diff --git a/conf/hive-default.xml.template b/conf/hive-default.xml.template index 653f5cc..ba922d0 100644 --- a/conf/hive-default.xml.template +++ b/conf/hive-default.xml.template @@ -1711,6 +1711,11 @@ + hive.optimize.null.scan + true + Dont scan relations which are guaranteed to not generate any rows + + hive.optimize.ppd.storage true Whether to push predicates down to storage handlers diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/jdbc/TestJdbcDriver.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/jdbc/TestJdbcDriver.java index e8daad6..fa8c43b 100644 --- a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/jdbc/TestJdbcDriver.java +++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/jdbc/TestJdbcDriver.java @@ -18,8 +18,8 @@ package org.apache.hadoop.hive.jdbc; -import static org.apache.hadoop.hive.ql.exec.ExplainTask.EXPL_COLUMN_NAME; import static org.apache.hadoop.hive.conf.SystemVariables.SET_COLUMN_NAME; +import static org.apache.hadoop.hive.ql.exec.ExplainTask.EXPL_COLUMN_NAME; import java.sql.Connection; import java.sql.DatabaseMetaData; @@ -1158,7 +1158,7 @@ public void testShowGrant() throws SQLException { assertEquals("", res.getString(4)); // column assertEquals("hive_test_user", res.getString(5)); assertEquals("USER", res.getString(6)); - assertEquals("Select", res.getString(7)); + assertEquals("SELECT", res.getString(7)); assertEquals(false, res.getBoolean(8)); // grant option assertEquals(-1, res.getLong(9)); assertNotNull(res.getString(10)); // grantor diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java index 9388a09..526f3dc 100644 --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java 
@@ -18,8 +18,8 @@ package org.apache.hive.jdbc; -import static org.apache.hadoop.hive.ql.exec.ExplainTask.EXPL_COLUMN_NAME; import static org.apache.hadoop.hive.conf.SystemVariables.SET_COLUMN_NAME; +import static org.apache.hadoop.hive.ql.exec.ExplainTask.EXPL_COLUMN_NAME; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNotNull; @@ -53,7 +53,6 @@ import org.apache.hadoop.hive.metastore.TableType; import org.apache.hadoop.hive.ql.exec.UDF; import org.apache.hadoop.hive.ql.processors.DfsProcessor; -import org.apache.hadoop.hive.ql.processors.SetProcessor; import org.apache.hive.common.util.HiveVersionInfo; import org.apache.hive.jdbc.Utils.JdbcConnectionParams; import org.apache.hive.service.cli.operation.ClassicTableTypeMapping; @@ -1997,7 +1996,7 @@ public void testShowGrant() throws SQLException { assertEquals("", res.getString(4)); // column assertEquals("hive_test_user", res.getString(5)); assertEquals("USER", res.getString(6)); - assertEquals("Select", res.getString(7)); + assertEquals("SELECT", res.getString(7)); assertEquals(false, res.getBoolean(8)); // grant option assertEquals(-1, res.getLong(9)); assertNotNull(res.getString(10)); // grantor diff --git a/metastore/src/java/org/apache/hadoop/hive/metastore/Warehouse.java b/metastore/src/java/org/apache/hadoop/hive/metastore/Warehouse.java index 82b871b..74b1432 100755 --- a/metastore/src/java/org/apache/hadoop/hive/metastore/Warehouse.java +++ b/metastore/src/java/org/apache/hadoop/hive/metastore/Warehouse.java 
@@ -89,8 +89,7 @@ private MetaStoreFS getMetaStoreFsHandler(Configuration conf) try { Class handlerClass = (Class) Class .forName(handlerClassStr, true, JavaUtils.getClassLoader()); - MetaStoreFS handler = (MetaStoreFS) ReflectionUtils.newInstance( - handlerClass, conf); + MetaStoreFS handler = ReflectionUtils.newInstance(handlerClass, conf); return handler; } catch (ClassNotFoundException e) { throw new MetaException("Error in loading MetaStoreFS handler." @@ -563,4 +562,12 @@ public static String makePartName(List partCols, return values; } + public static Map makeSpecFromValues(List partCols, + List values) { + Map spec = new LinkedHashMap(); + for (int i = 0; i < values.size(); i++) { + spec.put(partCols.get(i).getName(), values.get(i)); + } + return spec; + } } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/ErrorMsg.java b/ql/src/java/org/apache/hadoop/hive/ql/ErrorMsg.java index 9889cfe..4246d68 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/ErrorMsg.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/ErrorMsg.java 
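Review bot: `makeSpecFromValues` calls `partCols.get(i)` for every `i < values.size()` without comparing the two list sizes, so a `values` list longer than `partCols` ends in an `IndexOutOfBoundsException`, while a shorter one quietly produces a partial spec. If partial specs are intended, only the first case needs a guard, e.g. `if (values.size() > partCols.size()) { throw new IllegalArgumentException("more partition values than partition columns"); }`. The method is public and static but has no Javadoc; it should say that entries follow `partCols` order (the `LinkedHashMap` keeps it) and what happens when the sizes differ.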
@@ -371,10 +371,14 @@ INVALID_DIR(10252, "{0} is not a directory", true), NO_VALID_LOCATIONS(10253, "Could not find any valid location to place the jars. " + "Please update hive.jar.directory or hive.user.install.directory with a valid location", false), - UNNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP(10254, + UNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP(10254, "Principal type GROUP is not supported in this authorization setting", "28000"), INVALID_TABLE_NAME(10255, "Invalid table name {0}", true), INSERT_INTO_IMMUTABLE_TABLE(10256, "Inserting into a non-empty immutable table is not allowed"), + UNSUPPORTED_AUTHORIZATION_RESOURCE_TYPE_GLOBAL(10257, + "Resource type GLOBAL is not supported in this authorization setting", "28000"), + UNSUPPORTED_AUTHORIZATION_RESOURCE_TYPE_COLUMN(10258, + "Resource type COLUMN is not supported in this authorization setting", "28000"), TXNMGR_NOT_SPECIFIED(10260, "Transaction manager not specified correctly, " + "set hive.txn.manager"), diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java index 40ec4e5..c80a2a3 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java 
@@ -66,17 +66,12 @@ import org.apache.hadoop.hive.metastore.api.Database; import org.apache.hadoop.hive.metastore.api.FieldSchema; import org.apache.hadoop.hive.metastore.api.GetOpenTxnsInfoResponse; -import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege; -import org.apache.hadoop.hive.metastore.api.HiveObjectRef; -import org.apache.hadoop.hive.metastore.api.HiveObjectType; import org.apache.hadoop.hive.metastore.api.Index; import org.apache.hadoop.hive.metastore.api.InvalidOperationException; import org.apache.hadoop.hive.metastore.api.MetaException; import org.apache.hadoop.hive.metastore.api.NoSuchObjectException; import org.apache.hadoop.hive.metastore.api.Order; import org.apache.hadoop.hive.metastore.api.PrincipalType; -import org.apache.hadoop.hive.metastore.api.PrivilegeBag; -import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo; import org.apache.hadoop.hive.metastore.api.RolePrincipalGrant; import org.apache.hadoop.hive.metastore.api.SerDeInfo; import org.apache.hadoop.hive.metastore.api.ShowCompactResponse; 
@@ -169,15 +164,13 @@ import org.apache.hadoop.hive.ql.plan.UnlockTableDesc; import org.apache.hadoop.hive.ql.plan.api.StageType; import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils; -import org.apache.hadoop.hive.ql.security.authorization.Privilege; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveV1Authorizer; import org.apache.hadoop.hive.ql.session.SessionState; import org.apache.hadoop.hive.serde.serdeConstants; import org.apache.hadoop.hive.serde2.Deserializer; @@ -493,14 +486,21 @@ public int execute(DriverContext driverContext) { return exchangeTablePartition(db, alterTableExchangePartition); } } catch (Throwable e) { - setException(e); - LOG.error(stringifyException(e)); + failed(e); return 1; } assert false; return 0; } + private void failed(Throwable e) { + while (e.getCause() != null && e.getClass() == RuntimeException.class) { + e = e.getCause(); + } + setException(e); + LOG.error(stringifyException(e)); + } + private int showConf(Hive db, ShowConfDesc showConf) throws Exception { ConfVars conf = HiveConf.getConfVars(showConf.getConfName()); if (conf == null) { 
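Review bot: `failed(Throwable e)` overwrites `e` with its cause before both `setException` and `LOG.error`, so the message and stack frames of every peeled `RuntimeException` wrapper never reach the log. This task also carries the grant/revoke paths changed further down, and the log is where an operator starts when one of those fails, so keep the original for logging: `Throwable original = e;` before the loop and `LOG.error(stringifyException(original));` after it. A one-line comment should also state that only exact `RuntimeException` wrappers are unwrapped, because `e.getClass() == RuntimeException.class` is easy to misread as an `instanceof` test. `execute` starts outside this hunk.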
@@ -564,187 +564,46 @@ private int mergeFiles(Hive db, AlterTablePartMergeFilesDesc mergeFilesDesc) return ret; } - private int grantOrRevokeRole(GrantRevokeRoleDDL grantOrRevokeRoleDDL) - throws HiveException { - try { - boolean grantRole = grantOrRevokeRoleDDL.getGrant(); - List principals = grantOrRevokeRoleDDL.getPrincipalDesc(); - List roles = grantOrRevokeRoleDDL.getRoles(); - - if(SessionState.get().isAuthorizationModeV2()){ - return grantOrRevokeRoleV2(grantOrRevokeRoleDDL); - } - - for (PrincipalDesc principal : principals) { - String userName = principal.getName(); - for (String roleName : roles) { - if (grantRole) { - db.grantRole(roleName, userName, principal.getType(), - grantOrRevokeRoleDDL.getGrantor(), grantOrRevokeRoleDDL - .getGrantorType(), grantOrRevokeRoleDDL.isGrantOption()); - } else { - db.revokeRole(roleName, userName, principal.getType(), - grantOrRevokeRoleDDL.isGrantOption()); - } - } - } - } catch (Exception e) { - throw new HiveException(e); + private HiveAuthorizer getSessionAuthorizer() { + HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); + if (authorizer == null) { + authorizer = new HiveV1Authorizer(conf, db); } - return 0; + return authorizer; } - private int grantOrRevokeRoleV2(GrantRevokeRoleDDL grantOrRevokeRoleDDL) throws HiveException { - HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); + private int grantOrRevokeRole(GrantRevokeRoleDDL grantOrRevokeRoleDDL) + throws HiveException { + HiveAuthorizer authorizer = getSessionAuthorizer(); //convert to the types needed for plugin api HivePrincipal grantorPrinc = null; if(grantOrRevokeRoleDDL.getGrantor() != null){ grantorPrinc = new HivePrincipal(grantOrRevokeRoleDDL.getGrantor(), - getHivePrincipalType(grantOrRevokeRoleDDL.getGrantorType())); + AuthorizationUtils.getHivePrincipalType(grantOrRevokeRoleDDL.getGrantorType())); } - List hivePrincipals = getHivePrincipals(grantOrRevokeRoleDDL.getPrincipalDesc()); + List principals = + 
AuthorizationUtils.getHivePrincipals(grantOrRevokeRoleDDL.getPrincipalDesc()); List roles = grantOrRevokeRoleDDL.getRoles(); - if(grantOrRevokeRoleDDL.getGrant()){ - authorizer.grantRole(hivePrincipals, roles, - grantOrRevokeRoleDDL.isGrantOption(), grantorPrinc); - } - else{ - authorizer.revokeRole(hivePrincipals, roles, - grantOrRevokeRoleDDL.isGrantOption(), grantorPrinc); + boolean grantOption = grantOrRevokeRoleDDL.isGrantOption(); + if (grantOrRevokeRoleDDL.getGrant()) { + authorizer.grantRole(principals, roles, grantOption, grantorPrinc); + } else { + authorizer.revokeRole(principals, roles, grantOption, grantorPrinc); } return 0; } private int showGrants(ShowGrantDesc showGrantDesc) throws HiveException { - if(SessionState.get().isAuthorizationModeV2()){ - return showGrantsV2(showGrantDesc); - } - - PrincipalDesc principalDesc = showGrantDesc.getPrincipalDesc(); - PrivilegeObjectDesc hiveObjectDesc = showGrantDesc.getHiveObj(); - String principalName = principalDesc == null ? null : principalDesc.getName(); - PrincipalType type = principalDesc == null ? 
null : principalDesc.getType(); - List privs = new ArrayList(); - try { - if (hiveObjectDesc == null) { - privs.addAll(db.showPrivilegeGrant(HiveObjectType.GLOBAL, principalName, type, - null, null, null, null)); - } else if (hiveObjectDesc != null && hiveObjectDesc.getObject() == null) { - privs.addAll(db.showPrivilegeGrant(null, principalName, type, null, null, null, null)); - } else { - String obj = hiveObjectDesc.getObject(); - boolean notFound = true; - String dbName = null; - String tableName = null; - Table tableObj = null; - Database dbObj = null; - - if (hiveObjectDesc.getTable()) { - String[] dbTab = splitTableName(obj); - dbName = dbTab[0]; - tableName = dbTab[1]; - dbObj = db.getDatabase(dbName); - tableObj = db.getTable(dbName, tableName); - notFound = (dbObj == null || tableObj == null); - } else { - dbName = hiveObjectDesc.getObject(); - dbObj = db.getDatabase(dbName); - notFound = (dbObj == null); - } - if (notFound) { - throw new HiveException(obj + " can not be found"); - } - - String partName = null; - List partValues = null; - if (hiveObjectDesc.getPartSpec() != null) { - partName = Warehouse - .makePartName(hiveObjectDesc.getPartSpec(), false); - partValues = Warehouse.getPartValuesFromPartName(partName); - } - - if (!hiveObjectDesc.getTable()) { - // show database level privileges - privs.addAll(db.showPrivilegeGrant(HiveObjectType.DATABASE, - principalName, type, dbName, null, null, null)); - } else { - if (showGrantDesc.getColumns() != null) { - // show column level privileges - for (String columnName : showGrantDesc.getColumns()) { - privs.addAll(db.showPrivilegeGrant( - HiveObjectType.COLUMN, principalName, - type, dbName, tableName, partValues, - columnName)); - } - } else if (hiveObjectDesc.getPartSpec() != null) { - // show partition level privileges - privs.addAll(db.showPrivilegeGrant( - HiveObjectType.PARTITION, principalName, type, - dbName, tableName, partValues, null)); - } else { - // show table level privileges - 
privs.addAll(db.showPrivilegeGrant( - HiveObjectType.TABLE, principalName, type, - dbName, tableName, null, null)); - } - } - } - boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); - writeToFile(writeGrantInfo(privs, testMode), showGrantDesc.getResFile()); - } catch (FileNotFoundException e) { - LOG.info("show table status: " + stringifyException(e)); - return 1; - } catch (IOException e) { - LOG.info("show table status: " + stringifyException(e)); - return 1; - } catch (Exception e) { - e.printStackTrace(); - throw new HiveException(e); - } - return 0; - } - - private static String[] splitTableName(String fullName) { - String[] dbTab = fullName.split("\\."); - String[] result = new String[2]; - if (dbTab.length == 2) { - result[0] = dbTab[0]; - result[1] = dbTab[1]; - } else { - result[0] = SessionState.get().getCurrentDatabase(); - result[1] = fullName; - } - return result; - } - - private int showGrantsV2(ShowGrantDesc showGrantDesc) throws HiveException { - HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); + HiveAuthorizer authorizer = getSessionAuthorizer(); try { List privInfos = authorizer.showPrivileges( - getHivePrincipal(showGrantDesc.getPrincipalDesc()), - getHivePrivilegeObject(showGrantDesc.getHiveObj()) - ); - List privList = new ArrayList(); - for(HivePrivilegeInfo privInfo : privInfos){ - HivePrincipal principal = privInfo.getPrincipal(); - HivePrivilegeObject privObj = privInfo.getObject(); - HivePrivilege priv = privInfo.getPrivilege(); - - PrivilegeGrantInfo grantInfo = - AuthorizationUtils.getThriftPrivilegeGrantInfo(priv, privInfo.getGrantorPrincipal(), - privInfo.isGrantOption(), privInfo.getGrantTime()); - - //only grantInfo is used - HiveObjectPrivilege thriftObjectPriv = new HiveObjectPrivilege(new HiveObjectRef( - AuthorizationUtils.getThriftHiveObjType(privObj.getType()),privObj.getDbname(), - privObj.getTableViewURI(),null,null), principal.getName(), - 
AuthorizationUtils.getThriftPrincipalType(principal.getType()), grantInfo); - privList.add(thriftObjectPriv); - } + AuthorizationUtils.getHivePrincipal(showGrantDesc.getPrincipalDesc()), + AuthorizationUtils.getHivePrivilegeObject(showGrantDesc.getHiveObj(), + showGrantDesc.getColumns())); boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); - writeToFile(writeGrantInfo(privList, testMode), showGrantDesc.getResFile()); + writeToFile(writeGrantInfo(privInfos, testMode), showGrantDesc.getResFile()); } catch (IOException e) { throw new HiveException("Error in show grant statement", e); } 
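Review bot: `getSessionAuthorizer()` treats a null `getAuthorizerV2()` as "use V1" and silently builds a `HiveV1Authorizer`, whereas the removed code chose the path from `SessionState.get().isAuthorizationModeV2()`. If the V2 authorizer can be null while the session is configured for V2 (not visible in this hunk), `grantOrRevokeRole` and `showGrants` here, and `grantOrRevokePrivileges` and `roleDDL` in the later hunks, would run under the legacy model instead of failing. Consider failing closed inside the null branch with `if (SessionState.get().isAuthorizationModeV2()) { throw new IllegalStateException("V2 authorizer not initialized"); }` before the fallback. A short comment on the helper should record that the V1 adapter is created per call and why the fallback is safe.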
@@ -756,156 +615,15 @@ private int grantOrRevokePrivileges(List principals, String grantor, PrincipalType grantorType, boolean grantOption, boolean isGrant) throws HiveException { - if(SessionState.get().isAuthorizationModeV2()){ - return grantOrRevokePrivilegesV2(principals, privileges, privSubjectDesc, grantor, - grantorType, grantOption, isGrant); - } - - if (privileges == null || privileges.size() == 0) { - console.printError("No privilege found."); - return 1; - } - - String dbName = null; - String tableName = null; - Table tableObj = null; - Database dbObj = null; - - try { - - if (privSubjectDesc != null) { - if (privSubjectDesc.getPartSpec() != null && isGrant) { - throw new HiveException("Grant does not support partition level."); - } - String obj = privSubjectDesc.getObject(); - - //get the db, table objects - if (privSubjectDesc.getTable()) { - String[] dbTable = Utilities.getDbTableName(obj); - dbName = dbTable[0]; - tableName = dbTable[1]; - - dbObj = db.getDatabase(dbName); - if (dbObj == null) { - throwNotFound("Database", dbName); - } - tableObj = db.getTable(dbName, tableName); - if (tableObj == null) { - throwNotFound("Table", obj); - } - } else { - dbName = privSubjectDesc.getObject(); - dbObj = db.getDatabase(dbName); - if (dbObj == null) { - throwNotFound("Database", dbName); - } - } - } - - PrivilegeBag privBag = new PrivilegeBag(); - if (privSubjectDesc == null) { - for (int idx = 0; idx < privileges.size(); idx++) { - Privilege priv = privileges.get(idx).getPrivilege(); - if (privileges.get(idx).getColumns() != null - && privileges.get(idx).getColumns().size() > 0) { - throw new HiveException( - "For user-level privileges, column sets should be null. 
columns=" - + privileges.get(idx).getColumns().toString()); - } - - privBag.addToPrivileges(new HiveObjectPrivilege(new HiveObjectRef( - HiveObjectType.GLOBAL, null, null, null, null), null, null, - new PrivilegeGrantInfo(priv.toString(), 0, grantor, grantorType, - grantOption))); - } - } else { - org.apache.hadoop.hive.metastore.api.Partition partObj = null; - List partValues = null; - if (tableObj != null) { - if ((!tableObj.isPartitioned()) - && privSubjectDesc.getPartSpec() != null) { - throw new HiveException( - "Table is not partitioned, but partition name is present: partSpec=" - + privSubjectDesc.getPartSpec().toString()); - } - - if (privSubjectDesc.getPartSpec() != null) { - partObj = db.getPartition(tableObj, privSubjectDesc.getPartSpec(), - false).getTPartition(); - partValues = partObj.getValues(); - } - } - - for (PrivilegeDesc privDesc : privileges) { - List columns = privDesc.getColumns(); - Privilege priv = privDesc.getPrivilege(); - if (columns != null && columns.size() > 0) { - if (!priv.supportColumnLevel()) { - throw new HiveException(priv.toString() - + " does not support column level."); - } - if (privSubjectDesc == null || tableName == null) { - throw new HiveException( - "For user-level/database-level privileges, column sets should be null. 
columns=" - + columns); - } - for (int i = 0; i < columns.size(); i++) { - privBag.addToPrivileges(new HiveObjectPrivilege( - new HiveObjectRef(HiveObjectType.COLUMN, dbName, tableName, - partValues, columns.get(i)), null, null, new PrivilegeGrantInfo(priv.toString(), 0, grantor, grantorType, grantOption))); - } - } else { - if (privSubjectDesc.getTable()) { - if (privSubjectDesc.getPartSpec() != null) { - privBag.addToPrivileges(new HiveObjectPrivilege( - new HiveObjectRef(HiveObjectType.PARTITION, dbName, - tableName, partValues, null), null, null, new PrivilegeGrantInfo(priv.toString(), 0, grantor, grantorType, grantOption))); - } else { - privBag - .addToPrivileges(new HiveObjectPrivilege( - new HiveObjectRef(HiveObjectType.TABLE, dbName, - tableName, null, null), null, null, new PrivilegeGrantInfo(priv.toString(), 0, grantor, grantorType, grantOption))); - } - } else { - privBag.addToPrivileges(new HiveObjectPrivilege( - new HiveObjectRef(HiveObjectType.DATABASE, dbName, null, - null, null), null, null, new PrivilegeGrantInfo(priv.toString(), 0, grantor, grantorType, grantOption))); - } - } - } - } - - for (PrincipalDesc principal : principals) { - for (int i = 0; i < privBag.getPrivileges().size(); i++) { - HiveObjectPrivilege objPrivs = privBag.getPrivileges().get(i); - objPrivs.setPrincipalName(principal.getName()); - objPrivs.setPrincipalType(principal.getType()); - } - if (isGrant) { - db.grantPrivileges(privBag); - } else { - db.revokePrivileges(privBag, grantOption); - } - - } - } catch (Exception e) { - console.printError("Error: " + e.getMessage()); - return 1; - } - - return 0; - } - - private int grantOrRevokePrivilegesV2(List principals, - List privileges, PrivilegeObjectDesc privSubjectDesc, String grantor, - PrincipalType grantorType, boolean grantOption, boolean isGrant) throws HiveException { - HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); + HiveAuthorizer authorizer = getSessionAuthorizer(); //Convert to object types used 
by the authorization plugin interface - List hivePrincipals = getHivePrincipals(principals); - List hivePrivileges = getHivePrivileges(privileges); - HivePrivilegeObject hivePrivObject = getHivePrivilegeObject(privSubjectDesc); - HivePrincipal grantorPrincipal = new HivePrincipal(grantor, getHivePrincipalType(grantorType)); + List hivePrincipals = AuthorizationUtils.getHivePrincipals(principals); + List hivePrivileges = AuthorizationUtils.getHivePrivileges(privileges); + HivePrivilegeObject hivePrivObject = AuthorizationUtils.getHivePrivilegeObject(privSubjectDesc, null); + + HivePrincipal grantorPrincipal = new HivePrincipal( + grantor, AuthorizationUtils.getHivePrincipalType(grantorType)); if(isGrant){ authorizer.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject, 
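Review bot: The removed V1 branch rejected a null or empty `privileges` list ("No privilege found."), partition-level grants, and column sets on user- or database-level grants before anything reached the metastore; the unified path passes `privileges` and `privSubjectDesc` straight to `AuthorizationUtils`. Whether `HiveV1Authorizer` repeats those checks is not visible here, so either confirm that it does or keep a guard at the top, e.g. `if (privileges == null || privileges.isEmpty()) { throw new HiveException("No privilege found."); }`. The literal `null` in `getHivePrivilegeObject(privSubjectDesc, null)` also needs a comment saying that columns travel on each `HivePrivilege` (as `getHivePrivileges` appears to do), not on the object. The method starts and ends outside this hunk.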
@@ -918,123 +636,8 @@ private int grantOrRevokePrivilegesV2(List principals, return 0; } - private HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc) - throws HiveException { - if(privSubjectDesc == null){ - return new HivePrivilegeObject(null, null, null); - } - String [] dbTable = Utilities.getDbTableName(privSubjectDesc.getObject()); - return new HivePrivilegeObject(getPrivObjectType(privSubjectDesc), dbTable[0], dbTable[1]); - } - - private HivePrincipalType getHivePrincipalType(PrincipalType type) throws HiveException { - if(type == null){ - return null; - } - - switch(type){ - case USER: - return HivePrincipalType.USER; - case ROLE: - return HivePrincipalType.ROLE; - case GROUP: - throw new HiveException(ErrorMsg.UNNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP); - default: - //should not happen as we take care of all existing types - throw new AssertionError("Unsupported authorization type specified"); - } - } - - private HivePrivilegeObjectType getPrivObjectType(PrivilegeObjectDesc privSubjectDesc) { - if (privSubjectDesc.getObject() == null) { - return null; - } - return privSubjectDesc.getTable() ? 
HivePrivilegeObjectType.TABLE_OR_VIEW : HivePrivilegeObjectType.DATABASE; - } - - private List getHivePrivileges(List privileges) { - List hivePrivileges = new ArrayList(); - for(PrivilegeDesc privilege : privileges){ - hivePrivileges.add( - new HivePrivilege(privilege.getPrivilege().toString(), privilege.getColumns())); - } - return hivePrivileges; - } - - private List getHivePrincipals(List principals) throws HiveException { - ArrayList hivePrincipals = new ArrayList(); - for(PrincipalDesc principal : principals){ - hivePrincipals.add(getHivePrincipal(principal)); - } - return hivePrincipals; - } - - private HivePrincipal getHivePrincipal(PrincipalDesc principal) throws HiveException { - if (principal == null) { - return null; - } - return new HivePrincipal(principal.getName(), - AuthorizationUtils.getHivePrincipalType(principal.getType())); - } - - private void throwNotFound(String objType, String objName) throws HiveException { - throw new HiveException(objType + " " + objName + " not found"); - } - - private int roleDDL(RoleDDLDesc roleDDLDesc) throws HiveException, IOException { - if(SessionState.get().isAuthorizationModeV2()){ - return roleDDLV2(roleDDLDesc); - } - - DataOutputStream outStream = null; - RoleDDLDesc.RoleOperation operation = roleDDLDesc.getOperation(); - try { - if (operation.equals(RoleDDLDesc.RoleOperation.CREATE_ROLE)) { - db.createRole(roleDDLDesc.getName(), roleDDLDesc.getRoleOwnerName()); - } else if (operation.equals(RoleDDLDesc.RoleOperation.DROP_ROLE)) { - db.dropRole(roleDDLDesc.getName()); - } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLE_GRANT)) { - boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); - List roleGrants = db.getRoleGrantInfoForPrincipal(roleDDLDesc.getName(), roleDDLDesc.getPrincipalType()); - writeToFile(writeRoleGrantsInfo(roleGrants, testMode), roleDDLDesc.getResFile()); - } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLES)) { - List roleNames = db.getAllRoleNames(); 
- //sort the list to get sorted (deterministic) output (for ease of testing) - Collections.sort(roleNames); - Path resFile = new Path(roleDDLDesc.getResFile()); - FileSystem fs = resFile.getFileSystem(conf); - outStream = fs.create(resFile); - for (String roleName : roleNames) { - outStream.writeBytes(roleName); - outStream.write(terminator); - } - outStream.close(); - outStream = null; - } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLE_PRINCIPALS)) { - throw new HiveException("Show role principals is not currently supported in " - + "authorization mode V1"); - } - else { - throw new HiveException("Unkown role operation " - + operation.getOperationName()); - } - } catch (HiveException e) { - console.printError("Error in role operation " - + operation.getOperationName() + " on role name " - + roleDDLDesc.getName() + ", error message " + e.getMessage()); - return 1; - } catch (IOException e) { - LOG.info("role ddl exception: " + stringifyException(e)); - return 1; - } finally { - IOUtils.closeStream(outStream); - } - - return 0; - } - - private int roleDDLV2(RoleDDLDesc roleDDLDesc) throws HiveException, IOException { - HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); + private int roleDDL(RoleDDLDesc roleDDLDesc) throws Exception { + HiveAuthorizer authorizer = getSessionAuthorizer(); RoleDDLDesc.RoleOperation operation = roleDDLDesc.getOperation(); //call the appropriate hive authorizer function switch(operation){ 
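Review bot: `roleDDL` now declares `throws Exception` where it used to declare `throws HiveException, IOException`, which hides from readers which checked failures the role operations can raise. Unless a call inside the switch needs the wider type (the body continues outside this hunk), keep the narrow clause: `private int roleDDL(RoleDDLDesc roleDDLDesc) throws HiveException, IOException {`. The removed V1 branch also rejected SHOW_ROLE_PRINCIPALS explicitly as unsupported in authorization mode V1; it is worth confirming that `HiveV1Authorizer` still reports that case as an error.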
@@ -1047,7 +650,7 @@ private int roleDDLV2(RoleDDLDesc roleDDLDesc) throws HiveException, IOException case SHOW_ROLE_GRANT: boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST); List roles = authorizer.getRoleGrantInfoForPrincipal( - new HivePrincipal(roleDDLDesc.getName(), getHivePrincipalType(roleDDLDesc.getPrincipalType()))); + AuthorizationUtils.getHivePrincipal(roleDDLDesc.getName(), roleDDLDesc.getPrincipalType())); writeToFile(writeRolesGrantedInfo(roles, testMode), roleDDLDesc.getResFile()); break; case SHOW_ROLES: @@ -2802,7 +2405,7 @@ public int compare(HiveLock o1, HiveLock o2) { LOG.warn("show function: " + stringifyException(e)); return 1; } catch (Exception e) { - throw new HiveException(e.toString()); + throw new HiveException(e.toString(), e); } finally { IOUtils.closeStream(outStream); } @@ -3491,7 +3094,7 @@ private int describeTable(Hive db, DescTableDesc descTbl) throws HiveException { // when column name is specified in describe table DDL, colPath will // will be table_name.column_name String colName = colPath.split("\\.")[1]; - String[] dbTab = splitTableName(tableName); + String[] dbTab = Utilities.getDbTableName(tableName); List colNames = new ArrayList(); colNames.add(colName.toLowerCase()); if (null == part) { 
@@ -3541,28 +3144,41 @@ private static void fixDecimalColumnTypeName(List cols) { } } - static String writeGrantInfo(List privileges, boolean testMode) { + static String writeGrantInfo(List privileges, boolean testMode) { if (privileges == null || privileges.isEmpty()) { return ""; } StringBuilder builder = new StringBuilder(); //sort the list to get sorted (deterministic) output (for ease of testing) - Collections.sort(privileges); - - for (HiveObjectPrivilege privilege : privileges) { - HiveObjectRef resource = privilege.getHiveObject(); - PrivilegeGrantInfo grantInfo = privilege.getGrantInfo(); - - appendNonNull(builder, resource.getDbName(), true); - appendNonNull(builder, resource.getObjectName()); - appendNonNull(builder, resource.getPartValues()); - appendNonNull(builder, resource.getColumnName()); - appendNonNull(builder, privilege.getPrincipalName()); - appendNonNull(builder, privilege.getPrincipalType()); - appendNonNull(builder, grantInfo.getPrivilege()); - appendNonNull(builder, grantInfo.isGrantOption()); - appendNonNull(builder, testMode ? 
-1 : grantInfo.getCreateTime() * 1000L); - appendNonNull(builder, grantInfo.getGrantor()); + Collections.sort(privileges, new Comparator() { + @Override + public int compare(HivePrivilegeInfo o1, HivePrivilegeInfo o2) { + int compare = o1.getObject().compareTo(o2.getObject()); + if (compare == 0) { + compare = o1.getPrincipal().compareTo(o2.getPrincipal()); + } + if (compare == 0) { + compare = o1.getPrivilege().compareTo(o2.getPrivilege()); + } + return compare; + } + }); + + for (HivePrivilegeInfo privilege : privileges) { + HivePrincipal principal = privilege.getPrincipal(); + HivePrivilegeObject resource = privilege.getObject(); + HivePrincipal grantor = privilege.getGrantorPrincipal(); + + appendNonNull(builder, resource.getDbname(), true); + appendNonNull(builder, resource.getTableViewURI()); + appendNonNull(builder, resource.getPartKeys()); + appendNonNull(builder, resource.getColumns()); + appendNonNull(builder, principal.getName()); + appendNonNull(builder, principal.getType()); + appendNonNull(builder, privilege.getPrivilege().getName()); + appendNonNull(builder, privilege.isGrantOption()); + appendNonNull(builder, testMode ? -1 : privilege.getGrantTime() * 1000L); + appendNonNull(builder, grantor.getName()); } return builder.toString(); } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/metadata/SessionHiveMetaStoreClient.java b/ql/src/java/org/apache/hadoop/hive/ql/metadata/SessionHiveMetaStoreClient.java index 37b1669..d258bc6 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/metadata/SessionHiveMetaStoreClient.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/metadata/SessionHiveMetaStoreClient.java 
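Review bot: `grantor.getName()` in the last `appendNonNull` call dereferences `privilege.getGrantorPrincipal()` without a null check, whereas the replaced line handed `grantInfo.getGrantor()` to `appendNonNull` as a plain value. If an authorizer returns a `HivePrivilegeInfo` with no grantor (nothing in this hunk rules that out), SHOW GRANT fails with a `NullPointerException`. `appendNonNull(builder, grantor == null ? null : grantor.getName());` keeps the old tolerance, assuming `appendNonNull` accepts null as its name suggests. The comparator has the same exposure on `getObject()` and `getPrincipal()`, and `Collections.sort` reorders the authorizer's returned list in place, which deserves a comment.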
@@ -12,10 +12,7 @@ import java.util.regex.Pattern; import org.apache.hadoop.fs.Path; -import org.apache.hadoop.fs.FileSystem; -import org.apache.hadoop.hive.common.FileUtils; -import org.apache.hadoop.hive.conf.HiveConf;; -import org.apache.hadoop.hive.metastore.HiveMetaHook; +import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.metastore.HiveMetaHookLoader; import org.apache.hadoop.hive.metastore.HiveMetaStoreClient; import org.apache.hadoop.hive.metastore.IMetaStoreClient; diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java index 604c39d..e86442a 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java 
@@ -18,22 +18,32 @@ package org.apache.hadoop.hive.ql.security.authorization; import org.apache.hadoop.classification.InterfaceAudience.LimitedPrivate; +import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege; import org.apache.hadoop.hive.metastore.api.HiveObjectRef; import org.apache.hadoop.hive.metastore.api.HiveObjectType; import org.apache.hadoop.hive.metastore.api.PrincipalType; import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo; import org.apache.hadoop.hive.ql.ErrorMsg; import org.apache.hadoop.hive.ql.hooks.Entity; +import org.apache.hadoop.hive.ql.exec.Utilities; import org.apache.hadoop.hive.ql.hooks.Entity.Type; import org.apache.hadoop.hive.ql.hooks.WriteEntity; import org.apache.hadoop.hive.ql.hooks.WriteEntity.WriteType; import org.apache.hadoop.hive.ql.metadata.HiveException; +import org.apache.hadoop.hive.ql.plan.PrincipalDesc; +import org.apache.hadoop.hive.ql.plan.PrivilegeDesc; +import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivObjectActionType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; +import org.apache.hadoop.hive.ql.session.SessionState; + +import java.util.ArrayList; +import java.util.List; /** * Utility code shared by hive internal code and sql standard authorization plugin implementation 
@@ -48,13 +58,19 @@ * @throws HiveException */ public static HivePrincipalType getHivePrincipalType(PrincipalType type) throws HiveException { + if (type == null) { + return null; + } switch(type){ case USER: return HivePrincipalType.USER; case ROLE: return HivePrincipalType.ROLE; case GROUP: - throw new HiveException(ErrorMsg.UNNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP); + if (SessionState.get().getAuthorizationMode() == SessionState.AuthorizationMode.V2) { + throw new HiveException(ErrorMsg.UNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP); + } + return HivePrincipalType.GROUP; default: //should not happen as we take care of all existing types throw new AssertionError("Unsupported authorization type specified"); @@ -68,6 +84,9 @@ public static HivePrincipalType getHivePrincipalType(PrincipalType type) throws * @return */ public static HivePrivilegeObjectType getHivePrivilegeObjectType(Type type) { + if (type == null){ + return null; + } switch(type){ case DATABASE: return HivePrivilegeObjectType.DATABASE; 
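Review bot: In the `GROUP` case of getHivePrincipalType, `SessionState.get().getAuthorizationMode()` is dereferenced without checking that a session is attached to the calling thread, so a call made without one would presumably end in a NullPointerException rather than a HiveException; the hunk does not show whether that can happen. Whether GROUP is accepted is an authorization decision, so the no-session case should be decided explicitly, for example `SessionState ss = SessionState.get(); if (ss == null || ss.getAuthorizationMode() == SessionState.AuthorizationMode.V2) { throw new HiveException(ErrorMsg.UNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP); }`. The same expression guards the GLOBAL and COLUMN cases of the new getHiveObjType further down this file. The added `if (type == null) return null;` also deserves a line in the Javadoc, since callers now receive a null principal type instead of an exception.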
@@ -85,6 +104,95 @@ public static HivePrivilegeObjectType getHivePrivilegeObjectType(Type type) { } } + public static HivePrivilegeObjectType getPrivObjectType(PrivilegeObjectDesc privSubjectDesc) { + if (privSubjectDesc.getObject() == null) { + return null; + } + return privSubjectDesc.getTable() ? HivePrivilegeObjectType.TABLE_OR_VIEW : + HivePrivilegeObjectType.DATABASE; + } + + public static List getHivePrivileges(List privileges) { + List hivePrivileges = new ArrayList(); + for(PrivilegeDesc privilege : privileges){ + Privilege priv = privilege.getPrivilege(); + hivePrivileges.add( + new HivePrivilege(priv.toString(), privilege.getColumns(), priv.getScopeList())); + } + return hivePrivileges; + } + + public static List getHivePrincipals(List principals) + throws HiveException { + + ArrayList hivePrincipals = new ArrayList(); + for(PrincipalDesc principal : principals){ + hivePrincipals.add(getHivePrincipal(principal)); + } + return hivePrincipals; + } + + public static HivePrincipal getHivePrincipal(PrincipalDesc principal) throws HiveException { + if (principal == null) { + return null; + } + return getHivePrincipal(principal.getName(), principal.getType()); + } + + public static HivePrincipal getHivePrincipal(String name, PrincipalType type) throws HiveException { + return new HivePrincipal(name, AuthorizationUtils.getHivePrincipalType(type)); + } + + public static List getPrivilegeInfos(List privs) + throws HiveException { + List hivePrivs = new ArrayList(); + for (HiveObjectPrivilege priv : privs) { + PrivilegeGrantInfo grantorInfo = priv.getGrantInfo(); + HiveObjectRef privObject = priv.getHiveObject(); + HivePrincipal hivePrincipal = + getHivePrincipal(priv.getPrincipalName(), priv.getPrincipalType()); + HivePrincipal grantor = + getHivePrincipal(grantorInfo.getGrantor(), grantorInfo.getGrantorType()); + HivePrivilegeObject object = getHiveObjectRef(privObject); + HivePrivilege privilege = new HivePrivilege(grantorInfo.getPrivilege(), null); + 
hivePrivs.add(new HivePrivilegeInfo(hivePrincipal, privilege, object, grantor, + grantorInfo.isGrantOption(), grantorInfo.getCreateTime())); + } + return hivePrivs; + } + + public static HivePrivilegeObject getHiveObjectRef(HiveObjectRef privObj) throws HiveException { + if (privObj == null) { + return null; + } + HivePrivilegeObjectType objType = getHiveObjType(privObj.getObjectType()); + return new HivePrivilegeObject(objType, privObj.getDbName(), privObj.getObjectName(), + privObj.getPartValues(), privObj.getColumnName()); + } + + public static HivePrivilegeObject getHivePrivilegeObject( + PrivilegeObjectDesc privSubjectDesc, List columns) throws HiveException { + + // null means ALL for show grants, GLOBAL for grant/revoke + HivePrivilegeObjectType objectType = null; + + String[] dbTable; + List partSpec = null; + if (privSubjectDesc == null) { + dbTable = new String[] {null, null}; + } else { + if (privSubjectDesc.getTable()) { + dbTable = Utilities.getDbTableName(privSubjectDesc.getObject()); + } else { + dbTable = new String[] {privSubjectDesc.getObject(), null}; + } + if (privSubjectDesc.getPartSpec() != null) { + partSpec = new ArrayList(privSubjectDesc.getPartSpec().values()); + } + objectType = getPrivObjectType(privSubjectDesc); + } + return new HivePrivilegeObject(objectType, dbTable[0], dbTable[1], partSpec, columns, null); + } /** * Convert authorization plugin principal type to thrift principal type @@ -99,6 +207,8 @@ public static PrincipalType getThriftPrincipalType(HivePrincipalType type) { switch(type){ case USER: return PrincipalType.USER; + case GROUP: + return PrincipalType.GROUP; case ROLE: return PrincipalType.ROLE; default: @@ -106,7 +216,6 @@ public static PrincipalType getThriftPrincipalType(HivePrincipalType type) { } } - /** * Get thrift privilege grant info * @param privilege 
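Review bot: getHivePrivilegeObject leaves `objectType` null both when `privSubjectDesc` is null and when getPrivObjectType returns null because `getObject()` is null, and the comment gives that null two meanings (ALL for show grants, GLOBAL for grant/revoke). Elsewhere in this commit, HiveV1Authorizer.toPrivilegeBag turns a null type into a `HiveObjectType.GLOBAL` grant and SQLAuthorizationUtils.getPrivilegesFromMetaStore rewrites a null thrift object type to GLOBAL, so an object whose type was never resolved is handled as a user-level privilege rather than rejected. Since the commit adds `HivePrivilegeObjectType.GLOBAL`, the grant/revoke callers could pass it explicitly and keep null for the show-grants wildcard only; that needs a way to tell the two callers apart, which this hunk does not show. The new public helpers also have no Javadoc; getPrivObjectType and getPrivilegeInfos should at least state that they dereference `privSubjectDesc` and `priv.getGrantInfo()` without a null check.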
@@ -134,12 +243,16 @@ public static HiveObjectType getThriftHiveObjType(HivePrivilegeObjectType type) return null; } switch(type){ + case GLOBAL: + return HiveObjectType.GLOBAL; case DATABASE: return HiveObjectType.DATABASE; case TABLE_OR_VIEW: return HiveObjectType.TABLE; case PARTITION: return HiveObjectType.PARTITION; + case COLUMN: + return HiveObjectType.COLUMN; case LOCAL_URI: case DFS_URI: throw new HiveException("Unsupported type " + type); @@ -149,6 +262,33 @@ public static HiveObjectType getThriftHiveObjType(HivePrivilegeObjectType type) } } + // V1 to V2 conversion. + private static HivePrivilegeObjectType getHiveObjType(HiveObjectType type) throws HiveException { + if (type == null) { + return null; + } + switch(type){ + case GLOBAL: + if (SessionState.get().getAuthorizationMode() == SessionState.AuthorizationMode.V2) { + throw new HiveException(ErrorMsg.UNSUPPORTED_AUTHORIZATION_RESOURCE_TYPE_GLOBAL); + } + return HivePrivilegeObjectType.GLOBAL; + case DATABASE: + return HivePrivilegeObjectType.DATABASE; + case TABLE: + return HivePrivilegeObjectType.TABLE_OR_VIEW; + case PARTITION: + return HivePrivilegeObjectType.PARTITION; + case COLUMN: + if (SessionState.get().getAuthorizationMode() == SessionState.AuthorizationMode.V2) { + throw new HiveException(ErrorMsg.UNSUPPORTED_AUTHORIZATION_RESOURCE_TYPE_COLUMN); + } + return HivePrivilegeObjectType.COLUMN; + default: + //should not happen as we have accounted for all types + throw new AssertionError("Unsupported type " + type); + } + } /** * Convert thrift HiveObjectRef to plugin HivePrivilegeObject diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/Privilege.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/Privilege.java index f9d1b4b..ba8ce26 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/Privilege.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/Privilege.java 
@@ -18,7 +18,9 @@ package org.apache.hadoop.hive.ql.security.authorization; +import java.util.ArrayList; import java.util.EnumSet; +import java.util.List; /** * Privilege defines a privilege in Hive. Each privilege has a name and scope associated with it. @@ -65,6 +67,17 @@ public boolean supportTableLevel() { && supportedScopeSet.contains(PrivilegeScope.TABLE_LEVEL_SCOPE); } + public List getScopeList() { + if (supportedScopeSet == null) { + return null; + } + List scopes = new ArrayList(); + for (PrivilegeScope scope : supportedScopeSet) { + scopes.add(scope.name()); + } + return scopes; + } + @Override public String toString() { return this.getPriv().toString(); diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java index dd4cd22..30a4496 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java @@ -25,10 +25,19 @@ */ @LimitedPrivate(value = { "" }) @Evolving -public class HivePrincipal { +public class HivePrincipal implements Comparable { + + @Override + public int compareTo(HivePrincipal o) { + int compare = name.compareTo(o.name); + if (compare == 0) { + compare = type.compareTo(o.type); + } + return compare; + } public enum HivePrincipalType{ - USER, ROLE, UNKNOWN + USER, GROUP, ROLE, UNKNOWN } @Override diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java index 126300a..5e64b8d 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java 
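Review bot: The new HivePrincipal.compareTo calls `name.compareTo(o.name)` and `type.compareTo(o.type)` with no null handling, while this commit makes a null type reachable: AuthorizationUtils.getHivePrincipalType now returns null for a null input and getHivePrincipal(String, PrincipalType) passes that straight to the constructor. Sorting a list of grants that contains such a principal would throw a NullPointerException. A null-tolerant comparison in the style HivePrivilege.compareTo uses for `columns` would avoid that, e.g. `compare = type != null ? (o.type != null ? type.compareTo(o.type) : 1) : (o.type != null ? -1 : 0);`, and likewise for `name`. The fields and equals/hashCode are outside the hunk, so whether the ordering is consistent with equals cannot be checked here.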
@@ -22,13 +22,14 @@ import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate; import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving; +import org.apache.hadoop.hive.ql.security.authorization.PrivilegeScope; /** * Represents the hive privilege being granted/revoked */ @LimitedPrivate(value = { "" }) @Evolving -public class HivePrivilege { +public class HivePrivilege implements Comparable { @Override public String toString() { return "Privilege [name=" + name + ", columns=" + columns + "]"; @@ -36,10 +37,16 @@ public String toString() { private final String name; private final List columns; + private final List supportedScope; - public HivePrivilege(String name, List columns){ + public HivePrivilege(String name, List columns) { + this(name, columns, null); + } + + public HivePrivilege(String name, List columns, List supportedScope) { this.name = name.toUpperCase(Locale.US); this.columns = columns; + this.supportedScope = supportedScope; } public String getName() { @@ -50,6 +57,10 @@ public String getName() { return columns; } + public List getSupportedScope() { + return supportedScope; + } + @Override public int hashCode() { final int prime = 31; @@ -82,5 +93,27 @@ public boolean equals(Object obj) { } + public boolean supportsScope(PrivilegeScope scope) { + return supportedScope != null && supportedScope.contains(scope.name()); + } + + public int compareTo(HivePrivilege privilege) { + int compare = columns != null ? + (privilege.columns != null ? compare(columns, privilege.columns) : 1) : + (privilege.columns != null ? -1 : 0); + if (compare == 0) { + compare = name.compareTo(privilege.name); + } + return compare; + } + private int compare(List o1, List o2) { + for (int i = 0; i < Math.min(o1.size(), o2.size()); i++) { + int compare = o1.get(i).compareTo(o2.get(i)); + if (compare != 0) { + return compare; + } + } + return o1.size() > o2.size() ? 1 : (o1.size() < o2.size() ? -1 : 0); + } } 
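Review bot: supportsScope returns false whenever `supportedScope` is null, and the two-argument constructor always passes null, so a HivePrivilege built that way is rejected by the column-level check in HiveV1Authorizer.toPrivilegeBag (`does not support column level privilege`). That is the safe default, but it is undocumented; I would add a Javadoc on supportsScope such as `/** Returns true only if this privilege was created with a scope list that contains the given scope; privileges created without a scope list support none. */`. `compareTo` should also carry `@Override`, as the one added to HivePrincipal does. The constructor keeps the caller's `columns` and `supportedScope` lists by reference, which is worth stating in the Javadoc or replacing with copies.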
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java index 8cdff5b..912be6b 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java @@ -21,14 +21,16 @@ import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate; import org.apache.hadoop.hive.common.classification.InterfaceStability.Unstable; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; + +import java.util.ArrayList; +import java.util.Arrays; /** * Represents the object on which privilege is being granted/revoked */ @LimitedPrivate(value = { "" }) @Unstable -public class HivePrivilegeObject { +public class HivePrivilegeObject implements Comparable { @Override public String toString() { @@ -38,8 +40,13 @@ public String toString() { name = dbname; break; case TABLE_OR_VIEW: + case PARTITION: name = (dbname == null ? "" : dbname + ".") + tableviewname; + if (partKeys != null) { + name += partKeys.toString(); + } break; + case COLUMN: case LOCAL_URI: case DFS_URI: name = tableviewname; 
@@ -47,33 +54,74 @@ public String toString() { case COMMAND_PARAMS: name = commandParams.toString(); break; - case PARTITION: - break; } return "Object [type=" + type + ", name=" + name + "]"; } - public enum HivePrivilegeObjectType { - DATABASE, TABLE_OR_VIEW, PARTITION, LOCAL_URI, DFS_URI, COMMAND_PARAMS - }; + @Override + public int compareTo(HivePrivilegeObject o) { + int compare = type.compareTo(o.type); + if (compare == 0) { + compare = dbname.compareTo(o.dbname); + } + if (compare == 0) { + compare = tableviewname != null ? + (o.tableviewname != null ? tableviewname.compareTo(o.tableviewname) : 1) : + (o.tableviewname != null ? -1 : 0); + } + if (compare == 0) { + compare = partKeys != null ? + (o.partKeys != null ? compare(partKeys, o.partKeys) : 1) : + (o.partKeys != null ? -1 : 0); + } + if (compare == 0) { + compare = columns != null ? + (o.columns != null ? compare(columns, o.columns) : 1) : + (o.columns != null ? -1 : 0); + } + return compare; + } + + private int compare(List o1, List o2) { + for (int i = 0; i < Math.min(o1.size(), o2.size()); i++) { + int compare = o1.get(i).compareTo(o2.get(i)); + if (compare != 0) { + return compare; + } + } + return o1.size() > o2.size() ? 1 : (o1.size() < o2.size() ? 
-1 : 0); + } + public enum HivePrivilegeObjectType { + GLOBAL, DATABASE, TABLE_OR_VIEW, PARTITION, COLUMN, LOCAL_URI, DFS_URI, COMMAND_PARAMS + } ; public enum HivePrivObjectActionType { OTHER, INSERT, INSERT_OVERWRITE }; + private final HivePrivilegeObjectType type; private final String dbname; private final String tableviewname; private final List commandParams; + private final List partKeys; + private final List columns; private final HivePrivObjectActionType actionType; - public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI){ + public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI) { this(type, dbname, tableViewURI, HivePrivObjectActionType.OTHER); } + public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI + , HivePrivObjectActionType actionType) { + this(type, dbname, tableViewURI, null, null, actionType, null); + } + public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI, - HivePrivObjectActionType actionType) { - this(type, dbname, tableViewURI, actionType, null); + List partKeys, String column) { + this(type, dbname, tableViewURI, partKeys, + column == null ? null : new ArrayList(Arrays.asList(column)), + HivePrivObjectActionType.OTHER, null); } /** 
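Review bot: compareTo dereferences `type` and `dbname` unconditionally (`type.compareTo(o.type)`, `dbname.compareTo(o.dbname)`), although both are null on objects this commit itself creates: createHivePrivilegeObject passes a null dbname, and AuthorizationUtils.getHivePrivilegeObject passes a null type and null names when there is no privilege subject. The later fields already use a null-tolerant form, so the first two should match, e.g. `compare = dbname != null ? (o.dbname != null ? dbname.compareTo(o.dbname) : 1) : (o.dbname != null ? -1 : 0);` and the same shape for `type`. The private `compare(List, List)` helper duplicates the one added to HivePrivilege and could be shared.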
@@ -82,15 +130,23 @@ public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String t * @return */ public static HivePrivilegeObject createHivePrivilegeObject(List cmdParams) { - return new HivePrivilegeObject(HivePrivilegeObjectType.COMMAND_PARAMS, null, null, null, + return new HivePrivilegeObject(HivePrivilegeObjectType.COMMAND_PARAMS, null, null, null, null, cmdParams); } public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI, - HivePrivObjectActionType actionType, List commandParams) { + List partKeys, List columns, List commandParams) { + this(type, dbname, tableViewURI, partKeys, columns, HivePrivObjectActionType.OTHER, commandParams); + } + + public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI, + List partKeys, List columns, HivePrivObjectActionType actionType, + List commandParams) { this.type = type; this.dbname = dbname; this.tableviewname = tableViewURI; + this.partKeys = partKeys; + this.columns = columns; this.actionType = actionType; this.commandParams = commandParams; } @@ -114,4 +170,12 @@ public HivePrivObjectActionType getActionType() { public List getCommandParams() { return commandParams; } + + public List getPartKeys() { + return partKeys; + } + + public List getColumns() { + return columns; + } } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java new file mode 100644 index 0000000..60c9f14 --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java 
@@ -0,0 +1,374 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hive.ql.security.authorization.plugin; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.metastore.Warehouse; +import org.apache.hadoop.hive.metastore.api.Database; +import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege; +import org.apache.hadoop.hive.metastore.api.HiveObjectRef; +import org.apache.hadoop.hive.metastore.api.HiveObjectType; +import org.apache.hadoop.hive.metastore.api.Partition; +import org.apache.hadoop.hive.metastore.api.PrincipalType; +import org.apache.hadoop.hive.metastore.api.PrivilegeBag; +import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo; +import org.apache.hadoop.hive.metastore.api.Role; +import org.apache.hadoop.hive.metastore.api.RolePrincipalGrant; +import org.apache.hadoop.hive.ql.metadata.Hive; +import org.apache.hadoop.hive.ql.metadata.HiveException; +import org.apache.hadoop.hive.ql.metadata.Table; +import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils; +import org.apache.hadoop.hive.ql.security.authorization.PrivilegeScope; +import 
org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController; +import org.apache.hadoop.hive.ql.session.SessionState; + +import java.util.ArrayList; +import java.util.List; +import java.util.Map; + +public class HiveV1Authorizer implements HiveAuthorizer { + + private final HiveConf conf; + private final Hive hive; + + public HiveV1Authorizer(HiveConf conf, Hive hive) { + this.conf = conf; + this.hive = hive; + } + + @Override + public VERSION getVersion() { + return VERSION.V1; + } + + @Override + public void checkPrivileges(HiveOperationType hiveOpType, List inputsHObjs, + List outputHObjs, HiveAuthzContext context) + throws HiveAuthzPluginException, HiveAccessControlException { + throw new UnsupportedOperationException("Should not be called for v1 authorizer"); + } + + @Override + public void grantPrivileges( + List principals, List privileges, HivePrivilegeObject privObject, + HivePrincipal grantor, boolean grantOption) + throws HiveAuthzPluginException, HiveAccessControlException { + try { + PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption); + grantOrRevokePrivs(principals, privBag, true, grantOption); + } catch (Exception e) { + throw new HiveAuthzPluginException(e); + } + } + + @Override + public void revokePrivileges( + List principals, List privileges, HivePrivilegeObject privObject, + HivePrincipal grantor, boolean grantOption) + throws HiveAuthzPluginException, HiveAccessControlException { + try { + PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption); + grantOrRevokePrivs(principals, privBag, false, grantOption); + } catch (Exception e) { + throw new HiveAuthzPluginException(e); + } + } + + private void grantOrRevokePrivs(List principals, PrivilegeBag privBag, + boolean isGrant, boolean grantOption) throws HiveException { + for (HivePrincipal principal : principals) { + PrincipalType type = AuthorizationUtils.getThriftPrincipalType(principal.getType()); + for 
(HiveObjectPrivilege priv : privBag.getPrivileges()) { + priv.setPrincipalName(principal.getName()); + priv.setPrincipalType(type); + } + if (isGrant) { + hive.grantPrivileges(privBag); + } else { + hive.revokePrivileges(privBag, grantOption); + } + } + } + + private PrivilegeBag toPrivilegeBag(List privileges, + HivePrivilegeObject privObject, HivePrincipal grantor, boolean grantOption) + throws HiveException { + + PrivilegeBag privBag = new PrivilegeBag(); + if (privileges.isEmpty()) { + return privBag; + } + String grantorName = grantor.getName(); + PrincipalType grantorType = AuthorizationUtils.getThriftPrincipalType(grantor.getType()); + if (privObject.getType() == null || + privObject.getType() == HivePrivilegeObject.HivePrivilegeObjectType.GLOBAL) { + for (HivePrivilege priv : privileges) { + List columns = priv.getColumns(); + if (columns != null && !columns.isEmpty()) { + throw new HiveException( + "For user-level privileges, column sets should be null. columns=" + + columns.toString()); + } + privBag.addToPrivileges(new HiveObjectPrivilege(new HiveObjectRef( + HiveObjectType.GLOBAL, null, null, null, null), null, null, + new PrivilegeGrantInfo(priv.getName(), 0, grantor.getName(), grantorType, + grantOption))); + } + return privBag; + } + + if (privObject.getPartKeys() != null && grantOption) { + throw new HiveException("Grant does not support partition level."); + } + Database dbObj = hive.getDatabase(privObject.getDbname()); + if (dbObj == null) { + throw new HiveException("Database " + privObject.getDbname() + " does not exists"); + } + Table tableObj = null; + if (privObject.getTableViewURI() != null) { + tableObj = hive.getTable(dbObj.getName(), privObject.getTableViewURI()); + } + + List partValues = null; + if (tableObj != null) { + if ((!tableObj.isPartitioned()) + && privObject.getPartKeys() != null) { + throw new HiveException( + "Table is not partitioned, but partition name is present: partSpec=" + + privObject.getPartKeys()); + } + + if 
(privObject.getPartKeys() != null) { + Map partSpec = + Warehouse.makeSpecFromValues(tableObj.getPartitionKeys(), privObject.getPartKeys()); + Partition partObj = hive.getPartition(tableObj, partSpec, false).getTPartition(); + partValues = partObj.getValues(); + } + } + + for (HivePrivilege priv : privileges) { + List columns = priv.getColumns(); + if (columns != null && !columns.isEmpty()) { + if (!priv.supportsScope(PrivilegeScope.COLUMN_LEVEL_SCOPE)) { + throw new HiveException(priv.getName() + " does not support column level privilege."); + } + if (tableObj == null) { + throw new HiveException( + "For user-level/database-level privileges, column sets should be null. columns=" + + columns); + } + for (int i = 0; i < columns.size(); i++) { + privBag.addToPrivileges(new HiveObjectPrivilege( + new HiveObjectRef(HiveObjectType.COLUMN, dbObj.getName(), tableObj.getTableName(), + partValues, columns.get(i)), null, null, + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + } + } else if (tableObj == null) { + privBag.addToPrivileges(new HiveObjectPrivilege( + new HiveObjectRef(HiveObjectType.DATABASE, dbObj.getName(), null, + null, null), null, null, + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + } else if (partValues == null) { + privBag.addToPrivileges(new HiveObjectPrivilege( + new HiveObjectRef(HiveObjectType.TABLE, dbObj.getName(), tableObj.getTableName(), + null, null), null, null, + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + } else { + privBag.addToPrivileges(new HiveObjectPrivilege( + new HiveObjectRef(HiveObjectType.PARTITION, dbObj.getName(), tableObj.getTableName(), + partValues, null), null, null, + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + } + } + return privBag; + } + + @Override + public void createRole(String roleName, HivePrincipal adminGrantor) throws HiveAuthzPluginException, 
HiveAccessControlException { + try { + hive.createRole(roleName, adminGrantor == null ? null : adminGrantor.getName()); + } catch (HiveException e) { + throw new HiveAuthzPluginException(e); + } + } + + @Override + public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { + try { + hive.dropRole(roleName); + } catch (HiveException e) { + throw new HiveAuthzPluginException(e); + } + } + + @Override + public List getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { + try { + return SQLStdHiveAccessController.getHiveRoleGrants(hive.getMSC(), roleName); + } catch (Exception e) { + throw new HiveAuthzPluginException(e); + } + } + + @Override + public List getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, HiveAccessControlException { + PrincipalType type = AuthorizationUtils.getThriftPrincipalType(principal.getType()); + try { + List grants = new ArrayList(); + for (RolePrincipalGrant grant : hive.getRoleGrantInfoForPrincipal(principal.getName(), type)) { + grants.add(new HiveRoleGrant(grant)); + } + return grants; + } catch (HiveException e) { + throw new HiveAuthzPluginException(e); + } + } + + @Override + public void grantRole(List principals, List roles, boolean grantOption, + HivePrincipal grantor) throws HiveAuthzPluginException, HiveAccessControlException { + try { + grantOrRevokeRole(principals, roles, grantOption, grantor, true); + } catch (HiveException e) { + throw new HiveAuthzPluginException(e); + } + } + + @Override + public void revokeRole(List principals, List roles, boolean grantOption, + HivePrincipal grantor) throws HiveAuthzPluginException, HiveAccessControlException { + try { + grantOrRevokeRole(principals, roles, grantOption, grantor, false); + } catch (HiveException e) { + throw new HiveAuthzPluginException(e); + } + } + + private void grantOrRevokeRole(List principals, List roles, + boolean grantOption, 
HivePrincipal grantor, boolean isGrant) throws HiveException { + PrincipalType grantorType = AuthorizationUtils.getThriftPrincipalType(grantor.getType()); + for (HivePrincipal principal : principals) { + PrincipalType principalType = AuthorizationUtils.getThriftPrincipalType(principal.getType()); + String userName = principal.getName(); + for (String roleName : roles) { + if (isGrant) { + hive.grantRole(roleName, userName, principalType, + grantor.getName(), grantorType, grantOption); + } else { + hive.revokeRole(roleName, userName, principalType, grantOption); + } + } + } + } + + @Override + public List getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException { + try { + return hive.getAllRoleNames(); + } catch (HiveException e) { + throw new HiveAuthzPluginException(e); + } + } + + @Override + public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) + throws HiveAuthzPluginException, HiveAccessControlException { + String name = principal == null ? null : principal.getName(); + PrincipalType type = + AuthorizationUtils.getThriftPrincipalType(principal == null ? 
null : principal.getType()); + + List privs = new ArrayList(); + try { + if (privObj == null) { + // show user level privileges + privs.addAll(hive.showPrivilegeGrant(HiveObjectType.GLOBAL, name, type, + null, null, null, null)); + } else if (privObj.getDbname() == null) { + // show all privileges + privs.addAll(hive.showPrivilegeGrant(null, name, type, null, null, null, null)); + } else { + Database dbObj = hive.getDatabase(privObj.getDbname());; + if (dbObj == null) { + throw new HiveException("Database " + privObj.getDbname() + " does not exists"); + } + Table tableObj = null; + if (privObj.getTableViewURI() != null) { + tableObj = hive.getTable(dbObj.getName(), privObj.getTableViewURI()); + } + List partValues = privObj.getPartKeys(); + + if (tableObj == null) { + // show database level privileges + privs.addAll(hive.showPrivilegeGrant(HiveObjectType.DATABASE, + name, type, dbObj.getName(), null, null, null)); + } else { + List columns = privObj.getColumns(); + if (columns != null && !columns.isEmpty()) { + // show column level privileges + for (String columnName : columns) { + privs.addAll(hive.showPrivilegeGrant(HiveObjectType.COLUMN, name, type, + dbObj.getName(), tableObj.getTableName(), partValues, columnName)); + } + } else if (partValues == null) { + // show table level privileges + privs.addAll(hive.showPrivilegeGrant(HiveObjectType.TABLE, name, type, + dbObj.getName(), tableObj.getTableName(), null, null)); + } else { + // show partition level privileges + privs.addAll(hive.showPrivilegeGrant(HiveObjectType.PARTITION, name, type, + dbObj.getName(), tableObj.getTableName(), partValues, null)); + } + } + } + return AuthorizationUtils.getPrivilegeInfos(privs); + } catch (Exception ex) { + throw new HiveAuthzPluginException(ex); + } + } + + @Override + public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException { + throw new HiveAuthzPluginException("Unsupported operation 'setCurrentRole' for V1 auth"); + } + + 
@Override + public List getCurrentRoleNames() throws HiveAuthzPluginException { + + String userName = SessionState.get().getUserName(); + if (userName == null) { + userName = SessionState.getUserFromAuthenticator(); + } + if (userName == null) { + throw new HiveAuthzPluginException("Cannot resolve current user name"); + } + try { + List roleNames = new ArrayList(); + for (Role role : hive.listRoles(userName, PrincipalType.USER)) { + roleNames.add(role.getRoleName()); + } + return roleNames; + } catch (HiveException e) { + throw new HiveAuthzPluginException(e); + } + } + + @Override + public void applyAuthorizationConfigPolicy(HiveConf hiveConf) { + } +} diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java index 6b635ce..f1220d7 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java @@ -186,8 +186,12 @@ static RequiredPrivileges getPrivilegesFromMetaStore(IMetaStoreClient metastoreC // get privileges for this user and its role on this object PrincipalPrivilegeSet thrifPrivs = null; try { + HiveObjectRef objectRef = AuthorizationUtils.getThriftHiveObjectRef(hivePrivObject); + if (objectRef.getObjectType() == null) { + objectRef.setObjectType(HiveObjectType.GLOBAL); + } thrifPrivs = metastoreClient.get_privilege_set( - AuthorizationUtils.getThriftHiveObjectRef(hivePrivObject), userName, null); + objectRef, userName, null); } catch (MetaException e) { throwGetPrivErr(e, hivePrivObject, userName); } catch (TException e) { 
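Review bot: grantOrRevokePrivs sends one metastore request per principal and reuses the same PrivilegeBag between iterations, so a failure on a later principal leaves the earlier ones already granted or revoked while the statement as a whole reports an error. A revoke that fails part-way therefore leaves the privilege removed from some principals and still held by others, and the wrapped HiveAuthzPluginException does not say which. Building one bag with an entry per principal and privilege and issuing a single call, as sketched below, removes the partial state on the client side; whether the metastore applies one bag atomically is not visible in this diff. grantOrRevokeRole has the same per-principal, per-role loop. toPrivilegeBag also dereferences `grantor` and `privObject` without a null check, while createRole in the same class tolerates a null grantor.

```java
  private void grantOrRevokePrivs(List<HivePrincipal> principals, PrivilegeBag privBag,
      boolean isGrant, boolean grantOption) throws HiveException {
    // One entry per (principal, privilege), sent as a single request.
    PrivilegeBag combined = new PrivilegeBag();
    for (HivePrincipal principal : principals) {
      PrincipalType type = AuthorizationUtils.getThriftPrincipalType(principal.getType());
      for (HiveObjectPrivilege priv : privBag.getPrivileges()) {
        // Copy so that each principal gets its own entry instead of overwriting the shared one.
        HiveObjectPrivilege entry = new HiveObjectPrivilege(priv);
        entry.setPrincipalName(principal.getName());
        entry.setPrincipalType(type);
        combined.addToPrivileges(entry);
      }
    }
    if (isGrant) {
      hive.grantPrivileges(combined);
    } else {
      hive.revokePrivileges(combined, grantOption);
    }
  }
```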
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java index 932b980..a16f42a 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java @@ -350,19 +350,24 @@ public void revokeRole(List hivePrincipals, List roleName + " allowed get principals in a role. " + ADMIN_ONLY_MSG); } try { - GetPrincipalsInRoleResponse princGrantInfo = - metastoreClientFactory.getHiveMetastoreClient().get_principals_in_role(new GetPrincipalsInRoleRequest(roleName)); - - List hiveRoleGrants = new ArrayList(); - for(RolePrincipalGrant thriftRoleGrant : princGrantInfo.getPrincipalGrants()){ - hiveRoleGrants.add(new HiveRoleGrant(thriftRoleGrant)); - } - return hiveRoleGrants; + return getHiveRoleGrants(metastoreClientFactory.getHiveMetastoreClient(), roleName); } catch (Exception e) { throw new HiveAuthzPluginException("Error getting principals for all roles", e); } } + public static List getHiveRoleGrants(IMetaStoreClient client, String roleName) + throws Exception { + GetPrincipalsInRoleRequest request = new GetPrincipalsInRoleRequest(roleName); + GetPrincipalsInRoleResponse princGrantInfo = client.get_principals_in_role(request); + + List hiveRoleGrants = new ArrayList(); + for(RolePrincipalGrant thriftRoleGrant : princGrantInfo.getPrincipalGrants()){ + hiveRoleGrants.add(new HiveRoleGrant(thriftRoleGrant)); + } + return hiveRoleGrants; + } + @Override public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException { 
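Review bot: getHiveRoleGrants is extracted as a `public static` method that performs no privilege check of its own; the admin check stays in the calling instance method, whose start is outside this hunk. HiveV1Authorizer.getPrincipalGrantInfoForRole in this commit calls the helper directly, so the list of principals in a role is returned there without that check, which looks intended for V1 but should be stated. I would add a Javadoc along the lines of `/** Lists the principals granted roleName. Performs no authorization check; callers must enforce their own. */` and narrow `throws Exception` to the exceptions `get_principals_in_role` declares.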
@@ -416,7 +421,7 @@ public void revokeRole(List hivePrincipals, List roleName HivePrivilegeObject resPrivObj = new HivePrivilegeObject( getPluginObjType(msObjRef.getObjectType()), msObjRef.getDbName(), - msObjRef.getObjectName()); + msObjRef.getObjectName(), msObjRef.getPartValues(), msObjRef.getColumnName()); // result grantor principal HivePrincipal grantorPrincipal = new HivePrincipal(msGrantInfo.getGrantor(), diff --git a/ql/src/test/queries/clientnegative/authorization_show_role_principals_v1.q b/ql/src/test/queries/clientnegative/authorization_show_role_principals_v1.q deleted file mode 100644 index 69cea2f..0000000 --- a/ql/src/test/queries/clientnegative/authorization_show_role_principals_v1.q +++ /dev/null @@ -1,2 +0,0 @@ --- This test will fail because the command is not currently supported in auth mode v1 -show principals role1; diff --git a/ql/src/test/queries/clientpositive/authorization_show_role_principals_v1.q b/ql/src/test/queries/clientpositive/authorization_show_role_principals_v1.q new file mode 100644 index 0000000..50e9dc2 --- /dev/null +++ b/ql/src/test/queries/clientpositive/authorization_show_role_principals_v1.q @@ -0,0 +1,6 @@ +create role role1; +grant role1 to user user1 with admin option; +grant role1 to user user2 with admin option; +show role grant user user1; +show role grant user user2; +show principals role1; diff --git a/ql/src/test/results/clientnegative/authorization_caseinsensitivity.q.out b/ql/src/test/results/clientnegative/authorization_caseinsensitivity.q.out index 9cd36b6..633527d 100644 --- a/ql/src/test/results/clientnegative/authorization_caseinsensitivity.q.out +++ b/ql/src/test/results/clientnegative/authorization_caseinsensitivity.q.out 
@@ -59,4 +59,4 @@ testrole PREHOOK: query: create role TESTRoLE PREHOOK: type: CREATEROLE -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. InvalidObjectException(message:Role testrole already exists.) +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Role testrole already exists. diff --git a/ql/src/test/results/clientnegative/authorization_fail_1.q.out b/ql/src/test/results/clientnegative/authorization_fail_1.q.out index 7af4ae8..3f9c4ed 100644 --- a/ql/src/test/results/clientnegative/authorization_fail_1.q.out +++ b/ql/src/test/results/clientnegative/authorization_fail_1.q.out @@ -14,5 +14,4 @@ POSTHOOK: Output: default@authorization_fail_1 PREHOOK: query: grant Create on table authorization_fail_1 to user hive_test_user PREHOOK: type: GRANT_PRIVILEGE PREHOOK: Output: default@authorization_fail_1 -Error: java.lang.RuntimeException: InvalidObjectException(message:Create is already granted on table [default,authorization_fail_1] by hive_test_user) -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: java.lang.RuntimeException: InvalidObjectException(message:CREATE is already granted on table [default,authorization_fail_1] by hive_test_user) diff --git a/ql/src/test/results/clientnegative/authorization_fail_3.q.out b/ql/src/test/results/clientnegative/authorization_fail_3.q.out index d3b2a7c..8cc246d 100644 --- a/ql/src/test/results/clientnegative/authorization_fail_3.q.out +++ b/ql/src/test/results/clientnegative/authorization_fail_3.q.out 
@@ -26,7 +26,7 @@ PREHOOK: query: show grant user hive_test_user on table authorization_fail_3 PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_fail_3 POSTHOOK: type: SHOW_GRANT -default authorization_fail_3 hive_test_user USER Create false -1 hive_test_user +default authorization_fail_3 hive_test_user USER CREATE false -1 hive_test_user PREHOOK: query: show grant user hive_test_user on table authorization_fail_3 partition (ds='2010') PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_fail_3 partition (ds='2010') diff --git a/ql/src/test/results/clientnegative/authorization_fail_4.q.out b/ql/src/test/results/clientnegative/authorization_fail_4.q.out index 3ce149b..1eddbf7 100644 --- a/ql/src/test/results/clientnegative/authorization_fail_4.q.out +++ b/ql/src/test/results/clientnegative/authorization_fail_4.q.out 
@@ -40,12 +40,12 @@ PREHOOK: query: show grant user hive_test_user on table authorization_fail_4 PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_fail_4 POSTHOOK: type: SHOW_GRANT -default authorization_fail_4 hive_test_user USER Alter false -1 hive_test_user -default authorization_fail_4 hive_test_user USER Create false -1 hive_test_user +default authorization_fail_4 hive_test_user USER ALTER false -1 hive_test_user +default authorization_fail_4 hive_test_user USER CREATE false -1 hive_test_user PREHOOK: query: show grant user hive_test_user on table authorization_fail_4 partition (ds='2010') PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_fail_4 partition (ds='2010') POSTHOOK: type: SHOW_GRANT -default authorization_fail_4 [2010] hive_test_user USER Alter false -1 hive_test_user -default authorization_fail_4 [2010] hive_test_user USER Create false -1 hive_test_user +default authorization_fail_4 [2010] hive_test_user USER ALTER false -1 hive_test_user +default authorization_fail_4 [2010] hive_test_user USER CREATE false -1 hive_test_user Authorization failed:No privilege 'Select' found for inputs { database:default, table:authorization_fail_4, partitionName:ds=2010, columnName:key}. Use SHOW GRANT to get more details. diff --git a/ql/src/test/results/clientnegative/authorization_fail_5.q.out b/ql/src/test/results/clientnegative/authorization_fail_5.q.out index 72b074f..365d5ce 100644 --- a/ql/src/test/results/clientnegative/authorization_fail_5.q.out +++ b/ql/src/test/results/clientnegative/authorization_fail_5.q.out 
@@ -46,16 +46,16 @@ PREHOOK: query: show grant user hive_test_user on table authorization_fail PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_fail POSTHOOK: type: SHOW_GRANT -default authorization_fail hive_test_user USER Alter false -1 hive_test_user -default authorization_fail hive_test_user USER Create false -1 hive_test_user -default authorization_fail hive_test_user USER Select false -1 hive_test_user +default authorization_fail hive_test_user USER ALTER false -1 hive_test_user +default authorization_fail hive_test_user USER CREATE false -1 hive_test_user +default authorization_fail hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: show grant user hive_test_user on table authorization_fail partition (ds='2010') PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_fail partition (ds='2010') POSTHOOK: type: SHOW_GRANT -default authorization_fail [2010] hive_test_user USER Alter false -1 hive_test_user -default authorization_fail [2010] hive_test_user USER Create false -1 hive_test_user -default authorization_fail [2010] hive_test_user USER Select false -1 hive_test_user +default authorization_fail [2010] hive_test_user USER ALTER false -1 hive_test_user +default authorization_fail [2010] hive_test_user USER CREATE false -1 hive_test_user +default authorization_fail [2010] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: revoke Select on table authorization_fail partition (ds='2010') from user hive_test_user PREHOOK: type: REVOKE_PRIVILEGE PREHOOK: Output: default@authorization_fail@ds=2010 
@@ -66,6 +66,6 @@ PREHOOK: query: show grant user hive_test_user on table authorization_fail parti PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_fail partition (ds='2010') POSTHOOK: type: SHOW_GRANT -default authorization_fail [2010] hive_test_user USER Alter false -1 hive_test_user -default authorization_fail [2010] hive_test_user USER Create false -1 hive_test_user +default authorization_fail [2010] hive_test_user USER ALTER false -1 hive_test_user +default authorization_fail [2010] hive_test_user USER CREATE false -1 hive_test_user Authorization failed:No privilege 'Select' found for inputs { database:default, table:authorization_fail, partitionName:ds=2010, columnName:key}. Use SHOW GRANT to get more details. diff --git a/ql/src/test/results/clientnegative/authorization_fail_7.q.out b/ql/src/test/results/clientnegative/authorization_fail_7.q.out index e9b7c35..77ead38 100644 --- a/ql/src/test/results/clientnegative/authorization_fail_7.q.out +++ b/ql/src/test/results/clientnegative/authorization_fail_7.q.out @@ -33,7 +33,7 @@ PREHOOK: query: show grant role hive_test_role_fail on table authorization_fail PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant role hive_test_role_fail on table authorization_fail POSTHOOK: type: SHOW_GRANT -default authorization_fail hive_test_role_fail ROLE Select false -1 hive_test_user +default authorization_fail hive_test_role_fail ROLE SELECT false -1 hive_test_user PREHOOK: query: drop role hive_test_role_fail PREHOOK: type: DROPROLE POSTHOOK: query: drop role hive_test_role_fail diff --git a/ql/src/test/results/clientnegative/authorization_fail_8.q.out b/ql/src/test/results/clientnegative/authorization_fail_8.q.out index 10dd71b..fecb15c 100644 --- a/ql/src/test/results/clientnegative/authorization_fail_8.q.out +++ b/ql/src/test/results/clientnegative/authorization_fail_8.q.out 
@@ -45,4 +45,4 @@ PREHOOK: query: -- Now that grant option has been revoked, granting to other use GRANT SELECT ON authorization_fail TO USER user3 PREHOOK: type: GRANT_PRIVILEGE PREHOOK: Output: default@authorization_fail -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.authorization_fail] : [SELECT with grant] +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.authorization_fail] for operation GRANT_PRIVILEGE : [SELECT with grant] diff --git a/ql/src/test/results/clientnegative/authorization_part.q.out b/ql/src/test/results/clientnegative/authorization_part.q.out index dfdcb39..fa80590 100644 --- a/ql/src/test/results/clientnegative/authorization_part.q.out +++ b/ql/src/test/results/clientnegative/authorization_part.q.out @@ -68,7 +68,7 @@ PREHOOK: query: show grant group hive_test_group1 on table authorization_part_fa PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant group hive_test_group1 on table authorization_part_fail POSTHOOK: type: SHOW_GRANT -default authorization_part_fail hive_test_group1 GROUP Select false -1 hive_test_user +default authorization_part_fail hive_test_group1 GROUP SELECT false -1 hive_test_user PREHOOK: query: insert overwrite table authorization_part_fail partition (ds='2010') select key, value from src_auth PREHOOK: type: QUERY PREHOOK: Input: default@src_auth 
@@ -83,12 +83,12 @@ PREHOOK: query: show grant group hive_test_group1 on table authorization_part_fa PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant group hive_test_group1 on table authorization_part_fail(key) partition (ds='2010') POSTHOOK: type: SHOW_GRANT -default authorization_part_fail [2010] key hive_test_group1 GROUP Select false -1 hive_test_user +default authorization_part_fail [2010] [key] hive_test_group1 GROUP SELECT false -1 hive_test_user PREHOOK: query: show grant group hive_test_group1 on table authorization_part_fail partition (ds='2010') PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant group hive_test_group1 on table authorization_part_fail partition (ds='2010') POSTHOOK: type: SHOW_GRANT -default authorization_part_fail [2010] hive_test_group1 GROUP Select false -1 hive_test_user +default authorization_part_fail [2010] hive_test_group1 GROUP SELECT false -1 hive_test_user PREHOOK: query: select key, value from authorization_part_fail where ds='2010' order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@authorization_part_fail 
@@ -133,12 +133,12 @@ PREHOOK: query: show grant group hive_test_group1 on table authorization_part_fa PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant group hive_test_group1 on table authorization_part_fail(key) partition (ds='2011') POSTHOOK: type: SHOW_GRANT -default authorization_part_fail [2011] key hive_test_group1 GROUP Select false -1 hive_test_user +default authorization_part_fail [2011] [key] hive_test_group1 GROUP SELECT false -1 hive_test_user PREHOOK: query: show grant group hive_test_group1 on table authorization_part_fail partition (ds='2011') PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant group hive_test_group1 on table authorization_part_fail partition (ds='2011') POSTHOOK: type: SHOW_GRANT -default authorization_part_fail [2011] hive_test_group1 GROUP Select false -1 hive_test_user +default authorization_part_fail [2011] hive_test_group1 GROUP SELECT false -1 hive_test_user PREHOOK: query: select key, value from authorization_part_fail where ds='2011' order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@authorization_part_fail diff --git a/ql/src/test/results/clientnegative/authorization_public_create.q.out b/ql/src/test/results/clientnegative/authorization_public_create.q.out index 0318a8b..4c9a2ad 100644 --- a/ql/src/test/results/clientnegative/authorization_public_create.q.out +++ b/ql/src/test/results/clientnegative/authorization_public_create.q.out @@ -1,4 +1,3 @@ PREHOOK: query: create role PUBLIC PREHOOK: type: CREATEROLE -Error in role operation create_role on role name public, error message MetaException(message:public role implictly exists. It can't be created.) -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:public role implictly exists. It can't be created.) 
diff --git a/ql/src/test/results/clientnegative/authorization_public_drop.q.out b/ql/src/test/results/clientnegative/authorization_public_drop.q.out index 912589d..7759745 100644 --- a/ql/src/test/results/clientnegative/authorization_public_drop.q.out +++ b/ql/src/test/results/clientnegative/authorization_public_drop.q.out @@ -1,4 +1,3 @@ PREHOOK: query: drop role PUBLIC PREHOOK: type: DROPROLE -Error in role operation drop_role on role name public, error message MetaException(message:public/admin role can't be dropped.) -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:public/admin role can't be dropped.) diff --git a/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out b/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out index 704b7b1..032be5b 100644 --- a/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out +++ b/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out @@ -19,4 +19,4 @@ POSTHOOK: type: GRANT_ROLE PREHOOK: query: -- this will create a cycle grant role role2 to role role1 PREHOOK: type: GRANT_ROLE -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Cannot grant role role1 to role2 as role2 already belongs to the role role1. (no cycles allowed) +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Cannot grant role role1 to role2 as role2 already belongs to the role role1. (no cycles allowed) diff --git a/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out b/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out index 03348a8..a9d8cfe 100644 --- a/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out 
+++ b/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out @@ -45,4 +45,4 @@ POSTHOOK: type: GRANT_ROLE PREHOOK: query: -- this will create a cycle in middle of the hierarchy grant role role2 to role role4 PREHOOK: type: GRANT_ROLE -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Cannot grant role role4 to role2 as role2 already belongs to the role role4. (no cycles allowed) +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Cannot grant role role4 to role2 as role2 already belongs to the role role4. (no cycles allowed) diff --git a/ql/src/test/results/clientnegative/authorization_role_grant.q.out b/ql/src/test/results/clientnegative/authorization_role_grant.q.out index a497467..bd0f0a3 100644 --- a/ql/src/test/results/clientnegative/authorization_role_grant.q.out +++ b/ql/src/test/results/clientnegative/authorization_role_grant.q.out @@ -41,4 +41,4 @@ POSTHOOK: query: set role role_noadmin POSTHOOK: type: SHOW_ROLES PREHOOK: query: grant src_role_wadmin to user user3 PREHOOK: type: GRANT_ROLE -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Current user : user2 is not allowed to grant role. User has to belong to ADMIN role and have it as current role, for this action. Otherwise, grantor need to have ADMIN OPTION on role being granted and have it as a current role for this action. +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : user2 is not allowed to grant role. User has to belong to ADMIN role and have it as current role, for this action. Otherwise, grantor need to have ADMIN OPTION on role being granted and have it as a current role for this action. 
diff --git a/ql/src/test/results/clientnegative/authorization_role_grant2.q.out b/ql/src/test/results/clientnegative/authorization_role_grant2.q.out index dc662ec..2156d49 100644 --- a/ql/src/test/results/clientnegative/authorization_role_grant2.q.out +++ b/ql/src/test/results/clientnegative/authorization_role_grant2.q.out @@ -59,4 +59,4 @@ POSTHOOK: type: SHOW_ROLES PREHOOK: query: -- grant/revoke should now fail grant src_role_wadmin to user user3 PREHOOK: type: GRANT_ROLE -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Current user : user2 is not allowed to grant role. User has to belong to ADMIN role and have it as current role, for this action. Otherwise, grantor need to have ADMIN OPTION on role being granted and have it as a current role for this action. +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : user2 is not allowed to grant role. User has to belong to ADMIN role and have it as current role, for this action. Otherwise, grantor need to have ADMIN OPTION on role being granted and have it as a current role for this action. diff --git a/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out b/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out index 6193103..510c3a4 100644 --- a/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out +++ b/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out 
@@ -16,4 +16,4 @@ create role role1 POSTHOOK: type: CREATEROLE PREHOOK: query: grant role1 to role nosuchrole PREHOOK: type: GRANT_ROLE -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Error granting roles for nosuchrole to role role1: NoSuchObjectException(message:Role nosuchrole does not exist) +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error granting roles for nosuchrole to role role1: NoSuchObjectException(message:Role nosuchrole does not exist) diff --git a/ql/src/test/results/clientnegative/authorization_show_role_principals_v1.q.out b/ql/src/test/results/clientnegative/authorization_show_role_principals_v1.q.out deleted file mode 100644 index e9a965b..0000000 --- a/ql/src/test/results/clientnegative/authorization_show_role_principals_v1.q.out +++ /dev/null @@ -1,5 +0,0 @@ -PREHOOK: query: -- This test will fail because the command is not currently supported in auth mode v1 -show principals role1 -PREHOOK: type: SHOW_ROLE_PRINCIPALS -Error in role operation show_role_principals on role name role1, error message Show role principals is not currently supported in authorization mode V1 -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask diff --git a/ql/src/test/results/clientpositive/alter_rename_partition_authorization.q.out b/ql/src/test/results/clientpositive/alter_rename_partition_authorization.q.out index 1e00d1b..4d49f1e 100644 --- a/ql/src/test/results/clientpositive/alter_rename_partition_authorization.q.out +++ b/ql/src/test/results/clientpositive/alter_rename_partition_authorization.q.out 
@@ -54,9 +54,9 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part POSTHOOK: type: SHOW_GRANT -default authorization_part hive_test_user USER Create false -1 hive_test_user -default authorization_part hive_test_user USER Drop false -1 hive_test_user -default authorization_part hive_test_user USER Update false -1 hive_test_user +default authorization_part hive_test_user USER CREATE false -1 hive_test_user +default authorization_part hive_test_user USER DROP false -1 hive_test_user +default authorization_part hive_test_user USER UPDATE false -1 hive_test_user PREHOOK: query: grant select(key) on table authorization_part to user hive_test_user PREHOOK: type: GRANT_PRIVILEGE PREHOOK: Output: default@authorization_part @@ -77,7 +77,7 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) partition (ds='2010') POSTHOOK: type: SHOW_GRANT -default authorization_part [2010] key hive_test_user USER Select false -1 hive_test_user +default authorization_part [2010] [key] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: alter table authorization_part partition (ds='2010') rename to partition (ds='2010_tmp') PREHOOK: type: ALTERTABLE_RENAMEPART PREHOOK: Input: default@authorization_part 
@@ -92,7 +92,7 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) partition (ds='2010_tmp') POSTHOOK: type: SHOW_GRANT -default authorization_part [2010_tmp] key hive_test_user USER Select false -1 hive_test_user +default authorization_part [2010_tmp] [key] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: drop table authorization_part PREHOOK: type: DROPTABLE PREHOOK: Input: default@authorization_part diff --git a/ql/src/test/results/clientpositive/authorization_1.q.out b/ql/src/test/results/clientpositive/authorization_1.q.out index 0ff4b04..dac0820 100644 --- a/ql/src/test/results/clientpositive/authorization_1.q.out +++ b/ql/src/test/results/clientpositive/authorization_1.q.out @@ -23,7 +23,7 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table src_autho_test POSTHOOK: type: SHOW_GRANT -default src_autho_test hive_test_user USER Select false -1 hive_test_user +default src_autho_test hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: show grant user hive_test_user on table src_autho_test(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table src_autho_test(key) @@ -88,7 +88,7 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table src_autho_test(key) POSTHOOK: type: SHOW_GRANT -default src_autho_test key hive_test_user USER Select false -1 hive_test_user +default src_autho_test [key] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: select key from src_autho_test order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@src_autho_test 
@@ -145,7 +145,7 @@ PREHOOK: query: show grant group hive_test_group1 on table src_autho_test PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant group hive_test_group1 on table src_autho_test POSTHOOK: type: SHOW_GRANT -default src_autho_test hive_test_group1 GROUP Select false -1 hive_test_user +default src_autho_test hive_test_group1 GROUP SELECT false -1 hive_test_user PREHOOK: query: show grant group hive_test_group1 on table src_autho_test(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant group hive_test_group1 on table src_autho_test(key) @@ -210,7 +210,7 @@ PREHOOK: query: show grant group hive_test_group1 on table src_autho_test(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant group hive_test_group1 on table src_autho_test(key) POSTHOOK: type: SHOW_GRANT -default src_autho_test key hive_test_group1 GROUP Select false -1 hive_test_user +default src_autho_test [key] hive_test_group1 GROUP SELECT false -1 hive_test_user PREHOOK: query: select key from src_autho_test order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@src_autho_test @@ -287,7 +287,7 @@ PREHOOK: query: show grant role src_role on table src_autho_test(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant role src_role on table src_autho_test(key) POSTHOOK: type: SHOW_GRANT -default src_autho_test key src_role ROLE Select false -1 hive_test_user +default src_autho_test [key] src_role ROLE SELECT false -1 hive_test_user PREHOOK: query: select key from src_autho_test order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@src_autho_test 
@@ -364,7 +364,7 @@ PREHOOK: query: show grant role src_role on table src_autho_test PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant role src_role on table src_autho_test POSTHOOK: type: SHOW_GRANT -default src_autho_test src_role ROLE Select false -1 hive_test_user +default src_autho_test src_role ROLE SELECT false -1 hive_test_user PREHOOK: query: show grant role src_role on table src_autho_test(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant role src_role on table src_autho_test(key) diff --git a/ql/src/test/results/clientpositive/authorization_2.q.out b/ql/src/test/results/clientpositive/authorization_2.q.out index 5d82e56..fc586d9 100644 --- a/ql/src/test/results/clientpositive/authorization_2.q.out +++ b/ql/src/test/results/clientpositive/authorization_2.q.out @@ -54,9 +54,9 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part POSTHOOK: type: SHOW_GRANT -default authorization_part hive_test_user USER Create false -1 hive_test_user -default authorization_part hive_test_user USER Drop false -1 hive_test_user -default authorization_part hive_test_user USER Update false -1 hive_test_user +default authorization_part hive_test_user USER CREATE false -1 hive_test_user +default authorization_part hive_test_user USER DROP false -1 hive_test_user +default authorization_part hive_test_user USER UPDATE false -1 hive_test_user PREHOOK: query: alter table authorization_part add partition (ds='2010') PREHOOK: type: ALTERTABLE_ADDPARTS PREHOOK: Output: default@authorization_part 
@@ -68,9 +68,9 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part parti PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010') POSTHOOK: type: SHOW_GRANT -default authorization_part [2010] hive_test_user USER Create false -1 hive_test_user -default authorization_part [2010] hive_test_user USER Drop false -1 hive_test_user -default authorization_part [2010] hive_test_user USER Update false -1 hive_test_user +default authorization_part [2010] hive_test_user USER CREATE false -1 hive_test_user +default authorization_part [2010] hive_test_user USER DROP false -1 hive_test_user +default authorization_part [2010] hive_test_user USER UPDATE false -1 hive_test_user PREHOOK: query: grant select(key) on table authorization_part to user hive_test_user PREHOOK: type: GRANT_PRIVILEGE PREHOOK: Output: default@authorization_part @@ -99,12 +99,12 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) partition (ds='2010') POSTHOOK: type: SHOW_GRANT -default authorization_part [2010] key hive_test_user USER Select false -1 hive_test_user +default authorization_part [2010] [key] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: show grant user hive_test_user on table authorization_part(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) POSTHOOK: type: SHOW_GRANT -default authorization_part key hive_test_user USER Select false -1 hive_test_user +default authorization_part [key] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@authorization_part 
@@ -149,7 +149,7 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part(key) PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) partition (ds='2010') POSTHOOK: type: SHOW_GRANT -default authorization_part [2010] key hive_test_user USER Select false -1 hive_test_user +default authorization_part [2010] [key] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20 PREHOOK: type: QUERY PREHOOK: Input: default@authorization_part @@ -204,9 +204,9 @@ PREHOOK: type: SHOW_GRANT POSTHOOK: query: -- table grant to user show grant user hive_test_user on table authorization_part POSTHOOK: type: SHOW_GRANT -default authorization_part hive_test_user USER Create false -1 hive_test_user -default authorization_part hive_test_user USER Drop false -1 hive_test_user -default authorization_part hive_test_user USER Update false -1 hive_test_user +default authorization_part hive_test_user USER CREATE false -1 hive_test_user +default authorization_part hive_test_user USER DROP false -1 hive_test_user +default authorization_part hive_test_user USER UPDATE false -1 hive_test_user PREHOOK: query: alter table authorization_part add partition (ds='2010') PREHOOK: type: ALTERTABLE_ADDPARTS PREHOOK: Output: default@authorization_part 
@@ -218,9 +218,9 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part parti PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010') POSTHOOK: type: SHOW_GRANT -default authorization_part [2010] hive_test_user USER Create false -1 hive_test_user -default authorization_part [2010] hive_test_user USER Drop false -1 hive_test_user -default authorization_part [2010] hive_test_user USER Update false -1 hive_test_user +default authorization_part [2010] hive_test_user USER CREATE false -1 hive_test_user +default authorization_part [2010] hive_test_user USER DROP false -1 hive_test_user +default authorization_part [2010] hive_test_user USER UPDATE false -1 hive_test_user PREHOOK: query: grant select on table authorization_part to user hive_test_user PREHOOK: type: GRANT_PRIVILEGE PREHOOK: Output: default@authorization_part 
@@ -249,18 +249,18 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part parti
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010')
 POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] hive_test_user USER Create false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Drop false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Select false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Update false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER DROP false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER SELECT false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER UPDATE false -1 hive_test_user
 PREHOOK: query: show grant user hive_test_user on table authorization_part
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on table authorization_part
 POSTHOOK: type: SHOW_GRANT
-default authorization_part hive_test_user USER Create false -1 hive_test_user
-default authorization_part hive_test_user USER Drop false -1 hive_test_user
-default authorization_part hive_test_user USER Select false -1 hive_test_user
-default authorization_part hive_test_user USER Update false -1 hive_test_user
+default authorization_part hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part hive_test_user USER DROP false -1 hive_test_user
+default authorization_part hive_test_user USER SELECT false -1 hive_test_user
+default authorization_part hive_test_user USER UPDATE false -1 hive_test_user
 PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20
 PREHOOK: type: QUERY
 PREHOOK: Input: default@authorization_part
@@ -301,17 +301,17 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on table authorization_part
 POSTHOOK: type: SHOW_GRANT
-default authorization_part hive_test_user USER Create false -1 hive_test_user
-default authorization_part hive_test_user USER Drop false -1 hive_test_user
-default authorization_part hive_test_user USER Update false -1 hive_test_user
+default authorization_part hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part hive_test_user USER DROP false -1 hive_test_user
+default authorization_part hive_test_user USER UPDATE false -1 hive_test_user
 PREHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010')
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010')
 POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] hive_test_user USER Create false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Drop false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Select false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Update false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER DROP false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER SELECT false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER UPDATE false -1 hive_test_user
 PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20
 PREHOOK: type: QUERY
 PREHOOK: Input: default@authorization_part
@@ -352,9 +352,9 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part parti
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010')
 POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] hive_test_user USER Create false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Drop false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Update false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER DROP false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER UPDATE false -1 hive_test_user
 PREHOOK: query: alter table authorization_part drop partition (ds='2010')
 PREHOOK: type: ALTERTABLE_DROPPARTS
 PREHOOK: Input: default@authorization_part
@@ -410,12 +410,12 @@ PREHOOK: query: show grant group hive_test_group1 on table authorization_part(ke
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant group hive_test_group1 on table authorization_part(key) partition (ds='2010')
 POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] key hive_test_group1 GROUP Select false -1 hive_test_user
+default authorization_part [2010] [key] hive_test_group1 GROUP SELECT false -1 hive_test_user
 PREHOOK: query: show grant group hive_test_group1 on table authorization_part(key)
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant group hive_test_group1 on table authorization_part(key)
 POSTHOOK: type: SHOW_GRANT
-default authorization_part key hive_test_group1 GROUP Select false -1 hive_test_user
+default authorization_part [key] hive_test_group1 GROUP SELECT false -1 hive_test_user
 PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20
 PREHOOK: type: QUERY
 PREHOOK: Input: default@authorization_part
@@ -460,7 +460,7 @@ PREHOOK: query: show grant group hive_test_group1 on table authorization_part(ke
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant group hive_test_group1 on table authorization_part(key) partition (ds='2010')
 POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] key hive_test_group1 GROUP Select false -1 hive_test_user
+default authorization_part [2010] [key] hive_test_group1 GROUP SELECT false -1 hive_test_user
 PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20
 PREHOOK: type: QUERY
 PREHOOK: Input: default@authorization_part
@@ -554,12 +554,12 @@ PREHOOK: query: show grant group hive_test_group1 on table authorization_part pa
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant group hive_test_group1 on table authorization_part partition (ds='2010')
 POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] hive_test_group1 GROUP Select false -1 hive_test_user
+default authorization_part [2010] hive_test_group1 GROUP SELECT false -1 hive_test_user
 PREHOOK: query: show grant group hive_test_group1 on table authorization_part
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant group hive_test_group1 on table authorization_part
 POSTHOOK: type: SHOW_GRANT
-default authorization_part hive_test_group1 GROUP Select false -1 hive_test_user
+default authorization_part hive_test_group1 GROUP SELECT false -1 hive_test_user
 PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20
 PREHOOK: type: QUERY
 PREHOOK: Input: default@authorization_part
@@ -604,7 +604,7 @@ PREHOOK: query: show grant group hive_test_group1 on table authorization_part pa
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant group hive_test_group1 on table authorization_part partition (ds='2010')
 POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] hive_test_group1 GROUP Select false -1 hive_test_user
+default authorization_part [2010] hive_test_group1 GROUP SELECT false -1 hive_test_user
 PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20
 PREHOOK: type: QUERY
 PREHOOK: Input: default@authorization_part
diff --git a/ql/src/test/results/clientpositive/authorization_3.q.out b/ql/src/test/results/clientpositive/authorization_3.q.out
index 834909c..8de1daf 100644
--- a/ql/src/test/results/clientpositive/authorization_3.q.out
+++ b/ql/src/test/results/clientpositive/authorization_3.q.out
@@ -25,8 +25,8 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on table src_autho_test
 POSTHOOK: type: SHOW_GRANT
-default src_autho_test hive_test_user USER Drop false -1 hive_test_user
-default src_autho_test hive_test_user USER Select false -1 hive_test_user
+default src_autho_test hive_test_user USER DROP false -1 hive_test_user
+default src_autho_test hive_test_user USER SELECT false -1 hive_test_user
 PREHOOK: query: revoke select on table src_autho_test from user hive_test_user
 PREHOOK: type: REVOKE_PRIVILEGE
 PREHOOK: Output: default@src_autho_test
@@ -49,8 +49,8 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on table src_autho_test
 POSTHOOK: type: SHOW_GRANT
-default src_autho_test hive_test_user USER Drop false -1 hive_test_user
-default src_autho_test hive_test_user USER Select false -1 hive_test_user
+default src_autho_test hive_test_user USER DROP false -1 hive_test_user
+default src_autho_test hive_test_user USER SELECT false -1 hive_test_user
 PREHOOK: query: revoke drop,select on table src_autho_test from user hive_test_user
 PREHOOK: type: REVOKE_PRIVILEGE
 PREHOOK: Output: default@src_autho_test
@@ -67,7 +67,7 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on table src_autho_test
 POSTHOOK: type: SHOW_GRANT
-default src_autho_test hive_test_user USER Drop false -1 hive_test_user
+default src_autho_test hive_test_user USER DROP false -1 hive_test_user
 PREHOOK: query: revoke drop,select(key), select(value) on table src_autho_test from user hive_test_user
 PREHOOK: type: REVOKE_PRIVILEGE
 PREHOOK: Output: default@src_autho_test
diff --git a/ql/src/test/results/clientpositive/authorization_4.q.out b/ql/src/test/results/clientpositive/authorization_4.q.out
index 1b745d8..881c128 100644
--- a/ql/src/test/results/clientpositive/authorization_4.q.out
+++ b/ql/src/test/results/clientpositive/authorization_4.q.out
@@ -19,7 +19,7 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on table src_autho_test
 POSTHOOK: type: SHOW_GRANT
-default src_autho_test hive_test_user USER All false -1 hive_test_user
+default src_autho_test hive_test_user USER ALL false -1 hive_test_user
 PREHOOK: query: select key from src_autho_test order by key limit 20
 PREHOOK: type: QUERY
 PREHOOK: Input: default@src_autho_test
diff --git a/ql/src/test/results/clientpositive/authorization_5.q.out b/ql/src/test/results/clientpositive/authorization_5.q.out
index 6f75dd1..7da3d70 100644
--- a/ql/src/test/results/clientpositive/authorization_5.q.out
+++ b/ql/src/test/results/clientpositive/authorization_5.q.out
@@ -24,8 +24,8 @@ PREHOOK: query: SHOW GRANT USER hive_test_user ON DATABASE test_db
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: SHOW GRANT USER hive_test_user ON DATABASE test_db
 POSTHOOK: type: SHOW_GRANT
-test_db hive_test_user USER Drop false -1 hive_test_user
-test_db hive_test_user USER Select false -1 hive_test_user
+test_db hive_test_user USER DROP false -1 hive_test_user
+test_db hive_test_user USER SELECT false -1 hive_test_user
 PREHOOK: query: CREATE ROLE db_test_role
 PREHOOK: type: CREATEROLE
 POSTHOOK: query: CREATE ROLE db_test_role
@@ -52,8 +52,8 @@ PREHOOK: query: SHOW GRANT ROLE db_test_role ON DATABASE test_db
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: SHOW GRANT ROLE db_test_role ON DATABASE test_db
 POSTHOOK: type: SHOW_GRANT
-test_db db_test_role ROLE Drop false -1 hive_test_user
-test_db db_test_role ROLE Select false -1 hive_test_user
+test_db db_test_role ROLE DROP false -1 hive_test_user
+test_db db_test_role ROLE SELECT false -1 hive_test_user
 PREHOOK: query: DROP DATABASE IF EXISTS test_db
 PREHOOK: type: DROPDATABASE
 PREHOOK: Input: database:test_db
diff --git a/ql/src/test/results/clientpositive/authorization_6.q.out b/ql/src/test/results/clientpositive/authorization_6.q.out
index b7bccd0..d931eac 100644
--- a/ql/src/test/results/clientpositive/authorization_6.q.out
+++ b/ql/src/test/results/clientpositive/authorization_6.q.out
@@ -54,9 +54,9 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on table authorization_part
 POSTHOOK: type: SHOW_GRANT
-default authorization_part hive_test_user USER Create false -1 hive_test_user
-default authorization_part hive_test_user USER Drop false -1 hive_test_user
-default authorization_part hive_test_user USER Update false -1 hive_test_user
+default authorization_part hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part hive_test_user USER DROP false -1 hive_test_user
+default authorization_part hive_test_user USER UPDATE false -1 hive_test_user
 PREHOOK: query: grant select(key) on table authorization_part to user hive_test_user
 PREHOOK: type: GRANT_PRIVILEGE
 PREHOOK: Output: default@authorization_part
@@ -87,17 +87,17 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part(key)
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) partition (ds='2010')
 POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] key hive_test_user USER Select false -1 hive_test_user
+default authorization_part [2010] [key] hive_test_user USER SELECT false -1 hive_test_user
 PREHOOK: query: show grant user hive_test_user on table authorization_part(key) partition (ds='2011')
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) partition (ds='2011')
 POSTHOOK: type: SHOW_GRANT
-default authorization_part [2011] key hive_test_user USER Select false -1 hive_test_user
+default authorization_part [2011] [key] hive_test_user USER SELECT false -1 hive_test_user
 PREHOOK: query: show grant user hive_test_user on table authorization_part(key)
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on table authorization_part(key)
 POSTHOOK: type: SHOW_GRANT
-default authorization_part key hive_test_user USER Select false -1 hive_test_user
+default authorization_part [key] hive_test_user USER SELECT false -1 hive_test_user
 PREHOOK: query: select key from authorization_part where ds>='2010' order by key limit 20
 PREHOOK: type: QUERY
 PREHOOK: Input: default@authorization_part
@@ -169,8 +169,8 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on table authorization_part
 POSTHOOK: type: SHOW_GRANT
-default authorization_part hive_test_user USER Create false -1 hive_test_user
-default authorization_part hive_test_user USER Update false -1 hive_test_user
+default authorization_part hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part hive_test_user USER UPDATE false -1 hive_test_user
 PREHOOK: query: grant select(key) on table authorization_part to user hive_test_user
 PREHOOK: type: GRANT_PRIVILEGE
 PREHOOK: Output: default@authorization_part
@@ -209,7 +209,7 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part(key)
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on table authorization_part(key)
 POSTHOOK: type: SHOW_GRANT
-default authorization_part key hive_test_user USER Select false -1 hive_test_user
+default authorization_part [key] hive_test_user USER SELECT false -1 hive_test_user
 PREHOOK: query: select key from authorization_part where ds>='2010' order by key limit 20
 PREHOOK: type: QUERY
 PREHOOK: Input: default@authorization_part
diff --git a/ql/src/test/results/clientpositive/authorization_9.q.out b/ql/src/test/results/clientpositive/authorization_9.q.out
index d03682c..b3eb7a0 100644
--- a/ql/src/test/results/clientpositive/authorization_9.q.out
+++ b/ql/src/test/results/clientpositive/authorization_9.q.out
@@ -29,20 +29,20 @@ PREHOOK: query: show grant user hive_test_user on database default
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on database default
 POSTHOOK: type: SHOW_GRANT
-default hive_test_user USER Select false -1 hive_test_user
+default hive_test_user USER SELECT false -1 hive_test_user
 PREHOOK: query: show grant user hive_test_user on table dummy
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on table dummy
 POSTHOOK: type: SHOW_GRANT
-default dummy hive_test_user USER Select false -1 hive_test_user
+default dummy hive_test_user USER SELECT false -1 hive_test_user
 PREHOOK: query: show grant user hive_test_user on all
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test_user on all
 POSTHOOK: type: SHOW_GRANT
-default hive_test_user USER Select false -1 hive_test_user
-default dummy hive_test_user USER Select false -1 hive_test_user
-default dummy key hive_test_user USER Select false -1 hive_test_user
-default dummy value hive_test_user USER Select false -1 hive_test_user
+default hive_test_user USER SELECT false -1 hive_test_user
+default dummy hive_test_user USER SELECT false -1 hive_test_user
+default dummy [key] hive_test_user USER SELECT false -1 hive_test_user
+default dummy [value] hive_test_user USER SELECT false -1 hive_test_user
 PREHOOK: query: grant select on database default to user hive_test_user2
 PREHOOK: type: GRANT_PRIVILEGE
 POSTHOOK: query: grant select on database default to user hive_test_user2
@@ -63,15 +63,15 @@ PREHOOK: query: show grant on all
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant on all
 POSTHOOK: type: SHOW_GRANT
- admin ROLE All true -1 admin
-default hive_test_user USER Select false -1 hive_test_user
-default hive_test_user2 USER Select false -1 hive_test_user
-default dummy hive_test_user USER Select false -1 hive_test_user
-default dummy hive_test_user2 USER Select false -1 hive_test_user
-default dummy key hive_test_user USER Select false -1 hive_test_user
-default dummy key hive_test_user2 USER Select false -1 hive_test_user
-default dummy value hive_test_user USER Select false -1 hive_test_user
-default dummy value hive_test_user2 USER Select false -1 hive_test_user
+ admin ROLE ALL true -1 admin
+default hive_test_user USER SELECT false -1 hive_test_user
+default hive_test_user2 USER SELECT false -1 hive_test_user
+default dummy hive_test_user USER SELECT false -1 hive_test_user
+default dummy hive_test_user2 USER SELECT false -1 hive_test_user
+default dummy [key] hive_test_user USER SELECT false -1 hive_test_user
+default dummy [key] hive_test_user2 USER SELECT false -1 hive_test_user
+default dummy [value] hive_test_user USER SELECT false -1 hive_test_user
+default dummy [value] hive_test_user2 USER SELECT false -1 hive_test_user
 PREHOOK: query: revoke select on database default from user hive_test_user
 PREHOOK: type: REVOKE_PRIVILEGE
 POSTHOOK: query: revoke select on database default from user hive_test_user
diff --git a/ql/src/test/results/clientpositive/authorization_show_role_principals_v1.q.out b/ql/src/test/results/clientpositive/authorization_show_role_principals_v1.q.out
new file mode 100644
index 0000000..7c87e2c
--- /dev/null
+++ b/ql/src/test/results/clientpositive/authorization_show_role_principals_v1.q.out
@@ -0,0 +1,30 @@
+PREHOOK: query: create role role1
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: create role role1
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: grant role1 to user user1 with admin option
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant role1 to user user1 with admin option
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: grant role1 to user user2 with admin option
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant role1 to user user2 with admin option
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: show role grant user user1
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user user1
+POSTHOOK: type: SHOW_ROLE_GRANT
+public false -1
+role1 true -1 hive_test_user
+PREHOOK: query: show role grant user user2
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user user2
+POSTHOOK: type: SHOW_ROLE_GRANT
+public false -1
+role1 true -1 hive_test_user
+PREHOOK: query: show principals role1
+PREHOOK: type: SHOW_ROLE_PRINCIPALS
+POSTHOOK: query: show principals role1
+POSTHOOK: type: SHOW_ROLE_PRINCIPALS
+user1 USER true hive_test_user USER -1
+user2 USER true hive_test_user USER -1
diff --git a/ql/src/test/results/clientpositive/keyword_1.q.out b/ql/src/test/results/clientpositive/keyword_1.q.out
index 84bb2d0..55c6701 100644
--- a/ql/src/test/results/clientpositive/keyword_1.q.out
+++ b/ql/src/test/results/clientpositive/keyword_1.q.out
@@ -52,7 +52,7 @@ PREHOOK: query: show grant user hive_test on table test_user
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test on table test_user
 POSTHOOK: type: SHOW_GRANT
-default test_user hive_test USER Select false -1 hive_test_user
+default test_user hive_test USER SELECT false -1 hive_test_user
 PREHOOK: query: drop table test_user
 PREHOOK: type: DROPTABLE
 PREHOOK: Input: default@test_user
@@ -111,7 +111,7 @@ PREHOOK: query: show grant user hive_test on table test_user
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user hive_test on table test_user
 POSTHOOK: type: SHOW_GRANT
-default test_user hive_test USER Select false -1 hive_test_user
+default test_user hive_test USER SELECT false -1 hive_test_user
 PREHOOK: query: drop table test_user
 PREHOOK: type: DROPTABLE
 PREHOOK: Input: default@test_user
diff --git a/ql/src/test/results/clientpositive/show_roles.q.out b/ql/src/test/results/clientpositive/show_roles.q.out
index f90bba0..c3c8c6d 100644
--- a/ql/src/test/results/clientpositive/show_roles.q.out
+++ b/ql/src/test/results/clientpositive/show_roles.q.out
@@ -14,3 +14,4 @@ admin
 public
 role1
 role2
+