commit 42bb08f1966d12426ecd2e5e60d0a7bd9f464c54
Author: Thejas M Nair
Date: Mon Jan 30 09:24:28 2017 -0800
msck fix
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java
index 0f472e7..dda2140 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java
@@ -3024,7 +3024,9 @@ private void analyzeMetastoreCheck(CommonTree ast) throws SemanticException {
 tableName = getUnescapedName((ASTNode) ast.getChild(1));
 }
 }
- List> specs = getPartitionSpecs(getTable(tableName), ast);
+ Table tab = getTable(tableName);
+ List> specs = getPartitionSpecs(tab, ast);
+ outputs.add(new WriteEntity(tab, WriteEntity.WriteType.DDL_SHARED));
 MsckDesc checkDesc = new MsckDesc(tableName, specs, ctx.getResFile(), repair);
 rootTasks.add(TaskFactory.get(new DDLWork(getInputs(), getOutputs(),
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
index e7bbd54..18b0e1c 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
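Review bot: The added `outputs.add(new WriteEntity(tab, WriteEntity.WriteType.DDL_SHARED));` runs whether or not `repair` is set, so a check-only `msck` is registered as a write on the table exactly like `msck repair`. Combined with the `INS_NOGRANT_AR` output requirement this commit adds in Operation2Privilege, a user who only wants the report presumably now needs INSERT on the table. If that is intended, record it next to the line, e.g. `// register the table as an output so the authorizer has an object to check INSERT against (also for check-only msck)`; otherwise add the write entity only when `repair` is true and expose the table as an input for the read-only case. analyzeMetastoreCheck starts and ends outside the hunk, so how `repair` is derived is not visible here.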
@@ -161,9 +161,12 @@ public HivePrivilegeObjectType getObjectType() {
 op2Priv.put(HiveOperationType.DESCFUNCTION, PrivRequirement.newIOPrivRequirement (null, null));
- // meta store check command - require admin priv
+ // meta store check command - equivalent to add partition command
+ // no input objects are passed to it currently, but keeping admin priv
+ // requirement on inputs just in case some input object like file
+ // uri is added later
 op2Priv.put(HiveOperationType.MSCK, PrivRequirement.newIOPrivRequirement
-(ADMIN_PRIV_AR, null));
+(ADMIN_PRIV_AR, INS_NOGRANT_AR));
 //alter table commands require table ownership
diff --git a/ql/src/test/queries/clientnegative/authorization_msck.q b/ql/src/test/queries/clientnegative/authorization_msck.q
new file mode 100644
index 0000000..8c7edce
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_msck.q
@@ -0,0 +1,20 @@
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set hive.security.authorization.enabled=true;
+set user.name=user1;
+
+-- check if alter table fails as different user
+create table t1(i int);
+msck repair table t1;
+
+
+set user.name=user1;
+GRANT INSERT ON t1 TO USER user2;
+
+set user.name=user2;
+msck repair table t1;
+
+set user.name=user3;
+msck repair table t1;
+
diff --git a/ql/src/test/results/clientnegative/authorization_msck.q.out b/ql/src/test/results/clientnegative/authorization_msck.q.out
new file mode 100644
index 0000000..7e36488
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_msck.q.out
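Review bot: The only privilege this mapping actually enforces for MSCK is `INS_NOGRANT_AR` on outputs; by the comment's own account no inputs are passed, so `ADMIN_PRIV_AR` is never evaluated, and the "just in case" wording hides that. The check therefore depends entirely on analyzeMetastoreCheck adding the table to `outputs`; presumably a call that reaches the authorizer with no output objects is checked against nothing. I would say so in the comment, e.g. `// enforced only through the table WriteEntity added in DDLSemanticAnalyzer.analyzeMetastoreCheck; inputs are empty today, so ADMIN_PRIV_AR is dormant`. It is also worth noting there that registering the table as an input later would raise the requirement to admin for users who pass today with INSERT. The hunk header names getObjectType(), but the `op2Priv.put` calls appear to belong to a block that starts outside the hunk.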
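Review bot: The comment `-- check if alter table fails as different user` in authorization_msck.q does not describe this script and looks carried over from another test; `-- msck repair needs INSERT on the table: the owner and a grantee succeed, a user without privileges is denied` matches what the statements do. The second `set user.name=user1;` before the GRANT is redundant, since the session is still user1 at that point. Only `msck repair` is exercised; a check-only `msck table t1` run as user3 deserves a case of its own, because the analyzer change in this commit registers the table as an output on that path too.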
@@ -0,0 +1,27 @@
+PREHOOK: query: create table t1(i int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+PREHOOK: Output: default@t1
+POSTHOOK: query: create table t1(i int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@t1
+PREHOOK: query: msck repair table t1
+PREHOOK: type: MSCK
+PREHOOK: Output: default@t1
+POSTHOOK: query: msck repair table t1
+POSTHOOK: type: MSCK
+POSTHOOK: Output: default@t1
+PREHOOK: query: GRANT INSERT ON t1 TO USER user2
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@t1
+POSTHOOK: query: GRANT INSERT ON t1 TO USER user2
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@t1
+PREHOOK: query: msck repair table t1
+PREHOOK: type: MSCK
+PREHOOK: Output: default@t1
+POSTHOOK: query: msck repair table t1
+POSTHOOK: type: MSCK
+POSTHOOK: Output: default@t1
+FAILED: HiveAccessControlException Permission denied: Principal [name=user3, type=USER] does not have following privileges for operation MSCK [[INSERT] on Object [type=TABLE_OR_VIEW, name=default.t1]]