commit 0e151e3bf671bedf2dd9dc819c3d4ff27896897c
Author: Alan Gates
Date: Tue May 15 10:46:51 2018 -0700
HIVE-19558 HiveAuthorizationProviderBase gets catalog name from config rather than db object
diff --git ql/src/java/org/apache/hadoop/hive/ql/metadata/Hive.java ql/src/java/org/apache/hadoop/hive/ql/metadata/Hive.java
index 107d032eb7..bdd60e3e6a 100644
--- ql/src/java/org/apache/hadoop/hive/ql/metadata/Hive.java
+++ ql/src/java/org/apache/hadoop/hive/ql/metadata/Hive.java
@@ -1608,6 +1608,23 @@ public Database getDatabase(String dbName) throws HiveException {
 }
 
 /**
+ * Get the database by name.
+ * @param catName catalog name
+ * @param dbName the name of the database.
+ * @return a Database object if this database exists, null otherwise.
+ * @throws HiveException
+ */
+ public Database getDatabase(String catName, String dbName) throws HiveException {
+ try {
+ return getMSC().getDatabase(catName, dbName);
+ } catch (NoSuchObjectException e) {
+ return null;
+ } catch (Exception e) {
+ throw new HiveException(e);
+ }
+ }
+
+ /**
 * Get the Database object for current database
 * @return a Database object if this database exists, null otherwise.
 * @throws HiveException
diff --git ql/src/java/org/apache/hadoop/hive/ql/metadata/Table.java ql/src/java/org/apache/hadoop/hive/ql/metadata/Table.java
index ba16f842d2..f0061c01f6 100644
--- ql/src/java/org/apache/hadoop/hive/ql/metadata/Table.java
+++ ql/src/java/org/apache/hadoop/hive/ql/metadata/Table.java
@@ -685,6 +685,10 @@ public void setPartCols(List partCols) {
 tTable.setPartitionKeys(partCols);
 }
 
+ public String getCatName() {
+ return tTable.getCatName();
+ }
+
 public String getDbName() {
 return tTable.getDbName();
 }
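Review bot: The new `getDatabase(String catName, String dbName)` overload in Hive.java passes `catName` straight to `getMSC().getDatabase(catName, dbName)`, and its Javadoc does not say whether null is accepted, while the proxy in HiveAuthorizationProviderBase in this same commit resolves a null catalog from the conf before calling it. Authorization lookups now depend on this argument, so the contract should be explicit: either document it, e.g. `@param catName catalog name, must not be null; callers resolve the default catalog first`, or apply the same defaulting here. The `catch (Exception e)` also wraps every metastore failure in a bare `HiveException(e)`; `throw new HiveException("Unable to get database " + catName + "." + dbName, e);` would make a failed lookup traceable in logs.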
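Review bot: `getCatName()` in Table.java is added without Javadoc, and the proxy Javadoc elsewhere in this commit ("the caller does not have to check isCatNameSet()") suggests the underlying Thrift field can be unset, so this getter can presumably return null. Callers that feed it into catalog-scoped lookups need to know that. I would add `/** @return the catalog name of this table, or null if none is set on the underlying Thrift object (confirm) */`.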
diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/BitSetCheckedAuthorizationProvider.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/BitSetCheckedAuthorizationProvider.java index 4e6e2b64f3..7c8affb3b5 100644 --- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/BitSetCheckedAuthorizationProvider.java +++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/BitSetCheckedAuthorizationProvider.java @@ -258,7 +258,7 @@ private boolean authorizeUserDBAndTable(Table table, Privilege[] inputRequiredPriv, Privilege[] outputRequiredPriv, boolean[] inputCheck, boolean[] outputCheck) throws HiveException { - if (authorizeUserAndDBPriv(hive_db.getDatabase(table.getDbName()), + if (authorizeUserAndDBPriv(hive_db.getDatabase(table.getCatName(), table.getDbName()), inputRequiredPriv, outputRequiredPriv, inputCheck, outputCheck)) { return true; } @@ -292,8 +292,8 @@ private boolean authorizeUserDbAndPartition(Partition part, boolean[] inputCheck, boolean[] outputCheck) throws HiveException { if (authorizeUserAndDBPriv( - hive_db.getDatabase(part.getTable().getDbName()), inputRequiredPriv, - outputRequiredPriv, inputCheck, outputCheck)) { + hive_db.getDatabase(part.getTable().getCatName(), part.getTable().getDbName()), + inputRequiredPriv, outputRequiredPriv, inputCheck, outputCheck)) { return true; } @@ -330,7 +330,6 @@ protected boolean authorizePrivileges(PrincipalPrivilegeSet privileges, /** * try to match an array of privileges from user/groups/roles grants. * - * @param container */ private boolean matchPrivs(Privilege[] inputPriv, PrincipalPrivilegeSet privileges, boolean[] check) { 
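Review bot: The result of `hive_db.getDatabase(table.getCatName(), table.getDbName())` is handed to `authorizeUserAndDBPriv` without a null check in `authorizeUserDBAndTable`, and the same pattern is in `authorizeUserDbAndPartition` and in the `authorize(Table, ...)` change in StorageBasedAuthorizationProvider. If `hive_db` is the proxy from HiveAuthorizationProviderBase, its client path can return null for a database that does not exist in the given catalog, because Hive.getDatabase maps NoSuchObjectException to null, and a catalog-scoped lookup can now miss where the old default-catalog lookup did not. An authorization check should fail closed with a clear error rather than depend on how the callee treats null: resolve first with `Database db = hive_db.getDatabase(table.getCatName(), table.getDbName());` and then `if (db == null) { throw new HiveException("Database not found: " + table.getDbName()); }`. Both method bodies continue outside their hunks, so the downstream handling of null is not visible here.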
diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java
index d3e13a5c6a..bd0d2063b2 100644
--- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java
+++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/HiveAuthorizationProviderBase.java
@@ -88,12 +88,21 @@ public PrincipalPrivilegeSet get_privilege_set(HiveObjectType column, String dbN
 }
 }
 
- public Database getDatabase(String dbName) throws HiveException {
+ /**
+ * Get the database object
+ * @param catName catalog name. If null, the default will be pulled from the conf. This
+ * means the caller does not have to check isCatNameSet()
+ * @param dbName database name.
+ * @return
+ * @throws HiveException
+ */
+ public Database getDatabase(String catName, String dbName) throws HiveException {
+ catName = catName == null ? MetaStoreUtils.getDefaultCatalog(conf) : catName;
 if (!isRunFromMetaStore()) {
- return Hive.getWithFastCheck(conf).getDatabase(dbName);
+ return Hive.getWithFastCheck(conf).getDatabase(catName, dbName);
 } else {
 try {
- return handler.get_database_core(MetaStoreUtils.getDefaultCatalog(conf), dbName);
+ return handler.get_database_core(catName, dbName);
 } catch (NoSuchObjectException e) {
 throw new HiveException(e);
 } catch (MetaException e) {
diff --git ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java
index f074d39fc1..de5504498d 100644
--- ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java
+++ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java
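Review bot: The new Javadoc on `getDatabase(String catName, String dbName)` in HiveAuthorizationProviderBase leaves `@return` empty, and the two branches do not share a contract for a missing database. The client branch returns whatever `Hive.getDatabase(catName, dbName)` returns, which is null on NoSuchObjectException, while the metastore branch wraps NoSuchObjectException in a HiveException, so authorization callers see a different failure depending on where the provider runs. At minimum document it, e.g. `@return the database; null on the client path if it does not exist` and `@throws HiveException on the metastore path if the database does not exist or the lookup fails`. Reassigning the parameter works, but a local such as `final String resolvedCat = catName == null ? MetaStoreUtils.getDefaultCatalog(conf) : catName;` reads more clearly. The method body continues past the end of the hunk.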
@@ -173,7 +173,7 @@ public void authorize(Table table, Privilege[] readRequiredPriv, Privilege[] wri // the database directory if (privExtractor.hasDropPrivilege || requireCreatePrivilege(readRequiredPriv) || requireCreatePrivilege(writeRequiredPriv)) { - authorize(hive_db.getDatabase(table.getDbName()), new Privilege[] {}, + authorize(hive_db.getDatabase(table.getCatName(), table.getDbName()), new Privilege[] {}, new Privilege[] { Privilege.ALTER_DATA }); }