commit 6fbe4111df1adfaad049bc4a169e4582073c36e9
Author: Alan Gates
Date: Thu Mar 19 21:55:09 2015 -0700
HIVE-10018 Fixed various bugs in roles and grants.
diff --git itests/hive-unit/src/test/java/org/apache/hadoop/hive/metastore/hbase/IMockUtils.java itests/hive-unit/src/test/java/org/apache/hadoop/hive/metastore/hbase/IMockUtils.java
index 2286591..c30ac34 100644
--- itests/hive-unit/src/test/java/org/apache/hadoop/hive/metastore/hbase/IMockUtils.java
+++ itests/hive-unit/src/test/java/org/apache/hadoop/hive/metastore/hbase/IMockUtils.java
@@ -25,6 +25,8 @@
 import org.apache.hadoop.hive.cli.CliSessionState;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.ql.Driver;
+import org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
 import org.apache.hadoop.hive.ql.session.SessionState;
 import org.mockito.Mock;
 import org.mockito.Mockito;
@@ -107,6 +109,14 @@ protected void setupDriver() {
 "org.apache.hadoop.hive.metastore.hbase.HBaseStore");
 conf.setBoolVar(HiveConf.ConfVars.METASTORE_FASTPATH, true);
 conf.setBoolVar(HiveConf.ConfVars.HIVE_SUPPORT_CONCURRENCY, false);
+ // Setup so we can test SQL standard auth
+ conf.setBoolVar(HiveConf.ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE, true);
+ conf.setVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER,
+ SQLStdHiveAuthorizerFactoryForTest.class.getName());
+ conf.setVar(HiveConf.ConfVars.HIVE_AUTHENTICATOR_MANAGER,
+ SessionStateConfigUserAuthenticator.class.getName());
+ conf.setBoolVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED, true);
+ conf.setVar(HiveConf.ConfVars.USERS_IN_ADMIN_ROLE, System.getProperty("user.name"));
 HBaseReadWrite.setTestConnection(hconn);
 SessionState.start(new CliSessionState(conf));
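Review bot: The comment added in `setupDriver()` says only that SQL standard auth is being set up; it does not explain why `USERS_IN_ADMIN_ROLE` is set to `System.getProperty("user.name")`, which is presumably what lets the `set role admin` statements in TestHBaseMetastoreSql succeed. I would extend it along the lines of `// Enable SQL standard auth with the test-only authorizer; the OS user running the test is put in the admin role so tests can "set role admin"`. If other tests share this setup, they now run with authorization enabled as well, which is worth saying in the same comment. The body of `setupDriver()` starts and ends outside the hunk.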
diff --git itests/hive-unit/src/test/java/org/apache/hadoop/hive/metastore/hbase/TestHBaseMetastoreSql.java itests/hive-unit/src/test/java/org/apache/hadoop/hive/metastore/hbase/TestHBaseMetastoreSql.java
index 676c389..fe5e8e2 100644
--- itests/hive-unit/src/test/java/org/apache/hadoop/hive/metastore/hbase/TestHBaseMetastoreSql.java
+++ itests/hive-unit/src/test/java/org/apache/hadoop/hive/metastore/hbase/TestHBaseMetastoreSql.java
@@ -73,7 +73,10 @@ public void insertIntoPartitionTable() throws Exception {
 public void database() throws Exception {
 CommandProcessorResponse rsp = driver.run("create database db");
 Assert.assertEquals(0, rsp.getResponseCode());
- rsp = driver.run("alter database db set owner user me");
+ rsp = driver.run("set role admin");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ // security doesn't let me change the properties
+ rsp = driver.run("alter database db set dbproperties ('key' = 'value')");
 Assert.assertEquals(0, rsp.getResponseCode());
 rsp = driver.run("drop database db");
 Assert.assertEquals(0, rsp.getResponseCode());
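Review bot: The added comment `// security doesn't let me change the properties` sits directly above an `alter database db set dbproperties` statement that is asserted to succeed, so as written it contradicts the line it annotates. Presumably it refers to the removed `set owner user me` statement; if so, say that, e.g. `// SQL standard auth rejects "set owner" for this user, so exercise alter database through dbproperties instead`. With that statement gone, nothing visible in `database()` covers changing a database owner any more, which deserves a follow-up test or a TODO beside the comment.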
@@ -124,5 +127,58 @@ public void partitionedTable() throws Exception {
 Assert.assertEquals(0, rsp.getResponseCode());
 }
+ @Test
+ public void role() throws Exception {
+ CommandProcessorResponse rsp = driver.run("set role admin");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ rsp = driver.run("create role role1");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ rsp = driver.run("grant role1 to user fred with admin option");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ rsp = driver.run("create role role2");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ rsp = driver.run("grant role1 to role role2");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ rsp = driver.run("show principals role1");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ rsp = driver.run("show role grant role role1");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ rsp = driver.run("show role grant user " + System.getProperty("user.name"));
+ Assert.assertEquals(0, rsp.getResponseCode());
+ rsp = driver.run("show roles");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ rsp = driver.run("revoke admin option for role1 from user fred");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ rsp = driver.run("revoke role1 from user fred");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ rsp = driver.run("revoke role1 from role role2");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ rsp = driver.run("show current roles");
+ Assert.assertEquals(0, rsp.getResponseCode());
+
+ rsp = driver.run("drop role role2");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ rsp = driver.run("drop role role1");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ }
+
+ @Test
+ public void grant() throws Exception {
+ CommandProcessorResponse rsp = driver.run("set role admin");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ rsp = driver.run("create role role3");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ driver.run("create table granttbl (c int)");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ driver.run("grant select on granttbl to " + System.getProperty("user.name"));
+ Assert.assertEquals(0, rsp.getResponseCode());
+ driver.run("grant select on granttbl to role3 with grant option");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ driver.run("revoke select on granttbl from " + System.getProperty("user.name"));
+ Assert.assertEquals(0, rsp.getResponseCode());
+ driver.run("revoke grant option for select on granttbl from role3");
+ Assert.assertEquals(0, rsp.getResponseCode());
+ }
+
 }
diff --git metastore/src/java/org/apache/hadoop/hive/metastore/hbase/HBaseStore.java metastore/src/java/org/apache/hadoop/hive/metastore/hbase/HBaseStore.java
index b106252..159b9e7 100644
--- metastore/src/java/org/apache/hadoop/hive/metastore/hbase/HBaseStore.java
+++ metastore/src/java/org/apache/hadoop/hive/metastore/hbase/HBaseStore.java
@@ -617,17 +617,22 @@ public PrincipalPrivilegeSet getUserPrivilegeSet(String userName, List g
 PrincipalPrivilegeSet pps = new PrincipalPrivilegeSet();
 PrincipalPrivilegeSet global = getHBase().getGlobalPrivs();
 if (global == null) return null;
- List pgi = global.getUserPrivileges().get(userName);
- if (pgi != null) {
- pps.putToUserPrivileges(userName, pgi);
+ List pgi;
+ if (global.getUserPrivileges() != null) {
+ pgi = global.getUserPrivileges().get(userName);
+ if (pgi != null) {
+ pps.putToUserPrivileges(userName, pgi);
+ }
 }
- List roles = getHBase().getUserRoles(userName);
- if (roles != null) {
- for (String role : roles) {
- pgi = global.getRolePrivileges().get(role);
- if (pgi != null) {
- pps.putToRolePrivileges(role, pgi);
+ if (global.getRolePrivileges() != null) {
+ List roles = getHBase().getUserRoles(userName);
+ if (roles != null) {
+ for (String role : roles) {
+ pgi = global.getRolePrivileges().get(role);
+ if (pgi != null) {
+ pps.putToRolePrivileges(role, pgi);
+ }
 }
 }
 }
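Review bot: In the new `grant()` test, every `driver.run(...)` after `create role role3` discards its result, so the `Assert.assertEquals(0, rsp.getResponseCode())` lines that follow re-check the response of `create role role3` and the create-table, grant and revoke statements are never verified. Each of those five calls needs the assignment, e.g. `rsp = driver.run("create table granttbl (c int)");`. Both new tests also assert only the response code, so they would still pass if a `show` statement returned nothing or a revoke left the privilege in place; checking the fetched output for `show role grant` and one grant/revoke pair would make them meaningful for authorization code. `grant()` also leaves `granttbl` and `role3` behind, whereas `role()` drops the roles it creates.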
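Review bot: In `getUserPrivilegeSet`, a missing user or role map now falls through with an empty `PrincipalPrivilegeSet`, but the unchanged guard just above still does `if (global == null) return null;`, so the same method has two different ways of reporting "no privileges". If no caller depends on the null, `if (global == null) return pps;` would make this consistent with how the database and table variants later in this commit appear to behave when `getPrivileges()` is null. Otherwise a comment on that line stating what a null result means to the authorizer would help. The method's signature is truncated in the hunk header and its return statement is outside the hunk.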
@@ -645,18 +650,25 @@ public PrincipalPrivilegeSet getDBPrivilegeSet(String dbName, String userName,
 try {
 PrincipalPrivilegeSet pps = new PrincipalPrivilegeSet();
 Database db = getHBase().getDb(dbName);
- // Find the user privileges for this db
- List pgi = db.getPrivileges().getUserPrivileges().get(userName);
- if (pgi != null) {
- pps.putToUserPrivileges(userName, pgi);
- }
-
- List roles = getHBase().getUserRoles(userName);
- if (roles != null) {
- for (String role : roles) {
- pgi = db.getPrivileges().getRolePrivileges().get(role);
+ if (db.getPrivileges() != null) {
+ List pgi;
+ // Find the user privileges for this db
+ if (db.getPrivileges().getUserPrivileges() != null) {
+ pgi = db.getPrivileges().getUserPrivileges().get(userName);
 if (pgi != null) {
- pps.putToRolePrivileges(role, pgi);
+ pps.putToUserPrivileges(userName, pgi);
+ }
+ }
+
+ if (db.getPrivileges().getRolePrivileges() != null) {
+ List roles = getHBase().getUserRoles(userName);
+ if (roles != null) {
+ for (String role : roles) {
+ pgi = db.getPrivileges().getRolePrivileges().get(role);
+ if (pgi != null) {
+ pps.putToRolePrivileges(role, pgi);
+ }
+ }
 }
 }
 }
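Review bot: The new guard in `getDBPrivilegeSet` checks `db.getPrivileges()` but not `db` itself, so if `getHBase().getDb(dbName)` can return null for an unknown database, the first added line still throws a NullPointerException in the middle of a privilege lookup. `if (db != null && db.getPrivileges() != null) {` covers both cases, and the same applies to `table` in the `getTablePrivilegeSet` hunk that follows: `if (table != null && table.getPrivileges() != null) {`. Each branch also calls `getPrivileges()` several times; a local such as `PrincipalPrivilegeSet dbPrivs = db.getPrivileges();` would shorten the conditions. The enclosing `try` block ends outside the hunk.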
@@ -674,18 +686,24 @@ public PrincipalPrivilegeSet getTablePrivilegeSet(String dbName, String tableNam
 try {
 PrincipalPrivilegeSet pps = new PrincipalPrivilegeSet();
 Table table = getHBase().getTable(dbName, tableName);
- // Find the user privileges for this db
- List pgi = table.getPrivileges().getUserPrivileges().get(userName);
- if (pgi != null) {
- pps.putToUserPrivileges(userName, pgi);
- }
-
- List roles = getHBase().getUserRoles(userName);
- if (roles != null) {
- for (String role : roles) {
- pgi = table.getPrivileges().getRolePrivileges().get(role);
+ List pgi;
+ if (table.getPrivileges() != null) {
+ if (table.getPrivileges().getUserPrivileges() != null) {
+ pgi = table.getPrivileges().getUserPrivileges().get(userName);
 if (pgi != null) {
- pps.putToRolePrivileges(role, pgi);
+ pps.putToUserPrivileges(userName, pgi);
+ }
+ }
+
+ if (table.getPrivileges().getRolePrivileges() != null) {
+ List roles = getHBase().getUserRoles(userName);
+ if (roles != null) {
+ for (String role : roles) {
+ pgi = table.getPrivileges().getRolePrivileges().get(role);
+ if (pgi != null) {
+ pps.putToRolePrivileges(role, pgi);
+ }
+ }
 }
 }
 }
@@ -1068,12 +1086,14 @@ public Role getRole(String roleName) throws NoSuchObjectException {
 List rpgs = new ArrayList(roles.size());
 for (Role role : roles) {
 HbaseMetastoreProto.RoleGrantInfoList grants = getHBase().getRolePrincipals(role.getRoleName());
- for (HbaseMetastoreProto.RoleGrantInfo grant : grants.getGrantInfoList()) {
- if (grant.getPrincipalType().equals(principalType) &&
- grant.getPrincipalName().equals(principalName)) {
- rpgs.add(new RolePrincipalGrant(role.getRoleName(), principalName, principalType,
- grant.getGrantOption(), (int)grant.getAddTime(), grant.getGrantor(),
- HBaseUtils.convertPrincipalTypes(grant.getGrantorType())));
+ if (grants != null) {
+ for (HbaseMetastoreProto.RoleGrantInfo grant : grants.getGrantInfoList()) {
+ if (grant.getPrincipalType() == HBaseUtils.convertPrincipalTypes(principalType) &&
+ grant.getPrincipalName().equals(principalName)) {
+ rpgs.add(new RolePrincipalGrant(role.getRoleName(), principalName, principalType,
+ grant.getGrantOption(), (int) grant.getAddTime(), grant.getGrantor(),
+ HBaseUtils.convertPrincipalTypes(grant.getGrantorType())));
+ }
 }
 }
 }
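Review bot: `HBaseUtils.convertPrincipalTypes(principalType)` is loop-invariant but is now evaluated for every grant of every role; computing it once into a local before the outer `for (Role role : roles)` loop keeps the comparison short. A comment there would also record why the conversion is needed, e.g. `// grants store the protobuf principal type, so convert the requested type before comparing` (inferred from the `.equals(principalType)` line this replaces). The `(int) grant.getAddTime()` narrowing is only re-spaced by this commit, but it silently truncates if the stored value ever exceeds the int range. The enclosing method starts and ends outside the hunk, and the `getRole` signature in the hunk header appears to be only the nearest preceding one.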