commit 65427a0392e1303cc8218ab39f46c48b64d898d1 Author: Daniel Dai Date: Mon May 14 13:57:37 2018 -0700 HIVE-19440: Make StorageBasedAuthorizer work with information schema diff --git a/hcatalog/core/src/main/java/org/apache/hive/hcatalog/storagehandler/DummyHCatAuthProvider.java b/hcatalog/core/src/main/java/org/apache/hive/hcatalog/storagehandler/DummyHCatAuthProvider.java index a53028f..86d9a18 100644 --- a/hcatalog/core/src/main/java/org/apache/hive/hcatalog/storagehandler/DummyHCatAuthProvider.java +++ b/hcatalog/core/src/main/java/org/apache/hive/hcatalog/storagehandler/DummyHCatAuthProvider.java @@ -30,6 +30,8 @@ import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider; import org.apache.hadoop.hive.ql.security.authorization.Privilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; /** * This class is a dummy implementation of HiveAuthorizationProvider to provide @@ -141,4 +143,9 @@ public void authorize(Table table, Partition part, List columns, throws HiveException, AuthorizationException { } + @Override + public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { + return null; + } + } diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestHDFSPermissionPolicyProvider.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestHDFSPermissionPolicyProvider.java new file mode 100644 index 0000000..2497467 --- /dev/null +++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestHDFSPermissionPolicyProvider.java 
@@ -0,0 +1,174 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; + +import static org.junit.Assert.*; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.fs.Path; +import org.apache.hadoop.fs.permission.FsPermission; +import org.apache.hadoop.hdfs.MiniDFSCluster; +import org.apache.hadoop.hive.metastore.HiveMetaStoreClient; +import org.apache.hadoop.hive.metastore.TableType; +import org.apache.hadoop.hive.metastore.api.Database; +import org.apache.hadoop.hive.metastore.api.FieldSchema; +import org.apache.hadoop.hive.metastore.api.SerDeInfo; +import org.apache.hadoop.hive.metastore.api.StorageDescriptor; +import org.apache.hadoop.hive.metastore.api.Table; +import org.apache.hadoop.hive.metastore.conf.MetastoreConf; +import org.apache.hadoop.hive.ql.metadata.Hive; +import org.apache.hadoop.hive.ql.security.authorization.HDFSPermissionPolicyProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; +import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLs; +import org.junit.BeforeClass; +import org.junit.Test; + +public class TestHDFSPermissionPolicyProvider { + private static MiniDFSCluster m_dfs; + private static HiveMetaStoreClient client; + private static Configuration conf; + private static String defaultTbl1Loc, defaultTbl2Loc, db1Loc, db1Tbl1Loc; + + @BeforeClass + public static void setup() throws Exception { + m_dfs = new MiniDFSCluster.Builder(new Configuration()).numDataNodes(1).format(true).build(); + conf = new Configuration(); + conf.set("fs.defaultFS", "hdfs://" + m_dfs.getNameNode().getHostAndPort()); + String warehouseLocation = "hdfs://" + m_dfs.getNameNode().getHostAndPort() + + MetastoreConf.ConfVars.WAREHOUSE.getDefaultVal(); + conf.set(MetastoreConf.ConfVars.WAREHOUSE.getVarname(), warehouseLocation); + conf.set(MetastoreConf.ConfVars.AUTO_CREATE_ALL.getVarname(), "true"); + conf.set(MetastoreConf.ConfVars.SCHEMA_VERIFICATION.getVarname(), "false"); + client = new HiveMetaStoreClient(conf); + Hive.get(conf, TestHDFSPermissionPolicyProvider.class); + + try {client.dropTable("default", "tbl1");} catch(Exception e) {}; + try {client.dropTable("default", "tbl2");} catch(Exception e) {}; + try {client.dropTable("db1", "tbl1");} catch(Exception e) {}; + try {client.dropDatabase("db1");} catch(Exception e) {}; + + defaultTbl1Loc = warehouseLocation + "/tbl1"; + defaultTbl2Loc = warehouseLocation + "/tbl2"; + db1Loc = warehouseLocation + "/db1"; + db1Tbl1Loc = warehouseLocation + "/db1/tbl1"; + + int now = (int)System.currentTimeMillis() / 1000; + FieldSchema col1 = new FieldSchema("col1", "int", "no comment"); + List cols = new ArrayList(); + cols.add(col1); + SerDeInfo serde = new SerDeInfo("serde", "seriallib", null); + StorageDescriptor sd = + new StorageDescriptor(cols, defaultTbl1Loc, "input", "output", false, 0, 
serde, null, null, + new HashMap()); + Table tbl = + new Table("tbl1", "default", "foo", now, now, 0, sd, null, + new HashMap(), null, null, TableType.MANAGED_TABLE.toString()); + client.createTable(tbl); + + sd = new StorageDescriptor(cols, defaultTbl2Loc, "input", "output", false, 0, serde, + null, null, new HashMap()); + tbl = new Table("tbl2", "default", "foo", now, now, 0, sd, null, + new HashMap(), null, null, TableType.MANAGED_TABLE.toString()); + client.createTable(tbl); + + Database db = new Database("db1", "no description", db1Loc, new HashMap()); + client.createDatabase(db); + + sd = new StorageDescriptor(cols, db1Tbl1Loc, "input", "output", false, 0, serde, null, null, + new HashMap()); + tbl = new Table("tbl1", "db1", "foo", now, now, 0, sd, null, + new HashMap(), null, null, TableType.MANAGED_TABLE.toString()); + client.createTable(tbl); + } + + @Test + public void testPolicyProvider() throws Exception { + HDFSPermissionPolicyProvider policyProvider = new HDFSPermissionPolicyProvider(conf); + FileSystem fs = FileSystem.get(conf); + fs.setOwner(new Path(defaultTbl1Loc), "user1", "group1"); + fs.setOwner(new Path(defaultTbl2Loc), "user1", "group1"); + fs.setOwner(new Path(db1Loc), "user1", "group1"); + fs.setOwner(new Path(db1Tbl1Loc), "user1", "group1"); + fs.setPermission(new Path(defaultTbl1Loc), new FsPermission("444")); // r--r--r-- + HiveResourceACLs acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 2); + assertTrue(acls.getGroupPermissions().keySet().contains("group1")); + assertTrue(acls.getGroupPermissions().keySet().contains("public")); + + fs.setPermission(new Path(defaultTbl1Loc), new FsPermission("440")); // r--r----- + acls = policyProvider.getResourceACLs( + new 
HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 1); + assertEquals(acls.getUserPermissions().keySet().iterator().next(), "user1"); + assertEquals(acls.getGroupPermissions().size(), 1); + assertTrue(acls.getGroupPermissions().keySet().contains("group1")); + + fs.setPermission(new Path(defaultTbl1Loc), new FsPermission("404")); // r-----r-- + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 1); + assertTrue(acls.getGroupPermissions().keySet().contains("public")); + + fs.setPermission(new Path(defaultTbl1Loc), new FsPermission("400")); // r-------- + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 0); + + fs.setPermission(new Path(defaultTbl1Loc), new FsPermission("004")); // ------r-- + fs.setPermission(new Path(defaultTbl2Loc), new FsPermission("777")); // rwxrwxrwx + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 0); + assertEquals(acls.getGroupPermissions().size(), 1); + assertTrue(acls.getGroupPermissions().keySet().contains("public")); + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "default", "tbl2")); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 2); + 
assertTrue(acls.getGroupPermissions().keySet().contains("group1")); + assertTrue(acls.getGroupPermissions().keySet().contains("public")); + + fs.setPermission(new Path(db1Loc), new FsPermission("400")); // ------r-- + fs.delete(new Path(db1Tbl1Loc), true); + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.DATABASE, "db1", null)); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 0); + acls = policyProvider.getResourceACLs( + new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW, "db1", "tbl1")); + assertEquals(acls.getUserPermissions().size(), 1); + assertTrue(acls.getUserPermissions().keySet().contains("user1")); + assertEquals(acls.getGroupPermissions().size(), 0); + + } +} diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java index 31e795c..3fdacac 100644 --- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java +++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyHiveMetastoreAuthorizationProvider.java @@ -32,6 +32,8 @@ import org.apache.hadoop.hive.ql.metadata.Table; import org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider; import org.apache.hadoop.hive.ql.security.authorization.Privilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; /** * Dummy implementation for use by unit tests. Tracks the context of calls made to 
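Review bot: In setup(), `int now = (int)System.currentTimeMillis() / 1000;` applies the cast before the division, so the millisecond value is truncated to 32 bits first and the timestamp is arbitrary; it should read `int now = (int) (System.currentTimeMillis() / 1000);`, the form PrivilegeSynchonizer uses elsewhere in this commit. The trailing comment on `fs.setPermission(new Path(db1Loc), new FsPermission("400"));` says `// ------r--`, but mode 400 is `// r--------`, which is also what the following assertions expect (one user entry, no group entries). The MiniDFSCluster started in `@BeforeClass` is never stopped; an `@AfterClass` method calling `m_dfs.shutdown()` would release it. The assertEquals calls pass the actual value first and the expected value second, so a failure message will label them the wrong way round.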
@@ -211,6 +213,8 @@ public void authorizeAuthorizationApiInvocation() throws HiveException, Authoriz authCalls.add(new AuthCallContext(AuthCallContextType.AUTHORIZATION, null, null)); } - - + @Override + public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { + return null; + } } diff --git a/metastore/scripts/upgrade/hive/hive-schema-3.0.0.hive.sql b/metastore/scripts/upgrade/hive/hive-schema-3.0.0.hive.sql index d9606d8..a3ecded 100644 --- a/metastore/scripts/upgrade/hive/hive-schema-3.0.0.hive.sql +++ b/metastore/scripts/upgrade/hive/hive-schema-3.0.0.hive.sql @@ -109,6 +109,7 @@ CREATE TABLE IF NOT EXISTS `DB_PRIVS` ( `PRINCIPAL_NAME` string, `PRINCIPAL_TYPE` string, `DB_PRIV` string, + `AUTHORIZER` string, CONSTRAINT `SYS_PK_DB_PRIVS` PRIMARY KEY (`DB_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -124,7 +125,8 @@ TBLPROPERTIES ( \"GRANTOR_TYPE\", \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", - \"DB_PRIV\" + \"DB_PRIV\", + \"AUTHORIZER\" FROM \"DB_PRIVS\"" ); @@ -138,6 +140,7 @@ CREATE TABLE IF NOT EXISTS `GLOBAL_PRIVS` ( `PRINCIPAL_NAME` string, `PRINCIPAL_TYPE` string, `USER_PRIV` string, + `AUTHORIZER` string, CONSTRAINT `SYS_PK_GLOBAL_PRIVS` PRIMARY KEY (`USER_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -152,7 +155,8 @@ TBLPROPERTIES ( \"GRANTOR_TYPE\", \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", - \"USER_PRIV\" + \"USER_PRIV\", + \"AUTHORIZER\" FROM \"GLOBAL_PRIVS\"" ); @@ -250,6 +254,7 @@ CREATE TABLE IF NOT EXISTS `PART_COL_PRIVS` ( `PRINCIPAL_NAME` string, `PRINCIPAL_TYPE` string, `PART_COL_PRIV` string, + `AUTHORIZER` string, CONSTRAINT `SYS_PK_PART_COL_PRIVS` PRIMARY KEY (`PART_COLUMN_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -266,7 +271,8 @@ TBLPROPERTIES ( \"PART_ID\", \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", - \"PART_COL_PRIV\" + \"PART_COL_PRIV\", + \"AUTHORIZER\" FROM \"PART_COL_PRIVS\"" ); 
@@ -281,6 +287,7 @@ CREATE TABLE IF NOT EXISTS `PART_PRIVS` ( `PRINCIPAL_NAME` string, `PRINCIPAL_TYPE` string, `PART_PRIV` string, + `AUTHORIZER` string, CONSTRAINT `SYS_PK_PART_PRIVS` PRIMARY KEY (`PART_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -296,7 +303,8 @@ TBLPROPERTIES ( \"PART_ID\", \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", - \"PART_PRIV\" + \"PART_PRIV\", + \"AUTHORIZER\" FROM \"PART_PRIVS\"" ); @@ -652,6 +660,7 @@ CREATE TABLE IF NOT EXISTS `TBL_COL_PRIVS` ( `PRINCIPAL_TYPE` string, `TBL_COL_PRIV` string, `TBL_ID` bigint, + `AUTHORIZER` string, CONSTRAINT `SYS_PK_TBL_COL_PRIVS` PRIMARY KEY (`TBL_COLUMN_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -668,7 +677,8 @@ TBLPROPERTIES ( \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", \"TBL_COL_PRIV\", - \"TBL_ID\" + \"TBL_ID\", + \"AUTHORIZER\" FROM \"TBL_COL_PRIVS\"" ); @@ -683,6 +693,7 @@ CREATE TABLE IF NOT EXISTS `TBL_PRIVS` ( `PRINCIPAL_TYPE` string, `TBL_PRIV` string, `TBL_ID` bigint, + `AUTHORIZER` string, CONSTRAINT `SYS_PK_TBL_PRIVS` PRIMARY KEY (`TBL_GRANT_ID`) DISABLE ) STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' @@ -698,7 +709,8 @@ TBLPROPERTIES ( \"PRINCIPAL_NAME\", \"PRINCIPAL_TYPE\", \"TBL_PRIV\", - \"TBL_ID\" + \"TBL_ID\", + \"AUTHORIZER\" FROM \"TBL_PRIVS\"" ); @@ -1082,7 +1094,8 @@ WHERE D.`DB_ID` = T.`DB_ID` AND T.`TBL_ID` = P.`TBL_ID` AND (P.`PRINCIPAL_NAME`=current_user() AND P.`PRINCIPAL_TYPE`='USER' - OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP')); + OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP')) + AND current_authorizer() = P.`AUTHORIZER`; CREATE VIEW IF NOT EXISTS `TABLES` ( 
@@ -1118,8 +1131,8 @@ WHERE D.`DB_ID` = T.`DB_ID` AND (NOT restrict_information_schema() OR T.`TBL_ID` = P.`TBL_ID` AND (P.`PRINCIPAL_NAME`=current_user() AND P.`PRINCIPAL_TYPE`='USER' - OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP')) - AND P.`TBL_PRIV`='SELECT'); + OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP'))) + AND P.`TBL_PRIV`='SELECT' AND P.`AUTHORIZER`=current_authorizer(); CREATE VIEW IF NOT EXISTS `TABLE_PRIVILEGES` ( @@ -1152,8 +1165,8 @@ WHERE AND (NOT restrict_information_schema() OR P.`TBL_ID` = P2.`TBL_ID` AND P.`PRINCIPAL_NAME` = P2.`PRINCIPAL_NAME` AND P.`PRINCIPAL_TYPE` = P2.`PRINCIPAL_TYPE` AND (P2.`PRINCIPAL_NAME`=current_user() AND P2.`PRINCIPAL_TYPE`='USER' - OR ((array_contains(current_groups(), P2.`PRINCIPAL_NAME`) OR P2.`PRINCIPAL_NAME` = 'public') AND P2.`PRINCIPAL_TYPE`='GROUP')) - AND P2.`TBL_PRIV`='SELECT'); + OR ((array_contains(current_groups(), P2.`PRINCIPAL_NAME`) OR P2.`PRINCIPAL_NAME` = 'public') AND P2.`PRINCIPAL_TYPE`='GROUP'))) + AND P2.`TBL_PRIV`='SELECT' AND P.`AUTHORIZER` = current_authorizer() AND P2.`AUTHORIZER` = current_authorizer(); CREATE VIEW IF NOT EXISTS `COLUMNS` ( @@ -1308,7 +1321,7 @@ WHERE AND C.`COLUMN_NAME` = P.`COLUMN_NAME` AND (P.`PRINCIPAL_NAME`=current_user() AND P.`PRINCIPAL_TYPE`='USER' OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP')) - AND P.`TBL_COL_PRIV`='SELECT'); + AND P.`TBL_COL_PRIV`='SELECT' AND P.`AUTHORIZER`=current_authorizer()); CREATE VIEW IF NOT EXISTS `COLUMN_PRIVILEGES` ( 
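Review bot: In the TABLES view hunk (-1118) the closing parenthesis has moved in front of `AND P.`TBL_PRIV`='SELECT'`, so that test and the new `P.`AUTHORIZER`=current_authorizer()` test now sit outside the `(NOT restrict_information_schema() OR ...)` group and apply even when restriction is switched off. The join condition `T.`TBL_ID` = P.`TBL_ID`` is still inside the group. With restriction off, a table row is therefore kept or dropped depending on whether any SELECT grant for the current authorizer exists, not on a grant for that table. The TABLE_PRIVILEGES hunk (-1152) has the same shape, whereas the COLUMNS, COLUMN_PRIVILEGES and VIEWS hunks keep the new predicate inside the parenthesis: `AND P.`TBL_PRIV`='SELECT' AND P.`AUTHORIZER`=current_authorizer());`. If the move was not intended, use that form here too; the start of each WHERE clause is outside the hunk, so please confirm against the full view definition.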
@@ -1344,7 +1357,7 @@ WHERE P.`TBL_ID` = P2.`TBL_ID` AND P.`PRINCIPAL_NAME` = P2.`PRINCIPAL_NAME` AND P.`PRINCIPAL_TYPE` = P2.`PRINCIPAL_TYPE` AND (P2.`PRINCIPAL_NAME`=current_user() AND P2.`PRINCIPAL_TYPE`='USER' OR ((array_contains(current_groups(), P2.`PRINCIPAL_NAME`) OR P2.`PRINCIPAL_NAME` = 'public') AND P2.`PRINCIPAL_TYPE`='GROUP')) - AND P2.`TBL_PRIV`='SELECT'); + AND P2.`TBL_PRIV`='SELECT' AND P.`AUTHORIZER`=current_authorizer() AND P2.`AUTHORIZER`=current_authorizer()); CREATE VIEW IF NOT EXISTS `VIEWS` ( @@ -1381,4 +1394,4 @@ WHERE T.`TBL_ID` = P.`TBL_ID` AND (P.`PRINCIPAL_NAME`=current_user() AND P.`PRINCIPAL_TYPE`='USER' OR ((array_contains(current_groups(), P.`PRINCIPAL_NAME`) OR P.`PRINCIPAL_NAME` = 'public') AND P.`PRINCIPAL_TYPE`='GROUP')) - AND P.`TBL_PRIV`='SELECT'); + AND P.`TBL_PRIV`='SELECT' AND P.`AUTHORIZER`=current_authorizer()); diff --git a/ql/src/java/org/apache/hadoop/hive/ql/exec/FunctionRegistry.java b/ql/src/java/org/apache/hadoop/hive/ql/exec/FunctionRegistry.java index a1f549a..e77fe18 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/exec/FunctionRegistry.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/exec/FunctionRegistry.java @@ -359,6 +359,7 @@ system.registerGenericUDF("current_groups", GenericUDFCurrentGroups.class); system.registerGenericUDF("logged_in_user", GenericUDFLoggedInUser.class); system.registerGenericUDF("restrict_information_schema", GenericUDFRestrictInformationSchema.class); + system.registerGenericUDF("current_authorizer", GenericUDFCurrentAuthorizer.class); system.registerGenericUDF("isnull", GenericUDFOPNull.class); system.registerGenericUDF("isnotnull", GenericUDFOPNotNull.class); diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HDFSPermissionPolicyProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HDFSPermissionPolicyProvider.java new file mode 100644 index 0000000..27e4dba --- /dev/null 
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HDFSPermissionPolicyProvider.java 
@@ -0,0 +1,117 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security.authorization; + +import java.io.IOException; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.fs.FileStatus; +import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.fs.Path; +import org.apache.hadoop.fs.permission.FsAction; +import org.apache.hadoop.fs.permission.FsPermission; +import org.apache.hadoop.hive.common.FileUtils; +import org.apache.hadoop.hive.metastore.api.Database; +import org.apache.hadoop.hive.ql.metadata.Hive; +import org.apache.hadoop.hive.ql.metadata.Table; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyChangeListener; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLs; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLsImpl; + +public class HDFSPermissionPolicyProvider implements HivePolicyProvider { + + private Configuration conf; + + public HDFSPermissionPolicyProvider(Configuration conf) { + 
this.conf = conf; + } + + @Override + public HiveResourceACLs getResourceACLs(HivePrivilegeObject hiveObject) { + HiveResourceACLs acls = null; + try { + switch (hiveObject.getType()) { + case DATABASE: + Database db = Hive.get().getDatabase(hiveObject.getDbname()); + acls = getResourceACLs(new Path(db.getLocationUri())); + break; + case TABLE_OR_VIEW: + case COLUMN: + Table table = Hive.get().getTable(hiveObject.getDbname(), hiveObject.getObjectName()); + acls = getResourceACLs(new Path(table.getTTable().getSd().getLocation())); + break; + default: + // Shall never happen + throw new RuntimeException("Unknown request type:" + hiveObject.getType()); + } + } catch (Exception e) { + } + return acls; + } + + private HiveResourceACLs getResourceACLs(Path path) throws IOException { + if (path == null) { + throw new IllegalArgumentException("path is null"); + } + + final FileSystem fs = path.getFileSystem(conf); + + FileStatus pathStatus = FileUtils.getFileStatusOrNull(fs, path); + if (pathStatus != null) { + return getResourceACLs(fs, pathStatus); + } else if (path.getParent() != null) { + // find the ancestor which exists to check its permissions + Path par = path.getParent(); + FileStatus parStatus = null; + while (par != null) { + parStatus = FileUtils.getFileStatusOrNull(fs, par); + if (parStatus != null) { + break; + } + par = par.getParent(); + } + return getResourceACLs(fs, parStatus); + } + return null; + } + + private HiveResourceACLs getResourceACLs(final FileSystem fs, final FileStatus stat) { + String owner = stat.getOwner(); + String group = stat.getGroup(); + HiveResourceACLsImpl acls = new HiveResourceACLsImpl(); + FsPermission permission = stat.getPermission(); + if (permission.getUserAction().implies(FsAction.READ)) { + acls.addUserEntry(owner, HiveResourceACLs.Privilege.SELECT, HiveResourceACLs.AccessResult.ALLOWED); + } + if (permission.getGroupAction().implies(FsAction.READ)) { + acls.addGroupEntry(group, HiveResourceACLs.Privilege.SELECT, 
HiveResourceACLs.AccessResult.ALLOWED); + } + if (permission.getOtherAction().implies(FsAction.READ)) { + acls.addGroupEntry("public", HiveResourceACLs.Privilege.SELECT, HiveResourceACLs.AccessResult.ALLOWED); + } + return acls; + } + + @Override + public void registerHivePolicyChangeListener(HivePolicyChangeListener listener) { + // Not implemented + } + +} diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java index 8a7c06d..d3e13a5 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java @@ -36,6 +36,8 @@ import org.apache.hadoop.hive.ql.metadata.Hive; import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; import org.apache.thrift.TException; public abstract class HiveAuthorizationProviderBase implements @@ -133,4 +135,8 @@ public void setAuthenticator(HiveAuthenticationProvider authenticator) { this.authenticator = authenticator; } + @Override + public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { + return null; + } } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java index 0dab334..de9b8d1 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveMetastoreAuthorizationProvider.java 
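Review bot: The empty `catch (Exception e) { }` in getResourceACLs(HivePrivilegeObject) discards every failure, including the RuntimeException thrown by its own `default:` branch, so a metastore or HDFS error is indistinguishable from "nobody has read access". The method then returns null, which the synchronizer appears to treat as no grants. Failing closed is reasonable for an authorization source, but the exception should at least be logged with the object type and name so that vanished information-schema rows can be diagnosed. In getResourceACLs(Path) the ancestor loop can finish with `parStatus` still null, and `getResourceACLs(fs, parStatus)` then dereferences it at `stat.getOwner()`; replace the call with `return parStatus == null ? null : getResourceACLs(fs, parStatus);` rather than relying on the outer catch to absorb the NullPointerException. The class has no Javadoc; it should state that SELECT is derived only from the owner/group/other read bits of the FileStatus (extended HDFS ACL entries are not consulted) and that a missing location falls back to the nearest existing ancestor.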
@@ -21,6 +21,8 @@ import org.apache.hadoop.hive.metastore.IHMSHandler; import org.apache.hadoop.hive.ql.metadata.AuthorizationException; import org.apache.hadoop.hive.ql.metadata.HiveException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; /** * HiveMetastoreAuthorizationProvider : An extension of HiveAuthorizaytionProvider @@ -44,5 +46,10 @@ */ void authorizeAuthorizationApiInvocation() throws HiveException, AuthorizationException; + /** + * @return HivePolicyProvider instance (expected to be a singleton) + * @throws HiveAuthzPluginException + */ + HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException; } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PolicyProviderContainer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PolicyProviderContainer.java new file mode 100644 index 0000000..dfc6964 --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PolicyProviderContainer.java 
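Review bot: The Javadoc added for `getHivePolicyProvider()` does not say that null is a permitted result, yet every implementation touched in this commit (DummyHCatAuthProvider, DummyHiveMetastoreAuthorizationProvider, HiveAuthorizationProviderBase) returns null. I would spell the contract out, for example `@return the policy provider backing this authorizer, or null if it exposes none` and `@throws HiveAuthzPluginException if the provider cannot be created`, so that callers know to check. Adding an abstract method to an existing interface also forces every out-of-tree implementation to change; if the project's Java level allows it, `default HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { return null; }` would keep them compiling. The interface body starts outside this hunk.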
@@ -0,0 +1,74 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.hadoop.hive.ql.security.authorization; + +import java.util.ArrayList; +import java.util.Iterator; +import java.util.List; + +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; + +public class PolicyProviderContainer implements Iterable { + List authorizers = new ArrayList(); + List authorizationProviders = new ArrayList(); + + public void addAuthorizer(HiveAuthorizer authorizer) { + authorizers.add(authorizer); + } + + public void addAuthorizationProvider(HiveMetastoreAuthorizationProvider authorizationProvider) { + authorizationProviders.add(authorizationProvider); + } + + public int size() { + return authorizers.size() + authorizationProviders.size(); + } + + @Override + public Iterator iterator() { + return new PolicyIterator(); + } + + class PolicyIterator implements Iterator { + int currentAuthorizerPosition = 0; + int AuthorizationProviderPosition = 0; + @Override + public boolean hasNext() { + if (currentAuthorizerPosition 
< authorizers.size() + || AuthorizationProviderPosition < authorizationProviders.size()) { + return true; + } + return false; + } + + @Override + public HivePolicyProvider next() { + try { + if (currentAuthorizerPosition < authorizers.size()) { + return authorizers.get(currentAuthorizerPosition++).getHivePolicyProvider(); + } else { + return authorizationProviders.get(AuthorizationProviderPosition++).getHivePolicyProvider(); + } + } catch (HiveAuthzPluginException e) { + throw new RuntimeException(e); + } + } + } +} diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java index 9b2e6cd..c9994df 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchonizer.java @@ -32,7 +32,6 @@ import org.apache.hadoop.hive.metastore.api.PrivilegeBag; import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo; import org.apache.hadoop.hive.metastore.api.Table; -import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactoryImpl; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; 
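Review bot: PolicyIterator.next() returns whatever `getHivePolicyProvider()` yields, including null, and the providers patched in this commit return null. The for-each loop in PrivilegeSynchonizer.run() (a later hunk) calls `policyProvider.getClass().getSimpleName()` on each element, which would throw a NullPointerException inside the sync loop. Unless null-returning sources are filtered out before `addAuthorizer`/`addAuthorizationProvider` (not visible in this diff), either make the iterator skip null results or document on the class that elements may be null and guard the consumer with `if (policyProvider == null) { continue; }`. Separately, calling next() past the end surfaces an IndexOutOfBoundsException from `List.get` instead of honouring the Iterator contract; `if (!hasNext()) { throw new java.util.NoSuchElementException(); }` at the top of next() fixes that. The class and its public methods have no Javadoc describing the iteration order (authorizers first, then authorization providers).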
@@ -53,23 +52,24 @@ private IMetaStoreClient hiveClient; private LeaderLatch privilegeSynchonizerLatch; private HiveConf hiveConf; - private HiveAuthorizer authorizer; + private PolicyProviderContainer policyProviderContainer; - public PrivilegeSynchonizer(LeaderLatch privilegeSynchonizerLatch, HiveAuthorizer authorizer, HiveConf hiveConf) { + public PrivilegeSynchonizer(LeaderLatch privilegeSynchonizerLatch, + PolicyProviderContainer policyProviderContainer, HiveConf hiveConf) { try { hiveClient = new HiveMetastoreClientFactoryImpl().getHiveMetastoreClient(); } catch (HiveAuthzPluginException e) { throw new RuntimeException("Error creating getHiveMetastoreClient", e); } this.privilegeSynchonizerLatch = privilegeSynchonizerLatch; - this.authorizer = authorizer; + this.policyProviderContainer = policyProviderContainer; this.hiveConf = hiveConf; } private void addACLsToBag( Map> principalAclsMap, PrivilegeBag privBag, HiveObjectType objectType, String dbName, String tblName, String columnName, - PrincipalType principalType) { + PrincipalType principalType, String authorizer) { for (Map.Entry> principalAcls : principalAclsMap.entrySet()) { 
@@ -82,19 +82,19 @@ private void addACLsToBag( privBag.addToPrivileges( new HiveObjectPrivilege(new HiveObjectRef(HiveObjectType.DATABASE, dbName, null, null, null), principal, principalType, new PrivilegeGrantInfo(acl.getKey().toString(), - (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false))); + (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false), authorizer)); break; case TABLE: privBag.addToPrivileges( new HiveObjectPrivilege(new HiveObjectRef(HiveObjectType.TABLE, dbName, tblName, null, null), principal, principalType, new PrivilegeGrantInfo(acl.getKey().toString(), - (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false))); + (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false), authorizer)); break; case COLUMN: privBag.addToPrivileges( new HiveObjectPrivilege(new HiveObjectRef(HiveObjectType.COLUMN, dbName, tblName, null, columnName), principal, principalType, new PrivilegeGrantInfo(acl.getKey().toString(), - (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false))); + (int) (System.currentTimeMillis() / 1000), GRANTOR, PrincipalType.USER, false), authorizer)); break; default: throw new RuntimeException("Get unknown object type " + objectType); @@ -123,7 +123,7 @@ private HiveObjectRef getObjToRefresh(HiveObjectType type, String dbName, String } private void addGrantPrivilegesToBag(HivePolicyProvider policyProvider, PrivilegeBag privBag, HiveObjectType type, - String dbName, String tblName, String columnName) throws Exception { + String dbName, String tblName, String columnName, String authorizer) throws Exception { HiveResourceACLs objectAcls = null; 
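Review bot: The new `authorizer` argument threaded through addACLsToBag and addGrantPrivilegesToBag is an undocumented free-form String, although it becomes the value stored with every grant and, judging by the schema hunks, is what the information-schema views compare against `current_authorizer()`. In the run() hunk it is derived from `policyProvider.getClass().getSimpleName()`, so renaming a provider class, or having two providers with the same simple name in different packages, would silently change or merge which stored grants are visible. A short Javadoc on both methods would make the coupling explicit, for example `@param authorizer identifier stored with each grant; must equal the value current_authorizer() reports for this provider`. How current_authorizer() computes its value is not shown on this page, so please confirm the two sides agree. Both method bodies extend outside these hunks.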
@@ -151,51 +151,58 @@ private void addGrantPrivilegesToBag(HivePolicyProvider policyProvider, Privileg return; } - addACLsToBag(objectAcls.getUserPermissions(), privBag, type, dbName, tblName, columnName, PrincipalType.USER); - addACLsToBag(objectAcls.getGroupPermissions(), privBag, type, dbName, tblName, columnName, PrincipalType.GROUP); + addACLsToBag(objectAcls.getUserPermissions(), privBag, type, dbName, tblName, columnName, + PrincipalType.USER, authorizer); + addACLsToBag(objectAcls.getGroupPermissions(), privBag, type, dbName, tblName, columnName, + PrincipalType.GROUP, authorizer); } @Override public void run() { while (true) { + long interval = HiveConf.getTimeVar(hiveConf, ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER_INTERVAL, TimeUnit.SECONDS); try { - HivePolicyProvider policyProvider = authorizer.getHivePolicyProvider(); - long interval = HiveConf.getTimeVar(hiveConf, ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER_INTERVAL, TimeUnit.SECONDS); - if (hiveConf.getBoolVar(ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER)) { - if (!privilegeSynchonizerLatch.await(interval, TimeUnit.SECONDS)) { - continue; - } - LOG.debug("Start synchonize privilege"); - for (String dbName : hiveClient.getAllDatabases()) { - HiveObjectRef dbToRefresh = getObjToRefresh(HiveObjectType.DATABASE, dbName, null); - PrivilegeBag grantDatabaseBag = new PrivilegeBag(); - addGrantPrivilegesToBag(policyProvider, grantDatabaseBag, HiveObjectType.DATABASE, dbName, null, null); - hiveClient.refresh_privileges(dbToRefresh, grantDatabaseBag); - - for (String tblName : hiveClient.getAllTables(dbName)) { - HiveObjectRef tableToRefresh = getObjToRefresh(HiveObjectType.TABLE, dbName, tblName); - PrivilegeBag grantTableBag = new PrivilegeBag(); - addGrantPrivilegesToBag(policyProvider, grantTableBag, HiveObjectType.TABLE, dbName, tblName, null); - hiveClient.refresh_privileges(tableToRefresh, grantTableBag); - - HiveObjectRef tableOfColumnsToRefresh = getObjToRefresh(HiveObjectType.COLUMN, dbName, tblName); - PrivilegeBag 
grantColumnBag = new PrivilegeBag(); - Table tbl = hiveClient.getTable(dbName, tblName); - for (FieldSchema fs : tbl.getPartitionKeys()) { - addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, dbName, tblName, - fs.getName()); - } - for (FieldSchema fs : tbl.getSd().getCols()) { - addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, dbName, tblName, - fs.getName()); + for (HivePolicyProvider policyProvider : policyProviderContainer) { + String authorizer = policyProvider.getClass().getSimpleName(); + if (hiveConf.getBoolVar(ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER)) { + if (!privilegeSynchonizerLatch.await(interval, TimeUnit.SECONDS)) { + continue; + } + LOG.debug("Start synchonize privilege"); + for (String dbName : hiveClient.getAllDatabases()) { + HiveObjectRef dbToRefresh = getObjToRefresh(HiveObjectType.DATABASE, dbName, null); + PrivilegeBag grantDatabaseBag = new PrivilegeBag(); + addGrantPrivilegesToBag(policyProvider, grantDatabaseBag, HiveObjectType.DATABASE, + dbName, null, null, authorizer); + hiveClient.refresh_privileges(dbToRefresh, authorizer, grantDatabaseBag); + + for (String tblName : hiveClient.getAllTables(dbName)) { + HiveObjectRef tableToRefresh = getObjToRefresh(HiveObjectType.TABLE, dbName, tblName); + PrivilegeBag grantTableBag = new PrivilegeBag(); + addGrantPrivilegesToBag(policyProvider, grantTableBag, HiveObjectType.TABLE, + dbName, tblName, null, authorizer); + hiveClient.refresh_privileges(tableToRefresh, authorizer, grantTableBag); + + HiveObjectRef tableOfColumnsToRefresh = getObjToRefresh(HiveObjectType.COLUMN, dbName, tblName); + PrivilegeBag grantColumnBag = new PrivilegeBag(); + Table tbl = hiveClient.getTable(dbName, tblName); + for (FieldSchema fs : tbl.getPartitionKeys()) { + addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, + dbName, tblName, fs.getName(), authorizer); + } + for (FieldSchema fs : tbl.getSd().getCols()) { + 
addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN, + dbName, tblName, fs.getName(), authorizer); + } + hiveClient.refresh_privileges(tableOfColumnsToRefresh, authorizer, grantColumnBag); } - hiveClient.refresh_privileges(tableOfColumnsToRefresh, grantColumnBag); } } + // Wait if no exception happens, otherwise, retry immediately } - // Wait if no exception happens, otherwise, retry immediately Thread.sleep(interval * 1000); LOG.debug("Success synchonize privilege"); + } catch (Exception e) { LOG.error("Error initializing PrivilegeSynchonizer: " + e.getMessage(), e); } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java index b66d188..f074d39 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java @@ -45,6 +45,8 @@ import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.ql.metadata.Partition; import org.apache.hadoop.hive.ql.metadata.Table; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider; /** * StorageBasedAuthorizationProvider is an implementation of @@ -491,4 +493,9 @@ public void setHasDropPrivilege(boolean hasDropPrivilege) { } + @Override + public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException { + return new HDFSPermissionPolicyProvider(getConf()); + } + } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java index 48798d8..ffa5cd1 100644 
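Review bot: Moving the `privilegeSynchonizerLatch.await(...)` check inside the new `for (HivePolicyProvider ...)` loop in `run()` changes what its `continue` does: it now skips to the next provider instead of restarting the `while (true)` cycle. A node that is not the leader therefore blocks for `interval` once per provider, then still runs `Thread.sleep(interval * 1000)` and logs `Success synchonize privilege` without having synchronized anything. The `HIVE_PRIVILEGE_SYNCHRONIZER` flag is also re-read for every provider although it does not depend on the provider. Checking the flag and the latch once per cycle, outside the provider loop, keeps the previous semantics; `run()` closes after the end of this hunk.

```java
      try {
        if (hiveConf.getBoolVar(ConfVars.HIVE_PRIVILEGE_SYNCHRONIZER)) {
          // Check leadership once per cycle so that `continue` still restarts the outer loop.
          if (!privilegeSynchonizerLatch.await(interval, TimeUnit.SECONDS)) {
            continue;
          }
          LOG.debug("Start synchonize privilege");
          for (HivePolicyProvider policyProvider : policyProviderContainer) {
            String authorizer = policyProvider.getClass().getSimpleName();
            // … unchanged: per-database, per-table and per-column refresh_privileges calls …
          }
        }
        // Wait if no exception happens, otherwise, retry immediately
        Thread.sleep(interval * 1000);
```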
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.java @@ -47,6 +47,7 @@ public class HiveV1Authorizer extends AbstractHiveAuthorizer { private final HiveConf conf; + private final static String AUTHORIZER = "v1"; public HiveV1Authorizer(HiveConf conf) { this.conf = conf; @@ -77,7 +78,7 @@ public void grantPrivileges( HivePrincipal grantor, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException { try { - PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption); + PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption, AUTHORIZER); grantOrRevokePrivs(principals, privBag, true, grantOption); } catch (Exception e) { throw new HiveAuthzPluginException(e); @@ -90,7 +91,7 @@ public void revokePrivileges( HivePrincipal grantor, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException { try { - PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption); + PrivilegeBag privBag = toPrivilegeBag(privileges, privObject, grantor, grantOption, AUTHORIZER); grantOrRevokePrivs(principals, privBag, false, grantOption); } catch (Exception e) { throw new HiveAuthzPluginException(e); @@ -115,7 +116,7 @@ private void grantOrRevokePrivs(List principals, PrivilegeBag pri } private PrivilegeBag toPrivilegeBag(List privileges, - HivePrivilegeObject privObject, HivePrincipal grantor, boolean grantOption) + HivePrivilegeObject privObject, HivePrincipal grantor, boolean grantOption, String authorizer) throws HiveException { PrivilegeBag privBag = new PrivilegeBag(); 
@@ -136,7 +137,7 @@ private PrivilegeBag toPrivilegeBag(List privileges, privBag.addToPrivileges(new HiveObjectPrivilege(new HiveObjectRef( HiveObjectType.GLOBAL, null, null, null, null), null, null, new PrivilegeGrantInfo(priv.getName(), 0, grantor.getName(), grantorType, - grantOption))); + grantOption), authorizer)); } return privBag; } @@ -186,23 +187,23 @@ private PrivilegeBag toPrivilegeBag(List privileges, privBag.addToPrivileges(new HiveObjectPrivilege( new HiveObjectRef(HiveObjectType.COLUMN, dbObj.getName(), tableObj.getTableName(), partValues, columns.get(i)), null, null, - new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption), authorizer)); } } else if (tableObj == null) { privBag.addToPrivileges(new HiveObjectPrivilege( new HiveObjectRef(HiveObjectType.DATABASE, dbObj.getName(), null, null, null), null, null, - new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption), authorizer)); } else if (partValues == null) { privBag.addToPrivileges(new HiveObjectPrivilege( new HiveObjectRef(HiveObjectType.TABLE, dbObj.getName(), tableObj.getTableName(), null, null), null, null, - new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption), authorizer)); } else { privBag.addToPrivileges(new HiveObjectPrivilege( new HiveObjectRef(HiveObjectType.PARTITION, dbObj.getName(), tableObj.getTableName(), partValues, null), null, null, - new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption))); + new PrivilegeGrantInfo(priv.getName(), 0, grantorName, grantorType, grantOption), authorizer)); } } return privBag; 
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java index 02ed7aa..e787538 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java @@ -99,7 +99,7 @@ static PrivilegeBag getThriftPrivilegesBag(List hivePrincipals, grantOption, 0 /*real grant time added by metastore*/); for (HivePrincipal principal : hivePrincipals) { HiveObjectPrivilege objPriv = new HiveObjectPrivilege(privObj, principal.getName(), - AuthorizationUtils.getThriftPrincipalType(principal.getType()), grantInfo); + AuthorizationUtils.getThriftPrincipalType(principal.getType()), grantInfo, "SQL"); privBag.addToPrivileges(objPriv); } } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/udf/generic/GenericUDFCurrentAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/udf/generic/GenericUDFCurrentAuthorizer.java new file mode 100644 index 0000000..406089d --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/udf/generic/GenericUDFCurrentAuthorizer.java 
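Review bot: The authorizer tag is passed as the bare literal `"SQL"` in the `HiveObjectPrivilege` constructor call, while `HiveV1Authorizer` in this commit names its tag in a constant (`AUTHORIZER = "v1"`) and `PrivilegeSynchonizer` derives it from the provider's simple class name. Since the tag records which authorizer owns a grant, I would give it a named constant with a comment, e.g. `static final String AUTHORIZER = "SQL"; // tag stored on grants created by SQL standard authorization`, so the set of tags in use can be found with one search. `getThriftPrivilegesBag` starts before and continues after this hunk.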
@@ -0,0 +1,119 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hive.ql.udf.generic; + +import java.util.List; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.metastore.conf.MetastoreConf; +import org.apache.hadoop.hive.ql.exec.Description; +import org.apache.hadoop.hive.ql.exec.UDFArgumentException; +import org.apache.hadoop.hive.ql.exec.UDFArgumentLengthException; +import org.apache.hadoop.hive.ql.metadata.HiveException; +import org.apache.hadoop.hive.ql.metadata.HiveUtils; +import org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.session.SessionState; +import org.apache.hadoop.hive.ql.udf.UDFType; +import org.apache.hadoop.hive.serde2.objectinspector.ObjectInspector; +import org.apache.hadoop.hive.serde2.objectinspector.primitive.PrimitiveObjectInspectorFactory; +import org.apache.hadoop.io.Text; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * UDF to determine the current authorizer (class 
name of the authorizer) + * This is intended for internal usage only. This function is not a deterministic function, + * but a runtime constant. The return value is constant within a query but can be different between queries + */ +@UDFType(deterministic = false, runtimeConstant = true) +@Description(name = "current_authorizer", + value = "_FUNC_() - Returns the current authorizer (class name of the authorizer). ") +@NDV(maxNdv = 1) +public class GenericUDFCurrentAuthorizer extends GenericUDF { + private static final Logger LOG = LoggerFactory.getLogger(GenericUDFCurrentAuthorizer.class.getName()); + protected Text authorizer; + + @Override + public ObjectInspector initialize(ObjectInspector[] arguments) throws UDFArgumentException { + if (arguments.length != 0) { + throw new UDFArgumentLengthException( + "The function CurrentAuthorizer does not take any arguments, but found " + arguments.length); + } + + if (authorizer == null) { + + HiveConf hiveConf = SessionState.getSessionConf(); + HiveAuthorizer hiveAuthorizer = SessionState.get().getAuthorizerV2(); + try { + if (hiveAuthorizer.getHivePolicyProvider() != null) { + authorizer = new Text(hiveAuthorizer.getHivePolicyProvider().getClass().getSimpleName()); + } + } catch (HiveAuthzPluginException e) { + LOG.warn("Error getting HivePolicyProvider", e); + } + + if (authorizer == null) { + if (MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS) != null && + !MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS).isEmpty() && + HiveConf.getVar(hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER) != null) { + List authorizerProviders; + try { + authorizerProviders = HiveUtils.getMetaStoreAuthorizeProviderManagers( + hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER, + SessionState.get().getAuthenticator()); + for (HiveMetastoreAuthorizationProvider authProvider : authorizerProviders) { + if (authProvider.getHivePolicyProvider() != null) { + 
authorizer = new Text(authProvider.getHivePolicyProvider().getClass().getSimpleName()); + break; + } + } + } catch (HiveAuthzPluginException e) { + LOG.warn("Error getting HivePolicyProvider", e); + } catch (HiveException e) { + LOG.warn("Error instantiating hive.security.metastore.authorization.manager", e); + } + } + } + } + + return PrimitiveObjectInspectorFactory.writableStringObjectInspector; + } + + @Override + public Object evaluate(DeferredObject[] arguments) throws HiveException { + return authorizer; + } + + @Override + public String getDisplayString(String[] children) { + return "CURRENT_AUTHORIZER()"; + } + + @Override + public void copyToNewInstance(Object newInstance) throws UDFArgumentException { + super.copyToNewInstance(newInstance); + // Need to preserve authorizer flag + GenericUDFCurrentAuthorizer other = (GenericUDFCurrentAuthorizer) newInstance; + if (this.authorizer != null) { + other.authorizer = new Text(this.authorizer); + } + } +} diff --git a/ql/src/java/org/apache/hadoop/hive/ql/udf/generic/GenericUDFRestrictInformationSchema.java b/ql/src/java/org/apache/hadoop/hive/ql/udf/generic/GenericUDFRestrictInformationSchema.java index 3eb0914..fc47e43 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/udf/generic/GenericUDFRestrictInformationSchema.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/udf/generic/GenericUDFRestrictInformationSchema.java 
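Review bot: `initialize()` leaves `authorizer` null whenever no policy provider is found or either lookup throws (both `catch` blocks only log at WARN), so `evaluate()` returns null, and the class Javadoc does not mention it. I would add a Javadoc sentence stating that the function returns NULL when no policy provider is configured or the lookup fails, so that anything comparing a stored authorizer tag with `current_authorizer()` handles that case deliberately. Unlike the `GenericUDFRestrictInformationSchema` hunk in this commit, this lookup does not consult `HIVE_AUTHORIZATION_ENABLED`; if that difference is intended it deserves a comment. Separately, `getHivePolicyProvider()` is called twice per candidate (null check, then use), and `StorageBasedAuthorizationProvider` in this commit builds a new provider on each call; holding the result in a local, `HivePolicyProvider provider = hiveAuthorizer.getHivePolicyProvider();` (needs the import), avoids the second call.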
@@ -61,46 +61,50 @@ public ObjectInspector initialize(ObjectInspector[] arguments) throws UDFArgumen } if (enabled == null) { - boolean enableHS2PolicyProvider = false; - boolean enableMetastorePolicyProvider = false; - HiveConf hiveConf = SessionState.getSessionConf(); - HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); - try { - if (authorizer.getHivePolicyProvider() != null) { - enableHS2PolicyProvider = true; - } - } catch (HiveAuthzPluginException e) { - LOG.warn("Error getting HivePolicyProvider", e); - } + if (!hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) { + enabled = new BooleanWritable(false); + } else { + boolean enableHS2PolicyProvider = false; + boolean enableMetastorePolicyProvider = false; - if (!enableHS2PolicyProvider) { - if (MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS) != null && - !MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS).isEmpty() && - HiveConf.getVar(hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER) != null) { - List authorizerProviders; - try { - authorizerProviders = HiveUtils.getMetaStoreAuthorizeProviderManagers( - hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER, - SessionState.get().getAuthenticator()); - for (HiveMetastoreAuthorizationProvider authProvider : authorizerProviders) { - if (authProvider.getHivePolicyProvider() != null) { - enableMetastorePolicyProvider = true; - break; + HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); + try { + if (authorizer.getHivePolicyProvider() != null) { + enableHS2PolicyProvider = true; + } + } catch (HiveAuthzPluginException e) { + LOG.warn("Error getting HivePolicyProvider", e); + } + + if (!enableHS2PolicyProvider) { + if (MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS) != null && + !MetastoreConf.getVar(hiveConf, MetastoreConf.ConfVars.PRE_EVENT_LISTENERS).isEmpty() && + HiveConf.getVar(hiveConf, 
HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER) != null) { + List authorizerProviders; + try { + authorizerProviders = HiveUtils.getMetaStoreAuthorizeProviderManagers( + hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER, + SessionState.get().getAuthenticator()); + for (HiveMetastoreAuthorizationProvider authProvider : authorizerProviders) { + if (authProvider.getHivePolicyProvider() != null) { + enableMetastorePolicyProvider = true; + break; + } } + } catch (HiveAuthzPluginException e) { + LOG.warn("Error getting HivePolicyProvider", e); + } catch (HiveException e) { + LOG.warn("Error instantiating hive.security.metastore.authorization.manager", e); } - } catch (HiveAuthzPluginException e) { - LOG.warn("Error getting HivePolicyProvider", e); - } catch (HiveException e) { - LOG.warn("Error instantiating hive.security.metastore.authorization.manager", e); } } - } - if (enableHS2PolicyProvider || enableMetastorePolicyProvider) { - enabled = new BooleanWritable(true); - } else { - enabled = new BooleanWritable(false); + if (enableHS2PolicyProvider || enableMetastorePolicyProvider) { + enabled = new BooleanWritable(true); + } else { + enabled = new BooleanWritable(false); + } } } diff --git a/service/src/java/org/apache/hive/service/server/HiveServer2.java b/service/src/java/org/apache/hive/service/server/HiveServer2.java index 661beb5..6ef3410 100644 --- a/service/src/java/org/apache/hive/service/server/HiveServer2.java +++ b/service/src/java/org/apache/hive/service/server/HiveServer2.java @@ -71,6 +71,7 @@ import org.apache.hadoop.hive.metastore.api.WMFullResourcePlan; import org.apache.hadoop.hive.metastore.api.WMPool; import org.apache.hadoop.hive.metastore.api.WMResourcePlan; +import org.apache.hadoop.hive.metastore.conf.MetastoreConf; import org.apache.hadoop.hive.ql.cache.results.QueryResultsCache; import org.apache.hadoop.hive.ql.exec.spark.session.SparkSessionManagerImpl; import org.apache.hadoop.hive.ql.exec.tez.TezSessionPoolManager; 
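Review bot: After the re-indent, a failure while looking up the policy provider still ends in `enabled = new BooleanWritable(false)`: both `catch` blocks only log at WARN, the two flags stay false, and the function reports that no restriction applies. Judging by the class name this flag gates restriction of the information schema, so that looks like fail-open behaviour on error, though how the views consume the flag is not visible in this hunk. I would either rethrow from the `catch` blocks, e.g. `throw new UDFArgumentException("Cannot determine policy provider: " + e.getMessage());`, or add a comment explaining why defaulting to unrestricted is acceptable. The closing `if`/`else` can also collapse to `enabled = new BooleanWritable(enableHS2PolicyProvider || enableMetastorePolicyProvider);`. `initialize()` starts before this hunk and appears to continue after it.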
@@ -78,8 +79,11 @@ import org.apache.hadoop.hive.ql.metadata.Hive; import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.ql.metadata.HiveMaterializedViewsRegistry; +import org.apache.hadoop.hive.ql.metadata.HiveUtils; import org.apache.hadoop.hive.ql.metadata.events.NotificationEventPoll; import org.apache.hadoop.hive.ql.plan.mapper.StatsSources; +import org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider; +import org.apache.hadoop.hive.ql.security.authorization.PolicyProviderContainer; import org.apache.hadoop.hive.ql.security.authorization.PrivilegeSynchonizer; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; import org.apache.hadoop.hive.ql.session.ClearDanglingScratchDir; 
@@ -980,16 +984,33 @@ public void startPrivilegeSynchonizer(HiveConf hiveConf) throws Exception { + ZooKeeperHiveHelper.ZOOKEEPER_PATH_SEPARATOR + "leader"; LeaderLatch privilegeSynchonizerLatch = new LeaderLatch(zKClientForPrivSync, path); privilegeSynchonizerLatch.start(); + PolicyProviderContainer policyContainer = new PolicyProviderContainer(); HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); - if (authorizer.getHivePolicyProvider() == null) { + if (authorizer.getHivePolicyProvider() != null) { + policyContainer.addAuthorizer(authorizer); + } + if (hiveConf.get(MetastoreConf.ConfVars.PRE_EVENT_LISTENERS.getVarname()) != null && + hiveConf.get(MetastoreConf.ConfVars.PRE_EVENT_LISTENERS.getVarname()).contains( + "org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener") && + hiveConf.get(MetastoreConf.ConfVars.HIVE_AUTHORIZATION_MANAGER.getVarname())!= null) { + List providers = HiveUtils.getMetaStoreAuthorizeProviderManagers( + hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER, SessionState.get().getAuthenticator()); + for (HiveMetastoreAuthorizationProvider provider : providers) { + if (provider.getHivePolicyProvider() != null) { + policyContainer.addAuthorizationProvider(provider); + } + } + } + + if (policyContainer.size() > 0) { + Thread privilegeSynchonizerThread = new Thread( + new PrivilegeSynchonizer(privilegeSynchonizerLatch, policyContainer, hiveConf), "PrivilegeSynchonizer"); + privilegeSynchonizerThread.start(); + } else { LOG.warn( - "Cannot start PrivilegeSynchonizer, policyProvider of " + authorizer.getClass().getName() + " is null"); + "No policy provider found, stop PrivilegeSynchonizer"); privilegeSynchonizerLatch.close(); - return; } - Thread privilegeSynchonizerThread = new Thread( - new PrivilegeSynchonizer(privilegeSynchonizerLatch, authorizer, hiveConf), "PrivilegeSynchonizer"); - privilegeSynchonizerThread.start(); } } 
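Review bot: The new guard tests `MetastoreConf.ConfVars.HIVE_AUTHORIZATION_MANAGER` for null, but the providers are then loaded from `HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER`, so the check and the load appear to read different settings. The two UDFs in this commit guard the same load with `HiveConf.getVar(hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER) != null` and only require `PRE_EVENT_LISTENERS` to be non-empty, whereas this code uses a raw `hiveConf.get(...)` and a `contains(...)` match on one listener class name. With three slightly different detection rules, the synchronizer and the information-schema functions can disagree about whether a metastore policy provider is active. I would use one condition in all three places, ideally through a shared helper. `startPrivilegeSynchonizer` begins above this hunk.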
diff --git a/standalone-metastore/src/gen/thrift/gen-cpp/ThriftHiveMetastore.cpp b/standalone-metastore/src/gen/thrift/gen-cpp/ThriftHiveMetastore.cpp index a25ebe5..ddb175e 100644 --- a/standalone-metastore/src/gen/thrift/gen-cpp/ThriftHiveMetastore.cpp +++ b/standalone-metastore/src/gen/thrift/gen-cpp/ThriftHiveMetastore.cpp @@ -33259,6 +33259,14 @@ uint32_t ThriftHiveMetastore_refresh_privileges_args::read(::apache::thrift::pro } break; case 2: + if (ftype == ::apache::thrift::protocol::T_STRING) { + xfer += iprot->readString(this->authorizer); + this->__isset.authorizer = true; + } else { + xfer += iprot->skip(ftype); + } + break; + case 3: if (ftype == ::apache::thrift::protocol::T_STRUCT) { xfer += this->grantRequest.read(iprot); this->__isset.grantRequest = true; @@ -33287,7 +33295,11 @@ uint32_t ThriftHiveMetastore_refresh_privileges_args::write(::apache::thrift::pr xfer += this->objToRefresh.write(oprot); xfer += oprot->writeFieldEnd(); - xfer += oprot->writeFieldBegin("grantRequest", ::apache::thrift::protocol::T_STRUCT, 2); + xfer += oprot->writeFieldBegin("authorizer", ::apache::thrift::protocol::T_STRING, 2); + xfer += oprot->writeString(this->authorizer); + xfer += oprot->writeFieldEnd(); + + xfer += oprot->writeFieldBegin("grantRequest", ::apache::thrift::protocol::T_STRUCT, 3); xfer += this->grantRequest.write(oprot); xfer += oprot->writeFieldEnd(); 
@@ -33310,7 +33322,11 @@ uint32_t ThriftHiveMetastore_refresh_privileges_pargs::write(::apache::thrift::p xfer += (*(this->objToRefresh)).write(oprot); xfer += oprot->writeFieldEnd(); - xfer += oprot->writeFieldBegin("grantRequest", ::apache::thrift::protocol::T_STRUCT, 2); + xfer += oprot->writeFieldBegin("authorizer", ::apache::thrift::protocol::T_STRING, 2); + xfer += oprot->writeString((*(this->authorizer))); + xfer += oprot->writeFieldEnd(); + + xfer += oprot->writeFieldBegin("grantRequest", ::apache::thrift::protocol::T_STRUCT, 3); xfer += (*(this->grantRequest)).write(oprot); xfer += oprot->writeFieldEnd(); 
@@ -58204,19 +58220,20 @@ void ThriftHiveMetastoreClient::recv_grant_revoke_privileges(GrantRevokePrivileg throw ::apache::thrift::TApplicationException(::apache::thrift::TApplicationException::MISSING_RESULT, "grant_revoke_privileges failed: unknown result"); } -void ThriftHiveMetastoreClient::refresh_privileges(GrantRevokePrivilegeResponse& _return, const HiveObjectRef& objToRefresh, const GrantRevokePrivilegeRequest& grantRequest) +void ThriftHiveMetastoreClient::refresh_privileges(GrantRevokePrivilegeResponse& _return, const HiveObjectRef& objToRefresh, const std::string& authorizer, const GrantRevokePrivilegeRequest& grantRequest) { - send_refresh_privileges(objToRefresh, grantRequest); + send_refresh_privileges(objToRefresh, authorizer, grantRequest); recv_refresh_privileges(_return); } -void ThriftHiveMetastoreClient::send_refresh_privileges(const HiveObjectRef& objToRefresh, const GrantRevokePrivilegeRequest& grantRequest) +void ThriftHiveMetastoreClient::send_refresh_privileges(const HiveObjectRef& objToRefresh, const std::string& authorizer, const GrantRevokePrivilegeRequest& grantRequest) { int32_t cseqid = 0; oprot_->writeMessageBegin("refresh_privileges", ::apache::thrift::protocol::T_CALL, cseqid); ThriftHiveMetastore_refresh_privileges_pargs args; args.objToRefresh = &objToRefresh; + args.authorizer = &authorizer; args.grantRequest = &grantRequest; args.write(oprot_); @@ -70714,7 +70731,7 @@ void ThriftHiveMetastoreProcessor::process_refresh_privileges(int32_t seqid, ::a ThriftHiveMetastore_refresh_privileges_result result; try { - iface_->refresh_privileges(result.success, args.objToRefresh, args.grantRequest); + iface_->refresh_privileges(result.success, args.objToRefresh, args.authorizer, args.grantRequest); result.__isset.success = true; } catch (MetaException &o1) { result.o1 = o1; 
@@ -87024,13 +87041,13 @@ void ThriftHiveMetastoreConcurrentClient::recv_grant_revoke_privileges(GrantRevo } // end while(true) } -void ThriftHiveMetastoreConcurrentClient::refresh_privileges(GrantRevokePrivilegeResponse& _return, const HiveObjectRef& objToRefresh, const GrantRevokePrivilegeRequest& grantRequest) +void ThriftHiveMetastoreConcurrentClient::refresh_privileges(GrantRevokePrivilegeResponse& _return, const HiveObjectRef& objToRefresh, const std::string& authorizer, const GrantRevokePrivilegeRequest& grantRequest) { - int32_t seqid = send_refresh_privileges(objToRefresh, grantRequest); + int32_t seqid = send_refresh_privileges(objToRefresh, authorizer, grantRequest); recv_refresh_privileges(_return, seqid); } -int32_t ThriftHiveMetastoreConcurrentClient::send_refresh_privileges(const HiveObjectRef& objToRefresh, const GrantRevokePrivilegeRequest& grantRequest) +int32_t ThriftHiveMetastoreConcurrentClient::send_refresh_privileges(const HiveObjectRef& objToRefresh, const std::string& authorizer, const GrantRevokePrivilegeRequest& grantRequest) { int32_t cseqid = this->sync_.generateSeqId(); ::apache::thrift::async::TConcurrentSendSentry sentry(&this->sync_); @@ -87038,6 +87055,7 @@ int32_t ThriftHiveMetastoreConcurrentClient::send_refresh_privileges(const HiveO ThriftHiveMetastore_refresh_privileges_pargs args; args.objToRefresh = &objToRefresh; + args.authorizer = &authorizer; args.grantRequest = &grantRequest; args.write(oprot_); diff --git a/standalone-metastore/src/gen/thrift/gen-cpp/ThriftHiveMetastore.h b/standalone-metastore/src/gen/thrift/gen-cpp/ThriftHiveMetastore.h index dac6983..b7987e3 100644 --- a/standalone-metastore/src/gen/thrift/gen-cpp/ThriftHiveMetastore.h +++ b/standalone-metastore/src/gen/thrift/gen-cpp/ThriftHiveMetastore.h 
@@ -149,7 +149,7 @@ class ThriftHiveMetastoreIf : virtual public ::facebook::fb303::FacebookService virtual bool grant_privileges(const PrivilegeBag& privileges) = 0; virtual bool revoke_privileges(const PrivilegeBag& privileges) = 0; virtual void grant_revoke_privileges(GrantRevokePrivilegeResponse& _return, const GrantRevokePrivilegeRequest& request) = 0; - virtual void refresh_privileges(GrantRevokePrivilegeResponse& _return, const HiveObjectRef& objToRefresh, const GrantRevokePrivilegeRequest& grantRequest) = 0; + virtual void refresh_privileges(GrantRevokePrivilegeResponse& _return, const HiveObjectRef& objToRefresh, const std::string& authorizer, const GrantRevokePrivilegeRequest& grantRequest) = 0; virtual void set_ugi(std::vector & _return, const std::string& user_name, const std::vector & group_names) = 0; virtual void get_delegation_token(std::string& _return, const std::string& token_owner, const std::string& renewer_kerberos_principal_name) = 0; virtual int64_t renew_delegation_token(const std::string& token_str_form) = 0; @@ -660,7 +660,7 @@ class ThriftHiveMetastoreNull : virtual public ThriftHiveMetastoreIf , virtual p void grant_revoke_privileges(GrantRevokePrivilegeResponse& /* _return */, const GrantRevokePrivilegeRequest& /* request */) { return; } - void refresh_privileges(GrantRevokePrivilegeResponse& /* _return */, const HiveObjectRef& /* objToRefresh */, const GrantRevokePrivilegeRequest& /* grantRequest */) { + void refresh_privileges(GrantRevokePrivilegeResponse& /* _return */, const HiveObjectRef& /* objToRefresh */, const std::string& /* authorizer */, const GrantRevokePrivilegeRequest& /* grantRequest */) { return; } void set_ugi(std::vector & /* _return */, const std::string& /* user_name */, const std::vector & /* group_names */) { 
@@ -17173,8 +17173,9 @@ class ThriftHiveMetastore_grant_revoke_privileges_presult { }; typedef struct _ThriftHiveMetastore_refresh_privileges_args__isset { - _ThriftHiveMetastore_refresh_privileges_args__isset() : objToRefresh(false), grantRequest(false) {} + _ThriftHiveMetastore_refresh_privileges_args__isset() : objToRefresh(false), authorizer(false), grantRequest(false) {} bool objToRefresh :1; + bool authorizer :1; bool grantRequest :1; } _ThriftHiveMetastore_refresh_privileges_args__isset; @@ -17183,23 +17184,28 @@ class ThriftHiveMetastore_refresh_privileges_args { ThriftHiveMetastore_refresh_privileges_args(const ThriftHiveMetastore_refresh_privileges_args&); ThriftHiveMetastore_refresh_privileges_args& operator=(const ThriftHiveMetastore_refresh_privileges_args&); - ThriftHiveMetastore_refresh_privileges_args() { + ThriftHiveMetastore_refresh_privileges_args() : authorizer() { } virtual ~ThriftHiveMetastore_refresh_privileges_args() throw(); HiveObjectRef objToRefresh; + std::string authorizer; GrantRevokePrivilegeRequest grantRequest; _ThriftHiveMetastore_refresh_privileges_args__isset __isset; void __set_objToRefresh(const HiveObjectRef& val); + void __set_authorizer(const std::string& val); + void __set_grantRequest(const GrantRevokePrivilegeRequest& val); bool operator == (const ThriftHiveMetastore_refresh_privileges_args & rhs) const { if (!(objToRefresh == rhs.objToRefresh)) return false; + if (!(authorizer == rhs.authorizer)) + return false; if (!(grantRequest == rhs.grantRequest)) return false; return true; @@ -17222,6 +17228,7 @@ class ThriftHiveMetastore_refresh_privileges_pargs { virtual ~ThriftHiveMetastore_refresh_privileges_pargs() throw(); const HiveObjectRef* objToRefresh; + const std::string* authorizer; const GrantRevokePrivilegeRequest* grantRequest; uint32_t write(::apache::thrift::protocol::TProtocol* oprot) const; 
@@ -26473,8 +26480,8 @@ class ThriftHiveMetastoreClient : virtual public ThriftHiveMetastoreIf, public void grant_revoke_privileges(GrantRevokePrivilegeResponse& _return, const GrantRevokePrivilegeRequest& request); void send_grant_revoke_privileges(const GrantRevokePrivilegeRequest& request); void recv_grant_revoke_privileges(GrantRevokePrivilegeResponse& _return); - void refresh_privileges(GrantRevokePrivilegeResponse& _return, const HiveObjectRef& objToRefresh, const GrantRevokePrivilegeRequest& grantRequest); - void send_refresh_privileges(const HiveObjectRef& objToRefresh, const GrantRevokePrivilegeRequest& grantRequest); + void refresh_privileges(GrantRevokePrivilegeResponse& _return, const HiveObjectRef& objToRefresh, const std::string& authorizer, const GrantRevokePrivilegeRequest& grantRequest); + void send_refresh_privileges(const HiveObjectRef& objToRefresh, const std::string& authorizer, const GrantRevokePrivilegeRequest& grantRequest); void recv_refresh_privileges(GrantRevokePrivilegeResponse& _return); void set_ugi(std::vector & _return, const std::string& user_name, const std::vector & group_names); void send_set_ugi(const std::string& user_name, const std::vector & group_names); 
@@ -28385,13 +28392,13 @@ class ThriftHiveMetastoreMultiface : virtual public ThriftHiveMetastoreIf, publi return; } - void refresh_privileges(GrantRevokePrivilegeResponse& _return, const HiveObjectRef& objToRefresh, const GrantRevokePrivilegeRequest& grantRequest) { + void refresh_privileges(GrantRevokePrivilegeResponse& _return, const HiveObjectRef& objToRefresh, const std::string& authorizer, const GrantRevokePrivilegeRequest& grantRequest) { size_t sz = ifaces_.size(); size_t i = 0; for (; i < (sz - 1); ++i) { - ifaces_[i]->refresh_privileges(_return, objToRefresh, grantRequest); + ifaces_[i]->refresh_privileges(_return, objToRefresh, authorizer, grantRequest); } - ifaces_[i]->refresh_privileges(_return, objToRefresh, grantRequest); + ifaces_[i]->refresh_privileges(_return, objToRefresh, authorizer, grantRequest); return; } 
@@ -29546,8 +29553,8 @@ class ThriftHiveMetastoreConcurrentClient : virtual public ThriftHiveMetastoreIf void grant_revoke_privileges(GrantRevokePrivilegeResponse& _return, const GrantRevokePrivilegeRequest& request); int32_t send_grant_revoke_privileges(const GrantRevokePrivilegeRequest& request); void recv_grant_revoke_privileges(GrantRevokePrivilegeResponse& _return, const int32_t seqid); - void refresh_privileges(GrantRevokePrivilegeResponse& _return, const HiveObjectRef& objToRefresh, const GrantRevokePrivilegeRequest& grantRequest); - int32_t send_refresh_privileges(const HiveObjectRef& objToRefresh, const GrantRevokePrivilegeRequest& grantRequest); + void refresh_privileges(GrantRevokePrivilegeResponse& _return, const HiveObjectRef& objToRefresh, const std::string& authorizer, const GrantRevokePrivilegeRequest& grantRequest); + int32_t send_refresh_privileges(const HiveObjectRef& objToRefresh, const std::string& authorizer, const GrantRevokePrivilegeRequest& grantRequest); void recv_refresh_privileges(GrantRevokePrivilegeResponse& _return, const int32_t seqid); void set_ugi(std::vector & _return, const std::string& user_name, const std::vector & group_names); int32_t send_set_ugi(const std::string& user_name, const std::vector & group_names); diff --git a/standalone-metastore/src/gen/thrift/gen-cpp/ThriftHiveMetastore_server.skeleton.cpp b/standalone-metastore/src/gen/thrift/gen-cpp/ThriftHiveMetastore_server.skeleton.cpp index c4a8baf..3d9d75e 100644 --- a/standalone-metastore/src/gen/thrift/gen-cpp/ThriftHiveMetastore_server.skeleton.cpp +++ b/standalone-metastore/src/gen/thrift/gen-cpp/ThriftHiveMetastore_server.skeleton.cpp 
@@ -657,7 +657,7 @@ class ThriftHiveMetastoreHandler : virtual public ThriftHiveMetastoreIf { printf("grant_revoke_privileges\n"); } - void refresh_privileges(GrantRevokePrivilegeResponse& _return, const HiveObjectRef& objToRefresh, const GrantRevokePrivilegeRequest& grantRequest) { + void refresh_privileges(GrantRevokePrivilegeResponse& _return, const HiveObjectRef& objToRefresh, const std::string& authorizer, const GrantRevokePrivilegeRequest& grantRequest) { // Your implementation goes here printf("refresh_privileges\n"); } diff --git a/standalone-metastore/src/gen/thrift/gen-cpp/hive_metastore_types.cpp b/standalone-metastore/src/gen/thrift/gen-cpp/hive_metastore_types.cpp index af975fc..8925fe2 100644 --- a/standalone-metastore/src/gen/thrift/gen-cpp/hive_metastore_types.cpp +++ b/standalone-metastore/src/gen/thrift/gen-cpp/hive_metastore_types.cpp @@ -2658,6 +2658,10 @@ void HiveObjectPrivilege::__set_grantInfo(const PrivilegeGrantInfo& val) { this->grantInfo = val; } +void HiveObjectPrivilege::__set_authorizer(const std::string& val) { + this->authorizer = val; +} + uint32_t HiveObjectPrivilege::read(::apache::thrift::protocol::TProtocol* iprot) { apache::thrift::protocol::TInputRecursionTracker tracker(*iprot); @@ -2713,6 +2717,14 @@ uint32_t HiveObjectPrivilege::read(::apache::thrift::protocol::TProtocol* iprot) xfer += iprot->skip(ftype); } break; + case 5: + if (ftype == ::apache::thrift::protocol::T_STRING) { + xfer += iprot->readString(this->authorizer); + this->__isset.authorizer = true; + } else { + xfer += iprot->skip(ftype); + } + break; default: xfer += iprot->skip(ftype); break; 
@@ -2746,6 +2758,10 @@ uint32_t HiveObjectPrivilege::write(::apache::thrift::protocol::TProtocol* oprot xfer += this->grantInfo.write(oprot); xfer += oprot->writeFieldEnd(); + xfer += oprot->writeFieldBegin("authorizer", ::apache::thrift::protocol::T_STRING, 5); + xfer += oprot->writeString(this->authorizer); + xfer += oprot->writeFieldEnd(); + xfer += oprot->writeFieldStop(); xfer += oprot->writeStructEnd(); return xfer; @@ -2757,6 +2773,7 @@ void swap(HiveObjectPrivilege &a, HiveObjectPrivilege &b) { swap(a.principalName, b.principalName); swap(a.principalType, b.principalType); swap(a.grantInfo, b.grantInfo); + swap(a.authorizer, b.authorizer); swap(a.__isset, b.__isset); } @@ -2765,6 +2782,7 @@ HiveObjectPrivilege::HiveObjectPrivilege(const HiveObjectPrivilege& other37) { principalName = other37.principalName; principalType = other37.principalType; grantInfo = other37.grantInfo; + authorizer = other37.authorizer; __isset = other37.__isset; } HiveObjectPrivilege& HiveObjectPrivilege::operator=(const HiveObjectPrivilege& other38) { @@ -2772,6 +2790,7 @@ HiveObjectPrivilege& HiveObjectPrivilege::operator=(const HiveObjectPrivilege& o principalName = other38.principalName; principalType = other38.principalType; grantInfo = other38.grantInfo; + authorizer = other38.authorizer; __isset = other38.__isset; return *this; } @@ -2782,6 +2801,7 @@ void HiveObjectPrivilege::printTo(std::ostream& out) const { out << ", " << "principalName=" << to_string(principalName); out << ", " << "principalType=" << to_string(principalType); out << ", " << "grantInfo=" << to_string(grantInfo); + out << ", " << "authorizer=" << to_string(authorizer); out << ")"; } diff --git a/standalone-metastore/src/gen/thrift/gen-cpp/hive_metastore_types.h b/standalone-metastore/src/gen/thrift/gen-cpp/hive_metastore_types.h index 7b42182..78656d9 100644 --- a/standalone-metastore/src/gen/thrift/gen-cpp/hive_metastore_types.h +++ b/standalone-metastore/src/gen/thrift/gen-cpp/hive_metastore_types.h 
@@ -1622,11 +1622,12 @@ inline std::ostream& operator<<(std::ostream& out, const PrivilegeGrantInfo& obj } typedef struct _HiveObjectPrivilege__isset { - _HiveObjectPrivilege__isset() : hiveObject(false), principalName(false), principalType(false), grantInfo(false) {} + _HiveObjectPrivilege__isset() : hiveObject(false), principalName(false), principalType(false), grantInfo(false), authorizer(false) {} bool hiveObject :1; bool principalName :1; bool principalType :1; bool grantInfo :1; + bool authorizer :1; } _HiveObjectPrivilege__isset; class HiveObjectPrivilege { @@ -1634,7 +1635,7 @@ class HiveObjectPrivilege { HiveObjectPrivilege(const HiveObjectPrivilege&); HiveObjectPrivilege& operator=(const HiveObjectPrivilege&); - HiveObjectPrivilege() : principalName(), principalType((PrincipalType::type)0) { + HiveObjectPrivilege() : principalName(), principalType((PrincipalType::type)0), authorizer() { } virtual ~HiveObjectPrivilege() throw(); @@ -1642,6 +1643,7 @@ class HiveObjectPrivilege { std::string principalName; PrincipalType::type principalType; PrivilegeGrantInfo grantInfo; + std::string authorizer; _HiveObjectPrivilege__isset __isset; @@ -1653,6 +1655,8 @@ class HiveObjectPrivilege { void __set_grantInfo(const PrivilegeGrantInfo& val); + void __set_authorizer(const std::string& val); + bool operator == (const HiveObjectPrivilege & rhs) const { if (!(hiveObject == rhs.hiveObject)) @@ -1663,6 +1667,8 @@ class HiveObjectPrivilege { return false; if (!(grantInfo == rhs.grantInfo)) return false; + if (!(authorizer == rhs.authorizer)) + return false; return true; } bool operator != (const HiveObjectPrivilege &rhs) const { diff --git a/standalone-metastore/src/gen/thrift/gen-javabean/org/apache/hadoop/hive/metastore/api/HiveObjectPrivilege.java b/standalone-metastore/src/gen/thrift/gen-javabean/org/apache/hadoop/hive/metastore/api/HiveObjectPrivilege.java index ef2e535..8b2817d 100644 
--- a/standalone-metastore/src/gen/thrift/gen-javabean/org/apache/hadoop/hive/metastore/api/HiveObjectPrivilege.java +++ b/standalone-metastore/src/gen/thrift/gen-javabean/org/apache/hadoop/hive/metastore/api/HiveObjectPrivilege.java @@ -42,6 +42,7 @@ private static final org.apache.thrift.protocol.TField PRINCIPAL_NAME_FIELD_DESC = new org.apache.thrift.protocol.TField("principalName", org.apache.thrift.protocol.TType.STRING, (short)2); private static final org.apache.thrift.protocol.TField PRINCIPAL_TYPE_FIELD_DESC = new org.apache.thrift.protocol.TField("principalType", org.apache.thrift.protocol.TType.I32, (short)3); private static final org.apache.thrift.protocol.TField GRANT_INFO_FIELD_DESC = new org.apache.thrift.protocol.TField("grantInfo", org.apache.thrift.protocol.TType.STRUCT, (short)4); + private static final org.apache.thrift.protocol.TField AUTHORIZER_FIELD_DESC = new org.apache.thrift.protocol.TField("authorizer", org.apache.thrift.protocol.TType.STRING, (short)5); private static final Map, SchemeFactory> schemes = new HashMap, SchemeFactory>(); static { @@ -53,6 +54,7 @@ private String principalName; // required private PrincipalType principalType; // required private PrivilegeGrantInfo grantInfo; // required + private String authorizer; // required /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */ public enum _Fields implements org.apache.thrift.TFieldIdEnum { @@ -63,7 +65,8 @@ * @see PrincipalType */ PRINCIPAL_TYPE((short)3, "principalType"), - GRANT_INFO((short)4, "grantInfo"); + GRANT_INFO((short)4, "grantInfo"), + AUTHORIZER((short)5, "authorizer"); private static final Map byName = new HashMap(); @@ -86,6 +89,8 @@ public static _Fields findByThriftId(int fieldId) { return PRINCIPAL_TYPE; case 4: // GRANT_INFO return GRANT_INFO; + case 5: // AUTHORIZER + return AUTHORIZER; default: return null; } 
@@ -137,6 +142,8 @@ public String getFieldName() { new org.apache.thrift.meta_data.EnumMetaData(org.apache.thrift.protocol.TType.ENUM, PrincipalType.class))); tmpMap.put(_Fields.GRANT_INFO, new org.apache.thrift.meta_data.FieldMetaData("grantInfo", org.apache.thrift.TFieldRequirementType.DEFAULT, new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, PrivilegeGrantInfo.class))); + tmpMap.put(_Fields.AUTHORIZER, new org.apache.thrift.meta_data.FieldMetaData("authorizer", org.apache.thrift.TFieldRequirementType.DEFAULT, + new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); metaDataMap = Collections.unmodifiableMap(tmpMap); org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(HiveObjectPrivilege.class, metaDataMap); } @@ -148,13 +155,15 @@ public HiveObjectPrivilege( HiveObjectRef hiveObject, String principalName, PrincipalType principalType, - PrivilegeGrantInfo grantInfo) + PrivilegeGrantInfo grantInfo, + String authorizer) { this(); this.hiveObject = hiveObject; this.principalName = principalName; this.principalType = principalType; this.grantInfo = grantInfo; + this.authorizer = authorizer; } /** @@ -173,6 +182,9 @@ public HiveObjectPrivilege(HiveObjectPrivilege other) { if (other.isSetGrantInfo()) { this.grantInfo = new PrivilegeGrantInfo(other.grantInfo); } + if (other.isSetAuthorizer()) { + this.authorizer = other.authorizer; + } } public HiveObjectPrivilege deepCopy() { @@ -185,6 +197,7 @@ public void clear() { this.principalName = null; this.principalType = null; this.grantInfo = null; + this.authorizer = null; } public HiveObjectRef getHiveObject() { 
@@ -287,6 +300,29 @@ public void setGrantInfoIsSet(boolean value) { } } + public String getAuthorizer() { + return this.authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } + + public void unsetAuthorizer() { + this.authorizer = null; + } + + /** Returns true if field authorizer is set (has been assigned a value) and false otherwise */ + public boolean isSetAuthorizer() { + return this.authorizer != null; + } + + public void setAuthorizerIsSet(boolean value) { + if (!value) { + this.authorizer = null; + } + } + public void setFieldValue(_Fields field, Object value) { switch (field) { case HIVE_OBJECT: @@ -321,6 +357,14 @@ public void setFieldValue(_Fields field, Object value) { } break; + case AUTHORIZER: + if (value == null) { + unsetAuthorizer(); + } else { + setAuthorizer((String)value); + } + break; + } } @@ -338,6 +382,9 @@ public Object getFieldValue(_Fields field) { case GRANT_INFO: return getGrantInfo(); + case AUTHORIZER: + return getAuthorizer(); + } throw new IllegalStateException(); } @@ -357,6 +404,8 @@ public boolean isSet(_Fields field) { return isSetPrincipalType(); case GRANT_INFO: return isSetGrantInfo(); + case AUTHORIZER: + return isSetAuthorizer(); } throw new IllegalStateException(); } @@ -410,6 +459,15 @@ public boolean equals(HiveObjectPrivilege that) { return false; } + boolean this_present_authorizer = true && this.isSetAuthorizer(); + boolean that_present_authorizer = true && that.isSetAuthorizer(); + if (this_present_authorizer || that_present_authorizer) { + if (!(this_present_authorizer && that_present_authorizer)) + return false; + if (!this.authorizer.equals(that.authorizer)) + return false; + } + return true; } @@ -437,6 +495,11 @@ public int hashCode() { if (present_grantInfo) list.add(grantInfo); + boolean present_authorizer = true && (isSetAuthorizer()); + list.add(present_authorizer); + if (present_authorizer) + list.add(authorizer); + return list.hashCode(); } 
@@ -488,6 +551,16 @@ public int compareTo(HiveObjectPrivilege other) { return lastComparison; } } + lastComparison = Boolean.valueOf(isSetAuthorizer()).compareTo(other.isSetAuthorizer()); + if (lastComparison != 0) { + return lastComparison; + } + if (isSetAuthorizer()) { + lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.authorizer, other.authorizer); + if (lastComparison != 0) { + return lastComparison; + } + } return 0; } @@ -539,6 +612,14 @@ public String toString() { sb.append(this.grantInfo); } first = false; + if (!first) sb.append(", "); + sb.append("authorizer:"); + if (this.authorizer == null) { + sb.append("null"); + } else { + sb.append(this.authorizer); + } + first = false; sb.append(")"); return sb.toString(); } @@ -622,6 +703,14 @@ public void read(org.apache.thrift.protocol.TProtocol iprot, HiveObjectPrivilege org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } break; + case 5: // AUTHORIZER + if (schemeField.type == org.apache.thrift.protocol.TType.STRING) { + struct.authorizer = iprot.readString(); + struct.setAuthorizerIsSet(true); + } else { + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + break; default: org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } @@ -655,6 +744,11 @@ public void write(org.apache.thrift.protocol.TProtocol oprot, HiveObjectPrivileg struct.grantInfo.write(oprot); oprot.writeFieldEnd(); } + if (struct.authorizer != null) { + oprot.writeFieldBegin(AUTHORIZER_FIELD_DESC); + oprot.writeString(struct.authorizer); + oprot.writeFieldEnd(); + } oprot.writeFieldStop(); oprot.writeStructEnd(); } @@ -685,7 +779,10 @@ public void write(org.apache.thrift.protocol.TProtocol prot, HiveObjectPrivilege if (struct.isSetGrantInfo()) { optionals.set(3); } - oprot.writeBitSet(optionals, 4); + if (struct.isSetAuthorizer()) { + optionals.set(4); + } + oprot.writeBitSet(optionals, 5); if (struct.isSetHiveObject()) { struct.hiveObject.write(oprot); } 
@@ -698,12 +795,15 @@ public void write(org.apache.thrift.protocol.TProtocol prot, HiveObjectPrivilege if (struct.isSetGrantInfo()) { struct.grantInfo.write(oprot); } + if (struct.isSetAuthorizer()) { + oprot.writeString(struct.authorizer); + } } @Override public void read(org.apache.thrift.protocol.TProtocol prot, HiveObjectPrivilege struct) throws org.apache.thrift.TException { TTupleProtocol iprot = (TTupleProtocol) prot; - BitSet incoming = iprot.readBitSet(4); + BitSet incoming = iprot.readBitSet(5); if (incoming.get(0)) { struct.hiveObject = new HiveObjectRef(); struct.hiveObject.read(iprot); @@ -722,6 +822,10 @@ public void read(org.apache.thrift.protocol.TProtocol prot, HiveObjectPrivilege struct.grantInfo.read(iprot); struct.setGrantInfoIsSet(true); } + if (incoming.get(4)) { + struct.authorizer = iprot.readString(); + struct.setAuthorizerIsSet(true); + } } } diff --git a/standalone-metastore/src/gen/thrift/gen-javabean/org/apache/hadoop/hive/metastore/api/ThriftHiveMetastore.java b/standalone-metastore/src/gen/thrift/gen-javabean/org/apache/hadoop/hive/metastore/api/ThriftHiveMetastore.java index 3139058..929f328 100644 --- a/standalone-metastore/src/gen/thrift/gen-javabean/org/apache/hadoop/hive/metastore/api/ThriftHiveMetastore.java +++ b/standalone-metastore/src/gen/thrift/gen-javabean/org/apache/hadoop/hive/metastore/api/ThriftHiveMetastore.java 
@@ -296,7 +296,7 @@ public GrantRevokePrivilegeResponse grant_revoke_privileges(GrantRevokePrivilegeRequest request) throws MetaException, org.apache.thrift.TException; - public GrantRevokePrivilegeResponse refresh_privileges(HiveObjectRef objToRefresh, GrantRevokePrivilegeRequest grantRequest) throws MetaException, org.apache.thrift.TException; + public GrantRevokePrivilegeResponse refresh_privileges(HiveObjectRef objToRefresh, String authorizer, GrantRevokePrivilegeRequest grantRequest) throws MetaException, org.apache.thrift.TException; public List set_ugi(String user_name, List group_names) throws MetaException, org.apache.thrift.TException; @@ -712,7 +712,7 @@ public void grant_revoke_privileges(GrantRevokePrivilegeRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException; - public void refresh_privileges(HiveObjectRef objToRefresh, GrantRevokePrivilegeRequest grantRequest, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException; + public void refresh_privileges(HiveObjectRef objToRefresh, String authorizer, GrantRevokePrivilegeRequest grantRequest, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException; public void set_ugi(String user_name, List group_names, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException; 
@@ -4706,16 +4706,17 @@ public GrantRevokePrivilegeResponse recv_grant_revoke_privileges() throws MetaEx throw new org.apache.thrift.TApplicationException(org.apache.thrift.TApplicationException.MISSING_RESULT, "grant_revoke_privileges failed: unknown result"); } - public GrantRevokePrivilegeResponse refresh_privileges(HiveObjectRef objToRefresh, GrantRevokePrivilegeRequest grantRequest) throws MetaException, org.apache.thrift.TException + public GrantRevokePrivilegeResponse refresh_privileges(HiveObjectRef objToRefresh, String authorizer, GrantRevokePrivilegeRequest grantRequest) throws MetaException, org.apache.thrift.TException { - send_refresh_privileges(objToRefresh, grantRequest); + send_refresh_privileges(objToRefresh, authorizer, grantRequest); return recv_refresh_privileges(); } - public void send_refresh_privileges(HiveObjectRef objToRefresh, GrantRevokePrivilegeRequest grantRequest) throws org.apache.thrift.TException + public void send_refresh_privileges(HiveObjectRef objToRefresh, String authorizer, GrantRevokePrivilegeRequest grantRequest) throws org.apache.thrift.TException { refresh_privileges_args args = new refresh_privileges_args(); args.setObjToRefresh(objToRefresh); + args.setAuthorizer(authorizer); args.setGrantRequest(grantRequest); sendBase("refresh_privileges", args); } 
@@ -11369,19 +11370,21 @@ public GrantRevokePrivilegeResponse getResult() throws MetaException, org.apache } } - public void refresh_privileges(HiveObjectRef objToRefresh, GrantRevokePrivilegeRequest grantRequest, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException { + public void refresh_privileges(HiveObjectRef objToRefresh, String authorizer, GrantRevokePrivilegeRequest grantRequest, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException { checkReady(); - refresh_privileges_call method_call = new refresh_privileges_call(objToRefresh, grantRequest, resultHandler, this, ___protocolFactory, ___transport); + refresh_privileges_call method_call = new refresh_privileges_call(objToRefresh, authorizer, grantRequest, resultHandler, this, ___protocolFactory, ___transport); this.___currentMethod = method_call; ___manager.call(method_call); } @org.apache.hadoop.classification.InterfaceAudience.Public @org.apache.hadoop.classification.InterfaceStability.Stable public static class refresh_privileges_call extends org.apache.thrift.async.TAsyncMethodCall { private HiveObjectRef objToRefresh; + private String authorizer; private GrantRevokePrivilegeRequest grantRequest; - public refresh_privileges_call(HiveObjectRef objToRefresh, GrantRevokePrivilegeRequest grantRequest, org.apache.thrift.async.AsyncMethodCallback resultHandler, org.apache.thrift.async.TAsyncClient client, org.apache.thrift.protocol.TProtocolFactory protocolFactory, org.apache.thrift.transport.TNonblockingTransport transport) throws org.apache.thrift.TException { + public refresh_privileges_call(HiveObjectRef objToRefresh, String authorizer, GrantRevokePrivilegeRequest grantRequest, org.apache.thrift.async.AsyncMethodCallback resultHandler, org.apache.thrift.async.TAsyncClient client, org.apache.thrift.protocol.TProtocolFactory protocolFactory, org.apache.thrift.transport.TNonblockingTransport transport) throws 
org.apache.thrift.TException { super(client, protocolFactory, transport, resultHandler, false); this.objToRefresh = objToRefresh; + this.authorizer = authorizer; this.grantRequest = grantRequest; } @@ -11389,6 +11392,7 @@ public void write_args(org.apache.thrift.protocol.TProtocol prot) throws org.apa prot.writeMessageBegin(new org.apache.thrift.protocol.TMessage("refresh_privileges", org.apache.thrift.protocol.TMessageType.CALL, 0)); refresh_privileges_args args = new refresh_privileges_args(); args.setObjToRefresh(objToRefresh); + args.setAuthorizer(authorizer); args.setGrantRequest(grantRequest); args.write(prot); prot.writeMessageEnd(); @@ -17507,7 +17511,7 @@ protected boolean isOneway() { public refresh_privileges_result getResult(I iface, refresh_privileges_args args) throws org.apache.thrift.TException { refresh_privileges_result result = new refresh_privileges_result(); try { - result.success = iface.refresh_privileges(args.objToRefresh, args.grantRequest); + result.success = iface.refresh_privileges(args.objToRefresh, args.authorizer, args.grantRequest); } catch (MetaException o1) { result.o1 = o1; } @@ -27655,7 +27659,7 @@ protected boolean isOneway() { } public void start(I iface, refresh_privileges_args args, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws TException { - iface.refresh_privileges(args.objToRefresh, args.grantRequest,resultHandler); + iface.refresh_privileges(args.objToRefresh, args.authorizer, args.grantRequest,resultHandler); } } 
@@ -169811,7 +169815,8 @@ public void read(org.apache.thrift.protocol.TProtocol prot, grant_revoke_privile private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("refresh_privileges_args"); private static final org.apache.thrift.protocol.TField OBJ_TO_REFRESH_FIELD_DESC = new org.apache.thrift.protocol.TField("objToRefresh", org.apache.thrift.protocol.TType.STRUCT, (short)1); - private static final org.apache.thrift.protocol.TField GRANT_REQUEST_FIELD_DESC = new org.apache.thrift.protocol.TField("grantRequest", org.apache.thrift.protocol.TType.STRUCT, (short)2); + private static final org.apache.thrift.protocol.TField AUTHORIZER_FIELD_DESC = new org.apache.thrift.protocol.TField("authorizer", org.apache.thrift.protocol.TType.STRING, (short)2); + private static final org.apache.thrift.protocol.TField GRANT_REQUEST_FIELD_DESC = new org.apache.thrift.protocol.TField("grantRequest", org.apache.thrift.protocol.TType.STRUCT, (short)3); private static final Map, SchemeFactory> schemes = new HashMap, SchemeFactory>(); static { @@ -169820,12 +169825,14 @@ public void read(org.apache.thrift.protocol.TProtocol prot, grant_revoke_privile } private HiveObjectRef objToRefresh; // required + private String authorizer; // required private GrantRevokePrivilegeRequest grantRequest; // required /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */ public enum _Fields implements org.apache.thrift.TFieldIdEnum { OBJ_TO_REFRESH((short)1, "objToRefresh"), - GRANT_REQUEST((short)2, "grantRequest"); + AUTHORIZER((short)2, "authorizer"), + GRANT_REQUEST((short)3, "grantRequest"); private static final Map byName = new HashMap(); 
@@ -169842,7 +169849,9 @@ public static _Fields findByThriftId(int fieldId) { switch(fieldId) { case 1: // OBJ_TO_REFRESH return OBJ_TO_REFRESH; - case 2: // GRANT_REQUEST + case 2: // AUTHORIZER + return AUTHORIZER; + case 3: // GRANT_REQUEST return GRANT_REQUEST; default: return null; @@ -169889,6 +169898,8 @@ public String getFieldName() { Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class); tmpMap.put(_Fields.OBJ_TO_REFRESH, new org.apache.thrift.meta_data.FieldMetaData("objToRefresh", org.apache.thrift.TFieldRequirementType.DEFAULT, new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, HiveObjectRef.class))); + tmpMap.put(_Fields.AUTHORIZER, new org.apache.thrift.meta_data.FieldMetaData("authorizer", org.apache.thrift.TFieldRequirementType.DEFAULT, + new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING))); tmpMap.put(_Fields.GRANT_REQUEST, new org.apache.thrift.meta_data.FieldMetaData("grantRequest", org.apache.thrift.TFieldRequirementType.DEFAULT, new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, GrantRevokePrivilegeRequest.class))); metaDataMap = Collections.unmodifiableMap(tmpMap); @@ -169900,10 +169911,12 @@ public refresh_privileges_args() { public refresh_privileges_args( HiveObjectRef objToRefresh, + String authorizer, GrantRevokePrivilegeRequest grantRequest) { this(); this.objToRefresh = objToRefresh; + this.authorizer = authorizer; this.grantRequest = grantRequest; } @@ -169914,6 +169927,9 @@ public refresh_privileges_args(refresh_privileges_args other) { if (other.isSetObjToRefresh()) { this.objToRefresh = new HiveObjectRef(other.objToRefresh); } + if (other.isSetAuthorizer()) { + this.authorizer = other.authorizer; + } if (other.isSetGrantRequest()) { this.grantRequest = new GrantRevokePrivilegeRequest(other.grantRequest); } 
@@ -169926,6 +169942,7 @@ public refresh_privileges_args deepCopy() { @Override public void clear() { this.objToRefresh = null; + this.authorizer = null; this.grantRequest = null; } @@ -169952,6 +169969,29 @@ public void setObjToRefreshIsSet(boolean value) { } } + public String getAuthorizer() { + return this.authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } + + public void unsetAuthorizer() { + this.authorizer = null; + } + + /** Returns true if field authorizer is set (has been assigned a value) and false otherwise */ + public boolean isSetAuthorizer() { + return this.authorizer != null; + } + + public void setAuthorizerIsSet(boolean value) { + if (!value) { + this.authorizer = null; + } + } + public GrantRevokePrivilegeRequest getGrantRequest() { return this.grantRequest; } @@ -169985,6 +170025,14 @@ public void setFieldValue(_Fields field, Object value) { } break; + case AUTHORIZER: + if (value == null) { + unsetAuthorizer(); + } else { + setAuthorizer((String)value); + } + break; + case GRANT_REQUEST: if (value == null) { unsetGrantRequest(); @@ -170001,6 +170049,9 @@ public Object getFieldValue(_Fields field) { case OBJ_TO_REFRESH: return getObjToRefresh(); + case AUTHORIZER: + return getAuthorizer(); + case GRANT_REQUEST: return getGrantRequest(); @@ -170017,6 +170068,8 @@ public boolean isSet(_Fields field) { switch (field) { case OBJ_TO_REFRESH: return isSetObjToRefresh(); + case AUTHORIZER: + return isSetAuthorizer(); case GRANT_REQUEST: return isSetGrantRequest(); } 
@@ -170045,6 +170098,15 @@ public boolean equals(refresh_privileges_args that) { return false; } + boolean this_present_authorizer = true && this.isSetAuthorizer(); + boolean that_present_authorizer = true && that.isSetAuthorizer(); + if (this_present_authorizer || that_present_authorizer) { + if (!(this_present_authorizer && that_present_authorizer)) + return false; + if (!this.authorizer.equals(that.authorizer)) + return false; + } + boolean this_present_grantRequest = true && this.isSetGrantRequest(); boolean that_present_grantRequest = true && that.isSetGrantRequest(); if (this_present_grantRequest || that_present_grantRequest) { @@ -170066,6 +170128,11 @@ public int hashCode() { if (present_objToRefresh) list.add(objToRefresh); + boolean present_authorizer = true && (isSetAuthorizer()); + list.add(present_authorizer); + if (present_authorizer) + list.add(authorizer); + boolean present_grantRequest = true && (isSetGrantRequest()); list.add(present_grantRequest); if (present_grantRequest) @@ -170092,6 +170159,16 @@ public int compareTo(refresh_privileges_args other) { return lastComparison; } } + lastComparison = Boolean.valueOf(isSetAuthorizer()).compareTo(other.isSetAuthorizer()); + if (lastComparison != 0) { + return lastComparison; + } + if (isSetAuthorizer()) { + lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.authorizer, other.authorizer); + if (lastComparison != 0) { + return lastComparison; + } + } lastComparison = Boolean.valueOf(isSetGrantRequest()).compareTo(other.isSetGrantRequest()); if (lastComparison != 0) { return lastComparison; @@ -170130,6 +170207,14 @@ public String toString() { } first = false; if (!first) sb.append(", "); + sb.append("authorizer:"); + if (this.authorizer == null) { + sb.append("null"); + } else { + sb.append(this.authorizer); + } + first = false; + if (!first) sb.append(", "); sb.append("grantRequest:"); if (this.grantRequest == null) { sb.append("null"); 
@@ -170195,7 +170280,15 @@ public void read(org.apache.thrift.protocol.TProtocol iprot, refresh_privileges_ org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); } break; - case 2: // GRANT_REQUEST + case 2: // AUTHORIZER + if (schemeField.type == org.apache.thrift.protocol.TType.STRING) { + struct.authorizer = iprot.readString(); + struct.setAuthorizerIsSet(true); + } else { + org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type); + } + break; + case 3: // GRANT_REQUEST if (schemeField.type == org.apache.thrift.protocol.TType.STRUCT) { struct.grantRequest = new GrantRevokePrivilegeRequest(); struct.grantRequest.read(iprot); @@ -170222,6 +170315,11 @@ public void write(org.apache.thrift.protocol.TProtocol oprot, refresh_privileges struct.objToRefresh.write(oprot); oprot.writeFieldEnd(); } + if (struct.authorizer != null) { + oprot.writeFieldBegin(AUTHORIZER_FIELD_DESC); + oprot.writeString(struct.authorizer); + oprot.writeFieldEnd(); + } if (struct.grantRequest != null) { oprot.writeFieldBegin(GRANT_REQUEST_FIELD_DESC); struct.grantRequest.write(oprot); @@ -170248,13 +170346,19 @@ public void write(org.apache.thrift.protocol.TProtocol prot, refresh_privileges_ if (struct.isSetObjToRefresh()) { optionals.set(0); } - if (struct.isSetGrantRequest()) { + if (struct.isSetAuthorizer()) { optionals.set(1); } - oprot.writeBitSet(optionals, 2); + if (struct.isSetGrantRequest()) { + optionals.set(2); + } + oprot.writeBitSet(optionals, 3); if (struct.isSetObjToRefresh()) { struct.objToRefresh.write(oprot); } + if (struct.isSetAuthorizer()) { + oprot.writeString(struct.authorizer); + } if (struct.isSetGrantRequest()) { struct.grantRequest.write(oprot); } 
@@ -170263,13 +170367,17 @@ public void write(org.apache.thrift.protocol.TProtocol prot, refresh_privileges_ @Override public void read(org.apache.thrift.protocol.TProtocol prot, refresh_privileges_args struct) throws org.apache.thrift.TException { TTupleProtocol iprot = (TTupleProtocol) prot; - BitSet incoming = iprot.readBitSet(2); + BitSet incoming = iprot.readBitSet(3); if (incoming.get(0)) { struct.objToRefresh = new HiveObjectRef(); struct.objToRefresh.read(iprot); struct.setObjToRefreshIsSet(true); } if (incoming.get(1)) { + struct.authorizer = iprot.readString(); + struct.setAuthorizerIsSet(true); + } + if (incoming.get(2)) { struct.grantRequest = new GrantRevokePrivilegeRequest(); struct.grantRequest.read(iprot); struct.setGrantRequestIsSet(true); diff --git a/standalone-metastore/src/gen/thrift/gen-php/metastore/ThriftHiveMetastore.php b/standalone-metastore/src/gen/thrift/gen-php/metastore/ThriftHiveMetastore.php index 250d990..4a37568 100644 --- a/standalone-metastore/src/gen/thrift/gen-php/metastore/ThriftHiveMetastore.php +++ b/standalone-metastore/src/gen/thrift/gen-php/metastore/ThriftHiveMetastore.php @@ -1062,11 +1062,12 @@ interface ThriftHiveMetastoreIf extends \FacebookServiceIf { public function grant_revoke_privileges(\metastore\GrantRevokePrivilegeRequest $request); /** * @param \metastore\HiveObjectRef $objToRefresh + * @param string $authorizer * @param \metastore\GrantRevokePrivilegeRequest $grantRequest * @return \metastore\GrantRevokePrivilegeResponse * @throws \metastore\MetaException */ - public function refresh_privileges(\metastore\HiveObjectRef $objToRefresh, \metastore\GrantRevokePrivilegeRequest $grantRequest); + public function refresh_privileges(\metastore\HiveObjectRef $objToRefresh, $authorizer, \metastore\GrantRevokePrivilegeRequest $grantRequest); /** * @param string $user_name * @param string[] $group_names 
@@ -8927,16 +8928,17 @@ class ThriftHiveMetastoreClient extends \FacebookServiceClient implements \metas throw new \Exception("grant_revoke_privileges failed: unknown result"); } - public function refresh_privileges(\metastore\HiveObjectRef $objToRefresh, \metastore\GrantRevokePrivilegeRequest $grantRequest) + public function refresh_privileges(\metastore\HiveObjectRef $objToRefresh, $authorizer, \metastore\GrantRevokePrivilegeRequest $grantRequest) { - $this->send_refresh_privileges($objToRefresh, $grantRequest); + $this->send_refresh_privileges($objToRefresh, $authorizer, $grantRequest); return $this->recv_refresh_privileges(); } - public function send_refresh_privileges(\metastore\HiveObjectRef $objToRefresh, \metastore\GrantRevokePrivilegeRequest $grantRequest) + public function send_refresh_privileges(\metastore\HiveObjectRef $objToRefresh, $authorizer, \metastore\GrantRevokePrivilegeRequest $grantRequest) { $args = new \metastore\ThriftHiveMetastore_refresh_privileges_args(); $args->objToRefresh = $objToRefresh; + $args->authorizer = $authorizer; $args->grantRequest = $grantRequest; $bin_accel = ($this->output_ instanceof TBinaryProtocolAccelerated) && function_exists('thrift_protocol_write_binary'); if ($bin_accel) @@ -44513,6 +44515,10 @@ class ThriftHiveMetastore_refresh_privileges_args { */ public $objToRefresh = null; /** + * @var string + */ + public $authorizer = null; + /** * @var \metastore\GrantRevokePrivilegeRequest */ public $grantRequest = null; @@ -44526,6 +44532,10 @@ class ThriftHiveMetastore_refresh_privileges_args { 'class' => '\metastore\HiveObjectRef', ), 2 => array( + 'var' => 'authorizer', + 'type' => TType::STRING, + ), + 3 => array( 'var' => 'grantRequest', 'type' => TType::STRUCT, 'class' => '\metastore\GrantRevokePrivilegeRequest', 
@@ -44536,6 +44546,9 @@ class ThriftHiveMetastore_refresh_privileges_args { if (isset($vals['objToRefresh'])) { $this->objToRefresh = $vals['objToRefresh']; } + if (isset($vals['authorizer'])) { + $this->authorizer = $vals['authorizer']; + } if (isset($vals['grantRequest'])) { $this->grantRequest = $vals['grantRequest']; } @@ -44570,6 +44583,13 @@ class ThriftHiveMetastore_refresh_privileges_args { } break; case 2: + if ($ftype == TType::STRING) { + $xfer += $input->readString($this->authorizer); + } else { + $xfer += $input->skip($ftype); + } + break; + case 3: if ($ftype == TType::STRUCT) { $this->grantRequest = new \metastore\GrantRevokePrivilegeRequest(); $xfer += $this->grantRequest->read($input); @@ -44598,11 +44618,16 @@ class ThriftHiveMetastore_refresh_privileges_args { $xfer += $this->objToRefresh->write($output); $xfer += $output->writeFieldEnd(); } + if ($this->authorizer !== null) { + $xfer += $output->writeFieldBegin('authorizer', TType::STRING, 2); + $xfer += $output->writeString($this->authorizer); + $xfer += $output->writeFieldEnd(); + } if ($this->grantRequest !== null) { if (!is_object($this->grantRequest)) { throw new TProtocolException('Bad type in structure.', TProtocolException::INVALID_DATA); } - $xfer += $output->writeFieldBegin('grantRequest', TType::STRUCT, 2); + $xfer += $output->writeFieldBegin('grantRequest', TType::STRUCT, 3); $xfer += $this->grantRequest->write($output); $xfer += $output->writeFieldEnd(); } diff --git a/standalone-metastore/src/gen/thrift/gen-php/metastore/Types.php b/standalone-metastore/src/gen/thrift/gen-php/metastore/Types.php index 353c0de..fe54515 100644 --- a/standalone-metastore/src/gen/thrift/gen-php/metastore/Types.php +++ b/standalone-metastore/src/gen/thrift/gen-php/metastore/Types.php 
@@ -2719,6 +2719,10 @@ class HiveObjectPrivilege { * @var \metastore\PrivilegeGrantInfo */ public $grantInfo = null; + /** + * @var string + */ + public $authorizer = null; public function __construct($vals=null) { if (!isset(self::$_TSPEC)) { @@ -2741,6 +2745,10 @@ class HiveObjectPrivilege { 'type' => TType::STRUCT, 'class' => '\metastore\PrivilegeGrantInfo', ), + 5 => array( + 'var' => 'authorizer', + 'type' => TType::STRING, + ), ); } if (is_array($vals)) { @@ -2756,6 +2764,9 @@ class HiveObjectPrivilege { if (isset($vals['grantInfo'])) { $this->grantInfo = $vals['grantInfo']; } + if (isset($vals['authorizer'])) { + $this->authorizer = $vals['authorizer']; + } } } @@ -2808,6 +2819,13 @@ class HiveObjectPrivilege { $xfer += $input->skip($ftype); } break; + case 5: + if ($ftype == TType::STRING) { + $xfer += $input->readString($this->authorizer); + } else { + $xfer += $input->skip($ftype); + } + break; default: $xfer += $input->skip($ftype); break; @@ -2847,6 +2865,11 @@ class HiveObjectPrivilege { $xfer += $this->grantInfo->write($output); $xfer += $output->writeFieldEnd(); } + if ($this->authorizer !== null) { + $xfer += $output->writeFieldBegin('authorizer', TType::STRING, 5); + $xfer += $output->writeString($this->authorizer); + $xfer += $output->writeFieldEnd(); + } $xfer += $output->writeFieldStop(); $xfer += $output->writeStructEnd(); return $xfer; diff --git a/standalone-metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore-remote b/standalone-metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore-remote index 58afb24..8fa5fe4 100755 --- a/standalone-metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore-remote +++ b/standalone-metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore-remote 
@@ -151,7 +151,7 @@ if len(sys.argv) <= 1 or sys.argv[1] == '--help': print(' bool grant_privileges(PrivilegeBag privileges)') print(' bool revoke_privileges(PrivilegeBag privileges)') print(' GrantRevokePrivilegeResponse grant_revoke_privileges(GrantRevokePrivilegeRequest request)') - print(' GrantRevokePrivilegeResponse refresh_privileges(HiveObjectRef objToRefresh, GrantRevokePrivilegeRequest grantRequest)') + print(' GrantRevokePrivilegeResponse refresh_privileges(HiveObjectRef objToRefresh, string authorizer, GrantRevokePrivilegeRequest grantRequest)') print(' set_ugi(string user_name, group_names)') print(' string get_delegation_token(string token_owner, string renewer_kerberos_principal_name)') print(' i64 renew_delegation_token(string token_str_form)') @@ -1062,10 +1062,10 @@ elif cmd == 'grant_revoke_privileges': pp.pprint(client.grant_revoke_privileges(eval(args[0]),)) elif cmd == 'refresh_privileges': - if len(args) != 2: - print('refresh_privileges requires 2 args') + if len(args) != 3: + print('refresh_privileges requires 3 args') sys.exit(1) - pp.pprint(client.refresh_privileges(eval(args[0]),eval(args[1]),)) + pp.pprint(client.refresh_privileges(eval(args[0]),args[1],eval(args[2]),)) elif cmd == 'set_ugi': if len(args) != 2: diff --git a/standalone-metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore.py b/standalone-metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore.py index 768c0e3..11881d3 100644 --- a/standalone-metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore.py +++ b/standalone-metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore.py @@ -1061,10 +1061,11 @@ def grant_revoke_privileges(self, request): """ pass - def refresh_privileges(self, objToRefresh, grantRequest): + def refresh_privileges(self, objToRefresh, authorizer, grantRequest): """ Parameters: - objToRefresh + - authorizer - grantRequest """ pass 
@@ -6338,19 +6339,21 @@ def recv_grant_revoke_privileges(self): raise result.o1 raise TApplicationException(TApplicationException.MISSING_RESULT, "grant_revoke_privileges failed: unknown result") - def refresh_privileges(self, objToRefresh, grantRequest): + def refresh_privileges(self, objToRefresh, authorizer, grantRequest): """ Parameters: - objToRefresh + - authorizer - grantRequest """ - self.send_refresh_privileges(objToRefresh, grantRequest) + self.send_refresh_privileges(objToRefresh, authorizer, grantRequest) return self.recv_refresh_privileges() - def send_refresh_privileges(self, objToRefresh, grantRequest): + def send_refresh_privileges(self, objToRefresh, authorizer, grantRequest): self._oprot.writeMessageBegin('refresh_privileges', TMessageType.CALL, self._seqid) args = refresh_privileges_args() args.objToRefresh = objToRefresh + args.authorizer = authorizer args.grantRequest = grantRequest args.write(self._oprot) self._oprot.writeMessageEnd() @@ -12429,7 +12432,7 @@ def process_refresh_privileges(self, seqid, iprot, oprot): iprot.readMessageEnd() result = refresh_privileges_result() try: - result.success = self._handler.refresh_privileges(args.objToRefresh, args.grantRequest) + result.success = self._handler.refresh_privileges(args.objToRefresh, args.authorizer, args.grantRequest) msg_type = TMessageType.REPLY except (TTransport.TTransportException, KeyboardInterrupt, SystemExit): raise 
@@ -36878,17 +36881,20 @@ class refresh_privileges_args: """ Attributes: - objToRefresh + - authorizer - grantRequest """ thrift_spec = ( None, # 0 (1, TType.STRUCT, 'objToRefresh', (HiveObjectRef, HiveObjectRef.thrift_spec), None, ), # 1 - (2, TType.STRUCT, 'grantRequest', (GrantRevokePrivilegeRequest, GrantRevokePrivilegeRequest.thrift_spec), None, ), # 2 + (2, TType.STRING, 'authorizer', None, None, ), # 2 + (3, TType.STRUCT, 'grantRequest', (GrantRevokePrivilegeRequest, GrantRevokePrivilegeRequest.thrift_spec), None, ), # 3 ) - def __init__(self, objToRefresh=None, grantRequest=None,): + def __init__(self, objToRefresh=None, authorizer=None, grantRequest=None,): self.objToRefresh = objToRefresh + self.authorizer = authorizer self.grantRequest = grantRequest def read(self, iprot): @@ -36907,6 +36913,11 @@ def read(self, iprot): else: iprot.skip(ftype) elif fid == 2: + if ftype == TType.STRING: + self.authorizer = iprot.readString() + else: + iprot.skip(ftype) + elif fid == 3: if ftype == TType.STRUCT: self.grantRequest = GrantRevokePrivilegeRequest() self.grantRequest.read(iprot) @@ -36926,8 +36937,12 @@ def write(self, oprot): oprot.writeFieldBegin('objToRefresh', TType.STRUCT, 1) self.objToRefresh.write(oprot) oprot.writeFieldEnd() + if self.authorizer is not None: + oprot.writeFieldBegin('authorizer', TType.STRING, 2) + oprot.writeString(self.authorizer) + oprot.writeFieldEnd() if self.grantRequest is not None: - oprot.writeFieldBegin('grantRequest', TType.STRUCT, 2) + oprot.writeFieldBegin('grantRequest', TType.STRUCT, 3) self.grantRequest.write(oprot) oprot.writeFieldEnd() oprot.writeFieldStop() @@ -36940,6 +36955,7 @@ def validate(self): def __hash__(self): value = 17 value = (value * 31) ^ hash(self.objToRefresh) + value = (value * 31) ^ hash(self.authorizer) value = (value * 31) ^ hash(self.grantRequest) return value 
diff --git a/standalone-metastore/src/gen/thrift/gen-py/hive_metastore/ttypes.py b/standalone-metastore/src/gen/thrift/gen-py/hive_metastore/ttypes.py index fdec32e..786c8c5 100644 --- a/standalone-metastore/src/gen/thrift/gen-py/hive_metastore/ttypes.py +++ b/standalone-metastore/src/gen/thrift/gen-py/hive_metastore/ttypes.py @@ -2013,6 +2013,7 @@ class HiveObjectPrivilege: - principalName - principalType - grantInfo + - authorizer """ thrift_spec = ( @@ -2021,13 +2022,15 @@ class HiveObjectPrivilege: (2, TType.STRING, 'principalName', None, None, ), # 2 (3, TType.I32, 'principalType', None, None, ), # 3 (4, TType.STRUCT, 'grantInfo', (PrivilegeGrantInfo, PrivilegeGrantInfo.thrift_spec), None, ), # 4 + (5, TType.STRING, 'authorizer', None, None, ), # 5 ) - def __init__(self, hiveObject=None, principalName=None, principalType=None, grantInfo=None,): + def __init__(self, hiveObject=None, principalName=None, principalType=None, grantInfo=None, authorizer=None,): self.hiveObject = hiveObject self.principalName = principalName self.principalType = principalType self.grantInfo = grantInfo + self.authorizer = authorizer def read(self, iprot): if iprot.__class__ == TBinaryProtocol.TBinaryProtocolAccelerated and isinstance(iprot.trans, TTransport.CReadableTransport) and self.thrift_spec is not None and fastbinary is not None: @@ -2060,6 +2063,11 @@ def read(self, iprot): self.grantInfo.read(iprot) else: iprot.skip(ftype) + elif fid == 5: + if ftype == TType.STRING: + self.authorizer = iprot.readString() + else: + iprot.skip(ftype) else: iprot.skip(ftype) iprot.readFieldEnd() @@ -2086,6 +2094,10 @@ def write(self, oprot): oprot.writeFieldBegin('grantInfo', TType.STRUCT, 4) self.grantInfo.write(oprot) oprot.writeFieldEnd() + if self.authorizer is not None: + oprot.writeFieldBegin('authorizer', TType.STRING, 5) + oprot.writeString(self.authorizer) + oprot.writeFieldEnd() oprot.writeFieldStop() oprot.writeStructEnd() 
@@ -2099,6 +2111,7 @@ def __hash__(self): value = (value * 31) ^ hash(self.principalName) value = (value * 31) ^ hash(self.principalType) value = (value * 31) ^ hash(self.grantInfo) + value = (value * 31) ^ hash(self.authorizer) return value def __repr__(self): diff --git a/standalone-metastore/src/gen/thrift/gen-rb/hive_metastore_types.rb b/standalone-metastore/src/gen/thrift/gen-rb/hive_metastore_types.rb index fb73b28..9174596 100644 --- a/standalone-metastore/src/gen/thrift/gen-rb/hive_metastore_types.rb +++ b/standalone-metastore/src/gen/thrift/gen-rb/hive_metastore_types.rb @@ -507,12 +507,14 @@ class HiveObjectPrivilege PRINCIPALNAME = 2 PRINCIPALTYPE = 3 GRANTINFO = 4 + AUTHORIZER = 5 FIELDS = { HIVEOBJECT => {:type => ::Thrift::Types::STRUCT, :name => 'hiveObject', :class => ::HiveObjectRef}, PRINCIPALNAME => {:type => ::Thrift::Types::STRING, :name => 'principalName'}, PRINCIPALTYPE => {:type => ::Thrift::Types::I32, :name => 'principalType', :enum_class => ::PrincipalType}, - GRANTINFO => {:type => ::Thrift::Types::STRUCT, :name => 'grantInfo', :class => ::PrivilegeGrantInfo} + GRANTINFO => {:type => ::Thrift::Types::STRUCT, :name => 'grantInfo', :class => ::PrivilegeGrantInfo}, + AUTHORIZER => {:type => ::Thrift::Types::STRING, :name => 'authorizer'} } def struct_fields; FIELDS; end diff --git a/standalone-metastore/src/gen/thrift/gen-rb/thrift_hive_metastore.rb b/standalone-metastore/src/gen/thrift/gen-rb/thrift_hive_metastore.rb index d394f72..4ef99bd 100644 --- a/standalone-metastore/src/gen/thrift/gen-rb/thrift_hive_metastore.rb +++ b/standalone-metastore/src/gen/thrift/gen-rb/thrift_hive_metastore.rb 
@@ -2161,13 +2161,13 @@ module ThriftHiveMetastore raise ::Thrift::ApplicationException.new(::Thrift::ApplicationException::MISSING_RESULT, 'grant_revoke_privileges failed: unknown result') end - def refresh_privileges(objToRefresh, grantRequest) - send_refresh_privileges(objToRefresh, grantRequest) + def refresh_privileges(objToRefresh, authorizer, grantRequest) + send_refresh_privileges(objToRefresh, authorizer, grantRequest) return recv_refresh_privileges() end - def send_refresh_privileges(objToRefresh, grantRequest) - send_message('refresh_privileges', Refresh_privileges_args, :objToRefresh => objToRefresh, :grantRequest => grantRequest) + def send_refresh_privileges(objToRefresh, authorizer, grantRequest) + send_message('refresh_privileges', Refresh_privileges_args, :objToRefresh => objToRefresh, :authorizer => authorizer, :grantRequest => grantRequest) end def recv_refresh_privileges() @@ -5141,7 +5141,7 @@ module ThriftHiveMetastore args = read_args(iprot, Refresh_privileges_args) result = Refresh_privileges_result.new() begin - result.success = @handler.refresh_privileges(args.objToRefresh, args.grantRequest) + result.success = @handler.refresh_privileges(args.objToRefresh, args.authorizer, args.grantRequest) rescue ::MetaException => o1 result.o1 = o1 end @@ -10926,10 +10926,12 @@ module ThriftHiveMetastore class Refresh_privileges_args include ::Thrift::Struct, ::Thrift::Struct_Union OBJTOREFRESH = 1 - GRANTREQUEST = 2 + AUTHORIZER = 2 + GRANTREQUEST = 3 FIELDS = { OBJTOREFRESH => {:type => ::Thrift::Types::STRUCT, :name => 'objToRefresh', :class => ::HiveObjectRef}, + AUTHORIZER => {:type => ::Thrift::Types::STRING, :name => 'authorizer'}, GRANTREQUEST => {:type => ::Thrift::Types::STRUCT, :name => 'grantRequest', :class => ::GrantRevokePrivilegeRequest} } 
diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java index 92d2e3f..fbd60f2 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java @@ -813,7 +813,7 @@ private void createDefaultRoles_core() throws MetaException { PrivilegeBag privs = new PrivilegeBag(); privs.addToPrivileges(new HiveObjectPrivilege( new HiveObjectRef(HiveObjectType.GLOBAL, null, null, null, null), ADMIN, PrincipalType.ROLE, new PrivilegeGrantInfo("All", 0, ADMIN, - PrincipalType.ROLE, true))); + PrincipalType.ROLE, true), "SQL")); try { ms.grantPrivileges(privs); } catch (InvalidObjectException e) { @@ -6200,14 +6200,14 @@ public GrantRevokePrivilegeResponse grant_revoke_privileges(GrantRevokePrivilege } @Override - public GrantRevokePrivilegeResponse refresh_privileges(HiveObjectRef objToRefresh, + public GrantRevokePrivilegeResponse refresh_privileges(HiveObjectRef objToRefresh, String authorizer, GrantRevokePrivilegeRequest grantRequest) throws TException { incrementCounter("refresh_privileges"); firePreEvent(new PreAuthorizationCallEvent(this)); GrantRevokePrivilegeResponse response = new GrantRevokePrivilegeResponse(); try { - boolean result = getMS().refreshPrivileges(objToRefresh, grantRequest.getPrivileges()); + boolean result = getMS().refreshPrivileges(objToRefresh, authorizer, grantRequest.getPrivileges()); response.setSuccess(result); } catch (MetaException e) { throw e; diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java index 6af2aa5..fd7546e 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java 
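Review bot: The authorizer tag is written as a bare `"SQL"` literal in `createDefaultRoles_core`, and the same literal recurs in the three `putPersistentPrivObjects` calls in `ObjectStore.createTable`. Later in this commit the tag becomes an exact-match key in a JDOQL filter (`authorizer == t3`), so a typo or case difference in any one copy would leave those grants outside authorizer-scoped lookups without any error. A single shared constant referenced from all four sites, for example `public static final String DEFAULT_AUTHORIZER = "SQL";` (the name is only a suggestion), would remove that risk. The enclosing method starts and ends outside this hunk.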
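Review bot: `grantRequest.getPrivileges()` in `refresh_privileges` is dereferenced without a null check, and `authorizer` is forwarded to `getMS().refreshPrivileges` unvalidated. The generated `read()` in this commit moves `grantRequest` from field id 2 to 3 and expects a STRING at id 2, so a request from a client built against the previous IDL would have its struct skipped and arrive with both fields unset. That would surface as a NullPointerException rather than a MetaException. A null authorizer may also widen the refresh to every authorizer's grants, if the store's list methods treat null as "no filter" the way the two-argument `listPrincipalMGlobalGrants` overload does. A guard at the top of the handler covers both: `if (authorizer == null || grantRequest == null) throw new MetaException("refresh_privileges requires authorizer and grantRequest");`. The handler body continues outside the hunk, and `ObjectStore.refreshPrivileges` takes the same unvalidated argument.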
+++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java @@ -2288,7 +2288,7 @@ public boolean revoke_privileges(PrivilegeBag privileges, boolean grantOption) t } @Override - public boolean refresh_privileges(HiveObjectRef objToRefresh, + public boolean refresh_privileges(HiveObjectRef objToRefresh, String authorizer, PrivilegeBag grantPrivileges) throws MetaException, TException { String defaultCat = getDefaultCatalog(conf); @@ -2305,7 +2305,7 @@ public boolean refresh_privileges(HiveObjectRef objToRefresh, grantReq.setRequestType(GrantRevokeType.GRANT); grantReq.setPrivileges(grantPrivileges); - GrantRevokePrivilegeResponse res = client.refresh_privileges(objToRefresh, grantReq); + GrantRevokePrivilegeResponse res = client.refresh_privileges(objToRefresh, authorizer, grantReq); if (!res.isSetSuccess()) { throw new MetaException("GrantRevokePrivilegeResponse missing success field"); } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java index 09f9bb1..7ba286a 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java @@ -2567,12 +2567,13 @@ boolean revoke_privileges(PrivilegeBag privileges, boolean grantOption) /** * @param revokePrivileges + * @param authorizer * @param objToRefresh * @return true on success * @throws MetaException * @throws TException */ - boolean refresh_privileges(HiveObjectRef objToRefresh, PrivilegeBag grantPrivileges) + boolean refresh_privileges(HiveObjectRef objToRefresh, String authorizer, PrivilegeBag grantPrivileges) throws MetaException, TException; /** 
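Review bot: The Javadoc for `IMetaStoreClient.refresh_privileges` gains a bare `@param authorizer` with no description and still lists `@param revokePrivileges`, which is not a parameter of the method (the third parameter is `grantPrivileges`). The authorizer value selects which stored grants the refresh is compared against, so the contract belongs here, for example `@param authorizer name of the authorizer whose grants on objToRefresh are refreshed; must not be null` and `@param grantPrivileges the grants that should exist for that authorizer afterwards`. The exact wording should be confirmed against `ObjectStore.refreshPrivileges`, whose body is only partly visible in this diff.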
diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java index 264fdb9..aafdbff 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java @@ -1097,7 +1097,7 @@ public boolean dropDatabase(String catName, String dbname) MDatabase db = getMDatabase(catName, dbname); pm.retrieve(db); if (db != null) { - List dbGrants = this.listDatabaseGrants(catName, dbname, queryWrapper); + List dbGrants = this.listDatabaseGrants(catName, dbname, null, queryWrapper); if (CollectionUtils.isNotEmpty(dbGrants)) { pm.deletePersistentAll(dbGrants); } @@ -1314,13 +1314,13 @@ public void createTable(Table tbl) throws InvalidObjectException, MetaException int now = (int)(System.currentTimeMillis()/1000); Map> userPrivs = principalPrivs.getUserPrivileges(); - putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, userPrivs, PrincipalType.USER); + putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, userPrivs, PrincipalType.USER, "SQL"); Map> groupPrivs = principalPrivs.getGroupPrivileges(); - putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, groupPrivs, PrincipalType.GROUP); + putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, groupPrivs, PrincipalType.GROUP, "SQL"); Map> rolePrivs = principalPrivs.getRolePrivileges(); - putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, rolePrivs, PrincipalType.ROLE); + putPersistentPrivObjects(mtbl, toPersistPrivObjs, now, rolePrivs, PrincipalType.ROLE, "SQL"); } pm.makePersistentAll(toPersistPrivObjs); commited = commitTransaction(); 
@@ -1350,7 +1350,7 @@ public void createTable(Table tbl) throws InvalidObjectException, MetaException * @param type */ private void putPersistentPrivObjects(MTable mtbl, List toPersistPrivObjs, - int now, Map> privMap, PrincipalType type) { + int now, Map> privMap, PrincipalType type, String authorizer) { if (privMap != null) { for (Map.Entry> entry : privMap .entrySet()) { @@ -1364,7 +1364,7 @@ private void putPersistentPrivObjects(MTable mtbl, List toPersistPrivObj MTablePrivilege mTblSec = new MTablePrivilege( principalName, type.toString(), mtbl, priv.getPrivilege(), now, priv.getGrantor(), priv.getGrantorType().toString(), priv - .isGrantOption()); + .isGrantOption(), authorizer); toPersistPrivObjs.add(mTblSec); } } @@ -2242,7 +2242,8 @@ public boolean addPartitions(String catName, String dbName, String tblName, List for (MTablePrivilege tab: tabGrants) { toPersist.add(new MPartitionPrivilege(tab.getPrincipalName(), tab.getPrincipalType(), mpart, tab.getPrivilege(), now, - tab.getGrantor(), tab.getGrantorType(), tab.getGrantOption())); + tab.getGrantor(), tab.getGrantorType(), tab.getGrantOption(), + tab.getAuthorizer())); } } @@ -2250,7 +2251,8 @@ public boolean addPartitions(String catName, String dbName, String tblName, List for (MTableColumnPrivilege col : tabColumnGrants) { toPersist.add(new MPartitionColumnPrivilege(col.getPrincipalName(), col.getPrincipalType(), mpart, col.getColumnName(), col.getPrivilege(), - now, col.getGrantor(), col.getGrantorType(), col.getGrantOption())); + now, col.getGrantor(), col.getGrantorType(), col.getGrantOption(), + col.getAuthorizer())); } } } 
@@ -2314,7 +2316,8 @@ public boolean addPartitions(String catName, String dbName, String tblName, for (MTablePrivilege tab : tabGrants) { pm.makePersistent(new MPartitionPrivilege(tab.getPrincipalName(), tab.getPrincipalType(), mpart, tab.getPrivilege(), now, - tab.getGrantor(), tab.getGrantorType(), tab.getGrantOption())); + tab.getGrantor(), tab.getGrantorType(), tab.getGrantOption(), + tab.getAuthorizer())); } } @@ -2322,7 +2325,8 @@ public boolean addPartitions(String catName, String dbName, String tblName, for (MTableColumnPrivilege col : tabColumnGrants) { pm.makePersistent(new MPartitionColumnPrivilege(col.getPrincipalName(), col.getPrincipalType(), mpart, col.getColumnName(), col.getPrivilege(), - now, col.getGrantor(), col.getGrantorType(), col.getGrantOption())); + now, col.getGrantor(), col.getGrantorType(), col.getGrantOption(), + col.getAuthorizer())); } } } @@ -2363,7 +2367,7 @@ public boolean addPartition(Partition part) throws InvalidObjectException, MPartitionPrivilege partGrant = new MPartitionPrivilege(tab .getPrincipalName(), tab.getPrincipalType(), mpart, tab.getPrivilege(), now, tab.getGrantor(), tab - .getGrantorType(), tab.getGrantOption()); + .getGrantorType(), tab.getGrantOption(), tab.getAuthorizer()); toPersist.add(partGrant); } } @@ -2373,7 +2377,7 @@ public boolean addPartition(Partition part) throws InvalidObjectException, MPartitionColumnPrivilege partColumn = new MPartitionColumnPrivilege(col .getPrincipalName(), col.getPrincipalType(), mpart, col .getColumnName(), col.getPrivilege(), now, col.getGrantor(), col - .getGrantorType(), col.getGrantOption()); + .getGrantorType(), col.getGrantOption(), col.getAuthorizer()); toPersist.add(partColumn); } 
@@ -5635,6 +5639,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce String privilegeStr = privDef.getGrantInfo().getPrivilege(); String[] privs = privilegeStr.split(","); String userName = privDef.getPrincipalName(); + String authorizer = privDef.getAuthorizer(); PrincipalType principalType = privDef.getPrincipalType(); String grantor = privDef.getGrantInfo().getGrantor(); String grantorType = privDef.getGrantInfo().getGrantorType().toString(); @@ -5649,7 +5654,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce getDefaultCatalog(conf); if (hiveObject.getObjectType() == HiveObjectType.GLOBAL) { List globalPrivs = this - .listPrincipalMGlobalGrants(userName, principalType); + .listPrincipalMGlobalGrants(userName, principalType, authorizer); if (globalPrivs != null) { for (MGlobalPrivilege priv : globalPrivs) { if (priv.getGrantor().equalsIgnoreCase(grantor)) { @@ -5663,14 +5668,15 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce + " is already granted by " + grantor); } MGlobalPrivilege mGlobalPrivs = new MGlobalPrivilege(userName, - principalType.toString(), privilege, now, grantor, grantorType, grantOption); + principalType.toString(), privilege, now, grantor, grantorType, grantOption, + authorizer); persistentObjs.add(mGlobalPrivs); } } else if (hiveObject.getObjectType() == HiveObjectType.DATABASE) { MDatabase dbObj = getMDatabase(catName, hiveObject.getDbName()); if (dbObj != null) { List dbPrivs = this.listPrincipalMDBGrants( - userName, principalType, catName, hiveObject.getDbName()); + userName, principalType, catName, hiveObject.getDbName(), authorizer); if (dbPrivs != null) { for (MDBPrivilege priv : dbPrivs) { if (priv.getGrantor().equalsIgnoreCase(grantor)) { 
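Review bot: `privDef.getAuthorizer()` in `grantPrivileges` can be null, because `authorizer` is a new field on `HiveObjectPrivilege` that callers built before this commit never set. The null is then used both as the filter for the existing-grant lookup, where the three-argument `listPrincipalMGlobalGrants` falls back to an unfiltered query, and as the stored value in the new privilege rows that later hunks of this method build (`MDBPrivilege`, `MTablePrivilege`, and the partition and column variants). A row stored with a null authorizer would presumably not match an `authorizer == t3` filter, so such grants could drop out of authorizer-scoped listing and refresh. Either reject a missing value or default it explicitly, e.g. `String authorizer = privDef.getAuthorizer() == null ? "SQL" : privDef.getAuthorizer();`. The enclosing method starts before this hunk and continues past it.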
@@ -5685,7 +5691,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce + hiveObject.getDbName() + " by " + grantor); } MDBPrivilege mDb = new MDBPrivilege(userName, principalType - .toString(), dbObj, privilege, now, grantor, grantorType, grantOption); + .toString(), dbObj, privilege, now, grantor, grantorType, grantOption, authorizer); persistentObjs.add(mDb); } } @@ -5695,7 +5701,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce if (tblObj != null) { List tablePrivs = this .listAllMTableGrants(userName, principalType, - catName, hiveObject.getDbName(), hiveObject.getObjectName()); + catName, hiveObject.getDbName(), hiveObject.getObjectName(), authorizer); if (tablePrivs != null) { for (MTablePrivilege priv : tablePrivs) { if (priv.getGrantor() != null @@ -5713,7 +5719,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce } MTablePrivilege mTab = new MTablePrivilege( userName, principalType.toString(), tblObj, - privilege, now, grantor, grantorType, grantOption); + privilege, now, grantor, grantorType, grantOption, authorizer); persistentObjs.add(mTab); } } @@ -5726,7 +5732,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce List partPrivs = this .listPrincipalMPartitionGrants(userName, principalType, catName, hiveObject.getDbName(), hiveObject - .getObjectName(), partObj.getPartitionName()); + .getObjectName(), partObj.getPartitionName(), authorizer); if (partPrivs != null) { for (MPartitionPrivilege priv : partPrivs) { if (priv.getGrantor().equalsIgnoreCase(grantor)) { @@ -5744,7 +5750,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce } MPartitionPrivilege mTab = new MPartitionPrivilege(userName, principalType.toString(), partObj, privilege, now, grantor, - grantorType, grantOption); + grantorType, grantOption, authorizer); persistentObjs.add(mTab); } } 
@@ -5763,7 +5769,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce colPrivs = this.listPrincipalMPartitionColumnGrants( userName, principalType, catName, hiveObject.getDbName(), hiveObject .getObjectName(), partObj.getPartitionName(), - hiveObject.getColumnName()); + hiveObject.getColumnName(), authorizer); if (colPrivs != null) { for (MPartitionColumnPrivilege priv : colPrivs) { @@ -5784,7 +5790,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce MPartitionColumnPrivilege mCol = new MPartitionColumnPrivilege(userName, principalType.toString(), partObj, hiveObject .getColumnName(), privilege, now, grantor, grantorType, - grantOption); + grantOption, authorizer); persistentObjs.add(mCol); } @@ -5792,7 +5798,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce List colPrivs = null; colPrivs = this.listPrincipalMTableColumnGrants( userName, principalType, catName, hiveObject.getDbName(), hiveObject - .getObjectName(), hiveObject.getColumnName()); + .getObjectName(), hiveObject.getColumnName(), authorizer); if (colPrivs != null) { for (MTableColumnPrivilege priv : colPrivs) { @@ -5812,7 +5818,7 @@ public boolean grantPrivileges(PrivilegeBag privileges) throws InvalidObjectExce MTableColumnPrivilege mCol = new MTableColumnPrivilege(userName, principalType.toString(), tblObj, hiveObject .getColumnName(), privilege, now, grantor, grantorType, - grantOption); + grantOption, authorizer); persistentObjs.add(mCol); } } @@ -6093,7 +6099,7 @@ public int compare(HiveObjectPrivilege o1, HiveObjectPrivilege o2) { } @Override - public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantPrivileges) + public boolean refreshPrivileges(HiveObjectRef objToRefresh, String authorizer, PrivilegeBag grantPrivileges) throws InvalidObjectException, MetaException, NoSuchObjectException { boolean committed = false; try { 
@@ -6108,15 +6114,15 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP getDefaultCatalog(conf); switch (objToRefresh.getObjectType()) { case DATABASE: - grants = this.listDBGrantsAll(catName, objToRefresh.getDbName()); + grants = this.listDBGrantsAll(catName, objToRefresh.getDbName(), authorizer); break; case TABLE: - grants = listTableGrantsAll(catName, objToRefresh.getDbName(), objToRefresh.getObjectName()); + grants = listTableGrantsAll(catName, objToRefresh.getDbName(), objToRefresh.getObjectName(), authorizer); break; case COLUMN: Preconditions.checkArgument(objToRefresh.getColumnName()==null, "columnName must be null"); grants = convertTableCols(listTableAllColumnGrants(catName, - objToRefresh.getDbName(), objToRefresh.getObjectName())); + objToRefresh.getDbName(), objToRefresh.getObjectName(), authorizer)); break; default: throw new MetaException("Unexpected object type " + objToRefresh.getObjectType()); @@ -6210,9 +6216,14 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP return rolePrinGrantList; } + private List listPrincipalMGlobalGrants(String principalName, + PrincipalType principalType) { + return listPrincipalMGlobalGrants(principalName, principalType, null); + } + @SuppressWarnings("unchecked") private List listPrincipalMGlobalGrants(String principalName, - PrincipalType principalType) { + PrincipalType principalType, String authorizer) { boolean commited = false; Query query = null; List userNameDbPriv = new ArrayList<>(); 
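Review bot: `refreshPrivileges` passes `authorizer` to `listDBGrantsAll`, `listTableGrantsAll` and `listTableAllColumnGrants` without checking it, and the overloads added later in this diff treat null as "no authorizer filter". A null argument therefore loads the grants of every authorizer for the object. If the rest of the method (outside this hunk) revokes whatever is missing from `grantPrivileges`, one plugin's refresh could remove grants recorded by another. I would reject null at the top of the method, for example `if (authorizer == null) { throw new MetaException("authorizer must be set for refreshPrivileges"); }`, and state that contract in Javadoc on the `RawStore.refreshPrivileges` declaration changed further down. As far as these lines show, the value is a caller-supplied label, so it scopes the refresh but does not establish which plugin is calling.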
@@ -6220,10 +6231,18 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP List mPrivs = null; openTransaction(); if (principalName != null) { - query = pm.newQuery(MGlobalPrivilege.class, "principalName == t1 && principalType == t2 "); - query.declareParameters("java.lang.String t1, java.lang.String t2"); - mPrivs = (List) query - .executeWithArray(principalName, principalType.toString()); + if (authorizer != null) { + query = pm.newQuery(MGlobalPrivilege.class, "principalName == t1 && principalType == t2 " + + "&& authorizer == t3"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3"); + mPrivs = (List) query + .executeWithArray(principalName, principalType.toString(), authorizer); + } else { + query = pm.newQuery(MGlobalPrivilege.class, "principalName == t1 && principalType == t2 "); + query.declareParameters("java.lang.String t1, java.lang.String t2"); + mPrivs = (List) query + .executeWithArray(principalName, principalType.toString()); + } pm.retrieveAll(mPrivs); } commited = commitTransaction(); @@ -6253,7 +6272,8 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP objectRef, sUsr.getPrincipalName(), principalType, new PrivilegeGrantInfo(sUsr.getPrivilege(), sUsr .getCreateTime(), sUsr.getGrantor(), PrincipalType - .valueOf(sUsr.getGrantorType()), sUsr.getGrantOption())); + .valueOf(sUsr.getGrantorType()), sUsr.getGrantOption()), + sUsr.getAuthorizer()); result.add(secUser); } return result; 
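Review bot: The new `if (authorizer != null) … else …` in `listPrincipalMGlobalGrants` keeps two full copies of the filter, the parameter declaration and the execute call, differing only in the trailing `authorizer` predicate. The same shape is repeated in `listPrincipalMDBGrants`, `listTableAllColumnGrants`, `listDatabaseGrants`, `listAllMTableGrants`, `listPrincipalMPartitionGrants`, `listPrincipalMTableColumnGrants`, `listPrincipalMPartitionColumnGrants` and `listTableGrantsAll`. These filters decide which grants an authorization check sees, so a later edit that touches only one branch would silently change results for one class of callers. Building the filter once and appending the extra predicate keeps a single source of truth, and a short comment should record that null means "any authorizer". The method starts and ends outside this hunk, and the element type in the cast is assumed from the queried class.

```java
// … unchanged: openTransaction() and the principalName != null guard …
String filter = "principalName == t1 && principalType == t2";
String paramDecl = "java.lang.String t1, java.lang.String t2";
List<Object> args = new ArrayList<>();
args.add(principalName);
args.add(principalType.toString());
if (authorizer != null) {
  // null means "any authorizer": the predicate is appended only when a value is given
  filter += " && authorizer == t3";
  paramDecl += ", java.lang.String t3";
  args.add(authorizer);
}
query = pm.newQuery(MGlobalPrivilege.class, filter);
query.declareParameters(paramDecl);
mPrivs = (List<MGlobalPrivilege>) query.executeWithArray(args.toArray());
// … unchanged: pm.retrieveAll(mPrivs) and commit …
```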
@@ -6279,20 +6299,26 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP List result = new ArrayList<>(); for (MGlobalPrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); HiveObjectRef objectRef = new HiveObjectRef(HiveObjectType.GLOBAL, null, null, null, null); PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } - @SuppressWarnings("unchecked") private List listPrincipalMDBGrants(String principalName, PrincipalType principalType, String catName, String dbName) { + return listPrincipalMDBGrants(principalName, principalType, catName, dbName, null); + } + + @SuppressWarnings("unchecked") + private List listPrincipalMDBGrants(String principalName, + PrincipalType principalType, String catName, String dbName, String authorizer) { boolean success = false; Query query = null; List mSecurityDBList = new ArrayList<>(); 
@@ -6301,14 +6327,24 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP LOG.debug("Executing listPrincipalDBGrants"); openTransaction(); - query = - pm.newQuery(MDBPrivilege.class, - "principalName == t1 && principalType == t2 && database.name == t3 && database.catalogName == t4"); - query.declareParameters( - "java.lang.String t1, java.lang.String t2, java.lang.String t3, java.lang.String t4"); - List mPrivs = - (List) query.executeWithArray(principalName, principalType.toString(), - dbName, catName); + List mPrivs; + if (authorizer != null) { + query = pm.newQuery(MDBPrivilege.class, + "principalName == t1 && principalType == t2 && database.name == t3 && " + + "database.catalogName == t4 && authorizer == t5"); + query.declareParameters( + "java.lang.String t1, java.lang.String t2, java.lang.String t3, java.lang.String t4, " + + "java.lang.String t5"); + mPrivs = (List) query.executeWithArray(principalName, principalType.toString(), + dbName, catName, authorizer); + } else { + query = pm.newQuery(MDBPrivilege.class, + "principalName == t1 && principalType == t2 && database.name == t3 && database.catalogName == t4"); + query.declareParameters( + "java.lang.String t1, java.lang.String t2, java.lang.String t3, java.lang.String t4"); + mPrivs = (List) query.executeWithArray(principalName, principalType.toString(), + dbName, catName); + } pm.retrieveAll(mPrivs); success = commitTransaction(); @@ -6338,7 +6374,7 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP sDB.getPrincipalName(), principalType, new PrivilegeGrantInfo(sDB.getPrivilege(), sDB .getCreateTime(), sDB.getGrantor(), PrincipalType - .valueOf(sDB.getGrantorType()), sDB.getGrantOption())); + .valueOf(sDB.getGrantorType()), sDB.getGrantOption()), sDB.getAuthorizer()); result.add(secObj); } return result; 
@@ -6357,9 +6393,13 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP @Override public List listDBGrantsAll(String catName, String dbName) { + return listDBGrantsAll(catName, dbName, null); + } + + private List listDBGrantsAll(String catName, String dbName, String authorizer) { QueryWrapper queryWrapper = new QueryWrapper(); try { - return convertDB(listDatabaseGrants(catName, dbName, queryWrapper)); + return convertDB(listDatabaseGrants(catName, dbName, authorizer, queryWrapper)); } finally { queryWrapper.close(); } @@ -6369,6 +6409,7 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP List result = new ArrayList<>(); for (MDBPrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); String database = priv.getDatabase().getName(); @@ -6378,7 +6419,7 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } @@ -6476,9 +6517,14 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP return mSecurityTabPartList; } - @SuppressWarnings("unchecked") private List listTableAllColumnGrants( String catName, String dbName, String tableName) { + return listTableAllColumnGrants(catName, dbName, tableName, null); + } + + @SuppressWarnings("unchecked") + private List listTableAllColumnGrants( + String catName, String dbName, String tableName, String authorizer) { boolean success = false; Query query = null; List mTblColPrivilegeList = new ArrayList<>(); 
@@ -6489,12 +6535,21 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantP LOG.debug("Executing listTableAllColumnGrants"); openTransaction(); - String queryStr = "table.tableName == t1 && table.database.name == t2 &&" + - "table.database.catalogName == t3"; - query = pm.newQuery(MTableColumnPrivilege.class, queryStr); - query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3"); - List mPrivs = - (List) query.executeWithArray(tableName, dbName, catName); + List mPrivs = null; + if (authorizer != null) { + String queryStr = "table.tableName == t1 && table.database.name == t2 &&" + + "table.database.catalogName == t3 && authorizer == t4"; + query = pm.newQuery(MTableColumnPrivilege.class, queryStr); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, " + + "java.lang.String t4"); + mPrivs = (List) query.executeWithArray(tableName, dbName, catName, authorizer); + } else { + String queryStr = "table.tableName == t1 && table.database.name == t2 &&" + + "table.database.catalogName == t3"; + query = pm.newQuery(MTableColumnPrivilege.class, queryStr); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3"); + mPrivs = (List) query.executeWithArray(tableName, dbName, catName); + } pm.retrieveAll(mPrivs); success = commitTransaction(); @@ -6576,7 +6631,8 @@ private void dropPartitionAllColumnGrantsNoTxn( } @SuppressWarnings("unchecked") - private List listDatabaseGrants(String catName, String dbName, QueryWrapper queryWrapper) { + private List listDatabaseGrants(String catName, String dbName, + String authorizer, QueryWrapper queryWrapper) { dbName = normalizeIdentifier(dbName); catName = normalizeIdentifier(catName); boolean success = false; 
@@ -6584,11 +6640,18 @@ private void dropPartitionAllColumnGrantsNoTxn( LOG.debug("Executing listDatabaseGrants"); openTransaction(); - Query query = queryWrapper.query = pm.newQuery(MDBPrivilege.class, - "database.name == t1 && database.catalogName == t2"); - query.declareParameters("java.lang.String t1, java.lang.String t2"); - List mSecurityDBList = - (List) query.executeWithArray(dbName, catName); + List mSecurityDBList = null; + if (authorizer != null) { + Query query = queryWrapper.query = pm.newQuery(MDBPrivilege.class, + "database.name == t1 && database.catalogName == t2 && authorizer == t3"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3"); + mSecurityDBList = (List) query.executeWithArray(dbName, catName, authorizer); + } else { + Query query = queryWrapper.query = pm.newQuery(MDBPrivilege.class, + "database.name == t1 && database.catalogName == t2"); + query.declareParameters("java.lang.String t1, java.lang.String t2"); + mSecurityDBList = (List) query.executeWithArray(dbName, catName); + } pm.retrieveAll(mSecurityDBList); success = commitTransaction(); LOG.debug("Done retrieving all objects for listDatabaseGrants"); @@ -6667,10 +6730,16 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl return new ObjectPair<>(query, params); } - @SuppressWarnings("unchecked") private List listAllMTableGrants( String principalName, PrincipalType principalType, String catName, String dbName, String tableName) { + return listAllMTableGrants(principalName, principalType, catName, dbName, tableName, null); + } + + @SuppressWarnings("unchecked") + private List listAllMTableGrants( + String principalName, PrincipalType principalType, String catName, String dbName, + String tableName, String authorizer) { tableName = normalizeIdentifier(tableName); dbName = normalizeIdentifier(dbName); catName = normalizeIdentifier(catName); 
@@ -6680,16 +6749,24 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl try { openTransaction(); LOG.debug("Executing listAllTableGrants"); - query = - pm.newQuery(MTablePrivilege.class, - "principalName == t1 && principalType == t2 && table.tableName == t3 &&" + - "table.database.name == t4 && table.database.catalogName == t5"); - query - .declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3," + - "java.lang.String t4, java.lang.String t5"); - List mPrivs = - (List) query.executeWithArray(principalName, principalType.toString(), - tableName, dbName, catName); + List mPrivs; + if (authorizer != null) { + query = pm.newQuery(MTablePrivilege.class, + "principalName == t1 && principalType == t2 && table.tableName == t3 &&" + + "table.database.name == t4 && table.database.catalogName == t5 && authorizer == t6"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3," + + "java.lang.String t4, java.lang.String t5, java.lang.String t6"); + mPrivs = (List) query.executeWithArray(principalName, principalType.toString(), + tableName, dbName, catName, authorizer); + } else { + query = pm.newQuery(MTablePrivilege.class, + "principalName == t1 && principalType == t2 && table.tableName == t3 &&" + + "table.database.name == t4 && table.database.catalogName == t5"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3," + + "java.lang.String t4, java.lang.String t5"); + mPrivs = (List) query.executeWithArray(principalName, principalType.toString(), + tableName, dbName, catName); + } pm.retrieveAll(mPrivs); success = commitTransaction(); 
@@ -6723,16 +6800,22 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl sTbl.getPrincipalName(), principalType, new PrivilegeGrantInfo(sTbl.getPrivilege(), sTbl.getCreateTime(), sTbl .getGrantor(), PrincipalType.valueOf(sTbl - .getGrantorType()), sTbl.getGrantOption())); + .getGrantorType()), sTbl.getGrantOption()), sTbl.getAuthorizer()); result.add(secObj); } return result; } - @SuppressWarnings("unchecked") private List listPrincipalMPartitionGrants( String principalName, PrincipalType principalType, String catName, String dbName, String tableName, String partName) { + return listPrincipalMPartitionGrants(principalName, principalType, catName, dbName, tableName, partName, null); + } + + @SuppressWarnings("unchecked") + private List listPrincipalMPartitionGrants( + String principalName, PrincipalType principalType, String catName, String dbName, + String tableName, String partName, String authorizer) { boolean success = false; Query query = null; tableName = normalizeIdentifier(tableName); 
@@ -6743,17 +6826,26 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl LOG.debug("Executing listPrincipalPartitionGrants"); openTransaction(); - query = - pm.newQuery(MPartitionPrivilege.class, - "principalName == t1 && principalType == t2 && partition.table.tableName == t3 " - + "&& partition.table.database.name == t4 && partition.table.database.catalogName == t5" - + "&& partition.partitionName == t6"); - query - .declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, java.lang.String t4, " - + "java.lang.String t5, java.lang.String t6"); - List mPrivs = - (List) query.executeWithArray(principalName, - principalType.toString(), tableName, dbName, catName, partName); + List mPrivs; + if (authorizer != null) { + query = pm.newQuery(MPartitionPrivilege.class, + "principalName == t1 && principalType == t2 && partition.table.tableName == t3 " + + "&& partition.table.database.name == t4 && partition.table.database.catalogName == t5" + + "&& partition.partitionName == t6 && authorizer == t7"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, java.lang.String t4, " + + "java.lang.String t5, java.lang.String t6, java.lang.String t7"); + mPrivs = (List) query.executeWithArray(principalName, + principalType.toString(), tableName, dbName, catName, partName, authorizer); + } else { + query = pm.newQuery(MPartitionPrivilege.class, + "principalName == t1 && principalType == t2 && partition.table.tableName == t3 " + + "&& partition.table.database.name == t4 && partition.table.database.catalogName == t5" + + "&& partition.partitionName == t6"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, java.lang.String t4, " + + "java.lang.String t5, java.lang.String t6"); + mPrivs = (List) query.executeWithArray(principalName, + principalType.toString(), tableName, dbName, catName, partName); + } pm.retrieveAll(mPrivs); success = 
commitTransaction(); @@ -6790,17 +6882,24 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl new PrivilegeGrantInfo(sPart.getPrivilege(), sPart .getCreateTime(), sPart.getGrantor(), PrincipalType .valueOf(sPart.getGrantorType()), sPart - .getGrantOption())); + .getGrantOption()), sPart.getAuthorizer()); result.add(secObj); } return result; } - @SuppressWarnings("unchecked") private List listPrincipalMTableColumnGrants( String principalName, PrincipalType principalType, String catName, String dbName, String tableName, String columnName) { + return listPrincipalMTableColumnGrants(principalName, principalType, catName, dbName, tableName, + columnName, null); + } + + @SuppressWarnings("unchecked") + private List listPrincipalMTableColumnGrants( + String principalName, PrincipalType principalType, String catName, String dbName, + String tableName, String columnName, String authorizer) { boolean success = false; Query query = null; tableName = normalizeIdentifier(tableName); 
@@ -6811,16 +6910,28 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl LOG.debug("Executing listPrincipalTableColumnGrants"); openTransaction(); - String queryStr = - "principalName == t1 && principalType == t2 && " - + "table.tableName == t3 && table.database.name == t4 && " + - "table.database.catalogName == t5 && columnName == t6 "; - query = pm.newQuery(MTableColumnPrivilege.class, queryStr); - query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, " - + "java.lang.String t4, java.lang.String t5, java.lang.String t6"); - List mPrivs = - (List) query.executeWithArray(principalName, - principalType.toString(), tableName, dbName, catName, columnName); + List mPrivs; + if (authorizer != null) { + String queryStr = + "principalName == t1 && principalType == t2 && " + + "table.tableName == t3 && table.database.name == t4 && " + + "table.database.catalogName == t5 && columnName == t6 && authorizer == t7"; + query = pm.newQuery(MTableColumnPrivilege.class, queryStr); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, " + + "java.lang.String t4, java.lang.String t5, java.lang.String t6, java.lang.String t7"); + mPrivs = (List) query.executeWithArray(principalName, + principalType.toString(), tableName, dbName, catName, columnName, authorizer); + } else { + String queryStr = + "principalName == t1 && principalType == t2 && " + + "table.tableName == t3 && table.database.name == t4 && " + + "table.database.catalogName == t5 && columnName == t6 "; + query = pm.newQuery(MTableColumnPrivilege.class, queryStr); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, " + + "java.lang.String t4, java.lang.String t5, java.lang.String t6"); + mPrivs = (List) query.executeWithArray(principalName, + principalType.toString(), tableName, dbName, catName, columnName); + } pm.retrieveAll(mPrivs); success = commitTransaction(); 
@@ -6856,16 +6967,23 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl new PrivilegeGrantInfo(sCol.getPrivilege(), sCol .getCreateTime(), sCol.getGrantor(), PrincipalType .valueOf(sCol.getGrantorType()), sCol - .getGrantOption())); + .getGrantOption()), sCol.getAuthorizer()); result.add(secObj); } return result; } - @SuppressWarnings("unchecked") private List listPrincipalMPartitionColumnGrants( String principalName, PrincipalType principalType, String catName, String dbName, String tableName, String partitionName, String columnName) { + return listPrincipalMPartitionColumnGrants(principalName, principalType, catName, dbName, + tableName, partitionName, columnName, null); + } + + @SuppressWarnings("unchecked") + private List listPrincipalMPartitionColumnGrants( + String principalName, PrincipalType principalType, String catName, String dbName, + String tableName, String partitionName, String columnName, String authorizer) { boolean success = false; Query query = null; tableName = normalizeIdentifier(tableName); 
@@ -6877,16 +6995,29 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl LOG.debug("Executing listPrincipalPartitionColumnGrants"); openTransaction(); - query = pm.newQuery( - MPartitionColumnPrivilege.class, - "principalName == t1 && principalType == t2 && partition.table.tableName == t3 " - + "&& partition.table.database.name == t4 && partition.table.database.catalogName == t5" + - " && partition.partitionName == t6 && columnName == t7"); - query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, " - + "java.lang.String t4, java.lang.String t5, java.lang.String t6, java.lang.String t7"); - List mPrivs = - (List) query.executeWithArray(principalName, - principalType.toString(), tableName, dbName, catName, partitionName, columnName); + List mPrivs; + if (authorizer != null) { + query = pm.newQuery( + MPartitionColumnPrivilege.class, + "principalName == t1 && principalType == t2 && partition.table.tableName == t3 " + + "&& partition.table.database.name == t4 && partition.table.database.catalogName == t5" + + " && partition.partitionName == t6 && columnName == t7 && authorizer == t8"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, " + + "java.lang.String t4, java.lang.String t5, java.lang.String t6, java.lang.String t7, " + + "java.lang.String t8"); + mPrivs = (List) query.executeWithArray(principalName, + principalType.toString(), tableName, dbName, catName, partitionName, columnName, authorizer); + } else { + query = pm.newQuery( + MPartitionColumnPrivilege.class, + "principalName == t1 && principalType == t2 && partition.table.tableName == t3 " + + "&& partition.table.database.name == t4 && partition.table.database.catalogName == t5" + + " && partition.partitionName == t6 && columnName == t7"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, " + + "java.lang.String t4, java.lang.String t5, java.lang.String t6, 
java.lang.String t7"); + mPrivs = (List) query.executeWithArray(principalName, + principalType.toString(), tableName, dbName, catName, partitionName, columnName); + } pm.retrieveAll(mPrivs); success = commitTransaction(); @@ -6924,7 +7055,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl sCol.getPrincipalName(), principalType, new PrivilegeGrantInfo(sCol.getPrivilege(), sCol .getCreateTime(), sCol.getGrantor(), PrincipalType - .valueOf(sCol.getGrantorType()), sCol.getGrantOption())); + .valueOf(sCol.getGrantorType()), sCol.getGrantOption()), sCol.getAuthorizer()); result.add(secObj); } return result; @@ -6995,6 +7126,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl List result = new ArrayList<>(); for (MPartitionColumnPrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); MPartition mpartition = priv.getPartition(); @@ -7007,7 +7139,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } @@ -7069,6 +7201,11 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl @Override public List listTableGrantsAll(String catName, String dbName, String tableName) { + return listTableGrantsAll(catName, dbName, tableName, null); + } + + private List listTableGrantsAll(String catName, String dbName, String tableName, + String authorizer) { boolean success = false; Query query = null; dbName = normalizeIdentifier(dbName); 
@@ -7076,12 +7213,20 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl try { openTransaction(); LOG.debug("Executing listTableGrantsAll"); - query = - pm.newQuery(MTablePrivilege.class, - "table.tableName == t1 && table.database.name == t2 && table.database.catalogName == t3"); - query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3"); - List mSecurityTabPartList = - (List) query.executeWithArray(tableName, dbName, catName); + List mSecurityTabPartList = null; + if (authorizer != null) { + query = pm.newQuery(MTablePrivilege.class, + "table.tableName == t1 && table.database.name == t2 && table.database.catalogName == t3" + + " && authorizer == t4"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3, " + + "java.lang.String t4"); + mSecurityTabPartList = (List) query.executeWithArray(tableName, dbName, catName, authorizer); + } else { + query = pm.newQuery(MTablePrivilege.class, + "table.tableName == t1 && table.database.name == t2 && table.database.catalogName == t3"); + query.declareParameters("java.lang.String t1, java.lang.String t2, java.lang.String t3"); + mSecurityTabPartList = (List) query.executeWithArray(tableName, dbName, catName); + } LOG.debug("Done executing query for listTableGrantsAll"); pm.retrieveAll(mSecurityTabPartList); List result = convertTable(mSecurityTabPartList); @@ -7097,6 +7242,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl List result = new ArrayList<>(); for (MTablePrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); String table = priv.getTable().getTableName(); 
@@ -7108,7 +7254,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } @@ -7197,6 +7343,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl List result = new ArrayList<>(); for (MPartitionPrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); MPartition mpartition = priv.getPartition(); @@ -7209,7 +7356,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } @@ -7306,6 +7453,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl List result = new ArrayList<>(); for (MTableColumnPrivilege priv : privs) { String pname = priv.getPrincipalName(); + String authorizer = priv.getAuthorizer(); PrincipalType ptype = PrincipalType.valueOf(priv.getPrincipalType()); MTable mtable = priv.getTable(); 
@@ -7317,7 +7465,7 @@ private void dropPartitionGrantsNoTxn(String catName, String dbName, String tabl PrivilegeGrantInfo grantor = new PrivilegeGrantInfo(priv.getPrivilege(), priv.getCreateTime(), priv.getGrantor(), PrincipalType.valueOf(priv.getGrantorType()), priv.getGrantOption()); - result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor)); + result.add(new HiveObjectPrivilege(objectRef, pname, ptype, grantor, authorizer)); } return result; } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/RawStore.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/RawStore.java index ce7d286..283798c 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/RawStore.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/RawStore.java @@ -754,7 +754,7 @@ boolean grantPrivileges (PrivilegeBag privileges) boolean revokePrivileges(PrivilegeBag privileges, boolean grantOption) throws InvalidObjectException, MetaException, NoSuchObjectException; - boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantPrivileges) + boolean refreshPrivileges(HiveObjectRef objToRefresh, String authorizer, PrivilegeBag grantPrivileges) throws InvalidObjectException, MetaException, NoSuchObjectException; org.apache.hadoop.hive.metastore.api.Role getRole( diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/cache/CachedStore.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/cache/CachedStore.java index b223920..9da8d72 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/cache/CachedStore.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/cache/CachedStore.java 
@@ -1452,9 +1452,9 @@ public boolean revokePrivileges(PrivilegeBag privileges, boolean grantOption) } @Override - public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantPrivileges) + public boolean refreshPrivileges(HiveObjectRef objToRefresh, String authorizer, PrivilegeBag grantPrivileges) throws InvalidObjectException, MetaException, NoSuchObjectException { - return rawStore.refreshPrivileges(objToRefresh, grantPrivileges); + return rawStore.refreshPrivileges(objToRefresh, authorizer, grantPrivileges); } @Override diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/client/builder/HiveObjectPrivilegeBuilder.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/client/builder/HiveObjectPrivilegeBuilder.java index d802e1a..ed32f1c 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/client/builder/HiveObjectPrivilegeBuilder.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/client/builder/HiveObjectPrivilegeBuilder.java @@ -31,6 +31,7 @@ private String principleName; private PrincipalType principalType; private PrivilegeGrantInfo grantInfo; + private String authorizer; public HiveObjectPrivilegeBuilder setHiveObjectRef(HiveObjectRef hiveObjectRef) { this.hiveObjectRef = hiveObjectRef; 
@@ -52,12 +53,17 @@ public HiveObjectPrivilegeBuilder setGrantInfo(PrivilegeGrantInfo grantInfo) { return this; } + public HiveObjectPrivilegeBuilder setAuthorizer(String authorizer) { + this.authorizer = authorizer; + return this; + } + public HiveObjectPrivilege build() throws MetaException { if (hiveObjectRef == null || principleName == null || principalType == null || grantInfo == null) { throw new MetaException("hive object reference, principle name and type, and grant info " + "must all be provided"); } - return new HiveObjectPrivilege(hiveObjectRef, principleName, principalType, grantInfo); + return new HiveObjectPrivilege(hiveObjectRef, principleName, principalType, grantInfo, authorizer); } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MDBPrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MDBPrivilege.java index 3d8fa21..5f51692 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MDBPrivilege.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MDBPrivilege.java @@ -36,12 +36,14 @@ private boolean grantOption; + private String authorizer; + public MDBPrivilege() { } public MDBPrivilege(String principalName, String principalType, MDatabase database, String dbPrivileges, int createTime, String grantor, - String grantorType, boolean grantOption) { + String grantorType, boolean grantOption, String authorizer) { super(); this.principalName = principalName; this.principalType = principalType; @@ -51,6 +53,7 @@ public MDBPrivilege(String principalName, String principalType, this.grantorType = grantorType; this.grantOption = grantOption; this.grantor = grantor; + this.authorizer = authorizer; } /** 
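Review bot: `HiveObjectPrivilegeBuilder.build()` still validates only the four original fields, so a caller that never calls `setAuthorizer` gets a `HiveObjectPrivilege` whose authorizer is null, and nothing on the builder says whether that is acceptable. If null is intended, document it on the setter, for example `/** Name of the authorization plugin that owns this grant; optional, may be null. */`. If an authorizer is expected on every new grant, add it to the null check in `build()` and to the `MetaException` message. The meaning of a null authorizer is inferred here from the store-side queries elsewhere in this commit, so the wording should be confirmed against the intended contract.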
@@ -129,4 +132,11 @@ public void setPrincipalType(String principalType) { this.principalType = principalType; } + public String getAuthorizer() { + return authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MGlobalPrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MGlobalPrivilege.java index 5b496e0..a6ce541 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MGlobalPrivilege.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MGlobalPrivilege.java @@ -38,13 +38,15 @@ private boolean grantOption; + private String authorizer; + public MGlobalPrivilege() { super(); } public MGlobalPrivilege(String userName, String principalType, String dbPrivilege, int createTime, String grantor, String grantorType, - boolean grantOption) { + boolean grantOption, String authorizer) { super(); this.principalName = userName; this.principalType = principalType; @@ -53,6 +55,7 @@ public MGlobalPrivilege(String userName, String principalType, this.grantor = grantor; this.grantorType = grantorType; this.grantOption = grantOption; + this.authorizer = authorizer; } /** @@ -117,4 +120,11 @@ public void setGrantorType(String grantorType) { this.grantorType = grantorType; } + public String getAuthorizer() { + return authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionColumnPrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionColumnPrivilege.java index ab50a92..cc87f75 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionColumnPrivilege.java 
+++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionColumnPrivilege.java @@ -39,6 +39,8 @@ private boolean grantOption; + private String authorizer; + public MPartitionColumnPrivilege() { } @@ -52,10 +54,11 @@ public MPartitionColumnPrivilege() { * @param grantor * @param grantorType * @param grantOption + * @param authorizer */ public MPartitionColumnPrivilege(String principalName, String principalType, MPartition partition, String columnName, String privileges, int createTime, - String grantor, String grantorType, boolean grantOption) { + String grantor, String grantorType, boolean grantOption, String authorizer) { super(); this.principalName = principalName; this.principalType = principalType; @@ -66,6 +69,7 @@ public MPartitionColumnPrivilege(String principalName, String principalType, this.grantor = grantor; this.grantorType = grantorType; this.grantOption = grantOption; + this.authorizer = authorizer; } /** @@ -157,5 +161,11 @@ public String getPrincipalType() { public void setPrincipalType(String principalType) { this.principalType = principalType; } + public String getAuthorizer() { + return authorizer; + } + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionPrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionPrivilege.java index 3193bc1..b2ec5e1 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionPrivilege.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MPartitionPrivilege.java 
@@ -36,12 +36,14 @@ private boolean grantOption; + private String authorizer; + public MPartitionPrivilege() { } public MPartitionPrivilege(String principalName, String principalType, MPartition partition, String privilege, int createTime, - String grantor, String grantorType, boolean grantOption) { + String grantor, String grantorType, boolean grantOption, String authorizer) { super(); this.principalName = principalName; this.principalType = principalType; @@ -51,6 +53,7 @@ public MPartitionPrivilege(String principalName, String principalType, this.grantor = grantor; this.grantorType = grantorType; this.grantOption = grantOption; + this.authorizer = authorizer; } public String getPrincipalName() { @@ -136,4 +139,11 @@ public void setGrantorType(String grantorType) { this.grantorType = grantorType; } + public String getAuthorizer() { + return authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTableColumnPrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTableColumnPrivilege.java index ad7322f..e2cc0f1 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTableColumnPrivilege.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTableColumnPrivilege.java @@ -38,6 +38,8 @@ private boolean grantOption; + private String authorizer; + public MTableColumnPrivilege() { } @@ -54,7 +56,7 @@ public MTableColumnPrivilege() { */ public MTableColumnPrivilege(String principalName, String principalType, MTable table, String columnName, String privileges, int createTime, - String grantor, String grantorType, boolean grantOption) { + String grantor, String grantorType, boolean grantOption, String authorizer) { super(); this.principalName = principalName; this.principalType = principalType; 
@@ -65,6 +67,7 @@ public MTableColumnPrivilege(String principalName, String principalType, this.grantor = grantor; this.grantorType = grantorType; this.grantOption = grantOption; + this.authorizer = authorizer; } /** @@ -157,4 +160,11 @@ public void setPrincipalType(String principalType) { this.principalType = principalType; } + public String getAuthorizer() { + return authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } diff --git a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTablePrivilege.java b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTablePrivilege.java index 6460400..f45576c 100644 --- a/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTablePrivilege.java +++ b/standalone-metastore/src/main/java/org/apache/hadoop/hive/metastore/model/MTablePrivilege.java @@ -36,12 +36,14 @@ private boolean grantOption; + private String authorizer; + public MTablePrivilege() { } public MTablePrivilege(String principalName, String principalType, MTable table, String privilege, int createTime, - String grantor, String grantorType, boolean grantOption) { + String grantor, String grantorType, boolean grantOption, String authorizer) { super(); this.principalName = principalName; this.principalType = principalType; @@ -51,6 +53,7 @@ public MTablePrivilege(String principalName, String principalType, this.grantor = grantor; this.grantorType = grantorType; this.grantOption = grantOption; + this.authorizer = authorizer; } public String getPrincipalName() { @@ -136,4 +139,11 @@ public void setGrantorType(String grantorType) { this.grantorType = grantorType; } + public String getAuthorizer() { + return authorizer; + } + + public void setAuthorizer(String authorizer) { + this.authorizer = authorizer; + } } 
diff --git a/standalone-metastore/src/main/resources/package.jdo b/standalone-metastore/src/main/resources/package.jdo index 2d2cb19..1be3e98 100644 --- a/standalone-metastore/src/main/resources/package.jdo +++ b/standalone-metastore/src/main/resources/package.jdo @@ -598,6 +598,7 @@ + @@ -630,11 +631,15 @@ + + + + @@ -671,11 +676,15 @@ + + + + @@ -712,11 +721,15 @@ + + + + @@ -753,11 +766,15 @@ + + + + @@ -798,11 +815,15 @@ + + + + @@ -843,6 +864,9 @@ + + + diff --git a/standalone-metastore/src/main/sql/derby/hive-schema-3.0.0.derby.sql b/standalone-metastore/src/main/sql/derby/hive-schema-3.0.0.derby.sql index e818e1b..fb996ae 100644 --- a/standalone-metastore/src/main/sql/derby/hive-schema-3.0.0.derby.sql +++ b/standalone-metastore/src/main/sql/derby/hive-schema-3.0.0.derby.sql @@ -29,7 +29,7 @@ CREATE TABLE "APP"."TBL_PRIVS" ("TBL_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" IN CREATE TABLE "APP"."DATABASE_PARAMS" ("DB_ID" BIGINT NOT NULL, "PARAM_KEY" VARCHAR(180) NOT NULL, "PARAM_VALUE" VARCHAR(4000)); -CREATE TABLE "APP"."TBL_COL_PRIVS" ("TBL_COLUMN_GRANT_ID" BIGINT NOT NULL, "COLUMN_NAME" VARCHAR(767), "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "TBL_COL_PRIV" VARCHAR(128), "TBL_ID" BIGINT); +CREATE TABLE "APP"."TBL_COL_PRIVS" ("TBL_COLUMN_GRANT_ID" BIGINT NOT NULL, "COLUMN_NAME" VARCHAR(767), "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "TBL_COL_PRIV" VARCHAR(128), "TBL_ID" BIGINT, "AUTHORIZER" VARCHAR(128)); CREATE TABLE "APP"."SERDE_PARAMS" ("SERDE_ID" BIGINT NOT NULL, "PARAM_KEY" VARCHAR(256) NOT NULL, "PARAM_VALUE" CLOB); 
@@ -41,7 +41,7 @@ CREATE TABLE "APP"."CDS" ("CD_ID" BIGINT NOT NULL); CREATE TABLE "APP"."PARTITION_KEY_VALS" ("PART_ID" BIGINT NOT NULL, "PART_KEY_VAL" VARCHAR(256), "INTEGER_IDX" INTEGER NOT NULL); -CREATE TABLE "APP"."DB_PRIVS" ("DB_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "DB_ID" BIGINT, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "DB_PRIV" VARCHAR(128)); +CREATE TABLE "APP"."DB_PRIVS" ("DB_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "DB_ID" BIGINT, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "DB_PRIV" VARCHAR(128), "AUTHORIZER" VARCHAR(128)); CREATE TABLE "APP"."IDXS" ("INDEX_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "DEFERRED_REBUILD" CHAR(1) NOT NULL, "INDEX_HANDLER_CLASS" VARCHAR(4000), "INDEX_NAME" VARCHAR(128), "INDEX_TBL_ID" BIGINT, "LAST_ACCESS_TIME" INTEGER NOT NULL, "ORIG_TBL_ID" BIGINT, "SD_ID" BIGINT); 
@@ -51,13 +51,13 @@ CREATE TABLE "APP"."PARTITIONS" ("PART_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGE CREATE TABLE "APP"."SERDES" ("SERDE_ID" BIGINT NOT NULL, "NAME" VARCHAR(128), "SLIB" VARCHAR(4000), "DESCRIPTION" VARCHAR(4000), "SERIALIZER_CLASS" VARCHAR(4000), "DESERIALIZER_CLASS" VARCHAR(4000), SERDE_TYPE INTEGER); -CREATE TABLE "APP"."PART_PRIVS" ("PART_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PART_ID" BIGINT, "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "PART_PRIV" VARCHAR(128)); +CREATE TABLE "APP"."PART_PRIVS" ("PART_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PART_ID" BIGINT, "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "PART_PRIV" VARCHAR(128), "AUTHORIZER" VARCHAR(128)); CREATE TABLE "APP"."ROLE_MAP" ("ROLE_GRANT_ID" BIGINT NOT NULL, "ADD_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "ROLE_ID" BIGINT); CREATE TABLE "APP"."TYPES" ("TYPES_ID" BIGINT NOT NULL, "TYPE_NAME" VARCHAR(128), "TYPE1" VARCHAR(767), "TYPE2" VARCHAR(767)); -CREATE TABLE "APP"."GLOBAL_PRIVS" ("USER_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "USER_PRIV" VARCHAR(128)); +CREATE TABLE "APP"."GLOBAL_PRIVS" ("USER_GRANT_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "USER_PRIV" VARCHAR(128), "AUTHORIZER" VARCHAR(128)); CREATE TABLE "APP"."PARTITION_PARAMS" ("PART_ID" BIGINT NOT NULL, "PARAM_KEY" VARCHAR(256) NOT 
NULL, "PARAM_VALUE" VARCHAR(4000)); @@ -79,7 +79,7 @@ CREATE TABLE "APP"."TBLS" ("TBL_ID" BIGINT NOT NULL, "CREATE_TIME" INTEGER NOT N CREATE TABLE "APP"."PARTITION_KEYS" ("TBL_ID" BIGINT NOT NULL, "PKEY_COMMENT" VARCHAR(4000), "PKEY_NAME" VARCHAR(128) NOT NULL, "PKEY_TYPE" VARCHAR(767) NOT NULL, "INTEGER_IDX" INTEGER NOT NULL); -CREATE TABLE "APP"."PART_COL_PRIVS" ("PART_COLUMN_GRANT_ID" BIGINT NOT NULL, "COLUMN_NAME" VARCHAR(767), "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PART_ID" BIGINT, "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "PART_COL_PRIV" VARCHAR(128)); +CREATE TABLE "APP"."PART_COL_PRIVS" ("PART_COLUMN_GRANT_ID" BIGINT NOT NULL, "COLUMN_NAME" VARCHAR(767), "CREATE_TIME" INTEGER NOT NULL, "GRANT_OPTION" SMALLINT NOT NULL, "GRANTOR" VARCHAR(128), "GRANTOR_TYPE" VARCHAR(128), "PART_ID" BIGINT, "PRINCIPAL_NAME" VARCHAR(128), "PRINCIPAL_TYPE" VARCHAR(128), "PART_COL_PRIV" VARCHAR(128), "AUTHORIZER" VARCHAR(128)); CREATE TABLE "APP"."SDS" ("SD_ID" BIGINT NOT NULL, "INPUT_FORMAT" VARCHAR(4000), "IS_COMPRESSED" CHAR(1) NOT NULL, "LOCATION" VARCHAR(4000), "NUM_BUCKETS" INTEGER NOT NULL, "OUTPUT_FORMAT" VARCHAR(4000), "SERDE_ID" BIGINT, "CD_ID" BIGINT, "IS_STOREDASSUBDIRECTORIES" CHAR(1) NOT NULL); 
@@ -225,17 +225,17 @@ INSERT INTO "APP"."SEQUENCE_TABLE" ("SEQUENCE_NAME", "NEXT_VAL") SELECT * FROM ( CREATE UNIQUE INDEX "APP"."UNIQUEINDEX" ON "APP"."IDXS" ("INDEX_NAME", "ORIG_TBL_ID"); -CREATE INDEX "APP"."TABLECOLUMNPRIVILEGEINDEX" ON "APP"."TBL_COL_PRIVS" ("TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "APP"."TABLECOLUMNPRIVILEGEINDEX" ON "APP"."TBL_COL_PRIVS" ("AUTHORIZER", "TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); -CREATE UNIQUE INDEX "APP"."DBPRIVILEGEINDEX" ON "APP"."DB_PRIVS" ("DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE UNIQUE INDEX "APP"."DBPRIVILEGEINDEX" ON "APP"."DB_PRIVS" ("AUTHORIZER", "DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); CREATE INDEX "APP"."PCS_STATS_IDX" ON "APP"."PART_COL_STATS" ("CAT_NAME", "DB_NAME","TABLE_NAME","COLUMN_NAME","PARTITION_NAME"); -CREATE INDEX "APP"."PARTPRIVILEGEINDEX" ON "APP"."PART_PRIVS" ("PART_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "APP"."PARTPRIVILEGEINDEX" ON "APP"."PART_PRIVS" ("AUTHORIZER", "PART_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_PRIV", "GRANTOR", "GRANTOR_TYPE"); CREATE UNIQUE INDEX "APP"."ROLEENTITYINDEX" ON "APP"."ROLES" ("ROLE_NAME"); -CREATE INDEX "APP"."TABLEPRIVILEGEINDEX" ON "APP"."TBL_PRIVS" ("TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "APP"."TABLEPRIVILEGEINDEX" ON "APP"."TBL_PRIVS" ("AUTHORIZER", "TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); CREATE UNIQUE INDEX "APP"."UNIQUETABLE" ON "APP"."TBLS" ("TBL_NAME", "DB_ID"); 
@@ -243,11 +243,11 @@ CREATE UNIQUE INDEX "APP"."UNIQUE_DATABASE" ON "APP"."DBS" ("NAME", "CTLG_NAME") CREATE UNIQUE INDEX "APP"."USERROLEMAPINDEX" ON "APP"."ROLE_MAP" ("PRINCIPAL_NAME", "ROLE_ID", "GRANTOR", "GRANTOR_TYPE"); -CREATE UNIQUE INDEX "APP"."GLOBALPRIVILEGEINDEX" ON "APP"."GLOBAL_PRIVS" ("PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE UNIQUE INDEX "APP"."GLOBALPRIVILEGEINDEX" ON "APP"."GLOBAL_PRIVS" ("AUTHORIZER", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); CREATE UNIQUE INDEX "APP"."UNIQUE_TYPE" ON "APP"."TYPES" ("TYPE_NAME"); -CREATE INDEX "APP"."PARTITIONCOLUMNPRIVILEGEINDEX" ON "APP"."PART_COL_PRIVS" ("PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "APP"."PARTITIONCOLUMNPRIVILEGEINDEX" ON "APP"."PART_COL_PRIVS" ("AUTHORIZER", "PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); CREATE UNIQUE INDEX "APP"."UNIQUEPARTITION" ON "APP"."PARTITIONS" ("PART_NAME", "TBL_ID"); diff --git a/standalone-metastore/src/main/sql/derby/upgrade-2.3.0-to-3.0.0.derby.sql b/standalone-metastore/src/main/sql/derby/upgrade-2.3.0-to-3.0.0.derby.sql index 7b7a8a2..4b91ce4 100644 --- a/standalone-metastore/src/main/sql/derby/upgrade-2.3.0-to-3.0.0.derby.sql +++ b/standalone-metastore/src/main/sql/derby/upgrade-2.3.0-to-3.0.0.derby.sql 
@@ -279,6 +279,31 @@ INSERT INTO TXN_TO_WRITE_ID (T2W_DATABASE, T2W_TABLE, T2W_TXNID, T2W_WRITEID) UPDATE TXN_COMPONENTS SET TC_WRITEID = TC_TXNID; UPDATE COMPLETED_TXN_COMPONENTS SET CTC_WRITEID = CTC_TXNID; +-- HIVE-19440 +ALTER TABLE "APP"."GLOBAL_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."GLOBALPRIVILEGEINDEX"; +CREATE UNIQUE INDEX "APP"."GLOBALPRIVILEGEINDEX" ON "APP"."GLOBAL_PRIVS" ("AUTHORIZER", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "APP"."DB_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."DBPRIVILEGEINDEX"; +CREATE UNIQUE INDEX "APP"."DBPRIVILEGEINDEX" ON "APP"."DB_PRIVS" ("AUTHORIZER", "DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "APP"."TBL_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."TABLEPRIVILEGEINDEX"; +CREATE INDEX "APP"."TABLEPRIVILEGEINDEX" ON "APP"."TBL_PRIVS" ("AUTHORIZER", "TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "APP"."PART_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."PARTPRIVILEGEINDEX"; +CREATE INDEX "APP"."PARTPRIVILEGEINDEX" ON "APP"."PART_PRIVS" ("AUTHORIZER", "PART_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "APP"."TBL_COL_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."TABLECOLUMNPRIVILEGEINDEX"; +CREATE INDEX "APP"."TABLECOLUMNPRIVILEGEINDEX" ON "APP"."TBL_COL_PRIVS" ("AUTHORIZER", "TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "APP"."PART_COL_PRIVS" ADD "AUTHORIZER" VARCHAR(128); +DROP INDEX "APP"."PARTITIONCOLUMNPRIVILEGEINDEX"; +CREATE INDEX "APP"."PARTITIONCOLUMNPRIVILEGEINDEX" ON "APP"."PART_COL_PRIVS" ("AUTHORIZER", "PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + -- This needs to be the last thing done. 
Insert any changes above this line. UPDATE "APP".VERSION SET SCHEMA_VERSION='3.0.0', VERSION_COMMENT='Hive release version 3.0.0' where VER_ID=1; diff --git a/standalone-metastore/src/main/sql/mssql/hive-schema-3.0.0.mssql.sql b/standalone-metastore/src/main/sql/mssql/hive-schema-3.0.0.mssql.sql index c88fb18..5b52320 100644 --- a/standalone-metastore/src/main/sql/mssql/hive-schema-3.0.0.mssql.sql +++ b/standalone-metastore/src/main/sql/mssql/hive-schema-3.0.0.mssql.sql @@ -112,7 +112,8 @@ CREATE TABLE PART_PRIVS PART_ID bigint NULL, PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, - PART_PRIV nvarchar(128) NULL + PART_PRIV nvarchar(128) NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE PART_PRIVS ADD CONSTRAINT PART_PRIVS_PK PRIMARY KEY (PART_GRANT_ID); @@ -177,7 +178,8 @@ CREATE TABLE GLOBAL_PRIVS GRANTOR_TYPE nvarchar(128) NULL, PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, - USER_PRIV nvarchar(128) NULL + USER_PRIV nvarchar(128) NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE GLOBAL_PRIVS ADD CONSTRAINT GLOBAL_PRIVS_PK PRIMARY KEY (USER_GRANT_ID); @@ -194,7 +196,8 @@ CREATE TABLE PART_COL_PRIVS PART_ID bigint NULL, PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, - PART_COL_PRIV nvarchar(128) NULL + PART_COL_PRIV nvarchar(128) NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE PART_COL_PRIVS ADD CONSTRAINT PART_COL_PRIVS_PK PRIMARY KEY (PART_COLUMN_GRANT_ID); @@ -210,7 +213,8 @@ CREATE TABLE DB_PRIVS GRANTOR_TYPE nvarchar(128) NULL, PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, - DB_PRIV nvarchar(128) NULL + DB_PRIV nvarchar(128) NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE DB_PRIVS ADD CONSTRAINT DB_PRIVS_PK PRIMARY KEY (DB_GRANT_ID); 
@@ -265,7 +269,8 @@ CREATE TABLE TBL_PRIVS PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, TBL_PRIV nvarchar(128) NULL, - TBL_ID bigint NULL + TBL_ID bigint NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE TBL_PRIVS ADD CONSTRAINT TBL_PRIVS_PK PRIMARY KEY (TBL_GRANT_ID); @@ -296,7 +301,8 @@ CREATE TABLE TBL_COL_PRIVS PRINCIPAL_NAME nvarchar(128) NULL, PRINCIPAL_TYPE nvarchar(128) NULL, TBL_COL_PRIV nvarchar(128) NULL, - TBL_ID bigint NULL + TBL_ID bigint NULL, + AUTHORIZER nvarchar(128) NULL ); ALTER TABLE TBL_COL_PRIVS ADD CONSTRAINT TBL_COL_PRIVS_PK PRIMARY KEY (TBL_COLUMN_GRANT_ID); @@ -721,7 +727,7 @@ CREATE INDEX PART_COL_STATS_N49 ON PART_COL_STATS (PART_ID); -- Constraints for table PART_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MPartitionPrivilege] ALTER TABLE PART_PRIVS ADD CONSTRAINT PART_PRIVS_FK1 FOREIGN KEY (PART_ID) REFERENCES PARTITIONS (PART_ID) ; -CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (AUTHORIZER,PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX PART_PRIVS_N49 ON PART_PRIVS (PART_ID); @@ -749,7 +755,7 @@ CREATE UNIQUE INDEX UNIQUEPARTITION ON PARTITIONS (PART_NAME,TBL_ID); -- Constraints for table VERSION for class(es) [org.apache.hadoop.hive.metastore.model.MVersionTable] -- Constraints for table GLOBAL_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MGlobalPrivilege] -CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (AUTHORIZER,PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table PART_COL_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MPartitionColumnPrivilege] 
@@ -757,13 +763,13 @@ ALTER TABLE PART_COL_PRIVS ADD CONSTRAINT PART_COL_PRIVS_FK1 FOREIGN KEY (PART_I CREATE INDEX PART_COL_PRIVS_N49 ON PART_COL_PRIVS (PART_ID); -CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (AUTHORIZE,PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table DB_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MDBPrivilege] ALTER TABLE DB_PRIVS ADD CONSTRAINT DB_PRIVS_FK1 FOREIGN KEY (DB_ID) REFERENCES DBS (DB_ID) ; -CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (AUTHORIZER,DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX DB_PRIVS_N49 ON DB_PRIVS (DB_ID); @@ -783,7 +789,7 @@ ALTER TABLE TBL_PRIVS ADD CONSTRAINT TBL_PRIVS_FK1 FOREIGN KEY (TBL_ID) REFERENC CREATE INDEX TBL_PRIVS_N49 ON TBL_PRIVS (TBL_ID); -CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (AUTHORIZER,TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table DBS for class(es) [org.apache.hadoop.hive.metastore.model.MDatabase] 
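Review bot: The new PARTITIONCOLUMNPRIVILEGEINDEX definition in the `@@ -757,13 +763,13 @@` hunk names a column `AUTHORIZE`, but the column added to PART_COL_PRIVS earlier in this file is `AUTHORIZER`. The statement should therefore fail on SQL Server with an invalid-column error and leave a fresh schema without that index. It should read `CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (AUTHORIZER,PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE);`. The same misspelling is in the last CREATE INDEX of the `@@ -346,6 +346,31 @@` hunk of upgrade-2.3.0-to-3.0.0.mssql.sql, where it runs after `DROP INDEX PART_COL_PRIVS.PARTITIONCOLUMNPRIVILEGEINDEX`. An upgraded metastore would thus lose the old index and, depending on how the script runner handles errors, may stop before the VERSION update.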
@@ -793,7 +799,7 @@ CREATE UNIQUE INDEX UNIQUEDATABASE ON DBS ("NAME", "CTLG_NAME"); -- Constraints for table TBL_COL_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MTableColumnPrivilege] ALTER TABLE TBL_COL_PRIVS ADD CONSTRAINT TBL_COL_PRIVS_FK1 FOREIGN KEY (TBL_ID) REFERENCES TBLS (TBL_ID) ; -CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (AUTHORIZER,TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX TBL_COL_PRIVS_N49 ON TBL_COL_PRIVS (TBL_ID); diff --git a/standalone-metastore/src/main/sql/mssql/upgrade-2.3.0-to-3.0.0.mssql.sql b/standalone-metastore/src/main/sql/mssql/upgrade-2.3.0-to-3.0.0.mssql.sql index 14c3deb..5d80f4a 100644 --- a/standalone-metastore/src/main/sql/mssql/upgrade-2.3.0-to-3.0.0.mssql.sql +++ b/standalone-metastore/src/main/sql/mssql/upgrade-2.3.0-to-3.0.0.mssql.sql 
@@ -346,6 +346,31 @@ INSERT INTO TXN_TO_WRITE_ID (T2W_DATABASE, T2W_TABLE, T2W_TXNID, T2W_WRITEID) UPDATE TXN_COMPONENTS SET TC_WRITEID = TC_TXNID; UPDATE COMPLETED_TXN_COMPONENTS SET CTC_WRITEID = CTC_TXNID; +-- HIVE-19440 +ALTER TABLE GLOBAL_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX GLOBAL_PRIVS.GLOBALPRIVILEGEINDEX; +CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (AUTHORIZER,PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE DB_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX DB_PRIVS.DBPRIVILEGEINDEX; +CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (AUTHORIZER,DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE TBL_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX TBL_PRIVS.TABLEPRIVILEGEINDEX; +CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (AUTHORIZER,TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE PART_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX PART_PRIVS.PARTPRIVILEGEINDEX; +CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (AUTHORIZER,PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE TBL_COL_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX TBL_COL_PRIVS.TABLECOLUMNPRIVILEGEINDEX; +CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (AUTHORIZER,TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE PART_COL_PRIVS ADD AUTHORIZER nvarchar(128) NULL; +DROP INDEX PART_COL_PRIVS.PARTITIONCOLUMNPRIVILEGEINDEX; +CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (AUTHORIZE,PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); + -- These lines need to be last. Insert any changes above. UPDATE VERSION SET SCHEMA_VERSION='3.0.0', VERSION_COMMENT='Hive release version 3.0.0' where VER_ID=1; SELECT 'Finished upgrading MetaStore schema from 2.3.0 to 3.0.0' AS MESSAGE; 
diff --git a/standalone-metastore/src/main/sql/mysql/hive-schema-3.0.0.mysql.sql b/standalone-metastore/src/main/sql/mysql/hive-schema-3.0.0.mysql.sql index c54df55..1cca25a 100644 --- a/standalone-metastore/src/main/sql/mysql/hive-schema-3.0.0.mysql.sql +++ b/standalone-metastore/src/main/sql/mysql/hive-schema-3.0.0.mysql.sql @@ -122,8 +122,9 @@ CREATE TABLE IF NOT EXISTS `DB_PRIVS` ( `PRINCIPAL_NAME` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `DB_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`DB_GRANT_ID`), - UNIQUE KEY `DBPRIVILEGEINDEX` (`DB_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`DB_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), + UNIQUE KEY `DBPRIVILEGEINDEX` (`AUTHORIZER`,`DB_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`DB_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), KEY `DB_PRIVS_N49` (`DB_ID`), CONSTRAINT `DB_PRIVS_FK1` FOREIGN KEY (`DB_ID`) REFERENCES `DBS` (`DB_ID`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; @@ -144,8 +145,9 @@ CREATE TABLE IF NOT EXISTS `GLOBAL_PRIVS` ( `PRINCIPAL_NAME` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `USER_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`USER_GRANT_ID`), - UNIQUE KEY `GLOBALPRIVILEGEINDEX` (`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`USER_PRIV`,`GRANTOR`,`GRANTOR_TYPE`) + UNIQUE KEY `GLOBALPRIVILEGEINDEX` (`AUTHORIZER`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`USER_PRIV`,`GRANTOR`,`GRANTOR_TYPE`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; 
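Review bot: `AUTHORIZER` is declared `DEFAULT NULL` and then placed first in the UNIQUE KEY `DBPRIVILEGEINDEX` (and in `GLOBALPRIVILEGEINDEX` in the next hunk). MySQL does not treat NULLs as equal in a unique index, so two otherwise identical grants whose authorizer is NULL are no longer rejected by this key. As far as this diff shows, that case is reachable: upgrade-2.3.0-to-3.0.0.mysql.sql adds the column with `DEFAULT NULL` and no backfill, so every pre-existing grant gets NULL, and `HiveObjectPrivilegeBuilder.build()` accepts an unset authorizer. SQL Server's unique index admits only one NULL per key, so the back ends would not agree on what counts as a duplicate grant. Consider backfilling existing rows in the upgrade scripts and declaring the column NOT NULL, or adding a comment next to the key that rows with a NULL authorizer are outside the uniqueness guarantee.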
@@ -317,9 +319,10 @@ CREATE TABLE IF NOT EXISTS `PART_COL_PRIVS` ( `PRINCIPAL_NAME` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PART_COL_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`PART_COLUMN_GRANT_ID`), KEY `PART_COL_PRIVS_N49` (`PART_ID`), - KEY `PARTITIONCOLUMNPRIVILEGEINDEX` (`PART_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), + KEY `PARTITIONCOLUMNPRIVILEGEINDEX` (`AUTHORIZER`,`PART_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), CONSTRAINT `PART_COL_PRIVS_FK1` FOREIGN KEY (`PART_ID`) REFERENCES `PARTITIONS` (`PART_ID`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; @@ -340,8 +343,9 @@ CREATE TABLE IF NOT EXISTS `PART_PRIVS` ( `PRINCIPAL_NAME` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `PART_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`PART_GRANT_ID`), - KEY `PARTPRIVILEGEINDEX` (`PART_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), + KEY `PARTPRIVILEGEINDEX` (`AUTHORIZER`,`PART_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), KEY `PART_PRIVS_N49` (`PART_ID`), CONSTRAINT `PART_PRIVS_FK1` FOREIGN KEY (`PART_ID`) REFERENCES `PARTITIONS` (`PART_ID`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; 
@@ -665,8 +669,9 @@ CREATE TABLE IF NOT EXISTS `TBL_COL_PRIVS` ( `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `TBL_COL_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `TBL_ID` bigint(20) DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`TBL_COLUMN_GRANT_ID`), - KEY `TABLECOLUMNPRIVILEGEINDEX` (`TBL_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), + KEY `TABLECOLUMNPRIVILEGEINDEX` (`AUTHORIZER`,`TBL_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), KEY `TBL_COL_PRIVS_N49` (`TBL_ID`), CONSTRAINT `TBL_COL_PRIVS_FK1` FOREIGN KEY (`TBL_ID`) REFERENCES `TBLS` (`TBL_ID`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; @@ -688,9 +693,10 @@ CREATE TABLE IF NOT EXISTS `TBL_PRIVS` ( `PRINCIPAL_TYPE` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `TBL_PRIV` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, `TBL_ID` bigint(20) DEFAULT NULL, + `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL, PRIMARY KEY (`TBL_GRANT_ID`), KEY `TBL_PRIVS_N49` (`TBL_ID`), - KEY `TABLEPRIVILEGEINDEX` (`TBL_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), + KEY `TABLEPRIVILEGEINDEX` (`AUTHORIZER`,`TBL_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`), CONSTRAINT `TBL_PRIVS_FK1` FOREIGN KEY (`TBL_ID`) REFERENCES `TBLS` (`TBL_ID`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1; /*!40101 SET character_set_client = @saved_cs_client */; diff --git a/standalone-metastore/src/main/sql/mysql/upgrade-2.3.0-to-3.0.0.mysql.sql b/standalone-metastore/src/main/sql/mysql/upgrade-2.3.0-to-3.0.0.mysql.sql index 9b87563..6ce418c 100644 --- a/standalone-metastore/src/main/sql/mysql/upgrade-2.3.0-to-3.0.0.mysql.sql +++ b/standalone-metastore/src/main/sql/mysql/upgrade-2.3.0-to-3.0.0.mysql.sql 
@@ -319,8 +319,33 @@ UPDATE COMPLETED_TXN_COMPONENTS SET CTC_WRITEID = CTC_TXNID; ALTER TABLE TXN_COMPONENTS MODIFY COLUMN TC_TABLE varchar(128) NULL; +-- HIVE-19440 +ALTER TABLE `GLOBAL_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `GLOBAL_PRIVS` DROP INDEX `GLOBALPRIVILEGEINDEX`; +ALTER TABLE `GLOBAL_PRIVS` ADD CONSTRAINT `GLOBALPRIVILEGEINDEX` UNIQUE(`AUTHORIZER`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`USER_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + +ALTER TABLE `DB_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `DB_PRIVS` DROP INDEX `DBPRIVILEGEINDEX`; +ALTER TABLE `DB_PRIVS` ADD CONSTRAINT `DBPRIVILEGEINDEX` UNIQUE(`AUTHORIZER`,`DB_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`DB_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + +ALTER TABLE `TBL_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `TBL_PRIVS` DROP INDEX `TABLEPRIVILEGEINDEX`; +ALTER TABLE `TBL_PRIVS` ADD INDEX `TABLEPRIVILEGEINDEX` (`AUTHORIZER`,`TBL_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + +ALTER TABLE `PART_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `PART_PRIVS` DROP INDEX `PARTPRIVILEGEINDEX`; +ALTER TABLE `PART_PRIVS` ADD INDEX `PARTPRIVILEGEINDEX` (`AUTHORIZER`,`PART_ID`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + +ALTER TABLE `TBL_COL_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `TBL_COL_PRIVS` DROP INDEX `TABLECOLUMNPRIVILEGEINDEX`; +ALTER TABLE `TBL_COL_PRIVS` ADD INDEX `TABLECOLUMNPRIVILEGEINDEX` (`AUTHORIZER`,`TBL_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`TBL_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + +ALTER TABLE `PART_COL_PRIVS` ADD `AUTHORIZER` varchar(128) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; +ALTER TABLE `PART_COL_PRIVS` DROP INDEX 
`PARTITIONCOLUMNPRIVILEGEINDEX`; +ALTER TABLE `PART_COL_PRIVS` ADD INDEX `PARTITIONCOLUMNPRIVILEGEINDEX` (`AUTHORIZER`,`PART_ID`,`COLUMN_NAME`,`PRINCIPAL_NAME`,`PRINCIPAL_TYPE`,`PART_COL_PRIV`,`GRANTOR`,`GRANTOR_TYPE`); + -- These lines need to be last. Insert any changes above. UPDATE VERSION SET SCHEMA_VERSION='3.0.0', VERSION_COMMENT='Hive release version 3.0.0' where VER_ID=1; SELECT 'Finished upgrading MetaStore schema from 2.3.0 to 3.0.0' AS ' '; -ALTER TABLE `TBLS` ADD COLUMN `OWNER_TYPE` VARCHAR(10) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; \ No newline at end of file +ALTER TABLE `TBLS` ADD COLUMN `OWNER_TYPE` VARCHAR(10) CHARACTER SET latin1 COLLATE latin1_bin DEFAULT NULL; diff --git a/standalone-metastore/src/main/sql/oracle/hive-schema-3.0.0.oracle.sql b/standalone-metastore/src/main/sql/oracle/hive-schema-3.0.0.oracle.sql index 63cc1f7..33ccace 100644 --- a/standalone-metastore/src/main/sql/oracle/hive-schema-3.0.0.oracle.sql +++ b/standalone-metastore/src/main/sql/oracle/hive-schema-3.0.0.oracle.sql @@ -39,7 +39,8 @@ CREATE TABLE PART_COL_PRIVS PART_ID NUMBER NULL, PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, - PART_COL_PRIV VARCHAR2(128) NULL + PART_COL_PRIV VARCHAR2(128) NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE PART_COL_PRIVS ADD CONSTRAINT PART_COL_PRIVS_PK PRIMARY KEY (PART_COLUMN_GRANT_ID); @@ -189,7 +190,8 @@ CREATE TABLE TBL_COL_PRIVS PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, TBL_COL_PRIV VARCHAR2(128) NULL, - TBL_ID NUMBER NULL + TBL_ID NUMBER NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE TBL_COL_PRIVS ADD CONSTRAINT TBL_COL_PRIVS_PK PRIMARY KEY (TBL_COLUMN_GRANT_ID); 
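Review bot: The rebuilt `GLOBALPRIVILEGEINDEX` and `DBPRIVILEGEINDEX` unique constraints in the HIVE-19440 block of upgrade-2.3.0-to-3.0.0.mysql.sql now lead with the nullable `AUTHORIZER` column, and every grant row that exists at upgrade time gets NULL there. MySQL unique indexes accept any number of rows whose key contains NULL, so for those legacy grants the constraint no longer rejects duplicates; a duplicated privilege row may outlive a later revoke, depending on how the store deletes rows. No backfill is visible in this hunk, so either populate `AUTHORIZER` for existing rows before re-adding the constraints or state the intent in the script, e.g. `-- AUTHORIZER stays NULL for pre-3.0.0 grants; uniqueness is not enforced for those rows`. The Oracle and Postgres upgrade hunks use the same nullable leading column, and NULL handling in unique keys differs per engine, so the three scripts may not end up enforcing the same rule.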
@@ -252,7 +254,8 @@ CREATE TABLE GLOBAL_PRIVS GRANTOR_TYPE VARCHAR2(128) NULL, PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, - USER_PRIV VARCHAR2(128) NULL + USER_PRIV VARCHAR2(128) NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE GLOBAL_PRIVS ADD CONSTRAINT GLOBAL_PRIVS_PK PRIMARY KEY (USER_GRANT_ID); @@ -305,7 +308,8 @@ CREATE TABLE TBL_PRIVS PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, TBL_PRIV VARCHAR2(128) NULL, - TBL_ID NUMBER NULL + TBL_ID NUMBER NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE TBL_PRIVS ADD CONSTRAINT TBL_PRIVS_PK PRIMARY KEY (TBL_GRANT_ID); @@ -356,7 +360,8 @@ CREATE TABLE PART_PRIVS PART_ID NUMBER NULL, PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, - PART_PRIV VARCHAR2(128) NULL + PART_PRIV VARCHAR2(128) NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE PART_PRIVS ADD CONSTRAINT PART_PRIVS_PK PRIMARY KEY (PART_GRANT_ID); @@ -372,7 +377,8 @@ CREATE TABLE DB_PRIVS GRANTOR_TYPE VARCHAR2(128) NULL, PRINCIPAL_NAME VARCHAR2(128) NULL, PRINCIPAL_TYPE VARCHAR2(128) NULL, - DB_PRIV VARCHAR2(128) NULL + DB_PRIV VARCHAR2(128) NULL, + AUTHORIZER VARCHAR2(128) NULL ); ALTER TABLE DB_PRIVS ADD CONSTRAINT DB_PRIVS_PK PRIMARY KEY (DB_GRANT_ID); @@ -683,7 +689,7 @@ ALTER TABLE PART_COL_PRIVS ADD CONSTRAINT PART_COL_PRIVS_FK1 FOREIGN KEY (PART_I CREATE INDEX PART_COL_PRIVS_N49 ON PART_COL_PRIVS (PART_ID); -CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (AUTHORIZER,PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table COLUMNS_V2 
@@ -745,7 +751,7 @@ CREATE INDEX INDEX_PARAMS_N49 ON INDEX_PARAMS (INDEX_ID); -- Constraints for table TBL_COL_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MTableColumnPrivilege] ALTER TABLE TBL_COL_PRIVS ADD CONSTRAINT TBL_COL_PRIVS_FK1 FOREIGN KEY (TBL_ID) REFERENCES TBLS (TBL_ID) INITIALLY DEFERRED ; -CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (AUTHORIZER,TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX TBL_COL_PRIVS_N49 ON TBL_COL_PRIVS (TBL_ID); @@ -785,7 +791,7 @@ CREATE INDEX SD_PARAMS_N49 ON SD_PARAMS (SD_ID); -- Constraints for table GLOBAL_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MGlobalPrivilege] -CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (AUTHORIZER,PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table SDS for class(es) [org.apache.hadoop.hive.metastore.model.MStorageDescriptor] @@ -813,7 +819,7 @@ ALTER TABLE TBL_PRIVS ADD CONSTRAINT TBL_PRIVS_FK1 FOREIGN KEY (TBL_ID) REFERENC CREATE INDEX TBL_PRIVS_N49 ON TBL_PRIVS (TBL_ID); -CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (AUTHORIZER,TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); -- Constraints for table DATABASE_PARAMS 
@@ -839,7 +845,7 @@ CREATE INDEX SERDE_PARAMS_N49 ON SERDE_PARAMS (SERDE_ID); -- Constraints for table PART_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MPartitionPrivilege] ALTER TABLE PART_PRIVS ADD CONSTRAINT PART_PRIVS_FK1 FOREIGN KEY (PART_ID) REFERENCES PARTITIONS (PART_ID) INITIALLY DEFERRED ; -CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (AUTHORIZER,PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX PART_PRIVS_N49 ON PART_PRIVS (PART_ID); @@ -847,7 +853,7 @@ CREATE INDEX PART_PRIVS_N49 ON PART_PRIVS (PART_ID); -- Constraints for table DB_PRIVS for class(es) [org.apache.hadoop.hive.metastore.model.MDBPrivilege] ALTER TABLE DB_PRIVS ADD CONSTRAINT DB_PRIVS_FK1 FOREIGN KEY (DB_ID) REFERENCES DBS (DB_ID) INITIALLY DEFERRED ; -CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); +CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (AUTHORIZER,DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); CREATE INDEX DB_PRIVS_N49 ON DB_PRIVS (DB_ID); diff --git a/standalone-metastore/src/main/sql/oracle/upgrade-2.3.0-to-3.0.0.oracle.sql b/standalone-metastore/src/main/sql/oracle/upgrade-2.3.0-to-3.0.0.oracle.sql index ce3437f..d13226e 100644 --- a/standalone-metastore/src/main/sql/oracle/upgrade-2.3.0-to-3.0.0.oracle.sql +++ b/standalone-metastore/src/main/sql/oracle/upgrade-2.3.0-to-3.0.0.oracle.sql 
@@ -335,8 +335,34 @@ INSERT INTO TXN_TO_WRITE_ID (T2W_DATABASE, T2W_TABLE, T2W_TXNID, T2W_WRITEID) UPDATE TXN_COMPONENTS SET TC_WRITEID = TC_TXNID; UPDATE COMPLETED_TXN_COMPONENTS SET CTC_WRITEID = CTC_TXNID; +-- HIVE-19440 +ALTER TABLE GLOBAL_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX GLOBALPRIVILEGEINDEX; +CREATE UNIQUE INDEX GLOBALPRIVILEGEINDEX ON GLOBAL_PRIVS (AUTHORIZER,PRINCIPAL_NAME,PRINCIPAL_TYPE,USER_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE DB_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX DBPRIVILEGEINDEX; +CREATE UNIQUE INDEX DBPRIVILEGEINDEX ON DB_PRIVS (AUTHORIZER,DB_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,DB_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE TBL_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX TABLEPRIVILEGEINDEX; +CREATE INDEX TABLEPRIVILEGEINDEX ON TBL_PRIVS (AUTHORIZER,TBL_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_PRIV,GRANTOR,GRANTOR_TYPE); + "GRANTOR_TYPE"); + +ALTER TABLE PART_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX PARTPRIVILEGEINDEX; +CREATE INDEX PARTPRIVILEGEINDEX ON PART_PRIVS (AUTHORIZER,PART_ID,PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_PRIV,GRANTOR,GRANTOR_TYPE);; + +ALTER TABLE TBL_COL_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX TABLECOLUMNPRIVILEGEINDEX; +CREATE INDEX TABLECOLUMNPRIVILEGEINDEX ON TBL_COL_PRIVS (AUTHORIZER,TBL_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,TBL_COL_PRIV,GRANTOR,GRANTOR_TYPE); + +ALTER TABLE PART_COL_PRIVS ADD AUTHORIZER VARCHAR2(128) NULL; +DROP INDEX PARTITIONCOLUMNPRIVILEGEINDEX; +CREATE INDEX PARTITIONCOLUMNPRIVILEGEINDEX ON PART_COL_PRIVS (AUTHORIZER,PART_ID,"COLUMN_NAME",PRINCIPAL_NAME,PRINCIPAL_TYPE,PART_COL_PRIV,GRANTOR,GRANTOR_TYPE); + -- These lines need to be last. Insert any changes above. 
UPDATE VERSION SET SCHEMA_VERSION='3.0.0', VERSION_COMMENT='Hive release version 3.0.0' where VER_ID=1; SELECT 'Finished upgrading MetaStore schema from 2.3.0 to 3.0.0' AS Status from dual; -ALTER TABLE TBLS ADD OWNER_TYPE VARCHAR2(10) NULL; \ No newline at end of file +ALTER TABLE TBLS ADD OWNER_TYPE VARCHAR2(10) NULL; diff --git a/standalone-metastore/src/main/sql/postgres/hive-schema-3.0.0.postgres.sql b/standalone-metastore/src/main/sql/postgres/hive-schema-3.0.0.postgres.sql index d210a55..f6b641b 100644 --- a/standalone-metastore/src/main/sql/postgres/hive-schema-3.0.0.postgres.sql +++ b/standalone-metastore/src/main/sql/postgres/hive-schema-3.0.0.postgres.sql @@ -94,7 +94,8 @@ CREATE TABLE "DB_PRIVS" ( "GRANTOR_TYPE" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, - "DB_PRIV" character varying(128) DEFAULT NULL::character varying + "DB_PRIV" character varying(128) DEFAULT NULL::character varying, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying ); @@ -110,7 +111,8 @@ CREATE TABLE "GLOBAL_PRIVS" ( "GRANTOR_TYPE" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, - "USER_PRIV" character varying(128) DEFAULT NULL::character varying + "USER_PRIV" character varying(128) DEFAULT NULL::character varying, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying ); 
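Review bot: In the HIVE-19440 block of upgrade-2.3.0-to-3.0.0.oracle.sql, the `CREATE INDEX TABLEPRIVILEGEINDEX` statement is followed by a stray added line `"GRANTOR_TYPE");` that belongs to no statement, and the `CREATE INDEX PARTPRIVILEGEINDEX` line ends in `;;`. The stray fragment will not parse, so the script is likely to error in the middle of the privilege-table changes, after some indexes have been dropped and before the rest are rebuilt (how far it gets depends on the runner's error handling). Delete the `"GRANTOR_TYPE");` line and end the PART_PRIVS statement with a single `;`.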
@@ -234,7 +236,8 @@ CREATE TABLE "PART_COL_PRIVS" ( "PART_ID" bigint, "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, - "PART_COL_PRIV" character varying(128) DEFAULT NULL::character varying + "PART_COL_PRIV" character varying(128) DEFAULT NULL::character varying, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying ); @@ -251,7 +254,8 @@ CREATE TABLE "PART_PRIVS" ( "PART_ID" bigint, "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, - "PART_PRIV" character varying(128) DEFAULT NULL::character varying + "PART_PRIV" character varying(128) DEFAULT NULL::character varying, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying ); @@ -426,7 +430,8 @@ CREATE TABLE "TBL_COL_PRIVS" ( "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, "TBL_COL_PRIV" character varying(128) DEFAULT NULL::character varying, - "TBL_ID" bigint + "TBL_ID" bigint, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying, ); @@ -443,7 +448,8 @@ CREATE TABLE "TBL_PRIVS" ( "PRINCIPAL_NAME" character varying(128) DEFAULT NULL::character varying, "PRINCIPAL_TYPE" character varying(128) DEFAULT NULL::character varying, "TBL_PRIV" character varying(128) DEFAULT NULL::character varying, - "TBL_ID" bigint + "TBL_ID" bigint, + "AUTHORIZER" character varying(128) DEFAULT NULL::character varying ); @@ -735,7 +741,7 @@ ALTER TABLE ONLY "DATABASE_PARAMS" -- ALTER TABLE ONLY "DB_PRIVS" - ADD CONSTRAINT "DBPRIVILEGEINDEX" UNIQUE ("DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); + ADD CONSTRAINT "DBPRIVILEGEINDEX" UNIQUE ("AUTHORIZER", "DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- 
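Review bot: The added `"AUTHORIZER"` column in the `CREATE TABLE "TBL_COL_PRIVS"` hunk ends with a comma directly before the closing `);`, which PostgreSQL rejects as a syntax error, so a fresh 3.0.0 schema install would fail at this table. The other five privilege tables in this file add the column without the trailing comma. The line should read `"AUTHORIZER" character varying(128) DEFAULT NULL::character varying`.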
@@ -759,7 +765,7 @@ ALTER TABLE ONLY "DB_PRIVS" -- ALTER TABLE ONLY "GLOBAL_PRIVS" - ADD CONSTRAINT "GLOBALPRIVILEGEINDEX" UNIQUE ("PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); + ADD CONSTRAINT "GLOBALPRIVILEGEINDEX" UNIQUE ("AUTHORIZER", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- @@ -1127,7 +1133,7 @@ CREATE INDEX "INDEX_PARAMS_N49" ON "INDEX_PARAMS" USING btree ("INDEX_ID"); -- Name: PARTITIONCOLUMNPRIVILEGEINDEX; Type: INDEX; Schema: public; Owner: hiveuser; Tablespace: -- -CREATE INDEX "PARTITIONCOLUMNPRIVILEGEINDEX" ON "PART_COL_PRIVS" USING btree ("PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "PARTITIONCOLUMNPRIVILEGEINDEX" ON "PART_COL_PRIVS" USING btree ("AUTHORIZER", "PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- @@ -1176,7 +1182,7 @@ CREATE INDEX "PARTITION_PARAMS_N49" ON "PARTITION_PARAMS" USING btree ("PART_ID" -- Name: PARTPRIVILEGEINDEX; Type: INDEX; Schema: public; Owner: hiveuser; Tablespace: -- -CREATE INDEX "PARTPRIVILEGEINDEX" ON "PART_PRIVS" USING btree ("PART_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "PARTPRIVILEGEINDEX" ON "PART_PRIVS" USING btree ("AUTHORIZER", "PART_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- 
@@ -1239,14 +1245,14 @@ CREATE INDEX "SORT_COLS_N49" ON "SORT_COLS" USING btree ("SD_ID"); -- Name: TABLECOLUMNPRIVILEGEINDEX; Type: INDEX; Schema: public; Owner: hiveuser; Tablespace: -- -CREATE INDEX "TABLECOLUMNPRIVILEGEINDEX" ON "TBL_COL_PRIVS" USING btree ("TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "TABLECOLUMNPRIVILEGEINDEX" ON "TBL_COL_PRIVS" USING btree ("AUTHORIZER", "TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- -- Name: TABLEPRIVILEGEINDEX; Type: INDEX; Schema: public; Owner: hiveuser; Tablespace: -- -CREATE INDEX "TABLEPRIVILEGEINDEX" ON "TBL_PRIVS" USING btree ("TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); +CREATE INDEX "TABLEPRIVILEGEINDEX" ON "TBL_PRIVS" USING btree ("AUTHORIZER", "TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); -- diff --git a/standalone-metastore/src/main/sql/postgres/upgrade-2.3.0-to-3.0.0.postgres.sql b/standalone-metastore/src/main/sql/postgres/upgrade-2.3.0-to-3.0.0.postgres.sql index f2571d8..ccf2b71 100644 --- a/standalone-metastore/src/main/sql/postgres/upgrade-2.3.0-to-3.0.0.postgres.sql +++ b/standalone-metastore/src/main/sql/postgres/upgrade-2.3.0-to-3.0.0.postgres.sql 
@@ -354,6 +354,34 @@ INSERT INTO TXN_TO_WRITE_ID (T2W_DATABASE, T2W_TABLE, T2W_TXNID, T2W_WRITEID) UPDATE TXN_COMPONENTS SET TC_WRITEID = TC_TXNID; UPDATE COMPLETED_TXN_COMPONENTS SET CTC_WRITEID = CTC_TXNID; +-- HIVE-19440 +ALTER TABLE "GLOBAL_PRIVS" ADD COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "GLOBAL_PRIVS" DROP CONSTRAINT "GLOBALPRIVILEGEINDEX"; +ALTER TABLE ONLY "GLOBAL_PRIVS" + ADD CONSTRAINT "GLOBALPRIVILEGEINDEX" UNIQUE ("AUTHORIZER", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "USER_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "DB_PRIVS" ADD COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "DB_PRIVS" DROP CONSTRAINT "DBPRIVILEGEINDEX"; +ALTER TABLE ONLY "DB_PRIVS" + ADD CONSTRAINT "DBPRIVILEGEINDEX" UNIQUE ("AUTHORIZER", "DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "TBL_PRIVS" ADD COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "TBL_PRIVS" DROP CONSTRAINT "DBPRIVILEGEINDEX"; +ALTER TABLE ONLY "DB_PRIVS" + ADD CONSTRAINT "DBPRIVILEGEINDEX" UNIQUE ("AUTHORIZER", "DB_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "DB_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "PART_PRIVS" ADD COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "PART_PRIVS" DROP CONSTRAINT "TABLEPRIVILEGEINDEX"; +CREATE INDEX "TABLEPRIVILEGEINDEX" ON "TBL_PRIVS" USING btree ("AUTHORIZER", "TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "TBL_COL_PRIVS" ADD COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "TBL_COL_PRIVS" DROP CONSTRAINT "TABLECOLUMNPRIVILEGEINDEX"; +CREATE INDEX "TABLECOLUMNPRIVILEGEINDEX" ON "TBL_COL_PRIVS" USING btree ("AUTHORIZER", "TBL_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + +ALTER TABLE "PART_COL_PRIVS" ADD 
COLUMN "AUTHORIZER" character varying(128) DEFAULT NULL::character varying; +ALTER TABLE "PART_COL_PRIVS" DROP CONSTRAINT "PARTITIONCOLUMNPRIVILEGEINDEX"; +CREATE INDEX "PARTITIONCOLUMNPRIVILEGEINDEX" ON "PART_COL_PRIVS" USING btree ("AUTHORIZER", "PART_ID", "COLUMN_NAME", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_COL_PRIV", "GRANTOR", "GRANTOR_TYPE"); + -- These lines need to be last. Insert any changes above. UPDATE "VERSION" SET "SCHEMA_VERSION"='3.0.0', "VERSION_COMMENT"='Hive release version 3.0.0' where "VER_ID"=1; SELECT 'Finished upgrading MetaStore schema from 2.3.0 to 3.0.0'; diff --git a/standalone-metastore/src/main/thrift/hive_metastore.thrift b/standalone-metastore/src/main/thrift/hive_metastore.thrift index 19d4433..3d85acf 100644 --- a/standalone-metastore/src/main/thrift/hive_metastore.thrift +++ b/standalone-metastore/src/main/thrift/hive_metastore.thrift @@ -255,6 +255,7 @@ struct HiveObjectPrivilege { 2: string principalName, 3: PrincipalType principalType, 4: PrivilegeGrantInfo grantInfo, + 5: string authorizer, } struct PrivilegeBag { @@ -2022,7 +2023,7 @@ service ThriftHiveMetastore extends fb303.FacebookService bool revoke_privileges(1:PrivilegeBag privileges) throws(1:MetaException o1) GrantRevokePrivilegeResponse grant_revoke_privileges(1:GrantRevokePrivilegeRequest request) throws(1:MetaException o1); // Revokes all privileges for the object and adds the newly granted privileges for it. - GrantRevokePrivilegeResponse refresh_privileges(1:HiveObjectRef objToRefresh, 2:GrantRevokePrivilegeRequest grantRequest) throws(1:MetaException o1); + GrantRevokePrivilegeResponse refresh_privileges(1:HiveObjectRef objToRefresh, 2:string authorizer, 3:GrantRevokePrivilegeRequest grantRequest) throws(1:MetaException o1); // this is used by metastore client to send UGI information to metastore server immediately // after setting up a connection. 
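Review bot: The TBL_PRIVS and PART_PRIVS stanzas of the HIVE-19440 block in upgrade-2.3.0-to-3.0.0.postgres.sql look copy-pasted from their neighbours: the TBL_PRIVS stanza drops `"DBPRIVILEGEINDEX"` from `"TBL_PRIVS"` and re-adds that constraint on `"DB_PRIVS"`, where the preceding stanza has just created it, and the PART_PRIVS stanza drops `"TABLEPRIVILEGEINDEX"` and recreates it on `"TBL_PRIVS"`, so `"PARTPRIVILEGEINDEX"` is never rebuilt with `"AUTHORIZER"`. The four table- and partition-level names are defined with `CREATE INDEX` in hive-schema-3.0.0.postgres.sql in this same commit, so `ALTER TABLE … DROP CONSTRAINT` would presumably not find them and `DROP INDEX` is the matching statement. As written the upgrade is likely to stop partway through the privilege tables. The rewritten statements below follow the index definitions from the schema file.

```sql
-- … unchanged: GLOBAL_PRIVS and DB_PRIVS stanzas, and every ADD COLUMN "AUTHORIZER" line …

-- TBL_PRIVS stanza
DROP INDEX "TABLEPRIVILEGEINDEX";
CREATE INDEX "TABLEPRIVILEGEINDEX" ON "TBL_PRIVS" USING btree ("AUTHORIZER", "TBL_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "TBL_PRIV", "GRANTOR", "GRANTOR_TYPE");

-- PART_PRIVS stanza
DROP INDEX "PARTPRIVILEGEINDEX";
CREATE INDEX "PARTPRIVILEGEINDEX" ON "PART_PRIVS" USING btree ("AUTHORIZER", "PART_ID", "PRINCIPAL_NAME", "PRINCIPAL_TYPE", "PART_PRIV", "GRANTOR", "GRANTOR_TYPE");

-- TBL_COL_PRIVS stanza
DROP INDEX "TABLECOLUMNPRIVILEGEINDEX";
-- … unchanged: CREATE INDEX "TABLECOLUMNPRIVILEGEINDEX" …

-- PART_COL_PRIVS stanza
DROP INDEX "PARTITIONCOLUMNPRIVILEGEINDEX";
-- … unchanged: CREATE INDEX "PARTITIONCOLUMNPRIVILEGEINDEX" …
```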
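Review bot: In `refresh_privileges`, inserting `2:string authorizer` moves `grantRequest` from field id 2 to 3, which changes the wire meaning of an id that was already in use. If the earlier signature ever shipped, a client and server built from different sides of this commit would disagree on field 2 (struct versus string); Thrift readers normally skip a field whose type does not match, so the server would probably see both arguments unset rather than fail loudly, on a call whose own comment says it revokes all privileges for the object first. Appending the new argument keeps the existing ids stable, `refresh_privileges(1:HiveObjectRef objToRefresh, 2:GrantRevokePrivilegeRequest grantRequest, 3:string authorizer)`, or else add a comment next to the method that mixed-version client/server pairs are unsupported for this call.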
diff --git a/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/DummyRawStoreControlledCommit.java b/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/DummyRawStoreControlledCommit.java index f6899be..0461c4e 100644 --- a/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/DummyRawStoreControlledCommit.java +++ b/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/DummyRawStoreControlledCommit.java @@ -510,9 +510,9 @@ public boolean revokePrivileges(PrivilegeBag privileges, boolean grantOption) } @Override - public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantPrivileges) + public boolean refreshPrivileges(HiveObjectRef objToRefresh, String authorizer, PrivilegeBag grantPrivileges) throws InvalidObjectException, MetaException, NoSuchObjectException { - return objectStore.refreshPrivileges(objToRefresh, grantPrivileges); + return objectStore.refreshPrivileges(objToRefresh, authorizer, grantPrivileges); } @Override public Role getRole(String roleName) throws NoSuchObjectException { diff --git a/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/DummyRawStoreForJdoConnection.java b/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/DummyRawStoreForJdoConnection.java index 98a85cc..b71eda4 100644 --- a/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/DummyRawStoreForJdoConnection.java +++ b/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/DummyRawStoreForJdoConnection.java @@ -522,7 +522,7 @@ public boolean revokePrivileges(PrivilegeBag privileges, boolean grantOption) } @Override - public boolean refreshPrivileges(HiveObjectRef objToRefresh, PrivilegeBag grantPrivileges) + public boolean refreshPrivileges(HiveObjectRef objToRefresh, String authorizer, PrivilegeBag grantPrivileges) throws InvalidObjectException, MetaException, NoSuchObjectException { return false; } 
diff --git a/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClientPreCatalog.java b/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClientPreCatalog.java index 7186add..bdb4b8b 100644 --- a/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClientPreCatalog.java +++ b/standalone-metastore/src/test/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClientPreCatalog.java @@ -2032,7 +2032,7 @@ public boolean revoke_privileges(PrivilegeBag privileges, boolean grantOption) t } @Override - public boolean refresh_privileges(HiveObjectRef objToRefresh, + public boolean refresh_privileges(HiveObjectRef objToRefresh, String authorizer, PrivilegeBag grantPrivileges) throws MetaException, TException { String defaultCat = getDefaultCatalog(conf); @@ -2049,7 +2049,7 @@ public boolean refresh_privileges(HiveObjectRef objToRefresh, grantReq.setRequestType(GrantRevokeType.GRANT); grantReq.setPrivileges(grantPrivileges); - GrantRevokePrivilegeResponse res = client.refresh_privileges(objToRefresh, grantReq); + GrantRevokePrivilegeResponse res = client.refresh_privileges(objToRefresh, authorizer, grantReq); if (!res.isSetSuccess()) { throw new MetaException("GrantRevokePrivilegeResponse missing success field"); }