diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java index 2c25cae..ba533ef 100644 --- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java +++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java @@ -1649,7 +1649,7 @@ public void setSparkConfigUpdated(boolean isSparkConfigUpdated) { HIVE_AUTHORIZATION_ENABLED("hive.security.authorization.enabled", false, "enable or disable the Hive client authorization"), HIVE_AUTHORIZATION_MANAGER("hive.security.authorization.manager", - "org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider", + "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory", "The Hive client authorization manager class name. The user defined authorization class should implement \n" + "interface org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider."), HIVE_AUTHENTICATOR_MANAGER("hive.security.authenticator.manager", diff --git a/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatAuthUtil.java b/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatAuthUtil.java index 6dce9c4..ff10b05 100644 --- a/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatAuthUtil.java +++ b/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatAuthUtil.java 
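Review bot: The description of `hive.security.authorization.manager` still says a user-defined class "should implement interface org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider", but the new default, `SQLStdHiveAuthorizerFactory`, is used elsewhere in this patch as a `HiveAuthorizerFactory`, so the default no longer matches its own documentation. The text should name both accepted interfaces, e.g. `"The Hive client authorization manager class name. The user defined authorization class should implement either \n" + "HiveAuthorizationProvider (V1) or plugin.HiveAuthorizerFactory (V2)."`. This default also decides what `hive.security.authorization.enabled=true` enforces for every deployment that never set the manager. The description is therefore a good place to say that the default changed and that the previous value has to be set explicitly to keep the old behaviour.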
@@ -20,17 +20,32 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; import org.apache.hadoop.hive.ql.session.SessionState; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; final class HCatAuthUtil { + private static final Logger LOG = LoggerFactory.getLogger(HCatAuthUtil.class); + public static boolean isAuthorizationEnabled(Configuration conf) { - // the session state getAuthorizer can return null even if authorization is - // enabled if the V2 api of authorizer in use. + if (!HiveConf.getBoolVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) { + return false; + } + // If the V2 api of authorizer in use, the session state getAuthorizer return null. + // Here we disable authorization if we use V2 api or the DefaultHiveAuthorizationProvider // The additional authorization checks happening in hcatalog are designed to // work with storage based authorization (on client side). It should not try doing - // additional checks if a V2 authorizer is in use. The reccomended configuration is to - // use storage based authorization in metastore server - return HiveConf.getBoolVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED) - && SessionState.get().getAuthorizer() != null; + // additional checks if a V2 authorizer or DefaultHiveAuthorizationProvider is in use. + // The recommended configuration is to use storage based authorization in metastore server. + // However, if user define a custom V1 authorization, it will be honored. + if (SessionState.get().getAuthorizer() == null || + HiveConf.getVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER) + == DefaultHiveAuthorizationProvider.class.getName()) { + LOG.info("Metastore authorizer is skipped for V2 authorizer or" + + " DefaultHiveAuthorizationProvider"); + return false; + } + return true; } } 
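Review bot: The new condition compares the configured manager with `==`, which tests String identity rather than content, in `HiveConf.getVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER) == DefaultHiveAuthorizationProvider.class.getName()`. A value that reaches the configuration from a file or a `set` command is normally a distinct String object, so the DefaultHiveAuthorizationProvider case may not be recognised and HCatalog would then run its additional checks against a provider the comment says they were not designed for. Use `DefaultHiveAuthorizationProvider.class.getName().equals(HiveConf.getVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER))`, which also tolerates an unset value. The `LOG.info` message could include the configured manager name so the log shows which of the two reasons caused the skip.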
diff --git a/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/TestHCatAuthUtil.java b/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/TestHCatAuthUtil.java index 830dcb8..a190002 100644 --- a/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/TestHCatAuthUtil.java +++ b/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/TestHCatAuthUtil.java @@ -24,6 +24,7 @@ import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.conf.HiveConf.ConfVars; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; +import org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; @@ -49,12 +50,13 @@ public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreC } /** - * Test with auth enabled and v1 auth + * Test with auth enabled and StorageBasedAuthorizationProvider */ @Test public void authEnabledV1Auth() throws Exception { HiveConf hcatConf = new HiveConf(this.getClass()); hcatConf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true); + hcatConf.setVar(ConfVars.HIVE_AUTHORIZATION_MANAGER, StorageBasedAuthorizationProvider.class.getName()); SessionState.start(hcatConf); assertTrue("hcat auth should be enabled", HCatAuthUtil.isAuthorizationEnabled(hcatConf)); } diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestMetastoreAuthorizationProvider.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestMetastoreAuthorizationProvider.java index 4529ce3..3596e30 100644 --- a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestMetastoreAuthorizationProvider.java 
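Review bot: The updated `authEnabledV1Auth` only covers the StorageBasedAuthorizationProvider path, so nothing tests the new rule that `isAuthorizationEnabled` returns false when `HIVE_AUTHORIZATION_MANAGER` is DefaultHiveAuthorizationProvider. A negative test is needed next to it, with the manager supplied as a plain string the way a site configuration would supply it, so that a comparison mistake in `HCatAuthUtil` shows up. The sketch below assumes `assertFalse` is already imported in this test class.

```java
  /**
   * Test with auth enabled and DefaultHiveAuthorizationProvider: hcat checks are skipped
   */
  @Test
  public void authEnabledDefaultV1Auth() throws Exception {
    HiveConf hcatConf = new HiveConf(this.getClass());
    hcatConf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true);
    hcatConf.setVar(ConfVars.HIVE_AUTHORIZATION_MANAGER,
        "org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider");
    SessionState.start(hcatConf);
    assertFalse("hcat auth should be disabled", HCatAuthUtil.isAuthorizationEnabled(hcatConf));
  }
```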
+++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestMetastoreAuthorizationProvider.java @@ -90,6 +90,8 @@ protected void setUp() throws Exception { AuthorizationPreEventListener.class.getName()); System.setProperty(HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER.varname, getAuthorizationProvider()); + System.setProperty(HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER.varname, + getAuthorizationProvider()); setupMetaStoreReadAuthorization(); System.setProperty(HiveConf.ConfVars.HIVE_METASTORE_AUTHENTICATOR_MANAGER.varname, InjectableDummyAuthenticator.class.getName()); diff --git a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java index 09905ea..4eaff10 100644 --- a/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java +++ b/itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestJdbcDriver2.java @@ -132,6 +132,7 @@ public static void setUpBeforeClass() throws SQLException, ClassNotFoundExceptio Connection con1 = getConnection("default"); System.setProperty(ConfVars.HIVE_SERVER2_LOGGING_OPERATION_LEVEL.varname, "verbose"); System.setProperty(ConfVars.HIVEMAPREDMODE.varname, "nonstrict"); + System.setProperty(ConfVars.HIVE_AUTHORIZATION_MANAGER.varname, "org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider"); Statement stmt1 = con1.createStatement(); assertNotNull("Statement is null", stmt1); diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java index fa16020..54ac85a 100644 --- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java +++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java 
@@ -726,6 +726,8 @@ public void clearTablesCreatedDuringTests() throws Exception { return; } + db.getConf().set("hive.metastore.filter.hook", + "org.apache.hadoop.hive.metastore.DefaultMetaStoreFilterHookImpl"); // Delete any tables other than the source tables // and any databases other than the default database. for (String dbName : db.getAllDatabases()) { diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java index ee57f69..9f586be 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java @@ -60,17 +60,6 @@ public SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory metastoreClie this.authenticator = authenticator; this.privController = privilegeManager; this.ctx = SQLAuthorizationUtils.applyTestSettings(ctx, conf); - assertHiveCliAuthDisabled(conf); - } - - private void assertHiveCliAuthDisabled(HiveConf conf) throws HiveAuthzPluginException { - if (ctx.getClientType() == CLIENT_TYPE.HIVECLI - && conf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED)) { - throw new HiveAuthzPluginException( - "SQL standards based authorization should not be enabled from hive cli" - + "Instead the use of storage based authorization in hive metastore is reccomended. Set " - + ConfVars.HIVE_AUTHORIZATION_ENABLED.varname + "=false to disable authz within cli"); - } } @Override diff --git a/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestPrivilegesV1.java b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestPrivilegesV1.java index c97bbb8..c614630 100644 --- a/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestPrivilegesV1.java 
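Review bot: The added `db.getConf().set("hive.metastore.filter.hook", ...)` in `clearTablesCreatedDuringTests` has no comment saying why cleanup must override the filter hook, and it spells the key and class name as string literals. Presumably the point is that cleanup must see every table and database even when a test installed an authorization filter; if so, say it, e.g. `// Use the pass-through filter hook so cleanup can list objects that a test's authorizer would hide`. The setting is written to the shared conf and is not restored in the visible lines; the method body continues outside the hunk, so confirm that later tests do not inherit it unintentionally.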
+++ b/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestPrivilegesV1.java @@ -76,17 +76,8 @@ public void testPrivInGrant() throws Exception{ */ @Test public void testPrivInGrantNotAccepted() throws Exception{ - grantUserTableFail("insert"); - grantUserTableFail("delete"); - } - - private void grantUserTableFail(String privName) { - try{ - grantUserTable(privName, PrivilegeType.UNKNOWN); - Assert.fail("Exception expected"); - }catch(Exception e){ - - } + grantUserTable("insert", PrivilegeType.INSERT); + grantUserTable("delete", PrivilegeType.DELETE); } private void grantUserTable(String privName, PrivilegeType privType) throws Exception { diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerCLI.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerCLI.java index ac862c5..7d243f0 100644 --- a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerCLI.java +++ b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerCLI.java 
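Review bot: `testPrivInGrantNotAccepted` now asserts that both privileges are accepted (`grantUserTable("insert", PrivilegeType.INSERT);` and the matching `delete` line), so the method name says the opposite of what the test checks. The Javadoc that ends just above the hunk starts outside it and probably has the same problem. Rename the method, e.g. `testInsertDeletePrivInGrant`, and update the comment to state that these privileges are accepted with the authorizer this test now runs under.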
@@ -68,22 +68,16 @@ private HiveAuthzSessionContext getCLISessionCtx() { } /** - * Verify that exceptiion is thrown if authorization is enabled from hive cli, + * Verify that no exception is thrown if authorization is enabled from hive cli, * when sql std auth is used */ @Test - public void testAuthEnableError() { + public void testAuthEnable() throws Exception { HiveConf processedConf = new HiveConf(); processedConf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true); - try { - HiveAuthorizerFactory authorizerFactory = new SQLStdHiveAuthorizerFactory(); - HiveAuthorizer authorizer = authorizerFactory.createHiveAuthorizer(null, processedConf, - new HadoopDefaultAuthenticator(), getCLISessionCtx()); - fail("Exception expected"); - } catch (HiveAuthzPluginException e) { - assertTrue(e.getMessage().contains( - "SQL standards based authorization should not be enabled from hive cli")); - } + HiveAuthorizerFactory authorizerFactory = new SQLStdHiveAuthorizerFactory(); + HiveAuthorizer authorizer = authorizerFactory.createHiveAuthorizer(null, processedConf, + new HadoopDefaultAuthenticator(), getCLISessionCtx()); } } diff --git a/ql/src/test/queries/clientnegative/authorization_cli_auth_enable.q b/ql/src/test/queries/clientnegative/authorization_cli_auth_enable.q deleted file mode 100644 index 4761051..0000000 --- a/ql/src/test/queries/clientnegative/authorization_cli_auth_enable.q +++ /dev/null @@ -1,7 +0,0 @@ -set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest; -set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; -set user.name=hive_test_user; -set hive.security.authorization.enabled=true; - --- verify that sql std auth throws an error with hive cli, if auth is enabled -show tables 'src'; 
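Review bot: `testAuthEnable` no longer asserts anything: `authorizer` is assigned and never read, so the test passes for any outcome that does not throw, including a null return. Add `assertNotNull("authorizer should be created for hive cli", authorizer);` after the `createHiveAuthorizer` call. The message removed with the old test said SQL standards based authorization should not be enabled from hive cli and recommended storage based authorization in the metastore; if that guidance still holds, a logged warning on the CLI path, with a test for it, would keep it visible to operators now that the exception is gone.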
diff --git a/ql/src/test/queries/clientnegative/authorization_fail_1.q b/ql/src/test/queries/clientnegative/authorization_fail_1.q index c38dab5..49aa09e 100644 --- a/ql/src/test/queries/clientnegative/authorization_fail_1.q +++ b/ql/src/test/queries/clientnegative/authorization_fail_1.q @@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; create table authorization_fail_1 (key int, value string); set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_fail_2.q b/ql/src/test/queries/clientnegative/authorization_fail_2.q index 341e447..1a703d5 100644 --- a/ql/src/test/queries/clientnegative/authorization_fail_2.q +++ b/ql/src/test/queries/clientnegative/authorization_fail_2.q @@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; create table authorization_fail_2 (key int, value string) partitioned by (ds string); set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_fail_3.q b/ql/src/test/queries/clientnegative/authorization_fail_3.q index 6a56daa..03c516d 100644 --- a/ql/src/test/queries/clientnegative/authorization_fail_3.q +++ b/ql/src/test/queries/clientnegative/authorization_fail_3.q @@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; -- SORT_BEFORE_DIFF create table authorization_fail_3 (key int, value string) partitioned by (ds string); diff --git a/ql/src/test/queries/clientnegative/authorization_fail_4.q b/ql/src/test/queries/clientnegative/authorization_fail_4.q index f0cb645..b3e687e 100644 --- a/ql/src/test/queries/clientnegative/authorization_fail_4.q +++ b/ql/src/test/queries/clientnegative/authorization_fail_4.q 
@@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; -- SORT_BEFORE_DIFF create table authorization_fail_4 (key int, value string) partitioned by (ds string); diff --git a/ql/src/test/queries/clientnegative/authorization_fail_5.q b/ql/src/test/queries/clientnegative/authorization_fail_5.q index b4efab5..abf2e81 100644 --- a/ql/src/test/queries/clientnegative/authorization_fail_5.q +++ b/ql/src/test/queries/clientnegative/authorization_fail_5.q @@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; -- SORT_BEFORE_DIFF create table authorization_fail (key int, value string) partitioned by (ds string); @@ -17,4 +18,4 @@ revoke Select on table authorization_fail partition (ds='2010') from user hive_t show grant user hive_test_user on table authorization_fail partition (ds='2010'); -select key from authorization_fail where ds='2010'; \ No newline at end of file +select key from authorization_fail where ds='2010'; diff --git a/ql/src/test/queries/clientnegative/authorization_fail_6.q b/ql/src/test/queries/clientnegative/authorization_fail_6.q index 9772469..d3322f4 100644 --- a/ql/src/test/queries/clientnegative/authorization_fail_6.q +++ b/ql/src/test/queries/clientnegative/authorization_fail_6.q @@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; -- SORT_BEFORE_DIFF create table authorization_part_fail (key int, value string) partitioned by (ds string); diff --git a/ql/src/test/queries/clientnegative/authorization_fail_7.q b/ql/src/test/queries/clientnegative/authorization_fail_7.q index 492deed..9eeecc1 100644 --- a/ql/src/test/queries/clientnegative/authorization_fail_7.q +++ b/ql/src/test/queries/clientnegative/authorization_fail_7.q 
@@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; -- SORT_BEFORE_DIFF create table authorization_fail (key int, value string); @@ -14,4 +15,4 @@ show grant role hive_test_role_fail on table authorization_fail; drop role hive_test_role_fail; -select key from authorization_fail; \ No newline at end of file +select key from authorization_fail; diff --git a/ql/src/test/queries/clientnegative/authorization_fail_create_db.q b/ql/src/test/queries/clientnegative/authorization_fail_create_db.q index d969e39..147c772 100644 --- a/ql/src/test/queries/clientnegative/authorization_fail_create_db.q +++ b/ql/src/test/queries/clientnegative/authorization_fail_create_db.q @@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; set hive.security.authorization.enabled=true; create database db_to_fail; diff --git a/ql/src/test/queries/clientnegative/authorization_fail_drop_db.q b/ql/src/test/queries/clientnegative/authorization_fail_drop_db.q index 87719b0..5a98620 100644 --- a/ql/src/test/queries/clientnegative/authorization_fail_drop_db.q +++ b/ql/src/test/queries/clientnegative/authorization_fail_drop_db.q @@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; set hive.security.authorization.enabled=false; create database db_fail_to_drop; set hive.security.authorization.enabled=true; diff --git a/ql/src/test/queries/clientnegative/authorization_invalid_priv_v1.q b/ql/src/test/queries/clientnegative/authorization_invalid_priv_v1.q index 2a1da23..2742f0d 100644 --- a/ql/src/test/queries/clientnegative/authorization_invalid_priv_v1.q +++ b/ql/src/test/queries/clientnegative/authorization_invalid_priv_v1.q 
@@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; create table if not exists authorization_invalid_v1 (key int, value string); grant delete on table authorization_invalid_v1 to user hive_test_user; drop table authorization_invalid_v1; diff --git a/ql/src/test/queries/clientnegative/authorization_part.q b/ql/src/test/queries/clientnegative/authorization_part.q index a654a23..517f513 100644 --- a/ql/src/test/queries/clientnegative/authorization_part.q +++ b/ql/src/test/queries/clientnegative/authorization_part.q @@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; -- SORT_BEFORE_DIFF create table authorization_part_fail (key int, value string) partitioned by (ds string); @@ -34,4 +35,4 @@ revoke select on table authorization_part_fail partition (ds='2010') from group select key,value, ds from authorization_part_fail where ds>='2010' order by key, ds limit 20; drop table authorization_part_fail; -drop table src_auth; \ No newline at end of file +drop table src_auth; diff --git a/ql/src/test/queries/clientnegative/authorization_public_create.q b/ql/src/test/queries/clientnegative/authorization_public_create.q index 8298ce9..00e542a 100644 --- a/ql/src/test/queries/clientnegative/authorization_public_create.q +++ b/ql/src/test/queries/clientnegative/authorization_public_create.q @@ -1 +1,2 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; create role public; diff --git a/ql/src/test/queries/clientnegative/authorization_public_drop.q b/ql/src/test/queries/clientnegative/authorization_public_drop.q index 7e89f6e..1f5025f 100644 --- a/ql/src/test/queries/clientnegative/authorization_public_drop.q +++ b/ql/src/test/queries/clientnegative/authorization_public_drop.q 
@@ -1 +1,2 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
 drop role public;
diff --git a/ql/src/test/queries/clientnegative/authorization_role_case.q b/ql/src/test/queries/clientnegative/authorization_role_case.q
index 339239a..bcc075d 100644
--- a/ql/src/test/queries/clientnegative/authorization_role_case.q
+++ b/ql/src/test/queries/clientnegative/authorization_role_case.q
@@ -1,3 +1,4 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
 create role mixCaseRole1;
 create role mixCaseRole2;
diff --git a/ql/src/test/queries/clientnegative/authorize_grant_public.q b/ql/src/test/queries/clientnegative/authorize_grant_public.q
index e024b50..31d7462 100644
--- a/ql/src/test/queries/clientnegative/authorize_grant_public.q
+++ b/ql/src/test/queries/clientnegative/authorize_grant_public.q
@@ -1 +1,2 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
 grant role public to user hive_test_user;
diff --git a/ql/src/test/queries/clientnegative/authorize_revoke_public.q b/ql/src/test/queries/clientnegative/authorize_revoke_public.q
index dadd424..4d949ac 100644
--- a/ql/src/test/queries/clientnegative/authorize_revoke_public.q
+++ b/ql/src/test/queries/clientnegative/authorize_revoke_public.q
@@ -1 +1,2 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
 revoke role public from user hive_test_user;
diff --git a/ql/src/test/queries/clientnegative/exim_22_export_authfail.q b/ql/src/test/queries/clientnegative/exim_22_export_authfail.q
index b818686..5810be5 100644
--- a/ql/src/test/queries/clientnegative/exim_22_export_authfail.q
+++ b/ql/src/test/queries/clientnegative/exim_22_export_authfail.q
@@ -1,3 +1,4 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
 set hive.test.mode=true;
 set hive.test.mode.prefix=;
diff --git a/ql/src/test/queries/clientnegative/exim_23_import_exist_authfail.q b/ql/src/test/queries/clientnegative/exim_23_import_exist_authfail.q
index 4acefb9..4e302c0 100644
--- a/ql/src/test/queries/clientnegative/exim_23_import_exist_authfail.q
+++ b/ql/src/test/queries/clientnegative/exim_23_import_exist_authfail.q
@@ -1,3 +1,4 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
 set hive.test.mode=true;
 set hive.test.mode.prefix=;
diff --git a/ql/src/test/queries/clientnegative/exim_24_import_part_authfail.q b/ql/src/test/queries/clientnegative/exim_24_import_part_authfail.q
index 467014e..0bc070c 100644
--- a/ql/src/test/queries/clientnegative/exim_24_import_part_authfail.q
+++ b/ql/src/test/queries/clientnegative/exim_24_import_part_authfail.q
@@ -1,3 +1,4 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
 set hive.test.mode=true;
 set hive.test.mode.prefix=;
 set hive.test.mode.nosamplelist=exim_department,exim_employee;
diff --git a/ql/src/test/queries/clientnegative/exim_25_import_nonexist_authfail.q b/ql/src/test/queries/clientnegative/exim_25_import_nonexist_authfail.q
index 595fa7e..3ed7a5f 100644
--- a/ql/src/test/queries/clientnegative/exim_25_import_nonexist_authfail.q
+++ b/ql/src/test/queries/clientnegative/exim_25_import_nonexist_authfail.q
@@ -1,3 +1,4 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
 set hive.test.mode=true;
 set hive.test.mode.prefix=;
 set hive.test.mode.nosamplelist=exim_department,exim_employee;
diff --git a/ql/src/test/queries/clientnegative/join_nonexistent_part.q b/ql/src/test/queries/clientnegative/join_nonexistent_part.q
deleted file mode 100644
index bf60d2e..0000000
--- a/ql/src/test/queries/clientnegative/join_nonexistent_part.q
+++ /dev/null
@@ -1,5 +0,0 @@
-set hive.mapred.mode=nonstrict;
-SET hive.security.authorization.enabled = true;
-SELECT *
-FROM srcpart s1 join src s2 on s1.key == s2.key
-WHERE s1.ds='non-existent';
diff --git a/ql/src/test/queries/clientnegative/load_exist_part_authfail.q b/ql/src/test/queries/clientnegative/load_exist_part_authfail.q
index eb72d94..f9ecc6f 100644
--- a/ql/src/test/queries/clientnegative/load_exist_part_authfail.q
+++ b/ql/src/test/queries/clientnegative/load_exist_part_authfail.q
@@ -1,3 +1,4 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
 create table hive_test_src ( col1 string ) partitioned by (pcol1 string) stored as textfile;
 alter table hive_test_src add partition (pcol1 = 'test_part');
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientnegative/load_nonpart_authfail.q b/ql/src/test/queries/clientnegative/load_nonpart_authfail.q
index 3265363..1f40978 100644
--- a/ql/src/test/queries/clientnegative/load_nonpart_authfail.q
+++ b/ql/src/test/queries/clientnegative/load_nonpart_authfail.q
@@ -1,3 +1,4 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
 create table hive_test_src ( col1 string ) stored as textfile;
 set hive.security.authorization.enabled=true;
 load data local inpath '../../data/files/test.dat' overwrite into table hive_test_src ;
diff --git a/ql/src/test/queries/clientnegative/load_part_authfail.q b/ql/src/test/queries/clientnegative/load_part_authfail.q
index 315988d..5735cd2 100644
--- a/ql/src/test/queries/clientnegative/load_part_authfail.q
+++ b/ql/src/test/queries/clientnegative/load_part_authfail.q @@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; create table hive_test_src ( col1 string ) partitioned by (pcol1 string) stored as textfile; set hive.security.authorization.enabled=true; load data local inpath '../../data/files/test.dat' overwrite into table hive_test_src partition (pcol1 = 'test_part'); diff --git a/ql/src/test/queries/clientpositive/alter_rename_partition_authorization.q b/ql/src/test/queries/clientpositive/alter_rename_partition_authorization.q index cdefc2d..70f2bb4 100644 --- a/ql/src/test/queries/clientpositive/alter_rename_partition_authorization.q +++ b/ql/src/test/queries/clientpositive/alter_rename_partition_authorization.q @@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; -- SORT_BEFORE_DIFF create table src_auth_tmp as select * from src; diff --git a/ql/src/test/queries/clientpositive/authorization_1.q b/ql/src/test/queries/clientpositive/authorization_1.q index d5fd2ec..184acc7 100644 --- a/ql/src/test/queries/clientpositive/authorization_1.q +++ b/ql/src/test/queries/clientpositive/authorization_1.q @@ -1,3 +1,5 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; + -- SORT_BEFORE_DIFF create table src_autho_test as select * from src; @@ -86,4 +88,4 @@ revoke select on table src_autho_test from role sRc_roLE; drop role sRc_roLE; set hive.security.authorization.enabled=false; -drop table src_autho_test; \ No newline at end of file +drop table src_autho_test; diff --git a/ql/src/test/queries/clientpositive/authorization_2.q b/ql/src/test/queries/clientpositive/authorization_2.q index 3353c53..efb42f7 100644 --- a/ql/src/test/queries/clientpositive/authorization_2.q +++ b/ql/src/test/queries/clientpositive/authorization_2.q 
@@ -1,3 +1,5 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; + -- SORT_BEFORE_DIFF create table authorization_part (key int, value string) partitioned by (ds string); @@ -108,4 +110,4 @@ show grant group hive_test_group1 on table authorization_part partition (ds='201 revoke select on table src_auth_tmp from user hive_test_user; set hive.security.authorization.enabled=false; -drop table authorization_part; \ No newline at end of file +drop table authorization_part; diff --git a/ql/src/test/queries/clientpositive/authorization_3.q b/ql/src/test/queries/clientpositive/authorization_3.q index ba76b00..09c6494 100644 --- a/ql/src/test/queries/clientpositive/authorization_3.q +++ b/ql/src/test/queries/clientpositive/authorization_3.q @@ -1,3 +1,5 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; + -- SORT_BEFORE_DIFF create table src_autho_test as select * from src; diff --git a/ql/src/test/queries/clientpositive/authorization_4.q b/ql/src/test/queries/clientpositive/authorization_4.q index 152c8e5..c1848a7 100644 --- a/ql/src/test/queries/clientpositive/authorization_4.q +++ b/ql/src/test/queries/clientpositive/authorization_4.q @@ -1,3 +1,5 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; + -- SORT_BEFORE_DIFF create table src_autho_test as select * from src; @@ -10,4 +12,4 @@ show grant user hive_test_user on table src_autho_test; select key from src_autho_test order by key limit 20; -drop table src_autho_test; \ No newline at end of file +drop table src_autho_test; diff --git a/ql/src/test/queries/clientpositive/authorization_5.q b/ql/src/test/queries/clientpositive/authorization_5.q index fec27b4..fb9b262 100644 --- a/ql/src/test/queries/clientpositive/authorization_5.q +++ b/ql/src/test/queries/clientpositive/authorization_5.q 
@@ -1,3 +1,5 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; + -- SORT_BEFORE_DIFF CREATE DATABASE IF NOT EXISTS test_db COMMENT 'Hive test database'; diff --git a/ql/src/test/queries/clientpositive/authorization_6.q b/ql/src/test/queries/clientpositive/authorization_6.q index 258ada4..5f9bde7 100644 --- a/ql/src/test/queries/clientpositive/authorization_6.q +++ b/ql/src/test/queries/clientpositive/authorization_6.q @@ -1,3 +1,5 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; + -- SORT_BEFORE_DIFF create table src_auth_tmp as select * from src; diff --git a/ql/src/test/queries/clientpositive/authorization_7.q b/ql/src/test/queries/clientpositive/authorization_7.q index ae49000..216951e 100644 --- a/ql/src/test/queries/clientpositive/authorization_7.q +++ b/ql/src/test/queries/clientpositive/authorization_7.q @@ -1,3 +1,5 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; + GRANT ALL TO USER hive_test_user; SET hive.security.authorization.enabled=true; CREATE TABLE src_authorization_7 (key int, value string); @@ -12,4 +14,4 @@ SET hive.security.authorization.enabled=true; CREATE TABLE src_authorization_7 (key int, value string); DESCRIBE src_authorization_7; DROP TABLE src_authorization_7; -REVOKE ALL FROM GROUP hive_test_group1; \ No newline at end of file +REVOKE ALL FROM GROUP hive_test_group1; diff --git a/ql/src/test/queries/clientpositive/authorization_8.q b/ql/src/test/queries/clientpositive/authorization_8.q index 67fcf31..b8571aa 100644 --- a/ql/src/test/queries/clientpositive/authorization_8.q +++ b/ql/src/test/queries/clientpositive/authorization_8.q 
@@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; set hive.security.authorization.enabled=true; GRANT ALL TO USER hive_test_user; CREATE TABLE tbl_j5jbymsx8e (key INT, value STRING) PARTITIONED BY (ds STRING); diff --git a/ql/src/test/queries/clientpositive/authorization_9.q b/ql/src/test/queries/clientpositive/authorization_9.q index ed62c45..5f72665 100644 --- a/ql/src/test/queries/clientpositive/authorization_9.q +++ b/ql/src/test/queries/clientpositive/authorization_9.q @@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; -- SORT_BEFORE_DIFF create table dummy (key string, value string); diff --git a/ql/src/test/queries/clientpositive/authorization_default_create_table_owner_privs.q b/ql/src/test/queries/clientpositive/authorization_default_create_table_owner_privs.q index c265733..e533ee7 100644 --- a/ql/src/test/queries/clientpositive/authorization_default_create_table_owner_privs.q +++ b/ql/src/test/queries/clientpositive/authorization_default_create_table_owner_privs.q @@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; set hive.security.authorization.createtable.owner.grants=ALL; create table default_auth_table_creator_priv_test(i int); diff --git a/ql/src/test/queries/clientpositive/authorization_explain.q b/ql/src/test/queries/clientpositive/authorization_explain.q index fe376bf..6a9475c 100644 --- a/ql/src/test/queries/clientpositive/authorization_explain.q +++ b/ql/src/test/queries/clientpositive/authorization_explain.q @@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; set hive.mapred.mode=nonstrict; set hive.security.authorization.enabled=true; 
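Review bot: authorization_explain.q is pinned to the V1 provider here, but its updated expected output in this commit drops the `AUTHORIZATION_FAILURES` block, so `explain authorization` is no longer checked against a query the user is not allowed to run. The refreshed `show grant` outputs list SELECT, INSERT, UPDATE and DELETE for hive_test_user on src and srcpart, which is presumably why the join is no longer denied. The expected output of the negative test join_nonexistent_part, which asserted `No privilege 'Select' found`, is deleted as well. To keep the denial path covered, the script could work on a table it creates itself and run something like `revoke select on table <test_table> from user hive_test_user;` before the explain statement. The rest of the script lies outside the hunk.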
diff --git a/ql/src/test/queries/clientpositive/authorization_show_role_principals_v1.q b/ql/src/test/queries/clientpositive/authorization_show_role_principals_v1.q index 50e9dc2..45e89c5 100644 --- a/ql/src/test/queries/clientpositive/authorization_show_role_principals_v1.q +++ b/ql/src/test/queries/clientpositive/authorization_show_role_principals_v1.q @@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; create role role1; grant role1 to user user1 with admin option; grant role1 to user user2 with admin option; diff --git a/ql/src/test/queries/clientpositive/exim_21_export_authsuccess.q b/ql/src/test/queries/clientpositive/exim_21_export_authsuccess.q index 293a011..1e3eaee 100644 --- a/ql/src/test/queries/clientpositive/exim_21_export_authsuccess.q +++ b/ql/src/test/queries/clientpositive/exim_21_export_authsuccess.q @@ -1,3 +1,4 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; set hive.test.mode=true; set hive.test.mode.prefix=; diff --git a/ql/src/test/queries/clientpositive/exim_22_import_exist_authsuccess.q b/ql/src/test/queries/clientpositive/exim_22_import_exist_authsuccess.q index 03714ab..606f9af 100644 --- a/ql/src/test/queries/clientpositive/exim_22_import_exist_authsuccess.q +++ b/ql/src/test/queries/clientpositive/exim_22_import_exist_authsuccess.q @@ -1,6 +1,7 @@ set hive.test.mode=true; set hive.test.mode.prefix=; set hive.test.mode.nosamplelist=exim_department,exim_employee; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; create table exim_department ( dep_id int) stored as textfile; load data local inpath "../../data/files/test.dat" into table exim_department; 
diff --git a/ql/src/test/queries/clientpositive/exim_23_import_part_authsuccess.q b/ql/src/test/queries/clientpositive/exim_23_import_part_authsuccess.q index 9012b0e..316f2e0 100644 --- a/ql/src/test/queries/clientpositive/exim_23_import_part_authsuccess.q +++ b/ql/src/test/queries/clientpositive/exim_23_import_part_authsuccess.q @@ -2,6 +2,7 @@ set hive.mapred.mode=nonstrict; set hive.test.mode=true; set hive.test.mode.prefix=; set hive.test.mode.nosamplelist=exim_department,exim_employee; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; create table exim_employee ( emp_id int comment "employee id") comment "employee table" diff --git a/ql/src/test/queries/clientpositive/exim_24_import_nonexist_authsuccess.q b/ql/src/test/queries/clientpositive/exim_24_import_nonexist_authsuccess.q index 8934c47..8ded70b 100644 --- a/ql/src/test/queries/clientpositive/exim_24_import_nonexist_authsuccess.q +++ b/ql/src/test/queries/clientpositive/exim_24_import_nonexist_authsuccess.q @@ -1,6 +1,7 @@ set hive.test.mode=true; set hive.test.mode.prefix=; set hive.test.mode.nosamplelist=exim_department,exim_employee; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; create table exim_department ( dep_id int) stored as textfile; load data local inpath "../../data/files/test.dat" into table exim_department; diff --git a/ql/src/test/queries/clientpositive/explainuser_3.q b/ql/src/test/queries/clientpositive/explainuser_3.q index 4f1fdab..57029f1 100644 --- a/ql/src/test/queries/clientpositive/explainuser_3.q +++ b/ql/src/test/queries/clientpositive/explainuser_3.q 
@@ -1,3 +1,5 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; +set hive.metastore.filter.hook=org.apache.hadoop.hive.metastore.DefaultMetaStoreFilterHookImpl; set hive.mapred.mode=nonstrict; set hive.explain.user=true; diff --git a/ql/src/test/queries/clientpositive/index_auth.q b/ql/src/test/queries/clientpositive/index_auth.q index 03d77f1..b12b742 100644 --- a/ql/src/test/queries/clientpositive/index_auth.q +++ b/ql/src/test/queries/clientpositive/index_auth.q @@ -1,5 +1,7 @@ set hive.stats.dbclass=fs; SET hive.input.format=org.apache.hadoop.hive.ql.io.HiveInputFormat; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; + create table foobar(key int, value string) PARTITIONED BY (ds string, hr string); alter table foobar add partition (ds='2008-04-08',hr='12'); diff --git a/ql/src/test/queries/clientpositive/keyword_1.q b/ql/src/test/queries/clientpositive/keyword_1.q index d274515..9277725 100644 --- a/ql/src/test/queries/clientpositive/keyword_1.q +++ b/ql/src/test/queries/clientpositive/keyword_1.q @@ -1,3 +1,5 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; + -- SORT_BEFORE_DIFF create table test_user (`user` string, `group` string); @@ -16,4 +18,4 @@ explain select role from test_user; show grant user hive_test on table test_user; -drop table test_user; \ No newline at end of file +drop table test_user; diff --git a/ql/src/test/queries/clientpositive/load_exist_part_authsuccess.q b/ql/src/test/queries/clientpositive/load_exist_part_authsuccess.q index 35eb219..1ce4824 100644 --- a/ql/src/test/queries/clientpositive/load_exist_part_authsuccess.q +++ b/ql/src/test/queries/clientpositive/load_exist_part_authsuccess.q 
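Review bot: In explainuser_3.q the second added line, `set hive.metastore.filter.hook=org.apache.hadoop.hive.metastore.DefaultMetaStoreFilterHookImpl;`, is the only filter-hook override among the query files in this commit and has no comment explaining it. The filter hook decides which metastore objects a client is shown. A reader should be able to tell whether it is reset because of this test's explain output or because the changed authorization setup would otherwise install a different hook. A short comment above it, for example `-- use the default filter hook: this test checks explain output, not metadata filtering`, would record the intent; adjust the wording to the actual reason.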
@@ -1,3 +1,4 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
 create table hive_test_src ( col1 string ) partitioned by (pcol1 string) stored as textfile;
 alter table hive_test_src add partition (pcol1 = 'test_part');
 set hive.security.authorization.enabled=true;
diff --git a/ql/src/test/queries/clientpositive/load_nonpart_authsuccess.q b/ql/src/test/queries/clientpositive/load_nonpart_authsuccess.q
index fdee451..29d4e80 100644
--- a/ql/src/test/queries/clientpositive/load_nonpart_authsuccess.q
+++ b/ql/src/test/queries/clientpositive/load_nonpart_authsuccess.q
@@ -1,3 +1,4 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
 create table hive_test_src ( col1 string ) stored as textfile;
 set hive.security.authorization.enabled=true;
 grant Update on table hive_test_src to user hive_test_user;
diff --git a/ql/src/test/queries/clientpositive/load_part_authsuccess.q b/ql/src/test/queries/clientpositive/load_part_authsuccess.q
index cee5873..868fd6c 100644
--- a/ql/src/test/queries/clientpositive/load_part_authsuccess.q
+++ b/ql/src/test/queries/clientpositive/load_part_authsuccess.q
@@ -1,3 +1,4 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
 create table hive_test_src ( col1 string ) partitioned by (pcol1 string) stored as textfile;
 set hive.security.authorization.enabled=true;
 grant Update on table hive_test_src to user hive_test_user;
diff --git a/ql/src/test/queries/clientpositive/show_roles.q b/ql/src/test/queries/clientpositive/show_roles.q
index d8ce96a..9e5a6c3 100644
--- a/ql/src/test/queries/clientpositive/show_roles.q
+++ b/ql/src/test/queries/clientpositive/show_roles.q 
@@ -1,3 +1,5 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; + create role role1; create role role2; diff --git a/ql/src/test/queries/clientpositive/stats5.q b/ql/src/test/queries/clientpositive/stats5.q index 6b5d138..911bbff 100644 --- a/ql/src/test/queries/clientpositive/stats5.q +++ b/ql/src/test/queries/clientpositive/stats5.q @@ -1,5 +1,5 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; set datanucleus.cache.collections=false; -set hive.stats.autogather=false; create table analyze_src as select * from src; diff --git a/ql/src/test/results/clientnegative/authorization_cli_auth_enable.q.out b/ql/src/test/results/clientnegative/authorization_cli_auth_enable.q.out deleted file mode 100644 index 252eb66..0000000 --- a/ql/src/test/results/clientnegative/authorization_cli_auth_enable.q.out +++ /dev/null @@ -1 +0,0 @@ -FAILED: RuntimeException org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: SQL standards based authorization should not be enabled from hive cliInstead the use of storage based authorization in hive metastore is reccomended. Set hive.security.authorization.enabled=false to disable authz within cli diff --git a/ql/src/test/results/clientnegative/join_nonexistent_part.q.out b/ql/src/test/results/clientnegative/join_nonexistent_part.q.out deleted file mode 100644 index a924895..0000000 --- a/ql/src/test/results/clientnegative/join_nonexistent_part.q.out +++ /dev/null @@ -1 +0,0 @@ -Authorization failed:No privilege 'Select' found for inputs { database:default, table:srcpart, columnName:key}. Use SHOW GRANT to get more details. diff --git a/ql/src/test/results/clientpositive/authorization_9.q.out b/ql/src/test/results/clientpositive/authorization_9.q.out index 7f95f5e..6bb8ecb 100644 --- a/ql/src/test/results/clientpositive/authorization_9.q.out 
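Review bot: The stats5.q hunk removes `set hive.stats.autogather=false;` in the same edit that adds the authorization override, and that removal changes what the test checks. The expected TableScan statistics for analyze_src in this commit go from `Num rows: 1 Data size: 5812` to `Num rows: 500 Data size: 5312`. With auto-gathering left on, the table presumably already has statistics when the analyze statement runs, so the test no longer shows that statement populating them. Unless that is intended, keep `set hive.stats.autogather=false;` after `set datanucleus.cache.collections=false;` and add only the new line.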
+++ b/ql/src/test/results/clientpositive/authorization_9.q.out 
@@ -46,7 +46,67 @@ POSTHOOK: query: show grant user hive_test_user on all POSTHOOK: type: SHOW_GRANT hive_test_user USER SELECT false -1 hive_test_user default hive_test_user USER SELECT false -1 hive_test_user +default alltypesorc hive_test_user USER DELETE true -1 hive_test_user +default alltypesorc hive_test_user USER INSERT true -1 hive_test_user +default alltypesorc hive_test_user USER SELECT true -1 hive_test_user +default alltypesorc hive_test_user USER UPDATE true -1 hive_test_user +default cbo_t1 hive_test_user USER DELETE true -1 hive_test_user +default cbo_t1 hive_test_user USER INSERT true -1 hive_test_user +default cbo_t1 hive_test_user USER SELECT true -1 hive_test_user +default cbo_t1 hive_test_user USER UPDATE true -1 hive_test_user +default cbo_t2 hive_test_user USER DELETE true -1 hive_test_user +default cbo_t2 hive_test_user USER INSERT true -1 hive_test_user +default cbo_t2 hive_test_user USER SELECT true -1 hive_test_user +default cbo_t2 hive_test_user USER UPDATE true -1 hive_test_user +default cbo_t3 hive_test_user USER DELETE true -1 hive_test_user +default cbo_t3 hive_test_user USER INSERT true -1 hive_test_user +default cbo_t3 hive_test_user USER SELECT true -1 hive_test_user +default cbo_t3 hive_test_user USER UPDATE true -1 hive_test_user default dummy hive_test_user USER SELECT false -1 hive_test_user +default lineitem hive_test_user USER DELETE true -1 hive_test_user +default lineitem hive_test_user USER INSERT true -1 hive_test_user +default lineitem hive_test_user USER SELECT true -1 hive_test_user +default lineitem hive_test_user USER UPDATE true -1 hive_test_user +default part hive_test_user USER DELETE true -1 hive_test_user +default part hive_test_user USER INSERT true -1 hive_test_user +default part hive_test_user USER SELECT true -1 hive_test_user +default part hive_test_user USER UPDATE true -1 hive_test_user +default src hive_test_user USER DELETE true -1 hive_test_user +default src hive_test_user USER INSERT true -1 
hive_test_user +default src hive_test_user USER SELECT true -1 hive_test_user +default src hive_test_user USER UPDATE true -1 hive_test_user +default src1 hive_test_user USER DELETE true -1 hive_test_user +default src1 hive_test_user USER INSERT true -1 hive_test_user +default src1 hive_test_user USER SELECT true -1 hive_test_user +default src1 hive_test_user USER UPDATE true -1 hive_test_user +default src_cbo hive_test_user USER DELETE true -1 hive_test_user +default src_cbo hive_test_user USER INSERT true -1 hive_test_user +default src_cbo hive_test_user USER SELECT true -1 hive_test_user +default src_cbo hive_test_user USER UPDATE true -1 hive_test_user +default src_json hive_test_user USER DELETE true -1 hive_test_user +default src_json hive_test_user USER INSERT true -1 hive_test_user +default src_json hive_test_user USER SELECT true -1 hive_test_user +default src_json hive_test_user USER UPDATE true -1 hive_test_user +default src_sequencefile hive_test_user USER DELETE true -1 hive_test_user +default src_sequencefile hive_test_user USER INSERT true -1 hive_test_user +default src_sequencefile hive_test_user USER SELECT true -1 hive_test_user +default src_sequencefile hive_test_user USER UPDATE true -1 hive_test_user +default src_thrift hive_test_user USER DELETE true -1 hive_test_user +default src_thrift hive_test_user USER INSERT true -1 hive_test_user +default src_thrift hive_test_user USER SELECT true -1 hive_test_user +default src_thrift hive_test_user USER UPDATE true -1 hive_test_user +default srcbucket hive_test_user USER DELETE true -1 hive_test_user +default srcbucket hive_test_user USER INSERT true -1 hive_test_user +default srcbucket hive_test_user USER SELECT true -1 hive_test_user +default srcbucket hive_test_user USER UPDATE true -1 hive_test_user +default srcbucket2 hive_test_user USER DELETE true -1 hive_test_user +default srcbucket2 hive_test_user USER INSERT true -1 hive_test_user +default srcbucket2 hive_test_user USER SELECT true -1 
hive_test_user +default srcbucket2 hive_test_user USER UPDATE true -1 hive_test_user +default srcpart hive_test_user USER DELETE true -1 hive_test_user +default srcpart hive_test_user USER INSERT true -1 hive_test_user +default srcpart hive_test_user USER SELECT true -1 hive_test_user +default srcpart hive_test_user USER UPDATE true -1 hive_test_user default dummy [key] hive_test_user USER SELECT false -1 hive_test_user default dummy [value] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: grant select to user hive_test_user2 
@@ -78,8 +138,68 @@ POSTHOOK: type: SHOW_GRANT hive_test_user2 USER SELECT false -1 hive_test_user default hive_test_user USER SELECT false -1 hive_test_user default hive_test_user2 USER SELECT false -1 hive_test_user +default alltypesorc hive_test_user USER DELETE true -1 hive_test_user +default alltypesorc hive_test_user USER INSERT true -1 hive_test_user +default alltypesorc hive_test_user USER SELECT true -1 hive_test_user +default alltypesorc hive_test_user USER UPDATE true -1 hive_test_user +default cbo_t1 hive_test_user USER DELETE true -1 hive_test_user +default cbo_t1 hive_test_user USER INSERT true -1 hive_test_user +default cbo_t1 hive_test_user USER SELECT true -1 hive_test_user +default cbo_t1 hive_test_user USER UPDATE true -1 hive_test_user +default cbo_t2 hive_test_user USER DELETE true -1 hive_test_user +default cbo_t2 hive_test_user USER INSERT true -1 hive_test_user +default cbo_t2 hive_test_user USER SELECT true -1 hive_test_user +default cbo_t2 hive_test_user USER UPDATE true -1 hive_test_user +default cbo_t3 hive_test_user USER DELETE true -1 hive_test_user +default cbo_t3 hive_test_user USER INSERT true -1 hive_test_user +default cbo_t3 hive_test_user USER SELECT true -1 hive_test_user +default cbo_t3 hive_test_user USER UPDATE true -1 hive_test_user default dummy hive_test_user USER SELECT false -1 hive_test_user default dummy hive_test_user2 USER SELECT false -1 hive_test_user +default lineitem hive_test_user USER DELETE true -1 hive_test_user +default lineitem hive_test_user USER INSERT true -1 hive_test_user +default lineitem hive_test_user USER SELECT true -1 hive_test_user +default lineitem hive_test_user USER UPDATE true -1 hive_test_user +default part hive_test_user USER DELETE true -1 hive_test_user +default part hive_test_user USER INSERT true -1 hive_test_user +default part hive_test_user USER SELECT true -1 hive_test_user +default part hive_test_user USER UPDATE true -1 hive_test_user +default src hive_test_user USER DELETE true 
-1 hive_test_user +default src hive_test_user USER INSERT true -1 hive_test_user +default src hive_test_user USER SELECT true -1 hive_test_user +default src hive_test_user USER UPDATE true -1 hive_test_user +default src1 hive_test_user USER DELETE true -1 hive_test_user +default src1 hive_test_user USER INSERT true -1 hive_test_user +default src1 hive_test_user USER SELECT true -1 hive_test_user +default src1 hive_test_user USER UPDATE true -1 hive_test_user +default src_cbo hive_test_user USER DELETE true -1 hive_test_user +default src_cbo hive_test_user USER INSERT true -1 hive_test_user +default src_cbo hive_test_user USER SELECT true -1 hive_test_user +default src_cbo hive_test_user USER UPDATE true -1 hive_test_user +default src_json hive_test_user USER DELETE true -1 hive_test_user +default src_json hive_test_user USER INSERT true -1 hive_test_user +default src_json hive_test_user USER SELECT true -1 hive_test_user +default src_json hive_test_user USER UPDATE true -1 hive_test_user +default src_sequencefile hive_test_user USER DELETE true -1 hive_test_user +default src_sequencefile hive_test_user USER INSERT true -1 hive_test_user +default src_sequencefile hive_test_user USER SELECT true -1 hive_test_user +default src_sequencefile hive_test_user USER UPDATE true -1 hive_test_user +default src_thrift hive_test_user USER DELETE true -1 hive_test_user +default src_thrift hive_test_user USER INSERT true -1 hive_test_user +default src_thrift hive_test_user USER SELECT true -1 hive_test_user +default src_thrift hive_test_user USER UPDATE true -1 hive_test_user +default srcbucket hive_test_user USER DELETE true -1 hive_test_user +default srcbucket hive_test_user USER INSERT true -1 hive_test_user +default srcbucket hive_test_user USER SELECT true -1 hive_test_user +default srcbucket hive_test_user USER UPDATE true -1 hive_test_user +default srcbucket2 hive_test_user USER DELETE true -1 hive_test_user +default srcbucket2 hive_test_user USER INSERT true -1 
hive_test_user +default srcbucket2 hive_test_user USER SELECT true -1 hive_test_user +default srcbucket2 hive_test_user USER UPDATE true -1 hive_test_user +default srcpart hive_test_user USER DELETE true -1 hive_test_user +default srcpart hive_test_user USER INSERT true -1 hive_test_user +default srcpart hive_test_user USER SELECT true -1 hive_test_user +default srcpart hive_test_user USER UPDATE true -1 hive_test_user default dummy [key] hive_test_user USER SELECT false -1 hive_test_user default dummy [key] hive_test_user2 USER SELECT false -1 hive_test_user default dummy [value] hive_test_user USER SELECT false -1 hive_test_user 
@@ -90,7 +210,67 @@ POSTHOOK: query: show grant user hive_test_user on all POSTHOOK: type: SHOW_GRANT hive_test_user USER SELECT false -1 hive_test_user default hive_test_user USER SELECT false -1 hive_test_user +default alltypesorc hive_test_user USER DELETE true -1 hive_test_user +default alltypesorc hive_test_user USER INSERT true -1 hive_test_user +default alltypesorc hive_test_user USER SELECT true -1 hive_test_user +default alltypesorc hive_test_user USER UPDATE true -1 hive_test_user +default cbo_t1 hive_test_user USER DELETE true -1 hive_test_user +default cbo_t1 hive_test_user USER INSERT true -1 hive_test_user +default cbo_t1 hive_test_user USER SELECT true -1 hive_test_user +default cbo_t1 hive_test_user USER UPDATE true -1 hive_test_user +default cbo_t2 hive_test_user USER DELETE true -1 hive_test_user +default cbo_t2 hive_test_user USER INSERT true -1 hive_test_user +default cbo_t2 hive_test_user USER SELECT true -1 hive_test_user +default cbo_t2 hive_test_user USER UPDATE true -1 hive_test_user +default cbo_t3 hive_test_user USER DELETE true -1 hive_test_user +default cbo_t3 hive_test_user USER INSERT true -1 hive_test_user +default cbo_t3 hive_test_user USER SELECT true -1 hive_test_user +default cbo_t3 hive_test_user USER UPDATE true -1 hive_test_user default dummy hive_test_user USER SELECT false -1 hive_test_user +default lineitem hive_test_user USER DELETE true -1 hive_test_user +default lineitem hive_test_user USER INSERT true -1 hive_test_user +default lineitem hive_test_user USER SELECT true -1 hive_test_user +default lineitem hive_test_user USER UPDATE true -1 hive_test_user +default part hive_test_user USER DELETE true -1 hive_test_user +default part hive_test_user USER INSERT true -1 hive_test_user +default part hive_test_user USER SELECT true -1 hive_test_user +default part hive_test_user USER UPDATE true -1 hive_test_user +default src hive_test_user USER DELETE true -1 hive_test_user +default src hive_test_user USER INSERT true -1 
hive_test_user +default src hive_test_user USER SELECT true -1 hive_test_user +default src hive_test_user USER UPDATE true -1 hive_test_user +default src1 hive_test_user USER DELETE true -1 hive_test_user +default src1 hive_test_user USER INSERT true -1 hive_test_user +default src1 hive_test_user USER SELECT true -1 hive_test_user +default src1 hive_test_user USER UPDATE true -1 hive_test_user +default src_cbo hive_test_user USER DELETE true -1 hive_test_user +default src_cbo hive_test_user USER INSERT true -1 hive_test_user +default src_cbo hive_test_user USER SELECT true -1 hive_test_user +default src_cbo hive_test_user USER UPDATE true -1 hive_test_user +default src_json hive_test_user USER DELETE true -1 hive_test_user +default src_json hive_test_user USER INSERT true -1 hive_test_user +default src_json hive_test_user USER SELECT true -1 hive_test_user +default src_json hive_test_user USER UPDATE true -1 hive_test_user +default src_sequencefile hive_test_user USER DELETE true -1 hive_test_user +default src_sequencefile hive_test_user USER INSERT true -1 hive_test_user +default src_sequencefile hive_test_user USER SELECT true -1 hive_test_user +default src_sequencefile hive_test_user USER UPDATE true -1 hive_test_user +default src_thrift hive_test_user USER DELETE true -1 hive_test_user +default src_thrift hive_test_user USER INSERT true -1 hive_test_user +default src_thrift hive_test_user USER SELECT true -1 hive_test_user +default src_thrift hive_test_user USER UPDATE true -1 hive_test_user +default srcbucket hive_test_user USER DELETE true -1 hive_test_user +default srcbucket hive_test_user USER INSERT true -1 hive_test_user +default srcbucket hive_test_user USER SELECT true -1 hive_test_user +default srcbucket hive_test_user USER UPDATE true -1 hive_test_user +default srcbucket2 hive_test_user USER DELETE true -1 hive_test_user +default srcbucket2 hive_test_user USER INSERT true -1 hive_test_user +default srcbucket2 hive_test_user USER SELECT true -1 
hive_test_user +default srcbucket2 hive_test_user USER UPDATE true -1 hive_test_user +default srcpart hive_test_user USER DELETE true -1 hive_test_user +default srcpart hive_test_user USER INSERT true -1 hive_test_user +default srcpart hive_test_user USER SELECT true -1 hive_test_user +default srcpart hive_test_user USER UPDATE true -1 hive_test_user default dummy [key] hive_test_user USER SELECT false -1 hive_test_user default dummy [value] hive_test_user USER SELECT false -1 hive_test_user PREHOOK: query: show grant user hive_test_user2 on all diff --git a/ql/src/test/results/clientpositive/authorization_explain.q.java1.7.out b/ql/src/test/results/clientpositive/authorization_explain.q.java1.7.out index b7ec209..a9ed049 100644 --- a/ql/src/test/results/clientpositive/authorization_explain.q.java1.7.out +++ b/ql/src/test/results/clientpositive/authorization_explain.q.java1.7.out @@ -20,9 +20,6 @@ CURRENT_USER: hive_test_user OPERATION: QUERY -AUTHORIZATION_FAILURES: - No privilege 'Select' found for inputs { database:default, table:src, columnName:key} - No privilege 'Select' found for inputs { database:default, table:srcpart, columnName:key} Warning: Shuffle Join JOIN[7][tables = [$hdt$_0, $hdt$_1]] in Stage 'Stage-1:MAPRED' is a cross product PREHOOK: query: explain formatted authorization select * from src join srcpart PREHOOK: type: QUERY diff --git a/ql/src/test/results/clientpositive/authorization_show_grant.q.out b/ql/src/test/results/clientpositive/authorization_show_grant.q.out index 2e7d7f6..7fa0b1c 100644 --- a/ql/src/test/results/clientpositive/authorization_show_grant.q.out +++ b/ql/src/test/results/clientpositive/authorization_show_grant.q.out 
@@ -111,6 +111,66 @@ PREHOOK: query: show grant PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant POSTHOOK: type: SHOW_GRANT +default alltypesorc hive_test_user USER DELETE true -1 hive_test_user +default alltypesorc hive_test_user USER INSERT true -1 hive_test_user +default alltypesorc hive_test_user USER SELECT true -1 hive_test_user +default alltypesorc hive_test_user USER UPDATE true -1 hive_test_user +default cbo_t1 hive_test_user USER DELETE true -1 hive_test_user +default cbo_t1 hive_test_user USER INSERT true -1 hive_test_user +default cbo_t1 hive_test_user USER SELECT true -1 hive_test_user +default cbo_t1 hive_test_user USER UPDATE true -1 hive_test_user +default cbo_t2 hive_test_user USER DELETE true -1 hive_test_user +default cbo_t2 hive_test_user USER INSERT true -1 hive_test_user +default cbo_t2 hive_test_user USER SELECT true -1 hive_test_user +default cbo_t2 hive_test_user USER UPDATE true -1 hive_test_user +default cbo_t3 hive_test_user USER DELETE true -1 hive_test_user +default cbo_t3 hive_test_user USER INSERT true -1 hive_test_user +default cbo_t3 hive_test_user USER SELECT true -1 hive_test_user +default cbo_t3 hive_test_user USER UPDATE true -1 hive_test_user +default lineitem hive_test_user USER DELETE true -1 hive_test_user +default lineitem hive_test_user USER INSERT true -1 hive_test_user +default lineitem hive_test_user USER SELECT true -1 hive_test_user +default lineitem hive_test_user USER UPDATE true -1 hive_test_user +default part hive_test_user USER DELETE true -1 hive_test_user +default part hive_test_user USER INSERT true -1 hive_test_user +default part hive_test_user USER SELECT true -1 hive_test_user +default part hive_test_user USER UPDATE true -1 hive_test_user +default src hive_test_user USER DELETE true -1 hive_test_user +default src hive_test_user USER INSERT true -1 hive_test_user +default src hive_test_user USER SELECT true -1 hive_test_user +default src hive_test_user USER UPDATE true -1 hive_test_user +default src1 
hive_test_user USER DELETE true -1 hive_test_user +default src1 hive_test_user USER INSERT true -1 hive_test_user +default src1 hive_test_user USER SELECT true -1 hive_test_user +default src1 hive_test_user USER UPDATE true -1 hive_test_user +default src_cbo hive_test_user USER DELETE true -1 hive_test_user +default src_cbo hive_test_user USER INSERT true -1 hive_test_user +default src_cbo hive_test_user USER SELECT true -1 hive_test_user +default src_cbo hive_test_user USER UPDATE true -1 hive_test_user +default src_json hive_test_user USER DELETE true -1 hive_test_user +default src_json hive_test_user USER INSERT true -1 hive_test_user +default src_json hive_test_user USER SELECT true -1 hive_test_user +default src_json hive_test_user USER UPDATE true -1 hive_test_user +default src_sequencefile hive_test_user USER DELETE true -1 hive_test_user +default src_sequencefile hive_test_user USER INSERT true -1 hive_test_user +default src_sequencefile hive_test_user USER SELECT true -1 hive_test_user +default src_sequencefile hive_test_user USER UPDATE true -1 hive_test_user +default src_thrift hive_test_user USER DELETE true -1 hive_test_user +default src_thrift hive_test_user USER INSERT true -1 hive_test_user +default src_thrift hive_test_user USER SELECT true -1 hive_test_user +default src_thrift hive_test_user USER UPDATE true -1 hive_test_user +default srcbucket hive_test_user USER DELETE true -1 hive_test_user +default srcbucket hive_test_user USER INSERT true -1 hive_test_user +default srcbucket hive_test_user USER SELECT true -1 hive_test_user +default srcbucket hive_test_user USER UPDATE true -1 hive_test_user +default srcbucket2 hive_test_user USER DELETE true -1 hive_test_user +default srcbucket2 hive_test_user USER INSERT true -1 hive_test_user +default srcbucket2 hive_test_user USER SELECT true -1 hive_test_user +default srcbucket2 hive_test_user USER UPDATE true -1 hive_test_user +default srcpart hive_test_user USER DELETE true -1 hive_test_user +default 
srcpart hive_test_user USER INSERT true -1 hive_test_user +default srcpart hive_test_user USER SELECT true -1 hive_test_user +default srcpart hive_test_user USER UPDATE true -1 hive_test_user default t1 rolea ROLE SELECT false -1 user1 default t1 user1 USER DELETE true -1 hive_admin_user default t1 user1 USER INSERT true -1 hive_admin_user diff --git a/ql/src/test/results/clientpositive/spark/stats5.q.out b/ql/src/test/results/clientpositive/spark/stats5.q.out index 2edbd07..51bf6e4 100644 --- a/ql/src/test/results/clientpositive/spark/stats5.q.out +++ b/ql/src/test/results/clientpositive/spark/stats5.q.out @@ -25,7 +25,7 @@ STAGE PLANS: Map Operator Tree: TableScan alias: analyze_src - Statistics: Num rows: 1 Data size: 5812 Basic stats: COMPLETE Column stats: COMPLETE + Statistics: Num rows: 500 Data size: 5312 Basic stats: COMPLETE Column stats: COMPLETE Stage: Stage-1 Stats-Aggr Operator diff --git a/ql/src/test/results/clientpositive/stats5.q.out b/ql/src/test/results/clientpositive/stats5.q.out index 866dbaf..93cff91 100644 --- a/ql/src/test/results/clientpositive/stats5.q.out +++ b/ql/src/test/results/clientpositive/stats5.q.out @@ -22,7 +22,7 @@ STAGE PLANS: Map Operator Tree: TableScan alias: analyze_src - Statistics: Num rows: 1 Data size: 5812 Basic stats: COMPLETE Column stats: COMPLETE + Statistics: Num rows: 500 Data size: 5312 Basic stats: COMPLETE Column stats: COMPLETE Stage: Stage-1 Stats-Aggr Operator diff --git a/ql/src/test/results/clientpositive/tez/unionDistinct_2.q.out b/ql/src/test/results/clientpositive/tez/unionDistinct_2.q.out index 6d59369..f4cdd86 100644 --- a/ql/src/test/results/clientpositive/tez/unionDistinct_2.q.out +++ b/ql/src/test/results/clientpositive/tez/unionDistinct_2.q.out 
@@ -359,7 +359,7 @@ union select `u2`.`key`, `u2`.`value` from `default`.`u2` union all select `u3`.`key` as `key`, `u3`.`value` from `default`.`u3` -) `tab`, tableType:VIRTUAL_VIEW) +) `tab`, tableType:VIRTUAL_VIEW, privileges:PrincipalPrivilegeSet(userPrivileges:{hive_test_user=[PrivilegeGrantInfo(privilege:INSERT, createTime:-1, grantor:hive_test_user, grantorType:USER, grantOption:true), PrivilegeGrantInfo(privilege:SELECT, createTime:-1, grantor:hive_test_user, grantorType:USER, grantOption:true), PrivilegeGrantInfo(privilege:UPDATE, createTime:-1, grantor:hive_test_user, grantorType:USER, grantOption:true), PrivilegeGrantInfo(privilege:DELETE, createTime:-1, grantor:hive_test_user, grantorType:USER, grantOption:true)]}, groupPrivileges:null, rolePrivileges:null)) PREHOOK: query: select * from v PREHOOK: type: QUERY PREHOOK: Input: default@u1 @@ -429,7 +429,7 @@ select distinct * from u2 select distinct `u1`.`key`, `u1`.`value` from `default`.`u1` union select distinct `u2`.`key`, `u2`.`value` from `default`.`u2` -) `tab`, tableType:VIRTUAL_VIEW) +) `tab`, tableType:VIRTUAL_VIEW, privileges:PrincipalPrivilegeSet(userPrivileges:{hive_test_user=[PrivilegeGrantInfo(privilege:INSERT, createTime:-1, grantor:hive_test_user, grantorType:USER, grantOption:true), PrivilegeGrantInfo(privilege:SELECT, createTime:-1, grantor:hive_test_user, grantorType:USER, grantOption:true), PrivilegeGrantInfo(privilege:UPDATE, createTime:-1, grantor:hive_test_user, grantorType:USER, grantOption:true), PrivilegeGrantInfo(privilege:DELETE, createTime:-1, grantor:hive_test_user, grantorType:USER, grantOption:true)]}, groupPrivileges:null, rolePrivileges:null)) PREHOOK: query: select * from v PREHOOK: type: QUERY PREHOOK: Input: default@u1 
@@ -494,7 +494,7 @@ select distinct * from u2 select distinct `u1`.`key`, `u1`.`value` from `default`.`u1` union all select distinct `u2`.`key`, `u2`.`value` from `default`.`u2` -) `tab`, tableType:VIRTUAL_VIEW) +) `tab`, tableType:VIRTUAL_VIEW, privileges:PrincipalPrivilegeSet(userPrivileges:{hive_test_user=[PrivilegeGrantInfo(privilege:INSERT, createTime:-1, grantor:hive_test_user, grantorType:USER, grantOption:true), PrivilegeGrantInfo(privilege:SELECT, createTime:-1, grantor:hive_test_user, grantorType:USER, grantOption:true), PrivilegeGrantInfo(privilege:UPDATE, createTime:-1, grantor:hive_test_user, grantorType:USER, grantOption:true), PrivilegeGrantInfo(privilege:DELETE, createTime:-1, grantor:hive_test_user, grantorType:USER, grantOption:true)]}, groupPrivileges:null, rolePrivileges:null)) PREHOOK: query: select * from v PREHOOK: type: QUERY PREHOOK: Input: default@u1