_user; +set role admin; +create role role1; + + +set user.name=user1; +show grant role role1; diff --git a/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_all.q b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_all.q new file mode 100644 index 0000000..2073cda --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_all.q 
@@ -0,0 +1,7 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set hive.security.authorization.enabled=true; + +set user.name=user1; +show grant; diff --git a/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_alltabs.q b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_alltabs.q new file mode 100644 index 0000000..672b81b --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_alltabs.q @@ -0,0 +1,7 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set hive.security.authorization.enabled=true; + +set user.name=user1; +show grant user user2; diff --git a/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_wtab.q b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_wtab.q new file mode 100644 index 0000000..7d95a9d --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_wtab.q @@ -0,0 +1,9 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set hive.security.authorization.enabled=true; + +set user.name=user1; +create table t1(i int, j int, k int); + +show grant user user2 on table t1; 
diff --git a/ql/src/test/queries/clientpositive/authorization_grant_public_role.q b/ql/src/test/queries/clientpositive/authorization_grant_public_role.q index 8473178..9da33dc 100644 --- a/ql/src/test/queries/clientpositive/authorization_grant_public_role.q +++ b/ql/src/test/queries/clientpositive/authorization_grant_public_role.q @@ -10,7 +10,8 @@ CREATE TABLE t_gpr1(i int); GRANT ALL ON t_gpr1 TO ROLE public; -SHOW GRANT ON TABLE t_gpr1; +SHOW GRANT USER user1 ON TABLE t_gpr1; +SHOW GRANT ROLE public ON TABLE t_gpr1; set user.name=user2; SHOW CURRENT ROLES; diff --git a/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q b/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q index 02d364e..9c7a999 100644 --- a/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q +++ b/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q @@ -10,22 +10,29 @@ CREATE TABLE table_priv1(i int); -- grant insert privilege to another user GRANT INSERT ON table_priv1 TO USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv1; +set user.name=user1; -- grant select privilege to another user with grant GRANT SELECT ON table_priv1 TO USER user2 with grant option; -SHOW GRANT USER user2 ON TABLE table_priv1; set user.name=user2; --- change to other user - user2 +SHOW GRANT USER user2 ON TABLE table_priv1; + +-- changed to other user - user2 -- grant permissions to another user as user2 GRANT SELECT ON table_priv1 TO USER user3 with grant option; -SHOW GRANT USER user3 ON TABLE table_priv1; set user.name=user3; +SHOW GRANT USER user3 ON TABLE table_priv1; + -- change to other user - user3 -- grant permissions to another user as user3 GRANT SELECT ON table_priv1 TO USER user4 with grant option; + +set user.name=user4; SHOW GRANT USER user4 ON TABLE table_priv1; set user.name=user1; 
@@ -33,11 +40,12 @@ set user.name=user1; -- grant all with grant to user22 GRANT ALL ON table_priv1 TO USER user22 with grant option; -SHOW GRANT USER user22 ON TABLE table_priv1; set user.name=user22; +SHOW GRANT USER user22 ON TABLE table_priv1; -- grant all without grant to user33 GRANT ALL ON table_priv1 TO USER user33 with grant option; -SHOW GRANT USER user33 ON TABLE table_priv1; +set user.name=user33; +SHOW GRANT USER user33 ON TABLE table_priv1; diff --git a/ql/src/test/queries/clientpositive/authorization_insert.q b/ql/src/test/queries/clientpositive/authorization_insert.q index 5de6f50..6cce469 100644 --- a/ql/src/test/queries/clientpositive/authorization_insert.q +++ b/ql/src/test/queries/clientpositive/authorization_insert.q @@ -1,3 +1,4 @@ +set hive.users.in.admin.role=hive_admin_user; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; @@ -12,6 +13,9 @@ GRANT ALL ON TABLE t_select TO ROLE public; -- grant insert privilege to another user GRANT INSERT ON t_auth_ins TO USER userWIns; GRANT INSERT,DELETE ON t_auth_ins TO USER userWInsAndDel; + +set user.name=hive_admin_user; +set role admin; SHOW GRANT ON TABLE t_auth_ins; diff --git a/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q b/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q index ccda3b5..c8f4bc8 100644 --- a/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q +++ b/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q 
@@ -8,54 +8,88 @@ CREATE TABLE table_priv_rev(i int); -- grant insert privilege to user2 GRANT INSERT ON table_priv_rev TO USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; SHOW GRANT USER user2 ON ALL; +set user.name=user1; -- revoke insert privilege from user2 REVOKE INSERT ON TABLE table_priv_rev FROM USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; +set user.name=user1; -- grant all privileges one at a time -- -- grant insert privilege to user2 GRANT INSERT ON table_priv_rev TO USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; SHOW GRANT USER user2 ON ALL; +set user.name=user1; -- grant select privilege to user2, with grant option GRANT SELECT ON table_priv_rev TO USER user2 WITH GRANT OPTION; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; +set user.name=user1; -- grant update privilege to user2 GRANT UPDATE ON table_priv_rev TO USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; +set user.name=user1; -- grant delete privilege to user2 GRANT DELETE ON table_priv_rev TO USER user2; -SHOW GRANT USER user2 ON TABLE table_priv_rev; +set user.name=user2; +SHOW GRANT USER user2 ON TABLE table_priv_rev; +set user.name=user1; -- start revoking -- -- revoke update privilege from user2 REVOKE UPDATE ON TABLE table_priv_rev FROM USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; SHOW GRANT USER user2 ON ALL; +set user.name=user1; -- revoke DELETE privilege from user2 REVOKE DELETE ON TABLE table_priv_rev FROM USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; +set user.name=user1; -- revoke insert privilege from user2 REVOKE INSERT ON TABLE table_priv_rev FROM USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; +set user.name=user1; -- revoke select privilege from user2 REVOKE SELECT ON TABLE table_priv_rev FROM USER user2; + 
+set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; SHOW GRANT USER user2 ON ALL; +set user.name=user1; -- grant all followed by revoke all GRANT ALL ON table_priv_rev TO USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; +set user.name=user1; REVOKE ALL ON TABLE table_priv_rev FROM USER user2; + +set user.name=user2; SHOW GRANT USER user2 ON TABLE table_priv_rev; diff --git a/ql/src/test/queries/clientpositive/authorization_role_grant2.q b/ql/src/test/queries/clientpositive/authorization_role_grant2.q index fd6aa38..34e19a2 100644 --- a/ql/src/test/queries/clientpositive/authorization_role_grant2.q +++ b/ql/src/test/queries/clientpositive/authorization_role_grant2.q @@ -22,26 +22,43 @@ set user.name=user2; set role src_role_WadMin; -- grant role to another user grant src_Role_wadmin to user user3; + +set user.name=user3; show role grant user user3; + +set user.name=user2; -- grant role to another role -grant src_role_wadmin to role sRc_role2;; -show role grant role src_Role2;; +grant src_role_wadmin to role sRc_role2; +set user.name=hive_admin_user; +set role ADMIN; +grant src_role2 to user user3; +set user.name=user3; +-- as user3 belings to src_role2 hierarchy, its should be able to run show grant on it +show role grant role src_Role2; set user.name=hive_admin_user; set role ADMIN; + + + show principals src_ROle_wadmin; set user.name=user2; set role src_role_wadmin; -- revoke user from role revoke src_rolE_wadmin from user user3; + +set user.name=user3; show role grant user user3; +set user.name=user2; + -- revoke role from role revoke src_rolE_wadmin from role sRc_role2; -show role grant role sRc_role2; - set user.name=hive_admin_user; set role ADMIN; + +show role grant role sRc_role2; + show principals src_role_wadmin; diff --git a/ql/src/test/queries/clientpositive/authorization_show_grant.q b/ql/src/test/queries/clientpositive/authorization_show_grant.q new file mode 100644 index 0000000..5f7a33b --- /dev/null 
+++ b/ql/src/test/queries/clientpositive/authorization_show_grant.q @@ -0,0 +1,53 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set hive.security.authorization.enabled=true; + +set user.name=hive_admin_user; +set role admin; + +-- test show grant authorization + +create role roleA; +create role roleB; + +grant role roleA to user userA; +grant role roleB to role roleA; + +set user.name=user1; + +-- create table and grant privileges to a role +create table t1(i int, j int, k int); +create table t2(i int, j int, k int); + +grant select on t1 to role roleA; +grant insert on t2 to role roleA; +grant insert on t2 to role roleB; + +grant insert,delete on t1 to user userA; +grant select,insert on t2 to user userA; + + +set user.name=hive_admin_user; +set role admin; + +-- as user in admin role, it should be possible to see other users grant +show grant user user1 on table t1; +show grant user user1; +show grant role roleA on table t1; +show grant role roleA; +show grant; + + +set user.name=userA; +-- user belonging to role should be able to see it +show grant role roleA on table t1; +show grant role roleA; + +show grant role roleB on table t1; +show grant role roleB; + +show grant user userA on table t1; +show grant user userA; + + diff --git a/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q b/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q index bd7bbfe..3418e47 100644 --- a/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q +++ b/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q 
@@ -7,7 +7,7 @@ set user.name=user1; -- Test view authorization , and 'show grant' variants create table t1(i int, j int, k int); -show grant on table t1; +show grant user user1 on table t1; -- protecting certain columns create view vt1 as select i,k from t1; @@ -23,7 +23,9 @@ show grant user user1 on all; grant select on vt1 to user user2; grant insert on table vt1 to user user3; +set user.name=user2; show grant user user2 on table vt1; +set user.name=user3; show grant user user3 on table vt1; @@ -33,20 +35,30 @@ select * from vt1; set user.name=user1; grant all on table vt2 to user user2; + +set user.name=user2; show grant user user2 on table vt2; show grant user user2 on all; +set user.name=user1; revoke all on vt2 from user user2; + +set user.name=user2; show grant user user2 on table vt2; -show grant on table vt2; +set user.name=hive_admin_user; +set role admin; +show grant on table vt2; +set user.name=user1; revoke select on table vt1 from user user2; -show grant user user2 on table vt1; +set user.name=user2; +show grant user user2 on table vt1; show grant user user2 on all; +set user.name=user3; -- grant privileges on roles for view, after next statement show grant user user3 on table vt1; diff --git a/ql/src/test/results/clientnegative/authorization_insertoverwrite_nodel.q.out b/ql/src/test/results/clientnegative/authorization_insertoverwrite_nodel.q.out index de1d230..fa0f7f7 100644 --- a/ql/src/test/results/clientnegative/authorization_insertoverwrite_nodel.q.out +++ b/ql/src/test/results/clientnegative/authorization_insertoverwrite_nodel.q.out 
@@ -13,14 +13,18 @@ PREHOOK: Output: default@t1 POSTHOOK: query: grant insert on table t1 to user user1 POSTHOOK: type: GRANT_PRIVILEGE POSTHOOK: Output: default@t1 -PREHOOK: query: show grant on table t1 +PREHOOK: query: show grant user hive_test_user on table t1 PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant on table t1 +POSTHOOK: query: show grant user hive_test_user on table t1 POSTHOOK: type: SHOW_GRANT default t1 hive_test_user USER DELETE true -1 hive_test_user default t1 hive_test_user USER INSERT true -1 hive_test_user default t1 hive_test_user USER SELECT true -1 hive_test_user default t1 hive_test_user USER UPDATE true -1 hive_test_user +PREHOOK: query: show grant user user1 on table t1 +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user user1 on table t1 +POSTHOOK: type: SHOW_GRANT default t1 user1 USER INSERT false -1 hive_test_user PREHOOK: query: create table user1tab(i int) PREHOOK: type: CREATETABLE diff --git a/ql/src/test/results/clientnegative/authorization_role_grant_otherrole.q.out b/ql/src/test/results/clientnegative/authorization_role_grant_otherrole.q.out new file mode 100644 index 0000000..afcd10c --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_role_grant_otherrole.q.out @@ -0,0 +1,12 @@ +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: create role accounting +PREHOOK: type: CREATEROLE +POSTHOOK: query: create role accounting +POSTHOOK: type: CREATEROLE +PREHOOK: query: -- user does not belong to this role, so the show role grant should fail +show role grant role accounting +PREHOOK: type: SHOW_ROLE_GRANT +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error getting role grant information for user accounting: User : user1 is not allowed check privileges of a role it does not belong to : accounting. User has to belong to ADMIN role and have it as current role, for this action. 
diff --git a/ql/src/test/results/clientnegative/authorization_role_grant_otheruser.q.out b/ql/src/test/results/clientnegative/authorization_role_grant_otheruser.q.out new file mode 100644 index 0000000..37fb402 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_role_grant_otheruser.q.out @@ -0,0 +1,23 @@ +PREHOOK: query: show role grant user ruser1 +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant user ruser1 +POSTHOOK: type: SHOW_ROLE_GRANT +public false -1 +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: show role grant user ruser1 +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant user ruser1 +POSTHOOK: type: SHOW_ROLE_GRANT +public false -1 +PREHOOK: query: show role grant user ruser2 +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant user ruser2 +POSTHOOK: type: SHOW_ROLE_GRANT +public false -1 +PREHOOK: query: -- show role grant for another user as non admin user should fail +show role grant user ruser2 +PREHOOK: type: SHOW_ROLE_GRANT +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error getting role grant information for user ruser2: User : ruser1 is not allowed check privileges of another user : ruser2. User has to belong to ADMIN role and have it as current role, for this action. diff --git a/ql/src/test/results/clientnegative/authorization_show_grant_otherrole.q.out b/ql/src/test/results/clientnegative/authorization_show_grant_otherrole.q.out new file mode 100644 index 0000000..736e693 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_show_grant_otherrole.q.out 
@@ -0,0 +1,11 @@ +PREHOOK: query: set role admin +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role admin +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: create role role1 +PREHOOK: type: CREATEROLE +POSTHOOK: query: create role role1 +POSTHOOK: type: CREATEROLE +PREHOOK: query: show grant role role1 +PREHOOK: type: SHOW_GRANT +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error showing privileges: User : user1 is not allowed check privileges of a role it does not belong to : role1. User has to belong to ADMIN role and have it as current role, for this action. diff --git a/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_all.q.out b/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_all.q.out new file mode 100644 index 0000000..9adbd09 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_all.q.out @@ -0,0 +1,3 @@ +PREHOOK: query: show grant +PREHOOK: type: SHOW_GRANT +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error showing privileges: User : user1 has to specify a user name or role in the show grant. User has to belong to ADMIN role and have it as current role, for this action. diff --git a/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_alltabs.q.out b/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_alltabs.q.out new file mode 100644 index 0000000..dea2264 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_alltabs.q.out @@ -0,0 +1,3 @@ +PREHOOK: query: show grant user user2 +PREHOOK: type: SHOW_GRANT +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error showing privileges: User : user1 is not allowed check privileges of another user : user2. User has to belong to ADMIN role and have it as current role, for this action. 
diff --git a/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_wtab.q.out b/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_wtab.q.out new file mode 100644 index 0000000..4189d0e --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_show_grant_otheruser_wtab.q.out @@ -0,0 +1,10 @@ +PREHOOK: query: create table t1(i int, j int, k int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +POSTHOOK: query: create table t1(i int, j int, k int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@t1 +PREHOOK: query: show grant user user2 on table t1 +PREHOOK: type: SHOW_GRANT +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error showing privileges: User : user1 is not allowed check privileges of another user : user2. User has to belong to ADMIN role and have it as current role, for this action. diff --git a/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out b/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out index a0a45f7..846c3af 100644 --- a/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out +++ b/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out 
@@ -19,18 +19,22 @@ POSTHOOK: query: -- all privileges should have been set for user GRANT ALL ON t_gpr1 TO ROLE public POSTHOOK: type: GRANT_PRIVILEGE POSTHOOK: Output: default@t_gpr1 -PREHOOK: query: SHOW GRANT ON TABLE t_gpr1 +PREHOOK: query: SHOW GRANT USER user1 ON TABLE t_gpr1 PREHOOK: type: SHOW_GRANT -POSTHOOK: query: SHOW GRANT ON TABLE t_gpr1 +POSTHOOK: query: SHOW GRANT USER user1 ON TABLE t_gpr1 POSTHOOK: type: SHOW_GRANT -default t_gpr1 public ROLE DELETE false -1 user1 -default t_gpr1 public ROLE INSERT false -1 user1 -default t_gpr1 public ROLE SELECT false -1 user1 -default t_gpr1 public ROLE UPDATE false -1 user1 default t_gpr1 user1 USER DELETE true -1 user1 default t_gpr1 user1 USER INSERT true -1 user1 default t_gpr1 user1 USER SELECT true -1 user1 default t_gpr1 user1 USER UPDATE true -1 user1 +PREHOOK: query: SHOW GRANT ROLE public ON TABLE t_gpr1 +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: SHOW GRANT ROLE public ON TABLE t_gpr1 +POSTHOOK: type: SHOW_GRANT +default t_gpr1 public ROLE DELETE false -1 user1 +default t_gpr1 public ROLE INSERT false -1 user1 +default t_gpr1 public ROLE SELECT false -1 user1 +default t_gpr1 public ROLE UPDATE false -1 user1 PREHOOK: query: SHOW CURRENT ROLES PREHOOK: type: SHOW_ROLES POSTHOOK: query: SHOW CURRENT ROLES diff --git a/ql/src/test/results/clientpositive/authorization_grant_table_priv.q.out b/ql/src/test/results/clientpositive/authorization_grant_table_priv.q.out index 9a6ec17..c33fb62 100644 --- a/ql/src/test/results/clientpositive/authorization_grant_table_priv.q.out +++ b/ql/src/test/results/clientpositive/authorization_grant_table_priv.q.out 
@@ -40,12 +40,12 @@ POSTHOOK: query: SHOW GRANT USER user2 ON TABLE table_priv1 POSTHOOK: type: SHOW_GRANT default table_priv1 user2 USER INSERT false -1 user1 default table_priv1 user2 USER SELECT true -1 user1 -PREHOOK: query: -- change to other user - user2 +PREHOOK: query: -- changed to other user - user2 -- grant permissions to another user as user2 GRANT SELECT ON table_priv1 TO USER user3 with grant option PREHOOK: type: GRANT_PRIVILEGE PREHOOK: Output: default@table_priv1 -POSTHOOK: query: -- change to other user - user2 +POSTHOOK: query: -- changed to other user - user2 -- grant permissions to another user as user2 GRANT SELECT ON table_priv1 TO USER user3 with grant option POSTHOOK: type: GRANT_PRIVILEGE diff --git a/ql/src/test/results/clientpositive/authorization_insert.q.out b/ql/src/test/results/clientpositive/authorization_insert.q.out index f94d9a9..7aefbfe 100644 --- a/ql/src/test/results/clientpositive/authorization_insert.q.out +++ b/ql/src/test/results/clientpositive/authorization_insert.q.out @@ -36,6 +36,10 @@ PREHOOK: Output: default@t_auth_ins POSTHOOK: query: GRANT INSERT,DELETE ON t_auth_ins TO USER userWInsAndDel POSTHOOK: type: GRANT_PRIVILEGE POSTHOOK: Output: default@t_auth_ins +PREHOOK: query: set role admin +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role admin +POSTHOOK: type: SHOW_ROLES PREHOOK: query: SHOW GRANT ON TABLE t_auth_ins PREHOOK: type: SHOW_GRANT POSTHOOK: query: SHOW GRANT ON TABLE t_auth_ins diff --git a/ql/src/test/results/clientpositive/authorization_role_grant2.q.out b/ql/src/test/results/clientpositive/authorization_role_grant2.q.out index 2e94af3..56e7667 100644 --- a/ql/src/test/results/clientpositive/authorization_role_grant2.q.out +++ b/ql/src/test/results/clientpositive/authorization_role_grant2.q.out 
@@ -60,9 +60,19 @@ PREHOOK: type: GRANT_ROLE
 POSTHOOK: query: -- grant role to another role
 grant src_role_wadmin to role sRc_role2
 POSTHOOK: type: GRANT_ROLE
-PREHOOK: query: show role grant role src_Role2
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: grant src_role2 to user user3
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant src_role2 to user user3
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: -- as user3 belings to src_role2 hierarchy, its should be able to run show grant on it
+show role grant role src_Role2
 PREHOOK: type: SHOW_ROLE_GRANT
-POSTHOOK: query: show role grant role src_Role2
+POSTHOOK: query: -- as user3 belings to src_role2 hierarchy, its should be able to run show grant on it
+show role grant role src_Role2
 POSTHOOK: type: SHOW_ROLE_GRANT
 role grant_option grant_time grantor
 src_role_wadmin false -1 user2
@@ -94,21 +104,22 @@ POSTHOOK: query: show role grant user user3
 POSTHOOK: type: SHOW_ROLE_GRANT
 role grant_option grant_time grantor
 public false -1
+src_role2 false -1 hive_admin_user
 PREHOOK: query: -- revoke role from role
 revoke src_rolE_wadmin from role sRc_role2
 PREHOOK: type: REVOKE_ROLE
 POSTHOOK: query: -- revoke role from role
 revoke src_rolE_wadmin from role sRc_role2
 POSTHOOK: type: REVOKE_ROLE
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
 PREHOOK: query: show role grant role sRc_role2
 PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: show role grant role sRc_role2
 POSTHOOK: type: SHOW_ROLE_GRANT
 role grant_option grant_time grantor
-PREHOOK: query: set role ADMIN
-PREHOOK: type: SHOW_ROLES
-POSTHOOK: query: set role ADMIN
-POSTHOOK: type: SHOW_ROLES
 PREHOOK: query: show principals src_role_wadmin
 PREHOOK: type: SHOW_ROLE_PRINCIPALS
 POSTHOOK: query: show principals src_role_wadmin
diff --git a/ql/src/test/results/clientpositive/authorization_show_grant.q.out b/ql/src/test/results/clientpositive/authorization_show_grant.q.out
new file mode 100644
index 0000000..717637e
--- /dev/null
+++ b/ql/src/test/results/clientpositive/authorization_show_grant.q.out
@@ -0,0 +1,162 @@
+PREHOOK: query: set role admin
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role admin
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: -- test show grant authorization
+
+create role roleA
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: -- test show grant authorization
+
+create role roleA
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: create role roleB
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: create role roleB
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: grant role roleA to user userA
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant role roleA to user userA
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: grant role roleB to role roleA
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant role roleB to role roleA
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: -- create table and grant privileges to a role
+create table t1(i int, j int, k int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+POSTHOOK: query: -- create table and grant privileges to a role
+create table t1(i int, j int, k int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@t1
+PREHOOK: query: create table t2(i int, j int, k int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+POSTHOOK: query: create table t2(i int, j int, k int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@t2
+PREHOOK: query: grant select on t1 to role roleA
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@t1
+POSTHOOK: query: grant select on t1 to role roleA
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@t1
+PREHOOK: query: grant insert on t2 to role roleA
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@t2
+POSTHOOK: query: grant insert on t2 to role roleA
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@t2
+PREHOOK: query: grant insert on t2 to role roleB
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@t2
+POSTHOOK: query: grant insert on t2 to role roleB
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@t2
+PREHOOK: query: grant insert,delete on t1 to user userA
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@t1
+POSTHOOK: query: grant insert,delete on t1 to user userA
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@t1
+PREHOOK: query: grant select,insert on t2 to user userA
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@t2
+POSTHOOK: query: grant select,insert on t2 to user userA
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@t2
+PREHOOK: query: set role admin
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role admin
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: -- as user in admin role, it should be possible to see other users grant
+show grant user user1 on table t1
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: -- as user in admin role, it should be possible to see other users grant
+show grant user user1 on table t1
+POSTHOOK: type: SHOW_GRANT
+default t1 user1 USER DELETE true -1 hive_admin_user
+default t1 user1 USER INSERT true -1 hive_admin_user
+default t1 user1 USER SELECT true -1 hive_admin_user
+default t1 user1 USER UPDATE true -1 hive_admin_user
+PREHOOK: query: show grant user user1
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user user1
+POSTHOOK: type: SHOW_GRANT
+default t1 user1 USER DELETE true -1 hive_admin_user
+default t1 user1 USER INSERT true -1 hive_admin_user
+default t1 user1 USER SELECT true -1 hive_admin_user
+default t1 user1 USER UPDATE true -1 hive_admin_user
+default t2 user1 USER DELETE true -1 hive_admin_user
+default t2 user1 USER INSERT true -1 hive_admin_user
+default t2 user1 USER SELECT true -1 hive_admin_user
+default t2 user1 USER UPDATE true -1 hive_admin_user
+PREHOOK: query: show grant role roleA on table t1
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant role roleA on table t1
+POSTHOOK: type: SHOW_GRANT
+default t1 rolea ROLE SELECT false -1 user1
+PREHOOK: query: show grant role roleA
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant role roleA
+POSTHOOK: type: SHOW_GRANT
+default t1 rolea ROLE SELECT false -1 user1
+default t2 rolea ROLE INSERT false -1 user1
+PREHOOK: query: show grant
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant
+POSTHOOK: type: SHOW_GRANT
+default t1 rolea ROLE SELECT false -1 user1
+default t1 user1 USER DELETE true -1 hive_admin_user
+default t1 user1 USER INSERT true -1 hive_admin_user
+default t1 user1 USER SELECT true -1 hive_admin_user
+default t1 user1 USER UPDATE true -1 hive_admin_user
+default t1 userA USER DELETE false -1 user1
+default t1 userA USER INSERT false -1 user1
+default t2 rolea ROLE INSERT false -1 user1
+default t2 roleb ROLE INSERT false -1 user1
+default t2 user1 USER DELETE true -1 hive_admin_user
+default t2 user1 USER INSERT true -1 hive_admin_user
+default t2 user1 USER SELECT true -1 hive_admin_user
+default t2 user1 USER UPDATE true -1 hive_admin_user
+default t2 userA USER INSERT false -1 user1
+default t2 userA USER SELECT false -1 user1
+PREHOOK: query: -- user belonging to role should be able to see it
+show grant role roleA on table t1
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: -- user belonging to role should be able to see it
+show grant role roleA on table t1
+POSTHOOK: type: SHOW_GRANT
+default t1 rolea ROLE SELECT false -1 user1
+PREHOOK: query: show grant role roleA
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant role roleA
+POSTHOOK: type: SHOW_GRANT
+default t1 rolea ROLE SELECT false -1 user1
+default t2 rolea ROLE INSERT false -1 user1
+PREHOOK: query: show grant role roleB on table t1
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant role roleB on table t1
+POSTHOOK: type: SHOW_GRANT
+PREHOOK: query: show grant role roleB
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant role roleB
+POSTHOOK: type: SHOW_GRANT
+default t2 roleb ROLE INSERT false -1 user1
+PREHOOK: query: show grant user userA on table t1
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user userA on table t1
+POSTHOOK: type: SHOW_GRANT
+default t1 userA USER DELETE false -1 user1
+default t1 userA USER INSERT false -1 user1
+PREHOOK: query: show grant user userA
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user userA
+POSTHOOK: type: SHOW_GRANT
+default t1 userA USER DELETE false -1 user1
+default t1 userA USER INSERT false -1 user1
+default t2 userA USER INSERT false -1 user1
+default t2 userA USER SELECT false -1 user1
diff --git a/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out b/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out
index 50c0247..cf3925b 100644
--- a/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out
+++ b/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out
@@ -9,9 +9,9 @@ create table t1(i int, j int, k int)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: database:default
 POSTHOOK: Output: default@t1
-PREHOOK: query: show grant on table t1
+PREHOOK: query: show grant user user1 on table t1
 PREHOOK: type: SHOW_GRANT
-POSTHOOK: query: show grant on table t1
+POSTHOOK: query: show grant user user1 on table t1
 POSTHOOK: type: SHOW_GRANT
 default t1 user1 USER DELETE true -1 user1
 default t1 user1 USER INSERT true -1 user1
@@ -122,6 +122,10 @@ PREHOOK: query: show grant user user2 on table vt2
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user user2 on table vt2
 POSTHOOK: type: SHOW_GRANT
+PREHOOK: query: set role admin
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role admin
+POSTHOOK: type: SHOW_ROLES
 PREHOOK: query: show grant on table vt2
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant on table vt2
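Review bot: The new authorization_show_grant.q.out records only outcomes that are expected to succeed (the admin listing user1's grants, a role member listing roleA's grants, `show grant` with no principal while the admin role is active), so nothing in this expected output pins the denial path that the showPrivileges change introduces for a non-admin who omits the principal or names one they are not entitled to see. If a clientnegative case is not part of this commit, one should be added so that a regression dropping that check is caught rather than silently widening what SHOW GRANT reveals. The `show grant user user1` and bare `show grant` calls are issued while the session has the admin role, so their rows cannot distinguish the admin bypass from a missing check. The driving .q file is not visible here, so the user switches between sections are inferred from the comments in the output.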