commit c84bb68783ecd4923c64a96dc85ada4041ed5d09 Author: Thejas Nair Date: Mon Oct 20 21:21:31 2014 -0700 initial commit diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java index 0683921..3197098 100644 --- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java +++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java @@ -76,7 +76,7 @@ private final List restrictList = new ArrayList(); private boolean isWhiteListRestrictionEnabled = false; - private final List modWhiteList = new ArrayList(); + private Pattern modWhiteListPattern; static { @@ -1403,8 +1403,16 @@ // if this is not set default value is added by sql standard authorizer. // Default value can't be set in this constructor as it would refer names in other ConfVars // whose constructor would not have been called - HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST("hive.security.authorization.sqlstd.confwhitelist", "", - "interal variable. List of modifiable configurations by user."), + HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST( + "hive.security.authorization.sqlstd.confwhitelist", "", + "List of comma separated java regexes. Configurations parameters that match these " + + "regexes can be modified by user when sql std auth is enabled. Default value is " + + "defined by the authorization implementation."), + + HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST_APPEND( + "hive.security.authorization.sqlstd.confwhitelist.append", "", + "List of comma separated java regexes, to be appended to list set in " + + "hive.security.authorization.sqlstd.confwhitelist."), HIVE_CLI_PRINT_HEADER("hive.cli.print.header", false, "Whether to print the names of the columns in query output."), @@ -2035,8 +2043,9 @@ private static synchronized InputStream getConfVarInputStream() { } public void verifyAndSet(String name, String value) throws IllegalArgumentException { - if (isWhiteListRestrictionEnabled) { - if (!modWhiteList.contains(name)) { + if (isWhiteListRestrictionEnabled && modWhiteListPattern != null) { + Matcher wlMatcher = modWhiteListPattern.matcher(name); + if (!wlMatcher.matches()) { throw new IllegalArgumentException("Cannot modify " + name + " at runtime. " + "It is not in list of params that are allowed to be modified at runtime"); } @@ -2529,16 +2538,16 @@ public void setIsModWhiteListEnabled(boolean isEnabled) { } /** - * Add config parameter name to whitelist of parameters that can be modified + * Set white list of parameters that are allowed to be modified * - * @param paramname + * @param paramNameRegex */ @LimitedPrivate(value = { "Currently only for use by HiveAuthorizer" }) - public void addToModifiableWhiteList(String paramname) { - if (paramname == null) { + public void setModifiableWhiteListRegex(String paramNameRegex) { + if (paramNameRegex == null) { return; } - modWhiteList.add(paramname); + modWhiteListPattern = Pattern.compile(paramNameRegex); } /** diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java new file mode 100644 index 0000000..493311e --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java @@ -0,0 +1,208 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security.authorization.plugin; + +import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate; +import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving; +import org.apache.hadoop.hive.common.classification.InterfaceStability.Unstable; +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.conf.HiveConf.ConfVars; + +import com.google.common.base.Joiner; + +/** + * Helper class that can be used by authorization implementations to set a + * default list of 'safe' HiveConf parameters that can be edited by user. It + * uses HiveConf white list parameters to enforce this. This can be called from + * HiveAuthorizer.applyAuthorizationConfigPolicy + * + * The set of config parameters that can be set is restricted to parameters that + * don't allow for any code injection, and config parameters that are not + * considered an 'admin config' option. + * + */ +@LimitedPrivate(value = { "Apache Argus (incubating)" }) +@Evolving +@Unstable +public class SettableConfigUpdater { + + public static void setHiveConfWhiteList(HiveConf hiveConf) { + + hiveConf.setIsModWhiteListEnabled(true); + + String whiteListParamsStr = hiveConf + .getVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST); + if (whiteListParamsStr != null && !whiteListParamsStr.trim().equals("")) { + //for backward compatibility reasons we need to support comma separated list of regexes + // convert "," into "|" + whiteListParamsStr = whiteListParamsStr.trim().replaceAll(",", "|"); + } else { + // set the default configs in whitelist + whiteListParamsStr = getDefaultWhiteListPattern(); + } + // set it in hiveconf so that current value can be seen for debugging purposes + hiveConf + .setVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST, whiteListParamsStr); + + // append regexes that user wanted to add + String whiteListAppend = hiveConf + .getVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST_APPEND); + if (whiteListAppend != null && !whiteListAppend.trim().equals("")) { + whiteListAppend = whiteListAppend.trim().replaceAll(",", "|"); + whiteListParamsStr = whiteListParamsStr + "|" + whiteListAppend; + } + + hiveConf.setModifiableWhiteListRegex(whiteListParamsStr); + + } + + private static String getDefaultWhiteListPattern() { + String confVarPatternStr = Joiner.on("|").join(convertDotsToSlashDot(defaultConfVars)); + String regexPatternStr = Joiner.on("|").join( + convertStarToDotStar(convertDotsToSlashDot(defaultPatterns))); + return regexPatternStr + "|" + confVarPatternStr; + } + + /** + * @param paramList list of parameter strings + * @return list of parameter strings with "." replaced by "\." + */ + private static String[] convertDotsToSlashDot(String[] paramList) { + String[] regexes = new String[paramList.length]; + for(int i=0; i roleNames) throws HiveAuthzP } } - - /** - * Default list of modifiable config parameters for sql standard authorization - */ - static final String [] defaultModWhiteListSqlStdAuth = new String [] { - ConfVars.BYTESPERREDUCER.varname, - ConfVars.MAXREDUCERS.varname, - ConfVars.HIVEMAPSIDEAGGREGATE.varname, - ConfVars.HIVEMAPAGGRHASHMEMORY.varname, - ConfVars.HIVEMAPAGGRMEMORYTHRESHOLD.varname, - ConfVars.HIVEMAPAGGRHASHMINREDUCTION.varname, - ConfVars.HIVEGROUPBYSKEW.varname, - ConfVars.HIVE_OPTIMIZE_MULTI_GROUPBY_COMMON_DISTINCTS.varname, - ConfVars.HIVEOPTGBYUSINGINDEX.varname, - ConfVars.HIVEOPTPPD.varname, - ConfVars.HIVEOPTPPD_STORAGE.varname, - ConfVars.HIVEOPTPPD_STORAGE.varname, - ConfVars.HIVEPPDRECOGNIZETRANSITIVITY.varname, - ConfVars.HIVEOPTGROUPBY.varname, - ConfVars.HIVEOPTSORTDYNAMICPARTITION.varname, - ConfVars.HIVE_OPTIMIZE_SKEWJOIN_COMPILETIME.varname, - ConfVars.HIVE_OPTIMIZE_UNION_REMOVE.varname, - ConfVars.HIVEMULTIGROUPBYSINGLEREDUCER.varname, - ConfVars.HIVE_MAP_GROUPBY_SORT.varname, - ConfVars.HIVE_MAP_GROUPBY_SORT_TESTMODE.varname, - ConfVars.HIVESKEWJOIN.varname, - ConfVars.HIVE_OPTIMIZE_SKEWJOIN_COMPILETIME.varname, - ConfVars.HIVEMAPREDMODE.varname, - ConfVars.HIVEENFORCEBUCKETMAPJOIN.varname, - ConfVars.COMPRESSRESULT.varname, - ConfVars.COMPRESSINTERMEDIATE.varname, - ConfVars.EXECPARALLEL.varname, - ConfVars.EXECPARALLETHREADNUMBER.varname, - ConfVars.EXECPARALLETHREADNUMBER.varname, - ConfVars.HIVEROWOFFSET.varname, - ConfVars.HIVEMERGEMAPFILES.varname, - ConfVars.HIVEMERGEMAPREDFILES.varname, - ConfVars.HIVEMERGETEZFILES.varname, - ConfVars.HIVEIGNOREMAPJOINHINT.varname, - ConfVars.HIVECONVERTJOIN.varname, - ConfVars.HIVECONVERTJOINNOCONDITIONALTASK.varname, - ConfVars.HIVECONVERTJOINNOCONDITIONALTASKTHRESHOLD.varname, - ConfVars.HIVECONVERTJOINUSENONSTAGED.varname, - ConfVars.HIVECONVERTJOINNOCONDITIONALTASK.varname, - ConfVars.HIVECONVERTJOINNOCONDITIONALTASKTHRESHOLD.varname, - ConfVars.HIVECONVERTJOINUSENONSTAGED.varname, - ConfVars.HIVEENFORCEBUCKETING.varname, - ConfVars.HIVEENFORCESORTING.varname, - ConfVars.HIVEENFORCESORTMERGEBUCKETMAPJOIN.varname, - ConfVars.HIVE_AUTO_SORTMERGE_JOIN.varname, - ConfVars.HIVE_EXECUTION_ENGINE.varname, - ConfVars.HIVE_VECTORIZATION_ENABLED.varname, - ConfVars.HIVEMAPJOINUSEOPTIMIZEDKEYS.varname, - ConfVars.HIVEMAPJOINLAZYHASHTABLE.varname, - ConfVars.HIVE_CHECK_CROSS_PRODUCT.varname, - ConfVars.HIVE_COMPAT.varname, - ConfVars.DYNAMICPARTITIONINGMODE.varname, - "mapred.reduce.tasks", - "mapred.output.compression.codec", - "mapred.map.output.compression.codec", - "mapreduce.job.reduce.slowstart.completedmaps", - "mapreduce.job.queuename", - }; - @Override public void applyAuthorizationConfigPolicy(HiveConf hiveConf) { // First apply configuration applicable to both Hive Cli and HiveServer2 @@ -683,28 +619,21 @@ public void applyAuthorizationConfigPolicy(HiveConf hiveConf) { hiveConf.setVar(ConfVars.HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS, "INSERT,SELECT,UPDATE,DELETE"); // Apply rest of the configuration only to HiveServer2 - if(sessionCtx.getClientType() == CLIENT_TYPE.HIVESERVER2) { + if (sessionCtx.getClientType() == CLIENT_TYPE.HIVESERVER2 + && hiveConf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED)) { + // Configure PREEXECHOOKS with DisallowTransformHook to disallow transform queries String hooks = hiveConf.getVar(ConfVars.PREEXECHOOKS).trim(); if (hooks.isEmpty()) { hooks = DisallowTransformHook.class.getName(); } else { - hooks = hooks + "," +DisallowTransformHook.class.getName(); + hooks = hooks + "," + DisallowTransformHook.class.getName(); } LOG.debug("Configuring hooks : " + hooks); hiveConf.setVar(ConfVars.PREEXECHOOKS, hooks); - // restrict the variables that can be set using set command to a list in whitelist - hiveConf.setIsModWhiteListEnabled(true); - String whiteListParamsStr = hiveConf.getVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST); - if (whiteListParamsStr == null || whiteListParamsStr.trim().equals("")){ - // set the default configs in whitelist - whiteListParamsStr = Joiner.on(",").join(defaultModWhiteListSqlStdAuth); - hiveConf.setVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST, whiteListParamsStr); - } - for(String whiteListParam : whiteListParamsStr.split(",")){ - hiveConf.addToModifiableWhiteList(whiteListParam); - } + SettableConfigUpdater.setHiveConfWhiteList(hiveConf); + } } diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestSQLStdHiveAccessControllerHS2.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestSQLStdHiveAccessControllerHS2.java new file mode 100644 index 0000000..ffd2815 --- /dev/null +++ b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestSQLStdHiveAccessControllerHS2.java @@ -0,0 +1,165 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security.authorization.plugin; + +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.conf.HiveConf.ConfVars; +import org.apache.hadoop.hive.ql.security.HadoopDefaultAuthenticator; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.Builder; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE; +import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController; +import org.junit.Test; + +import com.google.common.base.Joiner; + +/** + * Test SQLStdHiveAccessController + */ +public class TestSQLStdHiveAccessControllerHS2 { + + /** + * Test if SQLStdHiveAccessController is applying configuration security + * policy on hiveconf correctly + * + * @throws HiveAuthzPluginException + */ + @Test + public void testConfigProcessing() throws HiveAuthzPluginException { + HiveConf processedConf = newAuthEnabledConf(); + SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null, + processedConf, new HadoopDefaultAuthenticator(), getHS2SessionCtx() + ); + accessController.applyAuthorizationConfigPolicy(processedConf); + + // check that hook to disable transforms has been added + assertTrue("Check for transform query disabling hook", + processedConf.getVar(ConfVars.PREEXECHOOKS).contains(DisallowTransformHook.class.getName())); + + String[] settableParams = getSettableParams(); + verifyParamSettability(settableParams, processedConf); + + } + + private HiveConf newAuthEnabledConf() { + HiveConf conf = new HiveConf(); + conf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true); + return conf; + } + + /** + * @return list of parameters that should be possible to set + */ + private String[] getSettableParams() { + List settableParams = new ArrayList( + Arrays.asList(SettableConfigUpdater.defaultConfVars)); + for (String regex : SettableConfigUpdater.defaultPatterns) { + // create dummy param that matches regex + String confParam = regex.replace(".*", ".dummy"); + settableParams.add(confParam); + } + return settableParams.toArray(new String[0]); + } + + private HiveAuthzSessionContext getHS2SessionCtx() { + Builder ctxBuilder = new HiveAuthzSessionContext.Builder(); + ctxBuilder.setClientType(CLIENT_TYPE.HIVESERVER2); + return ctxBuilder.build(); + } + + /** + * Verify that params in settableParams can be modified, and other random ones can't be modified + * @param settableParams + * @param processedConf + */ + private void verifyParamSettability(String [] settableParams, HiveConf processedConf) { + // verify that the whitlelist params can be set + for (String param : settableParams) { + try { + processedConf.verifyAndSet(param, "dummy"); + } catch (IllegalArgumentException e) { + fail("Unable to set value for parameter in whitelist " + param + " " + e); + } + } + + // verify that non whitelist params can't be set + assertConfModificationException(processedConf, "dummy.param"); + // does not make sense to have any of the metastore config variables to be + // modifiable + for (ConfVars metaVar : HiveConf.metaVars) { + assertConfModificationException(processedConf, metaVar.varname); + } + } + + /** + * Test that setting HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST_APPEND config works + * @throws HiveAuthzPluginException + */ + @Test + public void testConfigProcessingCustomSetWhitelistAppend() throws HiveAuthzPluginException { + // append new config params to whitelist + String[] paramRegexes = { "hive.ctest.param", "hive.abc..*" }; + String[] settableParams = { "hive.ctest.param", "hive.abc.def" }; + verifySettability(paramRegexes, settableParams, + ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST_APPEND); + } + + /** + * Test that setting HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST config works + * @throws HiveAuthzPluginException + */ + @Test + public void testConfigProcessingCustomSetWhitelist() throws HiveAuthzPluginException { + // append new config params to whitelist + String[] paramRegexes = { "hive.ctest.param", "hive.abc..*" }; + String[] settableParams = { "hive.ctest.param", "hive.abc.def" }; + verifySettability(paramRegexes, settableParams, + ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST); + } + + private void verifySettability(String[] paramRegexes, String[] settableParams, + ConfVars hiveAuthorizationSqlStdAuthConfigWhitelist) throws HiveAuthzPluginException { + HiveConf processedConf = newAuthEnabledConf(); + processedConf.setVar(hiveAuthorizationSqlStdAuthConfigWhitelist, + Joiner.on(",").join(paramRegexes)); + + SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null, + processedConf, new HadoopDefaultAuthenticator(), getHS2SessionCtx()); + accessController.applyAuthorizationConfigPolicy(processedConf); + + verifyParamSettability(settableParams, processedConf); + } + + private void assertConfModificationException(HiveConf processedConf, String param) { + boolean caughtEx = false; + try { + processedConf.verifyAndSet(param, "dummy"); + } catch (IllegalArgumentException e) { + caughtEx = true; + } + assertTrue("Exception should be thrown while modifying the param " + param, caughtEx); + } + + +} diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerHS2.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerHS2.java deleted file mode 100644 index f13cf7e..0000000 --- a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerHS2.java +++ /dev/null @@ -1,123 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd; - -import static org.junit.Assert.assertTrue; -import static org.junit.Assert.fail; - -import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.conf.HiveConf.ConfVars; -import org.apache.hadoop.hive.ql.security.HadoopDefaultAuthenticator; -import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.Builder; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE; -import org.junit.Test; - -import com.google.common.base.Joiner; - -/** - * Test SQLStdHiveAccessController - */ -public class TestSQLStdHiveAccessControllerHS2 { - - /** - * Test if SQLStdHiveAccessController is applying configuration security - * policy on hiveconf correctly - * - * @throws HiveAuthzPluginException - */ - @Test - public void testConfigProcessing() throws HiveAuthzPluginException { - HiveConf processedConf = new HiveConf(); - SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null, - processedConf, new HadoopDefaultAuthenticator(), getHS2SessionCtx() - ); - accessController.applyAuthorizationConfigPolicy(processedConf); - - // check that hook to disable transforms has been added - assertTrue("Check for transform query disabling hook", - processedConf.getVar(ConfVars.PREEXECHOOKS).contains(DisallowTransformHook.class.getName())); - - verifyParamSettability(SQLStdHiveAccessController.defaultModWhiteListSqlStdAuth, processedConf); - - } - - private HiveAuthzSessionContext getHS2SessionCtx() { - Builder ctxBuilder = new HiveAuthzSessionContext.Builder(); - ctxBuilder.setClientType(CLIENT_TYPE.HIVESERVER2); - return ctxBuilder.build(); - } - - /** - * Verify that params in settableParams can be modified, and other random ones can't be modified - * @param settableParams - * @param processedConf - */ - private void verifyParamSettability(String [] settableParams, HiveConf processedConf) { - // verify that the whitlelist params can be set - for (String param : settableParams) { - try { - processedConf.verifyAndSet(param, "dummy"); - } catch (IllegalArgumentException e) { - fail("Unable to set value for parameter in whitelist " + param + " " + e); - } - } - - // verify that non whitelist params can't be set - assertConfModificationException(processedConf, "dummy.param"); - // does not make sense to have any of the metastore config variables to be - // modifiable - for (ConfVars metaVar : HiveConf.metaVars) { - assertConfModificationException(processedConf, metaVar.varname); - } - } - - /** - * Test that modifying HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST config works - * @throws HiveAuthzPluginException - */ - @Test - public void testConfigProcessingCustomSetWhitelist() throws HiveAuthzPluginException { - - HiveConf processedConf = new HiveConf(); - // add custom value, including one from the default, one new one - String[] settableParams = { SQLStdHiveAccessController.defaultModWhiteListSqlStdAuth[0], - "abcs.dummy.test.param" }; - processedConf.setVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST, - Joiner.on(",").join(settableParams)); - - SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null, - processedConf, new HadoopDefaultAuthenticator(), getHS2SessionCtx()); - accessController.applyAuthorizationConfigPolicy(processedConf); - verifyParamSettability(settableParams, processedConf); - - } - - private void assertConfModificationException(HiveConf processedConf, String param) { - boolean caughtEx = false; - try { - processedConf.verifyAndSet(param, "dummy"); - } catch (IllegalArgumentException e) { - caughtEx = true; - } - assertTrue("Exception should be thrown while modifying the param " + param, caughtEx); - } - -}