commit 853e2ce6484d1f3731e60b28682128190425e113
Author: Thejas Nair
Date: Thu Oct 9 19:51:54 2014 -0700

allow role admin to see all principals in role

diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
index 6708425..658ff76 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
@@ -18,6 +18,7 @@ package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -350,9 +351,9 @@ public void revokeRole(List hivePrincipals, List roleName
 @Override
 public List getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
 // only user belonging to admin role can list role
- if (!isUserAdmin()) {
+ if (!isUserAdmin() && !doesUserHasAdminOption(Arrays.asList(roleName))) {
 throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
- + " allowed get principals in a role. " + ADMIN_ONLY_MSG);
+ + " allowed get principals in a role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG);
 }
 try {
 return getHiveRoleGrants(metastoreClientFactory.getHiveMetastoreClient(), roleName);
diff --git a/ql/src/test/queries/clientpositive/authorization_role_grant2.q b/ql/src/test/queries/clientpositive/authorization_role_grant2.q
index 59359a7..224ee28 100644
--- a/ql/src/test/queries/clientpositive/authorization_role_grant2.q
+++ b/ql/src/test/queries/clientpositive/authorization_role_grant2.q
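Review bot: The comment `// only user belonging to admin role can list role` directly above the changed condition is now stale, because the new check also admits a user who holds ADMIN OPTION on the requested role as a current role; change it to `// only a user in the admin role, or one who has ADMIN OPTION on this role as a current role, may list its principals`. Keeping the authorization check ahead of the metastore call is the right order, and provided doesUserHasAdminOption returns false for a role that does not exist or is not a current role, the caller gets the same error either way and the message does not reveal whether the role exists — worth confirming against that helper, whose body is not in this diff. The added test exercises only the positive case (user2 with admin option on src_role_wadmin); as far as this diff shows, no case covers a user who has the role as a current role but without ADMIN OPTION, which is precisely the boundary this condition guards. `Collections.singletonList(roleName)` would express the single-element argument without the new java.util.Arrays import. The try block of getPrincipalGrantInfoForRole continues past the end of the hunk.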
@@ -20,6 +20,7 @@ show principals src_role_wadmin;
 set user.name=user2;
 set role src_role_WadMin;
+show principals src_role_wadmin;
 -- grant role to another user
 grant src_Role_wadmin to user user3;
diff --git a/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out b/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out
index b0c7b75..659edcc 100644
--- a/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out
+++ b/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out
@@ -1,4 +1,4 @@
 PREHOOK: query: -- This test will fail because hive_test_user is not in admin role
 show principals role1
 PREHOOK: type: SHOW_ROLE_PRINCIPALS
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_test_user is not allowed get principals in a role. User has to belong to ADMIN role and have it as current role, for this action.
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_test_user is not allowed get principals in a role. User has to belong to ADMIN role and have it as current role, for this action. Otherwise, grantor need to have ADMIN OPTION on role being granted and have it as a current role for this action.
diff --git a/ql/src/test/results/clientpositive/authorization_role_grant2.q.out b/ql/src/test/results/clientpositive/authorization_role_grant2.q.out
index 27d4f33..3db507e 100644
--- a/ql/src/test/results/clientpositive/authorization_role_grant2.q.out
+++ b/ql/src/test/results/clientpositive/authorization_role_grant2.q.out
@@ -41,6 +41,12 @@ PREHOOK: query: set role src_role_WadMin
 PREHOOK: type: SHOW_ROLES
 POSTHOOK: query: set role src_role_WadMin
 POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: show principals src_role_wadmin
+PREHOOK: type: SHOW_ROLE_PRINCIPALS
+POSTHOOK: query: show principals src_role_wadmin
+POSTHOOK: type: SHOW_ROLE_PRINCIPALS
+principal_name principal_type grant_option grantor grantor_type grant_time
+user2 USER true hive_admin_user USER -1
 PREHOOK: query: -- grant role to another user
 grant src_Role_wadmin to user user3
 PREHOOK: type: GRANT_ROLE