diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
index 366737a0ba..f6d840f4f7 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
@@ -122,9 +122,8 @@ public HivePrivilegeObjectType getObjectType() {
 private static SQLPrivTypeGrant[] INS_NOGRANT_AR = arr(SQLPrivTypeGrant.INSERT_NOGRANT);
 private static SQLPrivTypeGrant[] DEL_NOGRANT_AR = arr(SQLPrivTypeGrant.DELETE_NOGRANT);
 private static SQLPrivTypeGrant[] UPD_NOGRANT_AR = arr(SQLPrivTypeGrant.UPDATE_NOGRANT);
- private static SQLPrivTypeGrant[] OWNER_INS_SEL_DEL_NOGRANT_AR =
- arr(SQLPrivTypeGrant.OWNER_PRIV,
- SQLPrivTypeGrant.INSERT_NOGRANT,
+ private static SQLPrivTypeGrant[] INS_SEL_DEL_NOGRANT_AR =
+ arr(SQLPrivTypeGrant.INSERT_NOGRANT,
 SQLPrivTypeGrant.DELETE_NOGRANT,
 SQLPrivTypeGrant.SELECT_NOGRANT);
@@ -140,8 +139,8 @@ public HivePrivilegeObjectType getObjectType() {
 SEL_NOGRANT_AR)); //??
 op2Priv.put(HiveOperationType.CREATEDATABASE, PrivRequirement.newPrivRequirementList(
- new PrivRequirement(OWNER_INS_SEL_DEL_NOGRANT_AR, HivePrivilegeObjectType.DFS_URI),
- new PrivRequirement(OWNER_INS_SEL_DEL_NOGRANT_AR, HivePrivilegeObjectType.LOCAL_URI)));
+ new PrivRequirement(INS_SEL_DEL_NOGRANT_AR, HivePrivilegeObjectType.DFS_URI),
+ new PrivRequirement(INS_SEL_DEL_NOGRANT_AR, HivePrivilegeObjectType.LOCAL_URI)));
 op2Priv.put(HiveOperationType.DROPDATABASE, PrivRequirement.newIOPrivRequirement
 (null, OWNER_PRIV_AR));
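Review bot: Dropping SQLPrivTypeGrant.OWNER_PRIV from the URI privilege array relaxes the check for every operation that takes a DFS_URI or LOCAL_URI (CREATEDATABASE in this hunk, and the ALTERTABLE_LOCATION, ALTERPARTITION_LOCATION, ALTERTBLPART_SKEWED_LOCATION, CREATEINDEX, ALTERTABLE_ADDPARTS, EXPORT, IMPORT, CREATETABLE_AS_SELECT, LOAD and CREATETABLE entries in the later hunks): a principal holding INSERT/DELETE/SELECT on the path no longer has to own it, and nothing in the diff records that the ownership requirement was dropped on purpose. The new name INS_SEL_DEL_NOGRANT_AR only lists what remains, so someone auditing this policy table later cannot tell whether the omission of OWNER_PRIV is deliberate or an oversight. I'd add a comment above the declaration, `// privileges required on a URI: rwx on the path (SELECT/INSERT/DELETE); ownership of the path is deliberately not required`, so the relaxation is visible at the one place the array is defined. The class body and the initializer that populates op2Priv both start and end outside these hunks.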
@@ -222,9 +221,9 @@ public HivePrivilegeObjectType getObjectType() {
 op2Priv.put(HiveOperationType.ALTERPARTITION_FILEFORMAT, PrivRequirement.newIOPrivRequirement
 (OWNER_PRIV_AR, OWNER_PRIV_AR));
 op2Priv.put(HiveOperationType.ALTERTABLE_LOCATION, PrivRequirement.newIOPrivRequirement
-(OWNER_PRIV_AR, OWNER_INS_SEL_DEL_NOGRANT_AR));
+(OWNER_PRIV_AR, INS_SEL_DEL_NOGRANT_AR));
 op2Priv.put(HiveOperationType.ALTERPARTITION_LOCATION, PrivRequirement.newIOPrivRequirement
-(OWNER_PRIV_AR, OWNER_INS_SEL_DEL_NOGRANT_AR));
+(OWNER_PRIV_AR, INS_SEL_DEL_NOGRANT_AR));
 op2Priv.put(HiveOperationType.ALTERTABLE_MERGEFILES, PrivRequirement.newIOPrivRequirement
 (OWNER_PRIV_AR, OWNER_PRIV_AR));
 op2Priv.put(HiveOperationType.ALTERPARTITION_MERGEFILES, PrivRequirement.newIOPrivRequirement
@@ -232,7 +231,7 @@ public HivePrivilegeObjectType getObjectType() {
 op2Priv.put(HiveOperationType.ALTERTABLE_SKEWED, PrivRequirement.newIOPrivRequirement
 (OWNER_PRIV_AR, OWNER_PRIV_AR));
 op2Priv.put(HiveOperationType.ALTERTBLPART_SKEWED_LOCATION, PrivRequirement.newIOPrivRequirement
-(OWNER_PRIV_AR, OWNER_INS_SEL_DEL_NOGRANT_AR));
+(OWNER_PRIV_AR, INS_SEL_DEL_NOGRANT_AR));
 op2Priv.put(HiveOperationType.ALTERTABLE_COMPACT, PrivRequirement.newIOPrivRequirement
 (OWNER_PRIV_AR, OWNER_PRIV_AR));
 op2Priv.put(HiveOperationType.TRUNCATETABLE, PrivRequirement.newIOPrivRequirement
@@ -244,7 +243,7 @@ public HivePrivilegeObjectType getObjectType() {
 //table ownership for create/drop/alter index
 op2Priv.put(HiveOperationType.CREATEINDEX, PrivRequirement.newIOPrivRequirement
-(OWNER_PRIV_AR, OWNER_INS_SEL_DEL_NOGRANT_AR));
+(OWNER_PRIV_AR, INS_SEL_DEL_NOGRANT_AR));
 op2Priv.put(HiveOperationType.DROPINDEX, PrivRequirement.newIOPrivRequirement
 (OWNER_PRIV_AR, OWNER_PRIV_AR));
 op2Priv.put(HiveOperationType.ALTERINDEX_REBUILD, PrivRequirement.newIOPrivRequirement
@@ -280,18 +279,18 @@ public HivePrivilegeObjectType getObjectType() {
 (DEL_NOGRANT_AR, null)); // in alter-table-add-partition, the table is output, and location is input
 op2Priv.put(HiveOperationType.ALTERTABLE_ADDPARTS, PrivRequirement.newIOPrivRequirement
-(OWNER_INS_SEL_DEL_NOGRANT_AR, INS_NOGRANT_AR));
+(INS_SEL_DEL_NOGRANT_AR, INS_NOGRANT_AR));
 // select with grant for exporting contents
 op2Priv.put(HiveOperationType.EXPORT, PrivRequirement.newIOPrivRequirement
-(SEL_GRANT_AR, OWNER_INS_SEL_DEL_NOGRANT_AR));
+(SEL_GRANT_AR, INS_SEL_DEL_NOGRANT_AR));
 // For import statement, require uri rwx+owner privileges on input uri, and
 // necessary privileges on the output table and database
 // NOTE : privileges are only checked if the object of that type is marked as part of ReadEntity or WriteEntity
 // So, if a table is present, Import will mark a table as a WriteEntity, and we'll authorize for that, and if not present,
 // Import will mark the parent db as a WriteEntity, thus ensuring that we check for table creation privileges.
 op2Priv.put(HiveOperationType.IMPORT, PrivRequirement.newPrivRequirementList(
- new PrivRequirement(OWNER_INS_SEL_DEL_NOGRANT_AR, IOType.INPUT),
+ new PrivRequirement(INS_SEL_DEL_NOGRANT_AR, IOType.INPUT),
 new PrivRequirement(arr(SQLPrivTypeGrant.INSERT_NOGRANT, SQLPrivTypeGrant.DELETE_NOGRANT), IOType.OUTPUT, null, HivePrivilegeObjectType.TABLE_OR_VIEW),
 new PrivRequirement(OWNER_PRIV_AR, IOType.OUTPUT, null, HivePrivilegeObjectType.DATABASE)));
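Review bot: The comment `// For import statement, require uri rwx+owner privileges on input uri, and` is now stale: this hunk swaps OWNER_INS_SEL_DEL_NOGRANT_AR for INS_SEL_DEL_NOGRANT_AR on the IMPORT input requirement, so ownership of the input URI is no longer part of the check, yet the comment still advertises it and will mislead the next person reviewing what IMPORT actually enforces. I'd change it to `// For import statement, require uri rwx privileges (SELECT, INSERT, DELETE) on input uri, and`, keeping the rest of the comment block as is. The initializer that populates op2Priv starts and ends outside the hunk.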
@@ -321,7 +320,7 @@ public HivePrivilegeObjectType getObjectType() {
 (SEL_NOGRANT_AR, null));
 op2Priv.put(HiveOperationType.CREATETABLE_AS_SELECT, PrivRequirement.newPrivRequirementList(
 new PrivRequirement(SEL_NOGRANT_AR, IOType.INPUT),
- new PrivRequirement(OWNER_INS_SEL_DEL_NOGRANT_AR, HivePrivilegeObjectType.DFS_URI),
+ new PrivRequirement(INS_SEL_DEL_NOGRANT_AR, HivePrivilegeObjectType.DFS_URI),
 new PrivRequirement(OWNER_PRIV_AR, HivePrivilegeObjectType.DATABASE)));
 // QUERY,LOAD op can contain an insert & overwrite,
@@ -341,7 +340,7 @@ public HivePrivilegeObjectType getObjectType() {
 );
 op2Priv.put(HiveOperationType.LOAD, PrivRequirement.newIOPrivRequirement
-(OWNER_INS_SEL_DEL_NOGRANT_AR,
+(INS_SEL_DEL_NOGRANT_AR,
 arr(SQLPrivTypeGrant.INSERT_NOGRANT, SQLPrivTypeGrant.DELETE_NOGRANT)));
 // show create table is more sensitive information, includes table properties etc
@@ -393,7 +392,7 @@ public HivePrivilegeObjectType getObjectType() {
 // require db ownership, if there is a file require SELECT , INSERT, and DELETE
 op2Priv.put(HiveOperationType.CREATETABLE, PrivRequirement.newPrivRequirementList(
- new PrivRequirement(OWNER_INS_SEL_DEL_NOGRANT_AR, IOType.INPUT),
+ new PrivRequirement(INS_SEL_DEL_NOGRANT_AR, IOType.INPUT),
 new PrivRequirement(OWNER_PRIV_AR, HivePrivilegeObjectType.DATABASE)));
 op2Priv.put(HiveOperationType.ALTERDATABASE, PrivRequirement.newIOPrivRequirement