diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java index 15bc0a3..74f3925 100644 --- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java +++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java @@ -36,12 +36,14 @@ import javax.security.auth.login.LoginException; -import static org.apache.hadoop.hive.conf.Validator.*; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate; +import org.apache.hadoop.hive.conf.Validator.PatternSet; +import org.apache.hadoop.hive.conf.Validator.RangeValidator; +import org.apache.hadoop.hive.conf.Validator.StringSet; import org.apache.hadoop.hive.shims.ShimLoader; import org.apache.hadoop.mapred.JobConf; import org.apache.hadoop.security.UserGroupInformation; @@ -282,9 +284,9 @@ LOCALMODEAUTO("hive.exec.mode.local.auto", false, "Let Hive determine whether to run in local mode automatically"), - LOCALMODEMAXBYTES("hive.exec.mode.local.auto.inputbytes.max", 134217728L, + LOCALMODEMAXBYTES("hive.exec.mode.local.auto.inputbytes.max", 134217728L, "When hive.exec.mode.local.auto is true, input bytes should less than this for local mode."), - LOCALMODEMAXINPUTFILES("hive.exec.mode.local.auto.input.files.max", 4, + LOCALMODEMAXINPUTFILES("hive.exec.mode.local.auto.input.files.max", 4, "When hive.exec.mode.local.auto is true, the number of tasks should less than this for local mode."), DROPIGNORESNONEXISTENT("hive.exec.drop.ignorenonexistent", true, 
@@ -355,7 +357,7 @@ "The number of times to retry a HMSHandler call if there were a connection error"), HMSHANDLERINTERVAL("hive.hmshandler.retry.interval", 1000, "The number of milliseconds between HMSHandler retry attempts"), - HMSHANDLERFORCERELOADCONF("hive.hmshandler.force.reload.conf", false, + HMSHANDLERFORCERELOADCONF("hive.hmshandler.force.reload.conf", false, "Whether to force reloading of the HMSHandler configuration (including\n" + "the connection URL, before the next metastore query that accesses the\n" + "datastore. Once reloaded, this value is reset to false. Used for\n" + @@ -368,7 +370,7 @@ "Whether to enable TCP keepalive for the metastore server. Keepalive will prevent accumulation of half-open connections."), METASTORE_INT_ORIGINAL("hive.metastore.archive.intermediate.original", - "_INTERMEDIATE_ORIGINAL", + "_INTERMEDIATE_ORIGINAL", "Intermediate dir suffixes used for archiving. Not important what they\n" + "are, as long as collisions are avoided"), METASTORE_INT_ARCHIVED("hive.metastore.archive.intermediate.archived", @@ -544,7 +546,7 @@ HIVE_SESSION_HISTORY_ENABLED("hive.session.history.enabled", false, "Whether to log Hive query, query plan, runtime statistics etc."), - HIVEQUERYSTRING("hive.query.string", "", + HIVEQUERYSTRING("hive.query.string", "", "Query being executed (might be multiple per a session)"), HIVEQUERYID("hive.query.id", "", @@ -783,7 +785,7 @@ " for small ORC files. Note that enabling this config will not honor padding tolerance\n" + " config (hive.exec.orc.block.padding.tolerance)."), HIVEMERGEINPUTFORMATSTRIPELEVEL("hive.merge.input.format.stripe.level", - "org.apache.hadoop.hive.ql.io.orc.OrcFileStripeMergeInputFormat", + "org.apache.hadoop.hive.ql.io.orc.OrcFileStripeMergeInputFormat", "Input file format to use for ORC stripe level merging (for internal use only)"), HIVEMERGECURRENTJOBHASDYNAMICPARTITIONS( "hive.merge.current.job.has.dynamic.partitions", false, ""), 
@@ -799,7 +801,7 @@ HIVE_RCFILE_TOLERATE_CORRUPTIONS("hive.io.rcfile.tolerate.corruptions", false, ""), HIVE_RCFILE_RECORD_BUFFER_SIZE("hive.io.rcfile.record.buffer.size", 4194304, ""), // 4M - HIVE_ORC_FILE_MEMORY_POOL("hive.exec.orc.memory.pool", 0.5f, + HIVE_ORC_FILE_MEMORY_POOL("hive.exec.orc.memory.pool", 0.5f, "Maximum fraction of heap that can be used by ORC file writers"), HIVE_ORC_WRITE_FORMAT("hive.exec.orc.write.format", null, "Define the version of the file to write"), @@ -1080,8 +1082,8 @@ "The Java class (implementing the StatsAggregator interface) that is used by default if hive.stats.dbclass is custom type."), HIVE_STATS_JDBC_TIMEOUT("hive.stats.jdbc.timeout", 30, "Timeout value (number of seconds) used by JDBC connection and statements."), - HIVE_STATS_ATOMIC("hive.stats.atomic", false, - "whether to update metastore stats only if all stats are available"), + HIVE_STATS_ATOMIC("hive.stats.atomic", false, + "whether to update metastore stats only if all stats are available"), HIVE_STATS_RETRIES_MAX("hive.stats.retries.max", 0, "Maximum number of retries when stats publisher/aggregator got an exception updating intermediate database. \n" + "Default is no tries on failures."), @@ -1304,6 +1306,8 @@ "Enables type checking for registered Hive configurations"), SEMANTIC_ANALYZER_HOOK("hive.semantic.analyzer.hook", "", ""), + HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE( + "hive.test.authz.sstd.hs2.mode", false, "test hs2 mode from .q tests", true), HIVE_AUTHORIZATION_ENABLED("hive.security.authorization.enabled", false, "enable or disable the Hive client authorization"), HIVE_AUTHORIZATION_MANAGER("hive.security.authorization.manager", 
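Review bot: The description on the new `HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE` entry, `"test hs2 mode from .q tests"`, does not tell a reader that `hive.test.authz.sstd.hs2.mode` changes authorization behaviour. Elsewhere in this commit SQLStdHiveAccessController reads it to treat a HIVECLI session as HIVESERVER2, so the text should say that and mark the setting as test-only, for example `"Test-only: makes SQL standard authorization treat a Hive CLI session as HiveServer2; do not set in production"`. The trailing `true` argument presumably keeps the entry out of the generated template (to be confirmed against the ConfVars constructor), which makes an accurate description in the source more important.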
@@ -1635,7 +1639,7 @@ "Exceeding this will trigger a flush irrelevant of memory pressure condition."), HIVE_VECTORIZATION_GROUPBY_FLUSH_PERCENT("hive.vectorized.groupby.flush.percent", (float) 0.1, "Percent of entries in the group by aggregation hash flushed when the memory threshold is exceeded."), - + HIVE_TYPE_CHECK_ON_INSERT("hive.typecheck.on.insert", true, ""), diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java index c91b15c..b68c03d 100644 --- a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java +++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java @@ -63,7 +63,7 @@ static class MockedHiveAuthorizerFactory implements HiveAuthorizerFactory { @Override public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, - HiveConf conf, HiveAuthenticationProvider authenticator) { + HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) { TestHiveAuthorizerCheckInvocation.mockedAuthorizer = Mockito.mock(HiveAuthorizer.class); return TestHiveAuthorizerCheckInvocation.mockedAuthorizer; } diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestCLIAuthzSessionContext.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestCLIAuthzSessionContext.java new file mode 100644 index 0000000..9a44dfa --- /dev/null +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestCLIAuthzSessionContext.java 
@@ -0,0 +1,88 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hive.jdbc.authorization; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; + +import org.apache.hadoop.hive.cli.CliDriver; +import org.apache.hadoop.hive.cli.CliSessionState; +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.conf.HiveConf.ConfVars; +import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; +import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; +import org.apache.hadoop.hive.ql.session.SessionState; +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Test; +import org.mockito.Mockito; +/** + * Test context information that gets passed to authorization factory + */ +public class TestCLIAuthzSessionContext { + private static 
HiveAuthzSessionContext sessionCtx; + private static CliDriver driver; + + /** + * This factory captures the HiveAuthzSessionContext argument and returns mocked + * HiveAuthorizer class + */ + static class MockedHiveAuthorizerFactory implements HiveAuthorizerFactory { + @Override + public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, + HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) { + TestCLIAuthzSessionContext.sessionCtx = ctx; + HiveAuthorizer mockedAuthorizer = Mockito.mock(HiveAuthorizer.class); + return mockedAuthorizer; + } + } + + @BeforeClass + public static void beforeTest() throws Exception { + HiveConf conf = new HiveConf(); + conf.setVar(ConfVars.HIVE_AUTHORIZATION_MANAGER, MockedHiveAuthorizerFactory.class.getName()); + conf.setVar(ConfVars.HIVE_AUTHENTICATOR_MANAGER, SessionStateUserAuthenticator.class.getName()); + conf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true); + conf.setBoolVar(ConfVars.HIVE_SUPPORT_CONCURRENCY, false); + + // once SessionState for thread is set, CliDriver picks conf from it + CliSessionState ss = new CliSessionState(conf); + ss.err = System.err; + ss.out = System.out; + SessionState.start(ss); + TestCLIAuthzSessionContext.driver = new CliDriver(); + } + + @AfterClass + public static void afterTest() throws Exception { + } + + @Test + public void testAuthzSessionContextContents() throws Exception { + driver.processCmd("show tables"); + // session string is supposed to be unique, so its got to be of some reasonable size + assertTrue("session string size check", sessionCtx.getSessionString().length() > 10); + assertEquals("Client type ", HiveAuthzSessionContext.CLIENT_TYPE.HIVECLI, sessionCtx.getClientType()); + } + +} diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java index f42390c..d03dba4 100644 
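Review bot: `testAuthzSessionContextContents` in TestCLIAuthzSessionContext dereferences the static `sessionCtx` without first asserting that the mocked factory captured it, so a missed factory call surfaces as a NullPointerException rather than a readable failure. Add `assertNotNull("authorizer factory was not invoked", sessionCtx);` ahead of the two existing assertions; TestHS2AuthzSessionContext in this commit has the same gap. Separately, `afterTest()` is empty although `beforeTest()` calls `SessionState.start(ss)` with authorization enabled and a mocked authorizer. Closing or detaching that session there would keep it from leaking into other tests that may run on the same thread.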
--- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java @@ -33,9 +33,12 @@ import org.apache.hadoop.hive.conf.HiveConf.ConfVars; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; @@ -60,7 +63,7 @@ static class MockedHiveAuthorizerFactory implements HiveAuthorizerFactory { @Override public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, - HiveConf conf, HiveAuthenticationProvider authenticator) { + HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) { TestHS2AuthzContext.mockedAuthorizer = Mockito.mock(HiveAuthorizer.class); return TestHS2AuthzContext.mockedAuthorizer; } 
@@ -88,12 +91,21 @@ public static void afterTest() throws Exception { } @Test - public void testAuthzContextContents() throws Exception { + public void testAuthzContextContentsDriverCmd() throws Exception { + String cmd = "show tables"; + verifyContextContents(cmd, cmd); + } + + @Test + public void testAuthzContextContentsCmdProcessorCmd() throws Exception { + verifyContextContents("dfs -ls /", "-ls /"); + } + private void verifyContextContents(final String cmd, String ctxCmd) throws SQLException, + HiveAuthzPluginException, HiveAccessControlException { Connection hs2Conn = getConnection("user1"); Statement stmt = hs2Conn.createStatement(); - final String cmd = "show tables"; stmt.execute(cmd); stmt.close(); hs2Conn.close(); @@ -107,13 +119,10 @@ public void testAuthzContextContents() throws Exception { HiveAuthzContext context = contextCapturer.getValue(); - assertEquals("Command ", cmd, context.getCommandString()); + assertEquals("Command ", ctxCmd, context.getCommandString()); assertTrue("ip address pattern check", context.getIpAddress().contains(".")); // ip address size check - check for something better than non zero assertTrue("ip address size check", context.getIpAddress().length() > 7); - // session string is supposed to be unique, so its got to be of some reasonable size - assertTrue("session string size check", context.getSessionString().length() > 10); - assertEquals("Client type ", HiveAuthzContext.CLIENT_TYPE.HIVESERVER2, context.getClientType()); } private Connection getConnection(String userName) throws SQLException { diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzSessionContext.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzSessionContext.java new file mode 100644 index 0000000..eb29e22 --- /dev/null +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzSessionContext.java 
@@ -0,0 +1,88 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hive.jdbc.authorization; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; + +import java.util.HashMap; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.conf.HiveConf.ConfVars; +import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; +import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; +import org.apache.hive.jdbc.miniHS2.MiniHS2; +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Test; +import org.mockito.Mockito; +/** + * Test context information that gets passed to authorization factory + */ +public class TestHS2AuthzSessionContext { + private static MiniHS2 miniHS2 = null; + private static HiveAuthzSessionContext sessionCtx; + + /** + * This 
factory captures the HiveAuthzSessionContext argument and returns mocked + * HiveAuthorizer class + */ + static class MockedHiveAuthorizerFactory implements HiveAuthorizerFactory { + @Override + public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, + HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) { + TestHS2AuthzSessionContext.sessionCtx = ctx; + HiveAuthorizer mockedAuthorizer = Mockito.mock(HiveAuthorizer.class); + return mockedAuthorizer; + } + } + + @BeforeClass + public static void beforeTest() throws Exception { + Class.forName(MiniHS2.getJdbcDriverName()); + HiveConf conf = new HiveConf(); + conf.setVar(ConfVars.HIVE_AUTHORIZATION_MANAGER, MockedHiveAuthorizerFactory.class.getName()); + conf.setVar(ConfVars.HIVE_AUTHENTICATOR_MANAGER, SessionStateUserAuthenticator.class.getName()); + conf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true); + conf.setBoolVar(ConfVars.HIVE_SUPPORT_CONCURRENCY, false); + conf.setBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS, false); + + miniHS2 = new MiniHS2(conf); + miniHS2.start(new HashMap()); + } + + @AfterClass + public static void afterTest() throws Exception { + if (miniHS2.isStarted()) { + miniHS2.stop(); + } + } + + @Test + public void testAuthzSessionContextContents() throws Exception { + // session string is supposed to be unique, so its got to be of some reasonable size + assertTrue("session string size check", sessionCtx.getSessionString().length() > 10); + assertEquals("Client type ", HiveAuthzSessionContext.CLIENT_TYPE.HIVESERVER2, sessionCtx.getClientType()); + } + +} diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java index bdbe8a7..89429b6 100644 
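Review bot: `testAuthzSessionContextContents` in TestHS2AuthzSessionContext never opens a client connection, so `sessionCtx` is populated only if starting MiniHS2 itself happens to create an authorizer. That looks like an implicit dependency on server start-up behaviour and should be confirmed. Opening and closing a JDBC connection before the assertions (TestHS2AuthzContext does this through `getConnection("user1")`) would make the test check the context that a real client session receives. `afterTest()` also calls `miniHS2.isStarted()` unguarded, which would throw and hide the original error if construction failed in `beforeTest()`; `if (miniHS2 != null && miniHS2.isStarted())` avoids that.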
--- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java +++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java @@ -21,6 +21,7 @@ import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; /** @@ -32,8 +33,8 @@ public class SQLStdHiveAccessControllerForTest extends SQLStdHiveAccessController { SQLStdHiveAccessControllerForTest(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, - HiveAuthenticationProvider authenticator) throws HiveAuthzPluginException { - super(metastoreClientFactory, conf, authenticator); + HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws HiveAuthzPluginException { + super(metastoreClientFactory, conf, authenticator, ctx); } diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java index 3395513..0f41a8f 100644 --- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java +++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java 
@@ -24,15 +24,16 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerImpl; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; @Private public class SQLStdHiveAuthorizerFactoryForTest implements HiveAuthorizerFactory{ @Override public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, - HiveConf conf, HiveAuthenticationProvider authenticator) throws HiveAuthzPluginException { + HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws HiveAuthzPluginException { SQLStdHiveAccessController privilegeManager = - new SQLStdHiveAccessControllerForTest(metastoreClientFactory, conf, authenticator); + new SQLStdHiveAccessControllerForTest(metastoreClientFactory, conf, authenticator, ctx); return new HiveAuthorizerImpl( privilegeManager, new SQLStdHiveAuthorizationValidatorForTest(metastoreClientFactory, conf, authenticator, diff --git a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java index 8f3f2b6..12b6c49 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java 
@@ -103,7 +103,6 @@ import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils; import org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext.CLIENT_TYPE; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivObjectActionType; @@ -703,11 +702,7 @@ private static void doAuthorizationV2(SessionState ss, HiveOperation op, HashSet HashSet outputs, String command, Map> tab2cols) throws HiveException { HiveAuthzContext.Builder authzContextBuilder = new HiveAuthzContext.Builder(); - - authzContextBuilder.setClientType(ss.isHiveServerQuery() ? CLIENT_TYPE.HIVESERVER2 - : CLIENT_TYPE.HIVECLI); authzContextBuilder.setUserIpAddress(ss.getUserIpAddress()); - authzContextBuilder.setSessionString(ss.getSessionId()); authzContextBuilder.setCommandString(command); HiveOperationType hiveOpType = getHiveOperationType(op); diff --git a/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java b/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java index 87c8fbb..69783e7 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java 
@@ -22,11 +22,14 @@ import java.util.List; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; import org.apache.hadoop.hive.ql.session.SessionState; +import com.google.common.base.Joiner; + class CommandUtil { /** @@ -68,7 +71,10 @@ static CommandProcessorResponse authorizeCommand(SessionState ss, HiveOperationT static void authorizeCommandThrowEx(SessionState ss, HiveOperationType type, List command) throws HiveAuthzPluginException, HiveAccessControlException { HivePrivilegeObject commandObj = HivePrivilegeObject.createHivePrivilegeObject(command); - ss.getAuthorizerV2().checkPrivileges(type, Arrays.asList(commandObj), null, null); + HiveAuthzContext.Builder ctxBuilder = new HiveAuthzContext.Builder(); + ctxBuilder.setCommandString(Joiner.on(' ').join(command)); + ctxBuilder.setUserIpAddress(ss.getUserIpAddress()); + ss.getAuthorizerV2().checkPrivileges(type, Arrays.asList(commandObj), null, ctxBuilder.build()); } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java index 876527a..27fc128 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java 
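Review bot: In `authorizeCommandThrowEx` the command string handed to the authorizer is rebuilt with `Joiner.on(' ').join(command)`, so it is not the text the user submitted. The processor keyword is already gone (the new test in TestHS2AuthzContext expects `-ls /` for `dfs -ls /`) and any original quoting or spacing is lost. An authorizer or audit trail keyed on `getCommandString()` therefore cannot tell from that value which command processor the tokens belong to. Consider passing the original command line through, or document on `HiveAuthzContext.getCommandString()` what form the string takes for non-Driver commands. `Joiner.join` also throws on a null element, so it is worth confirming that `command` can never contain one.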
@@ -37,9 +37,11 @@ * different thread, so get the current instance in each method invocation. * @param conf - current HiveConf * @param hiveAuthenticator - authenticator, provides user name + * @param ctx - session context information * @return new instance of HiveAuthorizer * @throws HiveAuthzPluginException */ HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, - HiveConf conf, HiveAuthenticationProvider hiveAuthenticator) throws HiveAuthzPluginException; + HiveConf conf, HiveAuthenticationProvider hiveAuthenticator, HiveAuthzSessionContext ctx) + throws HiveAuthzPluginException; } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzContext.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzContext.java index bb71a7e..248b626 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzContext.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzContext.java @@ -29,14 +29,8 @@ @Evolving public final class HiveAuthzContext { - public enum CLIENT_TYPE { - HIVESERVER2, HIVECLI - }; - public static class Builder { private String userIpAddress; - private String sessionString; - private CLIENT_TYPE clientType; private String commandString; /** @@ -50,18 +44,6 @@ public String getUserIpAddress() { public void setUserIpAddress(String userIpAddress) { this.userIpAddress = userIpAddress; } - public String getSessionString() { - return sessionString; - } - public void setSessionString(String sessionString) { - this.sessionString = sessionString; - } - public CLIENT_TYPE getClientType() { - return clientType; - } - public void setClientType(CLIENT_TYPE clientType) { - this.clientType = clientType; - } public String getCommandString() { return commandString; } 
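Review bot: The new Javadoc line `@param ctx - session context information` on `HiveAuthorizerFactory.createHiveAuthorizer` leaves the contract for `ctx` unstated, while SQLStdHiveAccessController in this commit calls `ctx.getClientType()` with no null check. State whether callers must always supply a non-null context with both fields set, for example `@param ctx - session context (client type and session id); must not be null`. Because this adds a parameter to a plugin interface, existing out-of-tree factory implementations will stop compiling, which deserves a mention in the Javadoc or the release notes. The interface declaration starts outside this hunk.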
@@ -76,14 +58,10 @@ public HiveAuthzContext build(){ } private final String userIpAddress; - private final String sessionString; - private final CLIENT_TYPE clientType; private final String commandString; private HiveAuthzContext(Builder builder) { this.userIpAddress = builder.userIpAddress; - this.sessionString = builder.sessionString; - this.clientType = builder.clientType; this.commandString = builder.commandString; } @@ -92,22 +70,14 @@ public String getIpAddress() { return userIpAddress; } - public String getSessionString() { - return sessionString; - } - - public CLIENT_TYPE getClientType() { - return clientType; - } - public String getCommandString() { return commandString; } @Override public String toString() { - return "HiveAuthzContext [userIpAddress=" + userIpAddress + ", sessionString=" + sessionString - + ", clientType=" + clientType + ", commandString=" + commandString + "]"; + return "HiveAuthzContext [userIpAddress=" + userIpAddress + ", commandString=" + commandString + + "]"; } } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzSessionContext.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzSessionContext.java new file mode 100644 index 0000000..b0aadd5 --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzSessionContext.java 
@@ -0,0 +1,89 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security.authorization.plugin; + +import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate; +import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving; + +/** + * Provides session context information. + * It is an immutable class. Builder inner class is used instantiate it. 
+ */ +@LimitedPrivate(value = { "" }) +@Evolving +public final class HiveAuthzSessionContext { + + public enum CLIENT_TYPE { + HIVESERVER2, HIVECLI + }; + + public static class Builder { + private String sessionString; + private CLIENT_TYPE clientType; + + public Builder(){}; + + /** + * Builder that copies values from given instance of HiveAuthzSessionContext + * @param other + */ + public Builder(HiveAuthzSessionContext other){ + this.sessionString = other.getSessionString(); + this.clientType = other.getClientType(); + } + + public String getSessionString() { + return sessionString; + } + public void setSessionString(String sessionString) { + this.sessionString = sessionString; + } + public CLIENT_TYPE getClientType() { + return clientType; + } + public void setClientType(CLIENT_TYPE clientType) { + this.clientType = clientType; + } + public HiveAuthzSessionContext build(){ + return new HiveAuthzSessionContext(this); + } + } + + private final String sessionString; + private final CLIENT_TYPE clientType; + + private HiveAuthzSessionContext(Builder builder) { + this.sessionString = builder.sessionString; + this.clientType = builder.clientType; + } + + public String getSessionString() { + return sessionString; + } + + public CLIENT_TYPE getClientType() { + return clientType; + } + + @Override + public String toString() { + return "HiveAuthzSessionContext [sessionString=" + sessionString + ", clientType=" + clientType + + "]"; + } + +} diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java index 140882d..532bcc5 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java 
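Review bot: `Builder.build()` in HiveAuthzSessionContext accepts a builder whose `clientType` or `sessionString` was never set, and the private constructor copies those nulls through unchanged. The CLI check added to SQLStdHiveAccessController compares `sessionCtx.getClientType() == CLIENT_TYPE.HIVECLI`, so a context with a null client type would pass that check silently instead of being rejected. Rejecting incomplete builders in the constructor closes the gap, e.g. `if (builder.clientType == null) { throw new IllegalArgumentException("clientType must be set"); }`. The copy constructor's bare `@param other` tag should likewise say that null is not accepted, since `other.getSessionString()` is called unconditionally.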
@@ -50,6 +50,8 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessController; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; 
@@ -81,13 +83,46 @@ + "have it as current role, for this action."; private final String HAS_ADMIN_PRIV_MSG = "grantor need to have ADMIN OPTION on role being" + " granted and have it as a current role for this action."; + private final HiveAuthzSessionContext sessionCtx; public static final Log LOG = LogFactory.getLog(SQLStdHiveAccessController.class); public SQLStdHiveAccessController(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, - HiveAuthenticationProvider authenticator) throws HiveAuthzPluginException { + HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws HiveAuthzPluginException { this.metastoreClientFactory = metastoreClientFactory; this.authenticator = authenticator; + this.sessionCtx = applyTestSettings(ctx, conf); + + assertHiveCliAuthDisabled(conf); initUserRoles(); + LOG.info("Created SQLStdHiveAccessController for session context : " + sessionCtx); + } + + /** + * Change the session context based on configuration to aid in testing of sql std auth + * @param ctx + * @param conf + * @return + */ + private HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext ctx, HiveConf conf) { + if(conf.getBoolVar(ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE) && + ctx.getClientType() == CLIENT_TYPE.HIVECLI + ){ + // create new session ctx object with HS2 as client type + HiveAuthzSessionContext.Builder ctxBuilder = new HiveAuthzSessionContext.Builder(ctx); + ctxBuilder.setClientType(CLIENT_TYPE.HIVESERVER2); + return ctxBuilder.build(); + } + return ctx; + } + + private void assertHiveCliAuthDisabled(HiveConf conf) throws HiveAuthzPluginException { + if (sessionCtx.getClientType() == CLIENT_TYPE.HIVECLI + && conf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED)) { + throw new HiveAuthzPluginException( + "SQL standards based authorization should not be enabled from hive cli" + + "Instead the use of storage based authorization in hive metastore is reccomended. 
Set " + + ConfVars.HIVE_AUTHORIZATION_ENABLED.varname + "=false to disable authz within cli"); + } } /** 
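Review bot: The constructor stores `ctx` without checking it, and `assertHiveCliAuthDisabled` then dereferences `sessionCtx` unconditionally, so a caller that passes null gets a NullPointerException rather than the `HiveAuthzPluginException` the signature declares. A guard at the top of the constructor would make the failure explicit: `if (ctx == null) { throw new HiveAuthzPluginException("HiveAuthzSessionContext must not be null"); }`. Separately, the exception text in `assertHiveCliAuthDisabled` joins the literal ending in `from hive cli` to the one starting with `Instead the use` with no separator and spells "reccomended"; ending the first literal with a period and a space and fixing the spelling would make the message readable. `applyTestSettings` also lets `HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE` relabel a CLI session as HiveServer2, which skips this guard, so its javadoc should state that the flag is meant for tests only.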
@@ -671,31 +706,37 @@ private boolean doesUserHasAdminOption(List roleNames) throws HiveAuthzP @Override public void applyAuthorizationConfigPolicy(HiveConf hiveConf) { - // grant all privileges for table to its owner + // First apply configuration applicable to both Hive Cli and HiveServer2 + // Not adding any authorization related restrictions to hive cli + // grant all privileges for table to its owner - set this in cli as well so that owner + // has permissions via HiveServer2 as well. hiveConf.setVar(ConfVars.HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS, "INSERT,SELECT,UPDATE,DELETE"); - // Configure PREEXECHOOKS with DisallowTransformHook to disallow transform queries - String hooks = hiveConf.getVar(ConfVars.PREEXECHOOKS).trim(); - if (hooks.isEmpty()) { - hooks = DisallowTransformHook.class.getName(); - } else { - hooks = hooks + "," +DisallowTransformHook.class.getName(); - } - LOG.debug("Configuring hooks : " + hooks); - hiveConf.setVar(ConfVars.PREEXECHOOKS, hooks); - - // restrict the variables that can be set using set command to a list in whitelist - hiveConf.setIsModWhiteListEnabled(true); - String whiteListParamsStr = hiveConf.getVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST); - if (whiteListParamsStr == null || whiteListParamsStr.trim().equals("")){ - // set the default configs in whitelist - whiteListParamsStr = Joiner.on(",").join(defaultModWhiteListSqlStdAuth); - hiveConf.setVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST, whiteListParamsStr); - } - for(String whiteListParam : whiteListParamsStr.split(",")){ - hiveConf.addToModifiableWhiteList(whiteListParam); + // Apply rest of the configuration only to HiveServer2 + if(sessionCtx.getClientType() == CLIENT_TYPE.HIVESERVER2) { + // Configure PREEXECHOOKS with DisallowTransformHook to disallow transform queries + String hooks = hiveConf.getVar(ConfVars.PREEXECHOOKS).trim(); + if (hooks.isEmpty()) { + hooks = DisallowTransformHook.class.getName(); + } else { + hooks = hooks 
+ "," +DisallowTransformHook.class.getName(); + } + LOG.debug("Configuring hooks : " + hooks); + hiveConf.setVar(ConfVars.PREEXECHOOKS, hooks); + + // restrict the variables that can be set using set command to a list in whitelist + hiveConf.setIsModWhiteListEnabled(true); + String whiteListParamsStr = hiveConf.getVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST); + if (whiteListParamsStr == null || whiteListParamsStr.trim().equals("")){ + // set the default configs in whitelist + whiteListParamsStr = Joiner.on(",").join(defaultModWhiteListSqlStdAuth); + hiveConf.setVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST, whiteListParamsStr); + } + for(String whiteListParam : whiteListParamsStr.split(",")){ + hiveConf.addToModifiableWhiteList(whiteListParam); + } } - } + } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java index c2d50b1..9db3d74 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java 
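Review bot: The transform hook and the `set` whitelist are now applied only when `sessionCtx.getClientType() == CLIENT_TYPE.HIVESERVER2`, so a context with any other client type, including null, falls through to the unrestricted path. `HiveAuthzSessionContext.Builder`, added in this commit, leaves `clientType` null unless `setClientType` is called, so a forgotten setter silently drops both restrictions. Testing for the one exempt case instead makes the gate fail closed: `if (sessionCtx.getClientType() != CLIENT_TYPE.HIVECLI) {`. A short comment on that line, saying that unknown client types are treated as restricted, would record the intent.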
@@ -24,15 +24,16 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerImpl; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; @Private public class SQLStdHiveAuthorizerFactory implements HiveAuthorizerFactory{ @Override public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, - HiveConf conf, HiveAuthenticationProvider authenticator) throws HiveAuthzPluginException { + HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws HiveAuthzPluginException { SQLStdHiveAccessController privilegeManager = - new SQLStdHiveAccessController(metastoreClientFactory, conf, authenticator); + new SQLStdHiveAccessController(metastoreClientFactory, conf, authenticator, ctx); return new HiveAuthorizerImpl( privilegeManager, new SQLStdHiveAuthorizationValidator(metastoreClientFactory, conf, authenticator, diff --git a/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java b/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java index fcfcf42..9798cf3 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java 
@@ -62,6 +62,8 @@ import org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactoryImpl; import org.apache.hadoop.hive.ql.util.DosToUnix; import org.apache.hadoop.hive.shims.ShimLoader; @@ -504,8 +506,13 @@ private void setupAuth() { HiveAuthorizerFactory authorizerFactory = HiveUtils.getAuthorizerFactory(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER); + HiveAuthzSessionContext.Builder authzContextBuilder = new HiveAuthzSessionContext.Builder(); + authzContextBuilder.setClientType(isHiveServerQuery() ? CLIENT_TYPE.HIVESERVER2 + : CLIENT_TYPE.HIVECLI); + authzContextBuilder.setSessionString(getSessionId()); + authorizerV2 = authorizerFactory.createHiveAuthorizer(new HiveMetastoreClientFactoryImpl(), - conf, authenticator); + conf, authenticator, authzContextBuilder.build()); authorizerV2.applyAuthorizationConfigPolicy(conf); // create the create table grants with new config diff --git a/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestSessionUserName.java b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestSessionUserName.java index 273c4b9..a81ac44 100644 --- a/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestSessionUserName.java +++ b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestSessionUserName.java 
@@ -28,6 +28,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerImpl; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; import org.apache.hadoop.hive.ql.session.SessionState; import org.junit.Before; @@ -111,7 +112,7 @@ private HiveConf getAuthV2HiveConf() { @Override public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, - HiveConf conf, HiveAuthenticationProvider authenticator) { + HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) { username = authenticator.getUserName(); HiveAccessController acontroller = Mockito.mock(HiveAccessController.class); return new HiveAuthorizerImpl(acontroller, null); diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessController.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessController.java deleted file mode 100644 index 226b16e..0000000 --- a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessController.java +++ /dev/null 
@@ -1,116 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd; - -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; - -import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.conf.HiveConf.ConfVars; -import org.apache.hadoop.hive.ql.security.HadoopDefaultAuthenticator; -import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; -import org.junit.Test; - -import com.google.common.base.Joiner; - -/** - * Test SQLStdHiveAccessController - */ -public class TestSQLStdHiveAccessController { - - /** - * Test if SQLStdHiveAccessController is applying configuration security - * policy on hiveconf correctly - * - * @throws HiveAuthzPluginException - */ - @Test - public void testConfigProcessing() throws HiveAuthzPluginException { - HiveConf processedConf = new HiveConf(); - - SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null, - processedConf, new HadoopDefaultAuthenticator()); - accessController.applyAuthorizationConfigPolicy(processedConf); - - // 
check that hook to disable transforms has been added - assertTrue("Check for transform query disabling hook", - processedConf.getVar(ConfVars.PREEXECHOOKS).contains(DisallowTransformHook.class.getName())); - - verifyParamSettability(SQLStdHiveAccessController.defaultModWhiteListSqlStdAuth, processedConf); - - } - - /** - * Verify that params in settableParams can be modified, and other random ones can't be modified - * @param settableParams - * @param processedConf - */ - private void verifyParamSettability(String [] settableParams, HiveConf processedConf) { - // verify that the whitlelist params can be set - for (String param : settableParams) { - try { - processedConf.verifyAndSet(param, "dummy"); - } catch (IllegalArgumentException e) { - fail("Unable to set value for parameter in whitelist " + param + " " + e); - } - } - - // verify that non whitelist params can't be set - assertConfModificationException(processedConf, "dummy.param"); - // does not make sense to have any of the metastore config variables to be - // modifiable - for (ConfVars metaVar : HiveConf.metaVars) { - assertConfModificationException(processedConf, metaVar.varname); - } - } - - /** - * Test that modifying HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST config works - * @throws HiveAuthzPluginException - */ - @Test - public void testConfigProcessingCustomSetWhitelist() throws HiveAuthzPluginException { - - HiveConf processedConf = new HiveConf(); - // add custom value, including one from the default, one new one - String [] settableParams = {SQLStdHiveAccessController.defaultModWhiteListSqlStdAuth[0], "abcs.dummy.test.param"}; - processedConf.setVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST, - Joiner.on(",").join(settableParams)); - - - SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null, - processedConf, new HadoopDefaultAuthenticator()); - accessController.applyAuthorizationConfigPolicy(processedConf); - 
verifyParamSettability(settableParams, processedConf); - - - } - - - private void assertConfModificationException(HiveConf processedConf, String param) { - boolean caughtEx = false; - try { - processedConf.verifyAndSet(param, "dummy"); - } catch (IllegalArgumentException e) { - caughtEx = true; - } - assertTrue("Exception should be thrown while modifying the param " + param, caughtEx); - } - -} diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerCLI.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerCLI.java new file mode 100644 index 0000000..c0d4948 --- /dev/null +++ b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerCLI.java 
@@ -0,0 +1,89 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.conf.HiveConf.ConfVars; +import org.apache.hadoop.hive.ql.security.HadoopDefaultAuthenticator; +import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.Builder; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE; +import org.junit.Test; + +/** + * Test SQLStdHiveAccessController + */ +public class TestSQLStdHiveAccessControllerCLI { + + /** + * Test that SQLStdHiveAccessController is not applying config restrictions on CLI + * + * @throws HiveAuthzPluginException + */ + @Test + public void testConfigProcessing() throws 
HiveAuthzPluginException { + HiveConf processedConf = new HiveConf(); + SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null, + processedConf, new HadoopDefaultAuthenticator(), getCLISessionCtx() + ); + accessController.applyAuthorizationConfigPolicy(processedConf); + + // check that hook to disable transforms has not been added + assertFalse("Check for transform query disabling hook", + processedConf.getVar(ConfVars.PREEXECHOOKS).contains(DisallowTransformHook.class.getName())); + + // check that set param whitelist is not set + assertTrue(processedConf.getVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST) == null + || processedConf.getVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST).trim() + .equals("")); + + // verify that some dummy param can be set + processedConf.verifyAndSet("dummy.param", "dummy.val"); + } + + private HiveAuthzSessionContext getCLISessionCtx() { + Builder ctxBuilder = new HiveAuthzSessionContext.Builder(); + ctxBuilder.setClientType(CLIENT_TYPE.HIVECLI); + return ctxBuilder.build(); + } + + /** + * Verify that exceptiion is thrown if authorization is enabled from hive cli, + * when sql std auth is used + */ + @Test + public void testAuthEnableError() { + HiveConf processedConf = new HiveConf(); + processedConf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true); + try { + SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null, + processedConf, new HadoopDefaultAuthenticator(), getCLISessionCtx()); + fail("Exception expected"); + } catch (HiveAuthzPluginException e) { + assertTrue(e.getMessage().contains( + "SQL standards based authorization should not be enabled from hive cli")); + } + } + +} 
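Review bot: Nothing in this file covers the `applyTestSettings` path, where a CLI context combined with `ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE` is supposed to behave like HiveServer2. A third test could build the controller from `getCLISessionCtx()` after `processedConf.setBoolVar(ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE, true);` and assert that `PREEXECHOOKS` contains `DisallowTransformHook`, which would pin that behaviour at unit level. In `testAuthEnableError` the local `accessController` is never read, so the bare `new SQLStdHiveAccessController(...)` expression is enough, and the javadoc above it has the typo "exceptiion".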
diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerHS2.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerHS2.java new file mode 100644 index 0000000..f13cf7e --- /dev/null +++ b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerHS2.java 
@@ -0,0 +1,123 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd; + +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.conf.HiveConf.ConfVars; +import org.apache.hadoop.hive.ql.security.HadoopDefaultAuthenticator; +import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.Builder; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE; +import org.junit.Test; + +import com.google.common.base.Joiner; + +/** + * Test SQLStdHiveAccessController + */ +public class TestSQLStdHiveAccessControllerHS2 { + + /** + * Test if SQLStdHiveAccessController is applying configuration security + * policy on hiveconf correctly + * + * @throws HiveAuthzPluginException + */ + @Test + public void testConfigProcessing() 
throws HiveAuthzPluginException { + HiveConf processedConf = new HiveConf(); + SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null, + processedConf, new HadoopDefaultAuthenticator(), getHS2SessionCtx() + ); + accessController.applyAuthorizationConfigPolicy(processedConf); + + // check that hook to disable transforms has been added + assertTrue("Check for transform query disabling hook", + processedConf.getVar(ConfVars.PREEXECHOOKS).contains(DisallowTransformHook.class.getName())); + + verifyParamSettability(SQLStdHiveAccessController.defaultModWhiteListSqlStdAuth, processedConf); + + } + + private HiveAuthzSessionContext getHS2SessionCtx() { + Builder ctxBuilder = new HiveAuthzSessionContext.Builder(); + ctxBuilder.setClientType(CLIENT_TYPE.HIVESERVER2); + return ctxBuilder.build(); + } + + /** + * Verify that params in settableParams can be modified, and other random ones can't be modified + * @param settableParams + * @param processedConf + */ + private void verifyParamSettability(String [] settableParams, HiveConf processedConf) { + // verify that the whitlelist params can be set + for (String param : settableParams) { + try { + processedConf.verifyAndSet(param, "dummy"); + } catch (IllegalArgumentException e) { + fail("Unable to set value for parameter in whitelist " + param + " " + e); + } + } + + // verify that non whitelist params can't be set + assertConfModificationException(processedConf, "dummy.param"); + // does not make sense to have any of the metastore config variables to be + // modifiable + for (ConfVars metaVar : HiveConf.metaVars) { + assertConfModificationException(processedConf, metaVar.varname); + } + } + + /** + * Test that modifying HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST config works + * @throws HiveAuthzPluginException + */ + @Test + public void testConfigProcessingCustomSetWhitelist() throws HiveAuthzPluginException { + + HiveConf processedConf = new HiveConf(); + // add custom value, including one 
from the default, one new one + String[] settableParams = { SQLStdHiveAccessController.defaultModWhiteListSqlStdAuth[0], + "abcs.dummy.test.param" }; + processedConf.setVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST, + Joiner.on(",").join(settableParams)); + + SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null, + processedConf, new HadoopDefaultAuthenticator(), getHS2SessionCtx()); + accessController.applyAuthorizationConfigPolicy(processedConf); + verifyParamSettability(settableParams, processedConf); + + } + + private void assertConfModificationException(HiveConf processedConf, String param) { + boolean caughtEx = false; + try { + processedConf.verifyAndSet(param, "dummy"); + } catch (IllegalArgumentException e) { + caughtEx = true; + } + assertTrue("Exception should be thrown while modifying the param " + param, caughtEx); + } + +} diff --git a/ql/src/test/queries/clientnegative/authorization_addjar.q b/ql/src/test/queries/clientnegative/authorization_addjar.q index aad703c..f7c851d 100644 --- a/ql/src/test/queries/clientnegative/authorization_addjar.q +++ b/ql/src/test/queries/clientnegative/authorization_addjar.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.enabled=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; diff --git a/ql/src/test/queries/clientnegative/authorization_addpartition.q b/ql/src/test/queries/clientnegative/authorization_addpartition.q index 8abdd2b..f84ab98 100644 --- a/ql/src/test/queries/clientnegative/authorization_addpartition.q +++ b/ql/src/test/queries/clientnegative/authorization_addpartition.q 
@@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_alter_db_owner.q b/ql/src/test/queries/clientnegative/authorization_alter_db_owner.q index f716262..83a0efa 100644 --- a/ql/src/test/queries/clientnegative/authorization_alter_db_owner.q +++ b/ql/src/test/queries/clientnegative/authorization_alter_db_owner.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_alter_db_owner_default.q b/ql/src/test/queries/clientnegative/authorization_alter_db_owner_default.q index f904935..2140eca 100644 --- a/ql/src/test/queries/clientnegative/authorization_alter_db_owner_default.q +++ b/ql/src/test/queries/clientnegative/authorization_alter_db_owner_default.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_cannot_create_all_role.q b/ql/src/test/queries/clientnegative/authorization_cannot_create_all_role.q index 9bbd655..9bac3e0 100644 
--- a/ql/src/test/queries/clientnegative/authorization_cannot_create_all_role.q +++ b/ql/src/test/queries/clientnegative/authorization_cannot_create_all_role.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; diff --git a/ql/src/test/queries/clientnegative/authorization_cannot_create_default_role.q b/ql/src/test/queries/clientnegative/authorization_cannot_create_default_role.q index 32045e4..73c9e88 100644 --- a/ql/src/test/queries/clientnegative/authorization_cannot_create_default_role.q +++ b/ql/src/test/queries/clientnegative/authorization_cannot_create_default_role.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; diff --git a/ql/src/test/queries/clientnegative/authorization_cannot_create_none_role.q b/ql/src/test/queries/clientnegative/authorization_cannot_create_none_role.q index 42369d8..acb03c1 100644 --- a/ql/src/test/queries/clientnegative/authorization_cannot_create_none_role.q +++ b/ql/src/test/queries/clientnegative/authorization_cannot_create_none_role.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; 
diff --git a/ql/src/test/queries/clientnegative/authorization_caseinsensitivity.q b/ql/src/test/queries/clientnegative/authorization_caseinsensitivity.q index 7b47b65..bdedcb1 100644 --- a/ql/src/test/queries/clientnegative/authorization_caseinsensitivity.q +++ b/ql/src/test/queries/clientnegative/authorization_caseinsensitivity.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; diff --git a/ql/src/test/queries/clientnegative/authorization_cli_auth_enable.q b/ql/src/test/queries/clientnegative/authorization_cli_auth_enable.q new file mode 100644 index 0000000..4761051 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_cli_auth_enable.q @@ -0,0 +1,7 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set user.name=hive_test_user; +set hive.security.authorization.enabled=true; + +-- verify that sql std auth throws an error with hive cli, if auth is enabled +show tables 'src'; diff --git a/ql/src/test/queries/clientnegative/authorization_compile.q b/ql/src/test/queries/clientnegative/authorization_compile.q index 857306b..0d51c99 100644 --- a/ql/src/test/queries/clientnegative/authorization_compile.q +++ b/ql/src/test/queries/clientnegative/authorization_compile.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.enabled=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; 
diff --git a/ql/src/test/queries/clientnegative/authorization_create_func1.q b/ql/src/test/queries/clientnegative/authorization_create_func1.q index 02bbe09..1154ce8 100644 --- a/ql/src/test/queries/clientnegative/authorization_create_func1.q +++ b/ql/src/test/queries/clientnegative/authorization_create_func1.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_create_func2.q b/ql/src/test/queries/clientnegative/authorization_create_func2.q index 8760fa8..0d273fa 100644 --- a/ql/src/test/queries/clientnegative/authorization_create_func2.q +++ b/ql/src/test/queries/clientnegative/authorization_create_func2.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_create_macro1.q b/ql/src/test/queries/clientnegative/authorization_create_macro1.q index c904a10..f965426 100644 --- a/ql/src/test/queries/clientnegative/authorization_create_macro1.q +++ b/ql/src/test/queries/clientnegative/authorization_create_macro1.q 
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q b/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q
index a84fe64..b7b2b85 100644
--- a/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q
+++ b/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 -- this test will fail because hive_test_user is not in admin role.
 create role r1;
diff --git a/ql/src/test/queries/clientnegative/authorization_createview.q b/ql/src/test/queries/clientnegative/authorization_createview.q
index 9b1f2ea..4c91c70 100644
--- a/ql/src/test/queries/clientnegative/authorization_createview.q
+++ b/ql/src/test/queries/clientnegative/authorization_createview.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_ctas.q b/ql/src/test/queries/clientnegative/authorization_ctas.q
index 1cf74a3..13e25f5 100644
--- a/ql/src/test/queries/clientnegative/authorization_ctas.q
+++ b/ql/src/test/queries/clientnegative/authorization_ctas.q
@@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_deletejar.q b/ql/src/test/queries/clientnegative/authorization_deletejar.q index f2e95d2..1e6af60 100644 --- a/ql/src/test/queries/clientnegative/authorization_deletejar.q +++ b/ql/src/test/queries/clientnegative/authorization_deletejar.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.enabled=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; diff --git a/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q b/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q index 47663c9..598cc75 100644 --- a/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q +++ b/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_dfs.q b/ql/src/test/queries/clientnegative/authorization_dfs.q index 9dc8a64..4553d02 100644 --- a/ql/src/test/queries/clientnegative/authorization_dfs.q +++ b/ql/src/test/queries/clientnegative/authorization_dfs.q 
@@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.enabled=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; diff --git a/ql/src/test/queries/clientnegative/authorization_disallow_transform.q b/ql/src/test/queries/clientnegative/authorization_disallow_transform.q index 64b300c..342c29a 100644 --- a/ql/src/test/queries/clientnegative/authorization_disallow_transform.q +++ b/ql/src/test/queries/clientnegative/authorization_disallow_transform.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set role ALL; SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM src; diff --git a/ql/src/test/queries/clientnegative/authorization_drop_db_cascade.q b/ql/src/test/queries/clientnegative/authorization_drop_db_cascade.q index 78ec078..eb573f4 100644 --- a/ql/src/test/queries/clientnegative/authorization_drop_db_cascade.q +++ b/ql/src/test/queries/clientnegative/authorization_drop_db_cascade.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_drop_db_empty.q b/ql/src/test/queries/clientnegative/authorization_drop_db_empty.q index 993a2a3..570a0fa 100644 --- a/ql/src/test/queries/clientnegative/authorization_drop_db_empty.q +++ b/ql/src/test/queries/clientnegative/authorization_drop_db_empty.q 
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q b/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q
index 2593e9e..b9a0d21 100644
--- a/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q
+++ b/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set user.name=hive_admin_user;
diff --git a/ql/src/test/queries/clientnegative/authorization_droppartition.q b/ql/src/test/queries/clientnegative/authorization_droppartition.q
index f05e945..29a27ce 100644
--- a/ql/src/test/queries/clientnegative/authorization_droppartition.q
+++ b/ql/src/test/queries/clientnegative/authorization_droppartition.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_fail_8.q b/ql/src/test/queries/clientnegative/authorization_fail_8.q
index 37213a2..3c156a4 100644
--- a/ql/src/test/queries/clientnegative/authorization_fail_8.q
+++ b/ql/src/test/queries/clientnegative/authorization_fail_8.q
@@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; diff --git a/ql/src/test/queries/clientnegative/authorization_grant_table_allpriv.q b/ql/src/test/queries/clientnegative/authorization_grant_table_allpriv.q index f3c86b9..fb4abd7 100644 --- a/ql/src/test/queries/clientnegative/authorization_grant_table_allpriv.q +++ b/ql/src/test/queries/clientnegative/authorization_grant_table_allpriv.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; diff --git a/ql/src/test/queries/clientnegative/authorization_grant_table_dup.q b/ql/src/test/queries/clientnegative/authorization_grant_table_dup.q index 7808cb3..13b48df 100644 --- a/ql/src/test/queries/clientnegative/authorization_grant_table_dup.q +++ b/ql/src/test/queries/clientnegative/authorization_grant_table_dup.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; diff --git a/ql/src/test/queries/clientnegative/authorization_grant_table_fail1.q b/ql/src/test/queries/clientnegative/authorization_grant_table_fail1.q index 8dc8e45..80aa7a4 100644 --- a/ql/src/test/queries/clientnegative/authorization_grant_table_fail1.q +++ b/ql/src/test/queries/clientnegative/authorization_grant_table_fail1.q 
@@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; diff --git a/ql/src/test/queries/clientnegative/authorization_grant_table_fail_nogrant.q b/ql/src/test/queries/clientnegative/authorization_grant_table_fail_nogrant.q index d51c1c3..dcde1f9 100644 --- a/ql/src/test/queries/clientnegative/authorization_grant_table_fail_nogrant.q +++ b/ql/src/test/queries/clientnegative/authorization_grant_table_fail_nogrant.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; diff --git a/ql/src/test/queries/clientnegative/authorization_insert_noinspriv.q b/ql/src/test/queries/clientnegative/authorization_insert_noinspriv.q index 2fa3cb2..0ab5c08 100644 --- a/ql/src/test/queries/clientnegative/authorization_insert_noinspriv.q +++ b/ql/src/test/queries/clientnegative/authorization_insert_noinspriv.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_insert_noselectpriv.q b/ql/src/test/queries/clientnegative/authorization_insert_noselectpriv.q index b9bee4e..7b60d56 100644 --- a/ql/src/test/queries/clientnegative/authorization_insert_noselectpriv.q 
+++ b/ql/src/test/queries/clientnegative/authorization_insert_noselectpriv.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_insertoverwrite_nodel.q b/ql/src/test/queries/clientnegative/authorization_insertoverwrite_nodel.q index 73cfe82..d891ca2 100644 --- a/ql/src/test/queries/clientnegative/authorization_insertoverwrite_nodel.q +++ b/ql/src/test/queries/clientnegative/authorization_insertoverwrite_nodel.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_invalid_priv_v2.q b/ql/src/test/queries/clientnegative/authorization_invalid_priv_v2.q index 9c72408..5d4c95e 100644 --- a/ql/src/test/queries/clientnegative/authorization_invalid_priv_v2.q +++ b/ql/src/test/queries/clientnegative/authorization_invalid_priv_v2.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; create table if not exists authorization_invalid_v2 (key int, value string); diff --git a/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_rename.q b/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_rename.q index 8a3300c..fe5c1f6 100644 
--- a/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_rename.q
+++ b/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_rename.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_serdeprop.q b/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_serdeprop.q
index 0172c4c..2eb4180 100644
--- a/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_serdeprop.q
+++ b/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_serdeprop.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_not_owner_drop_tab.q b/ql/src/test/queries/clientnegative/authorization_not_owner_drop_tab.q
index 2d0e52d..aa8b684 100644
--- a/ql/src/test/queries/clientnegative/authorization_not_owner_drop_tab.q
+++ b/ql/src/test/queries/clientnegative/authorization_not_owner_drop_tab.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_not_owner_drop_view.q b/ql/src/test/queries/clientnegative/authorization_not_owner_drop_view.q
index 76bbab4..8e611a0 100644
--- a/ql/src/test/queries/clientnegative/authorization_not_owner_drop_view.q
+++ b/ql/src/test/queries/clientnegative/authorization_not_owner_drop_view.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_priv_current_role_neg.q b/ql/src/test/queries/clientnegative/authorization_priv_current_role_neg.q
index 29a06a8..c0fb599 100644
--- a/ql/src/test/queries/clientnegative/authorization_priv_current_role_neg.q
+++ b/ql/src/test/queries/clientnegative/authorization_priv_current_role_neg.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set user.name=hive_admin_user;
diff --git a/ql/src/test/queries/clientnegative/authorization_revoke_table_fail1.q b/ql/src/test/queries/clientnegative/authorization_revoke_table_fail1.q
index e19bf37..dc1f451 100644
--- a/ql/src/test/queries/clientnegative/authorization_revoke_table_fail1.q
+++ b/ql/src/test/queries/clientnegative/authorization_revoke_table_fail1.q
@@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; diff --git a/ql/src/test/queries/clientnegative/authorization_revoke_table_fail2.q b/ql/src/test/queries/clientnegative/authorization_revoke_table_fail2.q index 4b0cf32..f10be40 100644 --- a/ql/src/test/queries/clientnegative/authorization_revoke_table_fail2.q +++ b/ql/src/test/queries/clientnegative/authorization_revoke_table_fail2.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; diff --git a/ql/src/test/queries/clientnegative/authorization_role_cycles1.q b/ql/src/test/queries/clientnegative/authorization_role_cycles1.q index fa3fc19..739fe00 100644 --- a/ql/src/test/queries/clientnegative/authorization_role_cycles1.q +++ b/ql/src/test/queries/clientnegative/authorization_role_cycles1.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; diff --git a/ql/src/test/queries/clientnegative/authorization_role_cycles2.q b/ql/src/test/queries/clientnegative/authorization_role_cycles2.q index 069a663..ebca827 100644 --- a/ql/src/test/queries/clientnegative/authorization_role_cycles2.q +++ b/ql/src/test/queries/clientnegative/authorization_role_cycles2.q 
@@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; diff --git a/ql/src/test/queries/clientnegative/authorization_role_grant.q b/ql/src/test/queries/clientnegative/authorization_role_grant.q index 3f1a7b8..d0e1705 100644 --- a/ql/src/test/queries/clientnegative/authorization_role_grant.q +++ b/ql/src/test/queries/clientnegative/authorization_role_grant.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; diff --git a/ql/src/test/queries/clientnegative/authorization_role_grant2.q b/ql/src/test/queries/clientnegative/authorization_role_grant2.q index 7d439cb..f19b912 100644 --- a/ql/src/test/queries/clientnegative/authorization_role_grant2.q +++ b/ql/src/test/queries/clientnegative/authorization_role_grant2.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; diff --git a/ql/src/test/queries/clientnegative/authorization_role_grant_nosuchrole.q b/ql/src/test/queries/clientnegative/authorization_role_grant_nosuchrole.q index 51ca345..ed6f972 100644 --- a/ql/src/test/queries/clientnegative/authorization_role_grant_nosuchrole.q +++ b/ql/src/test/queries/clientnegative/authorization_role_grant_nosuchrole.q 
@@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; diff --git a/ql/src/test/queries/clientnegative/authorization_role_grant_otherrole.q b/ql/src/test/queries/clientnegative/authorization_role_grant_otherrole.q index 9440c45..233cd17 100644 --- a/ql/src/test/queries/clientnegative/authorization_role_grant_otherrole.q +++ b/ql/src/test/queries/clientnegative/authorization_role_grant_otherrole.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; diff --git a/ql/src/test/queries/clientnegative/authorization_role_grant_otheruser.q b/ql/src/test/queries/clientnegative/authorization_role_grant_otheruser.q index 1db2806..c7900fe 100644 --- a/ql/src/test/queries/clientnegative/authorization_role_grant_otheruser.q +++ b/ql/src/test/queries/clientnegative/authorization_role_grant_otheruser.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; diff --git a/ql/src/test/queries/clientnegative/authorization_rolehierarchy_privs.q b/ql/src/test/queries/clientnegative/authorization_rolehierarchy_privs.q index 8bb776e..ede7dfd 100644 --- a/ql/src/test/queries/clientnegative/authorization_rolehierarchy_privs.q +++ b/ql/src/test/queries/clientnegative/authorization_rolehierarchy_privs.q 
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_select.q b/ql/src/test/queries/clientnegative/authorization_select.q
index 3987179..d4cc148 100644
--- a/ql/src/test/queries/clientnegative/authorization_select.q
+++ b/ql/src/test/queries/clientnegative/authorization_select.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_select_view.q b/ql/src/test/queries/clientnegative/authorization_select_view.q
index a4071cd..365f239 100644
--- a/ql/src/test/queries/clientnegative/authorization_select_view.q
+++ b/ql/src/test/queries/clientnegative/authorization_select_view.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_set_role_neg1.q b/ql/src/test/queries/clientnegative/authorization_set_role_neg1.q
index 9ba3a82..8afe68d 100644
--- a/ql/src/test/queries/clientnegative/authorization_set_role_neg1.q
+++ b/ql/src/test/queries/clientnegative/authorization_set_role_neg1.q
@@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; -- an error should be thrown if 'set role ' is done for role that does not exist diff --git a/ql/src/test/queries/clientnegative/authorization_set_role_neg2.q b/ql/src/test/queries/clientnegative/authorization_set_role_neg2.q index a810f1a..c1cb253 100644 --- a/ql/src/test/queries/clientnegative/authorization_set_role_neg2.q +++ b/ql/src/test/queries/clientnegative/authorization_set_role_neg2.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set user.name=hive_admin_user; diff --git a/ql/src/test/queries/clientnegative/authorization_show_grant_otherrole.q b/ql/src/test/queries/clientnegative/authorization_show_grant_otherrole.q index e131766..e689c60 100644 --- a/ql/src/test/queries/clientnegative/authorization_show_grant_otherrole.q +++ b/ql/src/test/queries/clientnegative/authorization_show_grant_otherrole.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_all.q b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_all.q index 4ef501d..8b55f8d 100644 --- a/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_all.q +++ b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_all.q 
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_alltabs.q b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_alltabs.q
index 8cfc790..912842e 100644
--- a/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_alltabs.q
+++ b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_alltabs.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_wtab.q b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_wtab.q
index 4c3892c..3558c4d 100644
--- a/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_wtab.q
+++ b/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_wtab.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_show_parts_nosel.q b/ql/src/test/queries/clientnegative/authorization_show_parts_nosel.q
index d8190de..e63dfd8 100644
--- a/ql/src/test/queries/clientnegative/authorization_show_parts_nosel.q
+++ b/ql/src/test/queries/clientnegative/authorization_show_parts_nosel.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_show_role_principals_no_admin.q b/ql/src/test/queries/clientnegative/authorization_show_role_principals_no_admin.q
index 2afe87f..08c997c 100644
--- a/ql/src/test/queries/clientnegative/authorization_show_role_principals_no_admin.q
+++ b/ql/src/test/queries/clientnegative/authorization_show_role_principals_no_admin.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 -- This test will fail because hive_test_user is not in admin role
 show principals role1;
diff --git a/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q b/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q
index 0fc9fca..26277c1 100644
--- a/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q
+++ b/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 -- This test will fail because hive_test_user is not in admin role
 show roles;
diff --git a/ql/src/test/queries/clientnegative/authorization_table_grant_nosuchrole.q b/ql/src/test/queries/clientnegative/authorization_table_grant_nosuchrole.q
index 2065093..54d085a 100644
--- a/ql/src/test/queries/clientnegative/authorization_table_grant_nosuchrole.q +++ b/ql/src/test/queries/clientnegative/authorization_table_grant_nosuchrole.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; diff --git a/ql/src/test/queries/clientnegative/authorization_truncate.q b/ql/src/test/queries/clientnegative/authorization_truncate.q index 285600b..da96c61 100644 --- a/ql/src/test/queries/clientnegative/authorization_truncate.q +++ b/ql/src/test/queries/clientnegative/authorization_truncate.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_uri_add_partition.q b/ql/src/test/queries/clientnegative/authorization_uri_add_partition.q index d82ac71..5b2e486 100644 --- a/ql/src/test/queries/clientnegative/authorization_uri_add_partition.q +++ b/ql/src/test/queries/clientnegative/authorization_uri_add_partition.q @@ -1,3 +1,4 @@ +set hive.test.authz.sstd.hs2.mode=true; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_uri_alterpart_loc.q b/ql/src/test/queries/clientnegative/authorization_uri_alterpart_loc.q index d38ba74..b7ad814 100644 
--- a/ql/src/test/queries/clientnegative/authorization_uri_alterpart_loc.q
+++ b/ql/src/test/queries/clientnegative/authorization_uri_alterpart_loc.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_uri_altertab_setloc.q b/ql/src/test/queries/clientnegative/authorization_uri_altertab_setloc.q
index c446b86..653b7bb 100644
--- a/ql/src/test/queries/clientnegative/authorization_uri_altertab_setloc.q
+++ b/ql/src/test/queries/clientnegative/authorization_uri_altertab_setloc.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_uri_create_table1.q b/ql/src/test/queries/clientnegative/authorization_uri_create_table1.q
index c8e1fb4..fb50a7d 100644
--- a/ql/src/test/queries/clientnegative/authorization_uri_create_table1.q
+++ b/ql/src/test/queries/clientnegative/authorization_uri_create_table1.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_uri_create_table_ext.q b/ql/src/test/queries/clientnegative/authorization_uri_create_table_ext.q
index c8549b4..82b5916 100644
--- a/ql/src/test/queries/clientnegative/authorization_uri_create_table_ext.q
+++ b/ql/src/test/queries/clientnegative/authorization_uri_create_table_ext.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_uri_createdb.q b/ql/src/test/queries/clientnegative/authorization_uri_createdb.q
index edfdf5a..1a257c0 100644
--- a/ql/src/test/queries/clientnegative/authorization_uri_createdb.q
+++ b/ql/src/test/queries/clientnegative/authorization_uri_createdb.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_uri_index.q b/ql/src/test/queries/clientnegative/authorization_uri_index.q
index 1a8f9cb..795928d 100644
--- a/ql/src/test/queries/clientnegative/authorization_uri_index.q
+++ b/ql/src/test/queries/clientnegative/authorization_uri_index.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_uri_insert.q b/ql/src/test/queries/clientnegative/authorization_uri_insert.q
index 81b6e52..39bb4b6 100644
--- a/ql/src/test/queries/clientnegative/authorization_uri_insert.q
+++ b/ql/src/test/queries/clientnegative/authorization_uri_insert.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_uri_insert_local.q b/ql/src/test/queries/clientnegative/authorization_uri_insert_local.q
index 0a2fd89..4ad350c 100644
--- a/ql/src/test/queries/clientnegative/authorization_uri_insert_local.q
+++ b/ql/src/test/queries/clientnegative/authorization_uri_insert_local.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorization_uri_load_data.q b/ql/src/test/queries/clientnegative/authorization_uri_load_data.q
index 6af41f0..a409e18 100644
--- a/ql/src/test/queries/clientnegative/authorization_uri_load_data.q
+++ b/ql/src/test/queries/clientnegative/authorization_uri_load_data.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/authorize_create_tbl.q b/ql/src/test/queries/clientnegative/authorize_create_tbl.q
index d8beac3..f0f398f 100644
--- a/ql/src/test/queries/clientnegative/authorize_create_tbl.q
+++ b/ql/src/test/queries/clientnegative/authorize_create_tbl.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
diff --git a/ql/src/test/queries/clientnegative/temp_table_authorize_create_tbl.q b/ql/src/test/queries/clientnegative/temp_table_authorize_create_tbl.q
index bb75777..69bcc43 100644
--- a/ql/src/test/queries/clientnegative/temp_table_authorize_create_tbl.q
+++ b/ql/src/test/queries/clientnegative/temp_table_authorize_create_tbl.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
diff --git a/ql/src/test/queries/clientpositive/authorization_1_sql_std.q b/ql/src/test/queries/clientpositive/authorization_1_sql_std.q
index 34a9b68..82896a4 100644
--- a/ql/src/test/queries/clientpositive/authorization_1_sql_std.q
+++ b/ql/src/test/queries/clientpositive/authorization_1_sql_std.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set user.name=hive_admin_user;
diff --git a/ql/src/test/queries/clientpositive/authorization_admin_almighty1.q b/ql/src/test/queries/clientpositive/authorization_admin_almighty1.q
index 380f506..3ae0ce1 100644
--- a/ql/src/test/queries/clientpositive/authorization_admin_almighty1.q
+++ b/ql/src/test/queries/clientpositive/authorization_admin_almighty1.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set user.name=hive_test_user;
diff --git a/ql/src/test/queries/clientpositive/authorization_admin_almighty2.q b/ql/src/test/queries/clientpositive/authorization_admin_almighty2.q
index ba43e40..c666e97 100644
--- a/ql/src/test/queries/clientpositive/authorization_admin_almighty2.q
+++ b/ql/src/test/queries/clientpositive/authorization_admin_almighty2.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set user.name=hive_admin_user;
diff --git a/ql/src/test/queries/clientpositive/authorization_cli_createtab.q b/ql/src/test/queries/clientpositive/authorization_cli_createtab.q
new file mode 100644
index 0000000..25fc80a
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/authorization_cli_createtab.q
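Review bot: authorization_admin_almighty2.q is the one file in this group where the new `set hive.test.authz.sstd.hs2.mode=true;` is followed by the production `SQLStdHiveAuthorizerFactory` rather than `SQLStdHiveAuthorizerFactoryForTest`. If only the test factory reads the flag, the added line has no effect here and the test still runs as a CLI session; if the production factory reads it too, a test switch is changing what production authorization code does. Which of the two holds cannot be seen from this hunk. If the production factory is intended, say so with a comment such as `-- intentionally uses the production SQLStdHiveAuthorizerFactory`; otherwise the manager line should end in `SQLStdHiveAuthorizerFactoryForTest;` like its neighbours.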
@@ -0,0 +1,14 @@
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.users.in.admin.role=hive_admin_user;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_test_user;
+
+-- verify that sql std auth can be set as the authorizer with hive cli
+-- and that the create table/view result in correct permissions (suitable for sql std auth mode)
+
+create table t_cli(i int);
+show grant user hive_test_user on t_cli;
+
+create view v_cli (i) as select i from t_cli;
+show grant user hive_test_user on v_cli;
diff --git a/ql/src/test/queries/clientpositive/authorization_create_func1.q b/ql/src/test/queries/clientpositive/authorization_create_func1.q
index 1f48deb..6c7ebc7 100644
--- a/ql/src/test/queries/clientpositive/authorization_create_func1.q
+++ b/ql/src/test/queries/clientpositive/authorization_create_func1.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientpositive/authorization_create_macro1.q b/ql/src/test/queries/clientpositive/authorization_create_macro1.q
index 741fa92..e0297d2 100644
--- a/ql/src/test/queries/clientpositive/authorization_create_macro1.q
+++ b/ql/src/test/queries/clientpositive/authorization_create_macro1.q
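Review bot: The header comment of the new authorization_cli_createtab.q says the test verifies SQL standard authorization "with hive cli", yet its first line sets `hive.test.authz.sstd.hs2.mode=true`, which by its name puts the session into HiveServer2 mode. If that reading is right (the code that consumes the flag is outside this hunk), the CLI path is not the one exercised and the `show grant` rows recorded in authorization_cli_createtab.q.out describe HiveServer2 behaviour. Either the first line should read `set hive.test.authz.sstd.hs2.mode=false;` or the comment should state what is actually covered. The script also never sets `hive.security.authorization.enabled`, so unless the harness enables it by default the test checks the grants created for the owner but not that they are enforced.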
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientpositive/authorization_create_table_owner_privs.q b/ql/src/test/queries/clientpositive/authorization_create_table_owner_privs.q
index 17f4861..9897657 100644
--- a/ql/src/test/queries/clientpositive/authorization_create_table_owner_privs.q
+++ b/ql/src/test/queries/clientpositive/authorization_create_table_owner_privs.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
diff --git a/ql/src/test/queries/clientpositive/authorization_create_temp_table.q b/ql/src/test/queries/clientpositive/authorization_create_temp_table.q
index d49dbb4..52b9ca7 100644
--- a/ql/src/test/queries/clientpositive/authorization_create_temp_table.q
+++ b/ql/src/test/queries/clientpositive/authorization_create_temp_table.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
diff --git a/ql/src/test/queries/clientpositive/authorization_grant_public_role.q b/ql/src/test/queries/clientpositive/authorization_grant_public_role.q
index 9da33dc..fe177ac 100644
--- a/ql/src/test/queries/clientpositive/authorization_grant_public_role.q
+++ b/ql/src/test/queries/clientpositive/authorization_grant_public_role.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
diff --git a/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q b/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q
index 9c7a999..f0eac73 100644
--- a/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q
+++ b/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
diff --git a/ql/src/test/queries/clientpositive/authorization_index.q b/ql/src/test/queries/clientpositive/authorization_index.q
index 1f177ff..b8dd577 100644
--- a/ql/src/test/queries/clientpositive/authorization_index.q
+++ b/ql/src/test/queries/clientpositive/authorization_index.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.stats.dbclass=fs;
diff --git a/ql/src/test/queries/clientpositive/authorization_insert.q b/ql/src/test/queries/clientpositive/authorization_insert.q
index c1e4c1f..d589405 100644
--- a/ql/src/test/queries/clientpositive/authorization_insert.q
+++ b/ql/src/test/queries/clientpositive/authorization_insert.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
diff --git a/ql/src/test/queries/clientpositive/authorization_owner_actions.q b/ql/src/test/queries/clientpositive/authorization_owner_actions.q
index 85d8b11..d186a44 100644
--- a/ql/src/test/queries/clientpositive/authorization_owner_actions.q
+++ b/ql/src/test/queries/clientpositive/authorization_owner_actions.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientpositive/authorization_owner_actions_db.q b/ql/src/test/queries/clientpositive/authorization_owner_actions_db.q
index 14a8d7c..ccd4605 100644
--- a/ql/src/test/queries/clientpositive/authorization_owner_actions_db.q
+++ b/ql/src/test/queries/clientpositive/authorization_owner_actions_db.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientpositive/authorization_parts.q b/ql/src/test/queries/clientpositive/authorization_parts.q
index bee091b..141cdea 100644
--- a/ql/src/test/queries/clientpositive/authorization_parts.q
+++ b/ql/src/test/queries/clientpositive/authorization_parts.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientpositive/authorization_reset.q b/ql/src/test/queries/clientpositive/authorization_reset.q
index aa2c1fb..047474e 100644
--- a/ql/src/test/queries/clientpositive/authorization_reset.q
+++ b/ql/src/test/queries/clientpositive/authorization_reset.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q b/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q
index 1cd445b..1e3e6cf 100644
--- a/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q
+++ b/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
diff --git a/ql/src/test/queries/clientpositive/authorization_role_grant1.q b/ql/src/test/queries/clientpositive/authorization_role_grant1.q
index 1e8a6af..f0b8d9c 100644
--- a/ql/src/test/queries/clientpositive/authorization_role_grant1.q
+++ b/ql/src/test/queries/clientpositive/authorization_role_grant1.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set user.name=hive_admin_user;
diff --git a/ql/src/test/queries/clientpositive/authorization_role_grant2.q b/ql/src/test/queries/clientpositive/authorization_role_grant2.q
index d87d96f..95fa4e6 100644
--- a/ql/src/test/queries/clientpositive/authorization_role_grant2.q
+++ b/ql/src/test/queries/clientpositive/authorization_role_grant2.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
diff --git a/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q b/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q
index 4132370..f10b649 100644
--- a/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q
+++ b/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set user.name=hive_admin_user;
diff --git a/ql/src/test/queries/clientpositive/authorization_show_grant.q b/ql/src/test/queries/clientpositive/authorization_show_grant.q
index bad1f07..0f17439 100644
--- a/ql/src/test/queries/clientpositive/authorization_show_grant.q
+++ b/ql/src/test/queries/clientpositive/authorization_show_grant.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q b/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q
index 91acd39..85d3ca3 100644
--- a/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q
+++ b/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/results/clientnegative/authorization_cli_auth_enable.q.out b/ql/src/test/results/clientnegative/authorization_cli_auth_enable.q.out
new file mode 100644
index 0000000..252eb66
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_cli_auth_enable.q.out
@@ -0,0 +1 @@
+FAILED: RuntimeException org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: SQL standards based authorization should not be enabled from hive cliInstead the use of storage based authorization in hive metastore is reccomended. Set hive.security.authorization.enabled=false to disable authz within cli
diff --git a/ql/src/test/results/clientpositive/authorization_cli_createtab.q.out b/ql/src/test/results/clientpositive/authorization_cli_createtab.q.out
new file mode 100644
index 0000000..2d2a1bf
--- /dev/null
+++ b/ql/src/test/results/clientpositive/authorization_cli_createtab.q.out
@@ -0,0 +1,36 @@
+PREHOOK: query: -- verify that sql std auth can be set as the authorizer with hive cli
+-- and that the create table/view result in correct permissions (suitable for sql std auth mode)
+
+create table t_cli(i int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+POSTHOOK: query: -- verify that sql std auth can be set as the authorizer with hive cli
+-- and that the create table/view result in correct permissions (suitable for sql std auth mode)
+
+create table t_cli(i int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@t_cli
+PREHOOK: query: show grant user hive_test_user on t_cli
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on t_cli
+POSTHOOK: type: SHOW_GRANT
+default t_cli hive_test_user USER DELETE true -1 hive_test_user
+default t_cli hive_test_user USER INSERT true -1 hive_test_user
+default t_cli hive_test_user USER SELECT true -1 hive_test_user
+default t_cli hive_test_user USER UPDATE true -1 hive_test_user
+PREHOOK: query: create view v_cli (i) as select i from t_cli
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@t_cli
+POSTHOOK: query: create view v_cli (i) as select i from t_cli
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@t_cli
+POSTHOOK: Output: default@v_cli
+PREHOOK: query: show grant user hive_test_user on v_cli
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on v_cli
+POSTHOOK: type: SHOW_GRANT
+default v_cli hive_test_user USER DELETE true -1 hive_test_user
+default v_cli hive_test_user USER INSERT true -1 hive_test_user
+default v_cli hive_test_user USER SELECT true -1 hive_test_user
+default v_cli hive_test_user USER UPDATE true -1 hive_test_user