diff --git itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestMetastoreAuthorizationProvider.java itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestMetastoreAuthorizationProvider.java
index 87f9185..c869469 100644
--- itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestMetastoreAuthorizationProvider.java
+++ itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestMetastoreAuthorizationProvider.java
@@ -24,6 +24,7 @@
 import junit.framework.TestCase;
+import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hive.cli.CliSessionState;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.metastore.HiveMetaStoreClient;
@@ -172,6 +173,17 @@ public void testSimplePrivileges() throws Exception {
 String.format("create table %s (a string) partitioned by (b string)", tblName));
 assertEquals(1,ret.getResponseCode());
+
+ // Even if table location is specified table creation should fail
+ String tblNameLoc = tblName + "_loc";
+ String tblLocation = new Path(dbLocn).getParent().toUri() + "/" + tblNameLoc;
+
+ driver.run("use " + dbName);
+ ret = driver.run(
+ String.format("create table %s (a string) partitioned by (b string) location '" +
+ tblLocation + "'", tblNameLoc));
+ assertEquals(1, ret.getResponseCode());
+
+ // failure from not having permissions to create table
 ArrayList fields = new ArrayList(2);
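Review bot: The negative case added after the first `assertEquals(1,ret.getResponseCode());` checks only that the command returned 1, so it would also pass if the create statement failed for a reason unrelated to authorization, such as a malformed location string. Since `msc` is used further down in this test (hunk at -215), consider following the failed run with a check that `msc.getTable(dbName, tblNameLoc)` does not find the table, or asserting on the error text if the response object exposes it. Separately, `tblLocation` is concatenated into the `String.format` pattern here and again in the hunk at -215, so a `%` in the URI would be read as a format specifier; `String.format("create table %s (a string) partitioned by (b string) location '%s'", tblNameLoc, tblLocation)` avoids that. The body of testSimplePrivileges starts and ends outside both hunks.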
@@ -215,6 +227,15 @@ public void testSimplePrivileges() throws Exception {
 validateCreateTable(tbl,tblName, dbName);
+ // Table creation should succeed even if location is specified
+ driver.run("use " + dbName);
+ ret = driver.run(
+ String.format("create table %s (a string) partitioned by (b string) location '" +
+ tblLocation + "'", tblNameLoc));
+ assertEquals(0, ret.getResponseCode());
+ Table tblLoc = msc.getTable(dbName, tblNameLoc);
+ validateCreateTable(tblLoc, tblNameLoc, dbName);
+
 String fakeUser = "mal";
 List fakeGroupNames = new ArrayList();
 fakeGroupNames.add("groupygroup");
diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java
index c105eae..ddbe30c 100644
--- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java
+++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java
@@ -148,22 +148,19 @@ public void authorize(Database db, Privilege[] readRequiredPriv, Privilege[] wri
 public void authorize(Table table, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)
 throws HiveException, AuthorizationException {
- // Table path can be null in the case of a new create table - in this case,
- // we try to determine what the path would be after the create table is issued.
- Path path = null;
+ // To create/drop/alter a table, the owner should have WRITE permission on the database directory
+ authorize(hive_db.getDatabase(table.getDbName()), readRequiredPriv, writeRequiredPriv);
+
+ // If the user has specified a location - external or not, check if the user has the
 try {
 initWh();
 String location = table.getTTable().getSd().getLocation();
- if (location == null || location.isEmpty()) {
- path = wh.getTablePath(hive_db.getDatabase(table.getDbName()), table.getTableName());
- } else {
- path = new Path(location);
+ if (location != null && !location.isEmpty()) {
+ authorize(new Path(location), readRequiredPriv, writeRequiredPriv);
 }
 } catch (MetaException ex) {
 throw hiveException(ex);
 }
-
- authorize(path, readRequiredPriv, writeRequiredPriv);
 }
 @Override
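Review bot: The new call `authorize(hive_db.getDatabase(table.getDbName()), readRequiredPriv, writeRequiredPriv)` runs on every table-level check and forwards both privilege arrays, while the comment above it speaks only of create/drop/alter. If callers also route plain reads or data writes on an existing table through this method (not visible in the hunk), those operations would now need matching access on the database directory too, which fails closed but may deny users who were granted access to a single table directory only. Either restrict the database check to the privileges that change the table itself, or reword the comment to say the check is intentionally applied to all operations. The second added comment is also cut off mid-sentence; something like `// If the user has specified a location - external or not - check that the user has the required permissions on it` would complete it.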