diff --git ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g
index 25cd3a5..714e7d1 100644
--- ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g
+++ ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g
@@ -1530,8 +1530,8 @@ principalSpecification
 principalName
 @init {pushMsg("user|group|role name", state);}
 @after {popMsg(state);}
- : KW_USER identifier -> ^(TOK_USER identifier)
- | KW_GROUP identifier -> ^(TOK_GROUP identifier)
+ : KW_USER principalIdentifier -> ^(TOK_USER principalIdentifier)
+ | KW_GROUP principalIdentifier -> ^(TOK_GROUP principalIdentifier)
 | KW_ROLE identifier -> ^(TOK_ROLE identifier)
 ;
diff --git ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g
index 34d2dfc..13d5255 100644
--- ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g
+++ ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g
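Review bot: In `principalName` (HiveParser.g) the `KW_ROLE` alternative still takes `identifier` while `KW_USER` and `KW_GROUP` now take `principalIdentifier`, so the three principal kinds no longer accept the same name syntax and nothing in the rule says why. If the split is deliberate (presumably because role names are created inside Hive while user and group names come from an external directory), it should be recorded on the rule, for example `// USER and GROUP names come from the external identity source and may need quoting; ROLE names are Hive identifiers.` If it is not deliberate, the role alternative should use the same rule so that GRANT, REVOKE and SHOW treat all principals alike. Other grammar rules that take a principal name are outside this hunk and may need the same review.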
@@ -536,6 +536,13 @@ functionIdentifier identifier ; +principalIdentifier +@init { gParent.pushMsg("identifier for principal spec", state); } +@after { gParent.popMsg(state); } + : identifier + | QuotedIdentifier + ; + nonReserved : KW_TRUE | KW_FALSE | KW_LIKE | KW_EXISTS | KW_ASC | KW_DESC | KW_ORDER | KW_GROUP | KW_BY | KW_AS | KW_INSERT | KW_OVERWRITE | KW_OUTER | KW_LEFT | KW_RIGHT | KW_FULL | KW_PARTITION | KW_PARTITIONS | KW_TABLE | KW_TABLES | KW_COLUMNS | KW_INDEX | KW_INDEXES | KW_REBUILD | KW_FUNCTIONS | KW_SHOW | KW_MSCK | KW_REPAIR | KW_DIRECTORY | KW_LOCAL | KW_USING | KW_CLUSTER | KW_DISTRIBUTE | KW_SORT | KW_UNION | KW_LOAD | KW_EXPORT | KW_IMPORT | KW_DATA | KW_INPATH | KW_IS | KW_NULL | KW_CREATE | KW_EXTERNAL | KW_ALTER | KW_CHANGE | KW_FIRST | KW_AFTER | KW_DESCRIBE | KW_DROP | KW_RENAME | KW_IGNORE | KW_PROTECTION | KW_TO | KW_COMMENT | KW_BOOLEAN | KW_TINYINT | KW_SMALLINT | KW_INT | KW_BIGINT | KW_FLOAT | KW_DOUBLE | KW_DATE | KW_DATETIME | KW_TIMESTAMP | KW_DECIMAL | KW_STRING | KW_ARRAY | KW_STRUCT | KW_UNIONTYPE | KW_PARTITIONED | KW_CLUSTERED | KW_SORTED | KW_INTO | KW_BUCKETS | KW_ROW | KW_ROWS | KW_FORMAT | KW_DELIMITED | KW_FIELDS | KW_TERMINATED | KW_ESCAPED | KW_COLLECTION | KW_ITEMS | KW_KEYS | KW_KEY_TYPE | KW_LINES | KW_STORED | KW_FILEFORMAT | KW_INPUTFORMAT | KW_OUTPUTFORMAT | KW_INPUTDRIVER | KW_OUTPUTDRIVER | KW_OFFLINE | KW_ENABLE | KW_DISABLE | KW_READONLY | KW_NO_DROP | KW_LOCATION | KW_BUCKET | KW_OUT | KW_OF | KW_PERCENT | KW_ADD | KW_REPLACE | KW_RLIKE | KW_REGEXP | KW_TEMPORARY | KW_EXPLAIN | KW_FORMATTED | KW_PRETTY | KW_DEPENDENCY | KW_LOGICAL | KW_SERDE | KW_WITH | KW_DEFERRED | KW_SERDEPROPERTIES | KW_DBPROPERTIES | KW_LIMIT | KW_SET | KW_UNSET | KW_TBLPROPERTIES | KW_IDXPROPERTIES | KW_VALUE_TYPE | KW_ELEM_TYPE | KW_MAPJOIN | KW_STREAMTABLE | KW_HOLD_DDLTIME | KW_CLUSTERSTATUS | KW_UTC | KW_UTCTIMESTAMP | KW_LONG | KW_DELETE | KW_PLUS | KW_MINUS | KW_FETCH | KW_INTERSECT | KW_VIEW | KW_IN | KW_DATABASES | 
KW_MATERIALIZED | KW_SCHEMA | KW_SCHEMAS | KW_GRANT | KW_REVOKE | KW_SSL | KW_UNDO | KW_LOCK | KW_LOCKS | KW_UNLOCK | KW_SHARED | KW_EXCLUSIVE | KW_PROCEDURE | KW_UNSIGNED | KW_WHILE | KW_READ | KW_READS | KW_PURGE | KW_RANGE | KW_ANALYZE | KW_BEFORE | KW_BETWEEN | KW_BOTH | KW_BINARY | KW_CONTINUE | KW_CURSOR | KW_TRIGGER | KW_RECORDREADER | KW_RECORDWRITER | KW_SEMI | KW_LATERAL | KW_TOUCH | KW_ARCHIVE | KW_UNARCHIVE | KW_COMPUTE | KW_STATISTICS | KW_USE | KW_OPTION | KW_CONCATENATE | KW_SHOW_DATABASE | KW_UPDATE | KW_RESTRICT | KW_CASCADE | KW_SKEWED | KW_ROLLUP | KW_CUBE | KW_DIRECTORIES | KW_FOR | KW_GROUPING | KW_SETS | KW_TRUNCATE | KW_NOSCAN | KW_USER | KW_ROLE | KW_ROLES | KW_INNER | KW_DEFINED | KW_ADMIN | KW_JAR | KW_FILE | KW_OWNER | KW_PRINCIPALS | KW_ALL | KW_DEFAULT | KW_NONE | KW_COMPACT | KW_COMPACTIONS | KW_TRANSACTIONS | KW_REWRITE | KW_AUTHORIZATION | KW_VALUES
diff --git ql/src/test/queries/clientpositive/authorization_non_id.q ql/src/test/queries/clientpositive/authorization_non_id.q
new file mode 100644
index 0000000..26d4b50
--- /dev/null
+++ ql/src/test/queries/clientpositive/authorization_non_id.q
@@ -0,0 +1,25 @@
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+
+set role ADMIN;
+drop table if exists src_autho_test;
+create table src_autho_test (id int);
+
+create role src_role2;
+
+grant role src_role2 to user bar;
+grant role src_role2 to user `foo-1`;
+
+show role grant user bar;
+show role grant user `foo-1`;
+
+grant select on table src_autho_test to user bar;
+grant select on table src_autho_test to user `foo-1`;
+
+show grant user bar on all;
+show grant user `foo-1` on all;
+
+drop table src_autho_test;
+drop role src_role2;
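Review bot: The new `principalIdentifier` rule in IdentifiersParser.g accepts any `QuotedIdentifier`, so the text that becomes the subject of a GRANT is no longer limited to identifier characters, and nothing visible in this diff validates or normalizes it before it is stored. A principal name is later compared when access is decided, so the permitted form should be stated and enforced in one place; the semantic analyzer is the likely spot, though it is outside this diff. That check should reject an empty quoted name and fix whether case and surrounding whitespace are significant. The rule also has no comment, and one such as `// Principal names may contain characters (e.g. '-') that are not legal in an unquoted identifier, hence QuotedIdentifier.` would explain why it differs from `identifier`. The expected output shows `foo-1` stored without backticks, so unquoting happens somewhere not visible here and should be confirmed for names that contain a backtick.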
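Review bot: The test in authorization_non_id.q exercises only GRANT and SHOW for a USER principal, yet the grammar change also alters the GROUP alternative, and no REVOKE is issued, so nothing shows that a privilege granted to a quoted principal can be taken away again. Adding ``revoke select on table src_autho_test from user `foo-1`;`` followed by ``show grant user `foo-1` on all;`` would cover the removal path, and ``grant role src_role2 to group `grp-1`;`` would cover the group alternative (`grp-1` is a constructed sample name). A companion clientnegative case with the unquoted form `foo-1` would pin down that the hyphenated name is accepted only when quoted.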
diff --git ql/src/test/results/clientpositive/authorization_non_id.q.out ql/src/test/results/clientpositive/authorization_non_id.q.out new file mode 100644 index 0000000..9b81d22 --- /dev/null +++ ql/src/test/results/clientpositive/authorization_non_id.q.out 
@@ -0,0 +1,74 @@ +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: drop table if exists src_autho_test +PREHOOK: type: DROPTABLE +POSTHOOK: query: drop table if exists src_autho_test +POSTHOOK: type: DROPTABLE +PREHOOK: query: create table src_autho_test (id int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: create table src_autho_test (id int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: create role src_role2 +PREHOOK: type: CREATEROLE +POSTHOOK: query: create role src_role2 +POSTHOOK: type: CREATEROLE +PREHOOK: query: grant role src_role2 to user bar +PREHOOK: type: GRANT_ROLE +POSTHOOK: query: grant role src_role2 to user bar +POSTHOOK: type: GRANT_ROLE +PREHOOK: query: grant role src_role2 to user `foo-1` +PREHOOK: type: GRANT_ROLE +POSTHOOK: query: grant role src_role2 to user `foo-1` +POSTHOOK: type: GRANT_ROLE +PREHOOK: query: show role grant user bar +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant user bar +POSTHOOK: type: SHOW_ROLE_GRANT +public false -1 +src_role2 false -1 hive_admin_user +PREHOOK: query: show role grant user `foo-1` +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant user `foo-1` +POSTHOOK: type: SHOW_ROLE_GRANT +public false -1 +src_role2 false -1 hive_admin_user +PREHOOK: query: grant select on table src_autho_test to user bar +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: grant select on table src_autho_test to user bar +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: grant select on table src_autho_test to user `foo-1` +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: grant select on table src_autho_test to user `foo-1` +POSTHOOK: type: 
GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: show grant user bar on all +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user bar on all +POSTHOOK: type: SHOW_GRANT +default src_autho_test bar USER SELECT false -1 hive_admin_user +PREHOOK: query: show grant user `foo-1` on all +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user `foo-1` on all +POSTHOOK: type: SHOW_GRANT +default src_autho_test foo-1 USER SELECT false -1 hive_admin_user +PREHOOK: query: drop table src_autho_test +PREHOOK: type: DROPTABLE +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: drop table src_autho_test +POSTHOOK: type: DROPTABLE +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: drop role src_role2 +PREHOOK: type: DROPROLE +POSTHOOK: query: drop role src_role2 +POSTHOOK: type: DROPROLE