diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/MetastoreAuthzAPIDisallowAuthorizer.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/MetastoreAuthzAPIDisallowAuthorizer.java
new file mode 100644
index 0000000..35e856e
--- /dev/null
+++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/MetastoreAuthzAPIDisallowAuthorizer.java
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security;
+
+import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
+import org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly;
+
+/**
+ * Authorizer that prevents any authorization api call from being made. For use in testing.
+ */
+public class MetastoreAuthzAPIDisallowAuthorizer extends MetaStoreAuthzAPIAuthorizerEmbedOnly {
+  public static final String errMsg = "Metastore Authorization api invocation is disabled"
+      + " in this configuration.";
+
+  @Override
+  public void authorizeAuthorizationApiInvocation() throws AuthorizationException {
+    throw new AuthorizationException(errMsg);
+  }
+}
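Review bot: `errMsg` is a `public static final` constant but is named in lowerCamelCase; the Java convention the rest of Hive follows is `UPPER_SNAKE_CASE`, so `public static final String ERR_MSG = ...` with `throw new AuthorizationException(ERR_MSG);` to match. If any itest already references `errMsg` by name (I cannot see callers from here), keep the old name as a deprecated alias rather than breaking it. The class Javadoc would also help a test author if it said how the class is wired in, e.g. `For use in itests: configure it as hive.security.metastore.authorization.manager to assert that no metastore authorization API call is made.`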
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java b/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java
index 69783e7..9326d21 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java
@@ -21,6 +21,9 @@
 import java.util.Arrays;
 import java.util.List;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
@@ -31,6 +34,7 @@
 import com.google.common.base.Joiner;
 
 class CommandUtil {
+  public static final Log LOG = LogFactory.getLog(CommandUtil.class);
 
   /**
    * Authorize command of given type and arguments
@@ -47,14 +51,17 @@ static CommandProcessorResponse authorizeCommand(SessionState ss, HiveOperationT
       // ss can be null in unit tests
       return null;
     }
-    if (ss.isAuthorizationModeV2()) {
+    if (ss.isAuthorizationModeV2() &&
+        HiveConf.getBoolVar(ss.getConf(), HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
       try {
         authorizeCommandThrowEx(ss, type, command);
         // authorized to perform action
         return null;
       } catch (HiveAuthzPluginException e) {
+        LOG.error(e);
         return CommandProcessorResponse.create(e);
       } catch (HiveAccessControlException e) {
+        LOG.error(e);
         return CommandProcessorResponse.create(e);
       }
     }
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/DummyHiveAuthorizationValidator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/DummyHiveAuthorizationValidator.java
new file mode 100644
index 0000000..cabc22a
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/DummyHiveAuthorizationValidator.java
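Review bot: Both new `LOG.error(e)` calls in `authorizeCommand` pass the exception as the message object, so commons-logging records only its `toString()` and the stack trace is lost, which matters most for `HiveAuthzPluginException` because that is the unexpected, plugin-failure path; use the two-argument form, `LOG.error("Error from authorization plugin while authorizing " + type, e);`. A `HiveAccessControlException` is an expected denial rather than an error, so `LOG.warn("Command authorization denied: " + e.getMessage());` keeps denials visible for auditing without filling the error log with stack traces. The new condition also means command authorization is skipped entirely when `hive.security.authorization.enabled` is false even though V2 mode is configured; a short comment on that line stating that this is intentional for the cli-only configuration would save the next reader a question. The `LOG` field added in the previous hunk can be `private`. `authorizeCommand` starts before this hunk and continues after it.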
@@ -0,0 +1,45 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
+
+import java.util.List;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationValidator;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+
+/**
+ * A no-op HiveAuthorizationValidator for use from hive cli.
+ */
+public class DummyHiveAuthorizationValidator implements HiveAuthorizationValidator {
+
+  public static final Log LOG = LogFactory.getLog(DummyHiveAuthorizationValidator.class);
+
+  @Override
+  public void checkPrivileges(HiveOperationType hiveOpType, List inputHObjs,
+      List outputHObjs, HiveAuthzContext context)
+      throws HiveAuthzPluginException, HiveAccessControlException {
+    // no-op
+  }
+
+}
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
index 96c4b48..1637162 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
@@ -37,6 +37,7 @@
 import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.hive.common.FileUtils;
 import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
 import org.apache.hadoop.hive.metastore.IMetaStoreClient;
 import org.apache.hadoop.hive.metastore.MetaStoreUtils;
 import org.apache.hadoop.hive.metastore.api.Database;
@@ -53,6 +54,8 @@
 import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
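Review bot: `checkPrivileges` declares its object lists as raw `List inputHObjs, List outputHObjs` while the file imports `HivePrivilegeObject` and otherwise never uses it; the parameters should be `List<HivePrivilegeObject> inputHObjs, List<HivePrivilegeObject> outputHObjs`, which is presumably what the `HiveAuthorizationValidator` interface declares and removes the raw-type warning. The `LOG` field is unused and can be dropped, or made `private` if it is kept for later use. Because this class silently permits every operation, the class Javadoc should state the consequence rather than only the intended caller, e.g. `Performs no privilege checks: every operation is allowed. Only meant to be paired with a cli-only factory and never to be configured for HiveServer2.`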
@@ -455,4 +458,23 @@ public static HivePrincipal getValidatedPrincipal(HivePrincipal hPrincipal)
     return hivePrincipals;
   }
 
+  /**
+   * Change the session context based on configuration to aid in testing of sql
+   * std auth
+   *
+   * @param ctx
+   * @param conf
+   * @return
+   */
+  static HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext ctx, HiveConf conf) {
+    if (conf.getBoolVar(ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE)
+        && ctx.getClientType() == CLIENT_TYPE.HIVECLI) {
+      // create new session ctx object with HS2 as client type
+      HiveAuthzSessionContext.Builder ctxBuilder = new HiveAuthzSessionContext.Builder(ctx);
+      ctxBuilder.setClientType(CLIENT_TYPE.HIVESERVER2);
+      return ctxBuilder.build();
+    }
+    return ctx;
+  }
+
 }
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdConfOnlyAuthorizerFactory.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdConfOnlyAuthorizerFactory.java
new file mode 100644
index 0000000..c80f349
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdConfOnlyAuthorizerFactory.java
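Review bot: The Javadoc on `applyTestSettings` carries empty `@param ctx`, `@param conf` and `@return` tags; fill them in, e.g. `@param ctx session context as reported by the caller`, `@param conf configuration consulted for the test-mode flag`, `@return ctx unchanged, or a copy whose client type is HIVESERVER2 when the test flag is set for a HIVECLI session`. Since the HS2 client type is exactly what the cli guard in `SQLStdHiveAuthorizationValidator.assertHiveCliAuthDisabled` keys on, this test flag effectively disables that guard, and the Javadoc should say so explicitly rather than only "to aid in testing". If this class has a logger, emitting a WARN when the rewrite happens would make an accidental production use of the flag visible in the logs.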
@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
+
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.Private;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerImpl;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
+
+/**
+ * Authorization class that can be used from hive cli, so that configuration
+ * in cli mode is set appropriately for SQL standards authorization.
+ * This ensures that new tables and views have proper privileges for the table/view owner.
+ *
+ * Uses DummyHiveAuthorizationValidator for no-op authorization checks.
Authorization using
+ * sql standards based authorization mode can't be done securely with hive-cli, as hive-cli
+ * users have direct access to the file system.
+ */
+@Private
+public class SQLStdConfOnlyAuthorizerFactory implements HiveAuthorizerFactory {
+  @Override
+  public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
+      HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
+
+    SQLStdHiveAccessControllerWrapper privilegeManager =
+        new SQLStdHiveAccessControllerWrapper(metastoreClientFactory, conf, authenticator, ctx);
+    return new HiveAuthorizerImpl(privilegeManager, new DummyHiveAuthorizationValidator());
+  }
+}
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
index 532bcc5..6708425 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
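Review bot: `createHiveAuthorizer` never looks at `ctx.getClientType()`, so if an operator points `hive.security.authorization.manager` at this factory on HiveServer2, every privilege check becomes a no-op while `hive.security.authorization.enabled=true` suggests the server is protected; the Javadoc says it is for hive cli, but nothing enforces that. A fail-closed guard at the top of the method would make misconfiguration an error rather than a silent bypass: `if (ctx.getClientType() != HiveAuthzSessionContext.CLIENT_TYPE.HIVECLI) {` / `  throw new HiveAuthzPluginException("SQLStdConfOnlyAuthorizerFactory performs no privilege checks and can only be used from hive cli");` / `}`. I cannot tell from the hunk whether `ctx` can be null on some call paths, so check that before dereferencing if it can.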
@@ -90,42 +90,11 @@ public SQLStdHiveAccessController(HiveMetastoreClientFactory metastoreClientFact
       HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
     this.metastoreClientFactory = metastoreClientFactory;
     this.authenticator = authenticator;
-    this.sessionCtx = applyTestSettings(ctx, conf);
-
-    assertHiveCliAuthDisabled(conf);
-    initUserRoles();
+    this.sessionCtx = SQLAuthorizationUtils.applyTestSettings(ctx, conf);
     LOG.info("Created SQLStdHiveAccessController for session context : " + sessionCtx);
   }
 
   /**
-   * Change the session context based on configuration to aid in testing of sql std auth
-   * @param ctx
-   * @param conf
-   * @return
-   */
-  private HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext ctx, HiveConf conf) {
-    if(conf.getBoolVar(ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE) &&
-        ctx.getClientType() == CLIENT_TYPE.HIVECLI
-        ){
-      // create new session ctx object with HS2 as client type
-      HiveAuthzSessionContext.Builder ctxBuilder = new HiveAuthzSessionContext.Builder(ctx);
-      ctxBuilder.setClientType(CLIENT_TYPE.HIVESERVER2);
-      return ctxBuilder.build();
-    }
-    return ctx;
-  }
-
-  private void assertHiveCliAuthDisabled(HiveConf conf) throws HiveAuthzPluginException {
-    if (sessionCtx.getClientType() == CLIENT_TYPE.HIVECLI
-        && conf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
-      throw new HiveAuthzPluginException(
-          "SQL standards based authorization should not be enabled from hive cli"
-              + "Instead the use of storage based authorization in hive metastore is reccomended. Set "
-              + ConfVars.HIVE_AUTHORIZATION_ENABLED.varname + "=false to disable authz within cli");
-    }
-  }
-
-  /**
    * (Re-)initialize currentRoleNames if necessary.
    * @throws HiveAuthzPluginException
    */
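Review bot: The constructor no longer calls `initUserRoles()`, so `currentRoleNames` is only populated lazily from now on; the surviving "(Re-)initialize currentRoleNames if necessary" Javadoc suggests that path exists, but every role-dependent entry point of the controller must now go through it, which cannot be verified from this hunk. A one-line comment where the call was removed, `// roles are initialized lazily by the role-dependent methods`, would record the intent for the next reader. The constructor still declares `throws HiveAuthzPluginException` although nothing left in its body appears to throw it; keep it only if subclasses or the wrapper rely on the declaration. The constructor signature starts before this hunk.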
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
index 4555a71..0e093b0 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
@@ -25,12 +25,15 @@
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
 import org.apache.hadoop.hive.metastore.IMetaStoreClient;
 import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationValidator;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
@@ -44,16 +47,30 @@
   private final HiveConf conf;
   private final HiveAuthenticationProvider authenticator;
   private final SQLStdHiveAccessControllerWrapper privController;
+  private final HiveAuthzSessionContext ctx;
 
   public static final Log LOG = LogFactory.getLog(SQLStdHiveAuthorizationValidator.class);
 
   public SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory metastoreClientFactory,
       HiveConf conf, HiveAuthenticationProvider authenticator,
-      SQLStdHiveAccessControllerWrapper privilegeManager) {
+      SQLStdHiveAccessControllerWrapper privilegeManager, HiveAuthzSessionContext ctx)
+      throws HiveAuthzPluginException {
     this.metastoreClientFactory = metastoreClientFactory;
     this.conf = conf;
     this.authenticator = authenticator;
     this.privController = privilegeManager;
+    this.ctx = SQLAuthorizationUtils.applyTestSettings(ctx, conf);
+    assertHiveCliAuthDisabled(conf);
+  }
+
+  private void assertHiveCliAuthDisabled(HiveConf conf) throws HiveAuthzPluginException {
+    if (ctx.getClientType() == CLIENT_TYPE.HIVECLI
+        && conf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
+      throw new HiveAuthzPluginException(
+          "SQL standards based authorization should not be enabled from hive cli"
+              + "Instead the use of storage based authorization in hive metastore is reccomended. Set "
+              + ConfVars.HIVE_AUTHORIZATION_ENABLED.varname + "=false to disable authz within cli");
+    }
   }
 
   @Override
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java
index de5dacc..e3d49a6 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java
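Review bot: The message thrown by `assertHiveCliAuthDisabled` concatenates `"...from hive cli"` directly with `"Instead..."`, so the operator sees "from hive cliInstead", and it also misspells "recommended"; since this text is the one thing a misconfigured cli user gets to read, change the two literals to `"SQL standards based authorization should not be enabled from hive cli. "` and `+ "Instead the use of storage based authorization in hive metastore is recommended. Set "`. The method reads the `ctx` field rather than taking it as a parameter, so the constructor's `this.ctx = ...` must stay ahead of the `assertHiveCliAuthDisabled(conf)` call; either pass `ctx` in explicitly or add `// ctx must be assigned before this check` above the call. Moving the guard into the validator (rather than the access controller) is what lets `SQLStdConfOnlyAuthorizerFactory` skip it, which is worth a sentence in this method's Javadoc.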
@@ -37,7 +37,7 @@ public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreC
     return new HiveAuthorizerImpl(
         privilegeManager,
         new SQLStdHiveAuthorizationValidator(metastoreClientFactory, conf, authenticator,
-            privilegeManager)
+            privilegeManager, ctx)
         );
   }
 }
diff --git a/ql/src/test/queries/clientpositive/authorization_cli_createtab.q b/ql/src/test/queries/clientpositive/authorization_cli_createtab.q
index 25fc80a..ffaf0ad 100644
--- a/ql/src/test/queries/clientpositive/authorization_cli_createtab.q
+++ b/ql/src/test/queries/clientpositive/authorization_cli_createtab.q
@@ -1,6 +1,5 @@
-set hive.test.authz.sstd.hs2.mode=true;
 set hive.users.in.admin.role=hive_admin_user;
-set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
 set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
 set user.name=hive_test_user;
 
diff --git a/ql/src/test/queries/clientpositive/authorization_cli_createtab_noauthzapi.q b/ql/src/test/queries/clientpositive/authorization_cli_createtab_noauthzapi.q
new file mode 100644
index 0000000..c39df65
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/authorization_cli_createtab_noauthzapi.q
@@ -0,0 +1,12 @@
+set hive.users.in.admin.role=hive_admin_user;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set hive.metastore.pre.event.listeners=org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener;
+set hive.security.metastore.authorization.manager=org.apache.hadoop.hive.ql.security.MetastoreAuthzAPIDisallowAuthorizer;
+set user.name=hive_test_user;
+
+-- verify that sql std auth can be set as the authorizer with hive cli, while metastore authorization api calls are disabled (for cli)
+
+create table t_cli(i int);
+
+create view v_cli (i) as select i from t_cli;
diff --git a/ql/src/test/queries/clientpositive/authorization_cli_nonsql.q b/ql/src/test/queries/clientpositive/authorization_cli_nonsql.q
new file mode 100644
index 0000000..0a5395f
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/authorization_cli_nonsql.q
@@ -0,0 +1,28 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+
+-- Verify that dfs,compile,add,delete commands can be run from hive cli
+
+use default;
+
+dfs ${system:test.dfs.mkdir} ${system:test.tmp.dir}/a_admin_almighty1;
+dfs -ls ${system:test.tmp.dir}/a_admin_almighty1;
+
+create table a_table1(a int, b int);
+add jar ${system:maven.local.repository}/org/apache/hive/hive-it-test-serde/${system:hive.version}/hive-it-test-serde-${system:hive.version}.jar;
+alter table a_table1 set serde 'org.apache.hadoop.hive.serde2.TestSerDe' with serdeproperties('s1'='9');
+drop table a_table;
+
+delete jar ${system:maven.local.repository}/org/apache/hive/hive-it-test-serde/${system:hive.version}/hive-it-test-serde-${system:hive.version}.jar;
+
+compile `import org.apache.hadoop.hive.ql.exec.UDF \;
+public class Pyth extends UDF {
+  public double evaluate(double a, double b){
+    return Math.sqrt((a*a) + (b*b)) \;
+  }
+} `AS GROOVY NAMED Pyth.groovy;
+CREATE TEMPORARY FUNCTION Pyth as 'Pyth';
+
+SELECT Pyth(3,4) FROM src tablesample (1 rows);
+
+DROP TEMPORARY FUNCTION Pyth;
+
diff --git a/ql/src/test/queries/clientpositive/authorization_cli_stdconfigauth.q b/ql/src/test/queries/clientpositive/authorization_cli_stdconfigauth.q
new file mode 100644
index 0000000..a3f8e64
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/authorization_cli_stdconfigauth.q
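Review bot: `drop table a_table;` in the new authorization_cli_nonsql.q drops a table the script never created, while `a_table1`, created and altered a few lines above, is left behind for later tests in the same run; presumably `drop table a_table1;` was intended. The script only passes as written because dropping a nonexistent table is, as far as I can tell, ignored under the default configuration, so the typo does not surface as a failure. The trailing blank line at the end of the file and the `use default;` before any object creation are fine but the comment `-- Verify that dfs,compile,add,delete commands can be run from hive cli` could mention that this is with authorization left disabled, which is the condition under which `CommandUtil.authorizeCommand` skips the check.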
@@ -0,0 +1,10 @@ +set hive.users.in.admin.role=hive_admin_user; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory; +set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; +set hive.security.authorization.enabled=true; + +-- verify that SQLStdConfOnlyAuthorizerFactory as the authorizer factory with hive cli, with hive.security.authorization.enabled=true +-- authorization verification would be just no-op + +create table t_cli(i int); +describe t_cli; diff --git a/ql/src/test/results/clientnegative/authorization_cannot_create_all_role.q.out b/ql/src/test/results/clientnegative/authorization_cannot_create_all_role.q.out index 99f20bd..0b79e71 100644 --- a/ql/src/test/results/clientnegative/authorization_cannot_create_all_role.q.out +++ b/ql/src/test/results/clientnegative/authorization_cannot_create_all_role.q.out @@ -1,7 +1,5 @@ PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role ADMIN -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: create role all -PREHOOK: type: CREATEROLE -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Role name cannot be one of the reserved roles: [ALL, DEFAULT, NONE] +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined + diff --git a/ql/src/test/results/clientnegative/authorization_cannot_create_default_role.q.out b/ql/src/test/results/clientnegative/authorization_cannot_create_default_role.q.out index f328beb..0b79e71 100644 --- a/ql/src/test/results/clientnegative/authorization_cannot_create_default_role.q.out +++ b/ql/src/test/results/clientnegative/authorization_cannot_create_default_role.q.out 
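Review bot: The new expected output for authorization_cannot_create_all_role.q.out replaces the reserved-role rejection, `Role name cannot be one of the reserved roles: [ALL, DEFAULT, NONE]`, with an IDE-style `Unresolved compilation problem` referring to the removed four-argument `SQLStdHiveAuthorizationValidator` constructor, so the negative test now passes only while the class fails to compile and no longer asserts that `create role all` is refused. The same stale-build output is committed in the hunks that follow for authorization_cannot_create_default_role, authorization_cannot_create_none_role, authorization_caseinsensitivity, authorization_create_role_no_admin, authorization_disallow_transform, authorization_drop_admin_role, authorization_drop_role_no_admin and authorization_priv_current_role_neg, each of which previously asserted a specific authorization denial. These .q.out files should be regenerated from a clean build so the original failure messages are restored before the change is merged.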
@@ -1,7 +1,5 @@ PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role ADMIN -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: create role default -PREHOOK: type: CREATEROLE -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Role name cannot be one of the reserved roles: [ALL, DEFAULT, NONE] +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined + diff --git a/ql/src/test/results/clientnegative/authorization_cannot_create_none_role.q.out b/ql/src/test/results/clientnegative/authorization_cannot_create_none_role.q.out index 4808433..0b79e71 100644 --- a/ql/src/test/results/clientnegative/authorization_cannot_create_none_role.q.out +++ b/ql/src/test/results/clientnegative/authorization_cannot_create_none_role.q.out @@ -1,7 +1,5 @@ PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role ADMIN -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: create role None -PREHOOK: type: CREATEROLE -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Role name cannot be one of the reserved roles: [ALL, DEFAULT, NONE] +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined + diff --git a/ql/src/test/results/clientnegative/authorization_caseinsensitivity.q.out b/ql/src/test/results/clientnegative/authorization_caseinsensitivity.q.out index 633527d..0b79e71 100644 --- a/ql/src/test/results/clientnegative/authorization_caseinsensitivity.q.out +++ b/ql/src/test/results/clientnegative/authorization_caseinsensitivity.q.out 
@@ -1,62 +1,5 @@ PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role ADMIN -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: create role testrole -PREHOOK: type: CREATEROLE -POSTHOOK: query: create role testrole -POSTHOOK: type: CREATEROLE -PREHOOK: query: show roles -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: show roles -POSTHOOK: type: SHOW_ROLES -admin -public -testrole - -PREHOOK: query: drop role TESTROLE -PREHOOK: type: DROPROLE -POSTHOOK: query: drop role TESTROLE -POSTHOOK: type: DROPROLE -PREHOOK: query: show roles -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: show roles -POSTHOOK: type: SHOW_ROLES -admin -public - -PREHOOK: query: create role TESTROLE -PREHOOK: type: CREATEROLE -POSTHOOK: query: create role TESTROLE -POSTHOOK: type: CREATEROLE -PREHOOK: query: show roles -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: show roles -POSTHOOK: type: SHOW_ROLES -admin -public -testrole - -PREHOOK: query: grant role testROLE to user hive_admin_user -PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant role testROLE to user hive_admin_user -POSTHOOK: type: GRANT_ROLE -PREHOOK: query: set role testrolE -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role testrolE -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: set role adMin -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role adMin -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: show roles -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: show roles -POSTHOOK: type: SHOW_ROLES -admin -public -testrole +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined -PREHOOK: query: create role TESTRoLE -PREHOOK: type: CREATEROLE -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Role testrole already exists. 
diff --git a/ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out b/ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out index 82052d1..b5ee08c 100644 --- a/ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out +++ b/ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out @@ -1,4 +1,6 @@ PREHOOK: query: -- this test will fail because hive_test_user is not in admin role. create role r1 PREHOOK: type: CREATEROLE -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_test_user is not allowed to add roles. User has to belong to ADMIN role and have it as current role, for this action. +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined + diff --git a/ql/src/test/results/clientnegative/authorization_disallow_transform.q.out b/ql/src/test/results/clientnegative/authorization_disallow_transform.q.out index 39819b6..2d01acd 100644 --- a/ql/src/test/results/clientnegative/authorization_disallow_transform.q.out +++ b/ql/src/test/results/clientnegative/authorization_disallow_transform.q.out 
@@ -1,12 +1,5 @@ PREHOOK: query: set role ALL PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role ALL -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM src -PREHOOK: type: QUERY -PREHOOK: Input: default@src -#### A masked pattern was here #### -FAILED: Hive Internal Error: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException(Query with transform clause is disallowed in current configuration.) -org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Query with transform clause is disallowed in current configuration. -#### A masked pattern was here #### +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined diff --git a/ql/src/test/results/clientnegative/authorization_drop_admin_role.q.out b/ql/src/test/results/clientnegative/authorization_drop_admin_role.q.out index 8383f52..d3656d3 100644 --- a/ql/src/test/results/clientnegative/authorization_drop_admin_role.q.out +++ b/ql/src/test/results/clientnegative/authorization_drop_admin_role.q.out @@ -1,7 +1,5 @@ PREHOOK: query: set role admin PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role admin -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: drop role admin -PREHOOK: type: DROPROLE -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error dropping role: public,admin roles can't be dropped. +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined + 
diff --git a/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out b/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out index 05b4119..0b79e71 100644 --- a/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out +++ b/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out @@ -1,27 +1,5 @@ PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role ADMIN -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: show current roles -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: show current roles -POSTHOOK: type: SHOW_ROLES -admin - -PREHOOK: query: create role r1 -PREHOOK: type: CREATEROLE -POSTHOOK: query: create role r1 -POSTHOOK: type: CREATEROLE -PREHOOK: query: set role ALL -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role ALL -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: show current roles -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: show current roles -POSTHOOK: type: SHOW_ROLES -public +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined -PREHOOK: query: drop role r1 -PREHOOK: type: DROPROLE -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_admin_user is not allowed to drop role. User has to belong to ADMIN role and have it as current role, for this action. diff --git a/ql/src/test/results/clientnegative/authorization_priv_current_role_neg.q.out b/ql/src/test/results/clientnegative/authorization_priv_current_role_neg.q.out index 7a9d382..0b79e71 100644 --- a/ql/src/test/results/clientnegative/authorization_priv_current_role_neg.q.out +++ b/ql/src/test/results/clientnegative/authorization_priv_current_role_neg.q.out 
@@ -1,80 +1,5 @@ PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role ADMIN -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: -- the test verifies that authorization is happening with privileges of the current roles +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined --- grant privileges with grant option for table to role2 -create role role2 -PREHOOK: type: CREATEROLE -POSTHOOK: query: -- the test verifies that authorization is happening with privileges of the current roles - --- grant privileges with grant option for table to role2 -create role role2 -POSTHOOK: type: CREATEROLE -PREHOOK: query: grant role role2 to user user2 -PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant role role2 to user user2 -POSTHOOK: type: GRANT_ROLE -PREHOOK: query: create table tpriv_current_role(i int) -PREHOOK: type: CREATETABLE -PREHOOK: Output: database:default -PREHOOK: Output: default@tpriv_current_role -POSTHOOK: query: create table tpriv_current_role(i int) -POSTHOOK: type: CREATETABLE -POSTHOOK: Output: database:default -POSTHOOK: Output: default@tpriv_current_role -PREHOOK: query: grant all on table tpriv_current_role to role role2 with grant option -PREHOOK: type: GRANT_PRIVILEGE -PREHOOK: Output: default@tpriv_current_role -POSTHOOK: query: grant all on table tpriv_current_role to role role2 with grant option -POSTHOOK: type: GRANT_PRIVILEGE -POSTHOOK: Output: default@tpriv_current_role -PREHOOK: query: -- switch to user2 - --- by default all roles should be in current roles, and grant to new user should work -show current roles -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: -- switch to user2 - --- by default all roles should be in current roles, and grant to new user should work -show current roles -POSTHOOK: type: 
SHOW_ROLES -public -role2 - -PREHOOK: query: grant all on table tpriv_current_role to user user3 -PREHOOK: type: GRANT_PRIVILEGE -PREHOOK: Output: default@tpriv_current_role -POSTHOOK: query: grant all on table tpriv_current_role to user user3 -POSTHOOK: type: GRANT_PRIVILEGE -POSTHOOK: Output: default@tpriv_current_role -PREHOOK: query: set role role2 -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role role2 -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: -- switch to role2, grant should work -grant all on table tpriv_current_role to user user4 -PREHOOK: type: GRANT_PRIVILEGE -PREHOOK: Output: default@tpriv_current_role -POSTHOOK: query: -- switch to role2, grant should work -grant all on table tpriv_current_role to user user4 -POSTHOOK: type: GRANT_PRIVILEGE -POSTHOOK: Output: default@tpriv_current_role -PREHOOK: query: show grant user user4 on table tpriv_current_role -PREHOOK: type: SHOW_GRANT -POSTHOOK: query: show grant user user4 on table tpriv_current_role -POSTHOOK: type: SHOW_GRANT -default tpriv_current_role user4 USER DELETE false -1 user2 -default tpriv_current_role user4 USER INSERT false -1 user2 -default tpriv_current_role user4 USER SELECT false -1 user2 -default tpriv_current_role user4 USER UPDATE false -1 user2 -PREHOOK: query: set role PUBLIC -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role PUBLIC -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: -- set role to public, should fail as role2 is not one of the current roles -grant all on table tpriv_current_role to user user5 -PREHOOK: type: GRANT_PRIVILEGE -PREHOOK: Output: default@tpriv_current_role -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied: Principal [name=user2, type=USER] does not have following privileges for operation GRANT_PRIVILEGE [[SELECT with grant, INSERT with grant, UPDATE with grant, DELETE with grant] on Object [type=TABLE_OR_VIEW, name=default.tpriv_current_role]] 
diff --git a/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out b/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out index 2b7eaeb..0b79e71 100644 --- a/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out +++ b/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out @@ -1,22 +1,5 @@ PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role ADMIN -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: -- this is applicable to any security mode as check is in metastore -create role role1 -PREHOOK: type: CREATEROLE -POSTHOOK: query: -- this is applicable to any security mode as check is in metastore -create role role1 -POSTHOOK: type: CREATEROLE -PREHOOK: query: create role role2 -PREHOOK: type: CREATEROLE -POSTHOOK: query: create role role2 -POSTHOOK: type: CREATEROLE -PREHOOK: query: grant role role1 to role role2 -PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant role role1 to role role2 -POSTHOOK: type: GRANT_ROLE -PREHOOK: query: -- this will create a cycle -grant role role2 to role role1 -PREHOOK: type: GRANT_ROLE -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error granting role: Cannot grant role role1 to role2 as role2 already belongs to the role role1. (no cycles allowed) +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined + diff --git a/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out b/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out index fe47208..0b79e71 100644 --- a/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out +++ b/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out 
@@ -1,48 +1,5 @@ PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role ADMIN -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: -- this is applicable to any security mode as check is in metastore +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined -create role role1 -PREHOOK: type: CREATEROLE -POSTHOOK: query: -- this is applicable to any security mode as check is in metastore - -create role role1 -POSTHOOK: type: CREATEROLE -PREHOOK: query: create role role2 -PREHOOK: type: CREATEROLE -POSTHOOK: query: create role role2 -POSTHOOK: type: CREATEROLE -PREHOOK: query: grant role role2 to role role1 -PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant role role2 to role role1 -POSTHOOK: type: GRANT_ROLE -PREHOOK: query: create role role3 -PREHOOK: type: CREATEROLE -POSTHOOK: query: create role role3 -POSTHOOK: type: CREATEROLE -PREHOOK: query: grant role role3 to role role2 -PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant role role3 to role role2 -POSTHOOK: type: GRANT_ROLE -PREHOOK: query: create role role4 -PREHOOK: type: CREATEROLE -POSTHOOK: query: create role role4 -POSTHOOK: type: CREATEROLE -PREHOOK: query: grant role role4 to role role3 -PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant role role4 to role role3 -POSTHOOK: type: GRANT_ROLE -PREHOOK: query: create role role5 -PREHOOK: type: CREATEROLE -POSTHOOK: query: create role role5 -POSTHOOK: type: CREATEROLE -PREHOOK: query: grant role role5 to role role4 -PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant role role5 to role role4 -POSTHOOK: type: GRANT_ROLE -PREHOOK: query: -- this will create a cycle in middle of the hierarchy -grant role role2 to role role4 -PREHOOK: type: GRANT_ROLE -FAILED: Execution Error, return code 1 from 
org.apache.hadoop.hive.ql.exec.DDLTask. Error granting role: Cannot grant role role4 to role2 as role2 already belongs to the role role4. (no cycles allowed) diff --git a/ql/src/test/results/clientnegative/authorization_role_grant.q.out b/ql/src/test/results/clientnegative/authorization_role_grant.q.out index bd0f0a3..0b79e71 100644 --- a/ql/src/test/results/clientnegative/authorization_role_grant.q.out +++ b/ql/src/test/results/clientnegative/authorization_role_grant.q.out 
@@ -1,44 +1,5 @@ PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role ADMIN -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: ---------------------------------------- --- role granting with admin option --- since user2 doesn't have admin option for role_noadmin, last grant should fail ----------------------------------------- +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined -create role role_noadmin -PREHOOK: type: CREATEROLE -POSTHOOK: query: ---------------------------------------- --- role granting with admin option --- since user2 doesn't have admin option for role_noadmin, last grant should fail ----------------------------------------- - -create role role_noadmin -POSTHOOK: type: CREATEROLE -PREHOOK: query: create role src_role_wadmin -PREHOOK: type: CREATEROLE -POSTHOOK: query: create role src_role_wadmin -POSTHOOK: type: CREATEROLE -PREHOOK: query: grant src_role_wadmin to user user2 with admin option -PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant src_role_wadmin to user user2 with admin option -POSTHOOK: type: GRANT_ROLE -PREHOOK: query: grant role_noadmin to user user2 -PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant role_noadmin to user user2 -POSTHOOK: type: GRANT_ROLE -PREHOOK: query: show role grant user user2 -PREHOOK: type: SHOW_ROLE_GRANT -POSTHOOK: query: show role grant user user2 -POSTHOOK: type: SHOW_ROLE_GRANT -public false -1 -role_noadmin false -1 hive_admin_user -src_role_wadmin true -1 hive_admin_user -PREHOOK: query: set role role_noadmin -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role role_noadmin -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: grant src_role_wadmin to user user3 -PREHOOK: type: GRANT_ROLE -FAILED: Execution Error, return code 1 from 
org.apache.hadoop.hive.ql.exec.DDLTask. Current user : user2 is not allowed to grant role. User has to belong to ADMIN role and have it as current role, for this action. Otherwise, grantor need to have ADMIN OPTION on role being granted and have it as a current role for this action. diff --git a/ql/src/test/results/clientnegative/authorization_role_grant2.q.out b/ql/src/test/results/clientnegative/authorization_role_grant2.q.out index 2156d49..0b79e71 100644 --- a/ql/src/test/results/clientnegative/authorization_role_grant2.q.out +++ b/ql/src/test/results/clientnegative/authorization_role_grant2.q.out 
@@ -1,62 +1,5 @@ PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role ADMIN -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: ---------------------------------------- --- grant role with admin option, then revoke admin option --- once the admin option has been revoked, last grant should fail ----------------------------------------- +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined -create role src_role_wadmin -PREHOOK: type: CREATEROLE -POSTHOOK: query: ---------------------------------------- --- grant role with admin option, then revoke admin option --- once the admin option has been revoked, last grant should fail ----------------------------------------- - -create role src_role_wadmin -POSTHOOK: type: CREATEROLE -PREHOOK: query: grant src_role_wadmin to user user2 with admin option -PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant src_role_wadmin to user user2 with admin option -POSTHOOK: type: GRANT_ROLE -PREHOOK: query: show role grant user user2 -PREHOOK: type: SHOW_ROLE_GRANT -POSTHOOK: query: show role grant user user2 -POSTHOOK: type: SHOW_ROLE_GRANT -public false -1 -src_role_wadmin true -1 hive_admin_user -PREHOOK: query: set role src_role_wadmin -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role src_role_wadmin -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: grant src_role_wadmin to user user3 -PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant src_role_wadmin to user user3 -POSTHOOK: type: GRANT_ROLE -PREHOOK: query: revoke src_role_wadmin from user user3 -PREHOOK: type: REVOKE_ROLE -POSTHOOK: query: revoke src_role_wadmin from user user3 -POSTHOOK: type: REVOKE_ROLE -PREHOOK: query: set role ADMIN -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role ADMIN -POSTHOOK: type: SHOW_ROLES -PREHOOK: 
query: revoke admin option for src_role_wadmin from user user2 -PREHOOK: type: REVOKE_ROLE -POSTHOOK: query: revoke admin option for src_role_wadmin from user user2 -POSTHOOK: type: REVOKE_ROLE -PREHOOK: query: show role grant user user2 -PREHOOK: type: SHOW_ROLE_GRANT -POSTHOOK: query: show role grant user user2 -POSTHOOK: type: SHOW_ROLE_GRANT -public false -1 -src_role_wadmin false -1 hive_admin_user -PREHOOK: query: set role src_role_wadmin -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role src_role_wadmin -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: -- grant/revoke should now fail -grant src_role_wadmin to user user3 -PREHOOK: type: GRANT_ROLE -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : user2 is not allowed to grant role. User has to belong to ADMIN role and have it as current role, for this action. Otherwise, grantor need to have ADMIN OPTION on role being granted and have it as a current role for this action. diff --git a/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out b/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out index 510c3a4..0b79e71 100644 --- a/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out +++ b/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out 
@@ -1,19 +1,5 @@ PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role ADMIN -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: ---------------------------------------- --- granting role to a role that does not exist should fail ----------------------------------------- +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined -create role role1 -PREHOOK: type: CREATEROLE -POSTHOOK: query: ---------------------------------------- --- granting role to a role that does not exist should fail ----------------------------------------- - -create role role1 -POSTHOOK: type: CREATEROLE -PREHOOK: query: grant role1 to role nosuchrole -PREHOOK: type: GRANT_ROLE -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error granting roles for nosuchrole to role role1: NoSuchObjectException(message:Role nosuchrole does not exist) diff --git a/ql/src/test/results/clientnegative/authorization_role_grant_otherrole.q.out b/ql/src/test/results/clientnegative/authorization_role_grant_otherrole.q.out index afcd10c..0b79e71 100644 --- a/ql/src/test/results/clientnegative/authorization_role_grant_otherrole.q.out +++ b/ql/src/test/results/clientnegative/authorization_role_grant_otherrole.q.out 
@@ -1,12 +1,5 @@ PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role ADMIN -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: create role accounting -PREHOOK: type: CREATEROLE -POSTHOOK: query: create role accounting -POSTHOOK: type: CREATEROLE -PREHOOK: query: -- user does not belong to this role, so the show role grant should fail -show role grant role accounting -PREHOOK: type: SHOW_ROLE_GRANT -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error getting role grant information for user accounting: User : user1 is not allowed check privileges of a role it does not belong to : accounting. User has to belong to ADMIN role and have it as current role, for this action. +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined + diff --git a/ql/src/test/results/clientnegative/authorization_role_grant_otheruser.q.out b/ql/src/test/results/clientnegative/authorization_role_grant_otheruser.q.out index 37fb402..e4c24d7 100644 --- a/ql/src/test/results/clientnegative/authorization_role_grant_otheruser.q.out +++ b/ql/src/test/results/clientnegative/authorization_role_grant_otheruser.q.out 
@@ -1,23 +1,5 @@ PREHOOK: query: show role grant user ruser1 PREHOOK: type: SHOW_ROLE_GRANT -POSTHOOK: query: show role grant user ruser1 -POSTHOOK: type: SHOW_ROLE_GRANT -public false -1 -PREHOOK: query: set role ADMIN -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role ADMIN -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: show role grant user ruser1 -PREHOOK: type: SHOW_ROLE_GRANT -POSTHOOK: query: show role grant user ruser1 -POSTHOOK: type: SHOW_ROLE_GRANT -public false -1 -PREHOOK: query: show role grant user ruser2 -PREHOOK: type: SHOW_ROLE_GRANT -POSTHOOK: query: show role grant user ruser2 -POSTHOOK: type: SHOW_ROLE_GRANT -public false -1 -PREHOOK: query: -- show role grant for another user as non admin user should fail -show role grant user ruser2 -PREHOOK: type: SHOW_ROLE_GRANT -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error getting role grant information for user ruser2: User : ruser1 is not allowed check privileges of another user : ruser2. User has to belong to ADMIN role and have it as current role, for this action. +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined + diff --git a/ql/src/test/results/clientnegative/authorization_set_role_neg1.q.out b/ql/src/test/results/clientnegative/authorization_set_role_neg1.q.out index b1c647d..5c7b149 100644 --- a/ql/src/test/results/clientnegative/authorization_set_role_neg1.q.out +++ b/ql/src/test/results/clientnegative/authorization_set_role_neg1.q.out 
@@ -2,4 +2,6 @@ PREHOOK: query: -- an error should be thrown if 'set role ' is done for role tha set role nosuchroleexists PREHOOK: type: SHOW_ROLES -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. hive_test_user doesn't belong to role nosuchroleexists +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined + diff --git a/ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out b/ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out index ee03c0e..0b79e71 100644 --- a/ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out +++ b/ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out 
@@ -1,27 +1,5 @@ PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role ADMIN -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: -- an error should be thrown if 'set role ' is done for role that does not exist +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined -create role rset_role_neg -PREHOOK: type: CREATEROLE -POSTHOOK: query: -- an error should be thrown if 'set role ' is done for role that does not exist - -create role rset_role_neg -POSTHOOK: type: CREATEROLE -PREHOOK: query: grant role rset_role_neg to user user2 -PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant role rset_role_neg to user user2 -POSTHOOK: type: GRANT_ROLE -PREHOOK: query: set role rset_role_neg -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role rset_role_neg -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: set role public -PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role public -POSTHOOK: type: SHOW_ROLES -PREHOOK: query: set role nosuchroleexists -PREHOOK: type: SHOW_ROLES -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. user2 doesn't belong to role nosuchroleexists diff --git a/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out b/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out index b0c7b75..1c8cb92 100644 --- a/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out +++ b/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out 
@@ -1,4 +1,6 @@ PREHOOK: query: -- This test will fail because hive_test_user is not in admin role show principals role1 PREHOOK: type: SHOW_ROLE_PRINCIPALS -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_test_user is not allowed get principals in a role. User has to belong to ADMIN role and have it as current role, for this action. +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined + diff --git a/ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out b/ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out index efff4bc..f7507ce 100644 --- a/ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out +++ b/ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out @@ -1,4 +1,6 @@ PREHOOK: query: -- This test will fail because hive_test_user is not in admin role show roles PREHOOK: type: SHOW_ROLES -FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_test_user is not allowed to list roles. User has to belong to ADMIN role and have it as current role, for this action. +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Unresolved compilation problem: + The constructor SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory, HiveConf, HiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper) is undefined + diff --git a/ql/src/test/results/clientpositive/authorization_cli_createtab_noauthzapi.q.out b/ql/src/test/results/clientpositive/authorization_cli_createtab_noauthzapi.q.out new file mode 100644 index 0000000..1375dfa --- /dev/null +++ b/ql/src/test/results/clientpositive/authorization_cli_createtab_noauthzapi.q.out 
@@ -0,0 +1,22 @@ +PREHOOK: query: -- verify that sql std auth can be set as the authorizer with hive cli, while metastore authorization api calls are disabled (for cli) + +create table t_cli(i int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +PREHOOK: Output: default@t_cli +POSTHOOK: query: -- verify that sql std auth can be set as the authorizer with hive cli, while metastore authorization api calls are disabled (for cli) + +create table t_cli(i int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@t_cli +PREHOOK: query: create view v_cli (i) as select i from t_cli +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@t_cli +PREHOOK: Output: database:default +PREHOOK: Output: default@v_cli +POSTHOOK: query: create view v_cli (i) as select i from t_cli +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@t_cli +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v_cli diff --git a/ql/src/test/results/clientpositive/authorization_cli_nonsql.q.out b/ql/src/test/results/clientpositive/authorization_cli_nonsql.q.out new file mode 100644 index 0000000..fcc9624 --- /dev/null +++ b/ql/src/test/results/clientpositive/authorization_cli_nonsql.q.out 
@@ -0,0 +1,51 @@ +PREHOOK: query: -- Verify that dfs,compile,add,delete commands can be run from hive cli + +use default +PREHOOK: type: SWITCHDATABASE +PREHOOK: Input: database:default +POSTHOOK: query: -- Verify that dfs,compile,add,delete commands can be run from hive cli + +use default +POSTHOOK: type: SWITCHDATABASE +POSTHOOK: Input: database:default +PREHOOK: query: create table a_table1(a int, b int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +PREHOOK: Output: default@a_table1 +POSTHOOK: query: create table a_table1(a int, b int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@a_table1 +PREHOOK: query: alter table a_table1 set serde 'org.apache.hadoop.hive.serde2.TestSerDe' with serdeproperties('s1'='9') +PREHOOK: type: ALTERTABLE_SERIALIZER +PREHOOK: Input: default@a_table1 +PREHOOK: Output: default@a_table1 +POSTHOOK: query: alter table a_table1 set serde 'org.apache.hadoop.hive.serde2.TestSerDe' with serdeproperties('s1'='9') +POSTHOOK: type: ALTERTABLE_SERIALIZER +POSTHOOK: Input: default@a_table1 +POSTHOOK: Output: default@a_table1 +PREHOOK: query: drop table a_table +PREHOOK: type: DROPTABLE +POSTHOOK: query: drop table a_table +POSTHOOK: type: DROPTABLE +PREHOOK: query: CREATE TEMPORARY FUNCTION Pyth as 'Pyth' +PREHOOK: type: CREATEFUNCTION +PREHOOK: Output: pyth +POSTHOOK: query: CREATE TEMPORARY FUNCTION Pyth as 'Pyth' +POSTHOOK: type: CREATEFUNCTION +POSTHOOK: Output: pyth +PREHOOK: query: SELECT Pyth(3,4) FROM src tablesample (1 rows) +PREHOOK: type: QUERY +PREHOOK: Input: default@src +#### A masked pattern was here #### +POSTHOOK: query: SELECT Pyth(3,4) FROM src tablesample (1 rows) +POSTHOOK: type: QUERY +POSTHOOK: Input: default@src +#### A masked pattern was here #### +5.0 +PREHOOK: query: DROP TEMPORARY FUNCTION Pyth +PREHOOK: type: DROPFUNCTION +PREHOOK: Output: Pyth +POSTHOOK: query: DROP TEMPORARY FUNCTION Pyth +POSTHOOK: type: DROPFUNCTION +POSTHOOK: Output: Pyth 
diff --git a/ql/src/test/results/clientpositive/authorization_cli_stdconfigauth.q.out b/ql/src/test/results/clientpositive/authorization_cli_stdconfigauth.q.out new file mode 100644 index 0000000..a70b2bc --- /dev/null +++ b/ql/src/test/results/clientpositive/authorization_cli_stdconfigauth.q.out @@ -0,0 +1,21 @@ +PREHOOK: query: -- verify that SQLStdConfOnlyAuthorizerFactory as the authorizer factory with hive cli, with hive.security.authorization.enabled=true +-- authorization verification would be just no-op + +create table t_cli(i int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +PREHOOK: Output: default@t_cli +POSTHOOK: query: -- verify that SQLStdConfOnlyAuthorizerFactory as the authorizer factory with hive cli, with hive.security.authorization.enabled=true +-- authorization verification would be just no-op + +create table t_cli(i int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@t_cli +PREHOOK: query: describe t_cli +PREHOOK: type: DESCTABLE +PREHOOK: Input: default@t_cli +POSTHOOK: query: describe t_cli +POSTHOOK: type: DESCTABLE +POSTHOOK: Input: default@t_cli +i int