diff --git a/conf/hive-default.xml.template b/conf/hive-default.xml.template
index 653f5cc..ba922d0 100644
--- a/conf/hive-default.xml.template
+++ b/conf/hive-default.xml.template
@@ -1711,6 +1711,11 @@
+ hive.optimize.null.scan
+ true
+ Dont scan relations which are guaranteed to not generate any rows
+
+
hive.optimize.ppd.storage
true
Whether to push predicates down to storage handlers
diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/jdbc/TestJdbcDriver.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/jdbc/TestJdbcDriver.java
index e8daad6..fa8c43b 100644
--- a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/jdbc/TestJdbcDriver.java
+++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/jdbc/TestJdbcDriver.java
@@ -18,8 +18,8 @@
package org.apache.hadoop.hive.jdbc;
-import static org.apache.hadoop.hive.ql.exec.ExplainTask.EXPL_COLUMN_NAME;
import static org.apache.hadoop.hive.conf.SystemVariables.SET_COLUMN_NAME;
+import static org.apache.hadoop.hive.ql.exec.ExplainTask.EXPL_COLUMN_NAME;
import java.sql.Connection;
import java.sql.DatabaseMetaData;
@@ -1158,7 +1158,7 @@ public void testShowGrant() throws SQLException {
assertEquals("", res.getString(4)); // column
assertEquals("hive_test_user", res.getString(5));
assertEquals("USER", res.getString(6));
- assertEquals("Select", res.getString(7));
+ assertEquals("SELECT", res.getString(7));
assertEquals(false, res.getBoolean(8)); // grant option
assertEquals(-1, res.getLong(9));
assertNotNull(res.getString(10)); // grantor
diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java
index 9388a09..526f3dc 100644
--- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java
+++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java
@@ -18,8 +18,8 @@
package org.apache.hive.jdbc;
-import static org.apache.hadoop.hive.ql.exec.ExplainTask.EXPL_COLUMN_NAME;
import static org.apache.hadoop.hive.conf.SystemVariables.SET_COLUMN_NAME;
+import static org.apache.hadoop.hive.ql.exec.ExplainTask.EXPL_COLUMN_NAME;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
@@ -53,7 +53,6 @@
import org.apache.hadoop.hive.metastore.TableType;
import org.apache.hadoop.hive.ql.exec.UDF;
import org.apache.hadoop.hive.ql.processors.DfsProcessor;
-import org.apache.hadoop.hive.ql.processors.SetProcessor;
import org.apache.hive.common.util.HiveVersionInfo;
import org.apache.hive.jdbc.Utils.JdbcConnectionParams;
import org.apache.hive.service.cli.operation.ClassicTableTypeMapping;
@@ -1997,7 +1996,7 @@ public void testShowGrant() throws SQLException {
assertEquals("", res.getString(4)); // column
assertEquals("hive_test_user", res.getString(5));
assertEquals("USER", res.getString(6));
- assertEquals("Select", res.getString(7));
+ assertEquals("SELECT", res.getString(7));
assertEquals(false, res.getBoolean(8)); // grant option
assertEquals(-1, res.getLong(9));
assertNotNull(res.getString(10)); // grantor
diff --git a/metastore/src/java/org/apache/hadoop/hive/metastore/Warehouse.java b/metastore/src/java/org/apache/hadoop/hive/metastore/Warehouse.java
index 82b871b..74b1432 100755
--- a/metastore/src/java/org/apache/hadoop/hive/metastore/Warehouse.java
+++ b/metastore/src/java/org/apache/hadoop/hive/metastore/Warehouse.java
@@ -89,8 +89,7 @@ private MetaStoreFS getMetaStoreFsHandler(Configuration conf)
try {
Class extends MetaStoreFS> handlerClass = (Class extends MetaStoreFS>) Class
.forName(handlerClassStr, true, JavaUtils.getClassLoader());
- MetaStoreFS handler = (MetaStoreFS) ReflectionUtils.newInstance(
- handlerClass, conf);
+ MetaStoreFS handler = ReflectionUtils.newInstance(handlerClass, conf);
return handler;
} catch (ClassNotFoundException e) {
throw new MetaException("Error in loading MetaStoreFS handler."
@@ -563,4 +562,12 @@ public static String makePartName(List partCols,
return values;
}
+ public static Map makeSpecFromValues(List partCols,
+ List values) {
+ Map spec = new LinkedHashMap();
+ for (int i = 0; i < values.size(); i++) {
+ spec.put(partCols.get(i).getName(), values.get(i));
+ }
+ return spec;
+ }
}
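Review bot: `makeSpecFromValues` bounds its loop by `values.size()` but indexes `partCols.get(i)`, so a values list longer than the partition-column list fails with a bare IndexOutOfBoundsException from deep inside the helper. An explicit guard at the top, such as `if (values.size() > partCols.size()) throw new IllegalArgumentException("more partition values than partition columns");`, would make the contract clear. The method also needs a short Javadoc stating whether a shorter (prefix) values list is intentionally accepted and that the returned map keeps partition-column order.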
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/ErrorMsg.java b/ql/src/java/org/apache/hadoop/hive/ql/ErrorMsg.java
index 9889cfe..4246d68 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/ErrorMsg.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/ErrorMsg.java
@@ -371,10 +371,14 @@
INVALID_DIR(10252, "{0} is not a directory", true),
NO_VALID_LOCATIONS(10253, "Could not find any valid location to place the jars. " +
"Please update hive.jar.directory or hive.user.install.directory with a valid location", false),
- UNNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP(10254,
+ UNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP(10254,
"Principal type GROUP is not supported in this authorization setting", "28000"),
INVALID_TABLE_NAME(10255, "Invalid table name {0}", true),
INSERT_INTO_IMMUTABLE_TABLE(10256, "Inserting into a non-empty immutable table is not allowed"),
+ UNSUPPORTED_AUTHORIZATION_RESOURCE_TYPE_GLOBAL(10257,
+ "Resource type GLOBAL is not supported in this authorization setting", "28000"),
+ UNSUPPORTED_AUTHORIZATION_RESOURCE_TYPE_COLUMN(10258,
+ "Resource type COLUMN is not supported in this authorization setting", "28000"),
TXNMGR_NOT_SPECIFIED(10260, "Transaction manager not specified correctly, " +
"set hive.txn.manager"),
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java
index 40ec4e5..c80a2a3 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java
@@ -66,17 +66,12 @@
import org.apache.hadoop.hive.metastore.api.Database;
import org.apache.hadoop.hive.metastore.api.FieldSchema;
import org.apache.hadoop.hive.metastore.api.GetOpenTxnsInfoResponse;
-import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
-import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
-import org.apache.hadoop.hive.metastore.api.HiveObjectType;
import org.apache.hadoop.hive.metastore.api.Index;
import org.apache.hadoop.hive.metastore.api.InvalidOperationException;
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
import org.apache.hadoop.hive.metastore.api.Order;
import org.apache.hadoop.hive.metastore.api.PrincipalType;
-import org.apache.hadoop.hive.metastore.api.PrivilegeBag;
-import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
import org.apache.hadoop.hive.metastore.api.RolePrincipalGrant;
import org.apache.hadoop.hive.metastore.api.SerDeInfo;
import org.apache.hadoop.hive.metastore.api.ShowCompactResponse;
@@ -169,15 +164,13 @@
import org.apache.hadoop.hive.ql.plan.UnlockTableDesc;
import org.apache.hadoop.hive.ql.plan.api.StageType;
import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils;
-import org.apache.hadoop.hive.ql.security.authorization.Privilege;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveV1Authorizer;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.hadoop.hive.serde.serdeConstants;
import org.apache.hadoop.hive.serde2.Deserializer;
@@ -493,14 +486,21 @@ public int execute(DriverContext driverContext) {
return exchangeTablePartition(db, alterTableExchangePartition);
}
} catch (Throwable e) {
- setException(e);
- LOG.error(stringifyException(e));
+ failed(e);
return 1;
}
assert false;
return 0;
}
+ private void failed(Throwable e) {
+ while (e.getCause() != null && e.getClass() == RuntimeException.class) {
+ e = e.getCause();
+ }
+ setException(e);
+ LOG.error(stringifyException(e));
+ }
+
private int showConf(Hive db, ShowConfDesc showConf) throws Exception {
ConfVars conf = HiveConf.getConfVars(showConf.getConfName());
if (conf == null) {
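Review bot: `failed()` replaces `e` with its innermost non-wrapper cause before calling `LOG.error(stringifyException(e))`, so the wrapper's message and stack frames never reach the log. For failed authorization DDL that log line may be the only record of where the call was wrapped. Keep the original for logging, e.g. `Throwable original = e;` before the loop and `LOG.error(stringifyException(original));` after `setException(e);`. A one-line comment explaining why only an exact `RuntimeException` (and not subclasses) is unwrapped would also help the next reader.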
@@ -564,187 +564,46 @@ private int mergeFiles(Hive db, AlterTablePartMergeFilesDesc mergeFilesDesc)
return ret;
}
- private int grantOrRevokeRole(GrantRevokeRoleDDL grantOrRevokeRoleDDL)
- throws HiveException {
- try {
- boolean grantRole = grantOrRevokeRoleDDL.getGrant();
- List principals = grantOrRevokeRoleDDL.getPrincipalDesc();
- List roles = grantOrRevokeRoleDDL.getRoles();
-
- if(SessionState.get().isAuthorizationModeV2()){
- return grantOrRevokeRoleV2(grantOrRevokeRoleDDL);
- }
-
- for (PrincipalDesc principal : principals) {
- String userName = principal.getName();
- for (String roleName : roles) {
- if (grantRole) {
- db.grantRole(roleName, userName, principal.getType(),
- grantOrRevokeRoleDDL.getGrantor(), grantOrRevokeRoleDDL
- .getGrantorType(), grantOrRevokeRoleDDL.isGrantOption());
- } else {
- db.revokeRole(roleName, userName, principal.getType(),
- grantOrRevokeRoleDDL.isGrantOption());
- }
- }
- }
- } catch (Exception e) {
- throw new HiveException(e);
+ private HiveAuthorizer getSessionAuthorizer() {
+ HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2();
+ if (authorizer == null) {
+ authorizer = new HiveV1Authorizer(conf, db);
}
- return 0;
+ return authorizer;
}
- private int grantOrRevokeRoleV2(GrantRevokeRoleDDL grantOrRevokeRoleDDL) throws HiveException {
- HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2();
+ private int grantOrRevokeRole(GrantRevokeRoleDDL grantOrRevokeRoleDDL)
+ throws HiveException {
+ HiveAuthorizer authorizer = getSessionAuthorizer();
//convert to the types needed for plugin api
HivePrincipal grantorPrinc = null;
if(grantOrRevokeRoleDDL.getGrantor() != null){
grantorPrinc = new HivePrincipal(grantOrRevokeRoleDDL.getGrantor(),
- getHivePrincipalType(grantOrRevokeRoleDDL.getGrantorType()));
+ AuthorizationUtils.getHivePrincipalType(grantOrRevokeRoleDDL.getGrantorType()));
}
- List hivePrincipals = getHivePrincipals(grantOrRevokeRoleDDL.getPrincipalDesc());
+ List principals =
+ AuthorizationUtils.getHivePrincipals(grantOrRevokeRoleDDL.getPrincipalDesc());
List roles = grantOrRevokeRoleDDL.getRoles();
- if(grantOrRevokeRoleDDL.getGrant()){
- authorizer.grantRole(hivePrincipals, roles,
- grantOrRevokeRoleDDL.isGrantOption(), grantorPrinc);
- }
- else{
- authorizer.revokeRole(hivePrincipals, roles,
- grantOrRevokeRoleDDL.isGrantOption(), grantorPrinc);
+ boolean grantOption = grantOrRevokeRoleDDL.isGrantOption();
+ if (grantOrRevokeRoleDDL.getGrant()) {
+ authorizer.grantRole(principals, roles, grantOption, grantorPrinc);
+ } else {
+ authorizer.revokeRole(principals, roles, grantOption, grantorPrinc);
}
return 0;
}
private int showGrants(ShowGrantDesc showGrantDesc) throws HiveException {
- if(SessionState.get().isAuthorizationModeV2()){
- return showGrantsV2(showGrantDesc);
- }
-
- PrincipalDesc principalDesc = showGrantDesc.getPrincipalDesc();
- PrivilegeObjectDesc hiveObjectDesc = showGrantDesc.getHiveObj();
- String principalName = principalDesc == null ? null : principalDesc.getName();
- PrincipalType type = principalDesc == null ? null : principalDesc.getType();
- List privs = new ArrayList();
- try {
- if (hiveObjectDesc == null) {
- privs.addAll(db.showPrivilegeGrant(HiveObjectType.GLOBAL, principalName, type,
- null, null, null, null));
- } else if (hiveObjectDesc != null && hiveObjectDesc.getObject() == null) {
- privs.addAll(db.showPrivilegeGrant(null, principalName, type, null, null, null, null));
- } else {
- String obj = hiveObjectDesc.getObject();
- boolean notFound = true;
- String dbName = null;
- String tableName = null;
- Table tableObj = null;
- Database dbObj = null;
-
- if (hiveObjectDesc.getTable()) {
- String[] dbTab = splitTableName(obj);
- dbName = dbTab[0];
- tableName = dbTab[1];
- dbObj = db.getDatabase(dbName);
- tableObj = db.getTable(dbName, tableName);
- notFound = (dbObj == null || tableObj == null);
- } else {
- dbName = hiveObjectDesc.getObject();
- dbObj = db.getDatabase(dbName);
- notFound = (dbObj == null);
- }
- if (notFound) {
- throw new HiveException(obj + " can not be found");
- }
-
- String partName = null;
- List partValues = null;
- if (hiveObjectDesc.getPartSpec() != null) {
- partName = Warehouse
- .makePartName(hiveObjectDesc.getPartSpec(), false);
- partValues = Warehouse.getPartValuesFromPartName(partName);
- }
-
- if (!hiveObjectDesc.getTable()) {
- // show database level privileges
- privs.addAll(db.showPrivilegeGrant(HiveObjectType.DATABASE,
- principalName, type, dbName, null, null, null));
- } else {
- if (showGrantDesc.getColumns() != null) {
- // show column level privileges
- for (String columnName : showGrantDesc.getColumns()) {
- privs.addAll(db.showPrivilegeGrant(
- HiveObjectType.COLUMN, principalName,
- type, dbName, tableName, partValues,
- columnName));
- }
- } else if (hiveObjectDesc.getPartSpec() != null) {
- // show partition level privileges
- privs.addAll(db.showPrivilegeGrant(
- HiveObjectType.PARTITION, principalName, type,
- dbName, tableName, partValues, null));
- } else {
- // show table level privileges
- privs.addAll(db.showPrivilegeGrant(
- HiveObjectType.TABLE, principalName, type,
- dbName, tableName, null, null));
- }
- }
- }
- boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST);
- writeToFile(writeGrantInfo(privs, testMode), showGrantDesc.getResFile());
- } catch (FileNotFoundException e) {
- LOG.info("show table status: " + stringifyException(e));
- return 1;
- } catch (IOException e) {
- LOG.info("show table status: " + stringifyException(e));
- return 1;
- } catch (Exception e) {
- e.printStackTrace();
- throw new HiveException(e);
- }
- return 0;
- }
-
- private static String[] splitTableName(String fullName) {
- String[] dbTab = fullName.split("\\.");
- String[] result = new String[2];
- if (dbTab.length == 2) {
- result[0] = dbTab[0];
- result[1] = dbTab[1];
- } else {
- result[0] = SessionState.get().getCurrentDatabase();
- result[1] = fullName;
- }
- return result;
- }
-
- private int showGrantsV2(ShowGrantDesc showGrantDesc) throws HiveException {
- HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2();
+ HiveAuthorizer authorizer = getSessionAuthorizer();
try {
List privInfos = authorizer.showPrivileges(
- getHivePrincipal(showGrantDesc.getPrincipalDesc()),
- getHivePrivilegeObject(showGrantDesc.getHiveObj())
- );
- List privList = new ArrayList();
- for(HivePrivilegeInfo privInfo : privInfos){
- HivePrincipal principal = privInfo.getPrincipal();
- HivePrivilegeObject privObj = privInfo.getObject();
- HivePrivilege priv = privInfo.getPrivilege();
-
- PrivilegeGrantInfo grantInfo =
- AuthorizationUtils.getThriftPrivilegeGrantInfo(priv, privInfo.getGrantorPrincipal(),
- privInfo.isGrantOption(), privInfo.getGrantTime());
-
- //only grantInfo is used
- HiveObjectPrivilege thriftObjectPriv = new HiveObjectPrivilege(new HiveObjectRef(
- AuthorizationUtils.getThriftHiveObjType(privObj.getType()),privObj.getDbname(),
- privObj.getTableViewURI(),null,null), principal.getName(),
- AuthorizationUtils.getThriftPrincipalType(principal.getType()), grantInfo);
- privList.add(thriftObjectPriv);
- }
+ AuthorizationUtils.getHivePrincipal(showGrantDesc.getPrincipalDesc()),
+ AuthorizationUtils.getHivePrivilegeObject(showGrantDesc.getHiveObj(),
+ showGrantDesc.getColumns()));
boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST);
- writeToFile(writeGrantInfo(privList, testMode), showGrantDesc.getResFile());
+ writeToFile(writeGrantInfo(privInfos, testMode), showGrantDesc.getResFile());
} catch (IOException e) {
throw new HiveException("Error in show grant statement", e);
}
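Review bot: `getSessionAuthorizer()` falls back to `new HiveV1Authorizer(conf, db)` whenever `getAuthorizerV2()` returns null, so "the session is in V1 mode" and "V2 is configured but no authorizer is present" become indistinguishable. The removed code branched on `SessionState.get().isAuthorizationModeV2()`. If a null V2 authorizer can occur in V2 mode (not visible from this hunk), grant, revoke and show-grant statements would silently run under the legacy model instead of failing. Consider failing closed before the fallback, e.g. `if (authorizer == null && SessionState.get().isAuthorizationModeV2()) throw new HiveException("V2 authorizer not initialized");` with `throws HiveException` added to the helper. Also document that a fresh V1 adapter is created on every call.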
@@ -756,156 +615,15 @@ private int grantOrRevokePrivileges(List principals,
String grantor, PrincipalType grantorType, boolean grantOption, boolean isGrant)
throws HiveException {
- if(SessionState.get().isAuthorizationModeV2()){
- return grantOrRevokePrivilegesV2(principals, privileges, privSubjectDesc, grantor,
- grantorType, grantOption, isGrant);
- }
-
- if (privileges == null || privileges.size() == 0) {
- console.printError("No privilege found.");
- return 1;
- }
-
- String dbName = null;
- String tableName = null;
- Table tableObj = null;
- Database dbObj = null;
-
- try {
-
- if (privSubjectDesc != null) {
- if (privSubjectDesc.getPartSpec() != null && isGrant) {
- throw new HiveException("Grant does not support partition level.");
- }
- String obj = privSubjectDesc.getObject();
-
- //get the db, table objects
- if (privSubjectDesc.getTable()) {
- String[] dbTable = Utilities.getDbTableName(obj);
- dbName = dbTable[0];
- tableName = dbTable[1];
-
- dbObj = db.getDatabase(dbName);
- if (dbObj == null) {
- throwNotFound("Database", dbName);
- }
- tableObj = db.getTable(dbName, tableName);
- if (tableObj == null) {
- throwNotFound("Table", obj);
- }
- } else {
- dbName = privSubjectDesc.getObject();
- dbObj = db.getDatabase(dbName);
- if (dbObj == null) {
- throwNotFound("Database", dbName);
- }
- }
- }
-
- PrivilegeBag privBag = new PrivilegeBag();
- if (privSubjectDesc == null) {
- for (int idx = 0; idx < privileges.size(); idx++) {
- Privilege priv = privileges.get(idx).getPrivilege();
- if (privileges.get(idx).getColumns() != null
- && privileges.get(idx).getColumns().size() > 0) {
- throw new HiveException(
- "For user-level privileges, column sets should be null. columns="
- + privileges.get(idx).getColumns().toString());
- }
-
- privBag.addToPrivileges(new HiveObjectPrivilege(new HiveObjectRef(
- HiveObjectType.GLOBAL, null, null, null, null), null, null,
- new PrivilegeGrantInfo(priv.toString(), 0, grantor, grantorType,
- grantOption)));
- }
- } else {
- org.apache.hadoop.hive.metastore.api.Partition partObj = null;
- List partValues = null;
- if (tableObj != null) {
- if ((!tableObj.isPartitioned())
- && privSubjectDesc.getPartSpec() != null) {
- throw new HiveException(
- "Table is not partitioned, but partition name is present: partSpec="
- + privSubjectDesc.getPartSpec().toString());
- }
-
- if (privSubjectDesc.getPartSpec() != null) {
- partObj = db.getPartition(tableObj, privSubjectDesc.getPartSpec(),
- false).getTPartition();
- partValues = partObj.getValues();
- }
- }
-
- for (PrivilegeDesc privDesc : privileges) {
- List columns = privDesc.getColumns();
- Privilege priv = privDesc.getPrivilege();
- if (columns != null && columns.size() > 0) {
- if (!priv.supportColumnLevel()) {
- throw new HiveException(priv.toString()
- + " does not support column level.");
- }
- if (privSubjectDesc == null || tableName == null) {
- throw new HiveException(
- "For user-level/database-level privileges, column sets should be null. columns="
- + columns);
- }
- for (int i = 0; i < columns.size(); i++) {
- privBag.addToPrivileges(new HiveObjectPrivilege(
- new HiveObjectRef(HiveObjectType.COLUMN, dbName, tableName,
- partValues, columns.get(i)), null, null, new PrivilegeGrantInfo(priv.toString(), 0, grantor, grantorType, grantOption)));
- }
- } else {
- if (privSubjectDesc.getTable()) {
- if (privSubjectDesc.getPartSpec() != null) {
- privBag.addToPrivileges(new HiveObjectPrivilege(
- new HiveObjectRef(HiveObjectType.PARTITION, dbName,
- tableName, partValues, null), null, null, new PrivilegeGrantInfo(priv.toString(), 0, grantor, grantorType, grantOption)));
- } else {
- privBag
- .addToPrivileges(new HiveObjectPrivilege(
- new HiveObjectRef(HiveObjectType.TABLE, dbName,
- tableName, null, null), null, null, new PrivilegeGrantInfo(priv.toString(), 0, grantor, grantorType, grantOption)));
- }
- } else {
- privBag.addToPrivileges(new HiveObjectPrivilege(
- new HiveObjectRef(HiveObjectType.DATABASE, dbName, null,
- null, null), null, null, new PrivilegeGrantInfo(priv.toString(), 0, grantor, grantorType, grantOption)));
- }
- }
- }
- }
-
- for (PrincipalDesc principal : principals) {
- for (int i = 0; i < privBag.getPrivileges().size(); i++) {
- HiveObjectPrivilege objPrivs = privBag.getPrivileges().get(i);
- objPrivs.setPrincipalName(principal.getName());
- objPrivs.setPrincipalType(principal.getType());
- }
- if (isGrant) {
- db.grantPrivileges(privBag);
- } else {
- db.revokePrivileges(privBag, grantOption);
- }
-
- }
- } catch (Exception e) {
- console.printError("Error: " + e.getMessage());
- return 1;
- }
-
- return 0;
- }
-
- private int grantOrRevokePrivilegesV2(List principals,
- List privileges, PrivilegeObjectDesc privSubjectDesc, String grantor,
- PrincipalType grantorType, boolean grantOption, boolean isGrant) throws HiveException {
- HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2();
+ HiveAuthorizer authorizer = getSessionAuthorizer();
//Convert to object types used by the authorization plugin interface
- List hivePrincipals = getHivePrincipals(principals);
- List hivePrivileges = getHivePrivileges(privileges);
- HivePrivilegeObject hivePrivObject = getHivePrivilegeObject(privSubjectDesc);
- HivePrincipal grantorPrincipal = new HivePrincipal(grantor, getHivePrincipalType(grantorType));
+ List hivePrincipals = AuthorizationUtils.getHivePrincipals(principals);
+ List hivePrivileges = AuthorizationUtils.getHivePrivileges(privileges);
+ HivePrivilegeObject hivePrivObject = AuthorizationUtils.getHivePrivilegeObject(privSubjectDesc, null);
+
+ HivePrincipal grantorPrincipal = new HivePrincipal(
+ grantor, AuthorizationUtils.getHivePrincipalType(grantorType));
if(isGrant){
authorizer.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
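Review bot: `grantorPrincipal` is built unconditionally from `grantor`, whereas `grantOrRevokeRole` in this same file only constructs the grantor principal when `getGrantor() != null`. V1-mode statements now take this path too, so a statement without an explicit grantor may reach the authorizer as a `HivePrincipal` with a null name rather than a null principal. Mirror the role path: `HivePrincipal grantorPrincipal = grantor == null ? null : new HivePrincipal(grantor, AuthorizationUtils.getHivePrincipalType(grantorType));`. The removed V1 branch also rejected an empty privilege list and partition-level grants up front; it is worth confirming `HiveV1Authorizer` keeps those checks, since it is not shown here. The method starts before and continues past this hunk.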
@@ -918,123 +636,8 @@ private int grantOrRevokePrivilegesV2(List principals,
return 0;
}
- private HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc)
- throws HiveException {
- if(privSubjectDesc == null){
- return new HivePrivilegeObject(null, null, null);
- }
- String [] dbTable = Utilities.getDbTableName(privSubjectDesc.getObject());
- return new HivePrivilegeObject(getPrivObjectType(privSubjectDesc), dbTable[0], dbTable[1]);
- }
-
- private HivePrincipalType getHivePrincipalType(PrincipalType type) throws HiveException {
- if(type == null){
- return null;
- }
-
- switch(type){
- case USER:
- return HivePrincipalType.USER;
- case ROLE:
- return HivePrincipalType.ROLE;
- case GROUP:
- throw new HiveException(ErrorMsg.UNNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP);
- default:
- //should not happen as we take care of all existing types
- throw new AssertionError("Unsupported authorization type specified");
- }
- }
-
- private HivePrivilegeObjectType getPrivObjectType(PrivilegeObjectDesc privSubjectDesc) {
- if (privSubjectDesc.getObject() == null) {
- return null;
- }
- return privSubjectDesc.getTable() ? HivePrivilegeObjectType.TABLE_OR_VIEW : HivePrivilegeObjectType.DATABASE;
- }
-
- private List getHivePrivileges(List privileges) {
- List hivePrivileges = new ArrayList();
- for(PrivilegeDesc privilege : privileges){
- hivePrivileges.add(
- new HivePrivilege(privilege.getPrivilege().toString(), privilege.getColumns()));
- }
- return hivePrivileges;
- }
-
- private List getHivePrincipals(List principals) throws HiveException {
- ArrayList hivePrincipals = new ArrayList();
- for(PrincipalDesc principal : principals){
- hivePrincipals.add(getHivePrincipal(principal));
- }
- return hivePrincipals;
- }
-
- private HivePrincipal getHivePrincipal(PrincipalDesc principal) throws HiveException {
- if (principal == null) {
- return null;
- }
- return new HivePrincipal(principal.getName(),
- AuthorizationUtils.getHivePrincipalType(principal.getType()));
- }
-
- private void throwNotFound(String objType, String objName) throws HiveException {
- throw new HiveException(objType + " " + objName + " not found");
- }
-
- private int roleDDL(RoleDDLDesc roleDDLDesc) throws HiveException, IOException {
- if(SessionState.get().isAuthorizationModeV2()){
- return roleDDLV2(roleDDLDesc);
- }
-
- DataOutputStream outStream = null;
- RoleDDLDesc.RoleOperation operation = roleDDLDesc.getOperation();
- try {
- if (operation.equals(RoleDDLDesc.RoleOperation.CREATE_ROLE)) {
- db.createRole(roleDDLDesc.getName(), roleDDLDesc.getRoleOwnerName());
- } else if (operation.equals(RoleDDLDesc.RoleOperation.DROP_ROLE)) {
- db.dropRole(roleDDLDesc.getName());
- } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLE_GRANT)) {
- boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST);
- List roleGrants = db.getRoleGrantInfoForPrincipal(roleDDLDesc.getName(), roleDDLDesc.getPrincipalType());
- writeToFile(writeRoleGrantsInfo(roleGrants, testMode), roleDDLDesc.getResFile());
- } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLES)) {
- List roleNames = db.getAllRoleNames();
- //sort the list to get sorted (deterministic) output (for ease of testing)
- Collections.sort(roleNames);
- Path resFile = new Path(roleDDLDesc.getResFile());
- FileSystem fs = resFile.getFileSystem(conf);
- outStream = fs.create(resFile);
- for (String roleName : roleNames) {
- outStream.writeBytes(roleName);
- outStream.write(terminator);
- }
- outStream.close();
- outStream = null;
- } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLE_PRINCIPALS)) {
- throw new HiveException("Show role principals is not currently supported in "
- + "authorization mode V1");
- }
- else {
- throw new HiveException("Unkown role operation "
- + operation.getOperationName());
- }
- } catch (HiveException e) {
- console.printError("Error in role operation "
- + operation.getOperationName() + " on role name "
- + roleDDLDesc.getName() + ", error message " + e.getMessage());
- return 1;
- } catch (IOException e) {
- LOG.info("role ddl exception: " + stringifyException(e));
- return 1;
- } finally {
- IOUtils.closeStream(outStream);
- }
-
- return 0;
- }
-
- private int roleDDLV2(RoleDDLDesc roleDDLDesc) throws HiveException, IOException {
- HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2();
+ private int roleDDL(RoleDDLDesc roleDDLDesc) throws Exception {
+ HiveAuthorizer authorizer = getSessionAuthorizer();
RoleDDLDesc.RoleOperation operation = roleDDLDesc.getOperation();
//call the appropriate hive authorizer function
switch(operation){
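Review bot: `roleDDL` now declares `throws Exception`, where both methods it replaces declared `throws HiveException, IOException`. The wider clause hides which failures the role operations can actually raise and leaves everything to the `catch (Throwable e)` in `execute()`. If the authorizer calls in the switch only throw `HiveException` subclasses (the rest of the body is outside this hunk), keep the narrower signature: `private int roleDDL(RoleDDLDesc roleDDLDesc) throws HiveException, IOException {`.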
@@ -1047,7 +650,7 @@ private int roleDDLV2(RoleDDLDesc roleDDLDesc) throws HiveException, IOException
case SHOW_ROLE_GRANT:
boolean testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST);
List roles = authorizer.getRoleGrantInfoForPrincipal(
- new HivePrincipal(roleDDLDesc.getName(), getHivePrincipalType(roleDDLDesc.getPrincipalType())));
+ AuthorizationUtils.getHivePrincipal(roleDDLDesc.getName(), roleDDLDesc.getPrincipalType()));
writeToFile(writeRolesGrantedInfo(roles, testMode), roleDDLDesc.getResFile());
break;
case SHOW_ROLES:
@@ -2802,7 +2405,7 @@ public int compare(HiveLock o1, HiveLock o2) {
LOG.warn("show function: " + stringifyException(e));
return 1;
} catch (Exception e) {
- throw new HiveException(e.toString());
+ throw new HiveException(e.toString(), e);
} finally {
IOUtils.closeStream(outStream);
}
@@ -3491,7 +3094,7 @@ private int describeTable(Hive db, DescTableDesc descTbl) throws HiveException {
// when column name is specified in describe table DDL, colPath will
// will be table_name.column_name
String colName = colPath.split("\\.")[1];
- String[] dbTab = splitTableName(tableName);
+ String[] dbTab = Utilities.getDbTableName(tableName);
List colNames = new ArrayList();
colNames.add(colName.toLowerCase());
if (null == part) {
@@ -3541,28 +3144,41 @@ private static void fixDecimalColumnTypeName(List cols) {
}
}
- static String writeGrantInfo(List privileges, boolean testMode) {
+ static String writeGrantInfo(List privileges, boolean testMode) {
if (privileges == null || privileges.isEmpty()) {
return "";
}
StringBuilder builder = new StringBuilder();
//sort the list to get sorted (deterministic) output (for ease of testing)
- Collections.sort(privileges);
-
- for (HiveObjectPrivilege privilege : privileges) {
- HiveObjectRef resource = privilege.getHiveObject();
- PrivilegeGrantInfo grantInfo = privilege.getGrantInfo();
-
- appendNonNull(builder, resource.getDbName(), true);
- appendNonNull(builder, resource.getObjectName());
- appendNonNull(builder, resource.getPartValues());
- appendNonNull(builder, resource.getColumnName());
- appendNonNull(builder, privilege.getPrincipalName());
- appendNonNull(builder, privilege.getPrincipalType());
- appendNonNull(builder, grantInfo.getPrivilege());
- appendNonNull(builder, grantInfo.isGrantOption());
- appendNonNull(builder, testMode ? -1 : grantInfo.getCreateTime() * 1000L);
- appendNonNull(builder, grantInfo.getGrantor());
+ Collections.sort(privileges, new Comparator() {
+ @Override
+ public int compare(HivePrivilegeInfo o1, HivePrivilegeInfo o2) {
+ int compare = o1.getObject().compareTo(o2.getObject());
+ if (compare == 0) {
+ compare = o1.getPrincipal().compareTo(o2.getPrincipal());
+ }
+ if (compare == 0) {
+ compare = o1.getPrivilege().compareTo(o2.getPrivilege());
+ }
+ return compare;
+ }
+ });
+
+ for (HivePrivilegeInfo privilege : privileges) {
+ HivePrincipal principal = privilege.getPrincipal();
+ HivePrivilegeObject resource = privilege.getObject();
+ HivePrincipal grantor = privilege.getGrantorPrincipal();
+
+ appendNonNull(builder, resource.getDbname(), true);
+ appendNonNull(builder, resource.getTableViewURI());
+ appendNonNull(builder, resource.getPartKeys());
+ appendNonNull(builder, resource.getColumns());
+ appendNonNull(builder, principal.getName());
+ appendNonNull(builder, principal.getType());
+ appendNonNull(builder, privilege.getPrivilege().getName());
+ appendNonNull(builder, privilege.isGrantOption());
+ appendNonNull(builder, testMode ? -1 : privilege.getGrantTime() * 1000L);
+ appendNonNull(builder, grantor.getName());
}
return builder.toString();
}
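Review bot: `grantor.getName()` dereferences the result of `privilege.getGrantorPrincipal()` without a null check, so one grant record with no grantor would abort the whole SHOW GRANT output with a NullPointerException. The old code passed `grantInfo.getGrantor()` straight to `appendNonNull`, which by its name presumably tolerates null. Suggest `appendNonNull(builder, grantor == null ? null : grantor.getName());`. The comparator has the same exposure on `getObject()`, `getPrincipal()` and `getPrivilege()`. `Collections.sort(privileges, ...)` also sorts the authorizer's returned list in place, which fails if a plugin returns an unmodifiable list; sorting a copy (`new ArrayList<>(privileges)`) avoids depending on that.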
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/metadata/SessionHiveMetaStoreClient.java b/ql/src/java/org/apache/hadoop/hive/ql/metadata/SessionHiveMetaStoreClient.java
index 37b1669..d258bc6 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/metadata/SessionHiveMetaStoreClient.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/metadata/SessionHiveMetaStoreClient.java
@@ -12,10 +12,7 @@
import java.util.regex.Pattern;
import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.fs.FileSystem;
-import org.apache.hadoop.hive.common.FileUtils;
-import org.apache.hadoop.hive.conf.HiveConf;;
-import org.apache.hadoop.hive.metastore.HiveMetaHook;
+import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.HiveMetaHookLoader;
import org.apache.hadoop.hive.metastore.HiveMetaStoreClient;
import org.apache.hadoop.hive.metastore.IMetaStoreClient;
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java
index 604c39d..e86442a 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java
@@ -18,22 +18,32 @@
package org.apache.hadoop.hive.ql.security.authorization;
import org.apache.hadoop.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
import org.apache.hadoop.hive.metastore.api.HiveObjectType;
import org.apache.hadoop.hive.metastore.api.PrincipalType;
import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
import org.apache.hadoop.hive.ql.ErrorMsg;
import org.apache.hadoop.hive.ql.hooks.Entity;
+import org.apache.hadoop.hive.ql.exec.Utilities;
import org.apache.hadoop.hive.ql.hooks.Entity.Type;
import org.apache.hadoop.hive.ql.hooks.WriteEntity;
import org.apache.hadoop.hive.ql.hooks.WriteEntity.WriteType;
import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.plan.PrincipalDesc;
+import org.apache.hadoop.hive.ql.plan.PrivilegeDesc;
+import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivObjectActionType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
+import org.apache.hadoop.hive.ql.session.SessionState;
+
+import java.util.ArrayList;
+import java.util.List;
/**
* Utility code shared by hive internal code and sql standard authorization plugin implementation
@@ -48,13 +58,19 @@
* @throws HiveException
*/
public static HivePrincipalType getHivePrincipalType(PrincipalType type) throws HiveException {
+ if (type == null) {
+ return null;
+ }
switch(type){
case USER:
return HivePrincipalType.USER;
case ROLE:
return HivePrincipalType.ROLE;
case GROUP:
- throw new HiveException(ErrorMsg.UNNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP);
+ if (SessionState.get().getAuthorizationMode() == SessionState.AuthorizationMode.V2) {
+ throw new HiveException(ErrorMsg.UNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP);
+ }
+ return HivePrincipalType.GROUP;
default:
//should not happen as we take care of all existing types
throw new AssertionError("Unsupported authorization type specified");
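Review bot: `SessionState.get()` is dereferenced directly in the new GROUP branch, so a call on a thread with no session attached would fail with a NullPointerException rather than a HiveException. The same pattern appears in the GLOBAL and COLUMN branches of getHiveObjType, added later in this file. Because this branch decides whether a GROUP principal is accepted, the no-session case should be handled explicitly. If rejecting is the intended default, use `SessionState ss = SessionState.get();` followed by `if (ss == null || ss.getAuthorizationMode() == SessionState.AuthorizationMode.V2)`. The new null-in/null-out path also deserves a Javadoc line, since callers can now build principals whose type is null. The method's closing lines are outside this hunk.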
@@ -68,6 +84,9 @@ public static HivePrincipalType getHivePrincipalType(PrincipalType type) throws
* @return
*/
public static HivePrivilegeObjectType getHivePrivilegeObjectType(Type type) {
+ if (type == null){
+ return null;
+ }
switch(type){
case DATABASE:
return HivePrivilegeObjectType.DATABASE;
@@ -85,6 +104,95 @@ public static HivePrivilegeObjectType getHivePrivilegeObjectType(Type type) {
}
}
+ public static HivePrivilegeObjectType getPrivObjectType(PrivilegeObjectDesc privSubjectDesc) {
+ if (privSubjectDesc.getObject() == null) {
+ return null;
+ }
+ return privSubjectDesc.getTable() ? HivePrivilegeObjectType.TABLE_OR_VIEW :
+ HivePrivilegeObjectType.DATABASE;
+ }
+
+ public static List getHivePrivileges(List privileges) {
+ List hivePrivileges = new ArrayList();
+ for(PrivilegeDesc privilege : privileges){
+ Privilege priv = privilege.getPrivilege();
+ hivePrivileges.add(
+ new HivePrivilege(priv.toString(), privilege.getColumns(), priv.getScopeList()));
+ }
+ return hivePrivileges;
+ }
+
+ public static List getHivePrincipals(List principals)
+ throws HiveException {
+
+ ArrayList hivePrincipals = new ArrayList();
+ for(PrincipalDesc principal : principals){
+ hivePrincipals.add(getHivePrincipal(principal));
+ }
+ return hivePrincipals;
+ }
+
+ public static HivePrincipal getHivePrincipal(PrincipalDesc principal) throws HiveException {
+ if (principal == null) {
+ return null;
+ }
+ return getHivePrincipal(principal.getName(), principal.getType());
+ }
+
+ public static HivePrincipal getHivePrincipal(String name, PrincipalType type) throws HiveException {
+ return new HivePrincipal(name, AuthorizationUtils.getHivePrincipalType(type));
+ }
+
+ public static List getPrivilegeInfos(List privs)
+ throws HiveException {
+ List hivePrivs = new ArrayList();
+ for (HiveObjectPrivilege priv : privs) {
+ PrivilegeGrantInfo grantorInfo = priv.getGrantInfo();
+ HiveObjectRef privObject = priv.getHiveObject();
+ HivePrincipal hivePrincipal =
+ getHivePrincipal(priv.getPrincipalName(), priv.getPrincipalType());
+ HivePrincipal grantor =
+ getHivePrincipal(grantorInfo.getGrantor(), grantorInfo.getGrantorType());
+ HivePrivilegeObject object = getHiveObjectRef(privObject);
+ HivePrivilege privilege = new HivePrivilege(grantorInfo.getPrivilege(), null);
+ hivePrivs.add(new HivePrivilegeInfo(hivePrincipal, privilege, object, grantor,
+ grantorInfo.isGrantOption(), grantorInfo.getCreateTime()));
+ }
+ return hivePrivs;
+ }
+
+ public static HivePrivilegeObject getHiveObjectRef(HiveObjectRef privObj) throws HiveException {
+ if (privObj == null) {
+ return null;
+ }
+ HivePrivilegeObjectType objType = getHiveObjType(privObj.getObjectType());
+ return new HivePrivilegeObject(objType, privObj.getDbName(), privObj.getObjectName(),
+ privObj.getPartValues(), privObj.getColumnName());
+ }
+
+ public static HivePrivilegeObject getHivePrivilegeObject(
+ PrivilegeObjectDesc privSubjectDesc, List columns) throws HiveException {
+
+ // null means ALL for show grants, GLOBAL for grant/revoke
+ HivePrivilegeObjectType objectType = null;
+
+ String[] dbTable;
+ List partSpec = null;
+ if (privSubjectDesc == null) {
+ dbTable = new String[] {null, null};
+ } else {
+ if (privSubjectDesc.getTable()) {
+ dbTable = Utilities.getDbTableName(privSubjectDesc.getObject());
+ } else {
+ dbTable = new String[] {privSubjectDesc.getObject(), null};
+ }
+ if (privSubjectDesc.getPartSpec() != null) {
+ partSpec = new ArrayList(privSubjectDesc.getPartSpec().values());
+ }
+ objectType = getPrivObjectType(privSubjectDesc);
+ }
+ return new HivePrivilegeObject(objectType, dbTable[0], dbTable[1], partSpec, columns, null);
+ }
/**
* Convert authorization plugin principal type to thrift principal type
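Review bot: getHivePrivilegeObject returns an object whose type is null, and the only statement of what that means is the inline comment `// null means ALL for show grants, GLOBAL for grant/revoke`. The scope of an authorization object therefore depends on which caller reads it, and nothing on the public method says so. I would add Javadoc to getHivePrivilegeObject stating that a null `privSubjectDesc` yields a null type with null db and table names, and that grant/revoke callers must treat it as GLOBAL while show-grant callers treat it as "all objects". Since this commit also adds `HivePrivilegeObjectType.GLOBAL`, consider having the grant/revoke path pass that value explicitly, so a null that arrives by mistake is not silently widened to a global grant. Separately, getPrivilegeInfos dereferences `priv.getGrantInfo()` without a check, which assumes the metastore always populates it.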
@@ -99,6 +207,8 @@ public static PrincipalType getThriftPrincipalType(HivePrincipalType type) {
switch(type){
case USER:
return PrincipalType.USER;
+ case GROUP:
+ return PrincipalType.GROUP;
case ROLE:
return PrincipalType.ROLE;
default:
@@ -106,7 +216,6 @@ public static PrincipalType getThriftPrincipalType(HivePrincipalType type) {
}
}
-
/**
* Get thrift privilege grant info
* @param privilege
@@ -134,12 +243,16 @@ public static HiveObjectType getThriftHiveObjType(HivePrivilegeObjectType type)
return null;
}
switch(type){
+ case GLOBAL:
+ return HiveObjectType.GLOBAL;
case DATABASE:
return HiveObjectType.DATABASE;
case TABLE_OR_VIEW:
return HiveObjectType.TABLE;
case PARTITION:
return HiveObjectType.PARTITION;
+ case COLUMN:
+ return HiveObjectType.COLUMN;
case LOCAL_URI:
case DFS_URI:
throw new HiveException("Unsupported type " + type);
@@ -149,6 +262,33 @@ public static HiveObjectType getThriftHiveObjType(HivePrivilegeObjectType type)
}
}
+ // V1 to V2 conversion.
+ private static HivePrivilegeObjectType getHiveObjType(HiveObjectType type) throws HiveException {
+ if (type == null) {
+ return null;
+ }
+ switch(type){
+ case GLOBAL:
+ if (SessionState.get().getAuthorizationMode() == SessionState.AuthorizationMode.V2) {
+ throw new HiveException(ErrorMsg.UNSUPPORTED_AUTHORIZATION_RESOURCE_TYPE_GLOBAL);
+ }
+ return HivePrivilegeObjectType.GLOBAL;
+ case DATABASE:
+ return HivePrivilegeObjectType.DATABASE;
+ case TABLE:
+ return HivePrivilegeObjectType.TABLE_OR_VIEW;
+ case PARTITION:
+ return HivePrivilegeObjectType.PARTITION;
+ case COLUMN:
+ if (SessionState.get().getAuthorizationMode() == SessionState.AuthorizationMode.V2) {
+ throw new HiveException(ErrorMsg.UNSUPPORTED_AUTHORIZATION_RESOURCE_TYPE_COLUMN);
+ }
+ return HivePrivilegeObjectType.COLUMN;
+ default:
+ //should not happen as we have accounted for all types
+ throw new AssertionError("Unsupported type " + type);
+ }
+ }
/**
* Convert thrift HiveObjectRef to plugin HivePrivilegeObject
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/Privilege.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/Privilege.java
index f9d1b4b..ba8ce26 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/Privilege.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/Privilege.java
@@ -18,7 +18,9 @@
package org.apache.hadoop.hive.ql.security.authorization;
+import java.util.ArrayList;
import java.util.EnumSet;
+import java.util.List;
/**
* Privilege defines a privilege in Hive. Each privilege has a name and scope associated with it.
@@ -65,6 +67,17 @@ public boolean supportTableLevel() {
&& supportedScopeSet.contains(PrivilegeScope.TABLE_LEVEL_SCOPE);
}
+ public List getScopeList() {
+ if (supportedScopeSet == null) {
+ return null;
+ }
+ List scopes = new ArrayList();
+ for (PrivilegeScope scope : supportedScopeSet) {
+ scopes.add(scope.name());
+ }
+ return scopes;
+ }
+
@Override
public String toString() {
return this.getPriv().toString();
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java
index dd4cd22..30a4496 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java
@@ -25,10 +25,19 @@
*/
@LimitedPrivate(value = { "" })
@Evolving
-public class HivePrincipal {
+public class HivePrincipal implements Comparable {
+
+ @Override
+ public int compareTo(HivePrincipal o) {
+ int compare = name.compareTo(o.name);
+ if (compare == 0) {
+ compare = type.compareTo(o.type);
+ }
+ return compare;
+ }
public enum HivePrincipalType{
- USER, ROLE, UNKNOWN
+ USER, GROUP, ROLE, UNKNOWN
}
@Override
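Review bot: The new `compareTo` calls `name.compareTo(o.name)` and `type.compareTo(o.type)` with no null handling, while this same commit makes null values reachable. AuthorizationUtils.getHivePrincipalType now returns null for a null input, and getPrivilegeInfos builds the grantor principal from `grantorInfo.getGrantor()` and `getGrantorType()`, which are not checked. Sorting a list that contains such a principal would throw a NullPointerException. Either reject null name and type in the constructor, or compare null-safely, for example `compare = type == null ? (o.type == null ? 0 : -1) : (o.type == null ? 1 : type.compareTo(o.type));` and the same shape for `name`. The class's equals and hashCode are outside this hunk, so whether the ordering is consistent with them cannot be confirmed from here.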
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java
index 126300a..5e64b8d 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java
@@ -22,13 +22,14 @@
import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
+import org.apache.hadoop.hive.ql.security.authorization.PrivilegeScope;
/**
* Represents the hive privilege being granted/revoked
*/
@LimitedPrivate(value = { "" })
@Evolving
-public class HivePrivilege {
+public class HivePrivilege implements Comparable {
@Override
public String toString() {
return "Privilege [name=" + name + ", columns=" + columns + "]";
@@ -36,10 +37,16 @@ public String toString() {
private final String name;
private final List columns;
+ private final List supportedScope;
- public HivePrivilege(String name, List columns){
+ public HivePrivilege(String name, List columns) {
+ this(name, columns, null);
+ }
+
+ public HivePrivilege(String name, List columns, List supportedScope) {
this.name = name.toUpperCase(Locale.US);
this.columns = columns;
+ this.supportedScope = supportedScope;
}
public String getName() {
@@ -50,6 +57,10 @@ public String getName() {
return columns;
}
+ public List getSupportedScope() {
+ return supportedScope;
+ }
+
@Override
public int hashCode() {
final int prime = 31;
@@ -82,5 +93,27 @@ public boolean equals(Object obj) {
}
+ public boolean supportsScope(PrivilegeScope scope) {
+ return supportedScope != null && supportedScope.contains(scope.name());
+ }
+
+ public int compareTo(HivePrivilege privilege) {
+ int compare = columns != null ?
+ (privilege.columns != null ? compare(columns, privilege.columns) : 1) :
+ (privilege.columns != null ? -1 : 0);
+ if (compare == 0) {
+ compare = name.compareTo(privilege.name);
+ }
+ return compare;
+ }
+ private int compare(List o1, List o2) {
+ for (int i = 0; i < Math.min(o1.size(), o2.size()); i++) {
+ int compare = o1.get(i).compareTo(o2.get(i));
+ if (compare != 0) {
+ return compare;
+ }
+ }
+ return o1.size() > o2.size() ? 1 : (o1.size() < o2.size() ? -1 : 0);
+ }
}
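Review bot: `compareTo` here is declared without `@Override`, unlike the equivalent methods added to HivePrincipal and HivePrivilegeObject in this commit; adding it lets the compiler catch a signature drift. The private `compare(List, List)` helper is repeated verbatim in HivePrivilegeObject and would be better as one shared static utility. The ordering compares `columns` before `name` and ignores `supportedScope`. A one-line comment such as `// orders by column list first, then privilege name; supportedScope is not part of the ordering` would make that deliberate. Whether this agrees with `equals` cannot be checked from the hunk, because the equals body is outside it.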
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java
index 8cdff5b..912be6b 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java
@@ -21,14 +21,16 @@
import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
import org.apache.hadoop.hive.common.classification.InterfaceStability.Unstable;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
+
+import java.util.ArrayList;
+import java.util.Arrays;
/**
* Represents the object on which privilege is being granted/revoked
*/
@LimitedPrivate(value = { "" })
@Unstable
-public class HivePrivilegeObject {
+public class HivePrivilegeObject implements Comparable {
@Override
public String toString() {
@@ -38,8 +40,13 @@ public String toString() {
name = dbname;
break;
case TABLE_OR_VIEW:
+ case PARTITION:
name = (dbname == null ? "" : dbname + ".") + tableviewname;
+ if (partKeys != null) {
+ name += partKeys.toString();
+ }
break;
+ case COLUMN:
case LOCAL_URI:
case DFS_URI:
name = tableviewname;
@@ -47,33 +54,74 @@ public String toString() {
case COMMAND_PARAMS:
name = commandParams.toString();
break;
- case PARTITION:
- break;
}
return "Object [type=" + type + ", name=" + name + "]";
}
- public enum HivePrivilegeObjectType {
- DATABASE, TABLE_OR_VIEW, PARTITION, LOCAL_URI, DFS_URI, COMMAND_PARAMS
- };
+ @Override
+ public int compareTo(HivePrivilegeObject o) {
+ int compare = type.compareTo(o.type);
+ if (compare == 0) {
+ compare = dbname.compareTo(o.dbname);
+ }
+ if (compare == 0) {
+ compare = tableviewname != null ?
+ (o.tableviewname != null ? tableviewname.compareTo(o.tableviewname) : 1) :
+ (o.tableviewname != null ? -1 : 0);
+ }
+ if (compare == 0) {
+ compare = partKeys != null ?
+ (o.partKeys != null ? compare(partKeys, o.partKeys) : 1) :
+ (o.partKeys != null ? -1 : 0);
+ }
+ if (compare == 0) {
+ compare = columns != null ?
+ (o.columns != null ? compare(columns, o.columns) : 1) :
+ (o.columns != null ? -1 : 0);
+ }
+ return compare;
+ }
+
+ private int compare(List o1, List o2) {
+ for (int i = 0; i < Math.min(o1.size(), o2.size()); i++) {
+ int compare = o1.get(i).compareTo(o2.get(i));
+ if (compare != 0) {
+ return compare;
+ }
+ }
+ return o1.size() > o2.size() ? 1 : (o1.size() < o2.size() ? -1 : 0);
+ }
+ public enum HivePrivilegeObjectType {
+ GLOBAL, DATABASE, TABLE_OR_VIEW, PARTITION, COLUMN, LOCAL_URI, DFS_URI, COMMAND_PARAMS
+ } ;
public enum HivePrivObjectActionType {
OTHER, INSERT, INSERT_OVERWRITE
};
+
private final HivePrivilegeObjectType type;
private final String dbname;
private final String tableviewname;
private final List commandParams;
+ private final List partKeys;
+ private final List columns;
private final HivePrivObjectActionType actionType;
- public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI){
+ public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI) {
this(type, dbname, tableViewURI, HivePrivObjectActionType.OTHER);
}
+ public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI
+ , HivePrivObjectActionType actionType) {
+ this(type, dbname, tableViewURI, null, null, actionType, null);
+ }
+
public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI,
- HivePrivObjectActionType actionType) {
- this(type, dbname, tableViewURI, actionType, null);
+ List partKeys, String column) {
+ this(type, dbname, tableViewURI, partKeys,
+ column == null ? null : new ArrayList(Arrays.asList(column)),
+ HivePrivObjectActionType.OTHER, null);
}
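Review bot: The new `compareTo` guards `tableviewname`, `partKeys` and `columns` against null but dereferences `type` and `dbname` unguarded. Both are legitimately null elsewhere in this commit: AuthorizationUtils.getHivePrivilegeObject builds an object with a null type and `dbTable[0] == null` when no subject is given, and createHivePrivilegeObject passes null for the db name. Sorting a list of privilege objects that contains such an entry would throw a NullPointerException. Giving the first two comparisons the same null-ordering as the later ones, through one small helper, fixes it without changing the ordering of non-null values.

```java
// … unchanged: compareTo signature …
int compare = compareNullable(type, o.type);
if (compare == 0) {
  compare = compareNullable(dbname, o.dbname);
}
// … unchanged: tableviewname, partKeys and columns comparisons …

// null sorts before any non-null value, matching the existing field checks
private static <T extends Comparable<T>> int compareNullable(T a, T b) {
  if (a == null) {
    return b == null ? 0 : -1;
  }
  return b == null ? 1 : a.compareTo(b);
}
```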
/**
@@ -82,15 +130,23 @@ public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String t
* @return
*/
public static HivePrivilegeObject createHivePrivilegeObject(List cmdParams) {
- return new HivePrivilegeObject(HivePrivilegeObjectType.COMMAND_PARAMS, null, null, null,
+ return new HivePrivilegeObject(HivePrivilegeObjectType.COMMAND_PARAMS, null, null, null, null,
cmdParams);
}
public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI,
- HivePrivObjectActionType actionType, List commandParams) {
+ List partKeys, List columns, List commandParams) {
+ this(type, dbname, tableViewURI, partKeys, columns, HivePrivObjectActionType.OTHER, commandParams);
+ }
+
+ public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String tableViewURI,
+ List partKeys, List columns, HivePrivObjectActionType actionType,
+ List commandParams) {
this.type = type;
this.dbname = dbname;
this.tableviewname = tableViewURI;
+ this.partKeys = partKeys;
+ this.columns = columns;
this.actionType = actionType;
this.commandParams = commandParams;
}
@@ -114,4 +170,12 @@ public HivePrivObjectActionType getActionType() {
public List getCommandParams() {
return commandParams;
}
+
+ public List getPartKeys() {
+ return partKeys;
+ }
+
+ public List getColumns() {
+ return columns;
+ }
}
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java
new file mode 100644
index 0000000..60c9f14
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java
@@ -0,0 +1,374 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.metastore.Warehouse;
+import org.apache.hadoop.hive.metastore.api.Database;
+import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
+import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
+import org.apache.hadoop.hive.metastore.api.HiveObjectType;
+import org.apache.hadoop.hive.metastore.api.Partition;
+import org.apache.hadoop.hive.metastore.api.PrincipalType;
+import org.apache.hadoop.hive.metastore.api.PrivilegeBag;
+import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
+import org.apache.hadoop.hive.metastore.api.Role;
+import org.apache.hadoop.hive.metastore.api.RolePrincipalGrant;
+import org.apache.hadoop.hive.ql.metadata.Hive;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.metadata.Table;
+import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils;
+import org.apache.hadoop.hive.ql.security.authorization.PrivilegeScope;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController;
+import org.apache.hadoop.hive.ql.session.SessionState;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+public class HiveV1Authorizer implements HiveAuthorizer {
+
+ private final HiveConf conf;
+ private final Hive hive;
+
+ public HiveV1Authorizer(HiveConf conf, Hive hive) {
+ this.conf = conf;
+ this.hive = hive;
+ }
+
+ @Override
+ public VERSION getVersion() {
+ return VERSION.V1;
+ }
+
+ @Override
+ public void checkPrivileges(HiveOperationType hiveOpType, List inputsHObjs,
+ List outputHObjs, HiveAuthzContext context)
+ throws HiveAuthzPluginException, HiveAccessControlException {
+ throw new UnsupportedOperationException("Should not be called for v1 authorizer");
+ }
+
+ @Override
+ public void grantPrivileges(
+ List principals, List privileges, HivePrivilegeObject privObject,
+ HivePrincipal grantor, boolean grantOption)
+ throws HiveAuthzPluginException, HiveAccessControlException {
+ try {
+ PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption);
+ grantOrRevokePrivs(principals, privBag, true, grantOption);
+ } catch (Exception e) {
+ throw new HiveAuthzPluginException(e);
+ }
+ }
+
+ @Override
+ public void revokePrivileges(
+ List principals, List privileges, HivePrivilegeObject privObject,
+ HivePrincipal grantor, boolean grantOption)
+ throws HiveAuthzPluginException, HiveAccessControlException {
+ try {
+ PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption);
+ grantOrRevokePrivs(principals, privBag, false, grantOption);
+ } catch (Exception e) {
+ throw new HiveAuthzPluginException(e);
+ }
+ }
+
+ private void grantOrRevokePrivs(List principals, PrivilegeBag privBag,
+ boolean isGrant, boolean grantOption) throws HiveException {
+ for (HivePrincipal principal : principals) {
+ PrincipalType type = AuthorizationUtils.getThriftPrincipalType(principal.getType());
+ for (HiveObjectPrivilege priv : privBag.getPrivileges()) {
+ priv.setPrincipalName(principal.getName());
+ priv.setPrincipalType(type);
+ }
+ if (isGrant) {
+ hive.grantPrivileges(privBag);
+ } else {
+ hive.revokePrivileges(privBag, grantOption);
+ }
+ }
+ }
+
+ private PrivilegeBag toPrivilegeBag(List privileges,
+ HivePrivilegeObject privObject, HivePrincipal grantor, boolean grantOption)
+ throws HiveException {
+
+ PrivilegeBag privBag = new PrivilegeBag();
+ if (privileges.isEmpty()) {
+ return privBag;
+ }
+ String grantorName = grantor.getName();
+ PrincipalType grantorType = AuthorizationUtils.getThriftPrincipalType(grantor.getType());
+ if (privObject.getType() == null ||
+ privObject.getType() == HivePrivilegeObject.HivePrivilegeObjectType.GLOBAL) {
+ for (HivePrivilege priv : privileges) {
+ List columns = priv.getColumns();
+ if (columns != null && !columns.isEmpty()) {
+ throw new HiveException(
+ "For user-level privileges, column sets should be null. columns=" +
+ columns.toString());
+ }
+ privBag.addToPrivileges(new HiveObjectPrivilege(new HiveObjectRef(
+ HiveObjectType.GLOBAL, null, null, null, null), null, null,
+ new PrivilegeGrantInfo(priv.getName(), 0, grantor.getName(), grantorType,
+ grantOption)));
+ }
+ return privBag;
+ }
+
+ if (privObject.getPartKeys() != null && grantOption) {
+ throw new HiveException("Grant does not support partition level.");
+ }
+ Database dbObj = hive.getDatabase(privObject.getDbname());
+ if (dbObj == null) {
+ throw new HiveException("Database " + privObject.getDbname() + " does not exists");
+ }
+ Table tableObj = null;
+ if (privObject.getTableViewURI() != null) {
+ tableObj = hive.getTable(dbObj.getName(), privObject.getTableViewURI());
+ }
+
+ List partValues = null;
+ if (tableObj != null) {
+ if ((!tableObj.isPartitioned())
+ && privObject.getPartKeys() != null) {
+ throw new HiveException(
+ "Table is not partitioned, but partition name is present: partSpec="
+ + privObject.getPartKeys());
+ }
+
+ if (privObject.getPartKeys() != null) {
+ Map partSpec =
+ Warehouse.makeSpecFromValues(tableObj.getPartitionKeys(), privObject.getPartKeys());
+ Partition partObj = hive.getPartition(tableObj, partSpec, false).getTPartition();
+ partValues = partObj.getValues();
+ }
+ }
+
+ for (HivePrivilege priv : privileges) {
+ List columns = priv.getColumns();
+ if (columns != null && !columns.isEmpty()) {
+ if (!priv.supportsScope(PrivilegeScope.COLUMN_LEVEL_SCOPE)) {
+ throw new HiveException(priv.getName() + " does not support column level privilege.");
+ }
+ if (tableObj == null) {
+ throw new HiveException(
+ "For user-level/database-level privileges, column sets should be null. columns="
+ + columns);
+ }
+ for (int i = 0; i < columns.size(); i++) {
+ privBag.addToPrivileges(new HiveObjectPrivilege(
+ new HiveObjectRef(HiveObjectType.COLUMN, dbObj.getName(), tableObj.getTableName(),
+ partValues, columns.get(i)), null, null,
+ new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption)));
+ }
+ } else if (tableObj == null) {
+ privBag.addToPrivileges(new HiveObjectPrivilege(
+ new HiveObjectRef(HiveObjectType.DATABASE, dbObj.getName(), null,
+ null, null), null, null,
+ new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption)));
+ } else if (partValues == null) {
+ privBag.addToPrivileges(new HiveObjectPrivilege(
+ new HiveObjectRef(HiveObjectType.TABLE, dbObj.getName(), tableObj.getTableName(),
+ null, null), null, null,
+ new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption)));
+ } else {
+ privBag.addToPrivileges(new HiveObjectPrivilege(
+ new HiveObjectRef(HiveObjectType.PARTITION, dbObj.getName(), tableObj.getTableName(),
+ partValues, null), null, null,
+ new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption)));
+ }
+ }
+ return privBag;
+ }
+
+ @Override
+ public void createRole(String roleName, HivePrincipal adminGrantor) throws HiveAuthzPluginException, HiveAccessControlException {
+ try {
+ hive.createRole(roleName, adminGrantor == null ? null : adminGrantor.getName());
+ } catch (HiveException e) {
+ throw new HiveAuthzPluginException(e);
+ }
+ }
+
+ @Override
+ public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
+ try {
+ hive.dropRole(roleName);
+ } catch (HiveException e) {
+ throw new HiveAuthzPluginException(e);
+ }
+ }
+
+ @Override
+ public List getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
+ try {
+ return SQLStdHiveAccessController.getHiveRoleGrants(hive.getMSC(), roleName);
+ } catch (Exception e) {
+ throw new HiveAuthzPluginException(e);
+ }
+ }
+
+ @Override
+ public List getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, HiveAccessControlException {
+ PrincipalType type = AuthorizationUtils.getThriftPrincipalType(principal.getType());
+ try {
+ List grants = new ArrayList();
+ for (RolePrincipalGrant grant : hive.getRoleGrantInfoForPrincipal(principal.getName(), type)) {
+ grants.add(new HiveRoleGrant(grant));
+ }
+ return grants;
+ } catch (HiveException e) {
+ throw new HiveAuthzPluginException(e);
+ }
+ }
+
+ @Override
+ public void grantRole(List principals, List roles, boolean grantOption,
+ HivePrincipal grantor) throws HiveAuthzPluginException, HiveAccessControlException {
+ try {
+ grantOrRevokeRole(principals, roles, grantOption, grantor, true);
+ } catch (HiveException e) {
+ throw new HiveAuthzPluginException(e);
+ }
+ }
+
+ @Override
+ public void revokeRole(List principals, List roles, boolean grantOption,
+ HivePrincipal grantor) throws HiveAuthzPluginException, HiveAccessControlException {
+ try {
+ grantOrRevokeRole(principals, roles, grantOption, grantor, false);
+ } catch (HiveException e) {
+ throw new HiveAuthzPluginException(e);
+ }
+ }
+
+ private void grantOrRevokeRole(List principals, List roles,
+ boolean grantOption, HivePrincipal grantor, boolean isGrant) throws HiveException {
+ PrincipalType grantorType = AuthorizationUtils.getThriftPrincipalType(grantor.getType());
+ for (HivePrincipal principal : principals) {
+ PrincipalType principalType = AuthorizationUtils.getThriftPrincipalType(principal.getType());
+ String userName = principal.getName();
+ for (String roleName : roles) {
+ if (isGrant) {
+ hive.grantRole(roleName, userName, principalType,
+ grantor.getName(), grantorType, grantOption);
+ } else {
+ hive.revokeRole(roleName, userName, principalType, grantOption);
+ }
+ }
+ }
+ }
+
+ @Override
+ public List getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
+ try {
+ return hive.getAllRoleNames();
+ } catch (HiveException e) {
+ throw new HiveAuthzPluginException(e);
+ }
+ }
+
+ @Override
+ public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
+ throws HiveAuthzPluginException, HiveAccessControlException {
+ String name = principal == null ? null : principal.getName();
+ PrincipalType type =
+ AuthorizationUtils.getThriftPrincipalType(principal == null ? null : principal.getType());
+
+ List privs = new ArrayList();
+ try {
+ if (privObj == null) {
+ // show user level privileges
+ privs.addAll(hive.showPrivilegeGrant(HiveObjectType.GLOBAL, name, type,
+ null, null, null, null));
+ } else if (privObj.getDbname() == null) {
+ // show all privileges
+ privs.addAll(hive.showPrivilegeGrant(null, name, type, null, null, null, null));
+ } else {
+ Database dbObj = hive.getDatabase(privObj.getDbname());;
+ if (dbObj == null) {
+ throw new HiveException("Database " + privObj.getDbname() + " does not exists");
+ }
+ Table tableObj = null;
+ if (privObj.getTableViewURI() != null) {
+ tableObj = hive.getTable(dbObj.getName(), privObj.getTableViewURI());
+ }
+ List partValues = privObj.getPartKeys();
+
+ if (tableObj == null) {
+ // show database level privileges
+ privs.addAll(hive.showPrivilegeGrant(HiveObjectType.DATABASE,
+ name, type, dbObj.getName(), null, null, null));
+ } else {
+ List columns = privObj.getColumns();
+ if (columns != null && !columns.isEmpty()) {
+ // show column level privileges
+ for (String columnName : columns) {
+ privs.addAll(hive.showPrivilegeGrant(HiveObjectType.COLUMN, name, type,
+ dbObj.getName(), tableObj.getTableName(), partValues, columnName));
+ }
+ } else if (partValues == null) {
+ // show table level privileges
+ privs.addAll(hive.showPrivilegeGrant(HiveObjectType.TABLE, name, type,
+ dbObj.getName(), tableObj.getTableName(), null, null));
+ } else {
+ // show partition level privileges
+ privs.addAll(hive.showPrivilegeGrant(HiveObjectType.PARTITION, name, type,
+ dbObj.getName(), tableObj.getTableName(), partValues, null));
+ }
+ }
+ }
+ return AuthorizationUtils.getPrivilegeInfos(privs);
+ } catch (Exception ex) {
+ throw new HiveAuthzPluginException(ex);
+ }
+ }
+
+ @Override
+ public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException {
+ throw new HiveAuthzPluginException("Unsupported operation 'setCurrentRole' for V1 auth");
+ }
+
+ @Override
+ public List getCurrentRoleNames() throws HiveAuthzPluginException {
+
+ String userName = SessionState.get().getUserName();
+ if (userName == null) {
+ userName = SessionState.getUserFromAuthenticator();
+ }
+ if (userName == null) {
+ throw new HiveAuthzPluginException("Cannot resolve current user name");
+ }
+ try {
+ List roleNames = new ArrayList();
+ for (Role role : hive.listRoles(userName, PrincipalType.USER)) {
+ roleNames.add(role.getRoleName());
+ }
+ return roleNames;
+ } catch (HiveException e) {
+ throw new HiveAuthzPluginException(e);
+ }
+ }
+
+ @Override
+ public void applyAuthorizationConfigPolicy(HiveConf hiveConf) {
+ }
+}
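Review bot: The partition guard in toPrivilegeBag, `if (privObject.getPartKeys() != null && grantOption)`, tests the WITH GRANT OPTION flag rather than whether the call is a grant, although its message says "Grant does not support partition level." As written, a plain GRANT on a partition passes the guard, while a REVOKE that carries the grant-option flag on a partition is rejected, which looks inverted. toPrivilegeBag is called from both grantPrivileges and revokePrivileges and has no way to tell them apart. I would add a `boolean isGrant` parameter, pass `true` and `false` from the two callers, and change the condition to `if (privObject.getPartKeys() != null && isGrant)`. Separately, toPrivilegeBag dereferences `privObject` and `grantor` without a null check while showPrivileges treats a null `privObj` as valid, so a short Javadoc on which arguments may be null would help.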
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
index 6b635ce..f1220d7 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
@@ -186,8 +186,12 @@ static RequiredPrivileges getPrivilegesFromMetaStore(IMetaStoreClient metastoreC
// get privileges for this user and its role on this object
PrincipalPrivilegeSet thrifPrivs = null;
try {
+ HiveObjectRef objectRef = AuthorizationUtils.getThriftHiveObjectRef(hivePrivObject);
+ if (objectRef.getObjectType() == null) {
+ objectRef.setObjectType(HiveObjectType.GLOBAL);
+ }
thrifPrivs = metastoreClient.get_privilege_set(
- AuthorizationUtils.getThriftHiveObjectRef(hivePrivObject), userName, null);
+ objectRef, userName, null);
} catch (MetaException e) {
throwGetPrivErr(e, hivePrivObject, userName);
} catch (TException e) {
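Review bot: The added null check in `getPrivilegesFromMetaStore` turns any object reference that carries no type into a `HiveObjectType.GLOBAL` lookup. An object whose type `AuthorizationUtils.getThriftHiveObjectRef` fails to map (its mapping is not visible in this hunk) would then be checked against global-level privileges instead of being rejected. On an authorization path it is safer to fail closed: default to GLOBAL only when `hivePrivObject` is known to describe a global object, and raise an error otherwise. At minimum, document the fallback as deliberate with a comment such as `// no object type: the request has no db/table scope, so look up global privileges`. The method's body starts and ends outside the hunk.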
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
index 932b980..a16f42a 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
@@ -350,19 +350,24 @@ public void revokeRole(List hivePrincipals, List roleName
+ " allowed get principals in a role. " + ADMIN_ONLY_MSG);
}
try {
- GetPrincipalsInRoleResponse princGrantInfo =
- metastoreClientFactory.getHiveMetastoreClient().get_principals_in_role(new GetPrincipalsInRoleRequest(roleName));
-
- List hiveRoleGrants = new ArrayList();
- for(RolePrincipalGrant thriftRoleGrant : princGrantInfo.getPrincipalGrants()){
- hiveRoleGrants.add(new HiveRoleGrant(thriftRoleGrant));
- }
- return hiveRoleGrants;
+ return getHiveRoleGrants(metastoreClientFactory.getHiveMetastoreClient(), roleName);
} catch (Exception e) {
throw new HiveAuthzPluginException("Error getting principals for all roles", e);
}
}
+ public static List getHiveRoleGrants(IMetaStoreClient client, String roleName)
+ throws Exception {
+ GetPrincipalsInRoleRequest request = new GetPrincipalsInRoleRequest(roleName);
+ GetPrincipalsInRoleResponse princGrantInfo = client.get_principals_in_role(request);
+
+ List hiveRoleGrants = new ArrayList();
+ for(RolePrincipalGrant thriftRoleGrant : princGrantInfo.getPrincipalGrants()){
+ hiveRoleGrants.add(new HiveRoleGrant(thriftRoleGrant));
+ }
+ return hiveRoleGrants;
+ }
+
@Override
public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
throws HiveAuthzPluginException {
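Review bot: `getHiveRoleGrants` is `public static` and performs no privilege check of its own. The admin-only test sits in the calling method above (whose start is outside the hunk), so any other caller of the helper can list a role's principals without that check. Either reduce its visibility, or state the contract in Javadoc, e.g. `/** Lists the principals granted roleName; performs no authorization, callers must check access first. */`. The `throws Exception` clause is also wider than needed; declaring `throws MetaException, TException` would keep unrelated runtime failures from being reported as metastore errors by callers.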
@@ -416,7 +421,7 @@ public void revokeRole(List hivePrincipals, List roleName
HivePrivilegeObject resPrivObj = new HivePrivilegeObject(
getPluginObjType(msObjRef.getObjectType()), msObjRef.getDbName(),
- msObjRef.getObjectName());
+ msObjRef.getObjectName(), msObjRef.getPartValues(), msObjRef.getColumnName());
// result grantor principal
HivePrincipal grantorPrincipal = new HivePrincipal(msGrantInfo.getGrantor(),
diff --git a/ql/src/test/queries/clientnegative/authorization_show_role_principals_v1.q b/ql/src/test/queries/clientnegative/authorization_show_role_principals_v1.q
deleted file mode 100644
index 69cea2f..0000000
--- a/ql/src/test/queries/clientnegative/authorization_show_role_principals_v1.q
+++ /dev/null
@@ -1,2 +0,0 @@
--- This test will fail because the command is not currently supported in auth mode v1
-show principals role1;
diff --git a/ql/src/test/queries/clientpositive/authorization_show_role_principals_v1.q b/ql/src/test/queries/clientpositive/authorization_show_role_principals_v1.q
new file mode 100644
index 0000000..50e9dc2
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/authorization_show_role_principals_v1.q
@@ -0,0 +1,6 @@
+create role role1;
+grant role1 to user user1 with admin option;
+grant role1 to user user2 with admin option;
+show role grant user user1;
+show role grant user user2;
+show principals role1;
diff --git a/ql/src/test/results/clientnegative/authorization_caseinsensitivity.q.out b/ql/src/test/results/clientnegative/authorization_caseinsensitivity.q.out
index 9cd36b6..633527d 100644
--- a/ql/src/test/results/clientnegative/authorization_caseinsensitivity.q.out
+++ b/ql/src/test/results/clientnegative/authorization_caseinsensitivity.q.out
@@ -59,4 +59,4 @@ testrole
PREHOOK: query: create role TESTRoLE
PREHOOK: type: CREATEROLE
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. InvalidObjectException(message:Role testrole already exists.)
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Role testrole already exists.
diff --git a/ql/src/test/results/clientnegative/authorization_fail_1.q.out b/ql/src/test/results/clientnegative/authorization_fail_1.q.out
index 7af4ae8..3f9c4ed 100644
--- a/ql/src/test/results/clientnegative/authorization_fail_1.q.out
+++ b/ql/src/test/results/clientnegative/authorization_fail_1.q.out
@@ -14,5 +14,4 @@ POSTHOOK: Output: default@authorization_fail_1
PREHOOK: query: grant Create on table authorization_fail_1 to user hive_test_user
PREHOOK: type: GRANT_PRIVILEGE
PREHOOK: Output: default@authorization_fail_1
-Error: java.lang.RuntimeException: InvalidObjectException(message:Create is already granted on table [default,authorization_fail_1] by hive_test_user)
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: java.lang.RuntimeException: InvalidObjectException(message:CREATE is already granted on table [default,authorization_fail_1] by hive_test_user)
diff --git a/ql/src/test/results/clientnegative/authorization_fail_3.q.out b/ql/src/test/results/clientnegative/authorization_fail_3.q.out
index d3b2a7c..8cc246d 100644
--- a/ql/src/test/results/clientnegative/authorization_fail_3.q.out
+++ b/ql/src/test/results/clientnegative/authorization_fail_3.q.out
@@ -26,7 +26,7 @@ PREHOOK: query: show grant user hive_test_user on table authorization_fail_3
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_fail_3
POSTHOOK: type: SHOW_GRANT
-default authorization_fail_3 hive_test_user USER Create false -1 hive_test_user
+default authorization_fail_3 hive_test_user USER CREATE false -1 hive_test_user
PREHOOK: query: show grant user hive_test_user on table authorization_fail_3 partition (ds='2010')
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_fail_3 partition (ds='2010')
diff --git a/ql/src/test/results/clientnegative/authorization_fail_4.q.out b/ql/src/test/results/clientnegative/authorization_fail_4.q.out
index 3ce149b..1eddbf7 100644
--- a/ql/src/test/results/clientnegative/authorization_fail_4.q.out
+++ b/ql/src/test/results/clientnegative/authorization_fail_4.q.out
@@ -40,12 +40,12 @@ PREHOOK: query: show grant user hive_test_user on table authorization_fail_4
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_fail_4
POSTHOOK: type: SHOW_GRANT
-default authorization_fail_4 hive_test_user USER Alter false -1 hive_test_user
-default authorization_fail_4 hive_test_user USER Create false -1 hive_test_user
+default authorization_fail_4 hive_test_user USER ALTER false -1 hive_test_user
+default authorization_fail_4 hive_test_user USER CREATE false -1 hive_test_user
PREHOOK: query: show grant user hive_test_user on table authorization_fail_4 partition (ds='2010')
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_fail_4 partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_fail_4 [2010] hive_test_user USER Alter false -1 hive_test_user
-default authorization_fail_4 [2010] hive_test_user USER Create false -1 hive_test_user
+default authorization_fail_4 [2010] hive_test_user USER ALTER false -1 hive_test_user
+default authorization_fail_4 [2010] hive_test_user USER CREATE false -1 hive_test_user
Authorization failed:No privilege 'Select' found for inputs { database:default, table:authorization_fail_4, partitionName:ds=2010, columnName:key}. Use SHOW GRANT to get more details.
diff --git a/ql/src/test/results/clientnegative/authorization_fail_5.q.out b/ql/src/test/results/clientnegative/authorization_fail_5.q.out
index 72b074f..365d5ce 100644
--- a/ql/src/test/results/clientnegative/authorization_fail_5.q.out
+++ b/ql/src/test/results/clientnegative/authorization_fail_5.q.out
@@ -46,16 +46,16 @@ PREHOOK: query: show grant user hive_test_user on table authorization_fail
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_fail
POSTHOOK: type: SHOW_GRANT
-default authorization_fail hive_test_user USER Alter false -1 hive_test_user
-default authorization_fail hive_test_user USER Create false -1 hive_test_user
-default authorization_fail hive_test_user USER Select false -1 hive_test_user
+default authorization_fail hive_test_user USER ALTER false -1 hive_test_user
+default authorization_fail hive_test_user USER CREATE false -1 hive_test_user
+default authorization_fail hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: show grant user hive_test_user on table authorization_fail partition (ds='2010')
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_fail partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_fail [2010] hive_test_user USER Alter false -1 hive_test_user
-default authorization_fail [2010] hive_test_user USER Create false -1 hive_test_user
-default authorization_fail [2010] hive_test_user USER Select false -1 hive_test_user
+default authorization_fail [2010] hive_test_user USER ALTER false -1 hive_test_user
+default authorization_fail [2010] hive_test_user USER CREATE false -1 hive_test_user
+default authorization_fail [2010] hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: revoke Select on table authorization_fail partition (ds='2010') from user hive_test_user
PREHOOK: type: REVOKE_PRIVILEGE
PREHOOK: Output: default@authorization_fail@ds=2010
@@ -66,6 +66,6 @@ PREHOOK: query: show grant user hive_test_user on table authorization_fail parti
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_fail partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_fail [2010] hive_test_user USER Alter false -1 hive_test_user
-default authorization_fail [2010] hive_test_user USER Create false -1 hive_test_user
+default authorization_fail [2010] hive_test_user USER ALTER false -1 hive_test_user
+default authorization_fail [2010] hive_test_user USER CREATE false -1 hive_test_user
Authorization failed:No privilege 'Select' found for inputs { database:default, table:authorization_fail, partitionName:ds=2010, columnName:key}. Use SHOW GRANT to get more details.
diff --git a/ql/src/test/results/clientnegative/authorization_fail_7.q.out b/ql/src/test/results/clientnegative/authorization_fail_7.q.out
index e9b7c35..77ead38 100644
--- a/ql/src/test/results/clientnegative/authorization_fail_7.q.out
+++ b/ql/src/test/results/clientnegative/authorization_fail_7.q.out
@@ -33,7 +33,7 @@ PREHOOK: query: show grant role hive_test_role_fail on table authorization_fail
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant role hive_test_role_fail on table authorization_fail
POSTHOOK: type: SHOW_GRANT
-default authorization_fail hive_test_role_fail ROLE Select false -1 hive_test_user
+default authorization_fail hive_test_role_fail ROLE SELECT false -1 hive_test_user
PREHOOK: query: drop role hive_test_role_fail
PREHOOK: type: DROPROLE
POSTHOOK: query: drop role hive_test_role_fail
diff --git a/ql/src/test/results/clientnegative/authorization_fail_8.q.out b/ql/src/test/results/clientnegative/authorization_fail_8.q.out
index 10dd71b..fecb15c 100644
--- a/ql/src/test/results/clientnegative/authorization_fail_8.q.out
+++ b/ql/src/test/results/clientnegative/authorization_fail_8.q.out
@@ -45,4 +45,4 @@ PREHOOK: query: -- Now that grant option has been revoked, granting to other use
GRANT SELECT ON authorization_fail TO USER user3
PREHOOK: type: GRANT_PRIVILEGE
PREHOOK: Output: default@authorization_fail
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.authorization_fail] : [SELECT with grant]
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied. Principal [name=user2, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.authorization_fail] for operation GRANT_PRIVILEGE : [SELECT with grant]
diff --git a/ql/src/test/results/clientnegative/authorization_part.q.out b/ql/src/test/results/clientnegative/authorization_part.q.out
index dfdcb39..fa80590 100644
--- a/ql/src/test/results/clientnegative/authorization_part.q.out
+++ b/ql/src/test/results/clientnegative/authorization_part.q.out
@@ -68,7 +68,7 @@ PREHOOK: query: show grant group hive_test_group1 on table authorization_part_fa
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant group hive_test_group1 on table authorization_part_fail
POSTHOOK: type: SHOW_GRANT
-default authorization_part_fail hive_test_group1 GROUP Select false -1 hive_test_user
+default authorization_part_fail hive_test_group1 GROUP SELECT false -1 hive_test_user
PREHOOK: query: insert overwrite table authorization_part_fail partition (ds='2010') select key, value from src_auth
PREHOOK: type: QUERY
PREHOOK: Input: default@src_auth
@@ -83,12 +83,12 @@ PREHOOK: query: show grant group hive_test_group1 on table authorization_part_fa
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant group hive_test_group1 on table authorization_part_fail(key) partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_part_fail [2010] key hive_test_group1 GROUP Select false -1 hive_test_user
+default authorization_part_fail [2010] [key] hive_test_group1 GROUP SELECT false -1 hive_test_user
PREHOOK: query: show grant group hive_test_group1 on table authorization_part_fail partition (ds='2010')
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant group hive_test_group1 on table authorization_part_fail partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_part_fail [2010] hive_test_group1 GROUP Select false -1 hive_test_user
+default authorization_part_fail [2010] hive_test_group1 GROUP SELECT false -1 hive_test_user
PREHOOK: query: select key, value from authorization_part_fail where ds='2010' order by key limit 20
PREHOOK: type: QUERY
PREHOOK: Input: default@authorization_part_fail
@@ -133,12 +133,12 @@ PREHOOK: query: show grant group hive_test_group1 on table authorization_part_fa
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant group hive_test_group1 on table authorization_part_fail(key) partition (ds='2011')
POSTHOOK: type: SHOW_GRANT
-default authorization_part_fail [2011] key hive_test_group1 GROUP Select false -1 hive_test_user
+default authorization_part_fail [2011] [key] hive_test_group1 GROUP SELECT false -1 hive_test_user
PREHOOK: query: show grant group hive_test_group1 on table authorization_part_fail partition (ds='2011')
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant group hive_test_group1 on table authorization_part_fail partition (ds='2011')
POSTHOOK: type: SHOW_GRANT
-default authorization_part_fail [2011] hive_test_group1 GROUP Select false -1 hive_test_user
+default authorization_part_fail [2011] hive_test_group1 GROUP SELECT false -1 hive_test_user
PREHOOK: query: select key, value from authorization_part_fail where ds='2011' order by key limit 20
PREHOOK: type: QUERY
PREHOOK: Input: default@authorization_part_fail
diff --git a/ql/src/test/results/clientnegative/authorization_public_create.q.out b/ql/src/test/results/clientnegative/authorization_public_create.q.out
index 0318a8b..4c9a2ad 100644
--- a/ql/src/test/results/clientnegative/authorization_public_create.q.out
+++ b/ql/src/test/results/clientnegative/authorization_public_create.q.out
@@ -1,4 +1,3 @@
PREHOOK: query: create role PUBLIC
PREHOOK: type: CREATEROLE
-Error in role operation create_role on role name public, error message MetaException(message:public role implictly exists. It can't be created.)
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:public role implictly exists. It can't be created.)
diff --git a/ql/src/test/results/clientnegative/authorization_public_drop.q.out b/ql/src/test/results/clientnegative/authorization_public_drop.q.out
index 912589d..7759745 100644
--- a/ql/src/test/results/clientnegative/authorization_public_drop.q.out
+++ b/ql/src/test/results/clientnegative/authorization_public_drop.q.out
@@ -1,4 +1,3 @@
PREHOOK: query: drop role PUBLIC
PREHOOK: type: DROPROLE
-Error in role operation drop_role on role name public, error message MetaException(message:public/admin role can't be dropped.)
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:public/admin role can't be dropped.)
diff --git a/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out b/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
index 704b7b1..032be5b 100644
--- a/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
+++ b/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
@@ -19,4 +19,4 @@ POSTHOOK: type: GRANT_ROLE
PREHOOK: query: -- this will create a cycle
grant role role2 to role role1
PREHOOK: type: GRANT_ROLE
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Cannot grant role role1 to role2 as role2 already belongs to the role role1. (no cycles allowed)
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Cannot grant role role1 to role2 as role2 already belongs to the role role1. (no cycles allowed)
diff --git a/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out b/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
index 03348a8..a9d8cfe 100644
--- a/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
+++ b/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
@@ -45,4 +45,4 @@ POSTHOOK: type: GRANT_ROLE
PREHOOK: query: -- this will create a cycle in middle of the hierarchy
grant role role2 to role role4
PREHOOK: type: GRANT_ROLE
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Cannot grant role role4 to role2 as role2 already belongs to the role role4. (no cycles allowed)
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Cannot grant role role4 to role2 as role2 already belongs to the role role4. (no cycles allowed)
diff --git a/ql/src/test/results/clientnegative/authorization_role_grant.q.out b/ql/src/test/results/clientnegative/authorization_role_grant.q.out
index a497467..bd0f0a3 100644
--- a/ql/src/test/results/clientnegative/authorization_role_grant.q.out
+++ b/ql/src/test/results/clientnegative/authorization_role_grant.q.out
@@ -41,4 +41,4 @@ POSTHOOK: query: set role role_noadmin
POSTHOOK: type: SHOW_ROLES
PREHOOK: query: grant src_role_wadmin to user user3
PREHOOK: type: GRANT_ROLE
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Current user : user2 is not allowed to grant role. User has to belong to ADMIN role and have it as current role, for this action. Otherwise, grantor need to have ADMIN OPTION on role being granted and have it as a current role for this action.
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : user2 is not allowed to grant role. User has to belong to ADMIN role and have it as current role, for this action. Otherwise, grantor need to have ADMIN OPTION on role being granted and have it as a current role for this action.
diff --git a/ql/src/test/results/clientnegative/authorization_role_grant2.q.out b/ql/src/test/results/clientnegative/authorization_role_grant2.q.out
index dc662ec..2156d49 100644
--- a/ql/src/test/results/clientnegative/authorization_role_grant2.q.out
+++ b/ql/src/test/results/clientnegative/authorization_role_grant2.q.out
@@ -59,4 +59,4 @@ POSTHOOK: type: SHOW_ROLES
PREHOOK: query: -- grant/revoke should now fail
grant src_role_wadmin to user user3
PREHOOK: type: GRANT_ROLE
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Current user : user2 is not allowed to grant role. User has to belong to ADMIN role and have it as current role, for this action. Otherwise, grantor need to have ADMIN OPTION on role being granted and have it as a current role for this action.
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : user2 is not allowed to grant role. User has to belong to ADMIN role and have it as current role, for this action. Otherwise, grantor need to have ADMIN OPTION on role being granted and have it as a current role for this action.
diff --git a/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out b/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out
index 6193103..510c3a4 100644
--- a/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out
+++ b/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out
@@ -16,4 +16,4 @@ create role role1
POSTHOOK: type: CREATEROLE
PREHOOK: query: grant role1 to role nosuchrole
PREHOOK: type: GRANT_ROLE
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Error granting roles for nosuchrole to role role1: NoSuchObjectException(message:Role nosuchrole does not exist)
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error granting roles for nosuchrole to role role1: NoSuchObjectException(message:Role nosuchrole does not exist)
diff --git a/ql/src/test/results/clientnegative/authorization_show_role_principals_v1.q.out b/ql/src/test/results/clientnegative/authorization_show_role_principals_v1.q.out
deleted file mode 100644
index e9a965b..0000000
--- a/ql/src/test/results/clientnegative/authorization_show_role_principals_v1.q.out
+++ /dev/null
@@ -1,5 +0,0 @@
-PREHOOK: query: -- This test will fail because the command is not currently supported in auth mode v1
-show principals role1
-PREHOOK: type: SHOW_ROLE_PRINCIPALS
-Error in role operation show_role_principals on role name role1, error message Show role principals is not currently supported in authorization mode V1
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask
diff --git a/ql/src/test/results/clientpositive/alter_rename_partition_authorization.q.out b/ql/src/test/results/clientpositive/alter_rename_partition_authorization.q.out
index 1e00d1b..4d49f1e 100644
--- a/ql/src/test/results/clientpositive/alter_rename_partition_authorization.q.out
+++ b/ql/src/test/results/clientpositive/alter_rename_partition_authorization.q.out
@@ -54,9 +54,9 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part
POSTHOOK: type: SHOW_GRANT
-default authorization_part hive_test_user USER Create false -1 hive_test_user
-default authorization_part hive_test_user USER Drop false -1 hive_test_user
-default authorization_part hive_test_user USER Update false -1 hive_test_user
+default authorization_part hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part hive_test_user USER DROP false -1 hive_test_user
+default authorization_part hive_test_user USER UPDATE false -1 hive_test_user
PREHOOK: query: grant select(key) on table authorization_part to user hive_test_user
PREHOOK: type: GRANT_PRIVILEGE
PREHOOK: Output: default@authorization_part
@@ -77,7 +77,7 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part(key)
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] key hive_test_user USER Select false -1 hive_test_user
+default authorization_part [2010] [key] hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: alter table authorization_part partition (ds='2010') rename to partition (ds='2010_tmp')
PREHOOK: type: ALTERTABLE_RENAMEPART
PREHOOK: Input: default@authorization_part
@@ -92,7 +92,7 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part(key)
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) partition (ds='2010_tmp')
POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010_tmp] key hive_test_user USER Select false -1 hive_test_user
+default authorization_part [2010_tmp] [key] hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: drop table authorization_part
PREHOOK: type: DROPTABLE
PREHOOK: Input: default@authorization_part
diff --git a/ql/src/test/results/clientpositive/authorization_1.q.out b/ql/src/test/results/clientpositive/authorization_1.q.out
index 0ff4b04..dac0820 100644
--- a/ql/src/test/results/clientpositive/authorization_1.q.out
+++ b/ql/src/test/results/clientpositive/authorization_1.q.out
@@ -23,7 +23,7 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table src_autho_test
POSTHOOK: type: SHOW_GRANT
-default src_autho_test hive_test_user USER Select false -1 hive_test_user
+default src_autho_test hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: show grant user hive_test_user on table src_autho_test(key)
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table src_autho_test(key)
@@ -88,7 +88,7 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test(key)
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table src_autho_test(key)
POSTHOOK: type: SHOW_GRANT
-default src_autho_test key hive_test_user USER Select false -1 hive_test_user
+default src_autho_test [key] hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: select key from src_autho_test order by key limit 20
PREHOOK: type: QUERY
PREHOOK: Input: default@src_autho_test
@@ -145,7 +145,7 @@ PREHOOK: query: show grant group hive_test_group1 on table src_autho_test
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant group hive_test_group1 on table src_autho_test
POSTHOOK: type: SHOW_GRANT
-default src_autho_test hive_test_group1 GROUP Select false -1 hive_test_user
+default src_autho_test hive_test_group1 GROUP SELECT false -1 hive_test_user
PREHOOK: query: show grant group hive_test_group1 on table src_autho_test(key)
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant group hive_test_group1 on table src_autho_test(key)
@@ -210,7 +210,7 @@ PREHOOK: query: show grant group hive_test_group1 on table src_autho_test(key)
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant group hive_test_group1 on table src_autho_test(key)
POSTHOOK: type: SHOW_GRANT
-default src_autho_test key hive_test_group1 GROUP Select false -1 hive_test_user
+default src_autho_test [key] hive_test_group1 GROUP SELECT false -1 hive_test_user
PREHOOK: query: select key from src_autho_test order by key limit 20
PREHOOK: type: QUERY
PREHOOK: Input: default@src_autho_test
@@ -287,7 +287,7 @@ PREHOOK: query: show grant role src_role on table src_autho_test(key)
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant role src_role on table src_autho_test(key)
POSTHOOK: type: SHOW_GRANT
-default src_autho_test key src_role ROLE Select false -1 hive_test_user
+default src_autho_test [key] src_role ROLE SELECT false -1 hive_test_user
PREHOOK: query: select key from src_autho_test order by key limit 20
PREHOOK: type: QUERY
PREHOOK: Input: default@src_autho_test
@@ -364,7 +364,7 @@ PREHOOK: query: show grant role src_role on table src_autho_test
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant role src_role on table src_autho_test
POSTHOOK: type: SHOW_GRANT
-default src_autho_test src_role ROLE Select false -1 hive_test_user
+default src_autho_test src_role ROLE SELECT false -1 hive_test_user
PREHOOK: query: show grant role src_role on table src_autho_test(key)
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant role src_role on table src_autho_test(key)
diff --git a/ql/src/test/results/clientpositive/authorization_2.q.out b/ql/src/test/results/clientpositive/authorization_2.q.out
index 5d82e56..fc586d9 100644
--- a/ql/src/test/results/clientpositive/authorization_2.q.out
+++ b/ql/src/test/results/clientpositive/authorization_2.q.out
@@ -54,9 +54,9 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part
POSTHOOK: type: SHOW_GRANT
-default authorization_part hive_test_user USER Create false -1 hive_test_user
-default authorization_part hive_test_user USER Drop false -1 hive_test_user
-default authorization_part hive_test_user USER Update false -1 hive_test_user
+default authorization_part hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part hive_test_user USER DROP false -1 hive_test_user
+default authorization_part hive_test_user USER UPDATE false -1 hive_test_user
PREHOOK: query: alter table authorization_part add partition (ds='2010')
PREHOOK: type: ALTERTABLE_ADDPARTS
PREHOOK: Output: default@authorization_part
@@ -68,9 +68,9 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part parti
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] hive_test_user USER Create false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Drop false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Update false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER DROP false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER UPDATE false -1 hive_test_user
PREHOOK: query: grant select(key) on table authorization_part to user hive_test_user
PREHOOK: type: GRANT_PRIVILEGE
PREHOOK: Output: default@authorization_part
@@ -99,12 +99,12 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part(key)
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] key hive_test_user USER Select false -1 hive_test_user
+default authorization_part [2010] [key] hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: show grant user hive_test_user on table authorization_part(key)
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part(key)
POSTHOOK: type: SHOW_GRANT
-default authorization_part key hive_test_user USER Select false -1 hive_test_user
+default authorization_part [key] hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20
PREHOOK: type: QUERY
PREHOOK: Input: default@authorization_part
@@ -149,7 +149,7 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part(key)
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] key hive_test_user USER Select false -1 hive_test_user
+default authorization_part [2010] [key] hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20
PREHOOK: type: QUERY
PREHOOK: Input: default@authorization_part
@@ -204,9 +204,9 @@ PREHOOK: type: SHOW_GRANT
POSTHOOK: query: -- table grant to user
show grant user hive_test_user on table authorization_part
POSTHOOK: type: SHOW_GRANT
-default authorization_part hive_test_user USER Create false -1 hive_test_user
-default authorization_part hive_test_user USER Drop false -1 hive_test_user
-default authorization_part hive_test_user USER Update false -1 hive_test_user
+default authorization_part hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part hive_test_user USER DROP false -1 hive_test_user
+default authorization_part hive_test_user USER UPDATE false -1 hive_test_user
PREHOOK: query: alter table authorization_part add partition (ds='2010')
PREHOOK: type: ALTERTABLE_ADDPARTS
PREHOOK: Output: default@authorization_part
@@ -218,9 +218,9 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part parti
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] hive_test_user USER Create false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Drop false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Update false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER DROP false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER UPDATE false -1 hive_test_user
PREHOOK: query: grant select on table authorization_part to user hive_test_user
PREHOOK: type: GRANT_PRIVILEGE
PREHOOK: Output: default@authorization_part
@@ -249,18 +249,18 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part parti
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] hive_test_user USER Create false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Drop false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Select false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Update false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER DROP false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER SELECT false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER UPDATE false -1 hive_test_user
PREHOOK: query: show grant user hive_test_user on table authorization_part
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part
POSTHOOK: type: SHOW_GRANT
-default authorization_part hive_test_user USER Create false -1 hive_test_user
-default authorization_part hive_test_user USER Drop false -1 hive_test_user
-default authorization_part hive_test_user USER Select false -1 hive_test_user
-default authorization_part hive_test_user USER Update false -1 hive_test_user
+default authorization_part hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part hive_test_user USER DROP false -1 hive_test_user
+default authorization_part hive_test_user USER SELECT false -1 hive_test_user
+default authorization_part hive_test_user USER UPDATE false -1 hive_test_user
PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20
PREHOOK: type: QUERY
PREHOOK: Input: default@authorization_part
@@ -301,17 +301,17 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part
POSTHOOK: type: SHOW_GRANT
-default authorization_part hive_test_user USER Create false -1 hive_test_user
-default authorization_part hive_test_user USER Drop false -1 hive_test_user
-default authorization_part hive_test_user USER Update false -1 hive_test_user
+default authorization_part hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part hive_test_user USER DROP false -1 hive_test_user
+default authorization_part hive_test_user USER UPDATE false -1 hive_test_user
PREHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010')
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] hive_test_user USER Create false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Drop false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Select false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Update false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER DROP false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER SELECT false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER UPDATE false -1 hive_test_user
PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20
PREHOOK: type: QUERY
PREHOOK: Input: default@authorization_part
@@ -352,9 +352,9 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part parti
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] hive_test_user USER Create false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Drop false -1 hive_test_user
-default authorization_part [2010] hive_test_user USER Update false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER DROP false -1 hive_test_user
+default authorization_part [2010] hive_test_user USER UPDATE false -1 hive_test_user
PREHOOK: query: alter table authorization_part drop partition (ds='2010')
PREHOOK: type: ALTERTABLE_DROPPARTS
PREHOOK: Input: default@authorization_part
@@ -410,12 +410,12 @@ PREHOOK: query: show grant group hive_test_group1 on table authorization_part(ke
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant group hive_test_group1 on table authorization_part(key) partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] key hive_test_group1 GROUP Select false -1 hive_test_user
+default authorization_part [2010] [key] hive_test_group1 GROUP SELECT false -1 hive_test_user
PREHOOK: query: show grant group hive_test_group1 on table authorization_part(key)
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant group hive_test_group1 on table authorization_part(key)
POSTHOOK: type: SHOW_GRANT
-default authorization_part key hive_test_group1 GROUP Select false -1 hive_test_user
+default authorization_part [key] hive_test_group1 GROUP SELECT false -1 hive_test_user
PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20
PREHOOK: type: QUERY
PREHOOK: Input: default@authorization_part
@@ -460,7 +460,7 @@ PREHOOK: query: show grant group hive_test_group1 on table authorization_part(ke
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant group hive_test_group1 on table authorization_part(key) partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] key hive_test_group1 GROUP Select false -1 hive_test_user
+default authorization_part [2010] [key] hive_test_group1 GROUP SELECT false -1 hive_test_user
PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20
PREHOOK: type: QUERY
PREHOOK: Input: default@authorization_part
@@ -554,12 +554,12 @@ PREHOOK: query: show grant group hive_test_group1 on table authorization_part pa
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant group hive_test_group1 on table authorization_part partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] hive_test_group1 GROUP Select false -1 hive_test_user
+default authorization_part [2010] hive_test_group1 GROUP SELECT false -1 hive_test_user
PREHOOK: query: show grant group hive_test_group1 on table authorization_part
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant group hive_test_group1 on table authorization_part
POSTHOOK: type: SHOW_GRANT
-default authorization_part hive_test_group1 GROUP Select false -1 hive_test_user
+default authorization_part hive_test_group1 GROUP SELECT false -1 hive_test_user
PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20
PREHOOK: type: QUERY
PREHOOK: Input: default@authorization_part
@@ -604,7 +604,7 @@ PREHOOK: query: show grant group hive_test_group1 on table authorization_part pa
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant group hive_test_group1 on table authorization_part partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] hive_test_group1 GROUP Select false -1 hive_test_user
+default authorization_part [2010] hive_test_group1 GROUP SELECT false -1 hive_test_user
PREHOOK: query: select key from authorization_part where ds='2010' order by key limit 20
PREHOOK: type: QUERY
PREHOOK: Input: default@authorization_part
diff --git a/ql/src/test/results/clientpositive/authorization_3.q.out b/ql/src/test/results/clientpositive/authorization_3.q.out
index 834909c..8de1daf 100644
--- a/ql/src/test/results/clientpositive/authorization_3.q.out
+++ b/ql/src/test/results/clientpositive/authorization_3.q.out
@@ -25,8 +25,8 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table src_autho_test
POSTHOOK: type: SHOW_GRANT
-default src_autho_test hive_test_user USER Drop false -1 hive_test_user
-default src_autho_test hive_test_user USER Select false -1 hive_test_user
+default src_autho_test hive_test_user USER DROP false -1 hive_test_user
+default src_autho_test hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: revoke select on table src_autho_test from user hive_test_user
PREHOOK: type: REVOKE_PRIVILEGE
PREHOOK: Output: default@src_autho_test
@@ -49,8 +49,8 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table src_autho_test
POSTHOOK: type: SHOW_GRANT
-default src_autho_test hive_test_user USER Drop false -1 hive_test_user
-default src_autho_test hive_test_user USER Select false -1 hive_test_user
+default src_autho_test hive_test_user USER DROP false -1 hive_test_user
+default src_autho_test hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: revoke drop,select on table src_autho_test from user hive_test_user
PREHOOK: type: REVOKE_PRIVILEGE
PREHOOK: Output: default@src_autho_test
@@ -67,7 +67,7 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table src_autho_test
POSTHOOK: type: SHOW_GRANT
-default src_autho_test hive_test_user USER Drop false -1 hive_test_user
+default src_autho_test hive_test_user USER DROP false -1 hive_test_user
PREHOOK: query: revoke drop,select(key), select(value) on table src_autho_test from user hive_test_user
PREHOOK: type: REVOKE_PRIVILEGE
PREHOOK: Output: default@src_autho_test
diff --git a/ql/src/test/results/clientpositive/authorization_4.q.out b/ql/src/test/results/clientpositive/authorization_4.q.out
index 1b745d8..881c128 100644
--- a/ql/src/test/results/clientpositive/authorization_4.q.out
+++ b/ql/src/test/results/clientpositive/authorization_4.q.out
@@ -19,7 +19,7 @@ PREHOOK: query: show grant user hive_test_user on table src_autho_test
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table src_autho_test
POSTHOOK: type: SHOW_GRANT
-default src_autho_test hive_test_user USER All false -1 hive_test_user
+default src_autho_test hive_test_user USER ALL false -1 hive_test_user
PREHOOK: query: select key from src_autho_test order by key limit 20
PREHOOK: type: QUERY
PREHOOK: Input: default@src_autho_test
diff --git a/ql/src/test/results/clientpositive/authorization_5.q.out b/ql/src/test/results/clientpositive/authorization_5.q.out
index 6f75dd1..7da3d70 100644
--- a/ql/src/test/results/clientpositive/authorization_5.q.out
+++ b/ql/src/test/results/clientpositive/authorization_5.q.out
@@ -24,8 +24,8 @@ PREHOOK: query: SHOW GRANT USER hive_test_user ON DATABASE test_db
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: SHOW GRANT USER hive_test_user ON DATABASE test_db
POSTHOOK: type: SHOW_GRANT
-test_db hive_test_user USER Drop false -1 hive_test_user
-test_db hive_test_user USER Select false -1 hive_test_user
+test_db hive_test_user USER DROP false -1 hive_test_user
+test_db hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: CREATE ROLE db_test_role
PREHOOK: type: CREATEROLE
POSTHOOK: query: CREATE ROLE db_test_role
@@ -52,8 +52,8 @@ PREHOOK: query: SHOW GRANT ROLE db_test_role ON DATABASE test_db
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: SHOW GRANT ROLE db_test_role ON DATABASE test_db
POSTHOOK: type: SHOW_GRANT
-test_db db_test_role ROLE Drop false -1 hive_test_user
-test_db db_test_role ROLE Select false -1 hive_test_user
+test_db db_test_role ROLE DROP false -1 hive_test_user
+test_db db_test_role ROLE SELECT false -1 hive_test_user
PREHOOK: query: DROP DATABASE IF EXISTS test_db
PREHOOK: type: DROPDATABASE
PREHOOK: Input: database:test_db
diff --git a/ql/src/test/results/clientpositive/authorization_6.q.out b/ql/src/test/results/clientpositive/authorization_6.q.out
index b7bccd0..d931eac 100644
--- a/ql/src/test/results/clientpositive/authorization_6.q.out
+++ b/ql/src/test/results/clientpositive/authorization_6.q.out
@@ -54,9 +54,9 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part
POSTHOOK: type: SHOW_GRANT
-default authorization_part hive_test_user USER Create false -1 hive_test_user
-default authorization_part hive_test_user USER Drop false -1 hive_test_user
-default authorization_part hive_test_user USER Update false -1 hive_test_user
+default authorization_part hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part hive_test_user USER DROP false -1 hive_test_user
+default authorization_part hive_test_user USER UPDATE false -1 hive_test_user
PREHOOK: query: grant select(key) on table authorization_part to user hive_test_user
PREHOOK: type: GRANT_PRIVILEGE
PREHOOK: Output: default@authorization_part
@@ -87,17 +87,17 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part(key)
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) partition (ds='2010')
POSTHOOK: type: SHOW_GRANT
-default authorization_part [2010] key hive_test_user USER Select false -1 hive_test_user
+default authorization_part [2010] [key] hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: show grant user hive_test_user on table authorization_part(key) partition (ds='2011')
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part(key) partition (ds='2011')
POSTHOOK: type: SHOW_GRANT
-default authorization_part [2011] key hive_test_user USER Select false -1 hive_test_user
+default authorization_part [2011] [key] hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: show grant user hive_test_user on table authorization_part(key)
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part(key)
POSTHOOK: type: SHOW_GRANT
-default authorization_part key hive_test_user USER Select false -1 hive_test_user
+default authorization_part [key] hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: select key from authorization_part where ds>='2010' order by key limit 20
PREHOOK: type: QUERY
PREHOOK: Input: default@authorization_part
@@ -169,8 +169,8 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part
POSTHOOK: type: SHOW_GRANT
-default authorization_part hive_test_user USER Create false -1 hive_test_user
-default authorization_part hive_test_user USER Update false -1 hive_test_user
+default authorization_part hive_test_user USER CREATE false -1 hive_test_user
+default authorization_part hive_test_user USER UPDATE false -1 hive_test_user
PREHOOK: query: grant select(key) on table authorization_part to user hive_test_user
PREHOOK: type: GRANT_PRIVILEGE
PREHOOK: Output: default@authorization_part
@@ -209,7 +209,7 @@ PREHOOK: query: show grant user hive_test_user on table authorization_part(key)
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table authorization_part(key)
POSTHOOK: type: SHOW_GRANT
-default authorization_part key hive_test_user USER Select false -1 hive_test_user
+default authorization_part [key] hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: select key from authorization_part where ds>='2010' order by key limit 20
PREHOOK: type: QUERY
PREHOOK: Input: default@authorization_part
diff --git a/ql/src/test/results/clientpositive/authorization_9.q.out b/ql/src/test/results/clientpositive/authorization_9.q.out
index d03682c..b3eb7a0 100644
--- a/ql/src/test/results/clientpositive/authorization_9.q.out
+++ b/ql/src/test/results/clientpositive/authorization_9.q.out
@@ -29,20 +29,20 @@ PREHOOK: query: show grant user hive_test_user on database default
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on database default
POSTHOOK: type: SHOW_GRANT
-default hive_test_user USER Select false -1 hive_test_user
+default hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: show grant user hive_test_user on table dummy
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on table dummy
POSTHOOK: type: SHOW_GRANT
-default dummy hive_test_user USER Select false -1 hive_test_user
+default dummy hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: show grant user hive_test_user on all
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test_user on all
POSTHOOK: type: SHOW_GRANT
-default hive_test_user USER Select false -1 hive_test_user
-default dummy hive_test_user USER Select false -1 hive_test_user
-default dummy key hive_test_user USER Select false -1 hive_test_user
-default dummy value hive_test_user USER Select false -1 hive_test_user
+default hive_test_user USER SELECT false -1 hive_test_user
+default dummy hive_test_user USER SELECT false -1 hive_test_user
+default dummy [key] hive_test_user USER SELECT false -1 hive_test_user
+default dummy [value] hive_test_user USER SELECT false -1 hive_test_user
PREHOOK: query: grant select on database default to user hive_test_user2
PREHOOK: type: GRANT_PRIVILEGE
POSTHOOK: query: grant select on database default to user hive_test_user2
@@ -63,15 +63,15 @@ PREHOOK: query: show grant on all
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant on all
POSTHOOK: type: SHOW_GRANT
- admin ROLE All true -1 admin
-default hive_test_user USER Select false -1 hive_test_user
-default hive_test_user2 USER Select false -1 hive_test_user
-default dummy hive_test_user USER Select false -1 hive_test_user
-default dummy hive_test_user2 USER Select false -1 hive_test_user
-default dummy key hive_test_user USER Select false -1 hive_test_user
-default dummy key hive_test_user2 USER Select false -1 hive_test_user
-default dummy value hive_test_user USER Select false -1 hive_test_user
-default dummy value hive_test_user2 USER Select false -1 hive_test_user
+ admin ROLE ALL true -1 admin
+default hive_test_user USER SELECT false -1 hive_test_user
+default hive_test_user2 USER SELECT false -1 hive_test_user
+default dummy hive_test_user USER SELECT false -1 hive_test_user
+default dummy hive_test_user2 USER SELECT false -1 hive_test_user
+default dummy [key] hive_test_user USER SELECT false -1 hive_test_user
+default dummy [key] hive_test_user2 USER SELECT false -1 hive_test_user
+default dummy [value] hive_test_user USER SELECT false -1 hive_test_user
+default dummy [value] hive_test_user2 USER SELECT false -1 hive_test_user
PREHOOK: query: revoke select on database default from user hive_test_user
PREHOOK: type: REVOKE_PRIVILEGE
POSTHOOK: query: revoke select on database default from user hive_test_user
diff --git a/ql/src/test/results/clientpositive/authorization_show_role_principals_v1.q.out b/ql/src/test/results/clientpositive/authorization_show_role_principals_v1.q.out
new file mode 100644
index 0000000..7c87e2c
--- /dev/null
+++ b/ql/src/test/results/clientpositive/authorization_show_role_principals_v1.q.out
@@ -0,0 +1,30 @@
+PREHOOK: query: create role role1
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: create role role1
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: grant role1 to user user1 with admin option
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant role1 to user user1 with admin option
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: grant role1 to user user2 with admin option
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant role1 to user user2 with admin option
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: show role grant user user1
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user user1
+POSTHOOK: type: SHOW_ROLE_GRANT
+public false -1
+role1 true -1 hive_test_user
+PREHOOK: query: show role grant user user2
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user user2
+POSTHOOK: type: SHOW_ROLE_GRANT
+public false -1
+role1 true -1 hive_test_user
+PREHOOK: query: show principals role1
+PREHOOK: type: SHOW_ROLE_PRINCIPALS
+POSTHOOK: query: show principals role1
+POSTHOOK: type: SHOW_ROLE_PRINCIPALS
+user1 USER true hive_test_user USER -1
+user2 USER true hive_test_user USER -1
diff --git a/ql/src/test/results/clientpositive/keyword_1.q.out b/ql/src/test/results/clientpositive/keyword_1.q.out
index 84bb2d0..55c6701 100644
--- a/ql/src/test/results/clientpositive/keyword_1.q.out
+++ b/ql/src/test/results/clientpositive/keyword_1.q.out
@@ -52,7 +52,7 @@ PREHOOK: query: show grant user hive_test on table test_user
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test on table test_user
POSTHOOK: type: SHOW_GRANT
-default test_user hive_test USER Select false -1 hive_test_user
+default test_user hive_test USER SELECT false -1 hive_test_user
PREHOOK: query: drop table test_user
PREHOOK: type: DROPTABLE
PREHOOK: Input: default@test_user
@@ -111,7 +111,7 @@ PREHOOK: query: show grant user hive_test on table test_user
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user hive_test on table test_user
POSTHOOK: type: SHOW_GRANT
-default test_user hive_test USER Select false -1 hive_test_user
+default test_user hive_test USER SELECT false -1 hive_test_user
PREHOOK: query: drop table test_user
PREHOOK: type: DROPTABLE
PREHOOK: Input: default@test_user
diff --git a/ql/src/test/results/clientpositive/show_roles.q.out b/ql/src/test/results/clientpositive/show_roles.q.out
index f90bba0..c3c8c6d 100644
--- a/ql/src/test/results/clientpositive/show_roles.q.out
+++ b/ql/src/test/results/clientpositive/show_roles.q.out
@@ -14,3 +14,4 @@ admin
public
role1
role2
+