diff --git a/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java b/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
index b74868b..caf82a7 100644
--- a/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
+++ b/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
@@ -4008,7 +4008,7 @@ public boolean drop_role(final String roleName)
       incrementCounter("drop_role");
       firePreEvent(new PreAuthorizationCallEvent(this));
       if (ADMIN.equals(roleName) || PUBLIC.equals(roleName)) {
-        throw new MetaException(PUBLIC + "/" + ADMIN +" role can't be dropped.");
+        throw new MetaException(PUBLIC + "," + ADMIN +" roles can't be dropped.");
       }
       Boolean ret = null;
       try {
@@ -4078,6 +4078,7 @@ private boolean revoke_role(final String roleName, final String userName,
       return ret;
     }
 
+    @Override
     public GrantRevokeRoleResponse grant_revoke_role(GrantRevokeRoleRequest request)
         throws MetaException, org.apache.thrift.TException {
       GrantRevokeRoleResponse response = new GrantRevokeRoleResponse();
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
index 6a283ab..5adb980 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
@@ -412,5 +412,8 @@ public static void assertNoDeniedPermissions(HivePrincipal hivePrincipal,
 } } + static HiveAuthzPluginException getPluginException(String prefix, Exception e) { + return new HiveAuthzPluginException(prefix + ": " + e.getMessage(), e); + } }
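Review bot: The guard directly above the changed throw compares `roleName` with `ADMIN`/`PUBLIC` using case-sensitive `equals`, while `isUserAdmin` in this same patch uses `equalsIgnoreCase(HiveMetaStore.ADMIN)`; the updated `authorization_public_drop.q.out` shows `drop role PUBLIC` being rejected, which suggests the name is normalized before it reaches here, but that is not visible in the hunk. A short comment above the `if` would stop the asymmetry from reading like a bypass: `// assumes roleName was lower-cased by the caller (see authorization_public_drop test) — TODO confirm; ADMIN and PUBLIC are reserved and must never be dropped`. drop_role's body continues outside the hunk.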
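Review bot: The new `getPluginException` builds its message from `e.getMessage()`, which is null for many exception types (a `NullPointerException` raised inside the metastore client, for one), so every caller in this patch can surface text like `Error dropping role: null`; since the helper now feeds all user-facing authorization errors in `SQLStdHiveAccessController`, guard it: `String detail = e.getMessage() != null ? e.getMessage() : e.toString();` then `return new HiveAuthzPluginException(prefix + ": " + detail, e);`. The package-private helper also has no Javadoc; a one-sentence `/** Wraps {@code e} in a HiveAuthzPluginException whose message is {@code prefix}, a colon, and the cause's message. */` would document the message format the golden files in this patch now pin. The context lines of this hunk are collapsed in the source, so the helper's exact position in the class cannot be confirmed here.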
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
index fa77c0c..140882d 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
@@ -123,8 +123,8 @@ private void initUserRoles() throws HiveAuthzPluginException {
       }
       return currentRoles;
     } catch (Exception e) {
-      throw new HiveAuthzPluginException("Failed to retrieve roles for " + currentUserName + ": "
-          + e.getMessage(), e);
+      throw SQLAuthorizationUtils.getPluginException("Failed to retrieve roles for "
+          + currentUserName, e);
     }
   }
 
@@ -179,7 +179,7 @@ public void grantPrivileges(List hivePrincipals,
     try {
       metastoreClient.grant_privileges(privBag);
     } catch (Exception e) {
-      throw new HiveAuthzPluginException("Error granting privileges: " + e.getMessage(), e);
+      throw SQLAuthorizationUtils.getPluginException("Error granting privileges", e);
     }
   }
 
@@ -239,7 +239,7 @@ public void revokePrivileges(List hivePrincipals,
       // that has desired behavior.
       metastoreClient.revoke_privileges(new PrivilegeBag(revokePrivs), grantOption);
     } catch (Exception e) {
-      throw new HiveAuthzPluginException("Error revoking privileges", e);
+      throw SQLAuthorizationUtils.getPluginException("Error revoking privileges", e);
     }
   }
 
@@ -260,7 +260,7 @@ public void createRole(String roleName, HivePrincipal adminGrantor)
       metastoreClientFactory.getHiveMetastoreClient().create_role(
           new Role(roleName, 0, grantorName));
     } catch (TException e) {
-      throw new HiveAuthzPluginException("Error create role : " + e.getMessage(), e);
+      throw SQLAuthorizationUtils.getPluginException("Error create role", e);
     }
   }
 
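Review bot: The `revokePrivileges` hunk at 239 (and `dropRole` and `listRoleNames` in the hunks that follow) previously threw with only the fixed prefix, so routing them through `getPluginException` now appends the cause's message to the user-facing error; that matches the other sites but is a visible behaviour change, and of those three only `dropRole` is covered by the new `authorization_drop_admin_role.q.out`. Any existing golden output for a revoke or list failure would need regenerating as well. Separately, the `createRole` hunk keeps the old ungrammatical prefix: `"Error create role"` should read `"Error creating role"` to match `"Error dropping role"` and `"Error granting privileges"`. Each enclosing method starts before its hunk.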
@@ -274,7 +274,7 @@ public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAcces
     try {
       metastoreClientFactory.getHiveMetastoreClient().drop_role(roleName);
     } catch (Exception e) {
-      throw new HiveAuthzPluginException("Error dropping role", e);
+      throw SQLAuthorizationUtils.getPluginException("Error dropping role", e);
     }
   }
 
@@ -295,11 +295,11 @@ public void grantRole(List hivePrincipals, List roleNames
             grantorPrinc.getName(), AuthorizationUtils.getThriftPrincipalType(grantorPrinc.getType()),
             grantOption);
       } catch (MetaException e) {
-        throw new HiveAuthzPluginException(e.getMessage(), e);
+        throw SQLAuthorizationUtils.getPluginException("Error granting role", e);
       } catch (Exception e) {
         String msg = "Error granting roles for " + hivePrincipal.getName() + " to role "
-            + roleName + ": " + e.getMessage();
-        throw new HiveAuthzPluginException(msg, e);
+            + roleName;
+        throw SQLAuthorizationUtils.getPluginException(msg, e);
       }
     }
   }
@@ -321,8 +321,8 @@ public void revokeRole(List hivePrincipals, List roleName
             AuthorizationUtils.getThriftPrincipalType(hivePrincipal.getType()), grantOption);
       } catch (Exception e) {
         String msg = "Error revoking roles for " + hivePrincipal.getName() + " to role "
-            + roleName + ": " + e.getMessage();
-        throw new HiveAuthzPluginException(msg, e);
+            + roleName;
+        throw SQLAuthorizationUtils.getPluginException(msg, e);
       }
     }
   }
@@ -338,7 +338,7 @@ public void revokeRole(List hivePrincipals, List roleName
     try {
       return metastoreClientFactory.getHiveMetastoreClient().listRoleNames();
     } catch (Exception e) {
-      throw new HiveAuthzPluginException("Error listing all roles", e);
+      throw SQLAuthorizationUtils.getPluginException("Error listing all roles", e);
     }
   }
 
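Review bot: In the `grantRole` hunk at 295 the two catch branches now differ only in their prefix, and the `MetaException` branch omits the principal and role that the generic branch reports, so a metastore-side refusal tells the user less than a transport failure does. Unless the metastore message is relied on to be self-describing (the updated `authorization_role_cycles*.q.out` files show it does name both roles), either drop the `MetaException` catch so every failure reports `Error granting roles for <principal> to role <role>`, or put the context in the prefix: `throw SQLAuthorizationUtils.getPluginException("Error granting role " + roleName + " to " + hivePrincipal.getName(), e);`. Either way the two cycles golden files would need regenerating. grantRole's signature and its loop start before the hunk.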
@@ -353,10 +353,12 @@ public void revokeRole(List hivePrincipals, List roleName
     try {
       return getHiveRoleGrants(metastoreClientFactory.getHiveMetastoreClient(), roleName);
     } catch (Exception e) {
-      throw new HiveAuthzPluginException("Error getting principals for all roles", e);
+      throw SQLAuthorizationUtils.getPluginException("Error getting principals for all roles", e);
     }
   }
 
+
+
   public static List getHiveRoleGrants(IMetaStoreClient client, String roleName)
       throws Exception {
     GetPrincipalsInRoleRequest request = new GetPrincipalsInRoleRequest(roleName);
@@ -435,7 +437,7 @@ public void revokeRole(List hivePrincipals, List roleName
 
       return resPrivInfos;
     } catch (Exception e) {
-      throw new HiveAuthzPluginException("Error showing privileges: "+ e.getMessage(), e);
+      throw SQLAuthorizationUtils.getPluginException("Error showing privileges", e);
     }
   }
 
@@ -550,11 +552,7 @@ public void setCurrentRole(String roleName) throws HiveAccessControlException,
    */
   boolean isUserAdmin() throws HiveAuthzPluginException {
     List roles;
-    try {
-      roles = getCurrentRoles();
-    } catch (Exception e) {
-      throw new HiveAuthzPluginException(e);
-    }
+    roles = getCurrentRoles();
     for (HiveRoleGrant role : roles) {
       if (role.getRoleName().equalsIgnoreCase(HiveMetaStore.ADMIN)) {
         return true;
@@ -565,11 +563,7 @@ boolean isUserAdmin() throws HiveAuthzPluginException {
 private boolean doesUserHasAdminOption(List roleNames) throws HiveAuthzPluginException { List currentRoles; - try { - currentRoles = getCurrentRoles(); - } catch (Exception e) { - throw new HiveAuthzPluginException(e); - } + currentRoles = getCurrentRoles(); for (String roleName : roleNames) { boolean roleFound = false; for (HiveRoleGrant currentRole : currentRoles) {
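Review bot: The two added lines in the 353 hunk are empty, leaving three consecutive blank lines between the closing brace of the preceding method and `public static List getHiveRoleGrants(...)`; they look like leftover whitespace from editing and should be dropped so the hunk contains only the helper substitution. The rest of the hunk is the same `getPluginException` change as the earlier sites. `getHiveRoleGrants` continues past the end of the hunk.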
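Review bot: Removing the try/catch around `getCurrentRoles()` in `isUserAdmin` (and in `doesUserHasAdminOption` in the following hunk) also removes the wrapping of unchecked exceptions: previously any `RuntimeException` from the role lookup surfaced as a `HiveAuthzPluginException`, now it propagates unchanged, so a caller that catches only `HiveAuthzPluginException` to fail the operation will see a different exception type. The simplification only compiles if `getCurrentRoles()` itself declares `HiveAuthzPluginException`, which is not visible in this hunk and is worth confirming. A Javadoc line on `isUserAdmin` such as `Role-lookup failures propagate as exceptions rather than being reported as "not admin", so an authorization decision is never made on a partial role list.` would record that the fail-closed behaviour is intentional. Both methods continue outside the hunk.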
@@ -606,8 +600,8 @@ private boolean doesUserHasAdminOption(List roleNames) throws HiveAuthzP
       }
       return hiveRoleGrants;
     } catch (Exception e) {
-      throw new HiveAuthzPluginException("Error getting role grant information for user "
-          + principal.getName() + ": " + e.getMessage(), e);
+      throw SQLAuthorizationUtils.getPluginException("Error getting role grant information for user "
+          + principal.getName(), e);
     }
   }
 
diff --git a/ql/src/test/queries/clientnegative/authorization_drop_admin_role.q b/ql/src/test/queries/clientnegative/authorization_drop_admin_role.q
new file mode 100644
index 0000000..9c21b5f
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_drop_admin_role.q
@@ -0,0 +1,5 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+set role admin;
+drop role admin;
diff --git a/ql/src/test/results/clientnegative/authorization_drop_admin_role.q.out b/ql/src/test/results/clientnegative/authorization_drop_admin_role.q.out
new file mode 100644
index 0000000..8383f52
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_drop_admin_role.q.out
@@ -0,0 +1,7 @@
+PREHOOK: query: set role admin
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role admin
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: drop role admin
+PREHOOK: type: DROPROLE
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error dropping role: public,admin roles can't be dropped.
diff --git a/ql/src/test/results/clientnegative/authorization_public_drop.q.out b/ql/src/test/results/clientnegative/authorization_public_drop.q.out
index 7759745..520b56e 100644
--- a/ql/src/test/results/clientnegative/authorization_public_drop.q.out
+++ b/ql/src/test/results/clientnegative/authorization_public_drop.q.out
@@ -1,3 +1,3 @@
 PREHOOK: query: drop role PUBLIC
 PREHOOK: type: DROPROLE
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:public/admin role can't be dropped.)
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:public,admin roles can't be dropped.)
diff --git a/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out b/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
index 032be5b..2b7eaeb 100644
--- a/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
+++ b/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
@@ -19,4 +19,4 @@ POSTHOOK: type: GRANT_ROLE
 PREHOOK: query: -- this will create a cycle
 grant role role2 to role role1
 PREHOOK: type: GRANT_ROLE
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Cannot grant role role1 to role2 as role2 already belongs to the role role1. (no cycles allowed)
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error granting role: Cannot grant role role1 to role2 as role2 already belongs to the role role1. (no cycles allowed)
diff --git a/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out b/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
index a9d8cfe..fe47208 100644
--- a/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
+++ b/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
@@ -45,4 +45,4 @@ POSTHOOK: type: GRANT_ROLE
 PREHOOK: query: -- this will create a cycle in middle of the hierarchy
 grant role role2 to role role4
 PREHOOK: type: GRANT_ROLE
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Cannot grant role role4 to role2 as role2 already belongs to the role role4. (no cycles allowed)
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error granting role: Cannot grant role role4 to role2 as role2 already belongs to the role role4. (no cycles allowed)