diff --git a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java index b50c5a2..f0fda05 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java @@ -733,14 +733,14 @@ public static void doAuthorization(BaseSemanticAnalyzer sem, String command) } } + // column authorization is checked through table scan operators. getTablePartitionUsedColumns(op, sem, tab2Cols, part2Cols, tableUsePartLevelAuth); - - // cache the results for table authorization Set tableAuthChecked = new HashSet(); for (ReadEntity read : inputs) { - if (read.isDummy() || read.isPathType()) { + // if read is not direct, we do not need to check its autho. + if (read.isDummy() || read.isPathType() || !read.isDirect()) { continue; } if (read.getType() == Entity.Type.DATABASE) { 
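Review bot: The new `!read.isDirect()` skip in the `inputs` loop of doAuthorization is an authorization exemption, but its comment (`// if read is not direct, we do not need to check its autho.`) does not say why skipping is safe. I would state the invariant instead, e.g. `// Indirect inputs are reached only through a view; access is authorized on the view itself, so skip them here.` As far as this diff shows, the flag is set from `!qb.isInsideView()` in SemanticAnalyzer.getMetaData, so the comment could name that as the place to check when this logic changes. The hunk also removes `// cache the results for table authorization`, leaving `tableAuthChecked` unexplained. The loop body continues outside the hunk.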
@@ -796,46 +796,49 @@ private static void getTablePartitionUsedColumns(HiveOperation op, BaseSemanticA // for a select or create-as-select query, populate the partition to column // (par2Cols) or // table to columns mapping (tab2Cols) - if (op.equals(HiveOperation.CREATETABLE_AS_SELECT) - || op.equals(HiveOperation.QUERY)) { + if (op.equals(HiveOperation.CREATETABLE_AS_SELECT) || op.equals(HiveOperation.QUERY)) { SemanticAnalyzer querySem = (SemanticAnalyzer) sem; ParseContext parseCtx = querySem.getParseContext(); - for (Map.Entry topOpMap : querySem.getParseContext().getTopOps().entrySet()) { - TableScanOperator topOp = topOpMap.getValue(); - TableScanOperator tableScanOp = topOp; - Table tbl = tableScanOp.getConf().getTableMetadata(); - List neededColumnIds = tableScanOp.getNeededColumnIDs(); - List columns = tbl.getCols(); - List cols = new ArrayList(); - for (int i = 0; i < neededColumnIds.size(); i++) { - cols.add(columns.get(neededColumnIds.get(i)).getName()); - } - //map may not contain all sources, since input list may have been optimized out - //or non-existent tho such sources may still be referenced by the TableScanOperator - //if it's null then the partition probably doesn't exist so let's use table permission - if (tbl.isPartitioned() && - Boolean.TRUE.equals(tableUsePartLevelAuth.get(tbl.getTableName()))) { - String alias_id = topOpMap.getKey(); - - PrunedPartitionList partsList = PartitionPruner.prune(tableScanOp, - parseCtx, alias_id); - Set parts = partsList.getPartitions(); - for (Partition part : parts) { - List existingCols = part2Cols.get(part); + for (Map.Entry topOpMap : querySem.getParseContext().getTopOps() + .entrySet()) { + TableScanOperator tableScanOp = topOpMap.getValue(); + if (!tableScanOp.isInsideView()) { + Table tbl = tableScanOp.getConf().getTableMetadata(); + List neededColumnIds = tableScanOp.getNeededColumnIDs(); + List columns = tbl.getCols(); + List cols = new ArrayList(); + for (int i = 0; i < neededColumnIds.size(); i++) 
{ + cols.add(columns.get(neededColumnIds.get(i)).getName()); + } + // map may not contain all sources, since input list may have been + // optimized out + // or non-existent tho such sources may still be referenced by the + // TableScanOperator + // if it's null then the partition probably doesn't exist so let's use + // table permission + if (tbl.isPartitioned() + && Boolean.TRUE.equals(tableUsePartLevelAuth.get(tbl.getTableName()))) { + String alias_id = topOpMap.getKey(); + + PrunedPartitionList partsList = PartitionPruner.prune(tableScanOp, parseCtx, alias_id); + Set parts = partsList.getPartitions(); + for (Partition part : parts) { + List existingCols = part2Cols.get(part); + if (existingCols == null) { + existingCols = new ArrayList(); + } + existingCols.addAll(cols); + part2Cols.put(part, existingCols); + } + } else { + List existingCols = tab2Cols.get(tbl); if (existingCols == null) { existingCols = new ArrayList(); } existingCols.addAll(cols); - part2Cols.put(part, existingCols); - } - } else { - List existingCols = tab2Cols.get(tbl); - if (existingCols == null) { - existingCols = new ArrayList(); + tab2Cols.put(tbl, existingCols); } - existingCols.addAll(cols); - tab2Cols.put(tbl, existingCols); } } } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/TableScanOperator.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/TableScanOperator.java index 5253521..1b3cc82 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/exec/TableScanOperator.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/TableScanOperator.java @@ -65,6 +65,8 @@ private transient int rowLimit = -1; private transient int currCount = 0; + // insiderView will tell this TableScan is inside a view or not. + private transient boolean insideView; private String defaultPartitionName; 
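Review bot: Wrapping the whole loop body of getTablePartitionUsedColumns in `if (!tableScanOp.isInsideView()) {` re-indents most of the method and buries the one security-relevant change, namely that scans inside a view no longer contribute columns to `tab2Cols`/`part2Cols`. A guard clause right after `TableScanOperator tableScanOp = topOpMap.getValue();` keeps the exemption visible and the diff small: `if (tableScanOp.isInsideView()) { continue; }`. A one-line comment there should say that such scans are covered by the privilege check on the enclosing view.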
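Review bot: The field comment in TableScanOperator says `insiderView` while the field is `insideView`; the same slip recurs in the `setInsideView(boolean insiderView)` parameter in the next hunk, in the HiveTableScan field comment and in the genTablePlan comment in SemanticAnalyzer. Since this flag decides whether column authorization is collected for the scan, the comment should say so, e.g. `// True when this scan comes from a view definition; Driver skips column authorization for it.` The field is `transient`, so presumably it is not carried in a serialized plan; that looks fine for a compile-time check but is worth confirming.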
@@ -362,4 +364,12 @@ public boolean supportAutomaticSortMergeJoin() { return ts; } + public boolean isInsideView() { + return insideView; + } + + public void setInsideView(boolean insiderView) { + this.insideView = insiderView; + } + } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/reloperators/HiveTableScan.java b/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/reloperators/HiveTableScan.java index e9e9d0b..c9505e4 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/reloperators/HiveTableScan.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/reloperators/HiveTableScan.java @@ -64,6 +64,8 @@ private final String concatQbIDAlias; private final boolean useQBIdInDigest; private final ImmutableSet viurtualOrPartColIndxsInTS; + // insiderView will tell this TableScan is inside a view or not. + private final boolean insideView; public String getTableAlias() { return tblAlias; @@ -86,12 +88,12 @@ public String getConcatQbIDAlias() { * HiveDB table */ public HiveTableScan(RelOptCluster cluster, RelTraitSet traitSet, RelOptHiveTable table, - String alias, String concatQbIDAlias, boolean useQBIdInDigest) { - this(cluster, traitSet, table, alias, concatQbIDAlias, table.getRowType(), useQBIdInDigest); + String alias, String concatQbIDAlias, boolean useQBIdInDigest, boolean insideView) { + this(cluster, traitSet, table, alias, concatQbIDAlias, table.getRowType(), useQBIdInDigest, insideView); } private HiveTableScan(RelOptCluster cluster, RelTraitSet traitSet, RelOptHiveTable table, - String alias, String concatQbIDAlias, RelDataType newRowtype, boolean useQBIdInDigest) { + String alias, String concatQbIDAlias, RelDataType newRowtype, boolean useQBIdInDigest, boolean insideView) { super(cluster, TraitsUtil.getDefaultTraitSet(cluster), table); assert getConvention() == HiveRelNode.CONVENTION; this.tblAlias = alias; 
@@ -101,6 +103,7 @@ private HiveTableScan(RelOptCluster cluster, RelTraitSet traitSet, RelOptHiveTab this.neededColIndxsFrmReloptHT = colIndxPair.getKey(); this.viurtualOrPartColIndxsInTS = colIndxPair.getValue(); this.useQBIdInDigest = useQBIdInDigest; + this.insideView = insideView; } @Override @@ -118,7 +121,7 @@ public RelNode copy(RelTraitSet traitSet, List inputs) { */ public HiveTableScan copy(RelDataType newRowtype) { return new HiveTableScan(getCluster(), getTraitSet(), ((RelOptHiveTable) table), this.tblAlias, this.concatQbIDAlias, - newRowtype, this.useQBIdInDigest); + newRowtype, this.useQBIdInDigest, this.insideView); } @Override @@ -237,4 +240,16 @@ public RelDataType getPrunedRowType() { return new Pair, ImmutableSet>(neededColIndxsFrmReloptHT, viurtualOrPartColIndxsInTS); } + + public boolean isInsideView() { + return insideView; + } + + // We need to include isInsideView inside digest to differentiate direct + // tables and tables inside view. Otherwise, Calcite will treat them as the same. + public String computeDigest() { + String digest = super.computeDigest(); + return digest + "[" + this.isInsideView() + "]"; + } + } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/translator/ASTBuilder.java b/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/translator/ASTBuilder.java index d39744b..682d0cb 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/translator/ASTBuilder.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/translator/ASTBuilder.java 
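Review bot: The new `computeDigest()` in HiveTableScan calls `super.computeDigest()` but carries no `@Override`, unlike the methods around it; add it so that an upstream signature change fails at compile time: `@Override public String computeDigest() {`. The digest suffix is what keeps a direct scan and an in-view scan of the same table from being treated as one node, and with them their different authorization treatment, so it deserves that protection. The explanatory `//` comment would read better as Javadoc on the method.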
@@ -62,6 +62,14 @@ static ASTNode table(TableScan scan) { ASTBuilder.construct(HiveParser.TOK_TABNAME, "TOK_TABNAME") .add(HiveParser.Identifier, hTbl.getHiveTableMD().getDbName()) .add(HiveParser.Identifier, hTbl.getHiveTableMD().getTableName())); + // we need to carry the insideView information from calcite into the ast. + if (((HiveTableScan) scan).isInsideView()) { + b.add(ASTBuilder.construct(HiveParser.TOK_TABLEPROPERTIES, "TOK_TABLEPROPERTIES").add( + ASTBuilder.construct(HiveParser.TOK_TABLEPROPLIST, "TOK_TABLEPROPLIST").add( + ASTBuilder.construct(HiveParser.TOK_TABLEPROPERTY, "TOK_TABLEPROPERTY") + .add(HiveParser.StringLiteral, "\"insideView\"") + .add(HiveParser.StringLiteral, "\"TRUE\"")))); + } // NOTE: Calcite considers tbls to be equal if their names are the same. Hence // we need to provide Calcite the fully qualified table name (dbname.tblname) diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/CalcitePlanner.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/CalcitePlanner.java index c36aa9d..f8860b7 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/CalcitePlanner.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/CalcitePlanner.java @@ -1706,7 +1706,8 @@ private RelNode genTableLogicalPlan(String tableAlias, QB qb) throws SemanticExc tableRel = new HiveTableScan(cluster, cluster.traitSetOf(HiveRelNode.CONVENTION), optTable, null == tableAlias ? tabMetaData.getTableName() : tableAlias, getAliasId(tableAlias, qb), HiveConf.getBoolVar(conf, - HiveConf.ConfVars.HIVE_CBO_RETPATH_HIVEOP)); + HiveConf.ConfVars.HIVE_CBO_RETPATH_HIVEOP), qb.isInsideView() + || qb.getAliasInsideView().contains(tableAlias.toLowerCase())); // 6. Add Schema(RR) to RelNode-Schema map ImmutableMap hiveToCalciteColMap = buildHiveToCalciteColumnMap(rr, diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/QB.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/QB.java index 91352b2..cf3bbf0 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/QB.java 
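Review bot: The cast `((HiveTableScan) scan).isInsideView()` in table(TableScan scan) is unchecked, so any other TableScan implementation reaching this method would fail with a ClassCastException. The method begins outside the hunk, so an earlier cast may already guarantee the type; if not, guard it with `if (scan instanceof HiveTableScan && ((HiveTableScan) scan).isInsideView()) {`. The literals `"insideView"` and `"TRUE"` are repeated in SemanticAnalyzer.processTable, and a shared constant would keep producer and consumer from drifting apart.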
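Review bot: `tableAlias.toLowerCase()` in the new HiveTableScan argument can throw a NullPointerException: the same constructor call already handles `null == tableAlias`, and when `qb.isInsideView()` is false the right-hand side of `||` is evaluated. Guard the lookup, e.g. `qb.isInsideView() || (tableAlias != null && qb.getAliasInsideView().contains(tableAlias.toLowerCase()))`. genTableLogicalPlan continues outside the hunk, so whether a null alias actually reaches this point should be confirmed there.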
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/QB.java @@ -21,6 +21,7 @@ import java.util.ArrayList; import java.util.Collections; import java.util.HashMap; +import java.util.HashSet; import java.util.LinkedHashMap; import java.util.List; import java.util.Map; @@ -59,6 +60,8 @@ private CreateTableDesc tblDesc = null; // table descriptor of the final private CreateTableDesc directoryDesc = null ; private List encryptedTargetTablePaths; + private boolean insideView; + private Set aliasInsideView; // used by PTFs /* @@ -123,6 +126,7 @@ public QB(String outer_id, String alias, boolean isSubQ) { ptfNodeToSpec = new LinkedHashMap(); destToWindowingSpec = new LinkedHashMap(); id = getAppendedAliasFromId(outer_id, alias); + aliasInsideView = new HashSet<>(); } // For sub-queries, the id. and alias should be appended since same aliases can be re-used @@ -416,4 +420,16 @@ void addEncryptedTargetTablePath(Path p) { return viewAliasToViewSchema; } + public boolean isInsideView() { + return insideView; + } + + public void setInsideView(boolean insideView) { + this.insideView = insideView; + } + + public Set getAliasInsideView() { + return aliasInsideView; + } + } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java index 633c212..2dcb6d6 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java 
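Review bot: `getAliasInsideView()` in QB hands out the mutable `HashSet` itself, and every caller must remember to call `toLowerCase()` before `add` or `contains` (processTable twice, genTablePlan, CalcitePlanner). Because membership in this set switches off column authorization for a scan, I would keep the set private to QB and expose two small methods that normalize the alias in one place, as sketched below. `toLowerCase()` without a locale is also locale-sensitive; `Locale.ROOT` avoids that, at the cost of one more `java.util` import in this file. The class body continues outside the hunk.

```java
  // … unchanged: isInsideView / setInsideView …

  /** Records that {@code alias} refers to a table reached through a view. */
  public void addAliasInsideView(String alias) {
    aliasInsideView.add(alias.toLowerCase(Locale.ROOT));
  }

  /** Returns true when {@code alias} was recorded as reached through a view. */
  public boolean isAliasInsideView(String alias) {
    return alias != null && aliasInsideView.contains(alias.toLowerCase(Locale.ROOT));
  }
```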
@@ -435,14 +435,19 @@ public CompilationOpContext getOpContext() { return ctx.getOpContext(); } - @SuppressWarnings("nls") public void doPhase1QBExpr(ASTNode ast, QBExpr qbexpr, String id, String alias) throws SemanticException { + doPhase1QBExpr(ast, qbexpr, id, alias, false); + } + @SuppressWarnings("nls") + public void doPhase1QBExpr(ASTNode ast, QBExpr qbexpr, String id, String alias, boolean insideView) + throws SemanticException { assert (ast.getToken() != null); switch (ast.getToken().getType()) { case HiveParser.TOK_QUERY: { QB qb = new QB(id, alias, true); + qb.setInsideView(insideView); Phase1Ctx ctx_1 = initPhase1Ctx(); doPhase1(ast, qb, ctx_1, null); @@ -456,14 +461,14 @@ public void doPhase1QBExpr(ASTNode ast, QBExpr qbexpr, String id, String alias) assert (ast.getChild(0) != null); QBExpr qbexpr1 = new QBExpr(alias + SUBQUERY_TAG_1); doPhase1QBExpr((ASTNode) ast.getChild(0), qbexpr1, id + SUBQUERY_TAG_1, - alias + SUBQUERY_TAG_1); + alias + SUBQUERY_TAG_1, insideView); qbexpr.setQBExpr1(qbexpr1); // query 2 assert (ast.getChild(1) != null); QBExpr qbexpr2 = new QBExpr(alias + SUBQUERY_TAG_2); doPhase1QBExpr((ASTNode) ast.getChild(1), qbexpr2, id + SUBQUERY_TAG_2, - alias + SUBQUERY_TAG_2); + alias + SUBQUERY_TAG_2, insideView); qbexpr.setQBExpr2(qbexpr2); } break; @@ -656,6 +661,10 @@ private String processTable(QB qb, ASTNode tabref) throws SemanticException { if (propsIndex >= 0) { Tree propsAST = tabref.getChild(propsIndex); Map props = DDLSemanticAnalyzer.getProps((ASTNode) propsAST.getChild(0)); + // We get the information from Calcite. + if ("TRUE".equals(props.get("insideView"))) { + qb.getAliasInsideView().add(alias.toLowerCase()); + } qb.setTabProps(alias, props); } 
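Review bot: The new five-argument `doPhase1QBExpr(..., boolean insideView)` is `public` and undocumented, yet passing `true` marks the whole query block as view-internal, which later exempts its table scans from column authorization. Unless callers outside this class hierarchy need it, I would give the overload the narrowest visibility that still compiles. It also needs Javadoc stating that `insideView` must be true only when the AST comes from a stored view definition. The method body continues into the next hunk.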
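Review bot: In processTable the view marker is read from `props`, the same map that `DDLSemanticAnalyzer.getProps` fills from the table-properties node of the tabref, so `"TRUE".equals(props.get("insideView"))` cannot tell a marker emitted by ASTBuilder from a property that arrived with the query text. If the grammar lets a user-written table reference carry properties, an authorization-relevant flag would be settable in-band. I would either carry the flag out of band (a dedicated AST token, or a field set on the Calcite return path) or reject the `insideView` key on ASTs that did not come from ASTBuilder, and add a negative test for it. The marker also stays in the map passed to `qb.setTabProps(alias, props)`; confirm nothing downstream treats it as a real table property.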
@@ -730,6 +739,9 @@ private String processTable(QB qb, ASTNode tabref) throws SemanticException { } // Insert this map into the stats qb.setTabAlias(alias, tabIdName); + if (qb.isInsideView()) { + qb.getAliasInsideView().add(alias.toLowerCase()); + } qb.addAlias(alias); qb.getParseInfo().setSrcForAlias(alias, tableTree); @@ -1895,8 +1907,8 @@ private void getMetaData(QB qb, ReadEntity parentInput) } replaceViewReferenceWithDefinition(qb, tab, tabName, alias); // This is the last time we'll see the Table objects for views, so add it to the inputs - // now - ReadEntity viewInput = new ReadEntity(tab, parentInput); + // now. isInsideView will tell if this view is embedded in another view. + ReadEntity viewInput = new ReadEntity(tab, parentInput, !qb.isInsideView()); viewInput = PlanUtils.addInput(inputs, viewInput); aliasToViewInfo.put(alias, new ObjectPair(fullViewName, viewInput)); viewAliasToInput.put(getAliasId(alias, qb), viewInput); @@ -2303,8 +2315,11 @@ public Object dispatch(Node nd, java.util.Stack stack, throw new SemanticException(sb.toString(), e); } QBExpr qbexpr = new QBExpr(alias); - doPhase1QBExpr(viewTree, qbexpr, qb.getId(), alias); - if (!this.skipAuthorization() + doPhase1QBExpr(viewTree, qbexpr, qb.getId(), alias, true); + // if skip authorization, skip checking; + // if it is inside a view, skip checking; + // if authorization flag is not enabled, skip checking. + if (!this.skipAuthorization() && !qb.isInsideView() && HiveConf.getBoolVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) { qb.rewriteViewToSubq(alias, tab_name, qbexpr, tab); } 
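Review bot: `new ReadEntity(tab, parentInput, !qb.isInsideView())` passes a negated flag positionally, and the comment above it talks about `isInsideView` rather than what the third argument means. Judging by the `read.isDirect()` check added in Driver, that argument is the entity's direct flag, so a named local would make the authorization consequence readable: `boolean isDirect = !qb.isInsideView();` followed by `new ReadEntity(tab, parentInput, isDirect)`. I would reword the comment to `// A view referenced from inside another view is an indirect input and is not authorized on its own.` getMetaData continues outside the hunk.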
@@ -9630,6 +9645,9 @@ private Operator genTablePlan(String alias, QB qb) throws SemanticException { top = (TableScanOperator) putOpInsertMap(OperatorFactory.get(getOpContext(), tsDesc, new RowSchema(rwsch.getColumnInfos())), rwsch); + // Set insiderView so that we can skip the column authorization for this. + top.setInsideView(qb.isInsideView() || qb.getAliasInsideView().contains(alias.toLowerCase())); + // Add this to the list of top operators - we always start from a table // scan topOps.put(alias_id, top); diff --git a/ql/src/test/queries/clientnegative/authorization_view_5.q b/ql/src/test/queries/clientnegative/authorization_view_5.q new file mode 100644 index 0000000..3b042c3 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_view_5.q @@ -0,0 +1,16 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; + +create table src_autho_test as select * from src; + +create view v1 as select * from src_autho_test; + +create view v2 as select * from v1; + +set hive.security.authorization.enabled=true; + +--table not grant to user + +--grant select on table v2 to user hive_test_user; + +select * from v2 order by key limit 10; + diff --git a/ql/src/test/queries/clientnegative/authorization_view_6.q b/ql/src/test/queries/clientnegative/authorization_view_6.q new file mode 100644 index 0000000..38873a7 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_view_6.q 
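Review bot: The new .q files, starting with authorization_view_5.q, cover nested views over an unpartitioned table with CBO on and off, but none exercises the two other paths this commit touches. Those are a view whose definition is a UNION (doPhase1QBExpr now threads `insideView` into both branches) and a partitioned table with partition-level authorization (the `part2Cols` branch in getTablePartitionUsedColumns). A negative test for each, where the base table is also referenced directly without a grant, would pin the intended behaviour. A header comment in each file stating the expected outcome, e.g. `-- expected: fails, no SELECT grant on v2`, would help too; the commented-out `--grant` lines only hint at it.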
@@ -0,0 +1,18 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+create table src_autho_test as select * from src;
+
+create view v1 as select * from src_autho_test;
+
+create view v2 as select * from v1;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select on table v2 to user hive_test_user;
+
+--grant select(key) on table src_autho_test to user hive_test_user;
+
+select v2.key from v2 join (select key from src_autho_test)subq on v2.value=subq.key order by key limit 10;
+
diff --git a/ql/src/test/queries/clientnegative/authorization_view_7.q b/ql/src/test/queries/clientnegative/authorization_view_7.q
new file mode 100644
index 0000000..3740bf9
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_view_7.q
@@ -0,0 +1,18 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+create table src_autho_test as select * from src;
+
+create view v1 as select * from src;
+
+create view v2 as select * from v1;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select on table v2 to user hive_test_user;
+
+--grant select(key) on table src_autho_test to user hive_test_user;
+
+select v2.key from v2 join (select key from src_autho_test)subq on v2.value=subq.key order by key limit 10;
+
diff --git a/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_5.q b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_5.q
new file mode 100644
index 0000000..a0070c2
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_5.q
@@ -0,0 +1,17 @@
+set hive.cbo.enable=false;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+create table src_autho_test as select * from src;
+
+create view v1 as select * from src_autho_test;
+
+create view v2 as select * from v1;
+
+set hive.security.authorization.enabled=true;
+
+--table not grant to user
+
+--grant select on table v2 to user hive_test_user;
+
+select * from v2 order by key limit 10;
+
diff --git a/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_6.q b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_6.q
new file mode 100644
index 0000000..bc0d547
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_6.q
@@ -0,0 +1,19 @@
+set hive.cbo.enable=false;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+create table src_autho_test as select * from src;
+
+create view v1 as select * from src_autho_test;
+
+create view v2 as select * from v1;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select on table v2 to user hive_test_user;
+
+--grant select(key) on table src_autho_test to user hive_test_user;
+
+select v2.key from v2 join (select key from src_autho_test)subq on v2.value=subq.key order by key limit 10;
+
diff --git a/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_7.q b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_7.q
new file mode 100644
index 0000000..51b453d
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_7.q
@@ -0,0 +1,19 @@
+set hive.cbo.enable=false;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+create table src_autho_test as select * from src;
+
+create view v1 as select * from src;
+
+create view v2 as select * from v1;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select on table v2 to user hive_test_user;
+
+--grant select(key) on table src_autho_test to user hive_test_user;
+
+select v2.key from v2 join (select key from src_autho_test)subq on v2.value=subq.key order by key limit 10;
+
diff --git a/ql/src/test/queries/clientpositive/authorization_view_2.q b/ql/src/test/queries/clientpositive/authorization_view_2.q
new file mode 100644
index 0000000..8e6138d
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/authorization_view_2.q
@@ -0,0 +1,16 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+create table src_autho_test as select * from src;
+
+create view v1 as select * from src_autho_test;
+
+create view v2 as select * from v1;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select on table v2 to user hive_test_user;
+
+select * from v2 order by key limit 10;
+
diff --git a/ql/src/test/queries/clientpositive/authorization_view_3.q b/ql/src/test/queries/clientpositive/authorization_view_3.q
new file mode 100644
index 0000000..aaf971e
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/authorization_view_3.q
@@ -0,0 +1,18 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+create table src_autho_test as select * from src;
+
+create view v1 as select * from src_autho_test;
+
+create view v2 as select * from v1;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select on table v2 to user hive_test_user;
+
+grant select(key) on table src_autho_test to user hive_test_user;
+
+select v2.key from v2 join (select key from src_autho_test)subq on v2.value=subq.key order by key limit 10;
+
diff --git a/ql/src/test/queries/clientpositive/authorization_view_4.q b/ql/src/test/queries/clientpositive/authorization_view_4.q
new file mode 100644
index 0000000..53ce350
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/authorization_view_4.q
@@ -0,0 +1,18 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+create table src_autho_test as select * from src;
+
+create view v1 as select * from src;
+
+create view v2 as select * from v1;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select on table v2 to user hive_test_user;
+
+grant select(key) on table src_autho_test to user hive_test_user;
+
+select v2.key from v2 join (select key from src_autho_test)subq on v2.value=subq.key order by key limit 10;
+
diff --git a/ql/src/test/queries/clientpositive/authorization_view_disable_cbo_2.q b/ql/src/test/queries/clientpositive/authorization_view_disable_cbo_2.q
new file mode 100644
index 0000000..03d4387
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/authorization_view_disable_cbo_2.q
@@ -0,0 +1,17 @@
+set hive.cbo.enable=false;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+create table src_autho_test as select * from src;
+
+create view v1 as select * from src_autho_test;
+
+create view v2 as select * from v1;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select on table v2 to user hive_test_user;
+
+select * from v2 order by key limit 10;
+
diff --git a/ql/src/test/queries/clientpositive/authorization_view_disable_cbo_3.q b/ql/src/test/queries/clientpositive/authorization_view_disable_cbo_3.q
new file mode 100644
index 0000000..44f9503
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/authorization_view_disable_cbo_3.q
@@ -0,0 +1,19 @@
+set hive.cbo.enable=false;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+create table src_autho_test as select * from src;
+
+create view v1 as select * from src_autho_test;
+
+create view v2 as select * from v1;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select on table v2 to user hive_test_user;
+
+grant select(key) on table src_autho_test to user hive_test_user;
+
+select v2.key from v2 join (select key from src_autho_test)subq on v2.value=subq.key order by key limit 10;
+
diff --git a/ql/src/test/queries/clientpositive/authorization_view_disable_cbo_4.q b/ql/src/test/queries/clientpositive/authorization_view_disable_cbo_4.q
new file mode 100644
index 0000000..40424c4
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/authorization_view_disable_cbo_4.q
@@ -0,0 +1,19 @@
+set hive.cbo.enable=false;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+create table src_autho_test as select * from src;
+
+create view v1 as select * from src;
+
+create view v2 as select * from v1;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select on table v2 to user hive_test_user;
+
+grant select(key) on table src_autho_test to user hive_test_user;
+
+select v2.key from v2 join (select key from src_autho_test)subq on v2.value=subq.key order by key limit 10;
+
diff --git a/ql/src/test/results/clientnegative/authorization_view_5.q.out b/ql/src/test/results/clientnegative/authorization_view_5.q.out
new file mode 100644
index 0000000..a185146
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_view_5.q.out
@@ -0,0 +1,35 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+POSTHOOK: Lineage: src_autho_test.key SIMPLE [(src)src.FieldSchema(name:key, type:string, comment:default), ]
+POSTHOOK: Lineage: src_autho_test.value SIMPLE [(src)src.FieldSchema(name:value, type:string, comment:default), ]
+PREHOOK: query: create view v1 as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v1
+POSTHOOK: query: create view v1 as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v1
+PREHOOK: query: create view v2 as select * from v1
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v2
+POSTHOOK: query: create view v2 as select * from v1
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v2
+Authorization failed:No privilege 'Select' found for inputs { database:default, table:v2, columnName:key}. Use SHOW GRANT to get more details.
diff --git a/ql/src/test/results/clientnegative/authorization_view_6.q.out b/ql/src/test/results/clientnegative/authorization_view_6.q.out
new file mode 100644
index 0000000..6584497
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_view_6.q.out
@@ -0,0 +1,45 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+POSTHOOK: Lineage: src_autho_test.key SIMPLE [(src)src.FieldSchema(name:key, type:string, comment:default), ]
+POSTHOOK: Lineage: src_autho_test.value SIMPLE [(src)src.FieldSchema(name:value, type:string, comment:default), ]
+PREHOOK: query: create view v1 as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v1
+POSTHOOK: query: create view v1 as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v1
+PREHOOK: query: create view v2 as select * from v1
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v2
+POSTHOOK: query: create view v2 as select * from v1
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v2
+PREHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v2
+POSTHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v2
+Authorization failed:No privilege 'Select' found for inputs { database:default, table:src_autho_test, columnName:key}. Use SHOW GRANT to get more details.
diff --git a/ql/src/test/results/clientnegative/authorization_view_7.q.out b/ql/src/test/results/clientnegative/authorization_view_7.q.out
new file mode 100644
index 0000000..e7c93f7
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_view_7.q.out
@@ -0,0 +1,45 @@ +PREHOOK: query: create table src_autho_test as select * from src +PREHOOK: type: CREATETABLE_AS_SELECT +PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: create table src_autho_test as select * from src +POSTHOOK: type: CREATETABLE_AS_SELECT +POSTHOOK: Input: default@src +POSTHOOK: Output: database:default +POSTHOOK: Output: default@src_autho_test +POSTHOOK: Lineage: src_autho_test.key SIMPLE [(src)src.FieldSchema(name:key, type:string, comment:default), ] +POSTHOOK: Lineage: src_autho_test.value SIMPLE [(src)src.FieldSchema(name:value, type:string, comment:default), ] +PREHOOK: query: create view v1 as select * from src +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@v1 +POSTHOOK: query: create view v1 as select * from src +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v1 +PREHOOK: query: create view v2 as select * from v1 +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src +PREHOOK: Input: default@v1 +PREHOOK: Output: database:default +PREHOOK: Output: default@v2 +POSTHOOK: query: create view v2 as select * from v1 +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src +POSTHOOK: Input: default@v1 +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v2 +PREHOOK: query: --table grant to user + +grant select on table v2 to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v2 +POSTHOOK: query: --table grant to user + +grant select on table v2 to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v2 +Authorization failed:No privilege 'Select' found for inputs { database:default, table:src_autho_test, columnName:key}. Use SHOW GRANT to get more details. 
diff --git a/ql/src/test/results/clientnegative/authorization_view_disable_cbo_5.q.out b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_5.q.out
new file mode 100644
index 0000000..4abeba9
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_5.q.out
@@ -0,0 +1,33 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: create view v1 as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v1
+POSTHOOK: query: create view v1 as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v1
+PREHOOK: query: create view v2 as select * from v1
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v2
+POSTHOOK: query: create view v2 as select * from v1
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v2
+Authorization failed:No privilege 'Select' found for inputs { database:default, table:v2, columnName:key}. Use SHOW GRANT to get more details.
diff --git a/ql/src/test/results/clientnegative/authorization_view_disable_cbo_6.q.out b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_6.q.out
new file mode 100644
index 0000000..22b2eb0
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_6.q.out
@@ -0,0 +1,43 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: create view v1 as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v1
+POSTHOOK: query: create view v1 as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v1
+PREHOOK: query: create view v2 as select * from v1
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v2
+POSTHOOK: query: create view v2 as select * from v1
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v2
+PREHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v2
+POSTHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v2
+Authorization failed:No privilege 'Select' found for inputs { database:default, table:src_autho_test, columnName:key}. Use SHOW GRANT to get more details.
diff --git a/ql/src/test/results/clientnegative/authorization_view_disable_cbo_7.q.out b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_7.q.out
new file mode 100644
index 0000000..14285f6
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_7.q.out
@@ -0,0 +1,43 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: create view v1 as select * from src
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v1
+POSTHOOK: query: create view v1 as select * from src
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v1
+PREHOOK: query: create view v2 as select * from v1
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src
+PREHOOK: Input: default@v1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v2
+POSTHOOK: query: create view v2 as select * from v1
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src
+POSTHOOK: Input: default@v1
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v2
+PREHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v2
+POSTHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v2
+Authorization failed:No privilege 'Select' found for inputs { database:default, table:src_autho_test, columnName:key}. Use SHOW GRANT to get more details.
diff --git a/ql/src/test/results/clientpositive/authorization_view_2.q.out b/ql/src/test/results/clientpositive/authorization_view_2.q.out
new file mode 100644
index 0000000..0b61663
--- /dev/null
+++ b/ql/src/test/results/clientpositive/authorization_view_2.q.out
@@ -0,0 +1,66 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+POSTHOOK: Lineage: src_autho_test.key SIMPLE [(src)src.FieldSchema(name:key, type:string, comment:default), ]
+POSTHOOK: Lineage: src_autho_test.value SIMPLE [(src)src.FieldSchema(name:value, type:string, comment:default), ]
+PREHOOK: query: create view v1 as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v1
+POSTHOOK: query: create view v1 as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v1
+PREHOOK: query: create view v2 as select * from v1
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v2
+POSTHOOK: query: create view v2 as select * from v1
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v2
+PREHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v2
+POSTHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v2
+PREHOOK: query: select * from v2 order by key limit 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Input: default@v2
+#### A masked pattern was here ####
+POSTHOOK: query: select * from v2 order by key limit 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Input: default@v2
+#### A masked pattern was here ####
+0 val_0
+0 val_0
+0 val_0
+10 val_10
+100 val_100
+100 val_100
+103 val_103
+103 val_103
+104 val_104
+104 val_104
diff --git a/ql/src/test/results/clientpositive/authorization_view_3.q.out b/ql/src/test/results/clientpositive/authorization_view_3.q.out
new file mode 100644
index 0000000..cbc40b5
--- /dev/null
+++ b/ql/src/test/results/clientpositive/authorization_view_3.q.out
@@ -0,0 +1,62 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+POSTHOOK: Lineage: src_autho_test.key SIMPLE [(src)src.FieldSchema(name:key, type:string, comment:default), ]
+POSTHOOK: Lineage: src_autho_test.value SIMPLE [(src)src.FieldSchema(name:value, type:string, comment:default), ]
+PREHOOK: query: create view v1 as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v1
+POSTHOOK: query: create view v1 as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v1
+PREHOOK: query: create view v2 as select * from v1
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v2
+POSTHOOK: query: create view v2 as select * from v1
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v2
+PREHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v2
+POSTHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v2
+PREHOOK: query: grant select(key) on table src_autho_test to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: grant select(key) on table src_autho_test to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: select v2.key from v2 join (select key from src_autho_test)subq on v2.value=subq.key order by key limit 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Input: default@v2
+#### A masked pattern was here ####
+POSTHOOK: query: select v2.key from v2 join (select key from src_autho_test)subq on v2.value=subq.key order by key limit 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Input: default@v2
+#### A masked pattern was here ####
diff --git a/ql/src/test/results/clientpositive/authorization_view_4.q.out b/ql/src/test/results/clientpositive/authorization_view_4.q.out
new file mode 100644
index 0000000..f859923
--- /dev/null
+++ b/ql/src/test/results/clientpositive/authorization_view_4.q.out
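Review bot: The expected output for the final `select v2.key from v2 join (select key from src_autho_test)subq on v2.value=subq.key` contains no result rows, so this golden file pins only that authorization succeeds, not that the view still returns data under the narrower `select(key)` grant. The rows visible in authorization_view_2.q.out pair keys such as `0` with values such as `val_0`, so the condition `v2.value=subq.key` presumably never matches. A condition that can match while still reading `value` through the view, for example `on v2.value=concat('val_', subq.key)`, would make the expectation show rows; the query itself lives in the .q file, which is outside this hunk. The same applies to authorization_view_4.q.out and to the disable_cbo_3 and disable_cbo_4 variants.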
@@ -0,0 +1,64 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+POSTHOOK: Lineage: src_autho_test.key SIMPLE [(src)src.FieldSchema(name:key, type:string, comment:default), ]
+POSTHOOK: Lineage: src_autho_test.value SIMPLE [(src)src.FieldSchema(name:value, type:string, comment:default), ]
+PREHOOK: query: create view v1 as select * from src
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v1
+POSTHOOK: query: create view v1 as select * from src
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v1
+PREHOOK: query: create view v2 as select * from v1
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src
+PREHOOK: Input: default@v1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v2
+POSTHOOK: query: create view v2 as select * from v1
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src
+POSTHOOK: Input: default@v1
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v2
+PREHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v2
+POSTHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v2
+PREHOOK: query: grant select(key) on table src_autho_test to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: grant select(key) on table src_autho_test to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: select v2.key from v2 join (select key from src_autho_test)subq on v2.value=subq.key order by key limit 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Input: default@v2
+#### A masked pattern was here ####
+POSTHOOK: query: select v2.key from v2 join (select key from src_autho_test)subq on v2.value=subq.key order by key limit 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Input: default@v2
+#### A masked pattern was here ####
diff --git a/ql/src/test/results/clientpositive/authorization_view_disable_cbo_2.q.out b/ql/src/test/results/clientpositive/authorization_view_disable_cbo_2.q.out
new file mode 100644
index 0000000..0b61663
--- /dev/null
+++ b/ql/src/test/results/clientpositive/authorization_view_disable_cbo_2.q.out
@@ -0,0 +1,66 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+POSTHOOK: Lineage: src_autho_test.key SIMPLE [(src)src.FieldSchema(name:key, type:string, comment:default), ]
+POSTHOOK: Lineage: src_autho_test.value SIMPLE [(src)src.FieldSchema(name:value, type:string, comment:default), ]
+PREHOOK: query: create view v1 as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v1
+POSTHOOK: query: create view v1 as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v1
+PREHOOK: query: create view v2 as select * from v1
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v2
+POSTHOOK: query: create view v2 as select * from v1
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v2
+PREHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v2
+POSTHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v2
+PREHOOK: query: select * from v2 order by key limit 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Input: default@v2
+#### A masked pattern was here ####
+POSTHOOK: query: select * from v2 order by key limit 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Input: default@v2
+#### A masked pattern was here ####
+0 val_0
+0 val_0
+0 val_0
+10 val_10
+100 val_100
+100 val_100
+103 val_103
+103 val_103
+104 val_104
+104 val_104
diff --git a/ql/src/test/results/clientpositive/authorization_view_disable_cbo_3.q.out b/ql/src/test/results/clientpositive/authorization_view_disable_cbo_3.q.out
new file mode 100644
index 0000000..cbc40b5
--- /dev/null
+++ b/ql/src/test/results/clientpositive/authorization_view_disable_cbo_3.q.out
@@ -0,0 +1,62 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+POSTHOOK: Lineage: src_autho_test.key SIMPLE [(src)src.FieldSchema(name:key, type:string, comment:default), ]
+POSTHOOK: Lineage: src_autho_test.value SIMPLE [(src)src.FieldSchema(name:value, type:string, comment:default), ]
+PREHOOK: query: create view v1 as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v1
+POSTHOOK: query: create view v1 as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v1
+PREHOOK: query: create view v2 as select * from v1
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v2
+POSTHOOK: query: create view v2 as select * from v1
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v2
+PREHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v2
+POSTHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v2
+PREHOOK: query: grant select(key) on table src_autho_test to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: grant select(key) on table src_autho_test to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: select v2.key from v2 join (select key from src_autho_test)subq on v2.value=subq.key order by key limit 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Input: default@v2
+#### A masked pattern was here ####
+POSTHOOK: query: select v2.key from v2 join (select key from src_autho_test)subq on v2.value=subq.key order by key limit 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Input: default@v2
+#### A masked pattern was here ####
diff --git a/ql/src/test/results/clientpositive/authorization_view_disable_cbo_4.q.out b/ql/src/test/results/clientpositive/authorization_view_disable_cbo_4.q.out
new file mode 100644
index 0000000..f859923
--- /dev/null
+++ b/ql/src/test/results/clientpositive/authorization_view_disable_cbo_4.q.out
@@ -0,0 +1,64 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+POSTHOOK: Lineage: src_autho_test.key SIMPLE [(src)src.FieldSchema(name:key, type:string, comment:default), ]
+POSTHOOK: Lineage: src_autho_test.value SIMPLE [(src)src.FieldSchema(name:value, type:string, comment:default), ]
+PREHOOK: query: create view v1 as select * from src
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v1
+POSTHOOK: query: create view v1 as select * from src
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v1
+PREHOOK: query: create view v2 as select * from v1
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src
+PREHOOK: Input: default@v1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v2
+POSTHOOK: query: create view v2 as select * from v1
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src
+POSTHOOK: Input: default@v1
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v2
+PREHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v2
+POSTHOOK: query: --table grant to user
+
+grant select on table v2 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v2
+PREHOOK: query: grant select(key) on table src_autho_test to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: grant select(key) on table src_autho_test to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test +PREHOOK: query: select v2.key from v2 join (select key from src_autho_test)subq on v2.value=subq.key order by key limit 10 +PREHOOK: type: QUERY +PREHOOK: Input: default@src +PREHOOK: Input: default@src_autho_test +PREHOOK: Input: default@v1 +PREHOOK: Input: default@v2 +#### A masked pattern was here #### +POSTHOOK: query: select v2.key from v2 join (select key from src_autho_test)subq on v2.value=subq.key order by key limit 10 +POSTHOOK: type: QUERY +POSTHOOK: Input: default@src +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Input: default@v1 +POSTHOOK: Input: default@v2 +#### A masked pattern was here #### diff --git a/ql/src/test/results/clientpositive/subquery_views.q.out b/ql/src/test/results/clientpositive/subquery_views.q.out index 6ab2ad0..fab919d 100644 --- a/ql/src/test/results/clientpositive/subquery_views.q.out +++ b/ql/src/test/results/clientpositive/subquery_views.q.out @@ -136,7 +136,7 @@ STAGE PLANS: Map Reduce Map Operator Tree: TableScan - alias: b + alias: a Statistics: Num rows: 500 Data size: 5312 Basic stats: COMPLETE Column stats: NONE Filter Operator predicate: ((value > 'val_11') and (key is null or value is null)) (type: boolean) @@ -217,7 +217,7 @@ STAGE PLANS: Map-reduce partition columns: _col0 (type: string), _col1 (type: string), _col0 (type: string) Statistics: Num rows: 182 Data size: 1939 Basic stats: COMPLETE Column stats: NONE TableScan - alias: b + alias: a Statistics: Num rows: 500 Data size: 5312 Basic stats: COMPLETE Column stats: NONE Filter Operator predicate: ((value > 'val_11') and (key < '11')) (type: boolean) @@ -291,7 +291,7 @@ STAGE PLANS: Map Reduce Map Operator Tree: TableScan - alias: b + alias: a Statistics: Num rows: 500 Data size: 5312 Basic stats: COMPLETE Column stats: NONE Filter Operator predicate: ((value > 'val_11') and (key is null or value is null)) (type: boolean) 
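Review bot: The expected TableScan alias changes from `b` to `a` in all four hunks of subquery_views.q.out, and the same `b` to `a` change shows up in the `default@src_cbo,...` line of explainuser_1.q.out, while the Statistics and predicate lines around each scan stay unchanged. Nothing visible in these hunks says why the alias reported in the plan is now different, so it is worth confirming that this is an intended side effect and not a change in which alias a scan is attributed to. If it is intended, one sentence in the commit description along the lines of `EXPLAIN output: TableScan alias changes from b to a in subquery_views and explainuser_1 because <reason>` would document it for whoever next regenerates these files.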
@@ -372,7 +372,7 @@ STAGE PLANS: Map-reduce partition columns: _col0 (type: string), _col1 (type: string), _col0 (type: string) Statistics: Num rows: 182 Data size: 1939 Basic stats: COMPLETE Column stats: NONE TableScan - alias: b + alias: a Statistics: Num rows: 500 Data size: 5312 Basic stats: COMPLETE Column stats: NONE Filter Operator predicate: ((value > 'val_11') and (key < '11')) (type: boolean) diff --git a/ql/src/test/results/clientpositive/tez/explainuser_1.q.out b/ql/src/test/results/clientpositive/tez/explainuser_1.q.out index a3ff85c..b7a8174 100644 --- a/ql/src/test/results/clientpositive/tez/explainuser_1.q.out +++ b/ql/src/test/results/clientpositive/tez/explainuser_1.q.out @@ -2001,7 +2001,7 @@ Stage-0 Filter Operator [FIL_16] (rows=166 width=178) predicate:((value > 'val_9') and key is not null) TableScan [TS_3] (rows=500 width=178) - default@src_cbo,b,Tbl:COMPLETE,Col:COMPLETE,Output:["key","value"] + default@src_cbo,a,Tbl:COMPLETE,Col:COMPLETE,Output:["key","value"] PREHOOK: query: explain select * from (select *