commit ee9f3a30391b18131b386c2b2f81067d7bc81f5a Author: Thejas Nair Date: Tue Aug 12 16:40:17 2014 -0700 fix diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java index 789ef76..bd24b6e 100644 --- a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java +++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java @@ -30,6 +30,8 @@ import java.util.Collections; import java.util.List; +import org.apache.commons.lang3.tuple.ImmutablePair; +import org.apache.commons.lang3.tuple.Pair; import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.conf.HiveConf.ConfVars; import org.apache.hadoop.hive.ql.CommandNeedRetryException; @@ -43,7 +45,6 @@ import org.junit.BeforeClass; import org.junit.Test; import org.mockito.ArgumentCaptor; -import org.mockito.Matchers; import org.mockito.Mockito; /** @@ -52,7 +53,10 @@ public class TestHiveAuthorizerCheckInvocation { protected static HiveConf conf; protected static Driver driver; - private static final String tableName = TestHiveAuthorizerCheckInvocation.class.getSimpleName(); + private static final String tableName = TestHiveAuthorizerCheckInvocation.class.getSimpleName() + + "Table"; + private static final String dbName = TestHiveAuthorizerCheckInvocation.class.getSimpleName() + + "Db"; static HiveAuthorizer mockedAuthorizer; /** 
@@ -82,8 +86,13 @@ public static void beforeTest() throws Exception { SessionState.start(conf); driver = new Driver(conf); - CommandProcessorResponse resp = driver.run("create table " + tableName + runCmd("create table " + tableName + " (i int, j int, k string) partitioned by (city string, date string) "); + runCmd("create database " + dbName); + } + + private static void runCmd(String cmd) throws CommandNeedRetryException { + CommandProcessorResponse resp = driver.run(cmd); assertEquals(0, resp.getResponseCode()); } @@ -101,7 +110,7 @@ public void testInputSomeColumnsUsed() throws HiveAuthzPluginException, HiveAcce + " where k = 'X' and city = 'Scottsdale-AZ' "); assertEquals(0, status); - List inputs = getHivePrivilegeObjectInputs(); + List inputs = getHivePrivilegeObjectInputs().getLeft(); checkSingleTableInput(inputs); HivePrivilegeObject tableObj = inputs.get(0); assertEquals("no of columns used", 3, tableObj.getColumns().size()); @@ -123,7 +132,7 @@ public void testInputAllColumnsUsed() throws HiveAuthzPluginException, HiveAcces int status = driver.compile("select * from " + tableName + " order by i"); assertEquals(0, status); - List inputs = getHivePrivilegeObjectInputs(); + List inputs = getHivePrivilegeObjectInputs().getLeft(); checkSingleTableInput(inputs); HivePrivilegeObject tableObj = inputs.get(0); assertEquals("no of columns used", 5, tableObj.getColumns().size()); 
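Review bot: The assertion in the new `runCmd` helper does not say which command failed, so a setup failure in `create table` and one in `create database` look identical in the test report. `assertEquals("command failed: " + cmd, 0, resp.getResponseCode());` would name the statement. `beforeTest` now also creates the database `dbName`, and the matching cleanup is outside this hunk, so confirm that the class teardown drops the database as well as the table.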
@@ -139,12 +148,60 @@ public void testInputNoColumnsUsed() throws HiveAuthzPluginException, HiveAccess int status = driver.compile("describe " + tableName); assertEquals(0, status); - List inputs = getHivePrivilegeObjectInputs(); + List inputs = getHivePrivilegeObjectInputs().getLeft(); checkSingleTableInput(inputs); HivePrivilegeObject tableObj = inputs.get(0); assertNull("columns used", tableObj.getColumns()); } + @Test + public void testPermFunction() throws HiveAuthzPluginException, HiveAccessControlException, + CommandNeedRetryException { + + reset(mockedAuthorizer); + final String funcName = "testauthfunc1"; + int status = driver.compile("create function " + dbName + "." + funcName + + " as 'org.apache.hadoop.hive.ql.udf.UDFPI'"); + assertEquals(0, status); + + List outputs = getHivePrivilegeObjectInputs().getRight(); + + HivePrivilegeObject funcObj; + HivePrivilegeObject dbObj; + assertEquals("number of output object", 2, outputs.size()); + if(outputs.get(0).getType() == HivePrivilegeObjectType.FUNCTION) { + funcObj = outputs.get(0); + dbObj = outputs.get(1); + } else { + funcObj = outputs.get(1); + dbObj = outputs.get(0); + } + + assertEquals("input type", HivePrivilegeObjectType.FUNCTION, funcObj.getType()); + assertTrue("function name", funcName.equalsIgnoreCase(funcObj.getObjectName())); + assertTrue("db name", dbName.equalsIgnoreCase(funcObj.getDbname())); + + assertEquals("input type", HivePrivilegeObjectType.DATABASE, dbObj.getType()); + assertTrue("db name", dbName.equalsIgnoreCase(dbObj.getDbname())); + } + + @Test + public void testTempFunction() throws HiveAuthzPluginException, HiveAccessControlException, + CommandNeedRetryException { + + reset(mockedAuthorizer); + final String funcName = "testAuthFunc2"; + int status = driver.compile("create temporary function " + funcName + + " as 'org.apache.hadoop.hive.ql.udf.UDFPI'"); + assertEquals(0, status); + + List outputs = getHivePrivilegeObjectInputs().getRight(); + HivePrivilegeObject funcObj = 
outputs.get(0); + assertEquals("input type", HivePrivilegeObjectType.FUNCTION, funcObj.getType()); + assertTrue("function name", funcName.equalsIgnoreCase(funcObj.getObjectName())); + assertEquals("db name", null, funcObj.getDbname()); + } + private void checkSingleTableInput(List inputs) { assertEquals("number of inputs", 1, inputs.size()); @@ -154,23 +211,28 @@ private void checkSingleTableInput(List inputs) { } /** - * @return the inputs passed in current call to authorizer.checkPrivileges + * @return pair with left value as inputs and right value as outputs, + * passed in current call to authorizer.checkPrivileges * @throws HiveAuthzPluginException * @throws HiveAccessControlException */ - private List getHivePrivilegeObjectInputs() throws HiveAuthzPluginException, + private Pair, List> getHivePrivilegeObjectInputs() throws HiveAuthzPluginException, HiveAccessControlException { // Create argument capturer // a class variable cast to this generic of generic class Class> class_listPrivObjects = (Class) List.class; ArgumentCaptor> inputsCapturer = ArgumentCaptor .forClass(class_listPrivObjects); + ArgumentCaptor> outputsCapturer = ArgumentCaptor + .forClass(class_listPrivObjects); verify(mockedAuthorizer).checkPrivileges(any(HiveOperationType.class), - inputsCapturer.capture(), Matchers.anyListOf(HivePrivilegeObject.class), + inputsCapturer.capture(), outputsCapturer.capture(), any(HiveAuthzContext.class)); - return inputsCapturer.getValue(); + // return inputsCapturer.getValue(); + return new ImmutablePair(inputsCapturer.getValue(), outputsCapturer.getValue()); + } } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java index ffb6074..d5a0bfa 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java 
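Review bot: In `testTempFunction`, `outputs.get(0)` is read without checking the list size first, so an empty outputs list from the captured `checkPrivileges` call surfaces as an IndexOutOfBoundsException instead of an assertion failure; `testPermFunction` already asserts the count. If a temporary function is expected to yield exactly one output object, add `assertEquals("number of output object", 1, outputs.size());` before the `get(0)`. The `"input type"` messages in both new tests label checks on output objects and would read better as `"output type"`. `assertEquals("db name", null, funcObj.getDbname())` can be `assertNull("db name", funcObj.getDbname())`, which states the intent that a temporary function reaches the authorizer without a database.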
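Review bot: `getHivePrivilegeObjectInputs` now returns both the inputs and the outputs, so its name is misleading at the call sites that take `.getRight()`; a name such as `getHivePrivilegeObjectInputsOutputs` would match the updated Javadoc. The leftover `// return inputsCapturer.getValue();` is dead commented-out code and should be deleted. `ImmutablePair.of(inputsCapturer.getValue(), outputsCapturer.getValue())` would let the compiler infer the pair's type arguments instead of relying on the constructor call.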
@@ -759,6 +759,9 @@ private static void doAuthorizationV2(SessionState ss, HiveOperation op, HashSet objName = privObject.getD(); break; case FUNCTION: + if(privObject.getDatabase() != null) { + dbname = privObject.getDatabase().getName(); + } objName = privObject.getFunctionName(); break; case DUMMYPARTITION: diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/FunctionSemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/FunctionSemanticAnalyzer.java index bf3b65a..f9b875e 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/FunctionSemanticAnalyzer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/FunctionSemanticAnalyzer.java @@ -169,6 +169,7 @@ private void addEntities(String functionName, boolean isTemporaryFunction) try { String[] qualifiedNameParts = FunctionUtils.getQualifiedFunctionNameParts(functionName); String dbName = qualifiedNameParts[0]; + functionName = qualifiedNameParts[1]; database = getDatabase(dbName); } catch (HiveException e) { LOG.error(e); diff --git a/ql/src/test/results/clientnegative/authorization_create_func1.q.out b/ql/src/test/results/clientnegative/authorization_create_func1.q.out index 3bc49a6..6e11f04 100644 --- a/ql/src/test/results/clientnegative/authorization_create_func1.q.out +++ b/ql/src/test/results/clientnegative/authorization_create_func1.q.out @@ -1 +1 @@ -FAILED: HiveAccessControlException Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation CREATEFUNCTION [[ADMIN PRIVILEGE] on Object [type=DATABASE, name=default], [ADMIN PRIVILEGE] on Object [type=FUNCTION, name=perm_fn]] +FAILED: HiveAccessControlException Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation CREATEFUNCTION [[ADMIN PRIVILEGE] on Object [type=DATABASE, name=default], [ADMIN PRIVILEGE] on Object [type=FUNCTION, name=default.perm_fn]]
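Review bot: The new FUNCTION branch assigns `dbname` only when the entity has a database, so for a temporary function the authorizer receives whatever `dbname` held before the switch. The declaration of `dbname` is outside this hunk. If it is not reset to null for each entity, a function object could be checked against the database of the previously processed entity, so that is worth confirming. A short comment in the branch would also record the intent, e.g. `// temporary functions have no database, so dbname stays null for them`.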
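Review bot: In `addEntities`, `functionName = qualifiedNameParts[1];` overwrites the method parameter inside the try block, which silently changes the name used by the rest of the method; that code lies outside this hunk. Since this decides which object name the authorization check sees, a comment such as `// the entity carries the database separately, so keep only the unqualified function name` would make the change deliberate to the next reader. The index `[1]` also relies on `FunctionUtils.getQualifiedFunctionNameParts` always returning two elements, which is not visible here; if that is not guaranteed, check the array length before indexing.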