diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java index 89429b6..88004c8 100644 --- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java +++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java @@ -30,7 +30,7 @@ * To be used for testing purposes only! */ @Private -public class SQLStdHiveAccessControllerForTest extends SQLStdHiveAccessController { +public class SQLStdHiveAccessControllerForTest extends SQLStdHiveAccessControllerWrapper { SQLStdHiveAccessControllerForTest(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws HiveAuthzPluginException { diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java index 1d039ad..8edb253 100644 --- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java +++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java @@ -38,7 +38,7 @@ public SQLStdHiveAuthorizationValidatorForTest(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, HiveAuthenticationProvider authenticator, - SQLStdHiveAccessController privController) { + SQLStdHiveAccessControllerWrapper privController) { super(metastoreClientFactory, conf, authenticator, privController); } 
diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java index 0f41a8f..bf00ae4 100644 --- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java +++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java @@ -32,7 +32,7 @@ @Override public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws HiveAuthzPluginException { - SQLStdHiveAccessController privilegeManager = + SQLStdHiveAccessControllerWrapper privilegeManager = new SQLStdHiveAccessControllerForTest(metastoreClientFactory, conf, authenticator, ctx); return new HiveAuthorizerImpl( privilegeManager, diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java index f92ecf2..10ef7e5 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java @@ -206,7 +206,7 @@ public HiveAuthorizationTaskFactoryImpl(HiveConf conf, Hive db) { List roles = new ArrayList(); for (int i = rolesStartPos; i < ast.getChildCount(); i++) { - roles.add(BaseSemanticAnalyzer.unescapeIdentifier(ast.getChild(i).getText()).toLowerCase()); + roles.add(BaseSemanticAnalyzer.unescapeIdentifier(ast.getChild(i).getText())); } String roleOwnerName = SessionState.getUserFromAuthenticator(); 
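Review bot: Dropping `.toLowerCase()` from the parsed role names makes role handling case-sensitive for every authorizer that does not go through the new SQL-standard wrapper; the new `authorization_role_case.q` output confirms that under legacy authorization `grant ... to role mixcaserole2` now fails with `Role mixcaserole2 does not exist` although `mixCaseRole2` exists. Because `show roles` in that output lists `mixCaseRole1` as typed, two roles differing only in case can now coexist under legacy auth, and roles created before this change were stored lower-cased by the removed code, so existing scripts that grant with a different case will start failing — this deserves a release note. A one-line comment here would spare the next reader the search: `// role names are passed through as written; case normalization is the authorizer's job (SQLStdHiveAccessControllerWrapper)`. The enclosing method starts before this hunk.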
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/plan/RoleDDLDesc.java b/ql/src/java/org/apache/hadoop/hive/ql/plan/RoleDDLDesc.java
index 8413fb7..2aae751 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/plan/RoleDDLDesc.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/plan/RoleDDLDesc.java
@@ -102,8 +102,7 @@ public RoleDDLDesc(String roleName, RoleOperation operation) {
 public RoleDDLDesc(String principalName, PrincipalType principalType, RoleOperation operation, String roleOwnerName) {
- this.name = (principalName != null && principalType == PrincipalType.ROLE) ?
- principalName.toLowerCase() : principalName;
+ this.name = principalName;
 this.principalType = principalType;
 this.operation = operation;
 this.roleOwnerName = roleOwnerName;
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java
index 2113f45..93df9f4 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/AuthorizationUtils.java
@@ -67,9 +67,6 @@ public static HivePrincipalType getHivePrincipalType(PrincipalType type) throws
 case ROLE:
 return HivePrincipalType.ROLE;
 case GROUP:
- if (SessionState.get().getAuthorizationMode() == SessionState.AuthorizationMode.V2) {
- throw new HiveException(ErrorMsg.UNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP);
- }
 return HivePrincipalType.GROUP;
 default:
 //should not happen as we take care of all existing types
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java
index 30a4496..d8f530b 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java
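Review bot: Removing the V2-mode rejection of GROUP from `getHivePrincipalType` moves that check out of the shared conversion path, so any V2 `HiveAuthorizer` other than the SQL-standard one now receives `HivePrincipalType.GROUP` principals it previously never saw; only the SQL-standard wrapper re-adds the rejection, via `SQLAuthorizationUtils.getValidatedPrincipal`. If that is intended, say so here: `// GROUP is passed through in all modes; authorizers that do not support it must reject it themselves (see SQLAuthorizationUtils.getValidatedPrincipal)`. If `ErrorMsg.UNSUPPORTED_AUTHORIZATION_PRINCIPAL_TYPE_GROUP` and the `SessionState`/`ErrorMsg` imports are now unused in this file they should go too, though their other uses are not visible from this diff. The enclosing method starts before this hunk.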
@@ -50,16 +50,9 @@ public String toString() {
 public HivePrincipal(String name, HivePrincipalType type){
 this.type = type;
- if (type == HivePrincipalType.ROLE) {
- // lower case role to make operations on it case insensitive
- // when the old default authorization gets deprecated, this can move
- // to ObjectStore code base
- this.name = name.toLowerCase();
- } else {
- this.name = name;
- }
-
+ this.name = name;
 }
+
 public String getName() {
 return name;
 }
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
index a6b008a..96c4b48 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
@@ -17,7 +17,6 @@
 */
 package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
-import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -25,6 +24,7 @@
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.ListIterator;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
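Review bot: With the lower-casing gone from this constructor, a ROLE `HivePrincipal` now carries its name exactly as given, so any code that still builds ROLE principals outside the wrapper and compares names — for example matching a user's current roles against a grant's grantee — must normalize on both sides or start missing matches; this diff shows the wrapper normalizing DDL inputs, not the read paths. The dropped comment was the only place documenting that behaviour; a replacement Javadoc on the constructor would make the new contract explicit: `/** Stores name as given. SQL-standard authorization lower-cases role names before constructing principals (see SQLAuthorizationUtils.getValidatedPrincipal). */`. If `equals`/`hashCode` are defined on this class they are now case-sensitive for roles; they are not visible in this hunk.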
@@ -416,4 +416,43 @@ static HiveAuthzPluginException getPluginException(String prefix, Exception e) {
 return new HiveAuthzPluginException(prefix + ": " + e.getMessage(), e);
 }
+ /**
+ * Validate the principal type, and convert role name to lower case
+ * @param hPrincipal
+ * @return validated principal
+ * @throws HiveAuthzPluginException
+ */
+ public static HivePrincipal getValidatedPrincipal(HivePrincipal hPrincipal)
+ throws HiveAuthzPluginException {
+ if (hPrincipal == null || hPrincipal.getType() == null) {
+ // null principal
+ return hPrincipal;
+ }
+ switch (hPrincipal.getType()) {
+ case USER:
+ return hPrincipal;
+ case ROLE:
+ // lower case role names, for case insensitive behavior
+ return new HivePrincipal(hPrincipal.getName().toLowerCase(), hPrincipal.getType());
+ default:
+ throw new HiveAuthzPluginException("Invalid principal type in principal " + hPrincipal);
+ }
+ }
+
+ /**
+ * Calls getValidatedPrincipal on each principal in list and updates the list
+ * @param hivePrincipals
+ * @return
+ * @return
+ * @throws HiveAuthzPluginException
+ */
+ public static List getValidatedPrincipals(List hivePrincipals)
+ throws HiveAuthzPluginException {
+ ListIterator it = hivePrincipals.listIterator();
+ while(it.hasNext()){
+ it.set(getValidatedPrincipal(it.next()));
+ }
+ return hivePrincipals;
+ }
+
 }
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerWrapper.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerWrapper.java
new file mode 100644
index 0000000..29c1034
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerWrapper.java
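Review bot: `hPrincipal.getName().toLowerCase()` in the ROLE case uses the JVM default locale, so the same role name can normalize differently on hosts with different locales (under a Turkish default locale `ADMIN` lower-cases to `admın` with a dotless i, which is not the built-in `admin` role); the file already imports `java.util.Locale`, so use `toLowerCase(Locale.ROOT)` here and keep the wrapper's role-name lower-casing in step with it. The guard covers a null principal and a null type but not a null name, so a ROLE principal without a name throws NPE rather than the plugin exception; add `if (hPrincipal.getName() == null) throw new HiveAuthzPluginException("Role name is null in principal " + hPrincipal);` before the `switch`. `getValidatedPrincipals` rewrites the caller's list in place through `ListIterator.set`, which throws `UnsupportedOperationException` for an unmodifiable list and mutates a list the caller may still hold; building and returning a new list avoids both. The duplicated `@return` in its Javadoc should be removed, and the `List`/`ListIterator` types should carry their `HivePrincipal` type argument if they do not already (the generics may have been stripped by rendering).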
@@ -0,0 +1,193 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
+
+import java.util.List;
+import java.util.ListIterator;
+
+import org.apache.hadoop.classification.InterfaceAudience.Private;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessController;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
+
+/**
+ * Wrapper for {@link SQLStdHiveAccessController} that does validation of
+ * arguments and then calls the real object. Doing the validation in this
+ * separate class, so that the chances of missing any validation is small.
+ *
+ * Validations/Conversions to be done
+ * 1. Call SQLAuthorizationUtils.getValidatedPrincipals on HivePrincipal to validate and
+ * update
+ * 2. Convert roleName to lower case
+ *
+ */
+
+@Private
+public class SQLStdHiveAccessControllerWrapper implements HiveAccessController {
+
+ private final SQLStdHiveAccessController hiveAccessController;
+
+ public SQLStdHiveAccessControllerWrapper(HiveMetastoreClientFactory metastoreClientFactory,
+ HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx)
+ throws HiveAuthzPluginException {
+ this.hiveAccessController = new SQLStdHiveAccessController(metastoreClientFactory, conf,
+ authenticator, ctx);
+ }
+
+ @Override
+ public void grantPrivileges(List hivePrincipals,
+ List hivePrivileges, HivePrivilegeObject hivePrivObject,
+ HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
+ HiveAccessControlException {
+ // validate principals
+ hivePrincipals = SQLAuthorizationUtils.getValidatedPrincipals(hivePrincipals);
+ grantorPrincipal = SQLAuthorizationUtils.getValidatedPrincipal(grantorPrincipal);
+
+ hiveAccessController.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
+ grantorPrincipal, grantOption);
+
+ }
+
+ @Override
+ public void revokePrivileges(List hivePrincipals,
+ List hivePrivileges, HivePrivilegeObject hivePrivObject,
+ HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
+ HiveAccessControlException {
+ // validate principals
+ hivePrincipals = SQLAuthorizationUtils.getValidatedPrincipals(hivePrincipals);
+ grantorPrincipal = SQLAuthorizationUtils.getValidatedPrincipal(grantorPrincipal);
+
hiveAccessController.revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
+ grantorPrincipal, grantOption);
+ }
+
+ @Override
+ public void createRole(String roleName, HivePrincipal adminGrantor)
+ throws HiveAuthzPluginException, HiveAccessControlException {
+ // validate principals
+ roleName = roleName.toLowerCase();
+ adminGrantor = SQLAuthorizationUtils.getValidatedPrincipal(adminGrantor);
+
+ hiveAccessController.createRole(roleName, adminGrantor);
+ }
+
+ @Override
+ public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
+ // lower case roleName
+ roleName = roleName.toLowerCase();
+
+ hiveAccessController.dropRole(roleName);
+ }
+
+ @Override
+ public void grantRole(List hivePrincipals, List roles,
+ boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
+ HiveAccessControlException {
+ // validate principals
+ hivePrincipals = SQLAuthorizationUtils.getValidatedPrincipals(hivePrincipals);
+ roles = getLowerCaseRoleNames(roles);
+ grantorPrinc = SQLAuthorizationUtils.getValidatedPrincipal(grantorPrinc);
+
+ hiveAccessController.grantRole(hivePrincipals, roles, grantOption, grantorPrinc);
+ }
+
+ @Override
+ public void revokeRole(List hivePrincipals, List roles,
+ boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
+ HiveAccessControlException {
+ // validate
+ hivePrincipals = SQLAuthorizationUtils.getValidatedPrincipals(hivePrincipals);
+ roles = getLowerCaseRoleNames(roles);
+ grantorPrinc = SQLAuthorizationUtils.getValidatedPrincipal(grantorPrinc);
+
+ hiveAccessController.revokeRole(hivePrincipals, roles, grantOption, grantorPrinc);
+ }
+
+ @Override
+ public List getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
+ return hiveAccessController.getAllRoles();
+ }
+
+ @Override
+ public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
+ throws HiveAuthzPluginException,
HiveAccessControlException {
+ // validate
+ principal = SQLAuthorizationUtils.getValidatedPrincipal(principal);
+
+ return hiveAccessController.showPrivileges(principal, privObj);
+ }
+
+ @Override
+ public void setCurrentRole(String roleName) throws HiveAuthzPluginException,
+ HiveAccessControlException {
+ // validate
+ roleName = roleName.toLowerCase();
+
+ hiveAccessController.setCurrentRole(roleName);
+ }
+
+ @Override
+ public List getCurrentRoleNames() throws HiveAuthzPluginException {
+ return hiveAccessController.getCurrentRoleNames();
+ }
+
+ @Override
+ public List getPrincipalGrantInfoForRole(String roleName)
+ throws HiveAuthzPluginException, HiveAccessControlException {
+ // validate
+ roleName = roleName.toLowerCase();
+
+ return hiveAccessController.getPrincipalGrantInfoForRole(roleName);
+ }
+
+ @Override
+ public List getRoleGrantInfoForPrincipal(HivePrincipal principal)
+ throws HiveAuthzPluginException, HiveAccessControlException {
+ // validate
+ principal = SQLAuthorizationUtils.getValidatedPrincipal(principal);
+
+ return hiveAccessController.getRoleGrantInfoForPrincipal(principal);
+ }
+
+ @Override
+ public void applyAuthorizationConfigPolicy(HiveConf hiveConf) {
+ hiveAccessController.applyAuthorizationConfigPolicy(hiveConf);
+ }
+
+ public boolean isUserAdmin() throws HiveAuthzPluginException {
+ return hiveAccessController.isUserAdmin();
+ }
+
+ private List getLowerCaseRoleNames(List roles) {
+ ListIterator roleIter = roles.listIterator();
+ while (roleIter.hasNext()) {
+ roleIter.set(roleIter.next().toLowerCase());
+ }
+ return roles;
+ }
+
+}
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
index 9ceac0c..4555a71 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
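Review bot: `roleName.toLowerCase()` in `createRole`, `dropRole`, `setCurrentRole`, `getPrincipalGrantInfoForRole` and `getLowerCaseRoleNames` uses the JVM default locale and throws NPE on a null role name, and `getLowerCaseRoleNames` rewrites the caller's list in place via `ListIterator.set`, which fails with `UnsupportedOperationException` on an unmodifiable list and silently mutates a list the caller may still use. Since this class exists so that no normalization is missed, funnel every role name through a single helper that is locale-independent (`Locale.ROOT`), rejects null with a `HiveAuthzPluginException`, and returns a fresh list; `SQLAuthorizationUtils.getValidatedPrincipal` must normalize the same way, or a ROLE principal's name and the role names passed to `grantRole` could disagree for the same role. `isUserAdmin()` is the only public method without `@Override`; if it is not part of `HiveAccessController`, a comment noting that the validator calls it on the wrapper type would explain why it is here. The sketch below replaces `getLowerCaseRoleNames`, and each `roleName = roleName.toLowerCase();` becomes `roleName = normalizeRoleName(roleName);`; it needs `java.util.ArrayList` and `java.util.Locale` added to the imports.
```java
  private static String normalizeRoleName(String roleName) throws HiveAuthzPluginException {
    if (roleName == null) {
      throw new HiveAuthzPluginException("Role name cannot be null");
    }
    // Locale.ROOT: a role's identity must not depend on the JVM default locale
    return roleName.toLowerCase(Locale.ROOT);
  }

  private static List<String> getLowerCaseRoleNames(List<String> roles)
      throws HiveAuthzPluginException {
    // build a new list so a caller-supplied (possibly unmodifiable) list is left untouched
    List<String> lowerCased = new ArrayList<String>(roles.size());
    for (String role : roles) {
      lowerCased.add(normalizeRoleName(role));
    }
    return lowerCased;
  }
  // … unchanged: delegating methods, each now calling normalizeRoleName(roleName) before delegating …
```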
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java @@ -43,17 +43,17 @@ private final HiveMetastoreClientFactory metastoreClientFactory; private final HiveConf conf; private final HiveAuthenticationProvider authenticator; - private final SQLStdHiveAccessController privController; + private final SQLStdHiveAccessControllerWrapper privController; public static final Log LOG = LogFactory.getLog(SQLStdHiveAuthorizationValidator.class); public SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, HiveAuthenticationProvider authenticator, - SQLStdHiveAccessController privController) { + SQLStdHiveAccessControllerWrapper privilegeManager) { this.metastoreClientFactory = metastoreClientFactory; this.conf = conf; this.authenticator = authenticator; - this.privController = privController; + this.privController = privilegeManager; } @Override diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java index 9db3d74..de5dacc 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java 
@@ -32,8 +32,8 @@ @Override public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws HiveAuthzPluginException { - SQLStdHiveAccessController privilegeManager = - new SQLStdHiveAccessController(metastoreClientFactory, conf, authenticator, ctx); + SQLStdHiveAccessControllerWrapper privilegeManager = + new SQLStdHiveAccessControllerWrapper(metastoreClientFactory, conf, authenticator, ctx); return new HiveAuthorizerImpl( privilegeManager, new SQLStdHiveAuthorizationValidator(metastoreClientFactory, conf, authenticator, diff --git a/ql/src/test/queries/clientnegative/authorization_grant_group.q b/ql/src/test/queries/clientnegative/authorization_grant_group.q new file mode 100644 index 0000000..0325508 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_grant_group.q @@ -0,0 +1,11 @@ +set hive.test.authz.sstd.hs2.mode=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; + +set user.name=user1; +-- current user has been set (comment line before the set cmd is resulting in parse error!!) + +CREATE TABLE table_gg(i int); + +-- grant insert on group should fail +GRANT INSERT ON table_gg TO group g1; diff --git a/ql/src/test/queries/clientnegative/authorization_public_create.q b/ql/src/test/queries/clientnegative/authorization_public_create.q index 002389f..8298ce9 100644 --- a/ql/src/test/queries/clientnegative/authorization_public_create.q +++ b/ql/src/test/queries/clientnegative/authorization_public_create.q @@ -1 +1 @@ -create role PUBLIC; +create role public; 
diff --git a/ql/src/test/queries/clientnegative/authorization_public_drop.q b/ql/src/test/queries/clientnegative/authorization_public_drop.q index 69c5a8d..7e89f6e 100644 --- a/ql/src/test/queries/clientnegative/authorization_public_drop.q +++ b/ql/src/test/queries/clientnegative/authorization_public_drop.q @@ -1 +1 @@ -drop role PUBLIC; +drop role public; diff --git a/ql/src/test/queries/clientnegative/authorization_role_case.q b/ql/src/test/queries/clientnegative/authorization_role_case.q new file mode 100644 index 0000000..339239a --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_role_case.q @@ -0,0 +1,10 @@ +create role mixCaseRole1; +create role mixCaseRole2; + +show roles; + + +create table t1(i int); +grant SELECT on table t1 to role mixCaseRole1; +-- grant with wrong case should fail with legacy auth +grant UPDATE on table t1 to role mixcaserole2; diff --git a/ql/src/test/queries/clientnegative/authorize_grant_public.q b/ql/src/test/queries/clientnegative/authorize_grant_public.q index bfd3165..e024b50 100644 --- a/ql/src/test/queries/clientnegative/authorize_grant_public.q +++ b/ql/src/test/queries/clientnegative/authorize_grant_public.q @@ -1 +1 @@ -grant role PUBLIC to user hive_test_user; +grant role public to user hive_test_user; diff --git a/ql/src/test/queries/clientnegative/authorize_revoke_public.q b/ql/src/test/queries/clientnegative/authorize_revoke_public.q index 2b29822..dadd424 100644 --- a/ql/src/test/queries/clientnegative/authorize_revoke_public.q +++ b/ql/src/test/queries/clientnegative/authorize_revoke_public.q @@ -1 +1 @@ -revoke role PUBLIC from user hive_test_user; +revoke role public from user hive_test_user; diff --git a/ql/src/test/queries/clientpositive/authorization_1.q b/ql/src/test/queries/clientpositive/authorization_1.q index 25c9918..d5fd2ec 100644 --- a/ql/src/test/queries/clientpositive/authorization_1.q +++ b/ql/src/test/queries/clientpositive/authorization_1.q 
@@ -57,33 +57,33 @@ show grant group hive_test_group1 on table src_autho_test; show grant group hive_test_group1 on table src_autho_test(key); --role -create role src_role; -grant role src_role to user hive_test_user; +create role sRc_roLE; +grant role sRc_roLE to user hive_test_user; show role grant user hive_test_user; --column grant to role -grant select(key) on table src_autho_test to role src_role; +grant select(key) on table src_autho_test to role sRc_roLE; -show grant role src_role on table src_autho_test; -show grant role src_role on table src_autho_test(key); +show grant role sRc_roLE on table src_autho_test; +show grant role sRc_roLE on table src_autho_test(key); select key from src_autho_test order by key limit 20; -revoke select(key) on table src_autho_test from role src_role; +revoke select(key) on table src_autho_test from role sRc_roLE; --table grant to role -grant select on table src_autho_test to role src_role; +grant select on table src_autho_test to role sRc_roLE; select key from src_autho_test order by key limit 20; -show grant role src_role on table src_autho_test; -show grant role src_role on table src_autho_test(key); -revoke select on table src_autho_test from role src_role; +show grant role sRc_roLE on table src_autho_test; +show grant role sRc_roLE on table src_autho_test(key); +revoke select on table src_autho_test from role sRc_roLE; -- drop role -drop role src_role; +drop role sRc_roLE; set hive.security.authorization.enabled=false; drop table src_autho_test; \ No newline at end of file diff --git a/ql/src/test/queries/clientpositive/authorization_5.q b/ql/src/test/queries/clientpositive/authorization_5.q index 8869edc..fec27b4 100644 --- a/ql/src/test/queries/clientpositive/authorization_5.q +++ b/ql/src/test/queries/clientpositive/authorization_5.q 
@@ -8,13 +8,13 @@ GRANT select ON DATABASE test_db TO USER hive_test_user; SHOW GRANT USER hive_test_user ON DATABASE test_db; -CREATE ROLE db_test_role; -GRANT ROLE db_test_role TO USER hive_test_user; +CREATE ROLE db_TEST_Role; +GRANT ROLE db_TEST_Role TO USER hive_test_user; SHOW ROLE GRANT USER hive_test_user; -GRANT drop ON DATABASE test_db TO ROLE db_test_role; -GRANT select ON DATABASE test_db TO ROLE db_test_role; +GRANT drop ON DATABASE test_db TO ROLE db_TEST_Role; +GRANT select ON DATABASE test_db TO ROLE db_TEST_Role; -SHOW GRANT ROLE db_test_role ON DATABASE test_db; +SHOW GRANT ROLE db_TEST_Role ON DATABASE test_db; DROP DATABASE IF EXISTS test_db; diff --git a/ql/src/test/queries/clientpositive/authorization_grant_public_role.q b/ql/src/test/queries/clientpositive/authorization_grant_public_role.q index fe177ac..8f5d762 100644 --- a/ql/src/test/queries/clientpositive/authorization_grant_public_role.q +++ b/ql/src/test/queries/clientpositive/authorization_grant_public_role.q @@ -9,10 +9,10 @@ CREATE TABLE t_gpr1(i int); -- all privileges should have been set for user -GRANT ALL ON t_gpr1 TO ROLE public; +GRANT ALL ON t_gpr1 TO ROLE pubLic; SHOW GRANT USER user1 ON TABLE t_gpr1; -SHOW GRANT ROLE public ON TABLE t_gpr1; +SHOW GRANT ROLE pubLic ON TABLE t_gpr1; set user.name=user2; SHOW CURRENT ROLES; diff --git a/ql/src/test/queries/clientpositive/authorization_role_grant2.q b/ql/src/test/queries/clientpositive/authorization_role_grant2.q index 95fa4e6..59359a7 100644 --- a/ql/src/test/queries/clientpositive/authorization_role_grant2.q +++ b/ql/src/test/queries/clientpositive/authorization_role_grant2.q @@ -31,7 +31,7 @@ set user.name=user2; grant src_role_wadmin to role sRc_role2; set user.name=hive_admin_user; -set role ADMIN; +set role ADMIn; grant src_role2 to user user3; set user.name=user3; 
diff --git a/ql/src/test/results/clientnegative/authorization_grant_group.q.out b/ql/src/test/results/clientnegative/authorization_grant_group.q.out new file mode 100644 index 0000000..8a96719 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_grant_group.q.out @@ -0,0 +1,17 @@ +PREHOOK: query: -- current user has been set (comment line before the set cmd is resulting in parse error!!) + +CREATE TABLE table_gg(i int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +PREHOOK: Output: default@table_gg +POSTHOOK: query: -- current user has been set (comment line before the set cmd is resulting in parse error!!) + +CREATE TABLE table_gg(i int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@table_gg +PREHOOK: query: -- grant insert on group should fail +GRANT INSERT ON table_gg TO group g1 +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@table_gg +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Invalid principal type in principal Principal [name=g1, type=GROUP] diff --git a/ql/src/test/results/clientnegative/authorization_public_create.q.out b/ql/src/test/results/clientnegative/authorization_public_create.q.out index 4c9a2ad..f936dce 100644 --- a/ql/src/test/results/clientnegative/authorization_public_create.q.out +++ b/ql/src/test/results/clientnegative/authorization_public_create.q.out @@ -1,3 +1,3 @@ -PREHOOK: query: create role PUBLIC +PREHOOK: query: create role public PREHOOK: type: CREATEROLE FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:public role implictly exists. It can't be created.) diff --git a/ql/src/test/results/clientnegative/authorization_public_drop.q.out b/ql/src/test/results/clientnegative/authorization_public_drop.q.out index 520b56e..6aaa1ff 100644 --- a/ql/src/test/results/clientnegative/authorization_public_drop.q.out 
+++ b/ql/src/test/results/clientnegative/authorization_public_drop.q.out @@ -1,3 +1,3 @@ -PREHOOK: query: drop role PUBLIC +PREHOOK: query: drop role public PREHOOK: type: DROPROLE FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:public,admin roles can't be dropped.) diff --git a/ql/src/test/results/clientnegative/authorization_role_case.q.out b/ql/src/test/results/clientnegative/authorization_role_case.q.out new file mode 100644 index 0000000..e254783 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_role_case.q.out 
@@ -0,0 +1,36 @@ +PREHOOK: query: create role mixCaseRole1 +PREHOOK: type: CREATEROLE +POSTHOOK: query: create role mixCaseRole1 +POSTHOOK: type: CREATEROLE +PREHOOK: query: create role mixCaseRole2 +PREHOOK: type: CREATEROLE +POSTHOOK: query: create role mixCaseRole2 +POSTHOOK: type: CREATEROLE +PREHOOK: query: show roles +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: show roles +POSTHOOK: type: SHOW_ROLES +admin +mixCaseRole1 +mixCaseRole2 +public + +PREHOOK: query: create table t1(i int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +PREHOOK: Output: default@t1 +POSTHOOK: query: create table t1(i int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@t1 +PREHOOK: query: grant SELECT on table t1 to role mixCaseRole1 +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@t1 +POSTHOOK: query: grant SELECT on table t1 to role mixCaseRole1 +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@t1 +PREHOOK: query: -- grant with wrong case should fail with legacy auth +grant UPDATE on table t1 to role mixcaserole2 +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@t1 +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: java.lang.RuntimeException: NoSuchObjectException(message:Role mixcaserole2 does not exist) diff --git a/ql/src/test/results/clientnegative/authorize_grant_public.q.out b/ql/src/test/results/clientnegative/authorize_grant_public.q.out index ef4a1b1..eeed219 100644 --- a/ql/src/test/results/clientnegative/authorize_grant_public.q.out +++ b/ql/src/test/results/clientnegative/authorize_grant_public.q.out 
@@ -1,3 +1,3 @@ -PREHOOK: query: grant role PUBLIC to user hive_test_user +PREHOOK: query: grant role public to user hive_test_user PREHOOK: type: GRANT_ROLE FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:No user can be added to public. Since all users implictly belong to public role.) diff --git a/ql/src/test/results/clientnegative/authorize_revoke_public.q.out b/ql/src/test/results/clientnegative/authorize_revoke_public.q.out index 618fedd..ede7487 100644 --- a/ql/src/test/results/clientnegative/authorize_revoke_public.q.out +++ b/ql/src/test/results/clientnegative/authorize_revoke_public.q.out @@ -1,3 +1,3 @@ -PREHOOK: query: revoke role PUBLIC from user hive_test_user +PREHOOK: query: revoke role public from user hive_test_user PREHOOK: type: REVOKE_ROLE FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:public role can't be revoked.) diff --git a/ql/src/test/results/clientpositive/authorization_1.q.out b/ql/src/test/results/clientpositive/authorization_1.q.out index dac0820..8f24128 100644 --- a/ql/src/test/results/clientpositive/authorization_1.q.out +++ b/ql/src/test/results/clientpositive/authorization_1.q.out 
@@ -254,40 +254,40 @@ PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant group hive_test_group1 on table src_autho_test(key)
 POSTHOOK: type: SHOW_GRANT
 PREHOOK: query: --role
-create role src_role
+create role sRc_roLE
 PREHOOK: type: CREATEROLE
 POSTHOOK: query: --role
-create role src_role
+create role sRc_roLE
 POSTHOOK: type: CREATEROLE
-PREHOOK: query: grant role src_role to user hive_test_user
+PREHOOK: query: grant role sRc_roLE to user hive_test_user
 PREHOOK: type: GRANT_ROLE
-POSTHOOK: query: grant role src_role to user hive_test_user
+POSTHOOK: query: grant role sRc_roLE to user hive_test_user
 POSTHOOK: type: GRANT_ROLE
 PREHOOK: query: show role grant user hive_test_user
 PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: show role grant user hive_test_user
 POSTHOOK: type: SHOW_ROLE_GRANT
 public false -1
-src_role false -1 hive_test_user
+sRc_roLE false -1 hive_test_user
 PREHOOK: query: --column grant to role
-grant select(key) on table src_autho_test to role src_role
+grant select(key) on table src_autho_test to role sRc_roLE
 PREHOOK: type: GRANT_PRIVILEGE
 PREHOOK: Output: default@src_autho_test
 POSTHOOK: query: --column grant to role
-grant select(key) on table src_autho_test to role src_role
+grant select(key) on table src_autho_test to role sRc_roLE
 POSTHOOK: type: GRANT_PRIVILEGE
 POSTHOOK: Output: default@src_autho_test
-PREHOOK: query: show grant role src_role on table src_autho_test
+PREHOOK: query: show grant role sRc_roLE on table src_autho_test
 PREHOOK: type: SHOW_GRANT
-POSTHOOK: query: show grant role src_role on table src_autho_test
+POSTHOOK: query: show grant role sRc_roLE on table src_autho_test
 POSTHOOK: type: SHOW_GRANT
-PREHOOK: query: show grant role src_role on table src_autho_test(key)
+PREHOOK: query: show grant role sRc_roLE on table src_autho_test(key)
 PREHOOK: type: SHOW_GRANT
-POSTHOOK: query: show grant role src_role on table src_autho_test(key)
+POSTHOOK: query: show grant role sRc_roLE on table src_autho_test(key)
 POSTHOOK: type: SHOW_GRANT
-default src_autho_test [key] src_role ROLE SELECT false -1 hive_test_user
+default src_autho_test [key] sRc_roLE ROLE SELECT false -1 hive_test_user
 PREHOOK: query: select key from src_autho_test order by key limit 20
 PREHOOK: type: QUERY
 PREHOOK: Input: default@src_autho_test
@@ -316,20 +316,20 @@ POSTHOOK: Input: default@src_autho_test
 118
 118
 119
-PREHOOK: query: revoke select(key) on table src_autho_test from role src_role
+PREHOOK: query: revoke select(key) on table src_autho_test from role sRc_roLE
 PREHOOK: type: REVOKE_PRIVILEGE
 PREHOOK: Output: default@src_autho_test
-POSTHOOK: query: revoke select(key) on table src_autho_test from role src_role
+POSTHOOK: query: revoke select(key) on table src_autho_test from role sRc_roLE
 POSTHOOK: type: REVOKE_PRIVILEGE
 POSTHOOK: Output: default@src_autho_test
 PREHOOK: query: --table grant to role
-grant select on table src_autho_test to role src_role
+grant select on table src_autho_test to role sRc_roLE
 PREHOOK: type: GRANT_PRIVILEGE
 PREHOOK: Output: default@src_autho_test
 POSTHOOK: query: --table grant to role
-grant select on table src_autho_test to role src_role
+grant select on table src_autho_test to role sRc_roLE
 POSTHOOK: type: GRANT_PRIVILEGE
 POSTHOOK: Output: default@src_autho_test
 PREHOOK: query: select key from src_autho_test order by key limit 20
@@ -360,26 +360,26 @@ POSTHOOK: Input: default@src_autho_test
 118
 118
 119
-PREHOOK: query: show grant role src_role on table src_autho_test
+PREHOOK: query: show grant role sRc_roLE on table src_autho_test
 PREHOOK: type: SHOW_GRANT
-POSTHOOK: query: show grant role src_role on table src_autho_test
+POSTHOOK: query: show grant role sRc_roLE on table src_autho_test
 POSTHOOK: type: SHOW_GRANT
-default src_autho_test src_role ROLE SELECT false -1 hive_test_user
-PREHOOK: query: show grant role src_role on table src_autho_test(key)
+default src_autho_test sRc_roLE ROLE SELECT false -1 hive_test_user
+PREHOOK: query: show grant role sRc_roLE on table src_autho_test(key)
 PREHOOK: type: SHOW_GRANT
-POSTHOOK: query: show grant role src_role on table src_autho_test(key)
+POSTHOOK: query: show grant role sRc_roLE on table src_autho_test(key)
 POSTHOOK: type: SHOW_GRANT
-PREHOOK: query: revoke select on table src_autho_test from role src_role
+PREHOOK: query: revoke select on table src_autho_test from role sRc_roLE
 PREHOOK: type: REVOKE_PRIVILEGE
 PREHOOK: Output: default@src_autho_test
-POSTHOOK: query: revoke select on table src_autho_test from role src_role
+POSTHOOK: query: revoke select on table src_autho_test from role sRc_roLE
 POSTHOOK: type: REVOKE_PRIVILEGE
 POSTHOOK: Output: default@src_autho_test
 PREHOOK: query: -- drop role
-drop role src_role
+drop role sRc_roLE
 PREHOOK: type: DROPROLE
 POSTHOOK: query: -- drop role
-drop role src_role
+drop role sRc_roLE
 POSTHOOK: type: DROPROLE
 PREHOOK: query: drop table src_autho_test
 PREHOOK: type: DROPTABLE
diff --git a/ql/src/test/results/clientpositive/authorization_5.q.out b/ql/src/test/results/clientpositive/authorization_5.q.out
index 6e5187e..7917dba 100644
--- a/ql/src/test/results/clientpositive/authorization_5.q.out
+++ b/ql/src/test/results/clientpositive/authorization_5.q.out
@@ -28,34 +28,34 @@ POSTHOOK: query: SHOW GRANT USER hive_test_user ON DATABASE test_db
 POSTHOOK: type: SHOW_GRANT
 test_db hive_test_user USER DROP false -1 hive_test_user
 test_db hive_test_user USER SELECT false -1 hive_test_user
-PREHOOK: query: CREATE ROLE db_test_role
+PREHOOK: query: CREATE ROLE db_TEST_Role
 PREHOOK: type: CREATEROLE
-POSTHOOK: query: CREATE ROLE db_test_role
+POSTHOOK: query: CREATE ROLE db_TEST_Role
 POSTHOOK: type: CREATEROLE
-PREHOOK: query: GRANT ROLE db_test_role TO USER hive_test_user
+PREHOOK: query: GRANT ROLE db_TEST_Role TO USER hive_test_user
 PREHOOK: type: GRANT_ROLE
-POSTHOOK: query: GRANT ROLE db_test_role TO USER hive_test_user
+POSTHOOK: query: GRANT ROLE db_TEST_Role TO USER hive_test_user
 POSTHOOK: type: GRANT_ROLE
 PREHOOK: query: SHOW ROLE GRANT USER hive_test_user
 PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: SHOW ROLE GRANT USER hive_test_user
 POSTHOOK: type: SHOW_ROLE_GRANT
-db_test_role false -1 hive_test_user
+db_TEST_Role false -1 hive_test_user
 public false -1
-PREHOOK: query: GRANT drop ON DATABASE test_db TO ROLE db_test_role
+PREHOOK: query: GRANT drop ON DATABASE test_db TO ROLE db_TEST_Role
 PREHOOK: type: GRANT_PRIVILEGE
-POSTHOOK: query: GRANT drop ON DATABASE test_db TO ROLE db_test_role
+POSTHOOK: query: GRANT drop ON DATABASE test_db TO ROLE db_TEST_Role
 POSTHOOK: type: GRANT_PRIVILEGE
-PREHOOK: query: GRANT select ON DATABASE test_db TO ROLE db_test_role
+PREHOOK: query: GRANT select ON DATABASE test_db TO ROLE db_TEST_Role
 PREHOOK: type: GRANT_PRIVILEGE
-POSTHOOK: query: GRANT select ON DATABASE test_db TO ROLE db_test_role
+POSTHOOK: query: GRANT select ON DATABASE test_db TO ROLE db_TEST_Role
 POSTHOOK: type: GRANT_PRIVILEGE
-PREHOOK: query: SHOW GRANT ROLE db_test_role ON DATABASE test_db
+PREHOOK: query: SHOW GRANT ROLE db_TEST_Role ON DATABASE test_db
 PREHOOK: type: SHOW_GRANT
-POSTHOOK: query: SHOW GRANT ROLE db_test_role ON DATABASE test_db
+POSTHOOK: query: SHOW GRANT ROLE db_TEST_Role ON DATABASE test_db
 POSTHOOK: type: SHOW_GRANT
-test_db db_test_role ROLE DROP false -1 hive_test_user
-test_db db_test_role ROLE SELECT false -1 hive_test_user
+test_db db_TEST_Role ROLE DROP false -1 hive_test_user
+test_db db_TEST_Role ROLE SELECT false -1 hive_test_user
 PREHOOK: query: DROP DATABASE IF EXISTS test_db
 PREHOOK: type: DROPDATABASE
 PREHOOK: Input: database:test_db
diff --git a/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out b/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out
index 17b6c8a..2b7b3ad 100644
--- a/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out
+++ b/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out
@@ -12,12 +12,12 @@ POSTHOOK: Output: database:default
 POSTHOOK: Output: default@t_gpr1
 PREHOOK: query: -- all privileges should have been set for user
-GRANT ALL ON t_gpr1 TO ROLE public
+GRANT ALL ON t_gpr1 TO ROLE pubLic
 PREHOOK: type: GRANT_PRIVILEGE
 PREHOOK: Output: default@t_gpr1
 POSTHOOK: query: -- all privileges should have been set for user
-GRANT ALL ON t_gpr1 TO ROLE public
+GRANT ALL ON t_gpr1 TO ROLE pubLic
 POSTHOOK: type: GRANT_PRIVILEGE
 POSTHOOK: Output: default@t_gpr1
 PREHOOK: query: SHOW GRANT USER user1 ON TABLE t_gpr1
@@ -28,9 +28,9 @@ default t_gpr1 user1 USER DELETE true -1 user1
 default t_gpr1 user1 USER INSERT true -1 user1
 default t_gpr1 user1 USER SELECT true -1 user1
 default t_gpr1 user1 USER UPDATE true -1 user1
-PREHOOK: query: SHOW GRANT ROLE public ON TABLE t_gpr1
+PREHOOK: query: SHOW GRANT ROLE pubLic ON TABLE t_gpr1
 PREHOOK: type: SHOW_GRANT
-POSTHOOK: query: SHOW GRANT ROLE public ON TABLE t_gpr1
+POSTHOOK: query: SHOW GRANT ROLE pubLic ON TABLE t_gpr1
 POSTHOOK: type: SHOW_GRANT
 default t_gpr1 public ROLE DELETE false -1 user1
 default t_gpr1 public ROLE INSERT false -1 user1
diff --git a/ql/src/test/results/clientpositive/authorization_role_grant2.q.out b/ql/src/test/results/clientpositive/authorization_role_grant2.q.out
index 56e7667..27d4f33 100644
--- a/ql/src/test/results/clientpositive/authorization_role_grant2.q.out
+++ b/ql/src/test/results/clientpositive/authorization_role_grant2.q.out
@@ -60,9 +60,9 @@ PREHOOK: type: GRANT_ROLE
 POSTHOOK: query: -- grant role to another role
 grant src_role_wadmin to role sRc_role2
 POSTHOOK: type: GRANT_ROLE
-PREHOOK: query: set role ADMIN
+PREHOOK: query: set role ADMIn
 PREHOOK: type: SHOW_ROLES
-POSTHOOK: query: set role ADMIN
+POSTHOOK: query: set role ADMIn
 POSTHOOK: type: SHOW_ROLES
 PREHOOK: query: grant src_role2 to user user3
 PREHOOK: type: GRANT_ROLE