diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java
index 9bda95d..53d88b0 100644
--- a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java
+++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java
@@ -21,6 +21,7 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 import static org.mockito.Matchers.any;
 import static org.mockito.Mockito.reset;
 import static org.mockito.Mockito.verify;
@@ -141,6 +142,47 @@ public void testInputAllColumnsUsed() throws HiveAuthzPluginException, HiveAcces } @Test + public void testCreateTableWithDb() throws HiveAuthzPluginException, HiveAccessControlException, + CommandNeedRetryException { + final String newTable = "ctTableWithDb"; + checkCreateViewOrTableWithDb(newTable, "create table " + dbName + "." + newTable + "(i int)"); + } + + @Test + public void testCreateViewWithDb() throws HiveAuthzPluginException, HiveAccessControlException, + CommandNeedRetryException { + final String newTable = "ctViewWithDb"; + checkCreateViewOrTableWithDb(newTable, "create table " + dbName + "." + newTable + "(i int)"); + } + + private void checkCreateViewOrTableWithDb(String newTable, String cmd) + throws HiveAuthzPluginException, HiveAccessControlException { + reset(mockedAuthorizer); + int status = driver.compile(cmd); + assertEquals(0, status); + + List outputs = getHivePrivilegeObjectInputs().getRight(); + assertEquals("num outputs", 2, outputs.size()); + for (HivePrivilegeObject output : outputs) { + switch (output.getType()) { + case DATABASE: + assertTrue("database name", output.getDbname().equalsIgnoreCase(dbName)); + break; + case TABLE_OR_VIEW: + assertTrue("database name", output.getDbname().equalsIgnoreCase(dbName)); + assertEqualsIgnoreCase("table name", output.getObjectName(), newTable); + break; + default: + fail("Unexpected type : " + output.getType()); + } + } + } + + private void assertEqualsIgnoreCase(String msg, String expected, String actual) { + assertEquals(msg, expected.toLowerCase(), actual.toLowerCase()); + } + + @Test public void testInputNoColumnsUsed() throws HiveAuthzPluginException, HiveAccessControlException, CommandNeedRetryException { diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/BaseSemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/BaseSemanticAnalyzer.java index 60d490f..3e0e3ec 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/BaseSemanticAnalyzer.java 
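Review bot: `testCreateViewWithDb` sends a `create table` statement, so the db-qualified CREATE VIEW path that this commit changes in `analyzeCreateView` is never compiled by this test and the view-side output entities stay unchecked. The command should be a view definition, for example `checkCreateViewOrTableWithDb(newTable, "create view " + dbName + "." + newTable + " as select * from " + <existing fixture table>);`, using whichever table the test setup already creates (not visible in this hunk). Separately, `assertEqualsIgnoreCase("table name", output.getObjectName(), newTable)` passes the actual value in the `expected` position, which only distorts the failure message but is worth swapping.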
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/BaseSemanticAnalyzer.java @@ -1203,6 +1203,10 @@ protected Table getTable(String[] qualified) throws SemanticException { return getTable(qualified[0], qualified[1], true); } + protected Table getTable(String[] qualified, boolean throwException) throws SemanticException { + return getTable(qualified[0], qualified[1], throwException); + } + protected Table getTable(String tblName) throws SemanticException { return getTable(null, tblName, true); } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java index 7a71ec7..11de569 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java @@ -9992,7 +9992,9 @@ public RowResolver getRowResolver(Operator opt) { */ private ASTNode analyzeCreateTable(ASTNode ast, QB qb) throws SemanticException { - String tableName = getUnescapedName((ASTNode) ast.getChild(0)); + String[] qualifiedTabName = getQualifiedTableName((ASTNode) ast.getChild(0)); + String dbDotTab = getDotName(qualifiedTabName); + String likeTableName = null; List cols = new ArrayList(); List partCols = new ArrayList(); @@ -10018,7 +10020,7 @@ private ASTNode analyzeCreateTable(ASTNode ast, QB qb) RowFormatParams rowFormatParams = new RowFormatParams(); StorageFormat storageFormat = new StorageFormat(conf); - LOG.info("Creating table " + tableName + " position=" + LOG.info("Creating table " + dbDotTab + " position=" + ast.getCharPositionInLine()); int numCh = ast.getChildCount(); @@ -10149,7 +10151,7 @@ private ASTNode analyzeCreateTable(ASTNode ast, QB qb) // check for existence of table if (ifNotExists) { try { - Table table = getTable(tableName, false); + Table table = getTable(qualifiedTabName, false); if (table != null) { // table exists return null; } 
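Review bot: The new `getTable(String[] qualified, boolean throwException)` overload reads `qualified[0]` and `qualified[1]` without documenting or checking the array shape, so a caller that passes a one-element array gets an `ArrayIndexOutOfBoundsException` rather than a `SemanticException`. A short Javadoc would make the contract explicit, e.g. `/** @param qualified two-element array {dbName, tableName}; @param throwException whether a missing table raises SemanticException */`. The callers added in SemanticAnalyzer.java obtain the array from `getQualifiedTableName`, which appears to satisfy this, and the neighbouring one-argument overload carries the same unstated assumption.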
@@ -10159,11 +10161,7 @@ private ASTNode analyzeCreateTable(ASTNode ast, QB qb) } } - String[] qualified = Hive.getQualifiedNames(tableName); - String dbName = qualified.length == 1 ? SessionState.get().getCurrentDatabase() : qualified[0]; - Database database = getDatabase(dbName); - outputs.add(new WriteEntity(database, WriteEntity.WriteType.DDL_SHARED)); - outputs.add(new WriteEntity(new Table(dbName, tableName), WriteEntity.WriteType.DDL_NO_LOCK)); + addDbAndTabToOutputs(qualifiedTabName); if (isTemporary) { if (partCols.size() > 0) { @@ -10192,7 +10190,7 @@ private ASTNode analyzeCreateTable(ASTNode ast, QB qb) case CREATE_TABLE: // REGULAR CREATE TABLE DDL tblProps = addDefaultProperties(tblProps); - crtTblDesc = new CreateTableDesc(tableName, isExt, isTemporary, cols, partCols, + crtTblDesc = new CreateTableDesc(dbDotTab, isExt, isTemporary, cols, partCols, bucketCols, sortCols, numBuckets, rowFormatParams.fieldDelim, rowFormatParams.fieldEscape, rowFormatParams.collItemDelim, rowFormatParams.mapKeyDelim, rowFormatParams.lineDelim, @@ -10221,7 +10219,7 @@ private ASTNode analyzeCreateTable(ASTNode ast, QB qb) + "and source table in CREATE TABLE LIKE is partitioned."); } } - CreateTableLikeDesc crtTblLikeDesc = new CreateTableLikeDesc(tableName, isExt, isTemporary, + CreateTableLikeDesc crtTblLikeDesc = new CreateTableLikeDesc(dbDotTab, isExt, isTemporary, storageFormat.getInputFormat(), storageFormat.getOutputFormat(), location, storageFormat.getSerde(), storageFormat.getSerdeProps(), tblProps, ifNotExists, likeTableName); 
@@ -10234,9 +10232,9 @@ private ASTNode analyzeCreateTable(ASTNode ast, QB qb) // Verify that the table does not already exist try { - Table dumpTable = db.newTable(tableName); + Table dumpTable = db.newTable(dbDotTab); if (null != db.getTable(dumpTable.getDbName(), dumpTable.getTableName(), false)) { - throw new SemanticException(ErrorMsg.TABLE_ALREADY_EXISTS.getMsg(tableName)); + throw new SemanticException(ErrorMsg.TABLE_ALREADY_EXISTS.getMsg(dbDotTab)); } } catch (HiveException e) { throw new SemanticException(e); @@ -10244,11 +10242,10 @@ private ASTNode analyzeCreateTable(ASTNode ast, QB qb) tblProps = addDefaultProperties(tblProps); - crtTblDesc = new CreateTableDesc(dbName, tableName, isExt, isTemporary, cols, partCols, - bucketCols, sortCols, numBuckets, rowFormatParams.fieldDelim, - rowFormatParams.fieldEscape, - rowFormatParams.collItemDelim, rowFormatParams.mapKeyDelim, rowFormatParams.lineDelim, - comment, storageFormat.getInputFormat(), + crtTblDesc = new CreateTableDesc(qualifiedTabName[0], dbDotTab, isExt, isTemporary, cols, + partCols, bucketCols, sortCols, numBuckets, rowFormatParams.fieldDelim, + rowFormatParams.fieldEscape, rowFormatParams.collItemDelim, rowFormatParams.mapKeyDelim, + rowFormatParams.lineDelim, comment, storageFormat.getInputFormat(), storageFormat.getOutputFormat(), location, storageFormat.getSerde(), storageFormat.getStorageHandler(), storageFormat.getSerdeProps(), tblProps, ifNotExists, skewedColNames, skewedValues); 
@@ -10265,9 +10262,17 @@ private ASTNode analyzeCreateTable(ASTNode ast, QB qb) return null; } + private void addDbAndTabToOutputs(String[] qualifiedTabName) throws SemanticException { + Database database = getDatabase(qualifiedTabName[0]); + outputs.add(new WriteEntity(database, WriteEntity.WriteType.DDL_SHARED)); + outputs.add(new WriteEntity(new Table(qualifiedTabName[0], qualifiedTabName[1]), + WriteEntity.WriteType.DDL_NO_LOCK)); + } + private ASTNode analyzeCreateView(ASTNode ast, QB qb) throws SemanticException { - String tableName = getUnescapedName((ASTNode) ast.getChild(0)); + String[] qualTabName = getQualifiedTableName((ASTNode) ast.getChild(0)); + String dbDotTable = getDotName(qualTabName); List cols = null; boolean ifNotExists = false; boolean orReplace = false; @@ -10277,7 +10282,7 @@ private ASTNode analyzeCreateView(ASTNode ast, QB qb) Map tblProps = null; List partColNames = null; - LOG.info("Creating view " + tableName + " position=" + LOG.info("Creating view " + dbDotTable + " position=" + ast.getCharPositionInLine()); int numCh = ast.getChildCount(); for (int num = 1; num < numCh; num++) { @@ -10319,13 +10324,14 @@ private ASTNode analyzeCreateView(ASTNode ast, QB qb) } createVwDesc = new CreateViewDesc( - tableName, cols, comment, tblProps, partColNames, + dbDotTable, cols, comment, tblProps, partColNames, ifNotExists, orReplace, isAlterViewAs); unparseTranslator.enable(); rootTasks.add(TaskFactory.get(new DDLWork(getInputs(), getOutputs(), createVwDesc), conf)); + addDbAndTabToOutputs(qualTabName); return selectStmt; } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/TaskCompiler.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/TaskCompiler.java index a8d9a15..0f714b5 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/TaskCompiler.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/TaskCompiler.java 
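Review bot: In `analyzeCreateView` the call `addDbAndTabToOutputs(qualTabName)` is placed after `new DDLWork(getInputs(), getOutputs(), createVwDesc)` has already been constructed, so the task only sees the database and view entities if `getOutputs()` hands out the live set rather than a copy (not visible here). Moving the call above `rootTasks.add(...)` removes that dependency and matches `analyzeCreateTable`, where the outputs are registered before any descriptor is built. Because the test added in this commit reads the DATABASE and TABLE_OR_VIEW objects from the authorizer's outputs, the helper also deserves a one-line comment such as `// register target db and table/view as write entities so authorization sees them`. `analyzeCreateView` begins and continues outside the hunks shown.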
@@ -21,6 +21,7 @@ import java.io.Serializable; import java.util.ArrayList; import java.util.HashSet; +import java.util.Iterator; import java.util.LinkedHashSet; import java.util.List; import java.util.Set; @@ -227,11 +228,19 @@ public void compile(final ParseContext pCtx, final List outIter = outputs.iterator(); + while (outIter.hasNext()) { + switch (outIter.next().getType()) { + case DFS_DIR: + case LOCAL_DIR: + outIter.remove(); + break; + default: + break; + } + } Task crtTblTask = TaskFactory.get(new DDLWork( inputs, outputs, crtTblDesc), conf); diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java index 45404fe..bd10b1a 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java @@ -276,8 +276,9 @@ public HivePrivilegeObjectType getObjectType() { (SEL_NOGRANT_AR, null)); op2Priv.put(HiveOperationType.SHOW_TBLPROPERTIES, PrivRequirement.newIOPrivRequirement (SEL_NOGRANT_AR, null)); - op2Priv.put(HiveOperationType.CREATETABLE_AS_SELECT, PrivRequirement.newIOPrivRequirement -(SEL_NOGRANT_AR, null)); + op2Priv.put(HiveOperationType.CREATETABLE_AS_SELECT, PrivRequirement.newPrivRequirementList( + new PrivRequirement(SEL_NOGRANT_AR, IOType.INPUT), + new PrivRequirement(OWNER_PRIV_AR, HivePrivilegeObjectType.DATABASE))); // QUERY,LOAD op can contain an insert & overwrite, // require delete privilege if this is an insert-overwrite 
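Review bot: The iterator loop that strips `DFS_DIR` and `LOCAL_DIR` entries from `outputs` before `new DDLWork(inputs, outputs, crtTblDesc)` carries no comment explaining why exactly these two types are dropped and everything else is kept. Since the remaining entries now include the database and table entities that the CTAS privilege requirement is evaluated against, I would add something like `// drop only directory outputs of the select; keep db/table entities of the new table`, adjusted to the actual intent. The `default: break;` arm means any entity type introduced later is silently kept, which should be stated as deliberate. The enclosing `compile` method lies outside this hunk and part of the hunk text is damaged in this view, so the removed lines could not be compared.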
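Review bot: None of the negative tests added on this page exercises a database-qualified CTAS target, although qualified names are what the analyzer changes are about: `authorization_ctas2.q` switches with `use ctas_auth` and then creates the unqualified `t2`. A statement of the form `create table ctas_auth.t2 as select * from default.t1;` issued while another database is current, probably in its own clientnegative file, would pin that the `OWNER_PRIV_AR` requirement on `HivePrivilegeObjectType.DATABASE` is evaluated against the target database and not the session's current one. `authorization_create_view.q` already covers the equivalent case for views with `db1.view1`.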
@@ -300,8 +301,9 @@ public HivePrivilegeObjectType getObjectType() { // for now allow only create-view with 'select with grant' // the owner will also have select with grant privileges on new view - op2Priv.put(HiveOperationType.CREATEVIEW, PrivRequirement.newIOPrivRequirement -(SEL_GRANT_AR, null)); + op2Priv.put(HiveOperationType.CREATEVIEW, PrivRequirement.newPrivRequirementList( + new PrivRequirement(SEL_GRANT_AR, IOType.INPUT), + new PrivRequirement(OWNER_PRIV_AR, HivePrivilegeObjectType.DATABASE))); op2Priv.put(HiveOperationType.SHOWFUNCTIONS, PrivRequirement.newIOPrivRequirement (null, null)); diff --git a/ql/src/test/queries/clientnegative/authorization_create_tbl.q b/ql/src/test/queries/clientnegative/authorization_create_tbl.q new file mode 100644 index 0000000..f0f398f --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_create_tbl.q @@ -0,0 +1,11 @@ +set hive.test.authz.sstd.hs2.mode=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; + +set hive.security.authorization.enabled=true; +set user.name=user33; +create database db23221; +use db23221; + +set user.name=user44; +create table twew221(a string); diff --git a/ql/src/test/queries/clientnegative/authorization_create_view.q b/ql/src/test/queries/clientnegative/authorization_create_view.q new file mode 100644 index 0000000..6438cdd --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_create_view.q 
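Review bot: The new CREATEVIEW requirement list checks `SEL_GRANT_AR` on inputs and `OWNER_PRIV_AR` on the database, but nothing on an output of type TABLE_OR_VIEW, while `analyzeCreateView` now adds the view itself to the outputs and also parses an `orReplace` flag. If CREATE OR REPLACE VIEW is authorized under this same operation type (not visible on this page), a database owner could replace a view owned by another principal without any ownership check on that view. That should be confirmed, and if it holds, covered by an ownership requirement on the existing view plus a negative test for replace by a non-owner. The comment above the entry, `// for now allow only create-view with 'select with grant'`, should also be extended to mention the database-ownership requirement.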
@@ -0,0 +1,13 @@
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set hive.security.authorization.enabled=true;
+
+set user.name=user3;
+create database db1;
+use db1;
+create table tab1(i int);
+
+set user.name=user4;
+-- create view should fail as view is being created in db that it does not own
+create view db1.view1(i) as select * from tab1;
diff --git a/ql/src/test/queries/clientnegative/authorization_ctas2.q b/ql/src/test/queries/clientnegative/authorization_ctas2.q
new file mode 100644
index 0000000..0bf634c
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_ctas2.q
@@ -0,0 +1,14 @@
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set hive.security.authorization.enabled=true;
+
+set user.name=user_dbowner;
+-- check ctas without db ownership
+create database ctas_auth;
+
+set user.name=user_unauth;
+create table t1(i int);
+use ctas_auth;
+show tables;
+create table t2 as select * from default.t1;
diff --git a/ql/src/test/queries/clientnegative/authorize_create_tbl.q b/ql/src/test/queries/clientnegative/authorize_create_tbl.q
deleted file mode 100644
index f0f398f..0000000
--- a/ql/src/test/queries/clientnegative/authorize_create_tbl.q
+++ /dev/null
@@ -1,11 +0,0 @@
-set hive.test.authz.sstd.hs2.mode=true;
-set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
-set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
-
-set hive.security.authorization.enabled=true;
-set user.name=user33;
-create database db23221;
-use db23221;
-
-set user.name=user44;
-create table twew221(a string);
diff --git a/ql/src/test/results/clientnegative/authorization_create_tbl.q.out b/ql/src/test/results/clientnegative/authorization_create_tbl.q.out
new file mode 100644
index 0000000..5db06f1
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_create_tbl.q.out
@@ -0,0 +1,13 @@
+PREHOOK: query: create database db23221
+PREHOOK: type: CREATEDATABASE
+PREHOOK: Output: database:db23221
+POSTHOOK: query: create database db23221
+POSTHOOK: type: CREATEDATABASE
+POSTHOOK: Output: database:db23221
+PREHOOK: query: use db23221
+PREHOOK: type: SWITCHDATABASE
+PREHOOK: Input: database:db23221
+POSTHOOK: query: use db23221
+POSTHOOK: type: SWITCHDATABASE
+POSTHOOK: Input: database:db23221
+FAILED: HiveAccessControlException Permission denied: Principal [name=user44, type=USER] does not have following privileges for operation CREATETABLE [[OBJECT OWNERSHIP] on Object [type=DATABASE, name=db23221]]
diff --git a/ql/src/test/results/clientnegative/authorization_create_view.q.out b/ql/src/test/results/clientnegative/authorization_create_view.q.out
new file mode 100644
index 0000000..f272aec
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_create_view.q.out
@@ -0,0 +1,21 @@
+PREHOOK: query: create database db1
+PREHOOK: type: CREATEDATABASE
+PREHOOK: Output: database:db1
+POSTHOOK: query: create database db1
+POSTHOOK: type: CREATEDATABASE
+POSTHOOK: Output: database:db1
+PREHOOK: query: use db1
+PREHOOK: type: SWITCHDATABASE
+PREHOOK: Input: database:db1
+POSTHOOK: query: use db1
+POSTHOOK: type: SWITCHDATABASE
+POSTHOOK: Input: database:db1
+PREHOOK: query: create table tab1(i int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:db1
+PREHOOK: Output: db1@tab1
+POSTHOOK: query: create table tab1(i int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:db1
+POSTHOOK: Output: db1@tab1
+FAILED: HiveAccessControlException Permission denied: Principal [name=user4, type=USER] does not have following privileges for operation CREATEVIEW [[OBJECT OWNERSHIP] on Object [type=DATABASE, name=db1], [SELECT with grant] on Object [type=TABLE_OR_VIEW, name=db1.tab1]]
diff --git a/ql/src/test/results/clientnegative/authorization_ctas2.q.out b/ql/src/test/results/clientnegative/authorization_ctas2.q.out
new file mode 100644
index 0000000..6b6a50b
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_ctas2.q.out
@@ -0,0 +1,27 @@
+#### A masked pattern was here ####
+create database ctas_auth
+PREHOOK: type: CREATEDATABASE
+PREHOOK: Output: database:ctas_auth
+#### A masked pattern was here ####
+create database ctas_auth
+POSTHOOK: type: CREATEDATABASE
+POSTHOOK: Output: database:ctas_auth
+PREHOOK: query: create table t1(i int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+PREHOOK: Output: default@t1
+POSTHOOK: query: create table t1(i int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@t1
+PREHOOK: query: use ctas_auth
+PREHOOK: type: SWITCHDATABASE
+PREHOOK: Input: database:ctas_auth
+POSTHOOK: query: use ctas_auth
+POSTHOOK: type: SWITCHDATABASE
+POSTHOOK: Input: database:ctas_auth
+PREHOOK: query: show tables
+PREHOOK: type: SHOWTABLES
+POSTHOOK: query: show tables
+POSTHOOK: type: SHOWTABLES
+FAILED: HiveAccessControlException Permission denied: Principal [name=user_unauth, type=USER] does not have following privileges for operation CREATETABLE_AS_SELECT [[OBJECT OWNERSHIP] on Object [type=DATABASE, name=ctas_auth]]
diff --git a/ql/src/test/results/clientnegative/authorization_drop_db_cascade.q.out b/ql/src/test/results/clientnegative/authorization_drop_db_cascade.q.out
index 8ffa555..d267a89 100644
--- a/ql/src/test/results/clientnegative/authorization_drop_db_cascade.q.out
+++ b/ql/src/test/results/clientnegative/authorization_drop_db_cascade.q.out
@@ -9,11 +9,10 @@ POSTHOOK: Output: database:dba1
 PREHOOK: query: create table dba1.tab1(i int)
 PREHOOK: type: CREATETABLE
 PREHOOK: Output: database:dba1
-PREHOOK: Output: dba1@dba1.tab1
+PREHOOK: Output: dba1@tab1
 POSTHOOK: query: create table dba1.tab1(i int)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: database:dba1
-POSTHOOK: Output: dba1@dba1.tab1
 POSTHOOK: Output: dba1@tab1
 PREHOOK: query: drop database dba1 cascade
 PREHOOK: type: DROPDATABASE
@@ -36,11 +35,10 @@ POSTHOOK: Output: database:dba2
 PREHOOK: query: create table dba2.tab2(i int)
 PREHOOK: type: CREATETABLE
 PREHOOK: Output: database:dba2
-PREHOOK: Output: dba2@dba2.tab2
+PREHOOK: Output: dba2@tab2
 POSTHOOK: query: create table dba2.tab2(i int)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: database:dba2
-POSTHOOK: Output: dba2@dba2.tab2
 POSTHOOK: Output: dba2@tab2
 PREHOOK: query: set role ADMIN
 PREHOOK: type: SHOW_ROLES
diff --git a/ql/src/test/results/clientnegative/authorization_not_owner_drop_view.q.out b/ql/src/test/results/clientnegative/authorization_not_owner_drop_view.q.out
index 305d6d8..9a79b7d 100644
--- a/ql/src/test/results/clientnegative/authorization_not_owner_drop_view.q.out
+++ b/ql/src/test/results/clientnegative/authorization_not_owner_drop_view.q.out
@@ -11,8 +11,11 @@ POSTHOOK: Output: default@t1
 PREHOOK: query: create view vt1 as select * from t1
 PREHOOK: type: CREATEVIEW
 PREHOOK: Input: default@t1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@vt1
 POSTHOOK: query: create view vt1 as select * from t1
 POSTHOOK: type: CREATEVIEW
 POSTHOOK: Input: default@t1
+POSTHOOK: Output: database:default
 POSTHOOK: Output: default@vt1
 FAILED: HiveAccessControlException Permission denied: Principal [name=user2, type=USER] does not have following privileges for operation DROPVIEW [[OBJECT OWNERSHIP] on Object [type=TABLE_OR_VIEW, name=default.vt1], [OBJECT OWNERSHIP] on Object [type=TABLE_OR_VIEW, name=default.vt1]]
diff --git a/ql/src/test/results/clientnegative/authorization_part.q.out b/ql/src/test/results/clientnegative/authorization_part.q.out
index 26e645b..6238782 100644
--- a/ql/src/test/results/clientnegative/authorization_part.q.out
+++ b/ql/src/test/results/clientnegative/authorization_part.q.out
@@ -21,9 +21,12 @@ POSTHOOK: Output: default@authorization_part_fail
 PREHOOK: query: create table src_auth as select * from src
 PREHOOK: type: CREATETABLE_AS_SELECT
 PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_auth
 POSTHOOK: query: create table src_auth as select * from src
 POSTHOOK: type: CREATETABLE_AS_SELECT
 POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
 POSTHOOK: Output: default@src_auth
 PREHOOK: query: grant Create on table authorization_part_fail to user hive_test_user
 PREHOOK: type: GRANT_PRIVILEGE
diff --git a/ql/src/test/results/clientnegative/authorization_select_view.q.out b/ql/src/test/results/clientnegative/authorization_select_view.q.out
index ba1fc89..a2a6b66 100644
--- a/ql/src/test/results/clientnegative/authorization_select_view.q.out
+++ b/ql/src/test/results/clientnegative/authorization_select_view.q.out
@@ -11,8 +11,11 @@ POSTHOOK: Output: default@t1
 PREHOOK: query: create view v1 as select * from t1
 PREHOOK: type: CREATEVIEW
 PREHOOK: Input: default@t1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v1
 POSTHOOK: query: create view v1 as select * from t1
 POSTHOOK: type: CREATEVIEW
 POSTHOOK: Input: default@t1
+POSTHOOK: Output: database:default
 POSTHOOK: Output: default@v1
 FAILED: HiveAccessControlException Permission denied: Principal [name=user1, type=USER] does not have following privileges for operation QUERY [[SELECT] on Object [type=TABLE_OR_VIEW, name=default.v1]]
diff --git a/ql/src/test/results/clientnegative/authorize_create_tbl.q.out b/ql/src/test/results/clientnegative/authorize_create_tbl.q.out
deleted file mode 100644
index 5db06f1..0000000
--- a/ql/src/test/results/clientnegative/authorize_create_tbl.q.out
+++ /dev/null
@@ -1,13 +0,0 @@ -PREHOOK: query: create database db23221 -PREHOOK: type: CREATEDATABASE -PREHOOK: Output: database:db23221 -POSTHOOK: query: create database db23221 -POSTHOOK: type: CREATEDATABASE -POSTHOOK: Output: database:db23221 -PREHOOK: query: use db23221 -PREHOOK: type: SWITCHDATABASE -PREHOOK: Input: database:db23221 -POSTHOOK: query: use db23221 -POSTHOOK: type: SWITCHDATABASE -POSTHOOK: Input: database:db23221 -FAILED: HiveAccessControlException Permission denied: Principal [name=user44, type=USER] does not have following privileges for operation CREATETABLE [[OBJECT OWNERSHIP] on Object [type=DATABASE, name=db23221]] diff --git a/ql/src/test/results/clientpositive/alter_rename_partition_authorization.q.out b/ql/src/test/results/clientpositive/alter_rename_partition_authorization.q.out index 5e7c3e2..d35bf40 100644 --- a/ql/src/test/results/clientpositive/alter_rename_partition_authorization.q.out +++ b/ql/src/test/results/clientpositive/alter_rename_partition_authorization.q.out @@ -3,11 +3,14 @@ PREHOOK: query: -- SORT_BEFORE_DIFF create table src_auth_tmp as select * from src PREHOOK: type: CREATETABLE_AS_SELECT PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@src_auth_tmp POSTHOOK: query: -- SORT_BEFORE_DIFF create table src_auth_tmp as select * from src POSTHOOK: type: CREATETABLE_AS_SELECT POSTHOOK: Input: default@src +POSTHOOK: Output: database:default POSTHOOK: Output: default@src_auth_tmp PREHOOK: query: create table authorization_part (key int, value string) partitioned by (ds string) PREHOOK: type: CREATETABLE diff --git a/ql/src/test/results/clientpositive/authorization_1.q.out b/ql/src/test/results/clientpositive/authorization_1.q.out index dac0820..ef74167 100644 --- a/ql/src/test/results/clientpositive/authorization_1.q.out +++ b/ql/src/test/results/clientpositive/authorization_1.q.out 
@@ -3,11 +3,14 @@ PREHOOK: query: -- SORT_BEFORE_DIFF create table src_autho_test as select * from src PREHOOK: type: CREATETABLE_AS_SELECT PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@src_autho_test POSTHOOK: query: -- SORT_BEFORE_DIFF create table src_autho_test as select * from src POSTHOOK: type: CREATETABLE_AS_SELECT POSTHOOK: Input: default@src +POSTHOOK: Output: database:default POSTHOOK: Output: default@src_autho_test PREHOOK: query: --table grant to user diff --git a/ql/src/test/results/clientpositive/authorization_2.q.out b/ql/src/test/results/clientpositive/authorization_2.q.out index 0da0ec2..e92763c 100644 --- a/ql/src/test/results/clientpositive/authorization_2.q.out +++ b/ql/src/test/results/clientpositive/authorization_2.q.out @@ -13,9 +13,12 @@ POSTHOOK: Output: default@authorization_part PREHOOK: query: create table src_auth_tmp as select * from src PREHOOK: type: CREATETABLE_AS_SELECT PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@src_auth_tmp POSTHOOK: query: create table src_auth_tmp as select * from src POSTHOOK: type: CREATETABLE_AS_SELECT POSTHOOK: Input: default@src +POSTHOOK: Output: database:default POSTHOOK: Output: default@src_auth_tmp PREHOOK: query: ALTER TABLE authorization_part SET TBLPROPERTIES ("PARTITION_LEVEL_PRIVILEGE"="TRUE") PREHOOK: type: ALTERTABLE_PROPERTIES diff --git a/ql/src/test/results/clientpositive/authorization_3.q.out b/ql/src/test/results/clientpositive/authorization_3.q.out index 8de1daf..2b53233 100644 --- a/ql/src/test/results/clientpositive/authorization_3.q.out +++ b/ql/src/test/results/clientpositive/authorization_3.q.out 
@@ -3,11 +3,14 @@ PREHOOK: query: -- SORT_BEFORE_DIFF create table src_autho_test as select * from src PREHOOK: type: CREATETABLE_AS_SELECT PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@src_autho_test POSTHOOK: query: -- SORT_BEFORE_DIFF create table src_autho_test as select * from src POSTHOOK: type: CREATETABLE_AS_SELECT POSTHOOK: Input: default@src +POSTHOOK: Output: database:default POSTHOOK: Output: default@src_autho_test PREHOOK: query: grant drop on table src_autho_test to user hive_test_user PREHOOK: type: GRANT_PRIVILEGE diff --git a/ql/src/test/results/clientpositive/authorization_4.q.out b/ql/src/test/results/clientpositive/authorization_4.q.out index 881c128..67a30fd 100644 --- a/ql/src/test/results/clientpositive/authorization_4.q.out +++ b/ql/src/test/results/clientpositive/authorization_4.q.out @@ -3,11 +3,14 @@ PREHOOK: query: -- SORT_BEFORE_DIFF create table src_autho_test as select * from src PREHOOK: type: CREATETABLE_AS_SELECT PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@src_autho_test POSTHOOK: query: -- SORT_BEFORE_DIFF create table src_autho_test as select * from src POSTHOOK: type: CREATETABLE_AS_SELECT POSTHOOK: Input: default@src +POSTHOOK: Output: database:default POSTHOOK: Output: default@src_autho_test PREHOOK: query: grant All on table src_autho_test to user hive_test_user PREHOOK: type: GRANT_PRIVILEGE diff --git a/ql/src/test/results/clientpositive/authorization_6.q.out b/ql/src/test/results/clientpositive/authorization_6.q.out index 02c4109..0341094 100644 --- a/ql/src/test/results/clientpositive/authorization_6.q.out +++ b/ql/src/test/results/clientpositive/authorization_6.q.out 
@@ -3,11 +3,14 @@ PREHOOK: query: -- SORT_BEFORE_DIFF create table src_auth_tmp as select * from src PREHOOK: type: CREATETABLE_AS_SELECT PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@src_auth_tmp POSTHOOK: query: -- SORT_BEFORE_DIFF create table src_auth_tmp as select * from src POSTHOOK: type: CREATETABLE_AS_SELECT POSTHOOK: Input: default@src +POSTHOOK: Output: database:default POSTHOOK: Output: default@src_auth_tmp PREHOOK: query: create table authorization_part (key int, value string) partitioned by (ds string) PREHOOK: type: CREATETABLE diff --git a/ql/src/test/results/clientpositive/authorization_8.q.out b/ql/src/test/results/clientpositive/authorization_8.q.out index 47791fd..9fed5dc 100644 --- a/ql/src/test/results/clientpositive/authorization_8.q.out +++ b/ql/src/test/results/clientpositive/authorization_8.q.out @@ -13,9 +13,12 @@ POSTHOOK: Output: default@tbl_j5jbymsx8e PREHOOK: query: CREATE VIEW view_j5jbymsx8e_1 as SELECT * FROM tbl_j5jbymsx8e PREHOOK: type: CREATEVIEW PREHOOK: Input: default@tbl_j5jbymsx8e +PREHOOK: Output: database:default +PREHOOK: Output: default@view_j5jbymsx8e_1 POSTHOOK: query: CREATE VIEW view_j5jbymsx8e_1 as SELECT * FROM tbl_j5jbymsx8e POSTHOOK: type: CREATEVIEW POSTHOOK: Input: default@tbl_j5jbymsx8e +POSTHOOK: Output: database:default POSTHOOK: Output: default@view_j5jbymsx8e_1 PREHOOK: query: DESCRIBE view_j5jbymsx8e_1 PREHOOK: type: DESCTABLE diff --git a/ql/src/test/results/clientpositive/authorization_cli_createtab.q.out b/ql/src/test/results/clientpositive/authorization_cli_createtab.q.out index 79a0a95..a75d64b 100644 --- a/ql/src/test/results/clientpositive/authorization_cli_createtab.q.out +++ b/ql/src/test/results/clientpositive/authorization_cli_createtab.q.out 
@@ -23,9 +23,12 @@ default t_cli hive_test_user USER UPDATE true -1 hive_test_user
 PREHOOK: query: create view v_cli (i) as select i from t_cli
 PREHOOK: type: CREATEVIEW
 PREHOOK: Input: default@t_cli
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v_cli
 POSTHOOK: query: create view v_cli (i) as select i from t_cli
 POSTHOOK: type: CREATEVIEW
 POSTHOOK: Input: default@t_cli
+POSTHOOK: Output: database:default
 POSTHOOK: Output: default@v_cli
 PREHOOK: query: show grant user hive_test_user on v_cli
 PREHOOK: type: SHOW_GRANT
diff --git a/ql/src/test/results/clientpositive/authorization_create_temp_table.q.out b/ql/src/test/results/clientpositive/authorization_create_temp_table.q.out
index b171d6c..c87862d 100644
--- a/ql/src/test/results/clientpositive/authorization_create_temp_table.q.out
+++ b/ql/src/test/results/clientpositive/authorization_create_temp_table.q.out
@@ -1,9 +1,12 @@
 PREHOOK: query: create table authorization_create_temp_table_1 as select * from src limit 10
 PREHOOK: type: CREATETABLE_AS_SELECT
 PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@authorization_create_temp_table_1
 POSTHOOK: query: create table authorization_create_temp_table_1 as select * from src limit 10
 POSTHOOK: type: CREATETABLE_AS_SELECT
 POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
 POSTHOOK: Output: default@authorization_create_temp_table_1
 PREHOOK: query: grant select on authorization_create_temp_table_1 to user user1
 PREHOOK: type: GRANT_PRIVILEGE
diff --git a/ql/src/test/results/clientpositive/authorization_owner_actions.q.out b/ql/src/test/results/clientpositive/authorization_owner_actions.q.out
index ad81888..41d339c 100644
--- a/ql/src/test/results/clientpositive/authorization_owner_actions.q.out
+++ b/ql/src/test/results/clientpositive/authorization_owner_actions.q.out
@@ -35,9 +35,12 @@ POSTHOOK: Output: default@t1
 PREHOOK: query: create view vt1 as select * from t1
 PREHOOK: type: CREATEVIEW
 PREHOOK: Input: default@t1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@vt1
 POSTHOOK: query: create view vt1 as select * from t1
 POSTHOOK: type: CREATEVIEW
 POSTHOOK: Input: default@t1
+POSTHOOK: Output: database:default
 POSTHOOK: Output: default@vt1
 PREHOOK: query: drop view vt1
 PREHOOK: type: DROPVIEW
diff --git a/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out b/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out
index 279554d..39367be 100644
--- a/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out
+++ b/ql/src/test/results/clientpositive/authorization_view_sqlstd.q.out
@@ -22,19 +22,25 @@ PREHOOK: query: -- protecting certain columns
 create view vt1 as select i,k from t1
 PREHOOK: type: CREATEVIEW
 PREHOOK: Input: default@t1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@vt1
 POSTHOOK: query: -- protecting certain columns
 create view vt1 as select i,k from t1
 POSTHOOK: type: CREATEVIEW
 POSTHOOK: Input: default@t1
+POSTHOOK: Output: database:default
 POSTHOOK: Output: default@vt1
 PREHOOK: query: -- protecting certain rows
 create view vt2 as select * from t1 where i > 1
 PREHOOK: type: CREATEVIEW
 PREHOOK: Input: default@t1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@vt2
 POSTHOOK: query: -- protecting certain rows
 create view vt2 as select * from t1 where i > 1
 POSTHOOK: type: CREATEVIEW
 POSTHOOK: Input: default@t1
+POSTHOOK: Output: database:default
 POSTHOOK: Output: default@vt2
 PREHOOK: query: show grant user user1 on all
 PREHOOK: type: SHOW_GRANT