diff --git a/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/CreateTableHook.java b/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/CreateTableHook.java
index 172ff01..8b69223 100644
--- a/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/CreateTableHook.java
+++ b/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/CreateTableHook.java
@@ -26,7 +26,6 @@ import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.metastore.api.FieldSchema;
 import org.apache.hadoop.hive.ql.exec.DDLTask;
 import org.apache.hadoop.hive.ql.exec.Task;
@@ -195,8 +194,7 @@ public void postAnalyze(HiveSemanticAnalyzerHookContext context,
 //authorize against the table operation so that location permissions can be checked if any
- if (HiveConf.getBoolVar(context.getConf(),
- HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
+ if (HCatAuthUtil.isAuthorizationEnabled(context.getConf())) {
 authorize(table, Privilege.CREATE);
 }
 } catch (HiveException ex) {
diff --git a/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatAuthUtil.java b/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatAuthUtil.java
new file mode 100644
index 0000000..6dce9c4
--- /dev/null
+++ b/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatAuthUtil.java
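Review bot: The replaced condition in postAnalyze changes behavior at this call site in a way the hunk does not document: with HIVE_AUTHORIZATION_ENABLED set but a V2 authorizer configured, HCatAuthUtil.isAuthorizationEnabled returns false and `authorize(table, Privilege.CREATE)` is skipped with no log line, so an operator reading the logs cannot tell whether the client-side location check ran or was deliberately bypassed. The same applies to the early `return;` in authorizeDDL in HCatSemanticAnalyzerBase.java. Consider a short comment at the call site, e.g. `// skipped when a V2 authorizer is in use: metastore-side authorization is expected to cover this`, and, if the class has a logger, a debug-level message in the skipped path so the bypass is visible during incident review. postAnalyze's body starts and ends outside the hunk.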
@@ -0,0 +1,36 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.hive.hcatalog.cli.SemanticAnalysis;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.session.SessionState;
+
+final class HCatAuthUtil {
+ public static boolean isAuthorizationEnabled(Configuration conf) {
+ // the session state getAuthorizer can return null even if authorization is
+ // enabled if the V2 api of authorizer in use.
+ // The additional authorization checks happening in hcatalog are designed to
+ // work with storage based authorization (on client side). It should not try doing
+ // additional checks if a V2 authorizer is in use. The reccomended configuration is to
+ // use storage based authorization in metastore server
+ return HiveConf.getBoolVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)
+ && SessionState.get().getAuthorizer() != null;
+ }
+}
diff --git a/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java b/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java
index 0184dc0..5b3ef94 100644
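Review bot: `SessionState.get()` on the return line of isAuthorizationEnabled is dereferenced without a null check; if no session has been started on the calling thread the method throws a NullPointerException rather than a diagnosable error, and the three new tests all call SessionState.start() first, so that path is not exercised. Because this helper gates a security check, failing closed with a clear message is preferable to either an NPE or a silent false: `SessionState ss = SessionState.get();` then `if (ss == null) { throw new IllegalStateException("SessionState not started; cannot determine authorizer"); }` and `return HiveConf.getBoolVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED) && ss.getAuthorizer() != null;`. The method also deserves a Javadoc stating its contract explicitly — true only when HIVE_AUTHORIZATION_ENABLED is set and a V1-style authorizer is registered on the session, and a configured V2 authorizer deliberately turns HCatalog's client-side checks off in favor of metastore-side authorization — since every caller treats false as "skip the check". The utility class should additionally get a private constructor, and the comment typo `reccomended` should be `recommended`.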
--- a/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java
+++ b/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java
@@ -22,7 +22,6 @@ import java.io.Serializable;
 import java.util.List;
-import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.metastore.api.Database;
 import org.apache.hadoop.hive.ql.exec.Task;
 import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
@@ -89,8 +88,7 @@ public void postAnalyze(HiveSemanticAnalyzerHookContext context,
 protected void authorizeDDL(HiveSemanticAnalyzerHookContext context, List> rootTasks) throws SemanticException {
- if (!HiveConf.getBoolVar(context.getConf(),
- HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
+ if (!HCatAuthUtil.isAuthorizationEnabled(context.getConf())) {
 return;
 }
diff --git a/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/TestHCatAuthUtil.java b/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/TestHCatAuthUtil.java
new file mode 100644
index 0000000..830dcb8
--- /dev/null
+++ b/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/TestHCatAuthUtil.java
@@ -0,0 +1,84 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.hive.hcatalog.cli.SemanticAnalysis;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
+import org.apache.hadoop.hive.ql.session.SessionState;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+/**
+ * Test HCatAuthUtil
+ */
+public class TestHCatAuthUtil {
+
+ public static class DummyV2AuthorizerFactory implements HiveAuthorizerFactory {
+
+ @Override
+ public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
+ HiveConf conf, 
HiveAuthenticationProvider hiveAuthenticator, HiveAuthzSessionContext ctx)
+ throws HiveAuthzPluginException {
+ return Mockito.mock(HiveAuthorizer.class);
+ }
+ }
+
+ /**
+ * Test with auth enabled and v1 auth
+ */
+ @Test
+ public void authEnabledV1Auth() throws Exception {
+ HiveConf hcatConf = new HiveConf(this.getClass());
+ hcatConf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true);
+ SessionState.start(hcatConf);
+ assertTrue("hcat auth should be enabled", HCatAuthUtil.isAuthorizationEnabled(hcatConf));
+ }
+
+ /**
+ * Test with auth enabled and v2 auth
+ */
+ @Test
+ public void authEnabledV2Auth() throws Exception {
+ HiveConf hcatConf = new HiveConf(this.getClass());
+ hcatConf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true);
+ hcatConf.setVar(ConfVars.HIVE_AUTHORIZATION_MANAGER, DummyV2AuthorizerFactory.class.getName());
+ SessionState.start(hcatConf);
+ assertFalse("hcat auth should be disabled", HCatAuthUtil.isAuthorizationEnabled(hcatConf));
+ }
+
+ /**
+ * Test with auth disabled
+ */
+ @Test
+ public void authDisabled() throws Exception {
+ HiveConf hcatConf = new HiveConf(this.getClass());
+ hcatConf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, false);
+ SessionState.start(hcatConf);
+ assertFalse("hcat auth should be disabled", HCatAuthUtil.isAuthorizationEnabled(hcatConf));
+ }
+}
diff --git a/hcatalog/pom.xml b/hcatalog/pom.xml
index 4b75ef5..cff3837 100644
--- a/hcatalog/pom.xml
+++ b/hcatalog/pom.xml
@@ -46,6 +46,15 @@ streaming + + + org.mockito + mockito-all + ${mockito-all.version} + test + + + hadoop-1
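Review bot: authEnabledV1Auth does not set HIVE_AUTHORIZATION_MANAGER, so its expected true result depends on whatever authorizer `new HiveConf(this.getClass())` picks up by default being a V1 implementation; if that default ever changes to a V2 factory the test starts failing for a reason unrelated to HCatAuthUtil. Setting the manager explicitly to a known V1 provider, mirroring the `hcatConf.setVar(ConfVars.HIVE_AUTHORIZATION_MANAGER, ...)` line in authEnabledV2Auth, would make the three cases independent of the default configuration. There is also no test for the case where SessionState.start() was never called on the thread, which is the one input the helper currently handles by throwing a NullPointerException rather than by a deliberate decision; a fourth test pinning the intended behavior there (and whatever exception type is chosen) would document it. Each test starts a new SessionState on the shared test thread without tearing the previous one down, so the tests are order-coupled through the thread-local; a short comment noting that SessionState.start() replaces the earlier session would help the next reader.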