commit 17106e61ca4c542abf6c508d6306a2a0bd589f7c Author: Daniel Dai Date: Thu May 10 15:24:33 2018 -0700 HIVE-19440: Make StorageBasedAuthorizer work with information schema diff --git a/hcatalog/core/src/main/java/org/apache/hive/hcatalog/storagehandler/DummyHCatAuthProvider.java b/hcatalog/core/src/main/java/org/apache/hive/hcatalog/storagehandler/DummyHCatAuthProvider.java index a53028f..86d9a18 100644 --- a/hcatalog/core/src/main/java/org/apache/hive/hcatalog/storagehandler/DummyHCatAuthProvider.java +++ b/hcatalog/core/src/main/java/org/apache/hive/hcatalog/storagehandler/DummyHCatAuthProvider.java @@ -30,6 +30,8 @@ import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider; import org.apache.hadoop.hive.ql.security.authorization.Privilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; /** * This class is a dummy implementation of HiveAuthorizationProvider to provide @@ -141,4 +143,9 @@ public void authorize(Table table, Partition part, List columns, throws HiveException, AuthorizationException { } + @Override + public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { + return null; + } + } diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestHDFSPermissionPolicyProvider.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestHDFSPermissionPolicyProvider.java new file mode 100644 index 0000000..2497467 --- /dev/null +++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestHDFSPermissionPolicyProvider.java @@ -0,0 +1,174 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; + +import static org.junit.Assert.*; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.fs.Path; +import org.apache.hadoop.fs.permission.FsPermission; +import org.apache.hadoop.hdfs.MiniDFSCluster; +import org.apache.hadoop.hive.metastore.HiveMetaStoreClient; +import org.apache.hadoop.hive.metastore.TableType; +import org.apache.hadoop.hive.metastore.api.Database; +import org.apache.hadoop.hive.metastore.api.FieldSchema; +import org.apache.hadoop.hive.metastore.api.SerDeInfo; +import org.apache.hadoop.hive.metastore.api.StorageDescriptor; +import org.apache.hadoop.hive.metastore.api.Table; +import org.apache.hadoop.hive.metastore.conf.MetastoreConf; +import org.apache.hadoop.hive.ql.metadata.Hive; +import org.apache.hadoop.hive.ql.security.authorization.HDFSPermissionPolicyProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLs; +import org.junit.BeforeClass; +import org.junit.Test; + +public class TestHDFSPermissionPolicyProvider { + private static MiniDFSCluster m_dfs; + private static HiveMetaStoreClient client; + private static Configuration conf; + private static String defaultTbl1Loc, defaultTbl2Loc, db1Loc, db1Tbl1Loc; + + @BeforeClass + public static void setup() throws Exception { + m_dfs = new MiniDFSCluster.Builder(new Configuration()).numDataNodes(1).format(true).build(); + conf = new Configuration(); + conf.set("fs.defaultFS", "hdfs://" + m_dfs.getNameNode().getHostAndPort()); + String warehouseLocation = "hdfs://" + m_dfs.getNameNode().getHostAndPort() + + MetastoreConf.ConfVars.WAREHOUSE.getDefaultVal(); + conf.set(MetastoreConf.ConfVars.WAREHOUSE.getVarname(), warehouseLocation); + conf.set(MetastoreConf.ConfVars.AUTO_CREATE_ALL.getVarname(), "true"); + conf.set(MetastoreConf.ConfVars.SCHEMA_VERIFICATION.getVarname(), "false"); + client = new HiveMetaStoreClient(conf); + Hive.get(conf, TestHDFSPermissionPolicyProvider.class); + + try {client.dropTable("default", "tbl1");} catch(Exception e) {}; + try {client.dropTable("default", "tbl2");} catch(Exception e) {}; + try {client.dropTable("db1", "tbl1");} catch(Exception e) {}; + try {client.dropDatabase("db1");} catch(Exception e) {}; + + defaultTbl1Loc = warehouseLocation + "/tbl1"; + defaultTbl2Loc = warehouseLocation + "/tbl2"; + db1Loc = warehouseLocation + "/db1"; + db1Tbl1Loc = warehouseLocation + "/db1/tbl1"; + + int now = (int)System.currentTimeMillis() / 1000; + FieldSchema col1 = new FieldSchema("col1", "int", "no comment"); + List cols = new ArrayList(); + cols.add(col1); + SerDeInfo serde = new SerDeInfo("serde", "seriallib", null); + StorageDescriptor sd = + new StorageDescriptor(cols, defaultTbl1Loc, "input", "output", false, 0, serde, null, null, + new HashMap()); + Table tbl = + new Table("tbl1", "default", "foo", now, now, 0, sd, null, + new HashMap(), null, null, TableType.MANAGED_TABLE.toString()); + client.createTable(tbl); + + sd = new StorageDescriptor(cols, defaultTbl2Loc, "input", "output", false, 0, serde, + null, null, new HashMap()); + tbl = new Table("tbl2", "default", "foo", now, now, 0, sd, null, + new HashMap(), null, null, TableType.MANAGED_TABLE.toString()); + client.createTable(tbl); + + Database db = new Database("db1", "no description", db1Loc, new HashMap()); + client.createDatabase(db); + + sd = new StorageDescriptor(cols, db1Tbl1Loc, "input", "output", false, 0, serde, null, null, + new HashMap()); + tbl = new Table("tbl1", "db1", "foo", now, now, 0, sd, null, + new HashMap(), null, null, TableType.MANAGED_TABLE.toString()); + client.createTable(tbl); + } + + @Test + public void testPolicyProvider() throws Exception { + HDFSPermissionPolicyProvider policyProvider = new HDFSPermissionPolicyProvider(conf); + FileSystem fs = FileSystem.get(conf); + fs.setOwner(new Path(defaultTbl1Loc), "user1", "group1"); + fs.setOwner(new Path(defaultTbl2Loc), "user1", "group1"); + fs.setOwner(new Path(db1Loc), "user1", "group1"); + fs.setOwner(new Path(db1Tbl1Loc), "user1", "group1"); + fs.setPermission(new Path(defaultTbl1Loc), new FsPermission("444")); // r--r--r-- + HiveResourceACLs acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 2); + assertTrue(acls.getGroupPermissions().keySet().contains("group1")); + assertTrue(acls.getGroupPermissions().keySet().contains("public")); + + fs.setPermission(new Path(defaultTbl1Loc), new FsPermission("440")); // r--r----- + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 1); + assertEquals(acls.getUserPermissions().keySet().iterator().next(), "user1"); + assertEquals(acls.getGroupPermissions().size(), 1); + assertTrue(acls.getGroupPermissions().keySet().contains("group1")); + + fs.setPermission(new Path(defaultTbl1Loc), new FsPermission("404")); // r-----r-- + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 1); + assertTrue(acls.getGroupPermissions().keySet().contains("public")); + + fs.setPermission(new Path(defaultTbl1Loc), new FsPermission("400")); // r-------- + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 0); + + fs.setPermission(new Path(defaultTbl1Loc), new FsPermission("004")); // ------r-- + fs.setPermission(new Path(defaultTbl2Loc), new FsPermission("777")); // rwxrwxrwx + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 0); + assertEquals(acls.getGroupPermissions().size(), 1); + assertTrue(acls.getGroupPermissions().keySet().contains("public")); + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl2")); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 2); + assertTrue(acls.getGroupPermissions().keySet().contains("group1")); + assertTrue(acls.getGroupPermissions().keySet().contains("public")); + + fs.setPermission(new Path(db1Loc), new FsPermission("400")); // ------r-- + fs.delete(new Path(db1Tbl1Loc), true); + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.DATABASE, "db1", null)); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 0); + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "db1", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 0); + + } +} diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java index 31e795c..3fdacac 100644 --- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java +++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java @@ -32,6 +32,8 @@ import org.apache.hadoop.hive.ql.metadata.Table; import org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider; import org.apache.hadoop.hive.ql.security.authorization.Privilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; /** * Dummy implementation for use by unit tests. Tracks the context of calls made to @@ -211,6 +213,8 @@ public void authorizeAuthorizationApiInvocation() throws HiveException, Authoriz authCalls.add(new AuthCallContext(AuthCallContextType.AUTHORIZATION, null, null)); } - - + @Override + public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { + return null; + } } diff --git a/metastore/scripts/upgrade/hive/hive-schema-3.0.0.hive.sql b/metastore/scripts/upgrade/hive/hive-schema-3.0.0.hive.sql index d9606d8..d6dd7ce 100644 --- a/metastore/scripts/upgrade/hive/hive-schema-3.0.0.hive.sql +++ b/metastore/scripts/upgrade/hive/hive-schema-3.0.0.hive.sql @@ -109,6 +109,7 @@ CREATE TABLE IF NOT EXISTS `DB_PRIVS` ( `PRINCIPAL_NAME` string, `PRINCIPAL_TYPE` string, `DB_PRIV` string, + `AUTHORIZER` string, CONSTRAINT `SYS_PK_DB_PRIVS` PRIMARY KEY (`DB_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -124,7 +125,8 @@ TBLPROPERTIES ( \"GRANTOR_TYPE\", \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", - \"DB_PRIV\" + \"DB_PRIV\", + \"AUTHORIZER\" FROM \"DB_PRIVS\"" ); @@ -138,6 +140,7 @@ CREATE TABLE IF NOT EXISTS `GLOBAL_PRIVS` ( `PRINCIPAL_NAME` string, `PRINCIPAL_TYPE` string, `USER_PRIV` string, + `AUTHORIZER` string, CONSTRAINT `SYS_PK_GLOBAL_PRIVS` PRIMARY KEY (`USER_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -152,7 +155,8 @@ TBLPROPERTIES ( \"GRANTOR_TYPE\", \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", - \"USER_PRIV\" + \"USER_PRIV\", + \"AUTHORIZER\" FROM \"GLOBAL_PRIVS\"" ); @@ -250,6 +254,7 @@ CREATE TABLE IF NOT EXISTS `PART_COL_PRIVS` ( `PRINCIPAL_NAME` string, `PRINCIPAL_TYPE` string, `PART_COL_PRIV` string, + `AUTHORIZER` string, CONSTRAINT `SYS_PK_PART_COL_PRIVS` PRIMARY KEY (`PART_COLUMN_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -266,7 +271,8 @@ TBLPROPERTIES ( \"PART_ID\", \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", - \"PART_COL_PRIV\" + \"PART_COL_PRIV\", + \"AUTHORIZER\" FROM \"PART_COL_PRIVS\"" ); @@ -281,6 +287,7 @@ CREATE TABLE IF NOT EXISTS `PART_PRIVS` ( `PRINCIPAL_NAME` string, `PRINCIPAL_TYPE` string, `PART_PRIV` string, + `AUTHORIZER` string, CONSTRAINT `SYS_PK_PART_PRIVS` PRIMARY KEY (`PART_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -296,7 +303,8 @@ TBLPROPERTIES ( \"PART_ID\", \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", - \"PART_PRIV\" + \"PART_PRIV\", + \"AUTHORIZER\" FROM \"PART_PRIVS\"" ); @@ -652,6 +660,7 @@ CREATE TABLE IF NOT EXISTS `TBL_COL_PRIVS` ( `PRINCIPAL_TYPE` string, `TBL_COL_PRIV` string, `TBL_ID` bigint, + `AUTHORIZER` string, CONSTRAINT `SYS_PK_TBL_COL_PRIVS` PRIMARY KEY (`TBL_COLUMN_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -668,7 +677,8 @@ TBLPROPERTIES ( \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", \"TBL_COL_PRIV\", - \"TBL_ID\" + \"TBL_ID\", + \"AUTHORIZER\" FROM \"TBL_COL_PRIVS\"" ); @@ -683,6 +693,7 @@ CREATE TABLE IF NOT EXISTS `TBL_PRIVS` ( `PRINCIPAL_TYPE` string, `TBL_PRIV` string, `TBL_ID` bigint, + `AUTHOZIER` string, CONSTRAINT `SYS_PK_TBL_PRIVS` PRIMARY KEY (`TBL_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -698,7 +709,8 @@ TBLPROPERTIES ( \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", \"TBL_PRIV\", - \"TBL_ID\" + \"TBL_ID\", + \"AUTHORIZER\" FROM \"TBL_PRIVS\"" ); @@ -1082,7 +1094,8 @@ WHERE D.`DB_ID` = T.`DB_ID` AND T.`TBL_ID` = P.`TBL_ID` AND (P.`PRINCIPAL_NAME`=current_user() AND P.`PRINCIPAL_TYPE`='USER' - OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP')); + OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP')) + AND current_authorizer() = P.`AUTHORIZER`; CREATE VIEW IF NOT EXISTS `TABLES` ( @@ -1118,8 +1131,8 @@ WHERE D.`DB_ID` = T.`DB_ID` AND (NOT restrict_information_schema() OR T.`TBL_ID` = P.`TBL_ID` AND (P.`PRINCIPAL_NAME`=current_user() AND P.`PRINCIPAL_TYPE`='USER' - OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP')) - AND P.`TBL_PRIV`='SELECT'); + OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP'))) + AND P.`TBL_PRIV`='SELECT' AND P.`AUTHORIZER`=current_authorizer(); CREATE VIEW IF NOT EXISTS `TABLE_PRIVILEGES` ( @@ -1152,8 +1165,8 @@ WHERE AND (NOT restrict_information_schema() OR P.`TBL_ID` = P2.`TBL_ID` AND P.`PRINCIPAL_NAME` = P2.`PRINCIPAL_NAME` AND P.`PRINCIPAL_TYPE` = P2.`PRINCIPAL_TYPE` AND (P2.`PRINCIPAL_NAME`=current_user() AND P2.`PRINCIPAL_TYPE`='USER' - OR ((array_contains(current_groups(), P2.`PRINCIPAL_NAME`) OR P2.`PRINCIPAL_NAME` = 'public') AND P2.`PRINCIPAL_TYPE`='GROUP')) - AND P2.`TBL_PRIV`='SELECT'); + OR ((array_contains(current_groups(), P2.`PRINCIPAL_NAME`) OR P2.`PRINCIPAL_NAME` = 'public') AND P2.`PRINCIPAL_TYPE`='GROUP'))) + AND P2.`TBL_PRIV`='SELECT' AND P1.`AUTHORIZER` = current_authorizer() AND P2.`AUTHORIZER` = current_authorizer(); CREATE VIEW IF NOT EXISTS `COLUMNS` ( @@ -1308,7 +1321,7 @@ WHERE AND C.`COLUMN_NAME` = P.`COLUMN_NAME` AND (P.`PRINCIPAL_NAME`=current_user() AND P.`PRINCIPAL_TYPE`='USER' OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP')) - AND P.`TBL_COL_PRIV`='SELECT'); + AND P.`TBL_COL_PRIV`='SELECT' AND P.`AUTHORIZER`=current_authorizer()); CREATE VIEW IF NOT EXISTS `COLUMN_PRIVILEGES` ( @@ -1344,7 +1357,7 @@ WHERE P.`TBL_ID` = P2.`TBL_ID` AND P.`PRINCIPAL_NAME` = P2.`PRINCIPAL_NAME` AND P.`PRINCIPAL_TYPE` = P2.`PRINCIPAL_TYPE` AND (P2.`PRINCIPAL_NAME`=current_user() AND P2.`PRINCIPAL_TYPE`='USER' OR ((array_contains(current_groups(), P2.`PRINCIPAL_NAME`) OR P2.`PRINCIPAL_NAME` = 'public') AND P2.`PRINCIPAL_TYPE`='GROUP')) - AND P2.`TBL_PRIV`='SELECT'); + AND P2.`TBL_PRIV`='SELECT' AND P.`AUTHORIZER`=current_authorizer() AND P2.`AUTHORIZER`=current_authorizer()); CREATE VIEW IF NOT EXISTS `VIEWS` ( @@ -1381,4 +1394,4 @@ WHERE T.`TBL_ID` = P.`TBL_ID` AND (P.`PRINCIPAL_NAME`=current_user() AND P.`PRINCIPAL_TYPE`='USER' OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP')) - AND P.`TBL_PRIV`='SELECT'); + AND P.`TBL_PRIV`='SELECT' AND P.`AUTHORIZER`=current_authorizer()); diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/FunctionRegistry.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/FunctionRegistry.java index 4611ce9..4502612 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/exec/FunctionRegistry.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/FunctionRegistry.java @@ -359,6 +359,7 @@ system.registerGenericUDF("current_groups", GenericUDFCurrentGroups.class); system.registerGenericUDF("logged_in_user", GenericUDFLoggedInUser.class); system.registerGenericUDF("restrict_information_schema", GenericUDFRestrictInformationSchema.class); + system.registerGenericUDF("current_authorizer", GenericUDFCurrentAuthorizer.class); system.registerGenericUDF("isnull", GenericUDFOPNull.class); system.registerGenericUDF("isnotnull", GenericUDFOPNotNull.class); diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HDFSPermissionPolicyProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HDFSPermissionPolicyProvider.java new file mode 100644 index 0000000..27e4dba --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HDFSPermissionPolicyProvider.java @@ -0,0 +1,117 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security.authorization; + +import java.io.IOException; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.FileStatus; +import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.fs.Path; +import org.apache.hadoop.fs.permission.FsAction; +import org.apache.hadoop.fs.permission.FsPermission; +import org.apache.hadoop.hive.common.FileUtils; +import org.apache.hadoop.hive.metastore.api.Database; +import org.apache.hadoop.hive.ql.metadata.Hive; +import org.apache.hadoop.hive.ql.metadata.Table; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyChangeListener; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLs; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLsImpl; + +public class HDFSPermissionPolicyProvider implements HivePolicyProvider { + + private Configuration conf; + + public HDFSPermissionPolicyProvider(Configuration conf) { + this.conf = conf; + } + + @Override + public HiveResourceACLs getResourceACLs(HivePrivilegeObject hiveObject) { + HiveResourceACLs acls = null; + try { + switch (hiveObject.getType()) { + case DATABASE: + Database db = Hive.get().getDatabase(hiveObject.getDbname()); + acls = getResourceACLs(new Path(db.getLocationUri())); + break; + case TABLE_OR_VIEW: + case COLUMN: + Table table = Hive.get().getTable(hiveObject.getDbname(), hiveObject.getObjectName()); + acls = getResourceACLs(new Path(table.getTTable().getSd().getLocation())); + break; + default: + // Shall never happen + throw new RuntimeException("Unknown request type:" + hiveObject.getType()); + } + } catch (Exception e) { + } + return acls; + } + + private HiveResourceACLs getResourceACLs(Path path) throws IOException { + if (path == null) { + throw new IllegalArgumentException("path is null"); + } + + final FileSystem fs = path.getFileSystem(conf); + + FileStatus pathStatus = FileUtils.getFileStatusOrNull(fs, path); + if (pathStatus != null) { + return getResourceACLs(fs, pathStatus); + } else if (path.getParent() != null) { + // find the ancestor which exists to check its permissions + Path par = path.getParent(); + FileStatus parStatus = null; + while (par != null) { + parStatus = FileUtils.getFileStatusOrNull(fs, par); + if (parStatus != null) { + break; + } + par = par.getParent(); + } + return getResourceACLs(fs, parStatus); + } + return null; + } + + private HiveResourceACLs getResourceACLs(final FileSystem fs, final FileStatus stat) { + String owner = stat.getOwner(); + String group = stat.getGroup(); + HiveResourceACLsImpl acls = new HiveResourceACLsImpl(); + FsPermission permission = stat.getPermission(); + if (permission.getUserAction().implies(FsAction.READ)) { + acls.addUserEntry(owner, HiveResourceACLs.Privilege.SELECT, HiveResourceACLs.AccessResult.ALLOWED); + } + if (permission.getGroupAction().implies(FsAction.READ)) { + acls.addGroupEntry(group, HiveResourceACLs.Privilege.SELECT, HiveResourceACLs.AccessResult.ALLOWED); + } + if (permission.getOtherAction().implies(FsAction.READ)) { + acls.addGroupEntry("public", HiveResourceACLs.Privilege.SELECT, HiveResourceACLs.AccessResult.ALLOWED); + } + return acls; + } + + @Override + public void registerHivePolicyChangeListener(HivePolicyChangeListener listener) { + // Not implemented + } + +} diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java index 8a7c06d..d3e13a5 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java @@ -36,6 +36,8 @@ import org.apache.hadoop.hive.ql.metadata.Hive; import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; import org.apache.thrift.TException; public abstract class HiveAuthorizationProviderBase implements @@ -133,4 +135,8 @@ public void setAuthenticator(HiveAuthenticationProvider authenticator) { this.authenticator = authenticator; } + @Override + public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { + return null; + } } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java index 0dab334..de9b8d1 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java @@ -21,6 +21,8 @@ import org.apache.hadoop.hive.metastore.IHMSHandler; import org.apache.hadoop.hive.ql.metadata.AuthorizationException; import org.apache.hadoop.hive.ql.metadata.HiveException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; /** * HiveMetastoreAuthorizationProvider : An extension of HiveAuthorizaytionProvider @@ -44,5 +46,10 @@ */ void authorizeAuthorizationApiInvocation() throws HiveException, AuthorizationException; + /** + * @return HivePolicyProvider instance (expected to be a singleton) + * @throws HiveAuthzPluginException + */ + HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException; } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PolicyProviderContainer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PolicyProviderContainer.java new file mode 100644 index 0000000..dfc6964 --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PolicyProviderContainer.java @@ -0,0 +1,74 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security.authorization; + +import java.util.ArrayList; +import java.util.Iterator; +import java.util.List; + +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; + +public class PolicyProviderContainer implements Iterable { + List authorizers = new ArrayList(); + List authorizationProviders = new ArrayList(); + + public void addAuthorizer(HiveAuthorizer authorizer) { + authorizers.add(authorizer); + } + + public void addAuthorizationProvider(HiveMetastoreAuthorizationProvider authorizationProvider) { + authorizationProviders.add(authorizationProvider); + } + + public int size() { + return authorizers.size() + authorizationProviders.size(); + } + + @Override + public Iterator iterator() { + return new PolicyIterator(); + } + + class PolicyIterator implements Iterator { + int currentAuthorizerPosition = 0; + int AuthorizationProviderPosition = 0; + @Override + public boolean hasNext() { + if (currentAuthorizerPosition < authorizers.size() + || AuthorizationProviderPosition < authorizationProviders.size()) { + return true; + } + return false; + } + + @Override + public HivePolicyProvider next() { + try { + if (currentAuthorizerPosition < authorizers.size()) { + return authorizers.get(currentAuthorizerPosition++).getHivePolicyProvider(); + } else { + return authorizationProviders.get(AuthorizationProviderPosition++).getHivePolicyProvider(); + } + } catch (HiveAuthzPluginException e) { + throw new RuntimeException(e); + } + } + } +} diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java index 9b2e6cd..f5788d4 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java @@ -32,7 +32,6 @@ import org.apache.hadoop.hive.metastore.api.PrivilegeBag; import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo; import org.apache.hadoop.hive.metastore.api.Table; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactoryImpl; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; @@ -53,23 +52,24 @@ private IMetaStoreClient hiveClient; private LeaderLatch privilegeSynchonizerLatch; private HiveConf hiveConf; - private HiveAuthorizer authorizer; + private PolicyProviderContainer policyProviderContainer; - public PrivilegeSynchonizer(LeaderLatch privilegeSynchonizerLatch, HiveAuthorizer authorizer, HiveConf hiveConf) { + public PrivilegeSynchonizer(LeaderLatch privilegeSynchonizerLatch, + PolicyProviderContainer policyProviderContainer, HiveConf hiveConf) { try { hiveClient = new HiveMetastoreClientFactoryImpl().getHiveMetastoreClient(); } catch (HiveAuthzPluginException e) { throw new RuntimeException("Error creating getHiveMetastoreClient", e); } this.privilegeSynchonizerLatch = privilegeSynchonizerLatch; - this.authorizer = authorizer; + this.policyProviderContainer = policyProviderContainer; this.hiveConf = hiveConf; } private void addACLsToBag( Map> principalAclsMap, PrivilegeBag privBag, HiveObjectType objectType, String dbName, String tblName, String columnName, - PrincipalType principalType) { + PrincipalType principalType, String authorizer) { for (Map.Entry> principalAcls : principalAclsMap.entrySet()) { @@ -82,19 +82,19 @@ private void addACLsToBag( privBag.addToPrivileges( new HiveObjectPrivilege(new HiveObjectRef(HiveObjectType.DATABASE, dbName, null, null, null), principal, principalType, new PrivilegeGrantInfo(acl.getKey().toString(), - (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false))); + (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false), authorizer)); break; case TABLE: privBag.addToPrivileges( new HiveObjectPrivilege(new HiveObjectRef(HiveObjectType.TABLE, dbName, tblName, null, null), principal, principalType, new PrivilegeGrantInfo(acl.getKey().toString(), - (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false))); + (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false), authorizer)); break; case COLUMN: privBag.addToPrivileges( new HiveObjectPrivilege(new HiveObjectRef(HiveObjectType.COLUMN, dbName, tblName, null, columnName), principal, principalType, new PrivilegeGrantInfo(acl.getKey().toString(), - (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false))); + (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false), authorizer)); break; default: throw new RuntimeException("Get unknown object type " + objectType); @@ -123,7 +123,7 @@ private HiveObjectRef getObjToRefresh(HiveObjectType type, String dbName, String } private void addGrantPrivilegesToBag(HivePolicyProvider policyProvider, PrivilegeBag privBag, HiveObjectType type, - String dbName, String tblName, String columnName) throws Exception { + String dbName, String tblName, String columnName, String authorizer) throws Exception { HiveResourceACLs objectAcls = null; @@ -151,51 +151,58 @@ private void addGrantPrivilegesToBag(HivePolicyProvider policyProvider, Privileg return; } - addACLsToBag(objectAcls.getUserPermissions(), privBag, type, dbName, tblName, columnName, PrincipalType.USER); - addACLsToBag(objectAcls.getGroupPermissions(), privBag, type, dbName, tblName, columnName, PrincipalType.GROUP); + addACLsToBag(objectAcls.getUserPermissions(), privBag, type, dbName, tblName, columnName, + PrincipalType.USER, authorizer); + addACLsToBag(objectAcls.getGroupPermissions(), privBag, type, dbName, tblName, columnName, + PrincipalType.GROUP, authorizer); } @Override public void run() { while (true) { + long interval = HiveConf.getTimeVar(hiveConf, ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER_INTERVAL, TimeUnit.SECONDS); try { - HivePolicyProvider policyProvider = authorizer.getHivePolicyProvider(); - long interval = HiveConf.getTimeVar(hiveConf, ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER_INTERVAL, TimeUnit.SECONDS); - if (hiveConf.getBoolVar(ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER)) { - if (!privilegeSynchonizerLatch.await(interval, TimeUnit.SECONDS)) { - continue; - } - LOG.debug("Start synchonize privilege"); - for (String dbName : hiveClient.getAllDatabases()) { - HiveObjectRef dbToRefresh = getObjToRefresh(HiveObjectType.DATABASE, dbName, null); - PrivilegeBag grantDatabaseBag = new PrivilegeBag(); - addGrantPrivilegesToBag(policyProvider, grantDatabaseBag, HiveObjectType.DATABASE, dbName, null, null); - hiveClient.refresh_privileges(dbToRefresh, grantDatabaseBag); - - for (String tblName : hiveClient.getAllTables(dbName)) { - HiveObjectRef tableToRefresh = getObjToRefresh(HiveObjectType.TABLE, dbName, tblName); - PrivilegeBag grantTableBag = new PrivilegeBag(); - addGrantPrivilegesToBag(policyProvider, grantTableBag, HiveObjectType.TABLE, dbName, tblName, null); - hiveClient.refresh_privileges(tableToRefresh, grantTableBag); - - HiveObjectRef tableOfColumnsToRefresh = getObjToRefresh(HiveObjectType.COLUMN, dbName, tblName); - PrivilegeBag grantColumnBag = new PrivilegeBag(); - Table tbl = hiveClient.getTable(dbName, tblName); - for (FieldSchema fs : tbl.getPartitionKeys()) { - addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, dbName, tblName, - fs.getName()); - } - for (FieldSchema fs : tbl.getSd().getCols()) { - addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, dbName, tblName, - fs.getName()); + for (HivePolicyProvider policyProvider : policyProviderContainer) { + String authorizer = policyProvider.getClass().getSimpleName(); + if (hiveConf.getBoolVar(ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER)) { + if (!privilegeSynchonizerLatch.await(interval, TimeUnit.SECONDS)) { + continue; + } + LOG.debug("Start synchonize privilege"); + for (String dbName : hiveClient.getAllDatabases()) { + HiveObjectRef dbToRefresh = getObjToRefresh(HiveObjectType.DATABASE, dbName, null); + PrivilegeBag grantDatabaseBag = new PrivilegeBag(); + addGrantPrivilegesToBag(policyProvider, grantDatabaseBag, HiveObjectType.DATABASE, + dbName, null, null, authorizer); + hiveClient.refresh_privileges(dbToRefresh, grantDatabaseBag); + + for (String tblName : hiveClient.getAllTables(dbName)) { + HiveObjectRef tableToRefresh = getObjToRefresh(HiveObjectType.TABLE, dbName, tblName); + PrivilegeBag grantTableBag = new PrivilegeBag(); + addGrantPrivilegesToBag(policyProvider, grantTableBag, HiveObjectType.TABLE, + dbName, tblName, null, authorizer); + hiveClient.refresh_privileges(tableToRefresh, grantTableBag); + + HiveObjectRef tableOfColumnsToRefresh = getObjToRefresh(HiveObjectType.COLUMN, dbName, tblName); + PrivilegeBag grantColumnBag = new PrivilegeBag(); + Table tbl = hiveClient.getTable(dbName, tblName); + for (FieldSchema fs : tbl.getPartitionKeys()) { + addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, + dbName, tblName, fs.getName(), authorizer); + } + for (FieldSchema fs : tbl.getSd().getCols()) { + addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, + dbName, tblName, fs.getName(), authorizer); + } + hiveClient.refresh_privileges(tableOfColumnsToRefresh, grantColumnBag); } - hiveClient.refresh_privileges(tableOfColumnsToRefresh, grantColumnBag); } } + // Wait if no exception happens, otherwise, retry immediately } - // Wait if no exception happens, otherwise, retry immediately Thread.sleep(interval * 1000); LOG.debug("Success synchonize privilege"); + } catch (Exception e) { LOG.error("Error initializing PrivilegeSynchonizer: " + e.getMessage(), e); } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java index b66d188..f074d39 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java @@ -45,6 +45,8 @@ import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.ql.metadata.Partition; import org.apache.hadoop.hive.ql.metadata.Table; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; /** * StorageBasedAuthorizationProvider is an implementation of @@ -491,4 +493,9 @@ public void setHasDropPrivilege(boolean hasDropPrivilege) { } + @Override + public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { + return new HDFSPermissionPolicyProvider(getConf()); + } + } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java index 48798d8..ffa5cd1 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java @@ -47,6 +47,7 @@ public class HiveV1Authorizer extends AbstractHiveAuthorizer { private final HiveConf conf; + private final static String AUTHORIZER = "v1"; public HiveV1Authorizer(HiveConf conf) { this.conf = conf; @@ -77,7 +78,7 @@ public void grantPrivileges( HivePrincipal grantor, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException { try { - PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption); + PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption, AUTHORIZER); grantOrRevokePrivs(principals, privBag, true, grantOption); } catch (Exception e) { throw new HiveAuthzPluginException(e); @@ -90,7 +91,7 @@ public void revokePrivileges( HivePrincipal grantor, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException { try { - PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption); + PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption, AUTHORIZER); grantOrRevokePrivs(principals, privBag, false, grantOption); } catch (Exception e) { throw new HiveAuthzPluginException(e); @@ -115,7 +116,7 @@ private void grantOrRevokePrivs(List principals, PrivilegeBag pri } private PrivilegeBag toPrivilegeBag(List privileges, - HivePrivilegeObject privObject, HivePrincipal grantor, boolean grantOption) + HivePrivilegeObject privObject, HivePrincipal grantor, boolean grantOption, String authorizer) throws HiveException { PrivilegeBag privBag = new PrivilegeBag(); @@ -136,7 +137,7 @@ private PrivilegeBag toPrivilegeBag(List privileges, privBag.addToPrivileges(new HiveObjectPrivilege(new HiveObjectRef( HiveObjectType.GLOBAL, null, null, null, null), null, null, new PrivilegeGrantInfo(priv.getName(), 0, grantor.getName(), grantorType, - grantOption))); + grantOption), authorizer)); } return privBag; } @@ -186,23 +187,23 @@ private PrivilegeBag toPrivilegeBag(List privileges, privBag.addToPrivileges(new HiveObjectPrivilege( new HiveObjectRef(HiveObjectType.COLUMN, dbObj.getName(), tableObj.getTableName(), partValues, columns.get(i)), null, null, - new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption), authorizer)); } } else if (tableObj == null) { privBag.addToPrivileges(new HiveObjectPrivilege( new HiveObjectRef(HiveObjectType.DATABASE, dbObj.getName(), null, null, null), null, null, - new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption), authorizer)); } else if (partValues == null) { privBag.addToPrivileges(new HiveObjectPrivilege( new HiveObjectRef(HiveObjectType.TABLE, dbObj.getName(), tableObj.getTableName(), null, null), null, null, - new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption), authorizer)); } else { privBag.addToPrivileges(new HiveObjectPrivilege( new HiveObjectRef(HiveObjectType.PARTITION, dbObj.getName(), tableObj.getTableName(), partValues, null), null, null, - new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption), authorizer)); } } return privBag; diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java index 02ed7aa..e787538 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java @@ -99,7 +99,7 @@ static PrivilegeBag getThriftPrivilegesBag(List hivePrincipals, grantOption, 0 /*real grant time added by metastore*/); for (HivePrincipal principal : hivePrincipals) { HiveObjectPrivilege objPriv = new HiveObjectPrivilege(privObj, principal.getName(), - AuthorizationUtils.getThriftPrincipalType(principal.getType()), grantInfo); + AuthorizationUtils.getThriftPrincipalType(principal.getType()), grantInfo, "SQL"); privBag.addToPrivileges(objPriv); } } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/udf/generic/GenericUDFCurrentAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/udf/generic/GenericUDFCurrentAuthorizer.java new file mode 100644 index 0000000..406089d --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/udf/generic/GenericUDFCurrentAuthorizer.java @@ -0,0 +1,119 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hive.ql.udf.generic; + +import java.util.List; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.metastore.conf.MetastoreConf; +import org.apache.hadoop.hive.ql.exec.Description; +import org.apache.hadoop.hive.ql.exec.UDFArgumentException; +import org.apache.hadoop.hive.ql.exec.UDFArgumentLengthException; +import org.apache.hadoop.hive.ql.metadata.HiveException; +import org.apache.hadoop.hive.ql.metadata.HiveUtils; +import org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.session.SessionState; +import org.apache.hadoop.hive.ql.udf.UDFType; +import org.apache.hadoop.hive.serde2.objectinspector.ObjectInspector; +import org.apache.hadoop.hive.serde2.objectinspector.primitive.PrimitiveObjectInspectorFactory; +import org.apache.hadoop.io.Text; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * UDF to determine the current authorizer (class name of the authorizer) + * This is intended for internal usage only. This function is not a deterministic function, + * but a runtime constant. The return value is constant within a query but can be different between queries + */ +@UDFType(deterministic = false, runtimeConstant = true) +@Description(name = "current_authorizer", + value = "_FUNC_() - Returns the current authorizer (class name of the authorizer). ") +@NDV(maxNdv = 1) +public class GenericUDFCurrentAuthorizer extends GenericUDF { + private static final Logger LOG = LoggerFactory.getLogger(GenericUDFCurrentAuthorizer.class.getName()); + protected Text authorizer; + + @Override + public ObjectInspector initialize(ObjectInspector[] arguments) throws UDFArgumentException { + if (arguments.length != 0) { + throw new UDFArgumentLengthException( + "The function CurrentAuthorizer does not take any arguments, but found " + arguments.length); + } + + if (authorizer == null) { + + HiveConf hiveConf = SessionState.getSessionConf(); + HiveAuthorizer hiveAuthorizer = SessionState.get().getAuthorizerV2(); + try { + if (hiveAuthorizer.getHivePolicyProvider() != null) { + authorizer = new Text(hiveAuthorizer.getHivePolicyProvider().getClass().getSimpleName()); + } + } catch (HiveAuthzPluginException e) { + LOG.warn("Error getting HivePolicyProvider", e); + } + + if (authorizer == null) { + if (MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS) != null && + !MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS).isEmpty() && + HiveConf.getVar(hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER) != null) { + List authorizerProviders; + try { + authorizerProviders = HiveUtils.getMetaStoreAuthorizeProviderManagers( + hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER, + SessionState.get().getAuthenticator()); + for (HiveMetastoreAuthorizationProvider authProvider : authorizerProviders) { + if (authProvider.getHivePolicyProvider() != null) { + authorizer = new Text(authProvider.getHivePolicyProvider().getClass().getSimpleName()); + break; + } + } + } catch (HiveAuthzPluginException e) { + LOG.warn("Error getting HivePolicyProvider", e); + } catch (HiveException e) { + LOG.warn("Error instantiating hive.security.metastore.authorization.manager", e); + } + } + } + } + + return PrimitiveObjectInspectorFactory.writableStringObjectInspector; + } + + @Override + public Object evaluate(DeferredObject[] arguments) throws HiveException { + return authorizer; + } + + @Override + public String getDisplayString(String[] children) { + return "CURRENT_AUTHORIZER()"; + } + + @Override + public void copyToNewInstance(Object newInstance) throws UDFArgumentException { + super.copyToNewInstance(newInstance); + // Need to preserve authorizer flag + GenericUDFCurrentAuthorizer other = (GenericUDFCurrentAuthorizer) newInstance; + if (this.authorizer != null) { + other.authorizer = new Text(this.authorizer); + } + } +} diff --git a/service/src/java/org/apache/hive/service/server/HiveServer2.java b/service/src/java/org/apache/hive/service/server/HiveServer2.java index cf3edbf..66d6772 100644 --- a/service/src/java/org/apache/hive/service/server/HiveServer2.java +++ b/service/src/java/org/apache/hive/service/server/HiveServer2.java @@ -74,6 +74,7 @@ import org.apache.hadoop.hive.metastore.api.WMFullResourcePlan; import org.apache.hadoop.hive.metastore.api.WMPool; import org.apache.hadoop.hive.metastore.api.WMResourcePlan; +import org.apache.hadoop.hive.metastore.conf.MetastoreConf; import org.apache.hadoop.hive.ql.cache.results.QueryResultsCache; import org.apache.hadoop.hive.ql.exec.spark.session.SparkSessionManagerImpl; import org.apache.hadoop.hive.ql.exec.tez.TezSessionPoolManager; @@ -81,8 +82,11 @@ import org.apache.hadoop.hive.ql.metadata.Hive; import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.ql.metadata.HiveMaterializedViewsRegistry; +import org.apache.hadoop.hive.ql.metadata.HiveUtils; import org.apache.hadoop.hive.ql.metadata.events.NotificationEventPoll; import org.apache.hadoop.hive.ql.plan.mapper.StatsSources; +import org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider; +import org.apache.hadoop.hive.ql.security.authorization.PolicyProviderContainer; import org.apache.hadoop.hive.ql.security.authorization.PrivilegeSynchonizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.session.ClearDanglingScratchDir; @@ -978,16 +982,33 @@ public void startPrivilegeSynchonizer(HiveConf hiveConf) throws Exception { + ZooKeeperHiveHelper.ZOOKEEPER_PATH_SEPARATOR + "leader"; LeaderLatch privilegeSynchonizerLatch = new LeaderLatch(zKClientForPrivSync, path); privilegeSynchonizerLatch.start(); + PolicyProviderContainer policyContainer = new PolicyProviderContainer(); HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); - if (authorizer.getHivePolicyProvider() == null) { + if (authorizer.getHivePolicyProvider() != null) { + policyContainer.addAuthorizer(authorizer); + } + if (hiveConf.get(MetastoreConf.ConfVars.PRE_EVENT_LISTENERS.getVarname()) != null && + hiveConf.get(MetastoreConf.ConfVars.PRE_EVENT_LISTENERS.getVarname()).contains( + "org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener") && + hiveConf.get(MetastoreConf.ConfVars.HIVE_AUTHORIZATION_MANAGER.getVarname())!= null) { + List providers = HiveUtils.getMetaStoreAuthorizeProviderManagers( + hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER, SessionState.get().getAuthenticator()); + for (HiveMetastoreAuthorizationProvider provider : providers) { + if (provider.getHivePolicyProvider() != null) { + policyContainer.addAuthorizationProvider(provider); + } + } + } + + if (policyContainer.size() > 0) { + Thread privilegeSynchonizerThread = new Thread( + new PrivilegeSynchonizer(privilegeSynchonizerLatch, policyContainer, hiveConf), "PrivilegeSynchonizer"); + privilegeSynchonizerThread.start(); + } else { LOG.warn( - "Cannot start PrivilegeSynchonizer, policyProvider of " + authorizer.getClass().getName() + " is null"); + "No policy provider found, stop PrivilegeSynchonizer"); privilegeSynchonizerLatch.close(); - return; } - Thread privilegeSynchonizerThread = new Thread( - new PrivilegeSynchonizer(privilegeSynchonizerLatch, authorizer, hiveConf), "PrivilegeSynchonizer"); - privilegeSynchonizerThread.start(); } } diff --git a/standalone-metastore/src/gen/thrift/gen-cpp/hive_metastore_types.cpp b/standalone-metastore/src/gen/thrift/gen-cpp/hive_metastore_types.cpp index af975fc..8925fe2 100644 --- a/standalone-metastore/src/gen/thrift/gen-cpp/hive_metastore_types.cpp +++ b/standalone-metastore/src/gen/thrift/gen-cpp/hive_metastore_types.cpp @@ -2658,6 +2658,10 @@ void HiveObjectPrivilege::__set_grantInfo(const PrivilegeGrantInfo& val) { this->grantInfo = val; } +void HiveObjectPrivilege::__set_authorizer(const std::string& val) { + this->authorizer = val; +} + uint32_t HiveObjectPrivilege::read(::apache::thrift::protocol::TProtocol* iprot) { apache::thrift::protocol::TInputRecursionTracker tracker(*iprot); @@ -2713,6 +2717,14 @@ uint32_t HiveObjectPrivilege::read(::apache::thrift::protocol::TProtocol* iprot) xfer += iprot->skip(ftype); } break; + case 5: + if (ftype == ::apache::thrift::protocol::T_STRING) { + xfer += iprot->readString(this->authorizer); + this->__isset.authorizer = true; + } else { + xfer += iprot->skip(ftype); + } + break; default: xfer += iprot->skip(ftype); break; @@ -2746,6 +2758,10 @@ uint32_t HiveObjectPrivilege::write(::apache::thrift::protocol::TProtocol* oprot xfer += this->grantInfo.write(oprot); xfer += oprot->writeFieldEnd(); + xfer += oprot->writeFieldBegin("authorizer", ::apache::thrift::protocol::T_STRING, 5); + xfer += oprot->writeString(this->authorizer); + xfer += oprot->writeFieldEnd(); + xfer += oprot->writeFieldStop(); xfer += oprot->writeStructEnd(); return xfer; @@ -2757,6 +2773,7 @@ void swap(HiveObjectPrivilege &a, HiveObjectPrivilege &b) { swap(a.principalName, b.principalName); swap(a.principalType, b.principalType); swap(a.grantInfo, b.grantInfo); + swap(a.authorizer, b.authorizer); swap(a.__isset, b.__isset); } @@ -2765,6 +2782,7 @@ HiveObjectPrivilege::HiveObjectPrivilege(const HiveObjectPrivilege& other37) { principalName = other37.principalName; principalType = other37.principalType; grantInfo = other37.grantInfo; + authorizer = other37.authorizer; __isset = other37.__isset; } HiveObjectPrivilege& HiveObjectPrivilege::operator=(const HiveObjectPrivilege& other38) { @@ -2772,6 +2790,7 @@ HiveObjectPrivilege& HiveObjectPrivilege::operator=(const HiveObjectPrivilege& o principalName = other38.principalName; principalType = other38.principalType; grantInfo = other38.grantInfo; + authorizer = other38.authorizer; __isset = other38.__isset; return *this; } @@ -2782,6 +2801,7 @@ void HiveObjectPrivilege::printTo(std::ostream& out) const { out << ", " << "principalName=" << to_string(principalName); out << ", " << "principalType=" << to_string(principalType); out << ", " << "grantInfo=" << to_string(grantInfo); + out << ", " << "authorizer=" << to_string(authorizer); out << ")"; } diff --git a/standalone-metastore/src/gen/thrift/gen-cpp/hive_metastore_types.h b/standalone-metastore/src/gen/thrift/gen-cpp/hive_metastore_types.h index 7b42182..78656d9 100644 --- a/standalone-metastore/src/gen/thrift/gen-cpp/hive_metastore_types.h +++ b/standalone-metastore/src/gen/thrift/gen-cpp/hive_metastore_types.h @@ -1622,11 +1622,12 @@ inline std::ostream& operator<<(std::ostream& out, const PrivilegeGrantInfo& obj } typedef struct _HiveObjectPrivilege__isset { - _HiveObjectPrivilege__isset() : hiveObject(false), principalName(false), principalType(false), grantInfo(false) {} + _HiveObjectPrivilege__isset() : hiveObject(false), principalName(false), principalType(false), grantInfo(false), authorizer(false) {} bool hiveObject :1; bool principalName :1; bool principalType :1; bool grantInfo :1; + bool authorizer :1; } _HiveObjectPrivilege__isset; class HiveObjectPrivilege { @@ -1634,7 +1635,7 @@ class HiveObjectPrivilege { HiveObjectPrivilege(const HiveObjectPrivilege&); HiveObjectPrivilege& operator=(const HiveObjectPrivilege&); - HiveObjectPrivilege() : principalName(), principalType((PrincipalType::type)0) { + HiveObjectPrivilege() : principalName(), principalType((PrincipalType::type)0), authorizer() { } virtual ~HiveObjectPrivilege() throw(); @@ -1642,6 +1643,7 @@ class HiveObjectPrivilege { std::string principalName; PrincipalType::type principalType; PrivilegeGrantInfo grantInfo; + std::string authorizer; _HiveObjectPrivilege__isset __isset; @@ -1653,6 +1655,8 @@ class HiveObjectPrivilege { void __set_grantInfo(const PrivilegeGrantInfo& val); + void __set_authorizer(const std::string& val); + bool operator == (const HiveObjectPrivilege & rhs) const { if (!(hiveObject == rhs.hiveObject)) @@ -1663,6 +1667,8 @@ class HiveObjectPrivilege { return false; if (!(grantInfo == rhs.grantInfo)) return false; + if (!(authorizer == rhs.authorizer)) + return false; return true; } bool operator != (const HiveObjectPrivilege &rhs) const { diff --git a/standalone-metastore/src/gen/thrift/gen-javabean/org/apache/hadoop/hive/metastore/api/HiveObjectPrivilege.java b/standalone-metastore/src/gen/thrift/gen-javabean/org/apache/hadoop/hive/metastore/api/HiveObjectPrivilege.java index ef2e535..8b2817d 100644 --- a/standalone-metastore/src/gen/thrift/gen-javabean/org/apache/hadoop/hive/metastore/api/HiveObjectPrivilege.java +++ b/standalone-metastore/src/gen/thrift/gen-javabean/org/apache/hadoop/hive/metastore/api/HiveObjectPrivilege.java @@ -42,6 +42,7 @@ private static final org.apache.thrift.protocol.TField PRINCIPAL_NAME_FIELD_DESC = new org.apache.thrift.protocol.TField("principalName", org.apache.thrift.protocol.TType.STRING, (short)2); private static final org.apache.thrift.protocol.TField PRINCIPAL_TYPE_FIELD_DESC = new org.apache.thrift.protocol.TField("principalType", org.apache.thrift.protocol.TType.I32, (short)3); private static final org.apache.thrift.protocol.TField GRANT_INFO_FIELD_DESC = new org.apache.thrift.protocol.TField("grantInfo", org.apache.thrift.protocol.TType.STRUCT, (short)4); + private static final org.apache.thrift.protocol.TField AUTHORIZER_FIELD_DESC = new org.apache.thrift.protocol.TField("authorizer", org.apache.thrift.protocol.TType.STRING, (short)5); private static final Map, SchemeFactory> schemes = new HashMap, SchemeFactory>(); static { @@ -53,6 +54,7 @@ private String principalName; // required private PrincipalType principalType; // required private PrivilegeGrantInfo grantInfo; // required + private String authorizer; // required /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */ public enum _Fields implements org.apache.thrift.TFieldIdEnum { @@ -63,7 +65,8 @@ * @see PrincipalType */ PRINCIPAL_TYPE((short)3, "principalType"), - GRANT_INFO((short)4, "grantInfo"); + GRANT_INFO((short)4, "grantInfo"), + AUTHORIZER((short)5, "authorizer"); private static final Map byName = new HashMap(); @@ -86,6 +89,8 @@ public static _Fields findByThriftId(int fieldId) { return PRINCIPAL_TYPE; case 4: // GRANT_INFO return GRANT_INFO; + case 5: // AUTHORIZER + return AUTHORIZER; default: return null; } @@ -137,6 +142,8 @@ public String getFieldName() { new org.apache.thrift.meta_data.EnumMetaData(org.apache.thrift.protocol.TType.ENUM, PrincipalType.class))); tmpMap.put(_Fields.GRANT_INFO, new org.apache.thrift.meta_data.FieldMetaData("grantInfo", org.apache.thrift.TFieldRequirementType.DEFAULT, new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, PrivilegeGrantInfo.class))); + tmpMap.put(_Fields.AUTHORIZER, new org.apache.thrift.meta_data.FieldMetaData("authorizer", org.apache.thrift.TFieldRequirementType.DEFAULT, + new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); metaDataMap = Collections.unmodifiableMap(tmpMap); org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(HiveObjectPrivilege.class, metaDataMap); } @@ -148,13 +155,15 @@ public HiveObjectPrivilege( HiveObjectRef hiveObject, String principalName, PrincipalType principalType, - PrivilegeGrantInfo grantInfo) + PrivilegeGrantInfo grantInfo, + String authorizer) { this(); this.hiveObject = hiveObject; this.principalName = principalName; this.principalType = principalType; this.grantInfo = grantInfo; + this.authorizer = authorizer; } /** @@ -173,6 +182,9 @@ public HiveObjectPrivilege(HiveObjectPrivilege other) { if (other.isSetGrantInfo()) { this.grantInfo = new PrivilegeGrantInfo(other.grantInfo); } + if (other.isSetAuthorizer()) { + this.authorizer = other.authorizer; + } } public HiveObjectPrivilege deepCopy() { @@ -185,6 +197,7 @@ public void clear() { this.principalName = null; this.principalType = null; this.grantInfo = null; + this.authorizer = null; } public HiveObjectRef getHiveObject() { @@ -287,6 +300,29 @@ public void setGrantInfoIsSet(boolean value) { } } + public String getAuthorizer() { + return this.authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } + + public void unsetAuthorizer() { + this.authorizer = null; + } + + /** Returns true if field authorizer is set (has been assigned a value) and false otherwise */ + public boolean isSetAuthorizer() { + return this.authorizer != null; + } + + public void setAuthorizerIsSet(boolean value) { + if (!value) { + this.authorizer = null; + } + } + public void setFieldValue(_Fields field, Object value) { switch (field) { case HIVE_OBJECT: @@ -321,6 +357,14 @@ public void setFieldValue(_Fields field, Object value) { } break; + case AUTHORIZER: + if (value == null) { + unsetAuthorizer(); + } else { + setAuthorizer((String)value); + } + break; + } } @@ -338,6 +382,9 @@ public Object getFieldValue(_Fields field) { case GRANT_INFO: return getGrantInfo(); + case AUTHORIZER: + return getAuthorizer(); + } throw new IllegalStateException(); } @@ -357,6 +404,8 @@ public boolean isSet(_Fields field) { return isSetPrincipalType(); case GRANT_INFO: return isSetGrantInfo(); + case AUTHORIZER: + return isSetAuthorizer(); } throw new IllegalStateException(); } @@ -410,6 +459,15 @@ public boolean equals(HiveObjectPrivilege that) { return false; } + boolean this_present_authorizer = true && this.isSetAuthorizer(); + boolean that_present_authorizer = true && that.isSetAuthorizer(); + if (this_present_authorizer || that_present_authorizer) { + if (!(this_present_authorizer && that_present_authorizer)) + return false; + if (!this.authorizer.equals(that.authorizer)) + return false; + } + return true; } @@ -437,6 +495,11 @@ public int hashCode() { if (present_grantInfo) list.add(grantInfo); + boolean present_authorizer = true && (isSetAuthorizer()); + list.add(present_authorizer); + if (present_authorizer) + list.add(authorizer); + return list.hashCode(); } @@ -488,6 +551,16 @@ public int compareTo(HiveObjectPrivilege other) { return lastComparison; } } + lastComparison = Boolean.valueOf(isSetAuthorizer()).compareTo(other.isSetAuthorizer()); + if (lastComparison != 0) { + return lastComparison; + } + if (isSetAuthorizer()) { + lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.authorizer, other.authorizer); + if (lastComparison != 0) { + return lastComparison; + } + } return 0; } @@ -539,6 +612,14 @@ public String toString() { sb.append(this.grantInfo); } first = false; + if (!first) sb.append(", "); + sb.append("authorizer:"); + if (this.authorizer == null) { + sb.append("null"); + } else { + sb.append(this.authorizer); + } + first = false; sb.append(")"); return sb.toString(); } @@ -622,6 +703,14 @@ public void read(org.apache.thrift.protocol.TProtocol iprot, HiveObjectPrivilege org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } break; + case 5: // AUTHORIZER + if (schemeField.type == org.apache.thrift.protocol.TType.STRING) { + struct.authorizer = iprot.readString(); + struct.setAuthorizerIsSet(true); + } else { + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + break; default: org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } @@ -655,6 +744,11 @@ public void write(org.apache.thrift.protocol.TProtocol oprot, HiveObjectPrivileg struct.grantInfo.write(oprot); oprot.writeFieldEnd(); } + if (struct.authorizer != null) { + oprot.writeFieldBegin(AUTHORIZER_FIELD_DESC); + oprot.writeString(struct.authorizer); + oprot.writeFieldEnd(); + } oprot.writeFieldStop(); oprot.writeStructEnd(); } @@ -685,7 +779,10 @@ public void write(org.apache.thrift.protocol.TProtocol prot, HiveObjectPrivilege if (struct.isSetGrantInfo()) { optionals.set(3); } - oprot.writeBitSet(optionals, 4); + if (struct.isSetAuthorizer()) { + optionals.set(4); + } + oprot.writeBitSet(optionals, 5); if (struct.isSetHiveObject()) { struct.hiveObject.write(oprot); } @@ -698,12 +795,15 @@ public void write(org.apache.thrift.protocol.TProtocol prot, HiveObjectPrivilege if (struct.isSetGrantInfo()) { struct.grantInfo.write(oprot); } + if (struct.isSetAuthorizer()) { + oprot.writeString(struct.authorizer); + } } @Override public void read(org.apache.thrift.protocol.TProtocol prot, HiveObjectPrivilege struct) throws org.apache.thrift.TException { TTupleProtocol iprot = (TTupleProtocol) prot; - BitSet incoming = iprot.readBitSet(4); + BitSet incoming = iprot.readBitSet(5); if (incoming.get(0)) { struct.hiveObject = new HiveObjectRef(); struct.hiveObject.read(iprot); @@ -722,6 +822,10 @@ public void read(org.apache.thrift.protocol.TProtocol prot, HiveObjectPrivilege struct.grantInfo.read(iprot); struct.setGrantInfoIsSet(true); } + if (incoming.get(4)) { + struct.authorizer = iprot.readString(); + struct.setAuthorizerIsSet(true); + } } } diff --git a/standalone-metastore/src/gen/thrift/gen-php/metastore/Types.php b/standalone-metastore/src/gen/thrift/gen-php/metastore/Types.php index 353c0de..fe54515 100644 --- a/standalone-metastore/src/gen/thrift/gen-php/metastore/Types.php +++ b/standalone-metastore/src/gen/thrift/gen-php/metastore/Types.php @@ -2719,6 +2719,10 @@ class HiveObjectPrivilege { * @var \metastore\PrivilegeGrantInfo */ public $grantInfo = null; + /** + * @var string + */ + public $authorizer = null; public function __construct($vals=null) { if (!isset(self::$_TSPEC)) { @@ -2741,6 +2745,10 @@ class HiveObjectPrivilege { 'type' => TType::STRUCT, 'class' => '\metastore\PrivilegeGrantInfo', ), + 5 => array( + 'var' => 'authorizer', + 'type' => TType::STRING, + ), ); } if (is_array($vals)) { @@ -2756,6 +2764,9 @@ class HiveObjectPrivilege { if (isset($vals['grantInfo'])) { $this->grantInfo = $vals['grantInfo']; } + if (isset($vals['authorizer'])) { + $this->authorizer = $vals['authorizer']; + } } } @@ -2808,6 +2819,13 @@ class HiveObjectPrivilege { $xfer += $input->skip($ftype); } break; + case 5: + if ($ftype == TType::STRING) { + $xfer += $input->readString($this->authorizer); + } else { + $xfer += $input->skip($ftype); + } + break; default: $xfer += $input->skip($ftype); break; @@ -2847,6 +2865,11 @@ class HiveObjectPrivilege { $xfer += $this->grantInfo->write($output); $xfer += $output->writeFieldEnd(); } + if ($this->authorizer !== null) { + $xfer += $output->writeFieldBegin('authorizer', TType::STRING, 5); + $xfer += $output->writeString($this->authorizer); + $xfer += $output->writeFieldEnd(); + } $xfer += $output->writeFieldStop(); $xfer += $output->writeStructEnd(); return $xfer; diff --git a/standalone-metastore/src/gen/thrift/gen-py/hive_metastore/ttypes.py b/standalone-metastore/src/gen/thrift/gen-py/hive_metastore/ttypes.py index fdec32e..786c8c5 100644 --- a/standalone-metastore/src/gen/thrift/gen-py/hive_metastore/ttypes.py +++ b/standalone-metastore/src/gen/thrift/gen-py/hive_metastore/ttypes.py @@ -2013,6 +2013,7 @@ class HiveObjectPrivilege: - principalName - principalType - grantInfo + - authorizer """ thrift_spec = ( @@ -2021,13 +2022,15 @@ class HiveObjectPrivilege: (2, TType.STRING, 'principalName', None, None, ), # 2 (3, TType.I32, 'principalType', None, None, ), # 3 (4, TType.STRUCT, 'grantInfo', (PrivilegeGrantInfo, PrivilegeGrantInfo.thrift_spec), None, ), # 4 + (5, TType.STRING, 'authorizer', None, None, ), # 5 ) - def __init__(self, hiveObject=None, principalName=None, principalType=None, grantInfo=None,): + def __init__(self, hiveObject=None, principalName=None, principalType=None, grantInfo=None, authorizer=None,): self.hiveObject = hiveObject self.principalName = principalName self.principalType = principalType self.grantInfo = grantInfo + self.authorizer = authorizer def read(self, iprot): if iprot.__class__ == TBinaryProtocol.TBinaryProtocolAccelerated and isinstance(iprot.trans, TTransport.CReadableTransport) and self.thrift_spec is not None and fastbinary is not None: @@ -2060,6 +2063,11 @@ def read(self, iprot): self.grantInfo.read(iprot) else: iprot.skip(ftype) + elif fid == 5: + if ftype == TType.STRING: + self.authorizer = iprot.readString() + else: + iprot.skip(ftype) else: iprot.skip(ftype) iprot.readFieldEnd() @@ -2086,6 +2094,10 @@ def write(self, oprot): oprot.writeFieldBegin('grantInfo', TType.STRUCT, 4) self.grantInfo.write(oprot) oprot.writeFieldEnd() + if self.authorizer is not None: + oprot.writeFieldBegin('authorizer', TType.STRING, 5) + oprot.writeString(self.authorizer) + oprot.writeFieldEnd() oprot.writeFieldStop() oprot.writeStructEnd() @@ -2099,6 +2111,7 @@ def __hash__(self): value = (value * 31) ^ hash(self.principalName) value = (value * 31) ^ hash(self.principalType) value = (value * 31) ^ hash(self.grantInfo) + value = (value * 31) ^ hash(self.authorizer) return value def __repr__(self): diff --git a/standalone-metastore/src/gen/thrift/gen-rb/hive_metastore_types.rb b/standalone-metastore/src/gen/thrift/gen-rb/hive_metastore_types.rb index fb73b28..9174596 100644 --- a/standalone-metastore/src/gen/thrift/gen-rb/hive_metastore_types.rb +++ b/standalone-metastore/src/gen/thrift/gen-rb/hive_metastore_types.rb @@ -507,12 +507,14 @@ class HiveObjectPrivilege PRINCIPALNAME = 2 PRINCIPALTYPE = 3 GRANTINFO = 4 + AUTHORIZER = 5 FIELDS = { HIVEOBJECT => {:type => ::Thrift::Types::STRUCT, :name => 'hiveObject', :class => ::HiveObjectRef}, PRINCIPALNAME => {:type => ::Thrift::Types::STRING, :name => 'principalName'}, PRINCIPALTYPE => {:type => ::Thrift::Types::I32, :name => 'principalType', :enum_class => ::PrincipalType}, - GRANTINFO => {:type => ::Thrift::Types::STRUCT, :name => 'grantInfo', :class => ::PrivilegeGrantInfo} + GRANTINFO => {:type => ::Thrift::Types::STRUCT, :name => 'grantInfo', :class => ::PrivilegeGrantInfo}, + AUTHORIZER => {:type => ::Thrift::Types::STRING, :name => 'authorizer'} } def struct_fields; FIELDS; end diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java index 3978b88..c899382 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java @@ -802,7 +802,7 @@ private void createDefaultRoles_core() throws MetaException { PrivilegeBag privs = new PrivilegeBag(); privs.addToPrivileges(new HiveObjectPrivilege( new HiveObjectRef(HiveObjectType.GLOBAL, null, null, null, null), ADMIN, PrincipalType.ROLE, new PrivilegeGrantInfo("All", 0, ADMIN, - PrincipalType.ROLE, true))); + PrincipalType.ROLE, true), "SQL")); try { ms.grantPrivileges(privs); } catch (InvalidObjectException e) { diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java index b43334b..5e5f344 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java @@ -1314,13 +1314,13 @@ public void createTable(Table tbl) throws InvalidObjectException, MetaException int now = (int)(System.currentTimeMillis()/1000); Map> userPrivs = principalPrivs.getUserPrivileges(); - putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, userPrivs, PrincipalType.USER); + putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, userPrivs, PrincipalType.USER, "SQL"); Map> groupPrivs = principalPrivs.getGroupPrivileges(); - putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, groupPrivs, PrincipalType.GROUP); + putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, groupPrivs, PrincipalType.GROUP, "SQL"); Map> rolePrivs = principalPrivs.getRolePrivileges(); - putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, rolePrivs, PrincipalType.ROLE); + putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, rolePrivs, PrincipalType.ROLE, "SQL"); } pm.makePersistentAll(toPersistPrivObjs); commited = commitTransaction(); @@ -1350,7 +1350,7 @@ public void createTable(Table tbl) throws InvalidObjectException, MetaException * @param type */ private void putPersistentPrivObjects(MTable mtbl, List toPersistPrivObjs, - int now, Map> privMap, PrincipalType type) { + int now, Map> privMap, PrincipalType type, String authorizer) { if (privMap != null) { for (Map.Entry> entry : privMap .entrySet()) { @@ -1364,7 +1364,7 @@ private void putPersistentPrivObjects(MTable mtbl, List toPersistPrivObj MTablePrivilege mTblSec = new MTablePrivilege( principalName, type.toString(), mtbl, priv.getPrivilege(), now, priv.getGrantor(), priv.getGrantorType().toString(), priv - .isGrantOption()); + .isGrantOption(), authorizer); toPersistPrivObjs.add(mTblSec); } } @@ -2242,7 +2242,8 @@ public boolean addPartitions(String catName, String dbName, String tblName, List for (MTablePrivilege tab: tabGrants) { toPersist.add(new MPartitionPrivilege(tab.getPrincipalName(), tab.getPrincipalType(), mpart, tab.getPrivilege(), now, - tab.getGrantor(), tab.getGrantorType(), tab.getGrantOption())); + tab.getGrantor(), tab.getGrantorType(), tab.getGrantOption(), + tab.getAuthorizer())); } } @@ -2250,7 +2251,8 @@ public boolean addPartitions(String catName, String dbName, String tblName, List for (MTableColumnPrivilege col : tabColumnGrants) { toPersist.add(new MPartitionColumnPrivilege(col.getPrincipalName(), col.getPrincipalType(), mpart, col.getColumnName(), col.getPrivilege(), - now, col.getGrantor(), col.getGrantorType(), col.getGrantOption())); + now, col.getGrantor(), col.getGrantorType(), col.getGrantOption(), + col.getAuthorizer())); } } } @@ -2314,7 +2316,8 @@ public boolean addPartitions(String catName, String dbName, String tblName, for (MTablePrivilege tab : tabGrants) { pm.makePersistent(new MPartitionPrivilege(tab.getPrincipalName(), tab.getPrincipalType(), mpart, tab.getPrivilege(), now, - tab.getGrantor(), tab.getGrantorType(), tab.getGrantOption())); + tab.getGrantor(), tab.getGrantorType(), tab.getGrantOption(), + tab.getAuthorizer())); } } @@ -2322,7 +2325,8 @@ public boolean addPartitions(String catName, String dbName, String tblName, for (MTableColumnPrivilege col : tabColumnGrants) { pm.makePersistent(new MPartitionColumnPrivilege(col.getPrincipalName(), col.getPrincipalType(), mpart, col.getColumnName(), col.getPrivilege(), - now, col.getGrantor(), col.getGrantorType(), col.getGrantOption())); + now, col.getGrantor(), col.getGrantorType(), col.getGrantOption(), + col.getAuthorizer())); } } } @@ -2363,7 +2367,7 @@ public boolean addPartition(Partition part) throws InvalidObjectException, MPartitionPrivilege partGrant = new MPartitionPrivilege(tab .getPrincipalName(), tab.getPrincipalType(), mpart, tab.getPrivilege(), now, tab.getGrantor(), tab - .getGrantorType(), tab.getGrantOption()); + .getGrantorType(), tab.getGrantOption(), tab.getAuthorizer()); toPersist.add(partGrant); } } @@ -2373,7 +2377,7 @@ public boolean addPartition(Partition part) throws InvalidObjectException, MPartitionColumnPrivilege partColumn = new MPartitionColumnPrivilege(col .getPrincipalName(), col.getPrincipalType(), mpart, col .getColumnName(), col.getPrivilege(), now, col.getGrantor(), col - .getGrantorType(), col.getGrantOption()); + .getGrantorType(), col.getGrantOption(), col.getAuthorizer()); toPersist.add(partColumn); } @@ -5633,6 +5637,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce String privilegeStr = privDef.getGrantInfo().getPrivilege(); String[] privs = privilegeStr.split(","); String userName = privDef.getPrincipalName(); + String authorizer = privDef.getAuthorizer(); PrincipalType principalType = privDef.getPrincipalType(); String grantor = privDef.getGrantInfo().getGrantor(); String grantorType = privDef.getGrantInfo().getGrantorType().toString(); @@ -5661,7 +5666,8 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce + " is already granted by " + grantor); } MGlobalPrivilege mGlobalPrivs = new MGlobalPrivilege(userName, - principalType.toString(), privilege, now, grantor, grantorType, grantOption); + principalType.toString(), privilege, now, grantor, grantorType, grantOption, + authorizer); persistentObjs.add(mGlobalPrivs); } } else if (hiveObject.getObjectType() == HiveObjectType.DATABASE) { @@ -5683,7 +5689,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce + hiveObject.getDbName() + " by " + grantor); } MDBPrivilege mDb = new MDBPrivilege(userName, principalType - .toString(), dbObj, privilege, now, grantor, grantorType, grantOption); + .toString(), dbObj, privilege, now, grantor, grantorType, grantOption, authorizer); persistentObjs.add(mDb); } } @@ -5711,7 +5717,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce } MTablePrivilege mTab = new MTablePrivilege( userName, principalType.toString(), tblObj, - privilege, now, grantor, grantorType, grantOption); + privilege, now, grantor, grantorType, grantOption, authorizer); persistentObjs.add(mTab); } } @@ -5742,7 +5748,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce } MPartitionPrivilege mTab = new MPartitionPrivilege(userName, principalType.toString(), partObj, privilege, now, grantor, - grantorType, grantOption); + grantorType, grantOption, authorizer); persistentObjs.add(mTab); } } @@ -5782,7 +5788,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce MPartitionColumnPrivilege mCol = new MPartitionColumnPrivilege(userName, principalType.toString(), partObj, hiveObject .getColumnName(), privilege, now, grantor, grantorType, - grantOption); + grantOption, authorizer); persistentObjs.add(mCol); } @@ -5810,7 +5816,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce MTableColumnPrivilege mCol = new MTableColumnPrivilege(userName, principalType.toString(), tblObj, hiveObject .getColumnName(), privilege, now, grantor, grantorType, - grantOption); + grantOption, authorizer); persistentObjs.add(mCol); } } @@ -6251,7 +6257,8 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP objectRef, sUsr.getPrincipalName(), principalType, new PrivilegeGrantInfo(sUsr.getPrivilege(), sUsr .getCreateTime(), sUsr.getGrantor(), PrincipalType - .valueOf(sUsr.getGrantorType()), sUsr.getGrantOption())); + .valueOf(sUsr.getGrantorType()), sUsr.getGrantOption()), + sUsr.getAuthorizer()); result.add(secUser); } return result; @@ -6277,13 +6284,14 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP List result = new ArrayList<>(); for (MGlobalPrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); HiveObjectRef objectRef = new HiveObjectRef(HiveObjectType.GLOBAL, null, null, null, null); PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } @@ -6336,7 +6344,7 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP sDB.getPrincipalName(), principalType, new PrivilegeGrantInfo(sDB.getPrivilege(), sDB .getCreateTime(), sDB.getGrantor(), PrincipalType - .valueOf(sDB.getGrantorType()), sDB.getGrantOption())); + .valueOf(sDB.getGrantorType()), sDB.getGrantOption()), sDB.getAuthorizer()); result.add(secObj); } return result; @@ -6367,6 +6375,7 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP List result = new ArrayList<>(); for (MDBPrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); String database = priv.getDatabase().getName(); @@ -6376,7 +6385,7 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } @@ -6721,7 +6730,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl sTbl.getPrincipalName(), principalType, new PrivilegeGrantInfo(sTbl.getPrivilege(), sTbl.getCreateTime(), sTbl .getGrantor(), PrincipalType.valueOf(sTbl - .getGrantorType()), sTbl.getGrantOption())); + .getGrantorType()), sTbl.getGrantOption()), sTbl.getAuthorizer()); result.add(secObj); } return result; @@ -6788,7 +6797,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl new PrivilegeGrantInfo(sPart.getPrivilege(), sPart .getCreateTime(), sPart.getGrantor(), PrincipalType .valueOf(sPart.getGrantorType()), sPart - .getGrantOption())); + .getGrantOption()), sPart.getAuthorizer()); result.add(secObj); } @@ -6854,7 +6863,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl new PrivilegeGrantInfo(sCol.getPrivilege(), sCol .getCreateTime(), sCol.getGrantor(), PrincipalType .valueOf(sCol.getGrantorType()), sCol - .getGrantOption())); + .getGrantOption()), sCol.getAuthorizer()); result.add(secObj); } return result; @@ -6922,7 +6931,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl sCol.getPrincipalName(), principalType, new PrivilegeGrantInfo(sCol.getPrivilege(), sCol .getCreateTime(), sCol.getGrantor(), PrincipalType - .valueOf(sCol.getGrantorType()), sCol.getGrantOption())); + .valueOf(sCol.getGrantorType()), sCol.getGrantOption()), sCol.getAuthorizer()); result.add(secObj); } return result; @@ -6993,6 +7002,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl List result = new ArrayList<>(); for (MPartitionColumnPrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); MPartition mpartition = priv.getPartition(); @@ -7005,7 +7015,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } @@ -7095,6 +7105,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl List result = new ArrayList<>(); for (MTablePrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); String table = priv.getTable().getTableName(); @@ -7106,7 +7117,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } @@ -7195,6 +7206,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl List result = new ArrayList<>(); for (MPartitionPrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); MPartition mpartition = priv.getPartition(); @@ -7207,7 +7219,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } @@ -7304,6 +7316,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl List result = new ArrayList<>(); for (MTableColumnPrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); MTable mtable = priv.getTable(); @@ -7315,7 +7328,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/client/builder/HiveObjectPrivilegeBuilder.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/client/builder/HiveObjectPrivilegeBuilder.java index d802e1a..ed32f1c 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/client/builder/HiveObjectPrivilegeBuilder.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/client/builder/HiveObjectPrivilegeBuilder.java @@ -31,6 +31,7 @@ private String principleName; private PrincipalType principalType; private PrivilegeGrantInfo grantInfo; + private String authorizer; public HiveObjectPrivilegeBuilder setHiveObjectRef(HiveObjectRef hiveObjectRef) { this.hiveObjectRef = hiveObjectRef; @@ -52,12 +53,17 @@ public HiveObjectPrivilegeBuilder setGrantInfo(PrivilegeGrantInfo grantInfo) { return this; } + public HiveObjectPrivilegeBuilder setAuthorizer(String authorizer) { + this.authorizer = authorizer; + return this; + } + public HiveObjectPrivilege build() throws MetaException { if (hiveObjectRef == null || principleName == null || principalType == null || grantInfo == null) { throw new MetaException("hive object reference, principle name and type, and grant info " + "must all be provided"); } - return new HiveObjectPrivilege(hiveObjectRef, principleName, principalType, grantInfo); + return new HiveObjectPrivilege(hiveObjectRef, principleName, principalType, grantInfo, authorizer); } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MDBPrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MDBPrivilege.java index 3d8fa21..5f51692 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MDBPrivilege.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MDBPrivilege.java @@ -36,12 +36,14 @@ private boolean grantOption; + private String authorizer; + public MDBPrivilege() { } public MDBPrivilege(String principalName, String principalType, MDatabase database, String dbPrivileges, int createTime, String grantor, - String grantorType, boolean grantOption) { + String grantorType, boolean grantOption, String authorizer) { super(); this.principalName = principalName; this.principalType = principalType; @@ -51,6 +53,7 @@ public MDBPrivilege(String principalName, String principalType, this.grantorType = grantorType; this.grantOption = grantOption; this.grantor = grantor; + this.authorizer = authorizer; } /** @@ -129,4 +132,11 @@ public void setPrincipalType(String principalType) { this.principalType = principalType; } + public String getAuthorizer() { + return authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MGlobalPrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MGlobalPrivilege.java index 5b496e0..a6ce541 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MGlobalPrivilege.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MGlobalPrivilege.java @@ -38,13 +38,15 @@ private boolean grantOption; + private String authorizer; + public MGlobalPrivilege() { super(); } public MGlobalPrivilege(String userName, String principalType, String dbPrivilege, int createTime, String grantor, String grantorType, - boolean grantOption) { + boolean grantOption, String authorizer) { super(); this.principalName = userName; this.principalType = principalType; @@ -53,6 +55,7 @@ public MGlobalPrivilege(String userName, String principalType, this.grantor = grantor; this.grantorType = grantorType; this.grantOption = grantOption; + this.authorizer = authorizer; } /** @@ -117,4 +120,11 @@ public void setGrantorType(String grantorType) { this.grantorType = grantorType; } + public String getAuthorizer() { + return authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionColumnPrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionColumnPrivilege.java index ab50a92..cc87f75 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionColumnPrivilege.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionColumnPrivilege.java @@ -39,6 +39,8 @@ private boolean grantOption; + private String authorizer; + public MPartitionColumnPrivilege() { } @@ -52,10 +54,11 @@ public MPartitionColumnPrivilege() { * @param grantor * @param grantorType * @param grantOption + * @param authorizer */ public MPartitionColumnPrivilege(String principalName, String principalType, MPartition partition, String columnName, String privileges, int createTime, - String grantor, String grantorType, boolean grantOption) { + String grantor, String grantorType, boolean grantOption, String authorizer) { super(); this.principalName = principalName; this.principalType = principalType; @@ -66,6 +69,7 @@ public MPartitionColumnPrivilege(String principalName, String principalType, this.grantor = grantor; this.grantorType = grantorType; this.grantOption = grantOption; + this.authorizer = authorizer; } /** @@ -157,5 +161,11 @@ public String getPrincipalType() { public void setPrincipalType(String principalType) { this.principalType = principalType; } + public String getAuthorizer() { + return authorizer; + } + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionPrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionPrivilege.java index 3193bc1..b2ec5e1 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionPrivilege.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionPrivilege.java @@ -36,12 +36,14 @@ private boolean grantOption; + private String authorizer; + public MPartitionPrivilege() { } public MPartitionPrivilege(String principalName, String principalType, MPartition partition, String privilege, int createTime, - String grantor, String grantorType, boolean grantOption) { + String grantor, String grantorType, boolean grantOption, String authorizer) { super(); this.principalName = principalName; this.principalType = principalType; @@ -51,6 +53,7 @@ public MPartitionPrivilege(String principalName, String principalType, this.grantor = grantor; this.grantorType = grantorType; this.grantOption = grantOption; + this.authorizer = authorizer; } public String getPrincipalName() { @@ -136,4 +139,11 @@ public void setGrantorType(String grantorType) { this.grantorType = grantorType; } + public String getAuthorizer() { + return authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTableColumnPrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTableColumnPrivilege.java index ad7322f..e2cc0f1 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTableColumnPrivilege.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTableColumnPrivilege.java @@ -38,6 +38,8 @@ private boolean grantOption; + private String authorizer; + public MTableColumnPrivilege() { } @@ -54,7 +56,7 @@ public MTableColumnPrivilege() { */ public MTableColumnPrivilege(String principalName, String principalType, MTable table, String columnName, String privileges, int createTime, - String grantor, String grantorType, boolean grantOption) { + String grantor, String grantorType, boolean grantOption, String authorizer) { super(); this.principalName = principalName; this.principalType = principalType; @@ -65,6 +67,7 @@ public MTableColumnPrivilege(String principalName, String principalType, this.grantor = grantor; this.grantorType = grantorType; this.grantOption = grantOption; + this.authorizer = authorizer; } /** @@ -157,4 +160,11 @@ public void setPrincipalType(String principalType) { this.principalType = principalType; } + public String getAuthorizer() { + return authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTablePrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTablePrivilege.java index 6460400..f45576c 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTablePrivilege.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTablePrivilege.java @@ -36,12 +36,14 @@ private boolean grantOption; + private String authorizer; + public MTablePrivilege() { } public MTablePrivilege(String principalName, String principalType, MTable table, String privilege, int createTime, - String grantor, String grantorType, boolean grantOption) { + String grantor, String grantorType, boolean grantOption, String authorizer) { super(); this.principalName = principalName; this.principalType = principalType; @@ -51,6 +53,7 @@ public MTablePrivilege(String principalName, String principalType, this.grantor = grantor; this.grantorType = grantorType; this.grantOption = grantOption; + this.authorizer = authorizer; } public String getPrincipalName() { @@ -136,4 +139,11 @@ public void setGrantorType(String grantorType) { this.grantorType = grantorType; } + public String getAuthorizer() { + return authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } diff --git a/standalone-metastore/src/main/sql/derby/hive-schema-3.0.0.derby.sql b/standalone-metastore/src/main/sql/derby/hive-schema-3.0.0.derby.sql index 8e09755..30d7e81 100644 --- a/standalone-metastore/src/main/sql/derby/hive-schema-3.0.0.derby.sql +++ b/standalone-metastore/src/main/sql/derby/hive-schema-3.0.0.derby.sql @@ -29,7 +29,7 @@ CREATE TABLE "APP"."TBL_PRIVS" ("TBL_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" IN CREATE TABLE "APP"."DATABASE_PARAMS" ("DB_ID" BIGINT NOT NULL, "PARAM_KEY" VARCHAR(180) NOT NULL, "PARAM_VALUE" VARCHAR(4000)); -CREATE TABLE "APP"."TBL_COL_PRIVS" ("TBL_COLUMN_GRANT_ID" BIGINT NOT NULL, "COLUMN_NAME" VARCHAR(767), "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "TBL_COL_PRIV" VARCHAR(128), "TBL_ID" BIGINT); +CREATE TABLE "APP"."TBL_COL_PRIVS" ("TBL_COLUMN_GRANT_ID" BIGINT NOT NULL, "COLUMN_NAME" VARCHAR(767), "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "TBL_COL_PRIV" VARCHAR(128), "TBL_ID" BIGINT, "AUTHORIZER" VARCHAR(128)); CREATE TABLE "APP"."SERDE_PARAMS" ("SERDE_ID" BIGINT NOT NULL, "PARAM_KEY" VARCHAR(256) NOT NULL, "PARAM_VALUE" CLOB); @@ -41,7 +41,7 @@ CREATE TABLE "APP"."CDS" ("CD_ID" BIGINT NOT NULL); CREATE TABLE "APP"."PARTITION_KEY_VALS" ("PART_ID" BIGINT NOT NULL, "PART_KEY_VAL" VARCHAR(256), "INTEGER_IDX" INTEGER NOT NULL); -CREATE TABLE "APP"."DB_PRIVS" ("DB_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "DB_ID" BIGINT, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "DB_PRIV" VARCHAR(128)); +CREATE TABLE "APP"."DB_PRIVS" ("DB_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "DB_ID" BIGINT, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "DB_PRIV" VARCHAR(128), "AUTHORIZER" VARCHAR(128)); CREATE TABLE "APP"."IDXS" ("INDEX_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "DEFERRED_REBUILD" CHAR(1) NOT NULL, "INDEX_HANDLER_CLASS" VARCHAR(4000), "INDEX_NAME" VARCHAR(128), "INDEX_TBL_ID" BIGINT, "LAST_ACCESS_TIME" INTEGER NOT NULL, "ORIG_TBL_ID" BIGINT, "SD_ID" BIGINT); @@ -51,13 +51,13 @@ CREATE TABLE "APP"."PARTITIONS" ("PART_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGE CREATE TABLE "APP"."SERDES" ("SERDE_ID" BIGINT NOT NULL, "NAME" VARCHAR(128), "SLIB" VARCHAR(4000), "DESCRIPTION" VARCHAR(4000), "SERIALIZER_CLASS" VARCHAR(4000), "DESERIALIZER_CLASS" VARCHAR(4000), SERDE_TYPE INTEGER); -CREATE TABLE "APP"."PART_PRIVS" ("PART_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PART_ID" BIGINT, "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "PART_PRIV" VARCHAR(128)); +CREATE TABLE "APP"."PART_PRIVS" ("PART_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PART_ID" BIGINT, "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "PART_PRIV" VARCHAR(128), "AUTHORIZER" VARCHAR(128)); CREATE TABLE "APP"."ROLE_MAP" ("ROLE_GRANT_ID" BIGINT NOT NULL, "ADD_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "ROLE_ID" BIGINT); CREATE TABLE "APP"."TYPES" ("TYPES_ID" BIGINT NOT NULL, "TYPE_NAME" VARCHAR(128), "TYPE1" VARCHAR(767), "TYPE2" VARCHAR(767)); -CREATE TABLE "APP"."GLOBAL_PRIVS" ("USER_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "USER_PRIV" VARCHAR(128)); +CREATE TABLE "APP"."GLOBAL_PRIVS" ("USER_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "USER_PRIV" VARCHAR(128), "AUTHORIZER" VARCHAR(128)); CREATE TABLE "APP"."PARTITION_PARAMS" ("PART_ID" BIGINT NOT NULL, "PARAM_KEY" VARCHAR(256) NOT NULL, "PARAM_VALUE" VARCHAR(4000)); @@ -79,7 +79,7 @@ CREATE TABLE "APP"."TBLS" ("TBL_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT N CREATE TABLE "APP"."PARTITION_KEYS" ("TBL_ID" BIGINT NOT NULL, "PKEY_COMMENT" VARCHAR(4000), "PKEY_NAME" VARCHAR(128) NOT NULL, "PKEY_TYPE" VARCHAR(767) NOT NULL, "INTEGER_IDX" INTEGER NOT NULL); -CREATE TABLE "APP"."PART_COL_PRIVS" ("PART_COLUMN_GRANT_ID" BIGINT NOT NULL, "COLUMN_NAME" VARCHAR(767), "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PART_ID" BIGINT, "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "PART_COL_PRIV" VARCHAR(128)); +CREATE TABLE "APP"."PART_COL_PRIVS" ("PART_COLUMN_GRANT_ID" BIGINT NOT NULL, "COLUMN_NAME" VARCHAR(767), "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PART_ID" BIGINT, "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "PART_COL_PRIV" VARCHAR(128), "AUTHORIZER" VARCHAR(128)); CREATE TABLE "APP"."SDS" ("SD_ID" BIGINT NOT NULL, "INPUT_FORMAT" VARCHAR(4000), "IS_COMPRESSED" CHAR(1) NOT NULL, "LOCATION" VARCHAR(4000), "NUM_BUCKETS" INTEGER NOT NULL, "OUTPUT_FORMAT" VARCHAR(4000), "SERDE_ID" BIGINT, "CD_ID" BIGINT, "IS_STOREDASSUBDIRECTORIES" CHAR(1) NOT NULL); @@ -225,17 +225,17 @@ INSERT INTO "APP"."SEQUENCE_TABLE" ("SEQUENCE_NAME", "NEXT_VAL") SELECT * FROM ( CREATE UNIQUE INDEX "APP"."UNIQUEINDEX" ON "APP"."IDXS" ("INDEX_NAME", "ORIG_TBL_ID"); -CREATE INDEX "APP"."TABLECOLUMNPRIVILEGEINDEX" ON "APP"."TBL_COL_PRIVS" ("TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "APP"."TABLECOLUMNPRIVILEGEINDEX" ON "APP"."TBL_COL_PRIVS" ("AUTHORIZER", "TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); -CREATE UNIQUE INDEX "APP"."DBPRIVILEGEINDEX" ON "APP"."DB_PRIVS" ("DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE UNIQUE INDEX "APP"."DBPRIVILEGEINDEX" ON "APP"."DB_PRIVS" ("AUTHORIZER", "DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); CREATE INDEX "APP"."PCS_STATS_IDX" ON "APP"."PART_COL_STATS" ("CAT_NAME", "DB_NAME","TABLE_NAME","COLUMN_NAME","PARTITION_NAME"); -CREATE INDEX "APP"."PARTPRIVILEGEINDEX" ON "APP"."PART_PRIVS" ("PART_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "APP"."PARTPRIVILEGEINDEX" ON "APP"."PART_PRIVS" ("AUTHORIZER", "PART_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_PRIV", "GRANTOR", "GRANTOR_TYPE"); CREATE UNIQUE INDEX "APP"."ROLEENTITYINDEX" ON "APP"."ROLES" ("ROLE_NAME"); -CREATE INDEX "APP"."TABLEPRIVILEGEINDEX" ON "APP"."TBL_PRIVS" ("TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "APP"."TABLEPRIVILEGEINDEX" ON "APP"."TBL_PRIVS" ("AUTHORIZER", "TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); CREATE UNIQUE INDEX "APP"."UNIQUETABLE" ON "APP"."TBLS" ("TBL_NAME", "DB_ID"); @@ -243,11 +243,11 @@ CREATE UNIQUE INDEX "APP"."UNIQUE_DATABASE" ON "APP"."DBS" ("NAME", "CTLG_NAME") CREATE UNIQUE INDEX "APP"."USERROLEMAPINDEX" ON "APP"."ROLE_MAP" ("PRINCIPAL_NAME", "ROLE_ID", "GRANTOR", "GRANTOR_TYPE"); -CREATE UNIQUE INDEX "APP"."GLOBALPRIVILEGEINDEX" ON "APP"."GLOBAL_PRIVS" ("PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE UNIQUE INDEX "APP"."GLOBALPRIVILEGEINDEX" ON "APP"."GLOBAL_PRIVS" ("AUTHORIZER", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); CREATE UNIQUE INDEX "APP"."UNIQUE_TYPE" ON "APP"."TYPES" ("TYPE_NAME"); -CREATE INDEX "APP"."PARTITIONCOLUMNPRIVILEGEINDEX" ON "APP"."PART_COL_PRIVS" ("PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "APP"."PARTITIONCOLUMNPRIVILEGEINDEX" ON "APP"."PART_COL_PRIVS" ("AUTHORIZER", "PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); CREATE UNIQUE INDEX "APP"."UNIQUEPARTITION" ON "APP"."PARTITIONS" ("PART_NAME", "TBL_ID"); diff --git a/standalone-metastore/src/main/sql/derby/upgrade-2.3.0-to-3.0.0.derby.sql b/standalone-metastore/src/main/sql/derby/upgrade-2.3.0-to-3.0.0.derby.sql index 73bef36..553e573 100644 --- a/standalone-metastore/src/main/sql/derby/upgrade-2.3.0-to-3.0.0.derby.sql +++ b/standalone-metastore/src/main/sql/derby/upgrade-2.3.0-to-3.0.0.derby.sql @@ -254,6 +254,31 @@ CREATE TABLE "APP"."RUNTIME_STATS" ( CREATE INDEX IDX_RUNTIME_STATS_CREATE_TIME ON RUNTIME_STATS(CREATE_TIME); +-- HIVE-19440 +ALTER TABLE "APP"."GLOBAL_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."GLOBALPRIVILEGEINDEX"; +CREATE UNIQUE INDEX "APP"."GLOBALPRIVILEGEINDEX" ON "APP"."GLOBAL_PRIVS" ("AUTHORIZER", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "APP"."DB_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."DBPRIVILEGEINDEX"; +CREATE UNIQUE INDEX "APP"."DBPRIVILEGEINDEX" ON "APP"."DB_PRIVS" ("AUTHORIZER", "DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "APP"."TBL_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."TABLEPRIVILEGEINDEX"; +CREATE INDEX "APP"."TABLEPRIVILEGEINDEX" ON "APP"."TBL_PRIVS" ("AUTHORIZER", "TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "APP"."PART_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."PARTPRIVILEGEINDEX"; +CREATE INDEX "APP"."PARTPRIVILEGEINDEX" ON "APP"."PART_PRIVS" ("AUTHORIZER", "PART_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "APP"."TBL_COL_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."TABLECOLUMNPRIVILEGEINDEX"; +CREATE INDEX "APP"."TABLECOLUMNPRIVILEGEINDEX" ON "APP"."TBL_COL_PRIVS" ("AUTHORIZER", "TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "APP"."PART_COL_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."PARTITIONCOLUMNPRIVILEGEINDEX"; +CREATE INDEX "APP"."PARTITIONCOLUMNPRIVILEGEINDEX" ON "APP"."PART_COL_PRIVS" ("AUTHORIZER", "PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + -- This needs to be the last thing done. Insert any changes above this line. UPDATE "APP".VERSION SET SCHEMA_VERSION='3.0.0', VERSION_COMMENT='Hive release version 3.0.0' where VER_ID=1; diff --git a/standalone-metastore/src/main/sql/mssql/hive-schema-3.0.0.mssql.sql b/standalone-metastore/src/main/sql/mssql/hive-schema-3.0.0.mssql.sql index 51df92c..ddd3442 100644 --- a/standalone-metastore/src/main/sql/mssql/hive-schema-3.0.0.mssql.sql +++ b/standalone-metastore/src/main/sql/mssql/hive-schema-3.0.0.mssql.sql @@ -112,7 +112,8 @@ CREATE TABLE PART_PRIVS PART_ID bigint NULL, PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, - PART_PRIV nvarchar(128) NULL + PART_PRIV nvarchar(128) NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE PART_PRIVS ADD CONSTRAINT PART_PRIVS_PK PRIMARY KEY (PART_GRANT_ID); @@ -177,7 +178,8 @@ CREATE TABLE GLOBAL_PRIVS GRANTOR_TYPE nvarchar(128) NULL, PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, - USER_PRIV nvarchar(128) NULL + USER_PRIV nvarchar(128) NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE GLOBAL_PRIVS ADD CONSTRAINT GLOBAL_PRIVS_PK PRIMARY KEY (USER_GRANT_ID); @@ -194,7 +196,8 @@ CREATE TABLE PART_COL_PRIVS PART_ID bigint NULL, PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, - PART_COL_PRIV nvarchar(128) NULL + PART_COL_PRIV nvarchar(128) NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE PART_COL_PRIVS ADD CONSTRAINT PART_COL_PRIVS_PK PRIMARY KEY (PART_COLUMN_GRANT_ID); @@ -210,7 +213,8 @@ CREATE TABLE DB_PRIVS GRANTOR_TYPE nvarchar(128) NULL, PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, - DB_PRIV nvarchar(128) NULL + DB_PRIV nvarchar(128) NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE DB_PRIVS ADD CONSTRAINT DB_PRIVS_PK PRIMARY KEY (DB_GRANT_ID); @@ -265,7 +269,8 @@ CREATE TABLE TBL_PRIVS PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, TBL_PRIV nvarchar(128) NULL, - TBL_ID bigint NULL + TBL_ID bigint NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE TBL_PRIVS ADD CONSTRAINT TBL_PRIVS_PK PRIMARY KEY (TBL_GRANT_ID); @@ -296,7 +301,8 @@ CREATE TABLE TBL_COL_PRIVS PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, TBL_COL_PRIV nvarchar(128) NULL, - TBL_ID bigint NULL + TBL_ID bigint NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE TBL_COL_PRIVS ADD CONSTRAINT TBL_COL_PRIVS_PK PRIMARY KEY (TBL_COLUMN_GRANT_ID); @@ -721,7 +727,7 @@ CREATE INDEX PART_COL_STATS_N49 ON PART_COL_STATS (PART_ID); -- Constraints for table PART_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MPartitionPrivilege] ALTER TABLE PART_PRIVS ADD CONSTRAINT PART_PRIVS_FK1 FOREIGN KEY (PART_ID) REFERENCES PARTITIONS (PART_ID) ; -CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (AUTHORIZER,PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX PART_PRIVS_N49 ON PART_PRIVS (PART_ID); @@ -749,7 +755,7 @@ CREATE UNIQUE INDEX UNIQUEPARTITION ON PARTITIONS (PART_NAME,TBL_ID); -- Constraints for table VERSION for class(es) [org.apache.hadoop.hive.metastore.model.MVersionTable] -- Constraints for table GLOBAL_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MGlobalPrivilege] -CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (AUTHORIZER,PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table PART_COL_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MPartitionColumnPrivilege] @@ -757,13 +763,13 @@ ALTER TABLE PART_COL_PRIVS ADD CONSTRAINT PART_COL_PRIVS_FK1 FOREIGN KEY (PART_I CREATE INDEX PART_COL_PRIVS_N49 ON PART_COL_PRIVS (PART_ID); -CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (AUTHORIZE,PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table DB_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MDBPrivilege] ALTER TABLE DB_PRIVS ADD CONSTRAINT DB_PRIVS_FK1 FOREIGN KEY (DB_ID) REFERENCES DBS (DB_ID) ; -CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (AUTHORIZER,DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX DB_PRIVS_N49 ON DB_PRIVS (DB_ID); @@ -783,7 +789,7 @@ ALTER TABLE TBL_PRIVS ADD CONSTRAINT TBL_PRIVS_FK1 FOREIGN KEY (TBL_ID) REFERENC CREATE INDEX TBL_PRIVS_N49 ON TBL_PRIVS (TBL_ID); -CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (AUTHORIZER,TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table DBS for class(es) [org.apache.hadoop.hive.metastore.model.MDatabase] @@ -793,7 +799,7 @@ CREATE UNIQUE INDEX UNIQUEDATABASE ON DBS ("NAME", "CTLG_NAME"); -- Constraints for table TBL_COL_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MTableColumnPrivilege] ALTER TABLE TBL_COL_PRIVS ADD CONSTRAINT TBL_COL_PRIVS_FK1 FOREIGN KEY (TBL_ID) REFERENCES TBLS (TBL_ID) ; -CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (AUTHORIZER,TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX TBL_COL_PRIVS_N49 ON TBL_COL_PRIVS (TBL_ID); diff --git a/standalone-metastore/src/main/sql/mssql/upgrade-2.3.0-to-3.0.0.mssql.sql b/standalone-metastore/src/main/sql/mssql/upgrade-2.3.0-to-3.0.0.mssql.sql index a7232dd..0727ef3 100644 --- a/standalone-metastore/src/main/sql/mssql/upgrade-2.3.0-to-3.0.0.mssql.sql +++ b/standalone-metastore/src/main/sql/mssql/upgrade-2.3.0-to-3.0.0.mssql.sql @@ -321,6 +321,31 @@ CREATE TABLE RUNTIME_STATS ( CREATE INDEX IDX_RUNTIME_STATS_CREATE_TIME ON RUNTIME_STATS(CREATE_TIME); +-- HIVE-19440 +ALTER TABLE GLOBAL_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX GLOBAL_PRIVS.GLOBALPRIVILEGEINDEX; +CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (AUTHORIZER,PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE DB_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX DB_PRIVS.DBPRIVILEGEINDEX; +CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (AUTHORIZER,DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE TBL_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX TBL_PRIVS.TABLEPRIVILEGEINDEX; +CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (AUTHORIZER,TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE PART_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX PART_PRIVS.PARTPRIVILEGEINDEX; +CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (AUTHORIZER,PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE TBL_COL_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX TBL_COL_PRIVS.TABLECOLUMNPRIVILEGEINDEX; +CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (AUTHORIZER,TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE PART_COL_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX PART_COL_PRIVS.PARTITIONCOLUMNPRIVILEGEINDEX; +CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (AUTHORIZE,PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); + -- These lines need to be last. Insert any changes above. UPDATE VERSION SET SCHEMA_VERSION='3.0.0', VERSION_COMMENT='Hive release version 3.0.0' where VER_ID=1; SELECT 'Finished upgrading MetaStore schema from 2.3.0 to 3.0.0' AS MESSAGE; diff --git a/standalone-metastore/src/main/sql/mysql/hive-schema-3.0.0.mysql.sql b/standalone-metastore/src/main/sql/mysql/hive-schema-3.0.0.mysql.sql index 8e55e94..2cf8d29 100644 --- a/standalone-metastore/src/main/sql/mysql/hive-schema-3.0.0.mysql.sql +++ b/standalone-metastore/src/main/sql/mysql/hive-schema-3.0.0.mysql.sql @@ -122,8 +122,9 @@ CREATE TABLE IF NOT EXISTS `DB_PRIVS` ( `PRINCIPAL_NAME` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `DB_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`DB_GRANT_ID`), - UNIQUE KEY `DBPRIVILEGEINDEX` (`DB_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`DB_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), + UNIQUE KEY `DBPRIVILEGEINDEX` (`AUTHORIZER`,`DB_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`DB_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), KEY `DB_PRIVS_N49` (`DB_ID`), CONSTRAINT `DB_PRIVS_FK1` FOREIGN KEY (`DB_ID`) REFERENCES `DBS` (`DB_ID`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; @@ -144,8 +145,9 @@ CREATE TABLE IF NOT EXISTS `GLOBAL_PRIVS` ( `PRINCIPAL_NAME` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `USER_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`USER_GRANT_ID`), - UNIQUE KEY `GLOBALPRIVILEGEINDEX` (`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`USER_PRIV`,`GRANTOR`,`GRANTOR_TYPE`) + UNIQUE KEY `GLOBALPRIVILEGEINDEX` (`AUTHORIZER`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`USER_PRIV`,`GRANTOR`,`GRANTOR_TYPE`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; @@ -317,9 +319,10 @@ CREATE TABLE IF NOT EXISTS `PART_COL_PRIVS` ( `PRINCIPAL_NAME` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PART_COL_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`PART_COLUMN_GRANT_ID`), KEY `PART_COL_PRIVS_N49` (`PART_ID`), - KEY `PARTITIONCOLUMNPRIVILEGEINDEX` (`PART_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), + KEY `PARTITIONCOLUMNPRIVILEGEINDEX` (`AUTHORIZER`,`PART_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), CONSTRAINT `PART_COL_PRIVS_FK1` FOREIGN KEY (`PART_ID`) REFERENCES `PARTITIONS` (`PART_ID`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; @@ -340,8 +343,9 @@ CREATE TABLE IF NOT EXISTS `PART_PRIVS` ( `PRINCIPAL_NAME` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PART_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`PART_GRANT_ID`), - KEY `PARTPRIVILEGEINDEX` (`PART_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), + KEY `PARTPRIVILEGEINDEX` (`AUTHORIZER`,`PART_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), KEY `PART_PRIVS_N49` (`PART_ID`), CONSTRAINT `PART_PRIVS_FK1` FOREIGN KEY (`PART_ID`) REFERENCES `PARTITIONS` (`PART_ID`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; @@ -665,8 +669,9 @@ CREATE TABLE IF NOT EXISTS `TBL_COL_PRIVS` ( `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `TBL_COL_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `TBL_ID` bigint(20) DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`TBL_COLUMN_GRANT_ID`), - KEY `TABLECOLUMNPRIVILEGEINDEX` (`TBL_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), + KEY `TABLECOLUMNPRIVILEGEINDEX` (`AUTHORIZER`,`TBL_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), KEY `TBL_COL_PRIVS_N49` (`TBL_ID`), CONSTRAINT `TBL_COL_PRIVS_FK1` FOREIGN KEY (`TBL_ID`) REFERENCES `TBLS` (`TBL_ID`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; @@ -688,9 +693,10 @@ CREATE TABLE IF NOT EXISTS `TBL_PRIVS` ( `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `TBL_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `TBL_ID` bigint(20) DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`TBL_GRANT_ID`), KEY `TBL_PRIVS_N49` (`TBL_ID`), - KEY `TABLEPRIVILEGEINDEX` (`TBL_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), + KEY `TABLEPRIVILEGEINDEX` (`AUTHORIZER`,`TBL_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), CONSTRAINT `TBL_PRIVS_FK1` FOREIGN KEY (`TBL_ID`) REFERENCES `TBLS` (`TBL_ID`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; diff --git a/standalone-metastore/src/main/sql/mysql/upgrade-2.3.0-to-3.0.0.mysql.sql b/standalone-metastore/src/main/sql/mysql/upgrade-2.3.0-to-3.0.0.mysql.sql index 9a48346..c7857c7 100644 --- a/standalone-metastore/src/main/sql/mysql/upgrade-2.3.0-to-3.0.0.mysql.sql +++ b/standalone-metastore/src/main/sql/mysql/upgrade-2.3.0-to-3.0.0.mysql.sql @@ -292,8 +292,33 @@ CREATE TABLE RUNTIME_STATS ( CREATE INDEX IDX_RUNTIME_STATS_CREATE_TIME ON RUNTIME_STATS(CREATE_TIME); +-- HIVE-19440 +ALTER TABLE `GLOBAL_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `GLOBAL_PRIVS` DROP INDEX `GLOBALPRIVILEGEINDEX`; +ALTER TABLE `GLOBAL_PRIVS` ADD CONSTRAINT `GLOBALPRIVILEGEINDEX` UNIQUE(`AUTHORIZER`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`USER_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + +ALTER TABLE `DB_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `DB_PRIVS` DROP INDEX `DBPRIVILEGEINDEX`; +ALTER TABLE `DB_PRIVS` ADD CONSTRAINT `DBPRIVILEGEINDEX` UNIQUE(`AUTHORIZER`,`DB_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`DB_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + +ALTER TABLE `TBL_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `TBL_PRIVS` DROP INDEX `TABLEPRIVILEGEINDEX`; +ALTER TABLE `TBL_PRIVS` ADD INDEX `TABLEPRIVILEGEINDEX` (`AUTHORIZER`,`TBL_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + +ALTER TABLE `PART_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `PART_PRIVS` DROP INDEX `PARTPRIVILEGEINDEX`; +ALTER TABLE `PART_PRIVS` ADD INDEX `PARTPRIVILEGEINDEX` (`AUTHORIZER`,`PART_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + +ALTER TABLE `TBL_COL_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `TBL_COL_PRIVS` DROP INDEX `TABLECOLUMNPRIVILEGEINDEX`; +ALTER TABLE `TBL_COL_PRIVS` ADD INDEX `TABLECOLUMNPRIVILEGEINDEX` (`AUTHORIZER`,`TBL_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + +ALTER TABLE `PART_COL_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `PART_COL_PRIVS` DROP INDEX `PARTITIONCOLUMNPRIVILEGEINDEX`; +ALTER TABLE `PART_COL_PRIVS` ADD INDEX `PARTITIONCOLUMNPRIVILEGEINDEX` (`AUTHORIZER`,`PART_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + -- These lines need to be last. Insert any changes above. UPDATE VERSION SET SCHEMA_VERSION='3.0.0', VERSION_COMMENT='Hive release version 3.0.0' where VER_ID=1; SELECT 'Finished upgrading MetaStore schema from 2.3.0 to 3.0.0' AS ' '; -ALTER TABLE `TBLS` ADD COLUMN `OWNER_TYPE` VARCHAR(10) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; \ No newline at end of file +ALTER TABLE `TBLS` ADD COLUMN `OWNER_TYPE` VARCHAR(10) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; diff --git a/standalone-metastore/src/main/sql/oracle/hive-schema-3.0.0.oracle.sql b/standalone-metastore/src/main/sql/oracle/hive-schema-3.0.0.oracle.sql index 3a12e08..9cd878d 100644 --- a/standalone-metastore/src/main/sql/oracle/hive-schema-3.0.0.oracle.sql +++ b/standalone-metastore/src/main/sql/oracle/hive-schema-3.0.0.oracle.sql @@ -39,7 +39,8 @@ CREATE TABLE PART_COL_PRIVS PART_ID NUMBER NULL, PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, - PART_COL_PRIV VARCHAR2(128) NULL + PART_COL_PRIV VARCHAR2(128) NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE PART_COL_PRIVS ADD CONSTRAINT PART_COL_PRIVS_PK PRIMARY KEY (PART_COLUMN_GRANT_ID); @@ -189,7 +190,8 @@ CREATE TABLE TBL_COL_PRIVS PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, TBL_COL_PRIV VARCHAR2(128) NULL, - TBL_ID NUMBER NULL + TBL_ID NUMBER NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE TBL_COL_PRIVS ADD CONSTRAINT TBL_COL_PRIVS_PK PRIMARY KEY (TBL_COLUMN_GRANT_ID); @@ -252,7 +254,8 @@ CREATE TABLE GLOBAL_PRIVS GRANTOR_TYPE VARCHAR2(128) NULL, PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, - USER_PRIV VARCHAR2(128) NULL + USER_PRIV VARCHAR2(128) NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE GLOBAL_PRIVS ADD CONSTRAINT GLOBAL_PRIVS_PK PRIMARY KEY (USER_GRANT_ID); @@ -305,7 +308,8 @@ CREATE TABLE TBL_PRIVS PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, TBL_PRIV VARCHAR2(128) NULL, - TBL_ID NUMBER NULL + TBL_ID NUMBER NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE TBL_PRIVS ADD CONSTRAINT TBL_PRIVS_PK PRIMARY KEY (TBL_GRANT_ID); @@ -356,7 +360,8 @@ CREATE TABLE PART_PRIVS PART_ID NUMBER NULL, PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, - PART_PRIV VARCHAR2(128) NULL + PART_PRIV VARCHAR2(128) NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE PART_PRIVS ADD CONSTRAINT PART_PRIVS_PK PRIMARY KEY (PART_GRANT_ID); @@ -372,7 +377,8 @@ CREATE TABLE DB_PRIVS GRANTOR_TYPE VARCHAR2(128) NULL, PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, - DB_PRIV VARCHAR2(128) NULL + DB_PRIV VARCHAR2(128) NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE DB_PRIVS ADD CONSTRAINT DB_PRIVS_PK PRIMARY KEY (DB_GRANT_ID); @@ -683,7 +689,7 @@ ALTER TABLE PART_COL_PRIVS ADD CONSTRAINT PART_COL_PRIVS_FK1 FOREIGN KEY (PART_I CREATE INDEX PART_COL_PRIVS_N49 ON PART_COL_PRIVS (PART_ID); -CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (AUTHORIZER,PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table COLUMNS_V2 @@ -745,7 +751,7 @@ CREATE INDEX INDEX_PARAMS_N49 ON INDEX_PARAMS (INDEX_ID); -- Constraints for table TBL_COL_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MTableColumnPrivilege] ALTER TABLE TBL_COL_PRIVS ADD CONSTRAINT TBL_COL_PRIVS_FK1 FOREIGN KEY (TBL_ID) REFERENCES TBLS (TBL_ID) INITIALLY DEFERRED ; -CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (AUTHORIZER,TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX TBL_COL_PRIVS_N49 ON TBL_COL_PRIVS (TBL_ID); @@ -785,7 +791,7 @@ CREATE INDEX SD_PARAMS_N49 ON SD_PARAMS (SD_ID); -- Constraints for table GLOBAL_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MGlobalPrivilege] -CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (AUTHORIZER,PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table SDS for class(es) [org.apache.hadoop.hive.metastore.model.MStorageDescriptor] @@ -813,7 +819,7 @@ ALTER TABLE TBL_PRIVS ADD CONSTRAINT TBL_PRIVS_FK1 FOREIGN KEY (TBL_ID) REFERENC CREATE INDEX TBL_PRIVS_N49 ON TBL_PRIVS (TBL_ID); -CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (AUTHORIZER,TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table DATABASE_PARAMS @@ -839,7 +845,7 @@ CREATE INDEX SERDE_PARAMS_N49 ON SERDE_PARAMS (SERDE_ID); -- Constraints for table PART_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MPartitionPrivilege] ALTER TABLE PART_PRIVS ADD CONSTRAINT PART_PRIVS_FK1 FOREIGN KEY (PART_ID) REFERENCES PARTITIONS (PART_ID) INITIALLY DEFERRED ; -CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (AUTHORIZER,PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX PART_PRIVS_N49 ON PART_PRIVS (PART_ID); @@ -847,7 +853,7 @@ CREATE INDEX PART_PRIVS_N49 ON PART_PRIVS (PART_ID); -- Constraints for table DB_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MDBPrivilege] ALTER TABLE DB_PRIVS ADD CONSTRAINT DB_PRIVS_FK1 FOREIGN KEY (DB_ID) REFERENCES DBS (DB_ID) INITIALLY DEFERRED ; -CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (AUTHORIZER,DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX DB_PRIVS_N49 ON DB_PRIVS (DB_ID); diff --git a/standalone-metastore/src/main/sql/oracle/upgrade-2.3.0-to-3.0.0.oracle.sql b/standalone-metastore/src/main/sql/oracle/upgrade-2.3.0-to-3.0.0.oracle.sql index 3be7e65..7ac27f7 100644 --- a/standalone-metastore/src/main/sql/oracle/upgrade-2.3.0-to-3.0.0.oracle.sql +++ b/standalone-metastore/src/main/sql/oracle/upgrade-2.3.0-to-3.0.0.oracle.sql @@ -310,8 +310,34 @@ CREATE TABLE RUNTIME_STATS ( CREATE INDEX IDX_RUNTIME_STATS_CREATE_TIME ON RUNTIME_STATS(CREATE_TIME); +-- HIVE-19440 +ALTER TABLE GLOBAL_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX GLOBALPRIVILEGEINDEX; +CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (AUTHORIZER,PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE DB_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX DBPRIVILEGEINDEX; +CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (AUTHORIZER,DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE TBL_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX TABLEPRIVILEGEINDEX; +CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (AUTHORIZER,TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); + "GRANTOR_TYPE"); + +ALTER TABLE PART_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX PARTPRIVILEGEINDEX; +CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (AUTHORIZER,PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE);; + +ALTER TABLE TBL_COL_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX TABLECOLUMNPRIVILEGEINDEX; +CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (AUTHORIZER,TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE PART_COL_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX PARTITIONCOLUMNPRIVILEGEINDEX; +CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (AUTHORIZER,PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); + -- These lines need to be last. Insert any changes above. UPDATE VERSION SET SCHEMA_VERSION='3.0.0', VERSION_COMMENT='Hive release version 3.0.0' where VER_ID=1; SELECT 'Finished upgrading MetaStore schema from 2.3.0 to 3.0.0' AS Status from dual; -ALTER TABLE TBLS ADD OWNER_TYPE VARCHAR2(10) NULL; \ No newline at end of file +ALTER TABLE TBLS ADD OWNER_TYPE VARCHAR2(10) NULL; diff --git a/standalone-metastore/src/main/sql/postgres/hive-schema-3.0.0.postgres.sql b/standalone-metastore/src/main/sql/postgres/hive-schema-3.0.0.postgres.sql index 0152f48..61b0e8f 100644 --- a/standalone-metastore/src/main/sql/postgres/hive-schema-3.0.0.postgres.sql +++ b/standalone-metastore/src/main/sql/postgres/hive-schema-3.0.0.postgres.sql @@ -94,7 +94,8 @@ CREATE TABLE "DB_PRIVS" ( "GRANTOR_TYPE" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, - "DB_PRIV" character varying(128) DEFAULT NULL::character varying + "DB_PRIV" character varying(128) DEFAULT NULL::character varying, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying ); @@ -110,7 +111,8 @@ CREATE TABLE "GLOBAL_PRIVS" ( "GRANTOR_TYPE" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, - "USER_PRIV" character varying(128) DEFAULT NULL::character varying + "USER_PRIV" character varying(128) DEFAULT NULL::character varying, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying ); @@ -234,7 +236,8 @@ CREATE TABLE "PART_COL_PRIVS" ( "PART_ID" bigint, "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, - "PART_COL_PRIV" character varying(128) DEFAULT NULL::character varying + "PART_COL_PRIV" character varying(128) DEFAULT NULL::character varying, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying ); @@ -251,7 +254,8 @@ CREATE TABLE "PART_PRIVS" ( "PART_ID" bigint, "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, - "PART_PRIV" character varying(128) DEFAULT NULL::character varying + "PART_PRIV" character varying(128) DEFAULT NULL::character varying, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying ); @@ -426,7 +430,8 @@ CREATE TABLE "TBL_COL_PRIVS" ( "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, "TBL_COL_PRIV" character varying(128) DEFAULT NULL::character varying, - "TBL_ID" bigint + "TBL_ID" bigint, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying, ); @@ -443,7 +448,8 @@ CREATE TABLE "TBL_PRIVS" ( "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, "TBL_PRIV" character varying(128) DEFAULT NULL::character varying, - "TBL_ID" bigint + "TBL_ID" bigint, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying ); @@ -735,7 +741,7 @@ ALTER TABLE ONLY "DATABASE_PARAMS" -- ALTER TABLE ONLY "DB_PRIVS" - ADD CONSTRAINT "DBPRIVILEGEINDEX" UNIQUE ("DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); + ADD CONSTRAINT "DBPRIVILEGEINDEX" UNIQUE ("AUTHORIZER", "DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- @@ -759,7 +765,7 @@ ALTER TABLE ONLY "DB_PRIVS" -- ALTER TABLE ONLY "GLOBAL_PRIVS" - ADD CONSTRAINT "GLOBALPRIVILEGEINDEX" UNIQUE ("PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); + ADD CONSTRAINT "GLOBALPRIVILEGEINDEX" UNIQUE ("AUTHORIZER", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- @@ -1127,7 +1133,7 @@ CREATE INDEX "INDEX_PARAMS_N49" ON "INDEX_PARAMS" USING btree ("INDEX_ID"); -- Name: PARTITIONCOLUMNPRIVILEGEINDEX; Type: INDEX; Schema: public; Owner: hiveuser; Tablespace: -- -CREATE INDEX "PARTITIONCOLUMNPRIVILEGEINDEX" ON "PART_COL_PRIVS" USING btree ("PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "PARTITIONCOLUMNPRIVILEGEINDEX" ON "PART_COL_PRIVS" USING btree ("AUTHORIZER", "PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- @@ -1176,7 +1182,7 @@ CREATE INDEX "PARTITION_PARAMS_N49" ON "PARTITION_PARAMS" USING btree ("PART_ID" -- Name: PARTPRIVILEGEINDEX; Type: INDEX; Schema: public; Owner: hiveuser; Tablespace: -- -CREATE INDEX "PARTPRIVILEGEINDEX" ON "PART_PRIVS" USING btree ("PART_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "PARTPRIVILEGEINDEX" ON "PART_PRIVS" USING btree ("AUTHORIZER", "PART_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- @@ -1239,14 +1245,14 @@ CREATE INDEX "SORT_COLS_N49" ON "SORT_COLS" USING btree ("SD_ID"); -- Name: TABLECOLUMNPRIVILEGEINDEX; Type: INDEX; Schema: public; Owner: hiveuser; Tablespace: -- -CREATE INDEX "TABLECOLUMNPRIVILEGEINDEX" ON "TBL_COL_PRIVS" USING btree ("TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "TABLECOLUMNPRIVILEGEINDEX" ON "TBL_COL_PRIVS" USING btree ("AUTHORIZER", "TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- -- Name: TABLEPRIVILEGEINDEX; Type: INDEX; Schema: public; Owner: hiveuser; Tablespace: -- -CREATE INDEX "TABLEPRIVILEGEINDEX" ON "TBL_PRIVS" USING btree ("TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "TABLEPRIVILEGEINDEX" ON "TBL_PRIVS" USING btree ("AUTHORIZER", "TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- diff --git a/standalone-metastore/src/main/sql/postgres/upgrade-2.3.0-to-3.0.0.postgres.sql b/standalone-metastore/src/main/sql/postgres/upgrade-2.3.0-to-3.0.0.postgres.sql index fed8a93..1542e87 100644 --- a/standalone-metastore/src/main/sql/postgres/upgrade-2.3.0-to-3.0.0.postgres.sql +++ b/standalone-metastore/src/main/sql/postgres/upgrade-2.3.0-to-3.0.0.postgres.sql @@ -329,6 +329,34 @@ CREATE TABLE RUNTIME_STATS ( CREATE INDEX IDX_RUNTIME_STATS_CREATE_TIME ON RUNTIME_STATS(CREATE_TIME); +-- HIVE-19440 +ALTER TABLE "GLOBAL_PRIVS" ADD COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "GLOBAL_PRIVS" DROP CONSTRAINT "GLOBALPRIVILEGEINDEX"; +ALTER TABLE ONLY "GLOBAL_PRIVS" + ADD CONSTRAINT "GLOBALPRIVILEGEINDEX" UNIQUE ("AUTHORIZER", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "DB_PRIVS" ADD COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "DB_PRIVS" DROP CONSTRAINT "DBPRIVILEGEINDEX"; +ALTER TABLE ONLY "DB_PRIVS" + ADD CONSTRAINT "DBPRIVILEGEINDEX" UNIQUE ("AUTHORIZER", "DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "TBL_PRIVS" ADD COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "TBL_PRIVS" DROP CONSTRAINT "DBPRIVILEGEINDEX"; +ALTER TABLE ONLY "DB_PRIVS" + ADD CONSTRAINT "DBPRIVILEGEINDEX" UNIQUE ("AUTHORIZER", "DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "PART_PRIVS" ADD COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "PART_PRIVS" DROP CONSTRAINT "TABLEPRIVILEGEINDEX"; +CREATE INDEX "TABLEPRIVILEGEINDEX" ON "TBL_PRIVS" USING btree ("AUTHORIZER", "TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "TBL_COL_PRIVS" ADD COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "TBL_COL_PRIVS" DROP CONSTRAINT "TABLECOLUMNPRIVILEGEINDEX"; +CREATE INDEX "TABLECOLUMNPRIVILEGEINDEX" ON "TBL_COL_PRIVS" USING btree ("AUTHORIZER", "TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "PART_COL_PRIVS" ADD COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "PART_COL_PRIVS" DROP CONSTRAINT "PARTITIONCOLUMNPRIVILEGEINDEX"; +CREATE INDEX "PARTITIONCOLUMNPRIVILEGEINDEX" ON "PART_COL_PRIVS" USING btree ("AUTHORIZER", "PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + -- These lines need to be last. Insert any changes above. UPDATE "VERSION" SET "SCHEMA_VERSION"='3.0.0', "VERSION_COMMENT"='Hive release version 3.0.0' where "VER_ID"=1; SELECT 'Finished upgrading MetaStore schema from 2.3.0 to 3.0.0'; diff --git a/standalone-metastore/src/main/thrift/hive_metastore.thrift b/standalone-metastore/src/main/thrift/hive_metastore.thrift index 19d4433..2fcdc91 100644 --- a/standalone-metastore/src/main/thrift/hive_metastore.thrift +++ b/standalone-metastore/src/main/thrift/hive_metastore.thrift @@ -255,6 +255,7 @@ struct HiveObjectPrivilege { 2: string principalName, 3: PrincipalType principalType, 4: PrivilegeGrantInfo grantInfo, + 5: string authorizer, } struct PrivilegeBag {