diff --git a/conf/hive-default.xml.template b/conf/hive-default.xml.template index ba5b8a9..653f5cc 100644 --- a/conf/hive-default.xml.template +++ b/conf/hive-default.xml.template @@ -1,5 +1,7 @@ - +--> + diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java index abe5ffa..3618185 100644 --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestJdbcWithSQLAuthorization.java @@ -127,8 +127,11 @@ public void testAllowedCommands() throws Exception { stmt.execute("dfs -ls /tmp/"); } catch (SQLException e){ caughtException = true; - assertTrue("Checking error message content", - e.getMessage().contains("Insufficient privileges to execute")); + String msg = "Principal [name=user1, type=USER] does not have following " + + "privileges on Object [type=COMMAND_PARAMS, name=[-ls, /tmp/]] for operation " + + "DFS : [ADMIN PRIVILEGE]"; + assertTrue("Checking content of error message:" + e.getMessage(), + e.getMessage().contains(msg)); } finally { stmt.close(); diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java index 4474ce5..bdbe8a7 100644 --- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java +++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java 
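Review bot: The new assertion in testAllowedCommands pins the complete denial text, including the principal name `user1` and the `[-ls, /tmp/]` rendering of the command parameters, so any later change to HivePrivilegeObject.toString() or to the message template in SQLAuthorizationUtils.assertNoMissingPrivilege breaks this test without any authorization regression. Checking the parts that carry the security decision is more robust, e.g. `assertTrue(msg, e.getMessage().contains("does not have following privileges"));`, `assertTrue(msg, e.getMessage().contains("COMMAND_PARAMS"));` and `assertTrue(msg, e.getMessage().contains("ADMIN PRIVILEGE"));`, with `msg` holding the "Checking content of error message:" prefix. The improved failure message that includes `e.getMessage()` is a good change and should stay. testAllowedCommands begins before this hunk.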
@@ -19,11 +19,9 @@ import org.apache.hadoop.classification.InterfaceAudience.Private; import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.conf.HiveConf.ConfVars; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; -import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController; /** * Extends SQLStdHiveAccessController to relax the restriction of not being able to run dfs @@ -43,9 +41,6 @@ public void applyAuthorizationConfigPolicy(HiveConf hiveConf) { super.applyAuthorizationConfigPolicy(hiveConf); - // allow set and dfs commands - hiveConf.setVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST, "set,dfs"); - // remove restrictions on the variables that can be set using set command hiveConf.setIsModWhiteListEnabled(false); diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java new file mode 100644 index 0000000..e009c31 --- /dev/null +++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java 
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
+
+import java.util.List;
+
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+
+/**
+ * Extends SQLStdHiveAuthorizationValidator to relax the restriction of not
+ * being able to run dfs,set commands. To be used for testing purposes only!
+ */
+@Private
+public class SQLStdHiveAuthorizationValidatorForTest extends SQLStdHiveAuthorizationValidator {
+
+ public SQLStdHiveAuthorizationValidatorForTest(HiveMetastoreClientFactory metastoreClientFactory,
+ HiveConf conf, HiveAuthenticationProvider authenticator,
+ SQLStdHiveAccessController privController) {
+ super(metastoreClientFactory, conf, authenticator, privController);
+ }
+
+ @Override
+ public void checkPrivileges(HiveOperationType hiveOpType, List inputHObjs,
+ List outputHObjs) throws HiveAuthzPluginException,
+ HiveAccessControlException {
+ switch (hiveOpType) {
+ case DFS:
+ case SET:
+ // allow SET and DFS commands to be used during testing
+ return;
+ default:
+ super.checkPrivileges(hiveOpType, inputHObjs, outputHObjs);
+ }
+
+ }
+
+}
diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java
index 89e18b3..3395513 100644
--- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java
+++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java
@@ -35,7 +35,7 @@ public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreC
 new SQLStdHiveAccessControllerForTest(metastoreClientFactory, conf, authenticator);
 return new HiveAuthorizerImpl(
 privilegeManager,
- new SQLStdHiveAuthorizationValidator(metastoreClientFactory, conf, authenticator,
+ new SQLStdHiveAuthorizationValidatorForTest(metastoreClientFactory, conf, authenticator,
 privilegeManager)
 );
 }
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/processors/AddResourceProcessor.java b/ql/src/java/org/apache/hadoop/hive/ql/processors/AddResourceProcessor.java
index 0532666..0558c53 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/processors/AddResourceProcessor.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/processors/AddResourceProcessor.java @@ -24,6 +24,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.hive.ql.parse.VariableSubstitution; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; import org.apache.hadoop.hive.ql.session.SessionState; import org.apache.hadoop.hive.ql.session.SessionState.LogHelper; @@ -37,9 +38,11 @@ .getName()); public static final LogHelper console = new LogHelper(LOG); + @Override public void init() { } + @Override public CommandProcessorResponse run(String command) { SessionState ss = SessionState.get(); command = new VariableSubstitution().substitute(ss.getConf(),command); @@ -52,11 +55,19 @@ public CommandProcessorResponse run(String command) { + "] []*"); return new CommandProcessorResponse(1); } + + CommandProcessorResponse authErrResp = + CommandUtil.authorizeCommand(ss, HiveOperationType.ADD, Arrays.asList(tokens)); + if(authErrResp != null){ + // there was an authorization issue + return authErrResp; + } + try { ss.add_resources(t, Arrays.asList(Arrays.copyOfRange(tokens, 1, tokens.length))); } catch (Exception e) { - return new CommandProcessorResponse(1, e.getMessage(), null); + return CommandProcessorResponse.create(e); } return new CommandProcessorResponse(0); } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorResponse.java b/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorResponse.java index f29a409..7c173d3 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorResponse.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorResponse.java 
@@ -27,12 +27,12 @@ * is not 0. */ public class CommandProcessorResponse { - private int responseCode; - private String errorMessage; - private String SQLState; - private Schema resSchema; + private final int responseCode; + private final String errorMessage; + private final String SQLState; + private final Schema resSchema; - private Throwable exception; + private final Throwable exception; public CommandProcessorResponse(int responseCode) { this(responseCode, null, null, null, null); @@ -50,6 +50,18 @@ public CommandProcessorResponse(int responseCode, String errorMessage, String SQ this(responseCode, errorMessage, SQLState, schema, null); } + /** + * Create CommandProcessorResponse object indicating an error. + * Creates new CommandProcessorResponse with responseCode=1, and sets message + * from exception argument + * + * @param e + * @return + */ + public static CommandProcessorResponse create(Exception e) { + return new CommandProcessorResponse(1, e.getMessage(), null); + } + public CommandProcessorResponse(int responseCode, String errorMessage, String SQLState, Schema schema, Throwable exception) { this.responseCode = responseCode; diff --git a/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java b/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java new file mode 100644 index 0000000..7eceb21 --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java 
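Review bot: `create(Exception e)` drops the exception it is handed: it delegates to the three-argument constructor, so the new `final Throwable exception` field stays null, and the callers switched to `create(e)` in this commit (AddResourceProcessor, CompileProcessor) can no longer recover the cause from the response. The five-argument constructor already accepts a Throwable, so `return new CommandProcessorResponse(1, e.getMessage(), null, null, e);` keeps the message while preserving the cause for whoever reads `exception` downstream. The Javadoc tags are empty; `@param e the failure to report, whose message becomes the error message` and `@return a response with responseCode 1 and no SQLState or schema` would make the contract explicit.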
@@ -0,0 +1,75 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.processors;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.session.SessionState;
+
+class CommandUtil {
+
+ /**
+ * Authorize command of given type and arguments
+ *
+ * @param ss
+ * @param type
+ * @param command
+ * @return null if there was no authorization error.
Otherwise returns CommandProcessorResponse + * capturing the authorization error + */ + static CommandProcessorResponse authorizeCommand(SessionState ss, HiveOperationType type, + List command) { + if (ss == null) { + // ss can be null in unit tests + return null; + } + if (ss.isAuthorizationModeV2()) { + try { + authorizeCommandThrowEx(ss, type, command); + // authorized to perform action + return null; + } catch (HiveAuthzPluginException e) { + return CommandProcessorResponse.create(e); + } catch (HiveAccessControlException e) { + return CommandProcessorResponse.create(e); + } + } + return null; + } + /** + * Authorize command. Throws exception if the check fails + * @param ss + * @param type + * @param command + * @throws HiveAuthzPluginException + * @throws HiveAccessControlException + */ + static void authorizeCommandThrowEx(SessionState ss, HiveOperationType type, + List command) throws HiveAuthzPluginException, HiveAccessControlException { + HivePrivilegeObject commandObj = HivePrivilegeObject.createHivePrivilegeObject(command); + ss.getAuthorizerV2().checkPrivileges(type, Arrays.asList(commandObj), null); + } + + +} diff --git a/ql/src/java/org/apache/hadoop/hive/ql/processors/CompileProcessor.java b/ql/src/java/org/apache/hadoop/hive/ql/processors/CompileProcessor.java index 8b8475b..25ce168 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/processors/CompileProcessor.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/processors/CompileProcessor.java @@ -23,6 +23,7 @@ import java.io.FileOutputStream; import java.io.IOException; import java.nio.charset.Charset; +import java.util.Arrays; import java.util.StringTokenizer; import java.util.concurrent.atomic.AtomicInteger; 
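Review bot: authorizeCommand fails open: a null `ss` returns null, meaning "authorized", on the strength of a comment that this only happens in unit tests, and a session not in authorization mode V2 is waved through the same way, so a processor that reaches this helper without a session state runs the command unchecked. If the null case is genuinely test-only, say so where it matters, e.g. replace the comment with `// ss is null only in unit tests; production callers must have a SessionState, otherwise this check is skipped`, or let the caller refuse, given that ResetProcessor and the resource processors dereference ss around this call anyway. Separately, authorizeCommandThrowEx passes `null` as the output-object list while Operation2Privilege in this commit requires ADMIN_PRIV_AR on both input and output for DFS/ADD/DELETE/COMPILE; unless the validator treats a null output list as empty, the output half of that mapping is never evaluated, and a comment on the call such as `// the command params are the only input object; command processors have no output objects` should record that intent. The empty `@param` tags on both methods could state that `command` is the tokenized command line that becomes the COMMAND_PARAMS privilege object.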
@@ -34,6 +35,7 @@ import org.apache.hadoop.hive.ql.CommandNeedRetryException; import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.ql.parse.VariableSubstitution; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; import org.apache.hadoop.hive.ql.session.SessionState; import org.apache.hadoop.hive.ql.session.SessionState.LogHelper; import org.apache.hadoop.hive.ql.session.SessionState.ResourceType; @@ -107,18 +109,27 @@ public void init() { @Override public CommandProcessorResponse run(String command) throws CommandNeedRetryException { SessionState ss = SessionState.get(); - myId = runCount.getAndIncrement(); this.command = command; + + CommandProcessorResponse authErrResp = + CommandUtil.authorizeCommand(ss, HiveOperationType.COMPILE, Arrays.asList(command)); + if(authErrResp != null){ + // there was an authorization issue + return authErrResp; + } + + myId = runCount.getAndIncrement(); + try { parse(ss); } catch (CompileProcessorException e) { - return new CommandProcessorResponse(1, e.getMessage(), null); + return CommandProcessorResponse.create(e); } CommandProcessorResponse result = null; try { result = compile(ss); } catch (CompileProcessorException e) { - result = new CommandProcessorResponse(1, e.getMessage(), null); + return CommandProcessorResponse.create(e); } return result; } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/processors/DeleteResourceProcessor.java b/ql/src/java/org/apache/hadoop/hive/ql/processors/DeleteResourceProcessor.java index bfac5f8..9052c82 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/processors/DeleteResourceProcessor.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/processors/DeleteResourceProcessor.java 
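Review bot: The authorization call wraps the whole `command` string as a single-element list, whereas AddResourceProcessor, DeleteResourceProcessor and DfsProcessor pass the tokenized arguments; because assertNoMissingPrivilege embeds `hivePrivObject` in the denial text, a denied COMPILE will echo the complete source of the compile block back in the error message. If passing the raw text is deliberate (the body is code, not arguments), a comment on the call, `// the whole compile body is the single command parameter; it is echoed in the denial message`, makes that explicit. Moving `myId = runCount.getAndIncrement()` below the check also changes the counter to "compiles that passed authorization", which deserves a note if anything reads it.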
@@ -24,6 +24,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.hive.ql.parse.VariableSubstitution; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; import org.apache.hadoop.hive.ql.session.SessionState; import org.apache.hadoop.hive.ql.session.SessionState.LogHelper; @@ -36,9 +37,11 @@ public static final Log LOG = LogFactory.getLog(DeleteResourceProcessor.class.getName()); public static final LogHelper console = new LogHelper(LOG); + @Override public void init() { } + @Override public CommandProcessorResponse run(String command) { SessionState ss = SessionState.get(); command = new VariableSubstitution().substitute(ss.getConf(),command); @@ -52,7 +55,12 @@ public CommandProcessorResponse run(String command) { + "] []*"); return new CommandProcessorResponse(1); } - + CommandProcessorResponse authErrResp = + CommandUtil.authorizeCommand(ss, HiveOperationType.DELETE, Arrays.asList(tokens)); + if(authErrResp != null){ + // there was an authorization issue + return authErrResp; + } if (tokens.length >= 2) { ss.delete_resources(t, Arrays.asList(Arrays.copyOfRange(tokens, 1, tokens.length))); } else { diff --git a/ql/src/java/org/apache/hadoop/hive/ql/processors/DfsProcessor.java b/ql/src/java/org/apache/hadoop/hive/ql/processors/DfsProcessor.java index d343a3c..cc0414d 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/processors/DfsProcessor.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/processors/DfsProcessor.java @@ -19,6 +19,7 @@ package org.apache.hadoop.hive.ql.processors; import java.io.PrintStream; +import java.util.Arrays; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; 
@@ -27,6 +28,7 @@ import org.apache.hadoop.hive.metastore.api.FieldSchema; import org.apache.hadoop.hive.metastore.api.Schema; import org.apache.hadoop.hive.ql.parse.VariableSubstitution; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; import org.apache.hadoop.hive.ql.session.SessionState; import org.apache.hadoop.hive.ql.session.SessionState.LogHelper; @@ -53,9 +55,11 @@ public DfsProcessor(Configuration conf, boolean addSchema) { dfsSchema.addToFieldSchemas(new FieldSchema(DFS_RESULT_HEADER, "string", "")); } + @Override public void init() { } + @Override public CommandProcessorResponse run(String command) { @@ -64,6 +68,13 @@ public CommandProcessorResponse run(String command) { command = new VariableSubstitution().substitute(ss.getConf(),command); String[] tokens = command.split("\\s+"); + CommandProcessorResponse authErrResp = + CommandUtil.authorizeCommand(ss, HiveOperationType.DFS, Arrays.asList(tokens)); + if(authErrResp != null){ + // there was an authorization issue + return authErrResp; + } + PrintStream oldOut = System.out; if (ss != null && ss.out != null) { diff --git a/ql/src/java/org/apache/hadoop/hive/ql/processors/ResetProcessor.java b/ql/src/java/org/apache/hadoop/hive/ql/processors/ResetProcessor.java index b8ecfad..e67422b 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/processors/ResetProcessor.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/processors/ResetProcessor.java 
@@ -18,17 +18,30 @@ package org.apache.hadoop.hive.ql.processors; +import java.util.Arrays; + import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.ql.CommandNeedRetryException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; import org.apache.hadoop.hive.ql.session.SessionState; public class ResetProcessor implements CommandProcessor { + @Override public void init() { } + @Override public CommandProcessorResponse run(String command) throws CommandNeedRetryException { SessionState ss = SessionState.get(); + + CommandProcessorResponse authErrResp = + CommandUtil.authorizeCommand(ss, HiveOperationType.RESET, Arrays.asList(command)); + if(authErrResp != null){ + // there was an authorization issue + return authErrResp; + } + if (ss.getOverriddenConfigurations().isEmpty()) { return new CommandProcessorResponse(0); } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java index 0537b92..81366e3 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java @@ -114,7 +114,12 @@ ALTERVIEW_RENAME, ALTERTABLE_COMPACT, SHOW_COMPACTIONS, - SHOW_TRANSACTIONS - + SHOW_TRANSACTIONS, + SET, + RESET, + DFS, + ADD, + DELETE, + COMPILE } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java index db57cb6..8cdff5b 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java 
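Review bot: Immediately after `CommandUtil.authorizeCommand`, which tolerates a null `ss` for unit tests, run() calls `ss.getOverriddenConfigurations()` unguarded, so the helper's null-tolerance buys nothing here and a missing session state still ends in a NullPointerException after the check was silently skipped. Either guard it, `if (ss == null) { return new CommandProcessorResponse(1, "No SessionState for reset", null); }`, before the authorization call, or drop the "unit tests" accommodation in the helper; the current mix hides which behaviour is intended. run() continues past the end of this hunk.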
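Review bot: The six new constants SET, RESET, DFS, ADD, DELETE and COMPILE appear to be the first entries of this enum without a counterpart in HiveOperation (the commit removes the equal-count assertion from TestHiveOperationType for that reason), but nothing in the enum records this. A comment above them, `// command-processor commands (set, reset, dfs, add, delete, compile); these have no HiveOperation equivalent and are authorized via CommandUtil`, keeps the next maintainer from "restoring" the count check or looking for a matching HiveOperation.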
@@ -17,8 +17,11 @@ */ package org.apache.hadoop.hive.ql.security.authorization.plugin; +import java.util.List; + import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate; import org.apache.hadoop.hive.common.classification.InterfaceStability.Unstable; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; /** * Represents the object on which privilege is being granted/revoked @@ -41,6 +44,9 @@ public String toString() { case DFS_URI: name = tableviewname; break; + case COMMAND_PARAMS: + name = commandParams.toString(); + break; case PARTITION: break; } @@ -49,7 +55,7 @@ public String toString() { } public enum HivePrivilegeObjectType { - DATABASE, TABLE_OR_VIEW, PARTITION, LOCAL_URI, DFS_URI + DATABASE, TABLE_OR_VIEW, PARTITION, LOCAL_URI, DFS_URI, COMMAND_PARAMS }; public enum HivePrivObjectActionType { @@ -58,6 +64,7 @@ public String toString() { private final HivePrivilegeObjectType type; private final String dbname; private final String tableviewname; + private final List commandParams; private final HivePrivObjectActionType actionType; public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI){ 
@@ -66,10 +73,26 @@ public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String t public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI, HivePrivObjectActionType actionType) { + this(type, dbname, tableViewURI, actionType, null); + } + + /** + * Create HivePrivilegeObject of type {@link HivePrivilegeObjectType.COMMAND_PARAMS} + * @param cmdParams + * @return + */ + public static HivePrivilegeObject createHivePrivilegeObject(List cmdParams) { + return new HivePrivilegeObject(HivePrivilegeObjectType.COMMAND_PARAMS, null, null, null, + cmdParams); + } + + public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI, + HivePrivObjectActionType actionType, List commandParams) { this.type = type; this.dbname = dbname; this.tableviewname = tableViewURI; this.actionType = actionType; + this.commandParams = commandParams; } public HivePrivilegeObjectType getType() { @@ -87,4 +110,8 @@ public String getTableViewURI() { public HivePrivObjectActionType getActionType() { return actionType; } + + public List getCommandParams() { + return commandParams; + } } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java index f99109b..1ac6cab 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java 
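Review bot: The new five-argument constructor stores `commandParams` by reference and getCommandParams() returns the same list, so a COMMAND_PARAMS object is not immutable like the rest of the class; the callers in this commit pass `Arrays.asList(tokens)`, a write-through view of the processor's token array, so a plugin that mutated the list would alter the command executed after the check. A defensive copy in the constructor, `this.commandParams = commandParams == null ? null : Collections.unmodifiableList(new ArrayList<String>(commandParams));` (with the matching java.util imports; element type assumed to be String since callers pass tokens), closes that. Two nits on the same file: the import hunk adds `import ...plugin.HivePrivilegeObject.HivePrivilegeObjectType;` for a type nested in this very class, which is redundant, and the Javadoc `{@link HivePrivilegeObjectType.COMMAND_PARAMS}` needs `#` to resolve, `{@link HivePrivilegeObjectType#COMMAND_PARAMS}`.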
@@ -23,6 +23,7 @@ import org.apache.hadoop.hive.metastore.IMetaStoreClient; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; @@ -45,12 +46,14 @@ static void authorize(List hivePrincipals, List hi RequiredPrivileges reqPrivs = getGrantRequiredPrivileges(hivePrivileges); // check if this user has necessary privileges (reqPrivs) on this object - checkRequiredPrivileges(reqPrivs, hivePrivObject, metastoreClient, userName, curRoles, isAdmin); + checkRequiredPrivileges(reqPrivs, hivePrivObject, metastoreClient, userName, curRoles, isAdmin, + HiveOperationType.GRANT_PRIVILEGE); } private static void checkRequiredPrivileges( RequiredPrivileges reqPrivileges, HivePrivilegeObject hivePrivObject, - IMetaStoreClient metastoreClient, String userName, List curRoles, boolean isAdmin) + IMetaStoreClient metastoreClient, String userName, List curRoles, boolean isAdmin, + HiveOperationType opType) throws HiveAuthzPluginException, HiveAccessControlException { // keep track of the principals on which privileges have been checked for @@ -63,7 +66,7 @@ private static void checkRequiredPrivileges( // check if required privileges is subset of available privileges Collection missingPrivs = reqPrivileges.findMissingPrivs(availPrivs); SQLAuthorizationUtils.assertNoMissingPrivilege(missingPrivs, new HivePrincipal(userName, - HivePrincipalType.USER), hivePrivObject); + HivePrincipalType.USER), hivePrivObject, opType); } private static RequiredPrivileges getGrantRequiredPrivileges(List hivePrivileges) 
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java index 151df6a..4a3d8a7 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java @@ -310,6 +310,19 @@ private HivePrivObjectActionType getActionType() { (null, ADMIN_PRIV_AR)); op2Priv.put(HiveOperationType.DESCDATABASE, PrivRequirement.newIOPrivRequirement (null, null)); + op2Priv.put(HiveOperationType.DFS, PrivRequirement.newIOPrivRequirement +(ADMIN_PRIV_AR, ADMIN_PRIV_AR)); + op2Priv.put(HiveOperationType.RESET, PrivRequirement.newIOPrivRequirement +(null, null)); + op2Priv.put(HiveOperationType.COMPILE, PrivRequirement.newIOPrivRequirement +(ADMIN_PRIV_AR, ADMIN_PRIV_AR)); + op2Priv.put(HiveOperationType.ADD, PrivRequirement.newIOPrivRequirement +(ADMIN_PRIV_AR, ADMIN_PRIV_AR)); + op2Priv.put(HiveOperationType.DELETE, PrivRequirement.newIOPrivRequirement +(ADMIN_PRIV_AR, ADMIN_PRIV_AR)); + // set command is currently not authorized through the API + op2Priv.put(HiveOperationType.SET, PrivRequirement.newIOPrivRequirement +(null, null)); // The following actions are authorized through SQLStdHiveAccessController, // and it is not using this privilege mapping, but it might make sense to move it here @@ -332,11 +345,10 @@ private HivePrivObjectActionType getActionType() { op2Priv.put(HiveOperationType.SHOW_ROLES, PrivRequirement.newIOPrivRequirement (null, null)); op2Priv.put(HiveOperationType.SHOW_ROLE_GRANT, PrivRequirement.newIOPrivRequirement -(null, - null)); +(null, null)); op2Priv.put(HiveOperationType.SHOW_ROLE_PRINCIPALS, PrivRequirement.newIOPrivRequirement -(null, - null)); +(null, null)); + } 
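Review bot: RESET is mapped to `(null, null)` next to SET, but the comment only explains SET ("currently not authorized through the API"); ResetProcessor in this commit does call the authorizer, so the RESET entry is live and the reason it needs no privilege is undocumented. A comment above it, `// reset needs no privilege: it only reverts session-level overrides -- TODO confirm it cannot undo settings applied by applyAuthorizationConfigPolicy`, records the rationale and the open question instead of leaving the null mapping to look like an oversight.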
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java index beb45f5..6b635ce 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java @@ -53,6 +53,7 @@ import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; @@ -348,7 +349,7 @@ private static void addRequiredPrivs(RequiredPrivileges reqPrivs, } public static void assertNoMissingPrivilege(Collection missingPrivs, - HivePrincipal hivePrincipal, HivePrivilegeObject hivePrivObject) + HivePrincipal hivePrincipal, HivePrivilegeObject hivePrivObject, HiveOperationType opType) throws HiveAccessControlException { if (missingPrivs.size() != 0) { // there are some required privileges missing, create error message @@ -357,7 +358,8 @@ public static void assertNoMissingPrivilege(Collection missing Collections.sort(sortedmissingPrivs); String errMsg = "Permission denied. " + hivePrincipal - + " does not have following privileges on " + hivePrivObject + " : " + sortedmissingPrivs; + + " does not have following privileges on " + hivePrivObject + + " for operation " + opType + " : " + sortedmissingPrivs; throw new HiveAccessControlException(errMsg.toString()); } } 
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java index f2a4004..74e9459 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java @@ -677,9 +677,6 @@ public void applyAuthorizationConfigPolicy(HiveConf hiveConf) { LOG.debug("Configuring hooks : " + hooks); hiveConf.setVar(ConfVars.PREEXECHOOKS, hooks); - // set security command list to only allow set command - hiveConf.setVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST, "set"); - // restrict the variables that can be set using set command to a list in whitelist hiveConf.setIsModWhiteListEnabled(true); String whiteListParamsStr = hiveConf.getVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST); diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java index 8937cfa..d86d8bf 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java 
@@ -34,7 +34,6 @@
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.Operation2Privilege.IOType;
 public class SQLStdHiveAuthorizationValidator implements HiveAuthorizationValidator {
@@ -80,6 +79,10 @@ private void checkPrivileges(HiveOperationType hiveOpType,
       List missingPriv = requiredPrivs.findMissingPrivs(availPrivs);
       SQLAuthorizationUtils.assertNoMissingPrivilege(missingPriv, new HivePrincipal(userName,
-          HivePrincipalType.USER), hiveObj);
+          HivePrincipalType.USER), hiveObj, hiveOpType);
     }
   }
diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveOperationType.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveOperationType.java
index b990cb2..8417655 100644
--- a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveOperationType.java
+++ b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveOperationType.java
@@ -17,7 +17,7 @@
  */
 package org.apache.hadoop.hive.ql.security.authorization.plugin;
-import static org.junit.Assert.*;
+import static org.junit.Assert.fail;
 import org.apache.hadoop.hive.ql.plan.HiveOperation;
 import org.junit.Test;
@@ -40,8 +40,6 @@ public void checkHiveOperationTypeMatch(){
         fail("Unable to find corresponding type in HiveOperationType for " + op + " : " + ex );
       }
     }
-    assertEquals("Check if HiveOperation, HiveOperationType have same number of instances",
-        HiveOperation.values().length, HiveOperationType.values().length);
   }
 }
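Review bot: Dropping the `assertEquals(..., HiveOperation.values().length, HiveOperationType.values().length)` check leaves checkHiveOperationTypeMatch verifying only one direction: every HiveOperation still has to map to a HiveOperationType, but a HiveOperationType with no HiveOperation counterpart is no longer detected. If the two enums are now intentionally allowed to differ in size (the expected outputs in this commit suggest new operation types such as DFS, ADD, DELETE and COMPILE that have no HiveOperation equivalent — inferred, not visible in this hunk), record that in a comment such as `// HiveOperationType may contain entries with no HiveOperation counterpart, so the two enums are not required to have the same size`; otherwise replace the cardinality check with a reverse-direction loop. The enclosing test method starts outside the hunk.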
diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessController.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessController.java
index 06f9258..226b16e 100644
--- a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessController.java
+++ b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessController.java
@@ -17,7 +17,6 @@
  */
 package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
-import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
@@ -42,17 +41,13 @@
  * @throws HiveAuthzPluginException
  */
 @Test
-  public void checkConfigProcessing() throws HiveAuthzPluginException {
+  public void testConfigProcessing() throws HiveAuthzPluginException {
     HiveConf processedConf = new HiveConf();
     SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null,
         processedConf, new HadoopDefaultAuthenticator());
     accessController.applyAuthorizationConfigPolicy(processedConf);
-    // check that unsafe commands have been disabled
-    assertEquals("only set command should be allowed",
-        processedConf.getVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST), "set");
-
     // check that hook to disable transforms has been added
     assertTrue("Check for transform query disabling hook",
         processedConf.getVar(ConfVars.PREEXECHOOKS).contains(DisallowTransformHook.class.getName()));
@@ -90,7 +85,7 @@ private void verifyParamSettability(String [] settableParams, HiveConf processed
  * @throws HiveAuthzPluginException
  */
 @Test
-  public void checkConfigProcessingCustomSetWhitelist() throws HiveAuthzPluginException {
+  public void testConfigProcessingCustomSetWhitelist() throws HiveAuthzPluginException {
     HiveConf processedConf = new HiveConf();
     // add custom value, including one from the default, one new one
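Review bot: Removing the assertEquals on HIVE_SECURITY_COMMAND_WHITELIST leaves testConfigProcessing with no check on the command whitelist at all; since the production change in this commit is precisely that applyAuthorizationConfigPolicy stops touching that setting, a regression that silently re-narrows or widens it would pass this test. Consider capturing `String whitelistBefore = processedConf.getVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST);` before the call and asserting it is unchanged afterwards, or state in a comment why the value is deliberately not inspected any more. The rename to a `test` prefix is consistent with testConfigProcessingCustomSetWhitelist further down.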
diff --git a/ql/src/test/queries/clientnegative/authorization_addjar.q b/ql/src/test/queries/clientnegative/authorization_addjar.q
index a1709da..aad703c 100644
--- a/ql/src/test/queries/clientnegative/authorization_addjar.q
+++ b/ql/src/test/queries/clientnegative/authorization_addjar.q
@@ -1,7 +1,4 @@
 set hive.security.authorization.enabled=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
--- running a sql query to initialize the authorization - not needed in real HS2 mode
-show tables;
-
-add jar ${system:maven.local.repository}/org/apache/hive/hcatalog/hive-hcatalog-core/${system:hive.version}/hive-hcatalog-core-${system:hive.version}.jar;
+add jar dummy.jar
diff --git a/ql/src/test/queries/clientnegative/authorization_compile.q b/ql/src/test/queries/clientnegative/authorization_compile.q
new file mode 100644
index 0000000..857306b
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_compile.q
@@ -0,0 +1,7 @@
+set hive.security.authorization.enabled=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+
+COMPILE `dummy code ` AS groovy NAMED something.groovy;
+
+
+
diff --git a/ql/src/test/queries/clientnegative/authorization_deletejar.q b/ql/src/test/queries/clientnegative/authorization_deletejar.q
new file mode 100644
index 0000000..f2e95d2
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_deletejar.q
@@ -0,0 +1,5 @@
+set hive.security.authorization.enabled=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+
+delete jar dummy.jar
+
diff --git a/ql/src/test/queries/clientnegative/authorization_dfs.q b/ql/src/test/queries/clientnegative/authorization_dfs.q
index 7d47a7b..9dc8a64 100644
--- a/ql/src/test/queries/clientnegative/authorization_dfs.q
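Review bot: The new statements `add jar dummy.jar` in authorization_addjar.q and `delete jar dummy.jar` in authorization_deletejar.q lack the terminating `;` that every other statement in these files carries, including `COMPILE ... ;` in authorization_compile.q and `dfs -ls dummy_file;` in authorization_dfs.q. The test driver evidently still runs them (the expected outputs added in this commit show the denial), but the inconsistency is easy to trip over when another statement is appended after them later. `add jar dummy.jar;` and `delete jar dummy.jar;` keep the files uniform.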
+++ b/ql/src/test/queries/clientnegative/authorization_dfs.q
@@ -1,7 +1,4 @@
 set hive.security.authorization.enabled=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
--- running a sql query to initialize the authorization - not needed in real HS2 mode
-show tables;
-dfs -ls ${system:test.tmp.dir}/
-
+dfs -ls dummy_file;
diff --git a/ql/src/test/queries/clientpositive/authorization_admin_almighty2.q b/ql/src/test/queries/clientpositive/authorization_admin_almighty2.q
new file mode 100644
index 0000000..ce99670
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/authorization_admin_almighty2.q
@@ -0,0 +1,32 @@
+set hive.users.in.admin.role=hive_admin_user;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+
+-- test commands such as dfs,add,delete,compile allowed only by admin user, after following statement
+use default;
+
+set role admin;
+
+dfs ${system:test.dfs.mkdir} ${system:test.tmp.dir}/a_admin_almighty1;
+dfs -ls ${system:test.tmp.dir}/a_admin_almighty1;
+
+create table a_table1(a int, b int);
+add jar ${system:maven.local.repository}/org/apache/hive/hive-it-test-serde/${system:hive.version}/hive-it-test-serde-${system:hive.version}.jar;
+alter table a_table1 set serde 'org.apache.hadoop.hive.serde2.TestSerDe' with serdeproperties('s1'='9');
+drop table a_table;
+
+delete jar ${system:maven.local.repository}/org/apache/hive/hive-it-test-serde/${system:hive.version}/hive-it-test-serde-${system:hive.version}.jar;
+
+compile `import org.apache.hadoop.hive.ql.exec.UDF \;
+public class Pyth extends UDF {
+  public double evaluate(double a, double b){
+    return Math.sqrt((a*a) + (b*b)) \;
+  }
+} `AS GROOVY NAMED Pyth.groovy;
+CREATE TEMPORARY FUNCTION Pyth as 'Pyth';
+
+SELECT Pyth(3,4) FROM src tablesample (1 rows);
+
+DROP TEMPORARY FUNCTION Pyth;
+
diff --git a/ql/src/test/queries/clientpositive/authorization_reset.q b/ql/src/test/queries/clientpositive/authorization_reset.q
new file mode 100644
index 0000000..aa2c1fb
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/authorization_reset.q
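Review bot: `drop table a_table;` does not match the table created a few lines above, `create table a_table1(a int, b int);`, so unless hive.exec.drop.ignorenonexistent has been switched off the statement drops nothing, a_table1 is left behind for the rest of the test run, and the drop path is never exercised as admin. Change it to `drop table a_table1;`. The header comment says the admin-only commands are allowed "after following statement", but the admin role is only taken by `set role admin;` two statements further down; moving the comment directly above `set role admin;` would make the intent unambiguous.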
@@ -0,0 +1,8 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set hive.security.authorization.enabled=true;
+
+set hive.metastore.server.min.threads=101;
+set hive.metastore.server.min.threads;
+reset;
+set hive.metastore.server.min.threads;
diff --git a/ql/src/test/results/clientnegative/authorization_addjar.q.out b/ql/src/test/results/clientnegative/authorization_addjar.q.out
index d206dca..68c3c60 100644
--- a/ql/src/test/results/clientnegative/authorization_addjar.q.out
+++ b/ql/src/test/results/clientnegative/authorization_addjar.q.out
@@ -1,16 +1 @@
-PREHOOK: query: -- running a sql query to initialize the authorization - not needed in real HS2 mode
-show tables
-PREHOOK: type: SHOWTABLES
-POSTHOOK: query: -- running a sql query to initialize the authorization - not needed in real HS2 mode
-show tables
-POSTHOOK: type: SHOWTABLES
-alltypesorc
-src
-src1
-src_json
-src_sequencefile
-src_thrift
-srcbucket
-srcbucket2
-srcpart
-Failed processing command add Insufficient privileges to execute add
+Query returned non-zero code: 1, cause: Permission denied. Principal [name=hive_test_user, type=USER] does not have following privileges on Object [type=COMMAND_PARAMS, name=[jar, dummy.jar]] for operation ADD : [ADMIN PRIVILEGE]
diff --git a/ql/src/test/results/clientnegative/authorization_addpartition.q.out b/ql/src/test/results/clientnegative/authorization_addpartition.q.out
index 6331ae2..a14080a 100644
--- a/ql/src/test/results/clientnegative/authorization_addpartition.q.out
+++ b/ql/src/test/results/clientnegative/authorization_addpartition.q.out
@@ -7,4 +7,4 @@ create table tpart(i int, j int) partitioned by (k string)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: database:default
 POSTHOOK: Output: default@tpart
-FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.tpart] : [INSERT]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.tpart] for operation ALTERTABLE_ADDPARTS : [INSERT]
diff --git a/ql/src/test/results/clientnegative/authorization_alter_db_owner.q.out b/ql/src/test/results/clientnegative/authorization_alter_db_owner.q.out
index 550cbcc..928e9f5 100644
--- a/ql/src/test/results/clientnegative/authorization_alter_db_owner.q.out
+++ b/ql/src/test/results/clientnegative/authorization_alter_db_owner.q.out
@@ -6,4 +6,4 @@ PREHOOK: type: CREATEDATABASE
 create database dbao
 POSTHOOK: type: CREATEDATABASE
-FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=DATABASE, name=dbao] : [ADMIN PRIVILEGE]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=DATABASE, name=dbao] for operation ALTERDATABASE_OWNER : [ADMIN PRIVILEGE]
diff --git a/ql/src/test/results/clientnegative/authorization_alter_db_owner_default.q.out b/ql/src/test/results/clientnegative/authorization_alter_db_owner_default.q.out
index 4df868e..d4a617e 100644
--- a/ql/src/test/results/clientnegative/authorization_alter_db_owner_default.q.out
+++ b/ql/src/test/results/clientnegative/authorization_alter_db_owner_default.q.out
@@ -1 +1 @@
-FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=DATABASE, name=default] : [ADMIN PRIVILEGE]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=DATABASE, name=default] for operation ALTERDATABASE_OWNER : [ADMIN PRIVILEGE]
diff --git a/ql/src/test/results/clientnegative/authorization_compile.q.out b/ql/src/test/results/clientnegative/authorization_compile.q.out
new file mode 100644
index 0000000..cf5e4d1
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_compile.q.out
@@ -0,0 +1 @@
+Query returned non-zero code: 1, cause: Permission denied. Principal [name=hive_test_user, type=USER] does not have following privileges on Object [type=COMMAND_PARAMS, name=[`dummy code ` AS groovy NAMED something.groovy]] for operation COMPILE : [ADMIN PRIVILEGE]
diff --git a/ql/src/test/results/clientnegative/authorization_create_func1.q.out b/ql/src/test/results/clientnegative/authorization_create_func1.q.out
index 7c72092..8863e91 100644
--- a/ql/src/test/results/clientnegative/authorization_create_func1.q.out
+++ b/ql/src/test/results/clientnegative/authorization_create_func1.q.out
@@ -1 +1 @@
-FAILED: HiveAccessControlException Permission denied. Principal [name=hive_test_user, type=USER] does not have following privileges on Object [type=DATABASE, name=default] : [ADMIN PRIVILEGE]
+FAILED: HiveAccessControlException Permission denied. Principal [name=hive_test_user, type=USER] does not have following privileges on Object [type=DATABASE, name=default] for operation CREATEFUNCTION : [ADMIN PRIVILEGE]
diff --git a/ql/src/test/results/clientnegative/authorization_create_func2.q.out b/ql/src/test/results/clientnegative/authorization_create_func2.q.out
index 7c72092..8863e91 100644
--- a/ql/src/test/results/clientnegative/authorization_create_func2.q.out
+++ b/ql/src/test/results/clientnegative/authorization_create_func2.q.out
@@ -1 +1 @@
-FAILED: HiveAccessControlException Permission denied. Principal [name=hive_test_user, type=USER] does not have following privileges on Object [type=DATABASE, name=default] : [ADMIN PRIVILEGE]
+FAILED: HiveAccessControlException Permission denied. Principal [name=hive_test_user, type=USER] does not have following privileges on Object [type=DATABASE, name=default] for operation CREATEFUNCTION : [ADMIN PRIVILEGE]
diff --git a/ql/src/test/results/clientnegative/authorization_create_macro1.q.out b/ql/src/test/results/clientnegative/authorization_create_macro1.q.out
index 7c72092..e4d410c 100644
--- a/ql/src/test/results/clientnegative/authorization_create_macro1.q.out
+++ b/ql/src/test/results/clientnegative/authorization_create_macro1.q.out
@@ -1 +1 @@
-FAILED: HiveAccessControlException Permission denied. Principal [name=hive_test_user, type=USER] does not have following privileges on Object [type=DATABASE, name=default] : [ADMIN PRIVILEGE]
+FAILED: HiveAccessControlException Permission denied. Principal [name=hive_test_user, type=USER] does not have following privileges on Object [type=DATABASE, name=default] for operation CREATEMACRO : [ADMIN PRIVILEGE]
diff --git a/ql/src/test/results/clientnegative/authorization_createview.q.out b/ql/src/test/results/clientnegative/authorization_createview.q.out
index c86bdfa..3d0d191 100644
--- a/ql/src/test/results/clientnegative/authorization_createview.q.out
+++ b/ql/src/test/results/clientnegative/authorization_createview.q.out
@@ -7,4 +7,4 @@ create table t1(i int)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: database:default
 POSTHOOK: Output: default@t1
-FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [SELECT with grant]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] for operation CREATEVIEW : [SELECT with grant]
diff --git a/ql/src/test/results/clientnegative/authorization_ctas.q.out b/ql/src/test/results/clientnegative/authorization_ctas.q.out
index f8395b7..c9d0130 100644
--- a/ql/src/test/results/clientnegative/authorization_ctas.q.out
+++ b/ql/src/test/results/clientnegative/authorization_ctas.q.out
@@ -7,4 +7,4 @@ create table t1(i int)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: database:default
 POSTHOOK: Output: default@t1
-FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [SELECT]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] for operation CREATETABLE_AS_SELECT : [SELECT]
diff --git a/ql/src/test/results/clientnegative/authorization_deletejar.q.out b/ql/src/test/results/clientnegative/authorization_deletejar.q.out
new file mode 100644
index 0000000..71b11fd
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_deletejar.q.out
@@ -0,0 +1 @@
+Query returned non-zero code: 1, cause: Permission denied. Principal [name=hive_test_user, type=USER] does not have following privileges on Object [type=COMMAND_PARAMS, name=[jar, dummy.jar]] for operation DELETE : [ADMIN PRIVILEGE]
diff --git a/ql/src/test/results/clientnegative/authorization_desc_table_nosel.q.out b/ql/src/test/results/clientnegative/authorization_desc_table_nosel.q.out
index be56d34..4583f56 100644
--- a/ql/src/test/results/clientnegative/authorization_desc_table_nosel.q.out
+++ b/ql/src/test/results/clientnegative/authorization_desc_table_nosel.q.out
@@ -26,4 +26,4 @@ PREHOOK: Output: default@t1
 POSTHOOK: query: revoke select on table t1 from user user2
 POSTHOOK: type: REVOKE_PRIVILEGE
 POSTHOOK: Output: default@t1
-FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [SELECT]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] for operation DESCTABLE : [SELECT]
diff --git a/ql/src/test/results/clientnegative/authorization_dfs.q.out b/ql/src/test/results/clientnegative/authorization_dfs.q.out
index d685e78..e95f563 100644
--- a/ql/src/test/results/clientnegative/authorization_dfs.q.out
+++ b/ql/src/test/results/clientnegative/authorization_dfs.q.out
@@ -1,16 +1 @@
-PREHOOK: query: -- running a sql query to initialize the authorization - not needed in real HS2 mode
-show tables
-PREHOOK: type: SHOWTABLES
-POSTHOOK: query: -- running a sql query to initialize the authorization - not needed in real HS2 mode
-show tables
-POSTHOOK: type: SHOWTABLES
-alltypesorc
-src
-src1
-src_json
-src_sequencefile
-src_thrift
-srcbucket
-srcbucket2
-srcpart
-Failed processing command dfs Insufficient privileges to execute dfs
+Query returned non-zero code: 1, cause: Permission denied. Principal [name=hive_test_user, type=USER] does not have following privileges on Object [type=COMMAND_PARAMS, name=[-ls, dummy_file]] for operation DFS : [ADMIN PRIVILEGE]
diff --git a/ql/src/test/results/clientnegative/authorization_drop_db_cascade.q.out b/ql/src/test/results/clientnegative/authorization_drop_db_cascade.q.out
index 74ab4c8..0bf82fc 100644
--- a/ql/src/test/results/clientnegative/authorization_drop_db_cascade.q.out
+++ b/ql/src/test/results/clientnegative/authorization_drop_db_cascade.q.out
@@ -50,4 +50,4 @@ POSTHOOK: query: show current roles
 POSTHOOK: type: SHOW_ROLES
 public
-FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=dba2.tab2] : [OBJECT OWNERSHIP]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=dba2.tab2] for operation DROPDATABASE : [OBJECT OWNERSHIP]
diff --git a/ql/src/test/results/clientnegative/authorization_drop_db_empty.q.out b/ql/src/test/results/clientnegative/authorization_drop_db_empty.q.out
index bd7447f..93a3f1c 100644
--- a/ql/src/test/results/clientnegative/authorization_drop_db_empty.q.out
+++ b/ql/src/test/results/clientnegative/authorization_drop_db_empty.q.out
@@ -46,4 +46,4 @@ POSTHOOK: query: show current roles
 POSTHOOK: type: SHOW_ROLES
 public
-FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=DATABASE, name=dba2] : [OBJECT OWNERSHIP]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=DATABASE, name=dba2] for operation DROPDATABASE : [OBJECT OWNERSHIP]
diff --git a/ql/src/test/results/clientnegative/authorization_droppartition.q.out b/ql/src/test/results/clientnegative/authorization_droppartition.q.out
index 1da250a..3efabfe 100644
--- a/ql/src/test/results/clientnegative/authorization_droppartition.q.out
+++ b/ql/src/test/results/clientnegative/authorization_droppartition.q.out
@@ -16,4 +16,4 @@ POSTHOOK: type: ALTERTABLE_ADDPARTS
 #### A masked pattern was here ####
 POSTHOOK: Output: default@tpart
 POSTHOOK: Output: default@tpart@k=abc
-FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.tpart] : [DELETE]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.tpart] for operation ALTERTABLE_DROPPARTS : [DELETE]
diff --git a/ql/src/test/results/clientnegative/authorization_grant_table_allpriv.q.out b/ql/src/test/results/clientnegative/authorization_grant_table_allpriv.q.out
index 4aa7058..ab4fd1c 100644
--- a/ql/src/test/results/clientnegative/authorization_grant_table_allpriv.q.out
+++ b/ql/src/test/results/clientnegative/authorization_grant_table_allpriv.q.out
@@ -21,4 +21,4 @@ PREHOOK: query: -- try grant all to user3, without having all privileges
 GRANT ALL ON table_priv_allf TO USER user3
 PREHOOK: type: GRANT_PRIVILEGE
 PREHOOK: Output: default@table_priv_allf
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.table_priv_allf] : [SELECT with grant, UPDATE with grant, DELETE with grant]
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.table_priv_allf] for operation GRANT_PRIVILEGE : [SELECT with grant, UPDATE with grant, DELETE with grant]
diff --git a/ql/src/test/results/clientnegative/authorization_grant_table_fail1.q.out b/ql/src/test/results/clientnegative/authorization_grant_table_fail1.q.out
index f042c1e..0975a9c 100644
--- a/ql/src/test/results/clientnegative/authorization_grant_table_fail1.q.out
+++ b/ql/src/test/results/clientnegative/authorization_grant_table_fail1.q.out
@@ -13,4 +13,4 @@ PREHOOK: query: -- try grant insert to user3 as user2
 GRANT INSERT ON table_priv_gfail1 TO USER user3
 PREHOOK: type: GRANT_PRIVILEGE
 PREHOOK: Output: default@table_priv_gfail1
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.table_priv_gfail1] : [INSERT with grant]
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.table_priv_gfail1] for operation GRANT_PRIVILEGE : [INSERT with grant]
diff --git a/ql/src/test/results/clientnegative/authorization_grant_table_fail_nogrant.q.out b/ql/src/test/results/clientnegative/authorization_grant_table_fail_nogrant.q.out
index a906a70..8e3d71c 100644
--- a/ql/src/test/results/clientnegative/authorization_grant_table_fail_nogrant.q.out
+++ b/ql/src/test/results/clientnegative/authorization_grant_table_fail_nogrant.q.out
@@ -21,4 +21,4 @@ PREHOOK: query: -- try grant insert to user3
 GRANT INSERT ON table_priv_gfail1 TO USER user3
 PREHOOK: type: GRANT_PRIVILEGE
 PREHOOK: Output: default@table_priv_gfail1
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.table_priv_gfail1] : [INSERT with grant]
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.table_priv_gfail1] for operation GRANT_PRIVILEGE : [INSERT with grant]
diff --git a/ql/src/test/results/clientnegative/authorization_insert_noinspriv.q.out b/ql/src/test/results/clientnegative/authorization_insert_noinspriv.q.out
index 8de1104..332d8a4 100644
--- a/ql/src/test/results/clientnegative/authorization_insert_noinspriv.q.out
+++ b/ql/src/test/results/clientnegative/authorization_insert_noinspriv.q.out
@@ -14,4 +14,4 @@ POSTHOOK: query: create table user2tab(i int)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: database:default
 POSTHOOK: Output: default@user2tab
-FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [INSERT]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] for operation QUERY : [INSERT]
diff --git a/ql/src/test/results/clientnegative/authorization_insert_noselectpriv.q.out b/ql/src/test/results/clientnegative/authorization_insert_noselectpriv.q.out
index 46ada3b..1423e75 100644
--- a/ql/src/test/results/clientnegative/authorization_insert_noselectpriv.q.out
+++ b/ql/src/test/results/clientnegative/authorization_insert_noselectpriv.q.out
@@ -14,4 +14,4 @@ POSTHOOK: query: create table t2(i int)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: database:default
 POSTHOOK: Output: default@t2
-FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [SELECT]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] for operation QUERY : [SELECT]
diff --git a/ql/src/test/results/clientnegative/authorization_insertoverwrite_nodel.q.out b/ql/src/test/results/clientnegative/authorization_insertoverwrite_nodel.q.out
index fa0f7f7..458e65b 100644
--- a/ql/src/test/results/clientnegative/authorization_insertoverwrite_nodel.q.out
+++ b/ql/src/test/results/clientnegative/authorization_insertoverwrite_nodel.q.out
@@ -33,4 +33,4 @@ POSTHOOK: query: create table user1tab(i int)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: database:default
 POSTHOOK: Output: default@user1tab
-FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [DELETE]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] for operation QUERY : [DELETE]
diff --git a/ql/src/test/results/clientnegative/authorization_not_owner_alter_tab_rename.q.out b/ql/src/test/results/clientnegative/authorization_not_owner_alter_tab_rename.q.out
index 8a7f2d2..39642e3 100644
--- a/ql/src/test/results/clientnegative/authorization_not_owner_alter_tab_rename.q.out
+++ b/ql/src/test/results/clientnegative/authorization_not_owner_alter_tab_rename.q.out
@@ -7,4 +7,4 @@ create table t1(i int)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: database:default
 POSTHOOK: Output: default@t1
-FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [OBJECT OWNERSHIP]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] for operation ALTERTABLE_RENAME : [OBJECT OWNERSHIP]
diff --git a/ql/src/test/results/clientnegative/authorization_not_owner_alter_tab_serdeprop.q.out b/ql/src/test/results/clientnegative/authorization_not_owner_alter_tab_serdeprop.q.out
index 8a7f2d2..96df5a7 100644
--- a/ql/src/test/results/clientnegative/authorization_not_owner_alter_tab_serdeprop.q.out
+++ b/ql/src/test/results/clientnegative/authorization_not_owner_alter_tab_serdeprop.q.out
@@ -7,4 +7,4 @@ create table t1(i int)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: database:default
 POSTHOOK: Output: default@t1
-FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [OBJECT OWNERSHIP]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] for operation ALTERTABLE_SERDEPROPERTIES : [OBJECT OWNERSHIP]
diff --git a/ql/src/test/results/clientnegative/authorization_not_owner_drop_tab.q.out b/ql/src/test/results/clientnegative/authorization_not_owner_drop_tab.q.out
index 4378b12..bf22e89 100644
--- a/ql/src/test/results/clientnegative/authorization_not_owner_drop_tab.q.out
+++ b/ql/src/test/results/clientnegative/authorization_not_owner_drop_tab.q.out
@@ -7,4 +7,4 @@ create table t1(i int)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: database:default
 POSTHOOK: Output: default@t1
-FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [OBJECT OWNERSHIP]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] for operation DROPTABLE : [OBJECT OWNERSHIP]
diff --git a/ql/src/test/results/clientnegative/authorization_not_owner_drop_view.q.out b/ql/src/test/results/clientnegative/authorization_not_owner_drop_view.q.out
index 80378ac..acdc0f3 100644
--- a/ql/src/test/results/clientnegative/authorization_not_owner_drop_view.q.out
+++ b/ql/src/test/results/clientnegative/authorization_not_owner_drop_view.q.out
@@ -14,4 +14,4 @@ POSTHOOK: query: create view vt1 as select * from t1
 POSTHOOK: type: CREATEVIEW
 POSTHOOK: Input: default@t1
 POSTHOOK: Output: default@vt1
-FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.vt1] : [OBJECT OWNERSHIP]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.vt1] for operation DROPVIEW : [OBJECT OWNERSHIP]
diff --git a/ql/src/test/results/clientnegative/authorization_priv_current_role_neg.q.out b/ql/src/test/results/clientnegative/authorization_priv_current_role_neg.q.out
index a62b7b3..16927fd 100644
--- a/ql/src/test/results/clientnegative/authorization_priv_current_role_neg.q.out
+++ b/ql/src/test/results/clientnegative/authorization_priv_current_role_neg.q.out
@@ -76,4 +76,4 @@ PREHOOK: query: -- set role to public, should fail as role2 is not one of the cu
 grant all on table tpriv_current_role to user user5
 PREHOOK: type: GRANT_PRIVILEGE
 PREHOOK: Output: default@tpriv_current_role
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.tpriv_current_role] : [SELECT with grant, INSERT with grant, UPDATE with grant, DELETE with grant]
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.tpriv_current_role] for operation GRANT_PRIVILEGE : [SELECT with grant, INSERT with grant, UPDATE with grant, DELETE with grant]
diff --git a/ql/src/test/results/clientnegative/authorization_rolehierarchy_privs.q.out b/ql/src/test/results/clientnegative/authorization_rolehierarchy_privs.q.out
index 9f99d6f..0dcb653 100644
--- a/ql/src/test/results/clientnegative/authorization_rolehierarchy_privs.q.out
+++ b/ql/src/test/results/clientnegative/authorization_rolehierarchy_privs.q.out
@@ -206,4 +206,4 @@ role1
 role2
 role4
-FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [SELECT]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] for operation QUERY : [SELECT]
diff --git a/ql/src/test/results/clientnegative/authorization_select.q.out b/ql/src/test/results/clientnegative/authorization_select.q.out
index f8395b7..7854200 100644
--- a/ql/src/test/results/clientnegative/authorization_select.q.out
+++ b/ql/src/test/results/clientnegative/authorization_select.q.out
@@ -7,4 +7,4 @@ create table t1(i int)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: database:default
 POSTHOOK: Output: default@t1
-FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [SELECT]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] for operation QUERY : [SELECT]
diff --git a/ql/src/test/results/clientnegative/authorization_select_view.q.out b/ql/src/test/results/clientnegative/authorization_select_view.q.out
index f253870..9f1e07e 100644
--- a/ql/src/test/results/clientnegative/authorization_select_view.q.out
+++ b/ql/src/test/results/clientnegative/authorization_select_view.q.out
@@ -14,4 +14,4 @@ POSTHOOK: query: create view v1 as select * from t1
 POSTHOOK: type: CREATEVIEW
 POSTHOOK: Input: default@t1
 POSTHOOK: Output: default@v1
-FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.v1] : [SELECT]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.v1] for operation QUERY : [SELECT]
diff --git a/ql/src/test/results/clientnegative/authorization_show_parts_nosel.q.out b/ql/src/test/results/clientnegative/authorization_show_parts_nosel.q.out
index bd502d1..306fe2e 100644
--- a/ql/src/test/results/clientnegative/authorization_show_parts_nosel.q.out
+++ b/ql/src/test/results/clientnegative/authorization_show_parts_nosel.q.out
@@ -7,4 +7,4 @@ create table t_show_parts(i int) partitioned by (j string)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: database:default
 POSTHOOK: Output: default@t_show_parts
-FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t_show_parts] : [SELECT]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t_show_parts] for operation SHOWPARTITIONS : [SELECT]
diff --git a/ql/src/test/results/clientnegative/authorization_truncate.q.out b/ql/src/test/results/clientnegative/authorization_truncate.q.out
index 4d51bc4..3f19aa9 100644
--- a/ql/src/test/results/clientnegative/authorization_truncate.q.out
+++ b/ql/src/test/results/clientnegative/authorization_truncate.q.out
@@ -7,4 +7,4 @@ create table t1(i int, j int)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: database:default
 POSTHOOK: Output: default@t1
-FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] : [OBJECT OWNERSHIP]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user1, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.t1] for operation TRUNCATETABLE : [OBJECT OWNERSHIP]
diff --git a/ql/src/test/results/clientnegative/authorize_create_tbl.q.out b/ql/src/test/results/clientnegative/authorize_create_tbl.q.out
index ec75b1d..64ebd8b 100644
--- a/ql/src/test/results/clientnegative/authorize_create_tbl.q.out
+++ b/ql/src/test/results/clientnegative/authorize_create_tbl.q.out
@@ -6,4 +6,4 @@ PREHOOK: query: use db23221
 PREHOOK: type: SWITCHDATABASE
 POSTHOOK: query: use db23221
 POSTHOOK: type: SWITCHDATABASE
-FAILED: HiveAccessControlException Permission denied. Principal [name=user44, type=USER] does not have following privileges on Object [type=DATABASE, name=db23221] : [OBJECT OWNERSHIP]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user44, type=USER] does not have following privileges on Object [type=DATABASE, name=db23221] for operation CREATETABLE : [OBJECT OWNERSHIP]
diff --git a/ql/src/test/results/clientnegative/temp_table_authorize_create_tbl.q.out b/ql/src/test/results/clientnegative/temp_table_authorize_create_tbl.q.out
index ec75b1d..64ebd8b 100644
--- a/ql/src/test/results/clientnegative/temp_table_authorize_create_tbl.q.out
+++ b/ql/src/test/results/clientnegative/temp_table_authorize_create_tbl.q.out
@@ -6,4 +6,4 @@ PREHOOK: query: use db23221
 PREHOOK: type: SWITCHDATABASE
 POSTHOOK: query: use db23221
 POSTHOOK: type: SWITCHDATABASE
-FAILED: HiveAccessControlException Permission denied. Principal [name=user44, type=USER] does not have following privileges on Object [type=DATABASE, name=db23221] : [OBJECT OWNERSHIP]
+FAILED: HiveAccessControlException Permission denied. Principal [name=user44, type=USER] does not have following privileges on Object [type=DATABASE, name=db23221] for operation CREATETABLE : [OBJECT OWNERSHIP]
diff --git a/ql/src/test/results/clientpositive/authorization_admin_almighty2.q.out b/ql/src/test/results/clientpositive/authorization_admin_almighty2.q.out
new file mode 100644
index 0000000..1c8c3e3
--- /dev/null
+++ b/ql/src/test/results/clientpositive/authorization_admin_almighty2.q.out
@@ -0,0 +1,50 @@
+PREHOOK: query: -- test commands such as dfs,add,delete,compile allowed only by admin user, after following statement
+use default
+PREHOOK: type: SWITCHDATABASE
+POSTHOOK: query: -- test commands such as dfs,add,delete,compile allowed only by admin user, after following statement
+use default
+POSTHOOK: type: SWITCHDATABASE
+PREHOOK: query: set role admin
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role admin
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: create table a_table1(a int, b int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+POSTHOOK: query: create table a_table1(a int, b int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@a_table1
+PREHOOK: query: alter table a_table1 set serde 'org.apache.hadoop.hive.serde2.TestSerDe' with serdeproperties('s1'='9')
+PREHOOK: type: ALTERTABLE_SERIALIZER
+PREHOOK: Input: default@a_table1
+PREHOOK: Output: default@a_table1
+POSTHOOK: query: alter table a_table1 set serde 'org.apache.hadoop.hive.serde2.TestSerDe' with serdeproperties('s1'='9')
+POSTHOOK: type: ALTERTABLE_SERIALIZER
+POSTHOOK: Input: default@a_table1
+POSTHOOK: Output: default@a_table1
+PREHOOK: query: drop table a_table
+PREHOOK: type: DROPTABLE
+POSTHOOK: query: drop table a_table
+POSTHOOK: type: DROPTABLE
+PREHOOK: query: CREATE TEMPORARY FUNCTION Pyth as 'Pyth'
+PREHOOK: type: CREATEFUNCTION
+PREHOOK: Output: database:default
+POSTHOOK: query: CREATE TEMPORARY FUNCTION Pyth as 'Pyth'
+POSTHOOK: type: CREATEFUNCTION
+POSTHOOK: Output: database:default
+PREHOOK: query: SELECT Pyth(3,4) FROM src tablesample (1 rows)
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src
+#### A masked pattern was here ####
+POSTHOOK: query: SELECT Pyth(3,4) FROM src tablesample (1 rows)
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src
+#### A masked pattern was here ####
+5.0
+PREHOOK: query: DROP TEMPORARY FUNCTION Pyth
+PREHOOK: type: DROPFUNCTION
+PREHOOK: Output: database:default
+POSTHOOK: query: DROP TEMPORARY FUNCTION Pyth
+POSTHOOK: type: DROPFUNCTION
+POSTHOOK: Output: database:default
diff --git a/ql/src/test/results/clientpositive/authorization_reset.q.out b/ql/src/test/results/clientpositive/authorization_reset.q.out
new file mode 100644
index 0000000..57b6024
--- /dev/null
+++ b/ql/src/test/results/clientpositive/authorization_reset.q.out
@@ -0,0 +1,2 @@
+hive.metastore.server.min.threads=101
+hive.metastore.server.min.threads=200