diff --git a/ql/src/test/queries/clientnegative/authorization_not_owner_drop_tab2.q b/ql/src/test/queries/clientnegative/authorization_not_owner_drop_tab2.q
new file mode 100644
index 0000000..c4ef868
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_not_owner_drop_tab2.q
@@ -0,0 +1,14 @@
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set hive.security.authorization.enabled=true;
+set user.name=user1;
+
+create database db1;
+use db1;
+-- check if create table fails as different user. use db.table sytax
+create table t1(i int);
+use default;
+
+set user.name=user2;
+drop table db1.t1;
diff --git a/ql/src/test/queries/clientnegative/authorization_show_columns.q b/ql/src/test/queries/clientnegative/authorization_show_columns.q
new file mode 100644
index 0000000..a6597af
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_show_columns.q
@@ -0,0 +1,13 @@
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set hive.security.authorization.enabled=true;
+
+create database db1;
+use db1;
+-- check query without select privilege fails
+create table t1(i int);
+
+set user.name=user1;
+show columns in t1;
+
diff --git a/ql/src/test/queries/clientpositive/authorization_grant_option_role.q b/ql/src/test/queries/clientpositive/authorization_grant_option_role.q
new file mode 100644
index 0000000..ea0b51b
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/authorization_grant_option_role.q
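Review bot: The comment above `create table t1(i int)` describes the wrong assertion: the statement expected to fail in this negative test is the final `drop table db1.t1` issued as user2, while the create table as user1 is setup that must succeed. The comment should sit on the drop and say what the ownership check is being exercised with, e.g. `-- user1 owns db1.t1; a drop by non-owner user2, referencing the table as db.table from another current database, must be denied`. "sytax" is also a typo. The `use default;` before the drop is what makes the qualified-name resolution meaningful, so it is worth naming in the comment rather than leaving the reader to infer it.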
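Review bot: In authorization_show_columns.q the table is created before any `set user.name`, so t1's owner is whatever default user the test harness supplies, and the test only proves that user1 differs from that implicit owner. Making the owner explicit with `set user.name=user2;` before `create table t1(i int);` removes the dependence on harness defaults, which is what the sibling not_owner_drop_tab2 test already does. The comment `-- check query without select privilege fails` would read better as `-- SHOW COLUMNS requires SELECT on the table; user1 is neither owner nor grantee and must be denied`, since SHOW COLUMNS is a metadata operation rather than a query.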
@@ -0,0 +1,28 @@
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+
+set user.name=hive_admin_user;
+set role admin;
+create role r1;
+grant role r1 to user r1user;
+
+set user.name=user1;
+CREATE TABLE t1(i int);
+
+-- all privileges should have been set for user
+
+GRANT ALL ON t1 TO ROLE r1 WITH GRANT OPTION;
+
+set user.name=r1user;
+-- check if user belong to role r1 can grant privileges to others
+GRANT ALL ON t1 TO USER user3;
+
+set user.name=hive_admin_user;
+set role admin;
+-- check privileges on table
+show grant on table t1;
+
+-- check if drop role removes privileges for that role
+drop role r1;
+show grant on table t1;
diff --git a/ql/src/test/results/clientnegative/authorization_not_owner_drop_tab2.q.out b/ql/src/test/results/clientnegative/authorization_not_owner_drop_tab2.q.out
new file mode 100644
index 0000000..0308e09
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_not_owner_drop_tab2.q.out
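Review bot: Unlike the two negative tests in this commit, this positive test never sets `hive.security.authorization.enabled=true`, so whether r1user's `GRANT ALL ON t1 TO USER user3` is actually validated against r1's grant option depends on the SQLStd access controller performing grantor checks independently of that flag; if it does not, the grant succeeds with no check at all and the test passes for the wrong reason. Adding `set hive.security.authorization.enabled=true;` after the authenticator line makes the test self-evidently exercise the grant-option path and keeps the three files consistent. The expected output also pins a security-relevant semantic that the comment on `drop role r1` does not mention: user3's four privileges granted by r1user survive the drop, i.e. there is no cascading revoke of grants made through a role's grant option, so the comment should read `-- drop role removes r1's own privileges but not the privileges r1user granted to user3 via r1's grant option (no cascading revoke)`. A companion negative test where a user without grant option attempts the same GRANT would show that the positive result here is meaningful.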
@@ -0,0 +1,29 @@
+PREHOOK: query: create database db1
+PREHOOK: type: CREATEDATABASE
+PREHOOK: Output: database:db1
+POSTHOOK: query: create database db1
+POSTHOOK: type: CREATEDATABASE
+POSTHOOK: Output: database:db1
+PREHOOK: query: use db1
+PREHOOK: type: SWITCHDATABASE
+PREHOOK: Input: database:db1
+POSTHOOK: query: use db1
+POSTHOOK: type: SWITCHDATABASE
+POSTHOOK: Input: database:db1
+PREHOOK: query: -- check if create table fails as different user. use db.table sytax
+create table t1(i int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:db1
+PREHOOK: Output: db1@t1
+POSTHOOK: query: -- check if create table fails as different user. use db.table sytax
+create table t1(i int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:db1
+POSTHOOK: Output: db1@t1
+PREHOOK: query: use default
+PREHOOK: type: SWITCHDATABASE
+PREHOOK: Input: database:default
+POSTHOOK: query: use default
+POSTHOOK: type: SWITCHDATABASE
+POSTHOOK: Input: database:default
+FAILED: HiveAccessControlException Permission denied: Principal [name=user2, type=USER] does not have following privileges for operation DROPTABLE [[OBJECT OWNERSHIP] on Object [type=TABLE_OR_VIEW, name=db1.t1]]
diff --git a/ql/src/test/results/clientnegative/authorization_show_columns.q.out b/ql/src/test/results/clientnegative/authorization_show_columns.q.out
new file mode 100644
index 0000000..7dca55e
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_show_columns.q.out
@@ -0,0 +1,23 @@
+PREHOOK: query: create database db1
+PREHOOK: type: CREATEDATABASE
+PREHOOK: Output: database:db1
+POSTHOOK: query: create database db1
+POSTHOOK: type: CREATEDATABASE
+POSTHOOK: Output: database:db1
+PREHOOK: query: use db1
+PREHOOK: type: SWITCHDATABASE
+PREHOOK: Input: database:db1
+POSTHOOK: query: use db1
+POSTHOOK: type: SWITCHDATABASE
+POSTHOOK: Input: database:db1
+PREHOOK: query: -- check query without select privilege fails
+create table t1(i int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:db1
+PREHOOK: Output: db1@t1
+POSTHOOK: query: -- check query without select privilege fails
+create table t1(i int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:db1
+POSTHOOK: Output: db1@t1
+FAILED: HiveAccessControlException Permission denied: Principal [name=user1, type=USER] does not have following privileges for operation SHOWCOLUMNS [[SELECT] on Object [type=TABLE_OR_VIEW, name=db1.t1]]
diff --git a/ql/src/test/results/clientpositive/authorization_grant_option_role.q.out b/ql/src/test/results/clientpositive/authorization_grant_option_role.q.out
new file mode 100644
index 0000000..745a8ae
--- /dev/null
+++ b/ql/src/test/results/clientpositive/authorization_grant_option_role.q.out
@@ -0,0 +1,78 @@
+PREHOOK: query: set role admin
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role admin
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: create role r1
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: create role r1
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: grant role r1 to user r1user
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant role r1 to user r1user
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: CREATE TABLE t1(i int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+PREHOOK: Output: default@t1
+POSTHOOK: query: CREATE TABLE t1(i int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@t1
+PREHOOK: query: -- all privileges should have been set for user
+
+GRANT ALL ON t1 TO ROLE r1 WITH GRANT OPTION
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@t1
+POSTHOOK: query: -- all privileges should have been set for user
+
+GRANT ALL ON t1 TO ROLE r1 WITH GRANT OPTION
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@t1
+PREHOOK: query: -- check if user belong to role r1 can grant privileges to others
+GRANT ALL ON t1 TO USER user3
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@t1
+POSTHOOK: query: -- check if user belong to role r1 can grant privileges to others
+GRANT ALL ON t1 TO USER user3
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@t1
+PREHOOK: query: set role admin
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role admin
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: -- check privileges on table
+show grant on table t1
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: -- check privileges on table
+show grant on table t1
+POSTHOOK: type: SHOW_GRANT
+default t1 r1 ROLE DELETE true -1 user1
+default t1 r1 ROLE INSERT true -1 user1
+default t1 r1 ROLE SELECT true -1 user1
+default t1 r1 ROLE UPDATE true -1 user1
+default t1 user1 USER DELETE true -1 hive_admin_user
+default t1 user1 USER INSERT true -1 hive_admin_user
+default t1 user1 USER SELECT true -1 hive_admin_user
+default t1 user1 USER UPDATE true -1 hive_admin_user
+default t1 user3 USER DELETE false -1 r1user
+default t1 user3 USER INSERT false -1 r1user
+default t1 user3 USER SELECT false -1 r1user
+default t1 user3 USER UPDATE false -1 r1user
+PREHOOK: query: -- check if drop role removes privileges for that role
+drop role r1
+PREHOOK: type: DROPROLE
+POSTHOOK: query: -- check if drop role removes privileges for that role
+drop role r1
+POSTHOOK: type: DROPROLE
+PREHOOK: query: show grant on table t1
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant on table t1
+POSTHOOK: type: SHOW_GRANT
+default t1 user1 USER DELETE true -1 hive_admin_user
+default t1 user1 USER INSERT true -1 hive_admin_user
+default t1 user1 USER SELECT true -1 hive_admin_user
+default t1 user1 USER UPDATE true -1 hive_admin_user
+default t1 user3 USER DELETE false -1 r1user
+default t1 user3 USER INSERT false -1 r1user
+default t1 user3 USER SELECT false -1 r1user
+default t1 user3 USER UPDATE false -1 r1user