diff --git a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
index f27f938..8bb70fb 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
@@ -582,9 +582,9 @@ public static void doAuthorization(HiveOperation op, BaseSemanticAnalyzer sem, S
 }
 Set additionalOutputs = new HashSet();
- for (Entity e : sem.getOutputs()) {
+ for (WriteEntity e : sem.getOutputs()) {
 if (e.getType() == Entity.Type.PARTITION) {
- additionalOutputs.add(new WriteEntity(e.getTable(), WriteEntity.WriteType.DDL_NO_LOCK));
+ additionalOutputs.add(new WriteEntity(e.getTable(), e.getWriteType()));
 }
 }
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/hooks/WriteEntity.java b/ql/src/java/org/apache/hadoop/hive/ql/hooks/WriteEntity.java
index 2194a6d..fe66104 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/hooks/WriteEntity.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/hooks/WriteEntity.java
@@ -168,7 +168,7 @@ public boolean equals(Object o) {
 if (o instanceof WriteEntity) {
 WriteEntity ore = (WriteEntity) o;
- return (toString().equalsIgnoreCase(ore.toString()));
+ return (toString().equalsIgnoreCase(ore.toString()) && writeType == ore.getWriteType());
 } else {
 return false;
 }
diff --git a/ql/src/test/queries/clientnegative/authorization_insertpart_noinspriv.q b/ql/src/test/queries/clientnegative/authorization_insertpart_noinspriv.q
new file mode 100644
index 0000000..225eff4
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_insertpart_noinspriv.q
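Review bot: The line `additionalOutputs.add(new WriteEntity(e.getTable(), e.getWriteType()));` is now the step that decides which table privilege a partition write is checked against, and it carries no comment saying so. I would add one above the loop, for example `// Authorize the parent table with the partition's own write type, so INSERT and INSERT_OVERWRITE are checked against the table's privileges rather than as DDL_NO_LOCK.` The body of doAuthorization starts and ends outside the hunk, so it cannot be confirmed from here whether every partition output carries a non-null write type or whether any other caller relied on the old DDL_NO_LOCK value.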
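Review bot: Adding `writeType == ore.getWriteType()` to equals changes what every hash-based set of WriteEntity treats as a duplicate, so the same table or partition can now appear once per write type. hashCode is outside the hunk; if it still derives only from the name the equals/hashCode contract continues to hold, but code that presumably assumed one entry per object (lock handling, hooks reading the outputs) should be checked. I would state the new contract on the method, e.g. `/** Equal only when the entity name (case-insensitive) and the write type both match. */`, and compare the field the same way on both sides, `writeType == ore.writeType`.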
@@ -0,0 +1,15 @@
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set hive.security.authorization.enabled=true;
+
+-- check insert without select priv
+create table testp(i int) partitioned by (dt string);
+grant select on table testp to user user1;
+
+set user.name=user1;
+create table user2tab(i int);
+explain authorization insert into table testp partition (dt = '2012') values (1);
+explain authorization insert overwrite table testp partition (dt = '2012') values (1);
+insert into table testp partition (dt = '2012') values (1);
+insert overwrite table testp partition (dt = '2012') values (1);
diff --git a/ql/src/test/results/clientnegative/authorization_insertpart_noinspriv.q.out b/ql/src/test/results/clientnegative/authorization_insertpart_noinspriv.q.out
new file mode 100644
index 0000000..f15dadc
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_insertpart_noinspriv.q.out
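Review bot: The comment `-- check insert without select priv` contradicts the test, because select is granted to user1 and the missing privilege is INSERT; it should read `-- check insert into a partition without insert priv`. The final `insert overwrite table testp partition (dt = '2012') values (1);` appears never to run: the recorded output ends with a single FAILED line for the preceding `insert into`, so the INSERT_OVERWRITE denial is covered only by `explain authorization`. If the enforced path matters, it probably needs a negative test of its own. `create table user2tab(i int);` is not referenced by any later statement and can be dropped.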
@@ -0,0 +1,53 @@ +PREHOOK: query: -- check insert without select priv +create table testp(i int) partitioned by (dt string) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +PREHOOK: Output: default@testp +POSTHOOK: query: -- check insert without select priv +create table testp(i int) partitioned by (dt string) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@testp +PREHOOK: query: grant select on table testp to user user1 +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@testp +POSTHOOK: query: grant select on table testp to user user1 +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@testp +PREHOOK: query: create table user2tab(i int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +PREHOOK: Output: default@user2tab +POSTHOOK: query: create table user2tab(i int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@user2tab +PREHOOK: query: explain authorization insert into table testp partition (dt = '2012') values (1) +PREHOOK: type: QUERY +POSTHOOK: query: explain authorization insert into table testp partition (dt = '2012') values (1) +POSTHOOK: type: QUERY +INPUTS: + default@values__tmp__table__1 +OUTPUTS: + default@testp@dt=2012 +CURRENT_USER: + user1 +OPERATION: + QUERY +AUTHORIZATION_FAILURES: + Permission denied: Principal [name=user1, type=USER] does not have following privileges for operation QUERY [[INSERT] on Object [type=TABLE_OR_VIEW, name=default.testp, action=INSERT]] +PREHOOK: query: explain authorization insert overwrite table testp partition (dt = '2012') values (1) +PREHOOK: type: QUERY +POSTHOOK: query: explain authorization insert overwrite table testp partition (dt = '2012') values (1) +POSTHOOK: type: QUERY +INPUTS: + default@values__tmp__table__2 +OUTPUTS: + default@testp@dt=2012 +CURRENT_USER: + user1 +OPERATION: + QUERY +AUTHORIZATION_FAILURES: + Permission denied: Principal [name=user1, type=USER] does not 
have following privileges for operation QUERY [[INSERT, DELETE] on Object [type=TABLE_OR_VIEW, name=default.testp, action=INSERT_OVERWRITE]] +FAILED: HiveAccessControlException Permission denied: Principal [name=user1, type=USER] does not have following privileges for operation QUERY [[INSERT] on Object [type=TABLE_OR_VIEW, name=default.testp, action=INSERT]]