commit 105e39a59407c180523c0ed4efab9a600fc8c439 Author: Daniel Dai Date: Mon May 14 00:14:02 2018 -0700 HIVE-19440: Make StorageBasedAuthorizer work with information schema diff --git a/hcatalog/core/src/main/java/org/apache/hive/hcatalog/storagehandler/DummyHCatAuthProvider.java b/hcatalog/core/src/main/java/org/apache/hive/hcatalog/storagehandler/DummyHCatAuthProvider.java index a53028f..86d9a18 100644 --- a/hcatalog/core/src/main/java/org/apache/hive/hcatalog/storagehandler/DummyHCatAuthProvider.java +++ b/hcatalog/core/src/main/java/org/apache/hive/hcatalog/storagehandler/DummyHCatAuthProvider.java @@ -30,6 +30,8 @@ import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider; import org.apache.hadoop.hive.ql.security.authorization.Privilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; /** * This class is a dummy implementation of HiveAuthorizationProvider to provide @@ -141,4 +143,9 @@ public void authorize(Table table, Partition part, List columns, throws HiveException, AuthorizationException { } + @Override + public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { + return null; + } + } diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestHDFSPermissionPolicyProvider.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestHDFSPermissionPolicyProvider.java new file mode 100644 index 0000000..2497467 --- /dev/null +++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestHDFSPermissionPolicyProvider.java @@ -0,0 +1,174 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; + +import static org.junit.Assert.*; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.fs.Path; +import org.apache.hadoop.fs.permission.FsPermission; +import org.apache.hadoop.hdfs.MiniDFSCluster; +import org.apache.hadoop.hive.metastore.HiveMetaStoreClient; +import org.apache.hadoop.hive.metastore.TableType; +import org.apache.hadoop.hive.metastore.api.Database; +import org.apache.hadoop.hive.metastore.api.FieldSchema; +import org.apache.hadoop.hive.metastore.api.SerDeInfo; +import org.apache.hadoop.hive.metastore.api.StorageDescriptor; +import org.apache.hadoop.hive.metastore.api.Table; +import org.apache.hadoop.hive.metastore.conf.MetastoreConf; +import org.apache.hadoop.hive.ql.metadata.Hive; +import org.apache.hadoop.hive.ql.security.authorization.HDFSPermissionPolicyProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLs; +import org.junit.BeforeClass; +import org.junit.Test; + +public class TestHDFSPermissionPolicyProvider { + private static MiniDFSCluster m_dfs; + private static HiveMetaStoreClient client; + private static Configuration conf; + private static String defaultTbl1Loc, defaultTbl2Loc, db1Loc, db1Tbl1Loc; + + @BeforeClass + public static void setup() throws Exception { + m_dfs = new MiniDFSCluster.Builder(new Configuration()).numDataNodes(1).format(true).build(); + conf = new Configuration(); + conf.set("fs.defaultFS", "hdfs://" + m_dfs.getNameNode().getHostAndPort()); + String warehouseLocation = "hdfs://" + m_dfs.getNameNode().getHostAndPort() + + MetastoreConf.ConfVars.WAREHOUSE.getDefaultVal(); + conf.set(MetastoreConf.ConfVars.WAREHOUSE.getVarname(), warehouseLocation); + conf.set(MetastoreConf.ConfVars.AUTO_CREATE_ALL.getVarname(), "true"); + conf.set(MetastoreConf.ConfVars.SCHEMA_VERIFICATION.getVarname(), "false"); + client = new HiveMetaStoreClient(conf); + Hive.get(conf, TestHDFSPermissionPolicyProvider.class); + + try {client.dropTable("default", "tbl1");} catch(Exception e) {}; + try {client.dropTable("default", "tbl2");} catch(Exception e) {}; + try {client.dropTable("db1", "tbl1");} catch(Exception e) {}; + try {client.dropDatabase("db1");} catch(Exception e) {}; + + defaultTbl1Loc = warehouseLocation + "/tbl1"; + defaultTbl2Loc = warehouseLocation + "/tbl2"; + db1Loc = warehouseLocation + "/db1"; + db1Tbl1Loc = warehouseLocation + "/db1/tbl1"; + + int now = (int)System.currentTimeMillis() / 1000; + FieldSchema col1 = new FieldSchema("col1", "int", "no comment"); + List cols = new ArrayList(); + cols.add(col1); + SerDeInfo serde = new SerDeInfo("serde", "seriallib", null); + StorageDescriptor sd = + new StorageDescriptor(cols, defaultTbl1Loc, "input", "output", false, 0, serde, null, null, + new HashMap()); + Table tbl = + new Table("tbl1", "default", "foo", now, now, 0, sd, null, + new HashMap(), null, null, TableType.MANAGED_TABLE.toString()); + client.createTable(tbl); + + sd = new StorageDescriptor(cols, defaultTbl2Loc, "input", "output", false, 0, serde, + null, null, new HashMap()); + tbl = new Table("tbl2", "default", "foo", now, now, 0, sd, null, + new HashMap(), null, null, TableType.MANAGED_TABLE.toString()); + client.createTable(tbl); + + Database db = new Database("db1", "no description", db1Loc, new HashMap()); + client.createDatabase(db); + + sd = new StorageDescriptor(cols, db1Tbl1Loc, "input", "output", false, 0, serde, null, null, + new HashMap()); + tbl = new Table("tbl1", "db1", "foo", now, now, 0, sd, null, + new HashMap(), null, null, TableType.MANAGED_TABLE.toString()); + client.createTable(tbl); + } + + @Test + public void testPolicyProvider() throws Exception { + HDFSPermissionPolicyProvider policyProvider = new HDFSPermissionPolicyProvider(conf); + FileSystem fs = FileSystem.get(conf); + fs.setOwner(new Path(defaultTbl1Loc), "user1", "group1"); + fs.setOwner(new Path(defaultTbl2Loc), "user1", "group1"); + fs.setOwner(new Path(db1Loc), "user1", "group1"); + fs.setOwner(new Path(db1Tbl1Loc), "user1", "group1"); + fs.setPermission(new Path(defaultTbl1Loc), new FsPermission("444")); // r--r--r-- + HiveResourceACLs acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 2); + assertTrue(acls.getGroupPermissions().keySet().contains("group1")); + assertTrue(acls.getGroupPermissions().keySet().contains("public")); + + fs.setPermission(new Path(defaultTbl1Loc), new FsPermission("440")); // r--r----- + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 1); + assertEquals(acls.getUserPermissions().keySet().iterator().next(), "user1"); + assertEquals(acls.getGroupPermissions().size(), 1); + assertTrue(acls.getGroupPermissions().keySet().contains("group1")); + + fs.setPermission(new Path(defaultTbl1Loc), new FsPermission("404")); // r-----r-- + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 1); + assertTrue(acls.getGroupPermissions().keySet().contains("public")); + + fs.setPermission(new Path(defaultTbl1Loc), new FsPermission("400")); // r-------- + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 0); + + fs.setPermission(new Path(defaultTbl1Loc), new FsPermission("004")); // ------r-- + fs.setPermission(new Path(defaultTbl2Loc), new FsPermission("777")); // rwxrwxrwx + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 0); + assertEquals(acls.getGroupPermissions().size(), 1); + assertTrue(acls.getGroupPermissions().keySet().contains("public")); + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl2")); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 2); + assertTrue(acls.getGroupPermissions().keySet().contains("group1")); + assertTrue(acls.getGroupPermissions().keySet().contains("public")); + + fs.setPermission(new Path(db1Loc), new FsPermission("400")); // ------r-- + fs.delete(new Path(db1Tbl1Loc), true); + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.DATABASE, "db1", null)); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 0); + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "db1", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 0); + + } +} diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java index 31e795c..3fdacac 100644 --- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java +++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java @@ -32,6 +32,8 @@ import org.apache.hadoop.hive.ql.metadata.Table; import org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider; import org.apache.hadoop.hive.ql.security.authorization.Privilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; /** * Dummy implementation for use by unit tests. Tracks the context of calls made to @@ -211,6 +213,8 @@ public void authorizeAuthorizationApiInvocation() throws HiveException, Authoriz authCalls.add(new AuthCallContext(AuthCallContextType.AUTHORIZATION, null, null)); } - - + @Override + public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { + return null; + } } diff --git a/metastore/scripts/upgrade/hive/hive-schema-3.0.0.hive.sql b/metastore/scripts/upgrade/hive/hive-schema-3.0.0.hive.sql index d9606d8..a3ecded 100644 --- a/metastore/scripts/upgrade/hive/hive-schema-3.0.0.hive.sql +++ b/metastore/scripts/upgrade/hive/hive-schema-3.0.0.hive.sql @@ -109,6 +109,7 @@ CREATE TABLE IF NOT EXISTS `DB_PRIVS` ( `PRINCIPAL_NAME` string, `PRINCIPAL_TYPE` string, `DB_PRIV` string, + `AUTHORIZER` string, CONSTRAINT `SYS_PK_DB_PRIVS` PRIMARY KEY (`DB_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -124,7 +125,8 @@ TBLPROPERTIES ( \"GRANTOR_TYPE\", \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", - \"DB_PRIV\" + \"DB_PRIV\", + \"AUTHORIZER\" FROM \"DB_PRIVS\"" ); @@ -138,6 +140,7 @@ CREATE TABLE IF NOT EXISTS `GLOBAL_PRIVS` ( `PRINCIPAL_NAME` string, `PRINCIPAL_TYPE` string, `USER_PRIV` string, + `AUTHORIZER` string, CONSTRAINT `SYS_PK_GLOBAL_PRIVS` PRIMARY KEY (`USER_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -152,7 +155,8 @@ TBLPROPERTIES ( \"GRANTOR_TYPE\", \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", - \"USER_PRIV\" + \"USER_PRIV\", + \"AUTHORIZER\" FROM \"GLOBAL_PRIVS\"" ); @@ -250,6 +254,7 @@ CREATE TABLE IF NOT EXISTS `PART_COL_PRIVS` ( `PRINCIPAL_NAME` string, `PRINCIPAL_TYPE` string, `PART_COL_PRIV` string, + `AUTHORIZER` string, CONSTRAINT `SYS_PK_PART_COL_PRIVS` PRIMARY KEY (`PART_COLUMN_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -266,7 +271,8 @@ TBLPROPERTIES ( \"PART_ID\", \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", - \"PART_COL_PRIV\" + \"PART_COL_PRIV\", + \"AUTHORIZER\" FROM \"PART_COL_PRIVS\"" ); @@ -281,6 +287,7 @@ CREATE TABLE IF NOT EXISTS `PART_PRIVS` ( `PRINCIPAL_NAME` string, `PRINCIPAL_TYPE` string, `PART_PRIV` string, + `AUTHORIZER` string, CONSTRAINT `SYS_PK_PART_PRIVS` PRIMARY KEY (`PART_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -296,7 +303,8 @@ TBLPROPERTIES ( \"PART_ID\", \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", - \"PART_PRIV\" + \"PART_PRIV\", + \"AUTHORIZER\" FROM \"PART_PRIVS\"" ); @@ -652,6 +660,7 @@ CREATE TABLE IF NOT EXISTS `TBL_COL_PRIVS` ( `PRINCIPAL_TYPE` string, `TBL_COL_PRIV` string, `TBL_ID` bigint, + `AUTHORIZER` string, CONSTRAINT `SYS_PK_TBL_COL_PRIVS` PRIMARY KEY (`TBL_COLUMN_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -668,7 +677,8 @@ TBLPROPERTIES ( \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", \"TBL_COL_PRIV\", - \"TBL_ID\" + \"TBL_ID\", + \"AUTHORIZER\" FROM \"TBL_COL_PRIVS\"" ); @@ -683,6 +693,7 @@ CREATE TABLE IF NOT EXISTS `TBL_PRIVS` ( `PRINCIPAL_TYPE` string, `TBL_PRIV` string, `TBL_ID` bigint, + `AUTHORIZER` string, CONSTRAINT `SYS_PK_TBL_PRIVS` PRIMARY KEY (`TBL_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -698,7 +709,8 @@ TBLPROPERTIES ( \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", \"TBL_PRIV\", - \"TBL_ID\" + \"TBL_ID\", + \"AUTHORIZER\" FROM \"TBL_PRIVS\"" ); @@ -1082,7 +1094,8 @@ WHERE D.`DB_ID` = T.`DB_ID` AND T.`TBL_ID` = P.`TBL_ID` AND (P.`PRINCIPAL_NAME`=current_user() AND P.`PRINCIPAL_TYPE`='USER' - OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP')); + OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP')) + AND current_authorizer() = P.`AUTHORIZER`; CREATE VIEW IF NOT EXISTS `TABLES` ( @@ -1118,8 +1131,8 @@ WHERE D.`DB_ID` = T.`DB_ID` AND (NOT restrict_information_schema() OR T.`TBL_ID` = P.`TBL_ID` AND (P.`PRINCIPAL_NAME`=current_user() AND P.`PRINCIPAL_TYPE`='USER' - OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP')) - AND P.`TBL_PRIV`='SELECT'); + OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP'))) + AND P.`TBL_PRIV`='SELECT' AND P.`AUTHORIZER`=current_authorizer(); CREATE VIEW IF NOT EXISTS `TABLE_PRIVILEGES` ( @@ -1152,8 +1165,8 @@ WHERE AND (NOT restrict_information_schema() OR P.`TBL_ID` = P2.`TBL_ID` AND P.`PRINCIPAL_NAME` = P2.`PRINCIPAL_NAME` AND P.`PRINCIPAL_TYPE` = P2.`PRINCIPAL_TYPE` AND (P2.`PRINCIPAL_NAME`=current_user() AND P2.`PRINCIPAL_TYPE`='USER' - OR ((array_contains(current_groups(), P2.`PRINCIPAL_NAME`) OR P2.`PRINCIPAL_NAME` = 'public') AND P2.`PRINCIPAL_TYPE`='GROUP')) - AND P2.`TBL_PRIV`='SELECT'); + OR ((array_contains(current_groups(), P2.`PRINCIPAL_NAME`) OR P2.`PRINCIPAL_NAME` = 'public') AND P2.`PRINCIPAL_TYPE`='GROUP'))) + AND P2.`TBL_PRIV`='SELECT' AND P.`AUTHORIZER` = current_authorizer() AND P2.`AUTHORIZER` = current_authorizer(); CREATE VIEW IF NOT EXISTS `COLUMNS` ( @@ -1308,7 +1321,7 @@ WHERE AND C.`COLUMN_NAME` = P.`COLUMN_NAME` AND (P.`PRINCIPAL_NAME`=current_user() AND P.`PRINCIPAL_TYPE`='USER' OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP')) - AND P.`TBL_COL_PRIV`='SELECT'); + AND P.`TBL_COL_PRIV`='SELECT' AND P.`AUTHORIZER`=current_authorizer()); CREATE VIEW IF NOT EXISTS `COLUMN_PRIVILEGES` ( @@ -1344,7 +1357,7 @@ WHERE P.`TBL_ID` = P2.`TBL_ID` AND P.`PRINCIPAL_NAME` = P2.`PRINCIPAL_NAME` AND P.`PRINCIPAL_TYPE` = P2.`PRINCIPAL_TYPE` AND (P2.`PRINCIPAL_NAME`=current_user() AND P2.`PRINCIPAL_TYPE`='USER' OR ((array_contains(current_groups(), P2.`PRINCIPAL_NAME`) OR P2.`PRINCIPAL_NAME` = 'public') AND P2.`PRINCIPAL_TYPE`='GROUP')) - AND P2.`TBL_PRIV`='SELECT'); + AND P2.`TBL_PRIV`='SELECT' AND P.`AUTHORIZER`=current_authorizer() AND P2.`AUTHORIZER`=current_authorizer()); CREATE VIEW IF NOT EXISTS `VIEWS` ( @@ -1381,4 +1394,4 @@ WHERE T.`TBL_ID` = P.`TBL_ID` AND (P.`PRINCIPAL_NAME`=current_user() AND P.`PRINCIPAL_TYPE`='USER' OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP')) - AND P.`TBL_PRIV`='SELECT'); + AND P.`TBL_PRIV`='SELECT' AND P.`AUTHORIZER`=current_authorizer()); diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/FunctionRegistry.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/FunctionRegistry.java index a1f549a..e77fe18 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/exec/FunctionRegistry.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/FunctionRegistry.java @@ -359,6 +359,7 @@ system.registerGenericUDF("current_groups", GenericUDFCurrentGroups.class); system.registerGenericUDF("logged_in_user", GenericUDFLoggedInUser.class); system.registerGenericUDF("restrict_information_schema", GenericUDFRestrictInformationSchema.class); + system.registerGenericUDF("current_authorizer", GenericUDFCurrentAuthorizer.class); system.registerGenericUDF("isnull", GenericUDFOPNull.class); system.registerGenericUDF("isnotnull", GenericUDFOPNotNull.class); diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HDFSPermissionPolicyProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HDFSPermissionPolicyProvider.java new file mode 100644 index 0000000..27e4dba --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HDFSPermissionPolicyProvider.java @@ -0,0 +1,117 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security.authorization; + +import java.io.IOException; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.FileStatus; +import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.fs.Path; +import org.apache.hadoop.fs.permission.FsAction; +import org.apache.hadoop.fs.permission.FsPermission; +import org.apache.hadoop.hive.common.FileUtils; +import org.apache.hadoop.hive.metastore.api.Database; +import org.apache.hadoop.hive.ql.metadata.Hive; +import org.apache.hadoop.hive.ql.metadata.Table; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyChangeListener; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLs; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLsImpl; + +public class HDFSPermissionPolicyProvider implements HivePolicyProvider { + + private Configuration conf; + + public HDFSPermissionPolicyProvider(Configuration conf) { + this.conf = conf; + } + + @Override + public HiveResourceACLs getResourceACLs(HivePrivilegeObject hiveObject) { + HiveResourceACLs acls = null; + try { + switch (hiveObject.getType()) { + case DATABASE: + Database db = Hive.get().getDatabase(hiveObject.getDbname()); + acls = getResourceACLs(new Path(db.getLocationUri())); + break; + case TABLE_OR_VIEW: + case COLUMN: + Table table = Hive.get().getTable(hiveObject.getDbname(), hiveObject.getObjectName()); + acls = getResourceACLs(new Path(table.getTTable().getSd().getLocation())); + break; + default: + // Shall never happen + throw new RuntimeException("Unknown request type:" + hiveObject.getType()); + } + } catch (Exception e) { + } + return acls; + } + + private HiveResourceACLs getResourceACLs(Path path) throws IOException { + if (path == null) { + throw new IllegalArgumentException("path is null"); + } + + final FileSystem fs = path.getFileSystem(conf); + + FileStatus pathStatus = FileUtils.getFileStatusOrNull(fs, path); + if (pathStatus != null) { + return getResourceACLs(fs, pathStatus); + } else if (path.getParent() != null) { + // find the ancestor which exists to check its permissions + Path par = path.getParent(); + FileStatus parStatus = null; + while (par != null) { + parStatus = FileUtils.getFileStatusOrNull(fs, par); + if (parStatus != null) { + break; + } + par = par.getParent(); + } + return getResourceACLs(fs, parStatus); + } + return null; + } + + private HiveResourceACLs getResourceACLs(final FileSystem fs, final FileStatus stat) { + String owner = stat.getOwner(); + String group = stat.getGroup(); + HiveResourceACLsImpl acls = new HiveResourceACLsImpl(); + FsPermission permission = stat.getPermission(); + if (permission.getUserAction().implies(FsAction.READ)) { + acls.addUserEntry(owner, HiveResourceACLs.Privilege.SELECT, HiveResourceACLs.AccessResult.ALLOWED); + } + if (permission.getGroupAction().implies(FsAction.READ)) { + acls.addGroupEntry(group, HiveResourceACLs.Privilege.SELECT, HiveResourceACLs.AccessResult.ALLOWED); + } + if (permission.getOtherAction().implies(FsAction.READ)) { + acls.addGroupEntry("public", HiveResourceACLs.Privilege.SELECT, HiveResourceACLs.AccessResult.ALLOWED); + } + return acls; + } + + @Override + public void registerHivePolicyChangeListener(HivePolicyChangeListener listener) { + // Not implemented + } + +} diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java index 8a7c06d..d3e13a5 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java @@ -36,6 +36,8 @@ import org.apache.hadoop.hive.ql.metadata.Hive; import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; import org.apache.thrift.TException; public abstract class HiveAuthorizationProviderBase implements @@ -133,4 +135,8 @@ public void setAuthenticator(HiveAuthenticationProvider authenticator) { this.authenticator = authenticator; } + @Override + public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { + return null; + } } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java index 0dab334..de9b8d1 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java @@ -21,6 +21,8 @@ import org.apache.hadoop.hive.metastore.IHMSHandler; import org.apache.hadoop.hive.ql.metadata.AuthorizationException; import org.apache.hadoop.hive.ql.metadata.HiveException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; /** * HiveMetastoreAuthorizationProvider : An extension of HiveAuthorizaytionProvider @@ -44,5 +46,10 @@ */ void authorizeAuthorizationApiInvocation() throws HiveException, AuthorizationException; + /** + * @return HivePolicyProvider instance (expected to be a singleton) + * @throws HiveAuthzPluginException + */ + HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException; } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PolicyProviderContainer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PolicyProviderContainer.java new file mode 100644 index 0000000..dfc6964 --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PolicyProviderContainer.java @@ -0,0 +1,74 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security.authorization; + +import java.util.ArrayList; +import java.util.Iterator; +import java.util.List; + +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; + +public class PolicyProviderContainer implements Iterable { + List authorizers = new ArrayList(); + List authorizationProviders = new ArrayList(); + + public void addAuthorizer(HiveAuthorizer authorizer) { + authorizers.add(authorizer); + } + + public void addAuthorizationProvider(HiveMetastoreAuthorizationProvider authorizationProvider) { + authorizationProviders.add(authorizationProvider); + } + + public int size() { + return authorizers.size() + authorizationProviders.size(); + } + + @Override + public Iterator iterator() { + return new PolicyIterator(); + } + + class PolicyIterator implements Iterator { + int currentAuthorizerPosition = 0; + int AuthorizationProviderPosition = 0; + @Override + public boolean hasNext() { + if (currentAuthorizerPosition < authorizers.size() + || AuthorizationProviderPosition < authorizationProviders.size()) { + return true; + } + return false; + } + + @Override + public HivePolicyProvider next() { + try { + if (currentAuthorizerPosition < authorizers.size()) { + return authorizers.get(currentAuthorizerPosition++).getHivePolicyProvider(); + } else { + return authorizationProviders.get(AuthorizationProviderPosition++).getHivePolicyProvider(); + } + } catch (HiveAuthzPluginException e) { + throw new RuntimeException(e); + } + } + } +} diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java index 9b2e6cd..c9994df 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java @@ -32,7 +32,6 @@ import org.apache.hadoop.hive.metastore.api.PrivilegeBag; import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo; import org.apache.hadoop.hive.metastore.api.Table; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactoryImpl; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; @@ -53,23 +52,24 @@ private IMetaStoreClient hiveClient; private LeaderLatch privilegeSynchonizerLatch; private HiveConf hiveConf; - private HiveAuthorizer authorizer; + private PolicyProviderContainer policyProviderContainer; - public PrivilegeSynchonizer(LeaderLatch privilegeSynchonizerLatch, HiveAuthorizer authorizer, HiveConf hiveConf) { + public PrivilegeSynchonizer(LeaderLatch privilegeSynchonizerLatch, + PolicyProviderContainer policyProviderContainer, HiveConf hiveConf) { try { hiveClient = new HiveMetastoreClientFactoryImpl().getHiveMetastoreClient(); } catch (HiveAuthzPluginException e) { throw new RuntimeException("Error creating getHiveMetastoreClient", e); } this.privilegeSynchonizerLatch = privilegeSynchonizerLatch; - this.authorizer = authorizer; + this.policyProviderContainer = policyProviderContainer; this.hiveConf = hiveConf; } private void addACLsToBag( Map> principalAclsMap, PrivilegeBag privBag, HiveObjectType objectType, String dbName, String tblName, String columnName, - PrincipalType principalType) { + PrincipalType principalType, String authorizer) { for (Map.Entry> principalAcls : principalAclsMap.entrySet()) { @@ -82,19 +82,19 @@ private void addACLsToBag( privBag.addToPrivileges( new HiveObjectPrivilege(new HiveObjectRef(HiveObjectType.DATABASE, dbName, null, null, null), principal, principalType, new PrivilegeGrantInfo(acl.getKey().toString(), - (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false))); + (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false), authorizer)); break; case TABLE: privBag.addToPrivileges( new HiveObjectPrivilege(new HiveObjectRef(HiveObjectType.TABLE, dbName, tblName, null, null), principal, principalType, new PrivilegeGrantInfo(acl.getKey().toString(), - (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false))); + (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false), authorizer)); break; case COLUMN: privBag.addToPrivileges( new HiveObjectPrivilege(new HiveObjectRef(HiveObjectType.COLUMN, dbName, tblName, null, columnName), principal, principalType, new PrivilegeGrantInfo(acl.getKey().toString(), - (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false))); + (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false), authorizer)); break; default: throw new RuntimeException("Get unknown object type " + objectType); @@ -123,7 +123,7 @@ private HiveObjectRef getObjToRefresh(HiveObjectType type, String dbName, String } private void addGrantPrivilegesToBag(HivePolicyProvider policyProvider, PrivilegeBag privBag, HiveObjectType type, - String dbName, String tblName, String columnName) throws Exception { + String dbName, String tblName, String columnName, String authorizer) throws Exception { HiveResourceACLs objectAcls = null; @@ -151,51 +151,58 @@ private void addGrantPrivilegesToBag(HivePolicyProvider policyProvider, Privileg return; } - addACLsToBag(objectAcls.getUserPermissions(), privBag, type, dbName, tblName, columnName, PrincipalType.USER); - addACLsToBag(objectAcls.getGroupPermissions(), privBag, type, dbName, tblName, columnName, PrincipalType.GROUP); + addACLsToBag(objectAcls.getUserPermissions(), privBag, type, dbName, tblName, columnName, + PrincipalType.USER, authorizer); + addACLsToBag(objectAcls.getGroupPermissions(), privBag, type, dbName, tblName, columnName, + PrincipalType.GROUP, authorizer); } @Override public void run() { while (true) { + long interval = HiveConf.getTimeVar(hiveConf, ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER_INTERVAL, TimeUnit.SECONDS); try { - HivePolicyProvider policyProvider = authorizer.getHivePolicyProvider(); - long interval = HiveConf.getTimeVar(hiveConf, ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER_INTERVAL, TimeUnit.SECONDS); - if (hiveConf.getBoolVar(ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER)) { - if (!privilegeSynchonizerLatch.await(interval, TimeUnit.SECONDS)) { - continue; - } - LOG.debug("Start synchonize privilege"); - for (String dbName : hiveClient.getAllDatabases()) { - HiveObjectRef dbToRefresh = getObjToRefresh(HiveObjectType.DATABASE, dbName, null); - PrivilegeBag grantDatabaseBag = new PrivilegeBag(); - addGrantPrivilegesToBag(policyProvider, grantDatabaseBag, HiveObjectType.DATABASE, dbName, null, null); - hiveClient.refresh_privileges(dbToRefresh, grantDatabaseBag); - - for (String tblName : hiveClient.getAllTables(dbName)) { - HiveObjectRef tableToRefresh = getObjToRefresh(HiveObjectType.TABLE, dbName, tblName); - PrivilegeBag grantTableBag = new PrivilegeBag(); - addGrantPrivilegesToBag(policyProvider, grantTableBag, HiveObjectType.TABLE, dbName, tblName, null); - hiveClient.refresh_privileges(tableToRefresh, grantTableBag); - - HiveObjectRef tableOfColumnsToRefresh = getObjToRefresh(HiveObjectType.COLUMN, dbName, tblName); - PrivilegeBag grantColumnBag = new PrivilegeBag(); - Table tbl = hiveClient.getTable(dbName, tblName); - for (FieldSchema fs : tbl.getPartitionKeys()) { - addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, dbName, tblName, - fs.getName()); - } - for (FieldSchema fs : tbl.getSd().getCols()) { - addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, dbName, tblName, - fs.getName()); + for (HivePolicyProvider policyProvider : policyProviderContainer) { + String authorizer = policyProvider.getClass().getSimpleName(); + if (hiveConf.getBoolVar(ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER)) { + if (!privilegeSynchonizerLatch.await(interval, TimeUnit.SECONDS)) { + continue; + } + LOG.debug("Start synchonize privilege"); + for (String dbName : hiveClient.getAllDatabases()) { + HiveObjectRef dbToRefresh = getObjToRefresh(HiveObjectType.DATABASE, dbName, null); + PrivilegeBag grantDatabaseBag = new PrivilegeBag(); + addGrantPrivilegesToBag(policyProvider, grantDatabaseBag, HiveObjectType.DATABASE, + dbName, null, null, authorizer); + hiveClient.refresh_privileges(dbToRefresh, authorizer, grantDatabaseBag); + + for (String tblName : hiveClient.getAllTables(dbName)) { + HiveObjectRef tableToRefresh = getObjToRefresh(HiveObjectType.TABLE, dbName, tblName); + PrivilegeBag grantTableBag = new PrivilegeBag(); + addGrantPrivilegesToBag(policyProvider, grantTableBag, HiveObjectType.TABLE, + dbName, tblName, null, authorizer); + hiveClient.refresh_privileges(tableToRefresh, authorizer, grantTableBag); + + HiveObjectRef tableOfColumnsToRefresh = getObjToRefresh(HiveObjectType.COLUMN, dbName, tblName); + PrivilegeBag grantColumnBag = new PrivilegeBag(); + Table tbl = hiveClient.getTable(dbName, tblName); + for (FieldSchema fs : tbl.getPartitionKeys()) { + addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, + dbName, tblName, fs.getName(), authorizer); + } + for (FieldSchema fs : tbl.getSd().getCols()) { + addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, + dbName, tblName, fs.getName(), authorizer); + } + hiveClient.refresh_privileges(tableOfColumnsToRefresh, authorizer, grantColumnBag); } - hiveClient.refresh_privileges(tableOfColumnsToRefresh, grantColumnBag); } } + // Wait if no exception happens, otherwise, retry immediately } - // Wait if no exception happens, otherwise, retry immediately Thread.sleep(interval * 1000); LOG.debug("Success synchonize privilege"); + } catch (Exception e) { LOG.error("Error initializing PrivilegeSynchonizer: " + e.getMessage(), e); } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java index b66d188..f074d39 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java @@ -45,6 +45,8 @@ import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.ql.metadata.Partition; import org.apache.hadoop.hive.ql.metadata.Table; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; /** * StorageBasedAuthorizationProvider is an implementation of @@ -491,4 +493,9 @@ public void setHasDropPrivilege(boolean hasDropPrivilege) { } + @Override + public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { + return new HDFSPermissionPolicyProvider(getConf()); + } + } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java index 48798d8..ffa5cd1 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java @@ -47,6 +47,7 @@ public class HiveV1Authorizer extends AbstractHiveAuthorizer { private final HiveConf conf; + private final static String AUTHORIZER = "v1"; public HiveV1Authorizer(HiveConf conf) { this.conf = conf; @@ -77,7 +78,7 @@ public void grantPrivileges( HivePrincipal grantor, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException { try { - PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption); + PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption, AUTHORIZER); grantOrRevokePrivs(principals, privBag, true, grantOption); } catch (Exception e) { throw new HiveAuthzPluginException(e); @@ -90,7 +91,7 @@ public void revokePrivileges( HivePrincipal grantor, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException { try { - PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption); + PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption, AUTHORIZER); grantOrRevokePrivs(principals, privBag, false, grantOption); } catch (Exception e) { throw new HiveAuthzPluginException(e); @@ -115,7 +116,7 @@ private void grantOrRevokePrivs(List principals, PrivilegeBag pri } private PrivilegeBag toPrivilegeBag(List privileges, - HivePrivilegeObject privObject, HivePrincipal grantor, boolean grantOption) + HivePrivilegeObject privObject, HivePrincipal grantor, boolean grantOption, String authorizer) throws HiveException { PrivilegeBag privBag = new PrivilegeBag(); @@ -136,7 +137,7 @@ private PrivilegeBag toPrivilegeBag(List privileges, privBag.addToPrivileges(new HiveObjectPrivilege(new HiveObjectRef( HiveObjectType.GLOBAL, null, null, null, null), null, null, new PrivilegeGrantInfo(priv.getName(), 0, grantor.getName(), grantorType, - grantOption))); + grantOption), authorizer)); } return privBag; } @@ -186,23 +187,23 @@ private PrivilegeBag toPrivilegeBag(List privileges, privBag.addToPrivileges(new HiveObjectPrivilege( new HiveObjectRef(HiveObjectType.COLUMN, dbObj.getName(), tableObj.getTableName(), partValues, columns.get(i)), null, null, - new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption), authorizer)); } } else if (tableObj == null) { privBag.addToPrivileges(new HiveObjectPrivilege( new HiveObjectRef(HiveObjectType.DATABASE, dbObj.getName(), null, null, null), null, null, - new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption), authorizer)); } else if (partValues == null) { privBag.addToPrivileges(new HiveObjectPrivilege( new HiveObjectRef(HiveObjectType.TABLE, dbObj.getName(), tableObj.getTableName(), null, null), null, null, - new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption), authorizer)); } else { privBag.addToPrivileges(new HiveObjectPrivilege( new HiveObjectRef(HiveObjectType.PARTITION, dbObj.getName(), tableObj.getTableName(), partValues, null), null, null, - new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption), authorizer)); } } return privBag; diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java index 02ed7aa..e787538 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java @@ -99,7 +99,7 @@ static PrivilegeBag getThriftPrivilegesBag(List hivePrincipals, grantOption, 0 /*real grant time added by metastore*/); for (HivePrincipal principal : hivePrincipals) { HiveObjectPrivilege objPriv = new HiveObjectPrivilege(privObj, principal.getName(), - AuthorizationUtils.getThriftPrincipalType(principal.getType()), grantInfo); + AuthorizationUtils.getThriftPrincipalType(principal.getType()), grantInfo, "SQL"); privBag.addToPrivileges(objPriv); } } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/udf/generic/GenericUDFCurrentAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/udf/generic/GenericUDFCurrentAuthorizer.java new file mode 100644 index 0000000..406089d --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/udf/generic/GenericUDFCurrentAuthorizer.java @@ -0,0 +1,119 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hive.ql.udf.generic; + +import java.util.List; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.metastore.conf.MetastoreConf; +import org.apache.hadoop.hive.ql.exec.Description; +import org.apache.hadoop.hive.ql.exec.UDFArgumentException; +import org.apache.hadoop.hive.ql.exec.UDFArgumentLengthException; +import org.apache.hadoop.hive.ql.metadata.HiveException; +import org.apache.hadoop.hive.ql.metadata.HiveUtils; +import org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.session.SessionState; +import org.apache.hadoop.hive.ql.udf.UDFType; +import org.apache.hadoop.hive.serde2.objectinspector.ObjectInspector; +import org.apache.hadoop.hive.serde2.objectinspector.primitive.PrimitiveObjectInspectorFactory; +import org.apache.hadoop.io.Text; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * UDF to determine the current authorizer (class name of the authorizer) + * This is intended for internal usage only. This function is not a deterministic function, + * but a runtime constant. The return value is constant within a query but can be different between queries + */ +@UDFType(deterministic = false, runtimeConstant = true) +@Description(name = "current_authorizer", + value = "_FUNC_() - Returns the current authorizer (class name of the authorizer). ") +@NDV(maxNdv = 1) +public class GenericUDFCurrentAuthorizer extends GenericUDF { + private static final Logger LOG = LoggerFactory.getLogger(GenericUDFCurrentAuthorizer.class.getName()); + protected Text authorizer; + + @Override + public ObjectInspector initialize(ObjectInspector[] arguments) throws UDFArgumentException { + if (arguments.length != 0) { + throw new UDFArgumentLengthException( + "The function CurrentAuthorizer does not take any arguments, but found " + arguments.length); + } + + if (authorizer == null) { + + HiveConf hiveConf = SessionState.getSessionConf(); + HiveAuthorizer hiveAuthorizer = SessionState.get().getAuthorizerV2(); + try { + if (hiveAuthorizer.getHivePolicyProvider() != null) { + authorizer = new Text(hiveAuthorizer.getHivePolicyProvider().getClass().getSimpleName()); + } + } catch (HiveAuthzPluginException e) { + LOG.warn("Error getting HivePolicyProvider", e); + } + + if (authorizer == null) { + if (MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS) != null && + !MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS).isEmpty() && + HiveConf.getVar(hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER) != null) { + List authorizerProviders; + try { + authorizerProviders = HiveUtils.getMetaStoreAuthorizeProviderManagers( + hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER, + SessionState.get().getAuthenticator()); + for (HiveMetastoreAuthorizationProvider authProvider : authorizerProviders) { + if (authProvider.getHivePolicyProvider() != null) { + authorizer = new Text(authProvider.getHivePolicyProvider().getClass().getSimpleName()); + break; + } + } + } catch (HiveAuthzPluginException e) { + LOG.warn("Error getting HivePolicyProvider", e); + } catch (HiveException e) { + LOG.warn("Error instantiating hive.security.metastore.authorization.manager", e); + } + } + } + } + + return PrimitiveObjectInspectorFactory.writableStringObjectInspector; + } + + @Override + public Object evaluate(DeferredObject[] arguments) throws HiveException { + return authorizer; + } + + @Override + public String getDisplayString(String[] children) { + return "CURRENT_AUTHORIZER()"; + } + + @Override + public void copyToNewInstance(Object newInstance) throws UDFArgumentException { + super.copyToNewInstance(newInstance); + // Need to preserve authorizer flag + GenericUDFCurrentAuthorizer other = (GenericUDFCurrentAuthorizer) newInstance; + if (this.authorizer != null) { + other.authorizer = new Text(this.authorizer); + } + } +} diff --git a/ql/src/java/org/apache/hadoop/hive/ql/udf/generic/GenericUDFRestrictInformationSchema.java b/ql/src/java/org/apache/hadoop/hive/ql/udf/generic/GenericUDFRestrictInformationSchema.java index 3eb0914..fc47e43 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/udf/generic/GenericUDFRestrictInformationSchema.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/udf/generic/GenericUDFRestrictInformationSchema.java @@ -61,46 +61,50 @@ public ObjectInspector initialize(ObjectInspector[] arguments) throws UDFArgumen } if (enabled == null) { - boolean enableHS2PolicyProvider = false; - boolean enableMetastorePolicyProvider = false; - HiveConf hiveConf = SessionState.getSessionConf(); - HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); - try { - if (authorizer.getHivePolicyProvider() != null) { - enableHS2PolicyProvider = true; - } - } catch (HiveAuthzPluginException e) { - LOG.warn("Error getting HivePolicyProvider", e); - } + if (!hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) { + enabled = new BooleanWritable(false); + } else { + boolean enableHS2PolicyProvider = false; + boolean enableMetastorePolicyProvider = false; - if (!enableHS2PolicyProvider) { - if (MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS) != null && - !MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS).isEmpty() && - HiveConf.getVar(hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER) != null) { - List authorizerProviders; - try { - authorizerProviders = HiveUtils.getMetaStoreAuthorizeProviderManagers( - hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER, - SessionState.get().getAuthenticator()); - for (HiveMetastoreAuthorizationProvider authProvider : authorizerProviders) { - if (authProvider.getHivePolicyProvider() != null) { - enableMetastorePolicyProvider = true; - break; + HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); + try { + if (authorizer.getHivePolicyProvider() != null) { + enableHS2PolicyProvider = true; + } + } catch (HiveAuthzPluginException e) { + LOG.warn("Error getting HivePolicyProvider", e); + } + + if (!enableHS2PolicyProvider) { + if (MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS) != null && + !MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS).isEmpty() && + HiveConf.getVar(hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER) != null) { + List authorizerProviders; + try { + authorizerProviders = HiveUtils.getMetaStoreAuthorizeProviderManagers( + hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER, + SessionState.get().getAuthenticator()); + for (HiveMetastoreAuthorizationProvider authProvider : authorizerProviders) { + if (authProvider.getHivePolicyProvider() != null) { + enableMetastorePolicyProvider = true; + break; + } } + } catch (HiveAuthzPluginException e) { + LOG.warn("Error getting HivePolicyProvider", e); + } catch (HiveException e) { + LOG.warn("Error instantiating hive.security.metastore.authorization.manager", e); } - } catch (HiveAuthzPluginException e) { - LOG.warn("Error getting HivePolicyProvider", e); - } catch (HiveException e) { - LOG.warn("Error instantiating hive.security.metastore.authorization.manager", e); } } - } - if (enableHS2PolicyProvider || enableMetastorePolicyProvider) { - enabled = new BooleanWritable(true); - } else { - enabled = new BooleanWritable(false); + if (enableHS2PolicyProvider || enableMetastorePolicyProvider) { + enabled = new BooleanWritable(true); + } else { + enabled = new BooleanWritable(false); + } } } diff --git a/service/src/java/org/apache/hive/service/server/HiveServer2.java b/service/src/java/org/apache/hive/service/server/HiveServer2.java index 661beb5..6ef3410 100644 --- a/service/src/java/org/apache/hive/service/server/HiveServer2.java +++ b/service/src/java/org/apache/hive/service/server/HiveServer2.java @@ -71,6 +71,7 @@ import org.apache.hadoop.hive.metastore.api.WMFullResourcePlan; import org.apache.hadoop.hive.metastore.api.WMPool; import org.apache.hadoop.hive.metastore.api.WMResourcePlan; +import org.apache.hadoop.hive.metastore.conf.MetastoreConf; import org.apache.hadoop.hive.ql.cache.results.QueryResultsCache; import org.apache.hadoop.hive.ql.exec.spark.session.SparkSessionManagerImpl; import org.apache.hadoop.hive.ql.exec.tez.TezSessionPoolManager; @@ -78,8 +79,11 @@ import org.apache.hadoop.hive.ql.metadata.Hive; import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.ql.metadata.HiveMaterializedViewsRegistry; +import org.apache.hadoop.hive.ql.metadata.HiveUtils; import org.apache.hadoop.hive.ql.metadata.events.NotificationEventPoll; import org.apache.hadoop.hive.ql.plan.mapper.StatsSources; +import org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider; +import org.apache.hadoop.hive.ql.security.authorization.PolicyProviderContainer; import org.apache.hadoop.hive.ql.security.authorization.PrivilegeSynchonizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.session.ClearDanglingScratchDir; @@ -980,16 +984,33 @@ public void startPrivilegeSynchonizer(HiveConf hiveConf) throws Exception { + ZooKeeperHiveHelper.ZOOKEEPER_PATH_SEPARATOR + "leader"; LeaderLatch privilegeSynchonizerLatch = new LeaderLatch(zKClientForPrivSync, path); privilegeSynchonizerLatch.start(); + PolicyProviderContainer policyContainer = new PolicyProviderContainer(); HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); - if (authorizer.getHivePolicyProvider() == null) { + if (authorizer.getHivePolicyProvider() != null) { + policyContainer.addAuthorizer(authorizer); + } + if (hiveConf.get(MetastoreConf.ConfVars.PRE_EVENT_LISTENERS.getVarname()) != null && + hiveConf.get(MetastoreConf.ConfVars.PRE_EVENT_LISTENERS.getVarname()).contains( + "org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener") && + hiveConf.get(MetastoreConf.ConfVars.HIVE_AUTHORIZATION_MANAGER.getVarname())!= null) { + List providers = HiveUtils.getMetaStoreAuthorizeProviderManagers( + hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER, SessionState.get().getAuthenticator()); + for (HiveMetastoreAuthorizationProvider provider : providers) { + if (provider.getHivePolicyProvider() != null) { + policyContainer.addAuthorizationProvider(provider); + } + } + } + + if (policyContainer.size() > 0) { + Thread privilegeSynchonizerThread = new Thread( + new PrivilegeSynchonizer(privilegeSynchonizerLatch, policyContainer, hiveConf), "PrivilegeSynchonizer"); + privilegeSynchonizerThread.start(); + } else { LOG.warn( - "Cannot start PrivilegeSynchonizer, policyProvider of " + authorizer.getClass().getName() + " is null"); + "No policy provider found, stop PrivilegeSynchonizer"); privilegeSynchonizerLatch.close(); - return; } - Thread privilegeSynchonizerThread = new Thread( - new PrivilegeSynchonizer(privilegeSynchonizerLatch, authorizer, hiveConf), "PrivilegeSynchonizer"); - privilegeSynchonizerThread.start(); } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java index a2b8743..8e8c305 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java @@ -809,7 +809,7 @@ private void createDefaultRoles_core() throws MetaException { PrivilegeBag privs = new PrivilegeBag(); privs.addToPrivileges(new HiveObjectPrivilege( new HiveObjectRef(HiveObjectType.GLOBAL, null, null, null, null), ADMIN, PrincipalType.ROLE, new PrivilegeGrantInfo("All", 0, ADMIN, - PrincipalType.ROLE, true))); + PrincipalType.ROLE, true), "SQL")); try { ms.grantPrivileges(privs); } catch (InvalidObjectException e) { @@ -6196,14 +6196,14 @@ public GrantRevokePrivilegeResponse grant_revoke_privileges(GrantRevokePrivilege } @Override - public GrantRevokePrivilegeResponse refresh_privileges(HiveObjectRef objToRefresh, + public GrantRevokePrivilegeResponse refresh_privileges(HiveObjectRef objToRefresh, String authorizer, GrantRevokePrivilegeRequest grantRequest) throws TException { incrementCounter("refresh_privileges"); firePreEvent(new PreAuthorizationCallEvent(this)); GrantRevokePrivilegeResponse response = new GrantRevokePrivilegeResponse(); try { - boolean result = getMS().refreshPrivileges(objToRefresh, grantRequest.getPrivileges()); + boolean result = getMS().refreshPrivileges(objToRefresh, authorizer, grantRequest.getPrivileges()); response.setSuccess(result); } catch (MetaException e) { throw e; diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java index 6af2aa5..fd7546e 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java @@ -2288,7 +2288,7 @@ public boolean revoke_privileges(PrivilegeBag privileges, boolean grantOption) t } @Override - public boolean refresh_privileges(HiveObjectRef objToRefresh, + public boolean refresh_privileges(HiveObjectRef objToRefresh, String authorizer, PrivilegeBag grantPrivileges) throws MetaException, TException { String defaultCat = getDefaultCatalog(conf); @@ -2305,7 +2305,7 @@ public boolean refresh_privileges(HiveObjectRef objToRefresh, grantReq.setRequestType(GrantRevokeType.GRANT); grantReq.setPrivileges(grantPrivileges); - GrantRevokePrivilegeResponse res = client.refresh_privileges(objToRefresh, grantReq); + GrantRevokePrivilegeResponse res = client.refresh_privileges(objToRefresh, authorizer, grantReq); if (!res.isSetSuccess()) { throw new MetaException("GrantRevokePrivilegeResponse missing success field"); } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java index 09f9bb1..7ba286a 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java @@ -2567,12 +2567,13 @@ boolean revoke_privileges(PrivilegeBag privileges, boolean grantOption) /** * @param revokePrivileges + * @param authorizer * @param objToRefresh * @return true on success * @throws MetaException * @throws TException */ - boolean refresh_privileges(HiveObjectRef objToRefresh, PrivilegeBag grantPrivileges) + boolean refresh_privileges(HiveObjectRef objToRefresh, String authorizer, PrivilegeBag grantPrivileges) throws MetaException, TException; /** diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java index b0a805f..81c0f74 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java @@ -1097,7 +1097,7 @@ public boolean dropDatabase(String catName, String dbname) MDatabase db = getMDatabase(catName, dbname); pm.retrieve(db); if (db != null) { - List dbGrants = this.listDatabaseGrants(catName, dbname, queryWrapper); + List dbGrants = this.listDatabaseGrants(catName, dbname, null, queryWrapper); if (CollectionUtils.isNotEmpty(dbGrants)) { pm.deletePersistentAll(dbGrants); } @@ -1314,13 +1314,13 @@ public void createTable(Table tbl) throws InvalidObjectException, MetaException int now = (int)(System.currentTimeMillis()/1000); Map> userPrivs = principalPrivs.getUserPrivileges(); - putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, userPrivs, PrincipalType.USER); + putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, userPrivs, PrincipalType.USER, "SQL"); Map> groupPrivs = principalPrivs.getGroupPrivileges(); - putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, groupPrivs, PrincipalType.GROUP); + putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, groupPrivs, PrincipalType.GROUP, "SQL"); Map> rolePrivs = principalPrivs.getRolePrivileges(); - putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, rolePrivs, PrincipalType.ROLE); + putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, rolePrivs, PrincipalType.ROLE, "SQL"); } pm.makePersistentAll(toPersistPrivObjs); commited = commitTransaction(); @@ -1350,7 +1350,7 @@ public void createTable(Table tbl) throws InvalidObjectException, MetaException * @param type */ private void putPersistentPrivObjects(MTable mtbl, List toPersistPrivObjs, - int now, Map> privMap, PrincipalType type) { + int now, Map> privMap, PrincipalType type, String authorizer) { if (privMap != null) { for (Map.Entry> entry : privMap .entrySet()) { @@ -1364,7 +1364,7 @@ private void putPersistentPrivObjects(MTable mtbl, List toPersistPrivObj MTablePrivilege mTblSec = new MTablePrivilege( principalName, type.toString(), mtbl, priv.getPrivilege(), now, priv.getGrantor(), priv.getGrantorType().toString(), priv - .isGrantOption()); + .isGrantOption(), authorizer); toPersistPrivObjs.add(mTblSec); } } @@ -2242,7 +2242,8 @@ public boolean addPartitions(String catName, String dbName, String tblName, List for (MTablePrivilege tab: tabGrants) { toPersist.add(new MPartitionPrivilege(tab.getPrincipalName(), tab.getPrincipalType(), mpart, tab.getPrivilege(), now, - tab.getGrantor(), tab.getGrantorType(), tab.getGrantOption())); + tab.getGrantor(), tab.getGrantorType(), tab.getGrantOption(), + tab.getAuthorizer())); } } @@ -2250,7 +2251,8 @@ public boolean addPartitions(String catName, String dbName, String tblName, List for (MTableColumnPrivilege col : tabColumnGrants) { toPersist.add(new MPartitionColumnPrivilege(col.getPrincipalName(), col.getPrincipalType(), mpart, col.getColumnName(), col.getPrivilege(), - now, col.getGrantor(), col.getGrantorType(), col.getGrantOption())); + now, col.getGrantor(), col.getGrantorType(), col.getGrantOption(), + col.getAuthorizer())); } } } @@ -2314,7 +2316,8 @@ public boolean addPartitions(String catName, String dbName, String tblName, for (MTablePrivilege tab : tabGrants) { pm.makePersistent(new MPartitionPrivilege(tab.getPrincipalName(), tab.getPrincipalType(), mpart, tab.getPrivilege(), now, - tab.getGrantor(), tab.getGrantorType(), tab.getGrantOption())); + tab.getGrantor(), tab.getGrantorType(), tab.getGrantOption(), + tab.getAuthorizer())); } } @@ -2322,7 +2325,8 @@ public boolean addPartitions(String catName, String dbName, String tblName, for (MTableColumnPrivilege col : tabColumnGrants) { pm.makePersistent(new MPartitionColumnPrivilege(col.getPrincipalName(), col.getPrincipalType(), mpart, col.getColumnName(), col.getPrivilege(), - now, col.getGrantor(), col.getGrantorType(), col.getGrantOption())); + now, col.getGrantor(), col.getGrantorType(), col.getGrantOption(), + col.getAuthorizer())); } } } @@ -2363,7 +2367,7 @@ public boolean addPartition(Partition part) throws InvalidObjectException, MPartitionPrivilege partGrant = new MPartitionPrivilege(tab .getPrincipalName(), tab.getPrincipalType(), mpart, tab.getPrivilege(), now, tab.getGrantor(), tab - .getGrantorType(), tab.getGrantOption()); + .getGrantorType(), tab.getGrantOption(), tab.getAuthorizer()); toPersist.add(partGrant); } } @@ -2373,7 +2377,7 @@ public boolean addPartition(Partition part) throws InvalidObjectException, MPartitionColumnPrivilege partColumn = new MPartitionColumnPrivilege(col .getPrincipalName(), col.getPrincipalType(), mpart, col .getColumnName(), col.getPrivilege(), now, col.getGrantor(), col - .getGrantorType(), col.getGrantOption()); + .getGrantorType(), col.getGrantOption(), col.getAuthorizer()); toPersist.add(partColumn); } @@ -5633,6 +5637,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce String privilegeStr = privDef.getGrantInfo().getPrivilege(); String[] privs = privilegeStr.split(","); String userName = privDef.getPrincipalName(); + String authorizer = privDef.getAuthorizer(); PrincipalType principalType = privDef.getPrincipalType(); String grantor = privDef.getGrantInfo().getGrantor(); String grantorType = privDef.getGrantInfo().getGrantorType().toString(); @@ -5647,7 +5652,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce getDefaultCatalog(conf); if (hiveObject.getObjectType() == HiveObjectType.GLOBAL) { List globalPrivs = this - .listPrincipalMGlobalGrants(userName, principalType); + .listPrincipalMGlobalGrants(userName, principalType, authorizer); if (globalPrivs != null) { for (MGlobalPrivilege priv : globalPrivs) { if (priv.getGrantor().equalsIgnoreCase(grantor)) { @@ -5661,14 +5666,15 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce + " is already granted by " + grantor); } MGlobalPrivilege mGlobalPrivs = new MGlobalPrivilege(userName, - principalType.toString(), privilege, now, grantor, grantorType, grantOption); + principalType.toString(), privilege, now, grantor, grantorType, grantOption, + authorizer); persistentObjs.add(mGlobalPrivs); } } else if (hiveObject.getObjectType() == HiveObjectType.DATABASE) { MDatabase dbObj = getMDatabase(catName, hiveObject.getDbName()); if (dbObj != null) { List dbPrivs = this.listPrincipalMDBGrants( - userName, principalType, catName, hiveObject.getDbName()); + userName, principalType, catName, hiveObject.getDbName(), authorizer); if (dbPrivs != null) { for (MDBPrivilege priv : dbPrivs) { if (priv.getGrantor().equalsIgnoreCase(grantor)) { @@ -5683,7 +5689,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce + hiveObject.getDbName() + " by " + grantor); } MDBPrivilege mDb = new MDBPrivilege(userName, principalType - .toString(), dbObj, privilege, now, grantor, grantorType, grantOption); + .toString(), dbObj, privilege, now, grantor, grantorType, grantOption, authorizer); persistentObjs.add(mDb); } } @@ -5693,7 +5699,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce if (tblObj != null) { List tablePrivs = this .listAllMTableGrants(userName, principalType, - catName, hiveObject.getDbName(), hiveObject.getObjectName()); + catName, hiveObject.getDbName(), hiveObject.getObjectName(), authorizer); if (tablePrivs != null) { for (MTablePrivilege priv : tablePrivs) { if (priv.getGrantor() != null @@ -5711,7 +5717,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce } MTablePrivilege mTab = new MTablePrivilege( userName, principalType.toString(), tblObj, - privilege, now, grantor, grantorType, grantOption); + privilege, now, grantor, grantorType, grantOption, authorizer); persistentObjs.add(mTab); } } @@ -5724,7 +5730,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce List partPrivs = this .listPrincipalMPartitionGrants(userName, principalType, catName, hiveObject.getDbName(), hiveObject - .getObjectName(), partObj.getPartitionName()); + .getObjectName(), partObj.getPartitionName(), authorizer); if (partPrivs != null) { for (MPartitionPrivilege priv : partPrivs) { if (priv.getGrantor().equalsIgnoreCase(grantor)) { @@ -5742,7 +5748,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce } MPartitionPrivilege mTab = new MPartitionPrivilege(userName, principalType.toString(), partObj, privilege, now, grantor, - grantorType, grantOption); + grantorType, grantOption, authorizer); persistentObjs.add(mTab); } } @@ -5761,7 +5767,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce colPrivs = this.listPrincipalMPartitionColumnGrants( userName, principalType, catName, hiveObject.getDbName(), hiveObject .getObjectName(), partObj.getPartitionName(), - hiveObject.getColumnName()); + hiveObject.getColumnName(), authorizer); if (colPrivs != null) { for (MPartitionColumnPrivilege priv : colPrivs) { @@ -5782,7 +5788,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce MPartitionColumnPrivilege mCol = new MPartitionColumnPrivilege(userName, principalType.toString(), partObj, hiveObject .getColumnName(), privilege, now, grantor, grantorType, - grantOption); + grantOption, authorizer); persistentObjs.add(mCol); } @@ -5790,7 +5796,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce List colPrivs = null; colPrivs = this.listPrincipalMTableColumnGrants( userName, principalType, catName, hiveObject.getDbName(), hiveObject - .getObjectName(), hiveObject.getColumnName()); + .getObjectName(), hiveObject.getColumnName(), authorizer); if (colPrivs != null) { for (MTableColumnPrivilege priv : colPrivs) { @@ -5810,7 +5816,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce MTableColumnPrivilege mCol = new MTableColumnPrivilege(userName, principalType.toString(), tblObj, hiveObject .getColumnName(), privilege, now, grantor, grantorType, - grantOption); + grantOption, authorizer); persistentObjs.add(mCol); } } @@ -6091,7 +6097,7 @@ public int compare(HiveObjectPrivilege o1, HiveObjectPrivilege o2) { } @Override - public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantPrivileges) + public boolean refreshPrivileges(HiveObjectRef objToRefresh, String authorizer, PrivilegeBag grantPrivileges) throws InvalidObjectException, MetaException, NoSuchObjectException { boolean committed = false; try { @@ -6106,15 +6112,15 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP getDefaultCatalog(conf); switch (objToRefresh.getObjectType()) { case DATABASE: - grants = this.listDBGrantsAll(catName, objToRefresh.getDbName()); + grants = this.listDBGrantsAll(catName, objToRefresh.getDbName(), authorizer); break; case TABLE: - grants = listTableGrantsAll(catName, objToRefresh.getDbName(), objToRefresh.getObjectName()); + grants = listTableGrantsAll(catName, objToRefresh.getDbName(), objToRefresh.getObjectName(), authorizer); break; case COLUMN: Preconditions.checkArgument(objToRefresh.getColumnName()==null, "columnName must be null"); grants = convertTableCols(listTableAllColumnGrants(catName, - objToRefresh.getDbName(), objToRefresh.getObjectName())); + objToRefresh.getDbName(), objToRefresh.getObjectName(), authorizer)); break; default: throw new MetaException("Unexpected object type " + objToRefresh.getObjectType()); @@ -6208,9 +6214,14 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP return rolePrinGrantList; } + private List listPrincipalMGlobalGrants(String principalName, + PrincipalType principalType) { + return listPrincipalMGlobalGrants(principalName, principalType, null); + } + @SuppressWarnings("unchecked") private List listPrincipalMGlobalGrants(String principalName, - PrincipalType principalType) { + PrincipalType principalType, String authorizer) { boolean commited = false; Query query = null; List userNameDbPriv = new ArrayList<>(); @@ -6218,10 +6229,18 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP List mPrivs = null; openTransaction(); if (principalName != null) { - query = pm.newQuery(MGlobalPrivilege.class, "principalName == t1 && principalType == t2 "); - query.declareParameters("java.lang.String t1, java.lang.String t2"); - mPrivs = (List) query - .executeWithArray(principalName, principalType.toString()); + if (authorizer != null) { + query = pm.newQuery(MGlobalPrivilege.class, "principalName == t1 && principalType == t2 " + + "&& authorizer == t3"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3"); + mPrivs = (List) query + .executeWithArray(principalName, principalType.toString(), authorizer); + } else { + query = pm.newQuery(MGlobalPrivilege.class, "principalName == t1 && principalType == t2 "); + query.declareParameters("java.lang.String t1, java.lang.String t2"); + mPrivs = (List) query + .executeWithArray(principalName, principalType.toString()); + } pm.retrieveAll(mPrivs); } commited = commitTransaction(); @@ -6251,7 +6270,8 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP objectRef, sUsr.getPrincipalName(), principalType, new PrivilegeGrantInfo(sUsr.getPrivilege(), sUsr .getCreateTime(), sUsr.getGrantor(), PrincipalType - .valueOf(sUsr.getGrantorType()), sUsr.getGrantOption())); + .valueOf(sUsr.getGrantorType()), sUsr.getGrantOption()), + sUsr.getAuthorizer()); result.add(secUser); } return result; @@ -6277,20 +6297,26 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP List result = new ArrayList<>(); for (MGlobalPrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); HiveObjectRef objectRef = new HiveObjectRef(HiveObjectType.GLOBAL, null, null, null, null); PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } - @SuppressWarnings("unchecked") private List listPrincipalMDBGrants(String principalName, PrincipalType principalType, String catName, String dbName) { + return listPrincipalMDBGrants(principalName, principalType, catName, dbName, null); + } + + @SuppressWarnings("unchecked") + private List listPrincipalMDBGrants(String principalName, + PrincipalType principalType, String catName, String dbName, String authorizer) { boolean success = false; Query query = null; List mSecurityDBList = new ArrayList<>(); @@ -6299,14 +6325,24 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP LOG.debug("Executing listPrincipalDBGrants"); openTransaction(); - query = - pm.newQuery(MDBPrivilege.class, - "principalName == t1 && principalType == t2 && database.name == t3 && database.catalogName == t4"); - query.declareParameters( - "java.lang.String t1, java.lang.String t2, java.lang.String t3, java.lang.String t4"); - List mPrivs = - (List) query.executeWithArray(principalName, principalType.toString(), - dbName, catName); + List mPrivs; + if (authorizer != null) { + query = pm.newQuery(MDBPrivilege.class, + "principalName == t1 && principalType == t2 && database.name == t3 && " + + "database.catalogName == t4 && authorizer == t5"); + query.declareParameters( + "java.lang.String t1, java.lang.String t2, java.lang.String t3, java.lang.String t4, " + + "java.lang.String t5"); + mPrivs = (List) query.executeWithArray(principalName, principalType.toString(), + dbName, catName, authorizer); + } else { + query = pm.newQuery(MDBPrivilege.class, + "principalName == t1 && principalType == t2 && database.name == t3 && database.catalogName == t4"); + query.declareParameters( + "java.lang.String t1, java.lang.String t2, java.lang.String t3, java.lang.String t4"); + mPrivs = (List) query.executeWithArray(principalName, principalType.toString(), + dbName, catName); + } pm.retrieveAll(mPrivs); success = commitTransaction(); @@ -6336,7 +6372,7 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP sDB.getPrincipalName(), principalType, new PrivilegeGrantInfo(sDB.getPrivilege(), sDB .getCreateTime(), sDB.getGrantor(), PrincipalType - .valueOf(sDB.getGrantorType()), sDB.getGrantOption())); + .valueOf(sDB.getGrantorType()), sDB.getGrantOption()), sDB.getAuthorizer()); result.add(secObj); } return result; @@ -6355,9 +6391,13 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP @Override public List listDBGrantsAll(String catName, String dbName) { + return listDBGrantsAll(catName, dbName, null); + } + + private List listDBGrantsAll(String catName, String dbName, String authorizer) { QueryWrapper queryWrapper = new QueryWrapper(); try { - return convertDB(listDatabaseGrants(catName, dbName, queryWrapper)); + return convertDB(listDatabaseGrants(catName, dbName, authorizer, queryWrapper)); } finally { queryWrapper.close(); } @@ -6367,6 +6407,7 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP List result = new ArrayList<>(); for (MDBPrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); String database = priv.getDatabase().getName(); @@ -6376,7 +6417,7 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } @@ -6474,9 +6515,14 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP return mSecurityTabPartList; } - @SuppressWarnings("unchecked") private List listTableAllColumnGrants( String catName, String dbName, String tableName) { + return listTableAllColumnGrants(catName, dbName, tableName, null); + } + + @SuppressWarnings("unchecked") + private List listTableAllColumnGrants( + String catName, String dbName, String tableName, String authorizer) { boolean success = false; Query query = null; List mTblColPrivilegeList = new ArrayList<>(); @@ -6487,12 +6533,21 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP LOG.debug("Executing listTableAllColumnGrants"); openTransaction(); - String queryStr = "table.tableName == t1 && table.database.name == t2 &&" + - "table.database.catalogName == t3"; - query = pm.newQuery(MTableColumnPrivilege.class, queryStr); - query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3"); - List mPrivs = - (List) query.executeWithArray(tableName, dbName, catName); + List mPrivs = null; + if (authorizer != null) { + String queryStr = "table.tableName == t1 && table.database.name == t2 &&" + + "table.database.catalogName == t3 && authorizer == t4"; + query = pm.newQuery(MTableColumnPrivilege.class, queryStr); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, " + + "java.lang.String t4"); + mPrivs = (List) query.executeWithArray(tableName, dbName, catName, authorizer); + } else { + String queryStr = "table.tableName == t1 && table.database.name == t2 &&" + + "table.database.catalogName == t3"; + query = pm.newQuery(MTableColumnPrivilege.class, queryStr); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3"); + mPrivs = (List) query.executeWithArray(tableName, dbName, catName); + } pm.retrieveAll(mPrivs); success = commitTransaction(); @@ -6574,7 +6629,8 @@ private void dropPartitionAllColumnGrantsNoTxn( } @SuppressWarnings("unchecked") - private List listDatabaseGrants(String catName, String dbName, QueryWrapper queryWrapper) { + private List listDatabaseGrants(String catName, String dbName, + String authorizer, QueryWrapper queryWrapper) { dbName = normalizeIdentifier(dbName); catName = normalizeIdentifier(catName); boolean success = false; @@ -6582,11 +6638,18 @@ private void dropPartitionAllColumnGrantsNoTxn( LOG.debug("Executing listDatabaseGrants"); openTransaction(); - Query query = queryWrapper.query = pm.newQuery(MDBPrivilege.class, - "database.name == t1 && database.catalogName == t2"); - query.declareParameters("java.lang.String t1, java.lang.String t2"); - List mSecurityDBList = - (List) query.executeWithArray(dbName, catName); + List mSecurityDBList = null; + if (authorizer != null) { + Query query = queryWrapper.query = pm.newQuery(MDBPrivilege.class, + "database.name == t1 && database.catalogName == t2 && authorizer == t3"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3"); + mSecurityDBList = (List) query.executeWithArray(dbName, catName, authorizer); + } else { + Query query = queryWrapper.query = pm.newQuery(MDBPrivilege.class, + "database.name == t1 && database.catalogName == t2"); + query.declareParameters("java.lang.String t1, java.lang.String t2"); + mSecurityDBList = (List) query.executeWithArray(dbName, catName); + } pm.retrieveAll(mSecurityDBList); success = commitTransaction(); LOG.debug("Done retrieving all objects for listDatabaseGrants"); @@ -6665,10 +6728,16 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl return new ObjectPair<>(query, params); } - @SuppressWarnings("unchecked") private List listAllMTableGrants( String principalName, PrincipalType principalType, String catName, String dbName, String tableName) { + return listAllMTableGrants(principalName, principalType, catName, dbName, tableName, null); + } + + @SuppressWarnings("unchecked") + private List listAllMTableGrants( + String principalName, PrincipalType principalType, String catName, String dbName, + String tableName, String authorizer) { tableName = normalizeIdentifier(tableName); dbName = normalizeIdentifier(dbName); catName = normalizeIdentifier(catName); @@ -6678,16 +6747,24 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl try { openTransaction(); LOG.debug("Executing listAllTableGrants"); - query = - pm.newQuery(MTablePrivilege.class, - "principalName == t1 && principalType == t2 && table.tableName == t3 &&" + - "table.database.name == t4 && table.database.catalogName == t5"); - query - .declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3," + - "java.lang.String t4, java.lang.String t5"); - List mPrivs = - (List) query.executeWithArray(principalName, principalType.toString(), - tableName, dbName, catName); + List mPrivs; + if (authorizer != null) { + query = pm.newQuery(MTablePrivilege.class, + "principalName == t1 && principalType == t2 && table.tableName == t3 &&" + + "table.database.name == t4 && table.database.catalogName == t5 && authorizer == t6"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3," + + "java.lang.String t4, java.lang.String t5, java.lang.String t6"); + mPrivs = (List) query.executeWithArray(principalName, principalType.toString(), + tableName, dbName, catName, authorizer); + } else { + query = pm.newQuery(MTablePrivilege.class, + "principalName == t1 && principalType == t2 && table.tableName == t3 &&" + + "table.database.name == t4 && table.database.catalogName == t5"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3," + + "java.lang.String t4, java.lang.String t5"); + mPrivs = (List) query.executeWithArray(principalName, principalType.toString(), + tableName, dbName, catName); + } pm.retrieveAll(mPrivs); success = commitTransaction(); @@ -6721,16 +6798,22 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl sTbl.getPrincipalName(), principalType, new PrivilegeGrantInfo(sTbl.getPrivilege(), sTbl.getCreateTime(), sTbl .getGrantor(), PrincipalType.valueOf(sTbl - .getGrantorType()), sTbl.getGrantOption())); + .getGrantorType()), sTbl.getGrantOption()), sTbl.getAuthorizer()); result.add(secObj); } return result; } - @SuppressWarnings("unchecked") private List listPrincipalMPartitionGrants( String principalName, PrincipalType principalType, String catName, String dbName, String tableName, String partName) { + return listPrincipalMPartitionGrants(principalName, principalType, catName, dbName, tableName, partName, null); + } + + @SuppressWarnings("unchecked") + private List listPrincipalMPartitionGrants( + String principalName, PrincipalType principalType, String catName, String dbName, + String tableName, String partName, String authorizer) { boolean success = false; Query query = null; tableName = normalizeIdentifier(tableName); @@ -6741,17 +6824,26 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl LOG.debug("Executing listPrincipalPartitionGrants"); openTransaction(); - query = - pm.newQuery(MPartitionPrivilege.class, - "principalName == t1 && principalType == t2 && partition.table.tableName == t3 " - + "&& partition.table.database.name == t4 && partition.table.database.catalogName == t5" - + "&& partition.partitionName == t6"); - query - .declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, java.lang.String t4, " - + "java.lang.String t5, java.lang.String t6"); - List mPrivs = - (List) query.executeWithArray(principalName, - principalType.toString(), tableName, dbName, catName, partName); + List mPrivs; + if (authorizer != null) { + query = pm.newQuery(MPartitionPrivilege.class, + "principalName == t1 && principalType == t2 && partition.table.tableName == t3 " + + "&& partition.table.database.name == t4 && partition.table.database.catalogName == t5" + + "&& partition.partitionName == t6 && authorizer == t7"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, java.lang.String t4, " + + "java.lang.String t5, java.lang.String t6, java.lang.String t7"); + mPrivs = (List) query.executeWithArray(principalName, + principalType.toString(), tableName, dbName, catName, partName, authorizer); + } else { + query = pm.newQuery(MPartitionPrivilege.class, + "principalName == t1 && principalType == t2 && partition.table.tableName == t3 " + + "&& partition.table.database.name == t4 && partition.table.database.catalogName == t5" + + "&& partition.partitionName == t6"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, java.lang.String t4, " + + "java.lang.String t5, java.lang.String t6"); + mPrivs = (List) query.executeWithArray(principalName, + principalType.toString(), tableName, dbName, catName, partName); + } pm.retrieveAll(mPrivs); success = commitTransaction(); @@ -6788,17 +6880,24 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl new PrivilegeGrantInfo(sPart.getPrivilege(), sPart .getCreateTime(), sPart.getGrantor(), PrincipalType .valueOf(sPart.getGrantorType()), sPart - .getGrantOption())); + .getGrantOption()), sPart.getAuthorizer()); result.add(secObj); } return result; } - @SuppressWarnings("unchecked") private List listPrincipalMTableColumnGrants( String principalName, PrincipalType principalType, String catName, String dbName, String tableName, String columnName) { + return listPrincipalMTableColumnGrants(principalName, principalType, catName, dbName, tableName, + columnName, null); + } + + @SuppressWarnings("unchecked") + private List listPrincipalMTableColumnGrants( + String principalName, PrincipalType principalType, String catName, String dbName, + String tableName, String columnName, String authorizer) { boolean success = false; Query query = null; tableName = normalizeIdentifier(tableName); @@ -6809,16 +6908,28 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl LOG.debug("Executing listPrincipalTableColumnGrants"); openTransaction(); - String queryStr = - "principalName == t1 && principalType == t2 && " - + "table.tableName == t3 && table.database.name == t4 && " + - "table.database.catalogName == t5 && columnName == t6 "; - query = pm.newQuery(MTableColumnPrivilege.class, queryStr); - query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, " - + "java.lang.String t4, java.lang.String t5, java.lang.String t6"); - List mPrivs = - (List) query.executeWithArray(principalName, - principalType.toString(), tableName, dbName, catName, columnName); + List mPrivs; + if (authorizer != null) { + String queryStr = + "principalName == t1 && principalType == t2 && " + + "table.tableName == t3 && table.database.name == t4 && " + + "table.database.catalogName == t5 && columnName == t6 && authorizer == t7"; + query = pm.newQuery(MTableColumnPrivilege.class, queryStr); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, " + + "java.lang.String t4, java.lang.String t5, java.lang.String t6, java.lang.String t7"); + mPrivs = (List) query.executeWithArray(principalName, + principalType.toString(), tableName, dbName, catName, columnName, authorizer); + } else { + String queryStr = + "principalName == t1 && principalType == t2 && " + + "table.tableName == t3 && table.database.name == t4 && " + + "table.database.catalogName == t5 && columnName == t6 "; + query = pm.newQuery(MTableColumnPrivilege.class, queryStr); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, " + + "java.lang.String t4, java.lang.String t5, java.lang.String t6"); + mPrivs = (List) query.executeWithArray(principalName, + principalType.toString(), tableName, dbName, catName, columnName); + } pm.retrieveAll(mPrivs); success = commitTransaction(); @@ -6854,16 +6965,23 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl new PrivilegeGrantInfo(sCol.getPrivilege(), sCol .getCreateTime(), sCol.getGrantor(), PrincipalType .valueOf(sCol.getGrantorType()), sCol - .getGrantOption())); + .getGrantOption()), sCol.getAuthorizer()); result.add(secObj); } return result; } - @SuppressWarnings("unchecked") private List listPrincipalMPartitionColumnGrants( String principalName, PrincipalType principalType, String catName, String dbName, String tableName, String partitionName, String columnName) { + return listPrincipalMPartitionColumnGrants(principalName, principalType, catName, dbName, + tableName, partitionName, columnName, null); + } + + @SuppressWarnings("unchecked") + private List listPrincipalMPartitionColumnGrants( + String principalName, PrincipalType principalType, String catName, String dbName, + String tableName, String partitionName, String columnName, String authorizer) { boolean success = false; Query query = null; tableName = normalizeIdentifier(tableName); @@ -6875,16 +6993,29 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl LOG.debug("Executing listPrincipalPartitionColumnGrants"); openTransaction(); - query = pm.newQuery( - MPartitionColumnPrivilege.class, - "principalName == t1 && principalType == t2 && partition.table.tableName == t3 " - + "&& partition.table.database.name == t4 && partition.table.database.catalogName == t5" + - " && partition.partitionName == t6 && columnName == t7"); - query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, " - + "java.lang.String t4, java.lang.String t5, java.lang.String t6, java.lang.String t7"); - List mPrivs = - (List) query.executeWithArray(principalName, - principalType.toString(), tableName, dbName, catName, partitionName, columnName); + List mPrivs; + if (authorizer != null) { + query = pm.newQuery( + MPartitionColumnPrivilege.class, + "principalName == t1 && principalType == t2 && partition.table.tableName == t3 " + + "&& partition.table.database.name == t4 && partition.table.database.catalogName == t5" + + " && partition.partitionName == t6 && columnName == t7 && authorizer == t8"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, " + + "java.lang.String t4, java.lang.String t5, java.lang.String t6, java.lang.String t7, " + + "java.lang.String t8"); + mPrivs = (List) query.executeWithArray(principalName, + principalType.toString(), tableName, dbName, catName, partitionName, columnName, authorizer); + } else { + query = pm.newQuery( + MPartitionColumnPrivilege.class, + "principalName == t1 && principalType == t2 && partition.table.tableName == t3 " + + "&& partition.table.database.name == t4 && partition.table.database.catalogName == t5" + + " && partition.partitionName == t6 && columnName == t7"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, " + + "java.lang.String t4, java.lang.String t5, java.lang.String t6, java.lang.String t7"); + mPrivs = (List) query.executeWithArray(principalName, + principalType.toString(), tableName, dbName, catName, partitionName, columnName); + } pm.retrieveAll(mPrivs); success = commitTransaction(); @@ -6922,7 +7053,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl sCol.getPrincipalName(), principalType, new PrivilegeGrantInfo(sCol.getPrivilege(), sCol .getCreateTime(), sCol.getGrantor(), PrincipalType - .valueOf(sCol.getGrantorType()), sCol.getGrantOption())); + .valueOf(sCol.getGrantorType()), sCol.getGrantOption()), sCol.getAuthorizer()); result.add(secObj); } return result; @@ -6993,6 +7124,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl List result = new ArrayList<>(); for (MPartitionColumnPrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); MPartition mpartition = priv.getPartition(); @@ -7005,7 +7137,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } @@ -7067,6 +7199,11 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl @Override public List listTableGrantsAll(String catName, String dbName, String tableName) { + return listTableGrantsAll(catName, dbName, tableName, null); + } + + private List listTableGrantsAll(String catName, String dbName, String tableName, + String authorizer) { boolean success = false; Query query = null; dbName = normalizeIdentifier(dbName); @@ -7074,12 +7211,20 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl try { openTransaction(); LOG.debug("Executing listTableGrantsAll"); - query = - pm.newQuery(MTablePrivilege.class, - "table.tableName == t1 && table.database.name == t2 && table.database.catalogName == t3"); - query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3"); - List mSecurityTabPartList = - (List) query.executeWithArray(tableName, dbName, catName); + List mSecurityTabPartList = null; + if (authorizer != null) { + query = pm.newQuery(MTablePrivilege.class, + "table.tableName == t1 && table.database.name == t2 && table.database.catalogName == t3" + + " && authorizer == t4"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, " + + "java.lang.String t4"); + mSecurityTabPartList = (List) query.executeWithArray(tableName, dbName, catName, authorizer); + } else { + query = pm.newQuery(MTablePrivilege.class, + "table.tableName == t1 && table.database.name == t2 && table.database.catalogName == t3"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3"); + mSecurityTabPartList = (List) query.executeWithArray(tableName, dbName, catName); + } LOG.debug("Done executing query for listTableGrantsAll"); pm.retrieveAll(mSecurityTabPartList); List result = convertTable(mSecurityTabPartList); @@ -7095,6 +7240,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl List result = new ArrayList<>(); for (MTablePrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); String table = priv.getTable().getTableName(); @@ -7106,7 +7252,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } @@ -7195,6 +7341,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl List result = new ArrayList<>(); for (MPartitionPrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); MPartition mpartition = priv.getPartition(); @@ -7207,7 +7354,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } @@ -7304,6 +7451,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl List result = new ArrayList<>(); for (MTableColumnPrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); MTable mtable = priv.getTable(); @@ -7315,7 +7463,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/RawStore.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/RawStore.java index ce7d286..283798c 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/RawStore.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/RawStore.java @@ -754,7 +754,7 @@ boolean grantPrivileges (PrivilegeBag privileges) boolean revokePrivileges(PrivilegeBag privileges, boolean grantOption) throws InvalidObjectException, MetaException, NoSuchObjectException; - boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantPrivileges) + boolean refreshPrivileges(HiveObjectRef objToRefresh, String authorizer, PrivilegeBag grantPrivileges) throws InvalidObjectException, MetaException, NoSuchObjectException; org.apache.hadoop.hive.metastore.api.Role getRole( diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/cache/CachedStore.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/cache/CachedStore.java index b223920..9da8d72 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/cache/CachedStore.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/cache/CachedStore.java @@ -1452,9 +1452,9 @@ public boolean revokePrivileges(PrivilegeBag privileges, boolean grantOption) } @Override - public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantPrivileges) + public boolean refreshPrivileges(HiveObjectRef objToRefresh, String authorizer, PrivilegeBag grantPrivileges) throws InvalidObjectException, MetaException, NoSuchObjectException { - return rawStore.refreshPrivileges(objToRefresh, grantPrivileges); + return rawStore.refreshPrivileges(objToRefresh, authorizer, grantPrivileges); } @Override diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/client/builder/HiveObjectPrivilegeBuilder.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/client/builder/HiveObjectPrivilegeBuilder.java index d802e1a..ed32f1c 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/client/builder/HiveObjectPrivilegeBuilder.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/client/builder/HiveObjectPrivilegeBuilder.java @@ -31,6 +31,7 @@ private String principleName; private PrincipalType principalType; private PrivilegeGrantInfo grantInfo; + private String authorizer; public HiveObjectPrivilegeBuilder setHiveObjectRef(HiveObjectRef hiveObjectRef) { this.hiveObjectRef = hiveObjectRef; @@ -52,12 +53,17 @@ public HiveObjectPrivilegeBuilder setGrantInfo(PrivilegeGrantInfo grantInfo) { return this; } + public HiveObjectPrivilegeBuilder setAuthorizer(String authorizer) { + this.authorizer = authorizer; + return this; + } + public HiveObjectPrivilege build() throws MetaException { if (hiveObjectRef == null || principleName == null || principalType == null || grantInfo == null) { throw new MetaException("hive object reference, principle name and type, and grant info " + "must all be provided"); } - return new HiveObjectPrivilege(hiveObjectRef, principleName, principalType, grantInfo); + return new HiveObjectPrivilege(hiveObjectRef, principleName, principalType, grantInfo, authorizer); } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MDBPrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MDBPrivilege.java index 3d8fa21..5f51692 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MDBPrivilege.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MDBPrivilege.java @@ -36,12 +36,14 @@ private boolean grantOption; + private String authorizer; + public MDBPrivilege() { } public MDBPrivilege(String principalName, String principalType, MDatabase database, String dbPrivileges, int createTime, String grantor, - String grantorType, boolean grantOption) { + String grantorType, boolean grantOption, String authorizer) { super(); this.principalName = principalName; this.principalType = principalType; @@ -51,6 +53,7 @@ public MDBPrivilege(String principalName, String principalType, this.grantorType = grantorType; this.grantOption = grantOption; this.grantor = grantor; + this.authorizer = authorizer; } /** @@ -129,4 +132,11 @@ public void setPrincipalType(String principalType) { this.principalType = principalType; } + public String getAuthorizer() { + return authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MGlobalPrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MGlobalPrivilege.java index 5b496e0..a6ce541 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MGlobalPrivilege.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MGlobalPrivilege.java @@ -38,13 +38,15 @@ private boolean grantOption; + private String authorizer; + public MGlobalPrivilege() { super(); } public MGlobalPrivilege(String userName, String principalType, String dbPrivilege, int createTime, String grantor, String grantorType, - boolean grantOption) { + boolean grantOption, String authorizer) { super(); this.principalName = userName; this.principalType = principalType; @@ -53,6 +55,7 @@ public MGlobalPrivilege(String userName, String principalType, this.grantor = grantor; this.grantorType = grantorType; this.grantOption = grantOption; + this.authorizer = authorizer; } /** @@ -117,4 +120,11 @@ public void setGrantorType(String grantorType) { this.grantorType = grantorType; } + public String getAuthorizer() { + return authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionColumnPrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionColumnPrivilege.java index ab50a92..cc87f75 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionColumnPrivilege.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionColumnPrivilege.java @@ -39,6 +39,8 @@ private boolean grantOption; + private String authorizer; + public MPartitionColumnPrivilege() { } @@ -52,10 +54,11 @@ public MPartitionColumnPrivilege() { * @param grantor * @param grantorType * @param grantOption + * @param authorizer */ public MPartitionColumnPrivilege(String principalName, String principalType, MPartition partition, String columnName, String privileges, int createTime, - String grantor, String grantorType, boolean grantOption) { + String grantor, String grantorType, boolean grantOption, String authorizer) { super(); this.principalName = principalName; this.principalType = principalType; @@ -66,6 +69,7 @@ public MPartitionColumnPrivilege(String principalName, String principalType, this.grantor = grantor; this.grantorType = grantorType; this.grantOption = grantOption; + this.authorizer = authorizer; } /** @@ -157,5 +161,11 @@ public String getPrincipalType() { public void setPrincipalType(String principalType) { this.principalType = principalType; } + public String getAuthorizer() { + return authorizer; + } + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionPrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionPrivilege.java index 3193bc1..b2ec5e1 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionPrivilege.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionPrivilege.java @@ -36,12 +36,14 @@ private boolean grantOption; + private String authorizer; + public MPartitionPrivilege() { } public MPartitionPrivilege(String principalName, String principalType, MPartition partition, String privilege, int createTime, - String grantor, String grantorType, boolean grantOption) { + String grantor, String grantorType, boolean grantOption, String authorizer) { super(); this.principalName = principalName; this.principalType = principalType; @@ -51,6 +53,7 @@ public MPartitionPrivilege(String principalName, String principalType, this.grantor = grantor; this.grantorType = grantorType; this.grantOption = grantOption; + this.authorizer = authorizer; } public String getPrincipalName() { @@ -136,4 +139,11 @@ public void setGrantorType(String grantorType) { this.grantorType = grantorType; } + public String getAuthorizer() { + return authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTableColumnPrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTableColumnPrivilege.java index ad7322f..e2cc0f1 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTableColumnPrivilege.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTableColumnPrivilege.java @@ -38,6 +38,8 @@ private boolean grantOption; + private String authorizer; + public MTableColumnPrivilege() { } @@ -54,7 +56,7 @@ public MTableColumnPrivilege() { */ public MTableColumnPrivilege(String principalName, String principalType, MTable table, String columnName, String privileges, int createTime, - String grantor, String grantorType, boolean grantOption) { + String grantor, String grantorType, boolean grantOption, String authorizer) { super(); this.principalName = principalName; this.principalType = principalType; @@ -65,6 +67,7 @@ public MTableColumnPrivilege(String principalName, String principalType, this.grantor = grantor; this.grantorType = grantorType; this.grantOption = grantOption; + this.authorizer = authorizer; } /** @@ -157,4 +160,11 @@ public void setPrincipalType(String principalType) { this.principalType = principalType; } + public String getAuthorizer() { + return authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTablePrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTablePrivilege.java index 6460400..f45576c 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTablePrivilege.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTablePrivilege.java @@ -36,12 +36,14 @@ private boolean grantOption; + private String authorizer; + public MTablePrivilege() { } public MTablePrivilege(String principalName, String principalType, MTable table, String privilege, int createTime, - String grantor, String grantorType, boolean grantOption) { + String grantor, String grantorType, boolean grantOption, String authorizer) { super(); this.principalName = principalName; this.principalType = principalType; @@ -51,6 +53,7 @@ public MTablePrivilege(String principalName, String principalType, this.grantor = grantor; this.grantorType = grantorType; this.grantOption = grantOption; + this.authorizer = authorizer; } public String getPrincipalName() { @@ -136,4 +139,11 @@ public void setGrantorType(String grantorType) { this.grantorType = grantorType; } + public String getAuthorizer() { + return authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } diff --git a/standalone-metastore/src/main/resources/package.jdo b/standalone-metastore/src/main/resources/package.jdo index 2d2cb19..1be3e98 100644 --- a/standalone-metastore/src/main/resources/package.jdo +++ b/standalone-metastore/src/main/resources/package.jdo @@ -598,6 +598,7 @@ + @@ -630,11 +631,15 @@ + + + + @@ -671,11 +676,15 @@ + + + + @@ -712,11 +721,15 @@ + + + + @@ -753,11 +766,15 @@ + + + + @@ -798,11 +815,15 @@ + + + + @@ -843,6 +864,9 @@ + + + diff --git a/standalone-metastore/src/main/sql/derby/hive-schema-3.0.0.derby.sql b/standalone-metastore/src/main/sql/derby/hive-schema-3.0.0.derby.sql index e818e1b..fb996ae 100644 --- a/standalone-metastore/src/main/sql/derby/hive-schema-3.0.0.derby.sql +++ b/standalone-metastore/src/main/sql/derby/hive-schema-3.0.0.derby.sql @@ -29,7 +29,7 @@ CREATE TABLE "APP"."TBL_PRIVS" ("TBL_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" IN CREATE TABLE "APP"."DATABASE_PARAMS" ("DB_ID" BIGINT NOT NULL, "PARAM_KEY" VARCHAR(180) NOT NULL, "PARAM_VALUE" VARCHAR(4000)); -CREATE TABLE "APP"."TBL_COL_PRIVS" ("TBL_COLUMN_GRANT_ID" BIGINT NOT NULL, "COLUMN_NAME" VARCHAR(767), "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "TBL_COL_PRIV" VARCHAR(128), "TBL_ID" BIGINT); +CREATE TABLE "APP"."TBL_COL_PRIVS" ("TBL_COLUMN_GRANT_ID" BIGINT NOT NULL, "COLUMN_NAME" VARCHAR(767), "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "TBL_COL_PRIV" VARCHAR(128), "TBL_ID" BIGINT, "AUTHORIZER" VARCHAR(128)); CREATE TABLE "APP"."SERDE_PARAMS" ("SERDE_ID" BIGINT NOT NULL, "PARAM_KEY" VARCHAR(256) NOT NULL, "PARAM_VALUE" CLOB); @@ -41,7 +41,7 @@ CREATE TABLE "APP"."CDS" ("CD_ID" BIGINT NOT NULL); CREATE TABLE "APP"."PARTITION_KEY_VALS" ("PART_ID" BIGINT NOT NULL, "PART_KEY_VAL" VARCHAR(256), "INTEGER_IDX" INTEGER NOT NULL); -CREATE TABLE "APP"."DB_PRIVS" ("DB_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "DB_ID" BIGINT, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "DB_PRIV" VARCHAR(128)); +CREATE TABLE "APP"."DB_PRIVS" ("DB_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "DB_ID" BIGINT, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "DB_PRIV" VARCHAR(128), "AUTHORIZER" VARCHAR(128)); CREATE TABLE "APP"."IDXS" ("INDEX_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "DEFERRED_REBUILD" CHAR(1) NOT NULL, "INDEX_HANDLER_CLASS" VARCHAR(4000), "INDEX_NAME" VARCHAR(128), "INDEX_TBL_ID" BIGINT, "LAST_ACCESS_TIME" INTEGER NOT NULL, "ORIG_TBL_ID" BIGINT, "SD_ID" BIGINT); @@ -51,13 +51,13 @@ CREATE TABLE "APP"."PARTITIONS" ("PART_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGE CREATE TABLE "APP"."SERDES" ("SERDE_ID" BIGINT NOT NULL, "NAME" VARCHAR(128), "SLIB" VARCHAR(4000), "DESCRIPTION" VARCHAR(4000), "SERIALIZER_CLASS" VARCHAR(4000), "DESERIALIZER_CLASS" VARCHAR(4000), SERDE_TYPE INTEGER); -CREATE TABLE "APP"."PART_PRIVS" ("PART_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PART_ID" BIGINT, "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "PART_PRIV" VARCHAR(128)); +CREATE TABLE "APP"."PART_PRIVS" ("PART_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PART_ID" BIGINT, "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "PART_PRIV" VARCHAR(128), "AUTHORIZER" VARCHAR(128)); CREATE TABLE "APP"."ROLE_MAP" ("ROLE_GRANT_ID" BIGINT NOT NULL, "ADD_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "ROLE_ID" BIGINT); CREATE TABLE "APP"."TYPES" ("TYPES_ID" BIGINT NOT NULL, "TYPE_NAME" VARCHAR(128), "TYPE1" VARCHAR(767), "TYPE2" VARCHAR(767)); -CREATE TABLE "APP"."GLOBAL_PRIVS" ("USER_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "USER_PRIV" VARCHAR(128)); +CREATE TABLE "APP"."GLOBAL_PRIVS" ("USER_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "USER_PRIV" VARCHAR(128), "AUTHORIZER" VARCHAR(128)); CREATE TABLE "APP"."PARTITION_PARAMS" ("PART_ID" BIGINT NOT NULL, "PARAM_KEY" VARCHAR(256) NOT NULL, "PARAM_VALUE" VARCHAR(4000)); @@ -79,7 +79,7 @@ CREATE TABLE "APP"."TBLS" ("TBL_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT N CREATE TABLE "APP"."PARTITION_KEYS" ("TBL_ID" BIGINT NOT NULL, "PKEY_COMMENT" VARCHAR(4000), "PKEY_NAME" VARCHAR(128) NOT NULL, "PKEY_TYPE" VARCHAR(767) NOT NULL, "INTEGER_IDX" INTEGER NOT NULL); -CREATE TABLE "APP"."PART_COL_PRIVS" ("PART_COLUMN_GRANT_ID" BIGINT NOT NULL, "COLUMN_NAME" VARCHAR(767), "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PART_ID" BIGINT, "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "PART_COL_PRIV" VARCHAR(128)); +CREATE TABLE "APP"."PART_COL_PRIVS" ("PART_COLUMN_GRANT_ID" BIGINT NOT NULL, "COLUMN_NAME" VARCHAR(767), "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PART_ID" BIGINT, "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "PART_COL_PRIV" VARCHAR(128), "AUTHORIZER" VARCHAR(128)); CREATE TABLE "APP"."SDS" ("SD_ID" BIGINT NOT NULL, "INPUT_FORMAT" VARCHAR(4000), "IS_COMPRESSED" CHAR(1) NOT NULL, "LOCATION" VARCHAR(4000), "NUM_BUCKETS" INTEGER NOT NULL, "OUTPUT_FORMAT" VARCHAR(4000), "SERDE_ID" BIGINT, "CD_ID" BIGINT, "IS_STOREDASSUBDIRECTORIES" CHAR(1) NOT NULL); @@ -225,17 +225,17 @@ INSERT INTO "APP"."SEQUENCE_TABLE" ("SEQUENCE_NAME", "NEXT_VAL") SELECT * FROM ( CREATE UNIQUE INDEX "APP"."UNIQUEINDEX" ON "APP"."IDXS" ("INDEX_NAME", "ORIG_TBL_ID"); -CREATE INDEX "APP"."TABLECOLUMNPRIVILEGEINDEX" ON "APP"."TBL_COL_PRIVS" ("TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "APP"."TABLECOLUMNPRIVILEGEINDEX" ON "APP"."TBL_COL_PRIVS" ("AUTHORIZER", "TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); -CREATE UNIQUE INDEX "APP"."DBPRIVILEGEINDEX" ON "APP"."DB_PRIVS" ("DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE UNIQUE INDEX "APP"."DBPRIVILEGEINDEX" ON "APP"."DB_PRIVS" ("AUTHORIZER", "DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); CREATE INDEX "APP"."PCS_STATS_IDX" ON "APP"."PART_COL_STATS" ("CAT_NAME", "DB_NAME","TABLE_NAME","COLUMN_NAME","PARTITION_NAME"); -CREATE INDEX "APP"."PARTPRIVILEGEINDEX" ON "APP"."PART_PRIVS" ("PART_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "APP"."PARTPRIVILEGEINDEX" ON "APP"."PART_PRIVS" ("AUTHORIZER", "PART_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_PRIV", "GRANTOR", "GRANTOR_TYPE"); CREATE UNIQUE INDEX "APP"."ROLEENTITYINDEX" ON "APP"."ROLES" ("ROLE_NAME"); -CREATE INDEX "APP"."TABLEPRIVILEGEINDEX" ON "APP"."TBL_PRIVS" ("TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "APP"."TABLEPRIVILEGEINDEX" ON "APP"."TBL_PRIVS" ("AUTHORIZER", "TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); CREATE UNIQUE INDEX "APP"."UNIQUETABLE" ON "APP"."TBLS" ("TBL_NAME", "DB_ID"); @@ -243,11 +243,11 @@ CREATE UNIQUE INDEX "APP"."UNIQUE_DATABASE" ON "APP"."DBS" ("NAME", "CTLG_NAME") CREATE UNIQUE INDEX "APP"."USERROLEMAPINDEX" ON "APP"."ROLE_MAP" ("PRINCIPAL_NAME", "ROLE_ID", "GRANTOR", "GRANTOR_TYPE"); -CREATE UNIQUE INDEX "APP"."GLOBALPRIVILEGEINDEX" ON "APP"."GLOBAL_PRIVS" ("PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE UNIQUE INDEX "APP"."GLOBALPRIVILEGEINDEX" ON "APP"."GLOBAL_PRIVS" ("AUTHORIZER", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); CREATE UNIQUE INDEX "APP"."UNIQUE_TYPE" ON "APP"."TYPES" ("TYPE_NAME"); -CREATE INDEX "APP"."PARTITIONCOLUMNPRIVILEGEINDEX" ON "APP"."PART_COL_PRIVS" ("PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "APP"."PARTITIONCOLUMNPRIVILEGEINDEX" ON "APP"."PART_COL_PRIVS" ("AUTHORIZER", "PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); CREATE UNIQUE INDEX "APP"."UNIQUEPARTITION" ON "APP"."PARTITIONS" ("PART_NAME", "TBL_ID"); diff --git a/standalone-metastore/src/main/sql/derby/upgrade-2.3.0-to-3.0.0.derby.sql b/standalone-metastore/src/main/sql/derby/upgrade-2.3.0-to-3.0.0.derby.sql index 7b7a8a2..4b91ce4 100644 --- a/standalone-metastore/src/main/sql/derby/upgrade-2.3.0-to-3.0.0.derby.sql +++ b/standalone-metastore/src/main/sql/derby/upgrade-2.3.0-to-3.0.0.derby.sql @@ -279,6 +279,31 @@ INSERT INTO TXN_TO_WRITE_ID (T2W_DATABASE, T2W_TABLE, T2W_TXNID, T2W_WRITEID) UPDATE TXN_COMPONENTS SET TC_WRITEID = TC_TXNID; UPDATE COMPLETED_TXN_COMPONENTS SET CTC_WRITEID = CTC_TXNID; +-- HIVE-19440 +ALTER TABLE "APP"."GLOBAL_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."GLOBALPRIVILEGEINDEX"; +CREATE UNIQUE INDEX "APP"."GLOBALPRIVILEGEINDEX" ON "APP"."GLOBAL_PRIVS" ("AUTHORIZER", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "APP"."DB_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."DBPRIVILEGEINDEX"; +CREATE UNIQUE INDEX "APP"."DBPRIVILEGEINDEX" ON "APP"."DB_PRIVS" ("AUTHORIZER", "DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "APP"."TBL_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."TABLEPRIVILEGEINDEX"; +CREATE INDEX "APP"."TABLEPRIVILEGEINDEX" ON "APP"."TBL_PRIVS" ("AUTHORIZER", "TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "APP"."PART_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."PARTPRIVILEGEINDEX"; +CREATE INDEX "APP"."PARTPRIVILEGEINDEX" ON "APP"."PART_PRIVS" ("AUTHORIZER", "PART_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "APP"."TBL_COL_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."TABLECOLUMNPRIVILEGEINDEX"; +CREATE INDEX "APP"."TABLECOLUMNPRIVILEGEINDEX" ON "APP"."TBL_COL_PRIVS" ("AUTHORIZER", "TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "APP"."PART_COL_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."PARTITIONCOLUMNPRIVILEGEINDEX"; +CREATE INDEX "APP"."PARTITIONCOLUMNPRIVILEGEINDEX" ON "APP"."PART_COL_PRIVS" ("AUTHORIZER", "PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + -- This needs to be the last thing done. Insert any changes above this line. UPDATE "APP".VERSION SET SCHEMA_VERSION='3.0.0', VERSION_COMMENT='Hive release version 3.0.0' where VER_ID=1; diff --git a/standalone-metastore/src/main/sql/mssql/hive-schema-3.0.0.mssql.sql b/standalone-metastore/src/main/sql/mssql/hive-schema-3.0.0.mssql.sql index c88fb18..5b52320 100644 --- a/standalone-metastore/src/main/sql/mssql/hive-schema-3.0.0.mssql.sql +++ b/standalone-metastore/src/main/sql/mssql/hive-schema-3.0.0.mssql.sql @@ -112,7 +112,8 @@ CREATE TABLE PART_PRIVS PART_ID bigint NULL, PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, - PART_PRIV nvarchar(128) NULL + PART_PRIV nvarchar(128) NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE PART_PRIVS ADD CONSTRAINT PART_PRIVS_PK PRIMARY KEY (PART_GRANT_ID); @@ -177,7 +178,8 @@ CREATE TABLE GLOBAL_PRIVS GRANTOR_TYPE nvarchar(128) NULL, PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, - USER_PRIV nvarchar(128) NULL + USER_PRIV nvarchar(128) NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE GLOBAL_PRIVS ADD CONSTRAINT GLOBAL_PRIVS_PK PRIMARY KEY (USER_GRANT_ID); @@ -194,7 +196,8 @@ CREATE TABLE PART_COL_PRIVS PART_ID bigint NULL, PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, - PART_COL_PRIV nvarchar(128) NULL + PART_COL_PRIV nvarchar(128) NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE PART_COL_PRIVS ADD CONSTRAINT PART_COL_PRIVS_PK PRIMARY KEY (PART_COLUMN_GRANT_ID); @@ -210,7 +213,8 @@ CREATE TABLE DB_PRIVS GRANTOR_TYPE nvarchar(128) NULL, PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, - DB_PRIV nvarchar(128) NULL + DB_PRIV nvarchar(128) NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE DB_PRIVS ADD CONSTRAINT DB_PRIVS_PK PRIMARY KEY (DB_GRANT_ID); @@ -265,7 +269,8 @@ CREATE TABLE TBL_PRIVS PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, TBL_PRIV nvarchar(128) NULL, - TBL_ID bigint NULL + TBL_ID bigint NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE TBL_PRIVS ADD CONSTRAINT TBL_PRIVS_PK PRIMARY KEY (TBL_GRANT_ID); @@ -296,7 +301,8 @@ CREATE TABLE TBL_COL_PRIVS PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, TBL_COL_PRIV nvarchar(128) NULL, - TBL_ID bigint NULL + TBL_ID bigint NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE TBL_COL_PRIVS ADD CONSTRAINT TBL_COL_PRIVS_PK PRIMARY KEY (TBL_COLUMN_GRANT_ID); @@ -721,7 +727,7 @@ CREATE INDEX PART_COL_STATS_N49 ON PART_COL_STATS (PART_ID); -- Constraints for table PART_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MPartitionPrivilege] ALTER TABLE PART_PRIVS ADD CONSTRAINT PART_PRIVS_FK1 FOREIGN KEY (PART_ID) REFERENCES PARTITIONS (PART_ID) ; -CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (AUTHORIZER,PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX PART_PRIVS_N49 ON PART_PRIVS (PART_ID); @@ -749,7 +755,7 @@ CREATE UNIQUE INDEX UNIQUEPARTITION ON PARTITIONS (PART_NAME,TBL_ID); -- Constraints for table VERSION for class(es) [org.apache.hadoop.hive.metastore.model.MVersionTable] -- Constraints for table GLOBAL_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MGlobalPrivilege] -CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (AUTHORIZER,PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table PART_COL_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MPartitionColumnPrivilege] @@ -757,13 +763,13 @@ ALTER TABLE PART_COL_PRIVS ADD CONSTRAINT PART_COL_PRIVS_FK1 FOREIGN KEY (PART_I CREATE INDEX PART_COL_PRIVS_N49 ON PART_COL_PRIVS (PART_ID); -CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (AUTHORIZE,PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table DB_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MDBPrivilege] ALTER TABLE DB_PRIVS ADD CONSTRAINT DB_PRIVS_FK1 FOREIGN KEY (DB_ID) REFERENCES DBS (DB_ID) ; -CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (AUTHORIZER,DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX DB_PRIVS_N49 ON DB_PRIVS (DB_ID); @@ -783,7 +789,7 @@ ALTER TABLE TBL_PRIVS ADD CONSTRAINT TBL_PRIVS_FK1 FOREIGN KEY (TBL_ID) REFERENC CREATE INDEX TBL_PRIVS_N49 ON TBL_PRIVS (TBL_ID); -CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (AUTHORIZER,TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table DBS for class(es) [org.apache.hadoop.hive.metastore.model.MDatabase] @@ -793,7 +799,7 @@ CREATE UNIQUE INDEX UNIQUEDATABASE ON DBS ("NAME", "CTLG_NAME"); -- Constraints for table TBL_COL_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MTableColumnPrivilege] ALTER TABLE TBL_COL_PRIVS ADD CONSTRAINT TBL_COL_PRIVS_FK1 FOREIGN KEY (TBL_ID) REFERENCES TBLS (TBL_ID) ; -CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (AUTHORIZER,TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX TBL_COL_PRIVS_N49 ON TBL_COL_PRIVS (TBL_ID); diff --git a/standalone-metastore/src/main/sql/mssql/upgrade-2.3.0-to-3.0.0.mssql.sql b/standalone-metastore/src/main/sql/mssql/upgrade-2.3.0-to-3.0.0.mssql.sql index 14c3deb..5d80f4a 100644 --- a/standalone-metastore/src/main/sql/mssql/upgrade-2.3.0-to-3.0.0.mssql.sql +++ b/standalone-metastore/src/main/sql/mssql/upgrade-2.3.0-to-3.0.0.mssql.sql @@ -346,6 +346,31 @@ INSERT INTO TXN_TO_WRITE_ID (T2W_DATABASE, T2W_TABLE, T2W_TXNID, T2W_WRITEID) UPDATE TXN_COMPONENTS SET TC_WRITEID = TC_TXNID; UPDATE COMPLETED_TXN_COMPONENTS SET CTC_WRITEID = CTC_TXNID; +-- HIVE-19440 +ALTER TABLE GLOBAL_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX GLOBAL_PRIVS.GLOBALPRIVILEGEINDEX; +CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (AUTHORIZER,PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE DB_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX DB_PRIVS.DBPRIVILEGEINDEX; +CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (AUTHORIZER,DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE TBL_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX TBL_PRIVS.TABLEPRIVILEGEINDEX; +CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (AUTHORIZER,TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE PART_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX PART_PRIVS.PARTPRIVILEGEINDEX; +CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (AUTHORIZER,PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE TBL_COL_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX TBL_COL_PRIVS.TABLECOLUMNPRIVILEGEINDEX; +CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (AUTHORIZER,TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE PART_COL_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX PART_COL_PRIVS.PARTITIONCOLUMNPRIVILEGEINDEX; +CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (AUTHORIZE,PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); + -- These lines need to be last. Insert any changes above. UPDATE VERSION SET SCHEMA_VERSION='3.0.0', VERSION_COMMENT='Hive release version 3.0.0' where VER_ID=1; SELECT 'Finished upgrading MetaStore schema from 2.3.0 to 3.0.0' AS MESSAGE; diff --git a/standalone-metastore/src/main/sql/mysql/hive-schema-3.0.0.mysql.sql b/standalone-metastore/src/main/sql/mysql/hive-schema-3.0.0.mysql.sql index c54df55..1cca25a 100644 --- a/standalone-metastore/src/main/sql/mysql/hive-schema-3.0.0.mysql.sql +++ b/standalone-metastore/src/main/sql/mysql/hive-schema-3.0.0.mysql.sql @@ -122,8 +122,9 @@ CREATE TABLE IF NOT EXISTS `DB_PRIVS` ( `PRINCIPAL_NAME` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `DB_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`DB_GRANT_ID`), - UNIQUE KEY `DBPRIVILEGEINDEX` (`DB_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`DB_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), + UNIQUE KEY `DBPRIVILEGEINDEX` (`AUTHORIZER`,`DB_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`DB_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), KEY `DB_PRIVS_N49` (`DB_ID`), CONSTRAINT `DB_PRIVS_FK1` FOREIGN KEY (`DB_ID`) REFERENCES `DBS` (`DB_ID`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; @@ -144,8 +145,9 @@ CREATE TABLE IF NOT EXISTS `GLOBAL_PRIVS` ( `PRINCIPAL_NAME` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `USER_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`USER_GRANT_ID`), - UNIQUE KEY `GLOBALPRIVILEGEINDEX` (`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`USER_PRIV`,`GRANTOR`,`GRANTOR_TYPE`) + UNIQUE KEY `GLOBALPRIVILEGEINDEX` (`AUTHORIZER`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`USER_PRIV`,`GRANTOR`,`GRANTOR_TYPE`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; @@ -317,9 +319,10 @@ CREATE TABLE IF NOT EXISTS `PART_COL_PRIVS` ( `PRINCIPAL_NAME` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PART_COL_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`PART_COLUMN_GRANT_ID`), KEY `PART_COL_PRIVS_N49` (`PART_ID`), - KEY `PARTITIONCOLUMNPRIVILEGEINDEX` (`PART_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), + KEY `PARTITIONCOLUMNPRIVILEGEINDEX` (`AUTHORIZER`,`PART_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), CONSTRAINT `PART_COL_PRIVS_FK1` FOREIGN KEY (`PART_ID`) REFERENCES `PARTITIONS` (`PART_ID`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; @@ -340,8 +343,9 @@ CREATE TABLE IF NOT EXISTS `PART_PRIVS` ( `PRINCIPAL_NAME` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PART_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`PART_GRANT_ID`), - KEY `PARTPRIVILEGEINDEX` (`PART_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), + KEY `PARTPRIVILEGEINDEX` (`AUTHORIZER`,`PART_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), KEY `PART_PRIVS_N49` (`PART_ID`), CONSTRAINT `PART_PRIVS_FK1` FOREIGN KEY (`PART_ID`) REFERENCES `PARTITIONS` (`PART_ID`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; @@ -665,8 +669,9 @@ CREATE TABLE IF NOT EXISTS `TBL_COL_PRIVS` ( `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `TBL_COL_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `TBL_ID` bigint(20) DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`TBL_COLUMN_GRANT_ID`), - KEY `TABLECOLUMNPRIVILEGEINDEX` (`TBL_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), + KEY `TABLECOLUMNPRIVILEGEINDEX` (`AUTHORIZER`,`TBL_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), KEY `TBL_COL_PRIVS_N49` (`TBL_ID`), CONSTRAINT `TBL_COL_PRIVS_FK1` FOREIGN KEY (`TBL_ID`) REFERENCES `TBLS` (`TBL_ID`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; @@ -688,9 +693,10 @@ CREATE TABLE IF NOT EXISTS `TBL_PRIVS` ( `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `TBL_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `TBL_ID` bigint(20) DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`TBL_GRANT_ID`), KEY `TBL_PRIVS_N49` (`TBL_ID`), - KEY `TABLEPRIVILEGEINDEX` (`TBL_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), + KEY `TABLEPRIVILEGEINDEX` (`AUTHORIZER`,`TBL_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), CONSTRAINT `TBL_PRIVS_FK1` FOREIGN KEY (`TBL_ID`) REFERENCES `TBLS` (`TBL_ID`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; diff --git a/standalone-metastore/src/main/sql/mysql/upgrade-2.3.0-to-3.0.0.mysql.sql b/standalone-metastore/src/main/sql/mysql/upgrade-2.3.0-to-3.0.0.mysql.sql index 9b87563..6ce418c 100644 --- a/standalone-metastore/src/main/sql/mysql/upgrade-2.3.0-to-3.0.0.mysql.sql +++ b/standalone-metastore/src/main/sql/mysql/upgrade-2.3.0-to-3.0.0.mysql.sql @@ -319,8 +319,33 @@ UPDATE COMPLETED_TXN_COMPONENTS SET CTC_WRITEID = CTC_TXNID; ALTER TABLE TXN_COMPONENTS MODIFY COLUMN TC_TABLE varchar(128) NULL; +-- HIVE-19440 +ALTER TABLE `GLOBAL_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `GLOBAL_PRIVS` DROP INDEX `GLOBALPRIVILEGEINDEX`; +ALTER TABLE `GLOBAL_PRIVS` ADD CONSTRAINT `GLOBALPRIVILEGEINDEX` UNIQUE(`AUTHORIZER`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`USER_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + +ALTER TABLE `DB_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `DB_PRIVS` DROP INDEX `DBPRIVILEGEINDEX`; +ALTER TABLE `DB_PRIVS` ADD CONSTRAINT `DBPRIVILEGEINDEX` UNIQUE(`AUTHORIZER`,`DB_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`DB_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + +ALTER TABLE `TBL_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `TBL_PRIVS` DROP INDEX `TABLEPRIVILEGEINDEX`; +ALTER TABLE `TBL_PRIVS` ADD INDEX `TABLEPRIVILEGEINDEX` (`AUTHORIZER`,`TBL_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + +ALTER TABLE `PART_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `PART_PRIVS` DROP INDEX `PARTPRIVILEGEINDEX`; +ALTER TABLE `PART_PRIVS` ADD INDEX `PARTPRIVILEGEINDEX` (`AUTHORIZER`,`PART_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + +ALTER TABLE `TBL_COL_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `TBL_COL_PRIVS` DROP INDEX `TABLECOLUMNPRIVILEGEINDEX`; +ALTER TABLE `TBL_COL_PRIVS` ADD INDEX `TABLECOLUMNPRIVILEGEINDEX` (`AUTHORIZER`,`TBL_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + +ALTER TABLE `PART_COL_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `PART_COL_PRIVS` DROP INDEX `PARTITIONCOLUMNPRIVILEGEINDEX`; +ALTER TABLE `PART_COL_PRIVS` ADD INDEX `PARTITIONCOLUMNPRIVILEGEINDEX` (`AUTHORIZER`,`PART_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + -- These lines need to be last. Insert any changes above. UPDATE VERSION SET SCHEMA_VERSION='3.0.0', VERSION_COMMENT='Hive release version 3.0.0' where VER_ID=1; SELECT 'Finished upgrading MetaStore schema from 2.3.0 to 3.0.0' AS ' '; -ALTER TABLE `TBLS` ADD COLUMN `OWNER_TYPE` VARCHAR(10) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; \ No newline at end of file +ALTER TABLE `TBLS` ADD COLUMN `OWNER_TYPE` VARCHAR(10) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; diff --git a/standalone-metastore/src/main/sql/oracle/hive-schema-3.0.0.oracle.sql b/standalone-metastore/src/main/sql/oracle/hive-schema-3.0.0.oracle.sql index 63cc1f7..33ccace 100644 --- a/standalone-metastore/src/main/sql/oracle/hive-schema-3.0.0.oracle.sql +++ b/standalone-metastore/src/main/sql/oracle/hive-schema-3.0.0.oracle.sql @@ -39,7 +39,8 @@ CREATE TABLE PART_COL_PRIVS PART_ID NUMBER NULL, PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, - PART_COL_PRIV VARCHAR2(128) NULL + PART_COL_PRIV VARCHAR2(128) NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE PART_COL_PRIVS ADD CONSTRAINT PART_COL_PRIVS_PK PRIMARY KEY (PART_COLUMN_GRANT_ID); @@ -189,7 +190,8 @@ CREATE TABLE TBL_COL_PRIVS PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, TBL_COL_PRIV VARCHAR2(128) NULL, - TBL_ID NUMBER NULL + TBL_ID NUMBER NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE TBL_COL_PRIVS ADD CONSTRAINT TBL_COL_PRIVS_PK PRIMARY KEY (TBL_COLUMN_GRANT_ID); @@ -252,7 +254,8 @@ CREATE TABLE GLOBAL_PRIVS GRANTOR_TYPE VARCHAR2(128) NULL, PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, - USER_PRIV VARCHAR2(128) NULL + USER_PRIV VARCHAR2(128) NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE GLOBAL_PRIVS ADD CONSTRAINT GLOBAL_PRIVS_PK PRIMARY KEY (USER_GRANT_ID); @@ -305,7 +308,8 @@ CREATE TABLE TBL_PRIVS PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, TBL_PRIV VARCHAR2(128) NULL, - TBL_ID NUMBER NULL + TBL_ID NUMBER NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE TBL_PRIVS ADD CONSTRAINT TBL_PRIVS_PK PRIMARY KEY (TBL_GRANT_ID); @@ -356,7 +360,8 @@ CREATE TABLE PART_PRIVS PART_ID NUMBER NULL, PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, - PART_PRIV VARCHAR2(128) NULL + PART_PRIV VARCHAR2(128) NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE PART_PRIVS ADD CONSTRAINT PART_PRIVS_PK PRIMARY KEY (PART_GRANT_ID); @@ -372,7 +377,8 @@ CREATE TABLE DB_PRIVS GRANTOR_TYPE VARCHAR2(128) NULL, PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, - DB_PRIV VARCHAR2(128) NULL + DB_PRIV VARCHAR2(128) NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE DB_PRIVS ADD CONSTRAINT DB_PRIVS_PK PRIMARY KEY (DB_GRANT_ID); @@ -683,7 +689,7 @@ ALTER TABLE PART_COL_PRIVS ADD CONSTRAINT PART_COL_PRIVS_FK1 FOREIGN KEY (PART_I CREATE INDEX PART_COL_PRIVS_N49 ON PART_COL_PRIVS (PART_ID); -CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (AUTHORIZER,PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table COLUMNS_V2 @@ -745,7 +751,7 @@ CREATE INDEX INDEX_PARAMS_N49 ON INDEX_PARAMS (INDEX_ID); -- Constraints for table TBL_COL_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MTableColumnPrivilege] ALTER TABLE TBL_COL_PRIVS ADD CONSTRAINT TBL_COL_PRIVS_FK1 FOREIGN KEY (TBL_ID) REFERENCES TBLS (TBL_ID) INITIALLY DEFERRED ; -CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (AUTHORIZER,TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX TBL_COL_PRIVS_N49 ON TBL_COL_PRIVS (TBL_ID); @@ -785,7 +791,7 @@ CREATE INDEX SD_PARAMS_N49 ON SD_PARAMS (SD_ID); -- Constraints for table GLOBAL_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MGlobalPrivilege] -CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (AUTHORIZER,PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table SDS for class(es) [org.apache.hadoop.hive.metastore.model.MStorageDescriptor] @@ -813,7 +819,7 @@ ALTER TABLE TBL_PRIVS ADD CONSTRAINT TBL_PRIVS_FK1 FOREIGN KEY (TBL_ID) REFERENC CREATE INDEX TBL_PRIVS_N49 ON TBL_PRIVS (TBL_ID); -CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (AUTHORIZER,TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table DATABASE_PARAMS @@ -839,7 +845,7 @@ CREATE INDEX SERDE_PARAMS_N49 ON SERDE_PARAMS (SERDE_ID); -- Constraints for table PART_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MPartitionPrivilege] ALTER TABLE PART_PRIVS ADD CONSTRAINT PART_PRIVS_FK1 FOREIGN KEY (PART_ID) REFERENCES PARTITIONS (PART_ID) INITIALLY DEFERRED ; -CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (AUTHORIZER,PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX PART_PRIVS_N49 ON PART_PRIVS (PART_ID); @@ -847,7 +853,7 @@ CREATE INDEX PART_PRIVS_N49 ON PART_PRIVS (PART_ID); -- Constraints for table DB_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MDBPrivilege] ALTER TABLE DB_PRIVS ADD CONSTRAINT DB_PRIVS_FK1 FOREIGN KEY (DB_ID) REFERENCES DBS (DB_ID) INITIALLY DEFERRED ; -CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (AUTHORIZER,DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX DB_PRIVS_N49 ON DB_PRIVS (DB_ID); diff --git a/standalone-metastore/src/main/sql/oracle/upgrade-2.3.0-to-3.0.0.oracle.sql b/standalone-metastore/src/main/sql/oracle/upgrade-2.3.0-to-3.0.0.oracle.sql index ce3437f..d13226e 100644 --- a/standalone-metastore/src/main/sql/oracle/upgrade-2.3.0-to-3.0.0.oracle.sql +++ b/standalone-metastore/src/main/sql/oracle/upgrade-2.3.0-to-3.0.0.oracle.sql @@ -335,8 +335,34 @@ INSERT INTO TXN_TO_WRITE_ID (T2W_DATABASE, T2W_TABLE, T2W_TXNID, T2W_WRITEID) UPDATE TXN_COMPONENTS SET TC_WRITEID = TC_TXNID; UPDATE COMPLETED_TXN_COMPONENTS SET CTC_WRITEID = CTC_TXNID; +-- HIVE-19440 +ALTER TABLE GLOBAL_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX GLOBALPRIVILEGEINDEX; +CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (AUTHORIZER,PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE DB_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX DBPRIVILEGEINDEX; +CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (AUTHORIZER,DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE TBL_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX TABLEPRIVILEGEINDEX; +CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (AUTHORIZER,TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); + "GRANTOR_TYPE"); + +ALTER TABLE PART_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX PARTPRIVILEGEINDEX; +CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (AUTHORIZER,PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE);; + +ALTER TABLE TBL_COL_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX TABLECOLUMNPRIVILEGEINDEX; +CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (AUTHORIZER,TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE PART_COL_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX PARTITIONCOLUMNPRIVILEGEINDEX; +CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (AUTHORIZER,PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); + -- These lines need to be last. Insert any changes above. UPDATE VERSION SET SCHEMA_VERSION='3.0.0', VERSION_COMMENT='Hive release version 3.0.0' where VER_ID=1; SELECT 'Finished upgrading MetaStore schema from 2.3.0 to 3.0.0' AS Status from dual; -ALTER TABLE TBLS ADD OWNER_TYPE VARCHAR2(10) NULL; \ No newline at end of file +ALTER TABLE TBLS ADD OWNER_TYPE VARCHAR2(10) NULL; diff --git a/standalone-metastore/src/main/sql/postgres/hive-schema-3.0.0.postgres.sql b/standalone-metastore/src/main/sql/postgres/hive-schema-3.0.0.postgres.sql index d210a55..f6b641b 100644 --- a/standalone-metastore/src/main/sql/postgres/hive-schema-3.0.0.postgres.sql +++ b/standalone-metastore/src/main/sql/postgres/hive-schema-3.0.0.postgres.sql @@ -94,7 +94,8 @@ CREATE TABLE "DB_PRIVS" ( "GRANTOR_TYPE" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, - "DB_PRIV" character varying(128) DEFAULT NULL::character varying + "DB_PRIV" character varying(128) DEFAULT NULL::character varying, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying ); @@ -110,7 +111,8 @@ CREATE TABLE "GLOBAL_PRIVS" ( "GRANTOR_TYPE" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, - "USER_PRIV" character varying(128) DEFAULT NULL::character varying + "USER_PRIV" character varying(128) DEFAULT NULL::character varying, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying ); @@ -234,7 +236,8 @@ CREATE TABLE "PART_COL_PRIVS" ( "PART_ID" bigint, "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, - "PART_COL_PRIV" character varying(128) DEFAULT NULL::character varying + "PART_COL_PRIV" character varying(128) DEFAULT NULL::character varying, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying ); @@ -251,7 +254,8 @@ CREATE TABLE "PART_PRIVS" ( "PART_ID" bigint, "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, - "PART_PRIV" character varying(128) DEFAULT NULL::character varying + "PART_PRIV" character varying(128) DEFAULT NULL::character varying, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying ); @@ -426,7 +430,8 @@ CREATE TABLE "TBL_COL_PRIVS" ( "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, "TBL_COL_PRIV" character varying(128) DEFAULT NULL::character varying, - "TBL_ID" bigint + "TBL_ID" bigint, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying, ); @@ -443,7 +448,8 @@ CREATE TABLE "TBL_PRIVS" ( "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, "TBL_PRIV" character varying(128) DEFAULT NULL::character varying, - "TBL_ID" bigint + "TBL_ID" bigint, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying ); @@ -735,7 +741,7 @@ ALTER TABLE ONLY "DATABASE_PARAMS" -- ALTER TABLE ONLY "DB_PRIVS" - ADD CONSTRAINT "DBPRIVILEGEINDEX" UNIQUE ("DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); + ADD CONSTRAINT "DBPRIVILEGEINDEX" UNIQUE ("AUTHORIZER", "DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- @@ -759,7 +765,7 @@ ALTER TABLE ONLY "DB_PRIVS" -- ALTER TABLE ONLY "GLOBAL_PRIVS" - ADD CONSTRAINT "GLOBALPRIVILEGEINDEX" UNIQUE ("PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); + ADD CONSTRAINT "GLOBALPRIVILEGEINDEX" UNIQUE ("AUTHORIZER", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- @@ -1127,7 +1133,7 @@ CREATE INDEX "INDEX_PARAMS_N49" ON "INDEX_PARAMS" USING btree ("INDEX_ID"); -- Name: PARTITIONCOLUMNPRIVILEGEINDEX; Type: INDEX; Schema: public; Owner: hiveuser; Tablespace: -- -CREATE INDEX "PARTITIONCOLUMNPRIVILEGEINDEX" ON "PART_COL_PRIVS" USING btree ("PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "PARTITIONCOLUMNPRIVILEGEINDEX" ON "PART_COL_PRIVS" USING btree ("AUTHORIZER", "PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- @@ -1176,7 +1182,7 @@ CREATE INDEX "PARTITION_PARAMS_N49" ON "PARTITION_PARAMS" USING btree ("PART_ID" -- Name: PARTPRIVILEGEINDEX; Type: INDEX; Schema: public; Owner: hiveuser; Tablespace: -- -CREATE INDEX "PARTPRIVILEGEINDEX" ON "PART_PRIVS" USING btree ("PART_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "PARTPRIVILEGEINDEX" ON "PART_PRIVS" USING btree ("AUTHORIZER", "PART_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- @@ -1239,14 +1245,14 @@ CREATE INDEX "SORT_COLS_N49" ON "SORT_COLS" USING btree ("SD_ID"); -- Name: TABLECOLUMNPRIVILEGEINDEX; Type: INDEX; Schema: public; Owner: hiveuser; Tablespace: -- -CREATE INDEX "TABLECOLUMNPRIVILEGEINDEX" ON "TBL_COL_PRIVS" USING btree ("TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "TABLECOLUMNPRIVILEGEINDEX" ON "TBL_COL_PRIVS" USING btree ("AUTHORIZER", "TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- -- Name: TABLEPRIVILEGEINDEX; Type: INDEX; Schema: public; Owner: hiveuser; Tablespace: -- -CREATE INDEX "TABLEPRIVILEGEINDEX" ON "TBL_PRIVS" USING btree ("TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "TABLEPRIVILEGEINDEX" ON "TBL_PRIVS" USING btree ("AUTHORIZER", "TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- diff --git a/standalone-metastore/src/main/sql/postgres/upgrade-2.3.0-to-3.0.0.postgres.sql b/standalone-metastore/src/main/sql/postgres/upgrade-2.3.0-to-3.0.0.postgres.sql index f2571d8..ccf2b71 100644 --- a/standalone-metastore/src/main/sql/postgres/upgrade-2.3.0-to-3.0.0.postgres.sql +++ b/standalone-metastore/src/main/sql/postgres/upgrade-2.3.0-to-3.0.0.postgres.sql @@ -354,6 +354,34 @@ INSERT INTO TXN_TO_WRITE_ID (T2W_DATABASE, T2W_TABLE, T2W_TXNID, T2W_WRITEID) UPDATE TXN_COMPONENTS SET TC_WRITEID = TC_TXNID; UPDATE COMPLETED_TXN_COMPONENTS SET CTC_WRITEID = CTC_TXNID; +-- HIVE-19440 +ALTER TABLE "GLOBAL_PRIVS" ADD COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "GLOBAL_PRIVS" DROP CONSTRAINT "GLOBALPRIVILEGEINDEX"; +ALTER TABLE ONLY "GLOBAL_PRIVS" + ADD CONSTRAINT "GLOBALPRIVILEGEINDEX" UNIQUE ("AUTHORIZER", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "DB_PRIVS" ADD COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "DB_PRIVS" DROP CONSTRAINT "DBPRIVILEGEINDEX"; +ALTER TABLE ONLY "DB_PRIVS" + ADD CONSTRAINT "DBPRIVILEGEINDEX" UNIQUE ("AUTHORIZER", "DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "TBL_PRIVS" ADD COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "TBL_PRIVS" DROP CONSTRAINT "DBPRIVILEGEINDEX"; +ALTER TABLE ONLY "DB_PRIVS" + ADD CONSTRAINT "DBPRIVILEGEINDEX" UNIQUE ("AUTHORIZER", "DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "PART_PRIVS" ADD COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "PART_PRIVS" DROP CONSTRAINT "TABLEPRIVILEGEINDEX"; +CREATE INDEX "TABLEPRIVILEGEINDEX" ON "TBL_PRIVS" USING btree ("AUTHORIZER", "TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "TBL_COL_PRIVS" ADD COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "TBL_COL_PRIVS" DROP CONSTRAINT "TABLECOLUMNPRIVILEGEINDEX"; +CREATE INDEX "TABLECOLUMNPRIVILEGEINDEX" ON "TBL_COL_PRIVS" USING btree ("AUTHORIZER", "TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "PART_COL_PRIVS" ADD COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "PART_COL_PRIVS" DROP CONSTRAINT "PARTITIONCOLUMNPRIVILEGEINDEX"; +CREATE INDEX "PARTITIONCOLUMNPRIVILEGEINDEX" ON "PART_COL_PRIVS" USING btree ("AUTHORIZER", "PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + -- These lines need to be last. Insert any changes above. UPDATE "VERSION" SET "SCHEMA_VERSION"='3.0.0', "VERSION_COMMENT"='Hive release version 3.0.0' where "VER_ID"=1; SELECT 'Finished upgrading MetaStore schema from 2.3.0 to 3.0.0'; diff --git a/standalone-metastore/src/main/thrift/hive_metastore.thrift b/standalone-metastore/src/main/thrift/hive_metastore.thrift index 19d4433..3d85acf 100644 --- a/standalone-metastore/src/main/thrift/hive_metastore.thrift +++ b/standalone-metastore/src/main/thrift/hive_metastore.thrift @@ -255,6 +255,7 @@ struct HiveObjectPrivilege { 2: string principalName, 3: PrincipalType principalType, 4: PrivilegeGrantInfo grantInfo, + 5: string authorizer, } struct PrivilegeBag { @@ -2022,7 +2023,7 @@ service ThriftHiveMetastore extends fb303.FacebookService bool revoke_privileges(1:PrivilegeBag privileges) throws(1:MetaException o1) GrantRevokePrivilegeResponse grant_revoke_privileges(1:GrantRevokePrivilegeRequest request) throws(1:MetaException o1); // Revokes all privileges for the object and adds the newly granted privileges for it. - GrantRevokePrivilegeResponse refresh_privileges(1:HiveObjectRef objToRefresh, 2:GrantRevokePrivilegeRequest grantRequest) throws(1:MetaException o1); + GrantRevokePrivilegeResponse refresh_privileges(1:HiveObjectRef objToRefresh, 2:string authorizer, 3:GrantRevokePrivilegeRequest grantRequest) throws(1:MetaException o1); // this is used by metastore client to send UGI information to metastore server immediately // after setting up a connection. diff --git a/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/DummyRawStoreControlledCommit.java b/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/DummyRawStoreControlledCommit.java index f6899be..0461c4e 100644 --- a/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/DummyRawStoreControlledCommit.java +++ b/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/DummyRawStoreControlledCommit.java @@ -510,9 +510,9 @@ public boolean revokePrivileges(PrivilegeBag privileges, boolean grantOption) } @Override - public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantPrivileges) + public boolean refreshPrivileges(HiveObjectRef objToRefresh, String authorizer, PrivilegeBag grantPrivileges) throws InvalidObjectException, MetaException, NoSuchObjectException { - return objectStore.refreshPrivileges(objToRefresh, grantPrivileges); + return objectStore.refreshPrivileges(objToRefresh, authorizer, grantPrivileges); } @Override public Role getRole(String roleName) throws NoSuchObjectException { diff --git a/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/DummyRawStoreForJdoConnection.java b/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/DummyRawStoreForJdoConnection.java index 98a85cc..b71eda4 100644 --- a/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/DummyRawStoreForJdoConnection.java +++ b/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/DummyRawStoreForJdoConnection.java @@ -522,7 +522,7 @@ public boolean revokePrivileges(PrivilegeBag privileges, boolean grantOption) } @Override - public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantPrivileges) + public boolean refreshPrivileges(HiveObjectRef objToRefresh, String authorizer, PrivilegeBag grantPrivileges) throws InvalidObjectException, MetaException, NoSuchObjectException { return false; } diff --git a/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClientPreCatalog.java b/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClientPreCatalog.java index 7186add..bdb4b8b 100644 --- a/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClientPreCatalog.java +++ b/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClientPreCatalog.java @@ -2032,7 +2032,7 @@ public boolean revoke_privileges(PrivilegeBag privileges, boolean grantOption) t } @Override - public boolean refresh_privileges(HiveObjectRef objToRefresh, + public boolean refresh_privileges(HiveObjectRef objToRefresh, String authorizer, PrivilegeBag grantPrivileges) throws MetaException, TException { String defaultCat = getDefaultCatalog(conf); @@ -2049,7 +2049,7 @@ public boolean refresh_privileges(HiveObjectRef objToRefresh, grantReq.setRequestType(GrantRevokeType.GRANT); grantReq.setPrivileges(grantPrivileges); - GrantRevokePrivilegeResponse res = client.refresh_privileges(objToRefresh, grantReq); + GrantRevokePrivilegeResponse res = client.refresh_privileges(objToRefresh, authorizer, grantReq); if (!res.isSetSuccess()) { throw new MetaException("GrantRevokePrivilegeResponse missing success field"); }