commit 7c4fdc1a71c83652b379b14ee8d85e9504c9bf62 Author: Daniel Dai Date: Fri Aug 17 22:13:35 2018 -0700 HIVE-20420: Provide a fallback authorizer when no other authorizer is in use diff --git a/ql/pom.xml b/ql/pom.xml index a55cbe3..49e1089 100644 --- a/ql/pom.xml +++ b/ql/pom.xml @@ -899,6 +899,19 @@ core + + fallbackauthorizer-jar + package + + jar + + + fallbackauthorizer + + org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/*.class + + + diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java index 12be41c..861fcde 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java @@ -63,7 +63,7 @@ public static void setHiveConfWhiteList(HiveConf hiveConf) throws HiveAuthzPlugi // if admin has already customized this list, honor that String curBlackList = hiveConf.getVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST); if (curBlackList == null || curBlackList.trim().isEmpty()) { - hiveConf.setVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST, "reflect,reflect2,java_method"); + hiveConf.setVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST, "reflect,reflect2,java_method,in_file"); } } diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java new file mode 100644 index 0000000..c788a5e --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java @@ -0,0 +1,264 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hive.ql.security.authorization.plugin.fallback; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.hadoop.fs.Path; +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.ql.parse.SemanticException; +import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.AbstractHiveAuthorizer; +import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant; +import org.apache.hadoop.hive.ql.security.authorization.plugin.SettableConfigUpdater; +import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.Operation2Privilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.RequiredPrivileges; +import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLAuthorizationUtils; +import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLPrivTypeGrant; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; +import java.util.List; + +public class FallbackHiveAuthorizer extends AbstractHiveAuthorizer { + private static final Log LOG = LogFactory.getLog(FallbackHiveAuthorizer.class); + + private final HiveAuthzSessionContext sessionCtx; + private final HiveAuthenticationProvider authenticator; + private final HiveConf conf; + private String[] admins = null; + + public FallbackHiveAuthorizer(HiveConf hiveConf, HiveAuthenticationProvider hiveAuthenticator, + HiveAuthzSessionContext ctx) { + this.authenticator = hiveAuthenticator; + this.sessionCtx = applyTestSettings(ctx, hiveConf); + this.conf = hiveConf; + String adminString = conf.getVar(HiveConf.ConfVars.USERS_IN_ADMIN_ROLE); + if (adminString != null) { + admins = conf.getVar(HiveConf.ConfVars.USERS_IN_ADMIN_ROLE).split(","); + } + } + + /** + * Change the session context based on configuration to aid in testing of sql + * std auth + * + * @param ctx + * @param conf + * @return + */ + static HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext ctx, HiveConf conf) { + if (conf.getBoolVar(HiveConf.ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE) + && ctx.getClientType() == HiveAuthzSessionContext.CLIENT_TYPE.HIVECLI) { + // create new session ctx object with HS2 as client type + HiveAuthzSessionContext.Builder ctxBuilder = new HiveAuthzSessionContext.Builder(ctx); + ctxBuilder.setClientType(HiveAuthzSessionContext.CLIENT_TYPE.HIVESERVER2); + return ctxBuilder.build(); + } + return ctx; + } + + @Override + public VERSION getVersion() { + return VERSION.V1; + } + + @Override + public void grantPrivileges(List hivePrincipals, List hivePrivileges, + HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean + grantOption) throws HiveAuthzPluginException, HiveAccessControlException { + throw new HiveAuthzPluginException("grantPrivileges not implemented in FallbackHiveAuthorizer"); + } + + @Override + public void revokePrivileges(List hivePrincipals, List hivePrivileges, + HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean + grantOption) throws HiveAuthzPluginException, HiveAccessControlException { + throw new HiveAuthzPluginException("revokePrivileges not implemented in FallbackHiveAuthorizer"); + } + + @Override + public void createRole(String roleName, HivePrincipal adminGrantor) throws HiveAuthzPluginException, + HiveAccessControlException { + throw new HiveAuthzPluginException("createRole not implemented in FallbackHiveAuthorizer"); + } + + @Override + public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { + throw new HiveAuthzPluginException("dropRole not implemented in FallbackHiveAuthorizer"); + } + + @Override + public List getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, + HiveAccessControlException { + throw new HiveAuthzPluginException("getPrincipalGrantInfoForRole not implemented in FallbackHiveAuthorizer"); + } + + @Override + public List getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, + HiveAccessControlException { + throw new HiveAuthzPluginException("getRoleGrantInfoForPrincipal not implemented in FallbackHiveAuthorizer"); + } + + @Override + public void grantRole(List hivePrincipals, List roles, boolean grantOption, HivePrincipal + grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException { + throw new HiveAuthzPluginException("grantRole not implemented in FallbackHiveAuthorizer"); + } + + @Override + public void revokeRole(List hivePrincipals, List roles, boolean grantOption, HivePrincipal + grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException { + throw new HiveAuthzPluginException("revokeRole not implemented in FallbackHiveAuthorizer"); + } + + @Override + public void checkPrivileges(HiveOperationType hiveOpType, List inputHObjs, + List outputHObjs, HiveAuthzContext context) throws + HiveAuthzPluginException, HiveAccessControlException { + String userName = authenticator.getUserName(); + // check privileges on input and output objects + List deniedMessages = new ArrayList(); + checkPrivileges(hiveOpType, inputHObjs, userName, Operation2Privilege.IOType.INPUT, deniedMessages); + checkPrivileges(hiveOpType, outputHObjs, userName, Operation2Privilege.IOType.OUTPUT, deniedMessages); + + SQLAuthorizationUtils.assertNoDeniedPermissions(new HivePrincipal(userName, + HivePrincipal.HivePrincipalType.USER), hiveOpType, deniedMessages); + } + + // Adapted from SQLStdHiveAuthorizationValidator, only check privileges for LOAD/ADD/DFS/COMPILE and admin privileges + private void checkPrivileges(HiveOperationType hiveOpType, List hiveObjects, + String userName, Operation2Privilege.IOType ioType, List deniedMessages) + throws HiveAuthzPluginException, HiveAccessControlException { + if (hiveObjects == null) { + return; + } + + boolean isAdmin = false; + if (admins != null && admins.length > 0) { + isAdmin = Arrays.asList(admins).contains(userName); + } + + if (isAdmin) { + return; // Skip rest of checks if user is admin + } + + // Special-casing for ADMIN-level operations that do not require object checking. + if (Operation2Privilege.isAdminPrivOperation(hiveOpType)) { + // Require ADMIN privilege + deniedMessages.add(SQLPrivTypeGrant.ADMIN_PRIV.toString() + " on " + ioType); + return; // Ignore object, fail if not admin, succeed if admin. + } + + boolean needAdmin = false; + for (HivePrivilegeObject hiveObj : hiveObjects) { + // If involving local file system + if (hiveObj.getType() == HivePrivilegeObject.HivePrivilegeObjectType.LOCAL_URI) { + needAdmin = true; + } + break; + } + switch (hiveOpType) { + case ADD: + case DFS: + case COMPILE: + needAdmin = true; + break; + default: + break; + } + if (needAdmin) { + deniedMessages.add("ADMIN"); + } + } + + @Override + public List filterListCmdObjects(List listObjs, HiveAuthzContext context) + throws HiveAuthzPluginException, HiveAccessControlException { + return listObjs; + } + + @Override + public List getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException { + throw new HiveAuthzPluginException("getAllRoles not implemented in FallbackHiveAuthorizer"); + } + + @Override + public List showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) throws + HiveAuthzPluginException, HiveAccessControlException { + throw new HiveAuthzPluginException("showPrivileges not implemented in FallbackHiveAuthorizer"); + } + + @Override + public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException { + throw new HiveAuthzPluginException("setCurrentRole not implemented in FallbackHiveAuthorizer"); + } + + @Override + public List getCurrentRoleNames() throws HiveAuthzPluginException { + throw new HiveAuthzPluginException("getCurrentRoleNames not implemented in FallbackHiveAuthorizer"); + } + + @Override + public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException { + // from SQLStdHiveAccessController.applyAuthorizationConfigPolicy() + if (sessionCtx.getClientType() == HiveAuthzSessionContext.CLIENT_TYPE.HIVESERVER2 + && hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) { + + // Configure PREEXECHOOKS with DisallowTransformHook to disallow transform queries + String hooks = hiveConf.getVar(HiveConf.ConfVars.PREEXECHOOKS).trim(); + if (hooks.isEmpty()) { + hooks = DisallowTransformHook.class.getName(); + } else { + hooks = hooks + "," + DisallowTransformHook.class.getName(); + } + LOG.debug("Configuring hooks : " + hooks); + hiveConf.setVar(HiveConf.ConfVars.PREEXECHOOKS, hooks); + + SettableConfigUpdater.setHiveConfWhiteList(hiveConf); + String curBlackList = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST); + if (curBlackList != null && curBlackList.trim().equals("reflect,reflect2,java_method")) { + hiveConf.setVar(HiveConf.ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST, "reflect,reflect2,java_method,in_file"); + } + + } + } + + @Override + public List applyRowFilterAndColumnMasking(HiveAuthzContext context, List + privObjs) throws SemanticException { + return privObjs; + } + + @Override + public boolean needTransform() { + return false; + } +} diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizerFactory.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizerFactory.java new file mode 100644 index 0000000..aacd541 --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizerFactory.java @@ -0,0 +1,36 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hive.ql.security.authorization.plugin.fallback; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; + +public class FallbackHiveAuthorizerFactory implements HiveAuthorizerFactory { + @Override + public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, + HiveConf conf, HiveAuthenticationProvider authenticator, + HiveAuthzSessionContext ctx) throws HiveAuthzPluginException { + return new FallbackHiveAuthorizer(conf, authenticator, ctx); + } +} diff --git a/ql/src/test/queries/clientnegative/fallbackauth_addjar.q b/ql/src/test/queries/clientnegative/fallbackauth_addjar.q new file mode 100644 index 0000000..c91d28f --- /dev/null +++ b/ql/src/test/queries/clientnegative/fallbackauth_addjar.q @@ -0,0 +1,4 @@ +set hive.security.authorization.enabled=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory; + +add jar dummy.jar diff --git a/ql/src/test/queries/clientnegative/fallbackauth_compile.q b/ql/src/test/queries/clientnegative/fallbackauth_compile.q new file mode 100644 index 0000000..bf62264 --- /dev/null +++ b/ql/src/test/queries/clientnegative/fallbackauth_compile.q @@ -0,0 +1,9 @@ +set hive.security.authorization.enabled=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory; + +compile `import org.apache.hadoop.hive.ql.exec.UDF \; +public class Pyth extends UDF { + public double evaluate(double a, double b){ + return Math.sqrt((a*a) + (b*b)) \; + } +} ` AS GROOVY NAMED Pyth.groovy; diff --git a/ql/src/test/queries/clientnegative/fallbackauth_create_func1.q b/ql/src/test/queries/clientnegative/fallbackauth_create_func1.q new file mode 100644 index 0000000..7d4fd42 --- /dev/null +++ b/ql/src/test/queries/clientnegative/fallbackauth_create_func1.q @@ -0,0 +1,5 @@ +set hive.security.authorization.enabled=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory; + +-- permanent function creation should fail for non-admin roles +create function perm_fn as 'org.apache.hadoop.hive.ql.udf.UDFAscii'; diff --git a/ql/src/test/queries/clientnegative/fallbackauth_create_func2.q b/ql/src/test/queries/clientnegative/fallbackauth_create_func2.q new file mode 100644 index 0000000..fc371d9 --- /dev/null +++ b/ql/src/test/queries/clientnegative/fallbackauth_create_func2.q @@ -0,0 +1,6 @@ +set hive.security.authorization.enabled=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory; + +-- temp function creation should fail for non-admin roles +create temporary function temp_fn as 'org.apache.hadoop.hive.ql.udf.UDFAscii'; + diff --git a/ql/src/test/queries/clientnegative/fallbackauth_dfs.q b/ql/src/test/queries/clientnegative/fallbackauth_dfs.q new file mode 100644 index 0000000..da0ac80 --- /dev/null +++ b/ql/src/test/queries/clientnegative/fallbackauth_dfs.q @@ -0,0 +1,4 @@ +set hive.security.authorization.enabled=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory; + +dfs -ls; diff --git a/ql/src/test/queries/clientnegative/fallbackauth_disallow_transform.q b/ql/src/test/queries/clientnegative/fallbackauth_disallow_transform.q new file mode 100644 index 0000000..eb9f680 --- /dev/null +++ b/ql/src/test/queries/clientnegative/fallbackauth_disallow_transform.q @@ -0,0 +1,6 @@ +set hive.test.authz.sstd.hs2.mode=true; +set hive.security.authorization.enabled=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory; + +create table t1(i int); +SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM t1; diff --git a/ql/src/test/queries/clientnegative/fallbackauth_load.q b/ql/src/test/queries/clientnegative/fallbackauth_load.q new file mode 100644 index 0000000..10db24c --- /dev/null +++ b/ql/src/test/queries/clientnegative/fallbackauth_load.q @@ -0,0 +1,15 @@ +set hive.security.authorization.enabled=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory; + +!cp ../../data/files/kv1.txt .; + +create table fallbackauthload(c1 string, c2 string); + +!chmod 777 kv1.txt; +load data local inpath 'kv1.txt' into table fallbackauthload; + +!chmod 755 kv1.txt; +load data local inpath 'kv1.txt' into table fallbackauthload; + +!rm kv1.txt; +drop table fallbackauthload; diff --git a/ql/src/test/queries/clientnegative/fallbackauth_set_invalidconf.q b/ql/src/test/queries/clientnegative/fallbackauth_set_invalidconf.q new file mode 100644 index 0000000..4ebf276 --- /dev/null +++ b/ql/src/test/queries/clientnegative/fallbackauth_set_invalidconf.q @@ -0,0 +1,8 @@ +set hive.test.authz.sstd.hs2.mode=true; +set hive.security.authorization.enabled=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory; + +-- run a sql query to initialize authorization, then try setting a allowed config and then a disallowed config param +use default; +set hive.optimize.listbucketing=true; +set hive.security.authorization.enabled=true; diff --git a/ql/src/test/results/clientnegative/fallbackauth_addjar.q.out b/ql/src/test/results/clientnegative/fallbackauth_addjar.q.out new file mode 100644 index 0000000..2aae669 --- /dev/null +++ b/ql/src/test/results/clientnegative/fallbackauth_addjar.q.out @@ -0,0 +1 @@ +Query returned non-zero code: 1, cause: Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation ADD [ADMIN] diff --git a/ql/src/test/results/clientnegative/fallbackauth_compile.q.out b/ql/src/test/results/clientnegative/fallbackauth_compile.q.out new file mode 100644 index 0000000..5699efe --- /dev/null +++ b/ql/src/test/results/clientnegative/fallbackauth_compile.q.out @@ -0,0 +1 @@ +Query returned non-zero code: 1, cause: Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation COMPILE [ADMIN] diff --git a/ql/src/test/results/clientnegative/fallbackauth_create_func1.q.out b/ql/src/test/results/clientnegative/fallbackauth_create_func1.q.out new file mode 100644 index 0000000..b2532eb --- /dev/null +++ b/ql/src/test/results/clientnegative/fallbackauth_create_func1.q.out @@ -0,0 +1 @@ +FAILED: HiveAccessControlException Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation CREATEFUNCTION [ADMIN PRIVILEGE on INPUT, ADMIN PRIVILEGE on OUTPUT] diff --git a/ql/src/test/results/clientnegative/fallbackauth_create_func2.q.out b/ql/src/test/results/clientnegative/fallbackauth_create_func2.q.out new file mode 100644 index 0000000..b2532eb --- /dev/null +++ b/ql/src/test/results/clientnegative/fallbackauth_create_func2.q.out @@ -0,0 +1 @@ +FAILED: HiveAccessControlException Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation CREATEFUNCTION [ADMIN PRIVILEGE on INPUT, ADMIN PRIVILEGE on OUTPUT] diff --git a/ql/src/test/results/clientnegative/fallbackauth_dfs.q.out b/ql/src/test/results/clientnegative/fallbackauth_dfs.q.out new file mode 100644 index 0000000..9f4a71b --- /dev/null +++ b/ql/src/test/results/clientnegative/fallbackauth_dfs.q.out @@ -0,0 +1 @@ +Query returned non-zero code: 1, cause: Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation DFS [ADMIN] diff --git a/ql/src/test/results/clientnegative/fallbackauth_disallow_transform.q.out b/ql/src/test/results/clientnegative/fallbackauth_disallow_transform.q.out new file mode 100644 index 0000000..1ac04db --- /dev/null +++ b/ql/src/test/results/clientnegative/fallbackauth_disallow_transform.q.out @@ -0,0 +1,16 @@ +PREHOOK: query: create table t1(i int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +PREHOOK: Output: default@t1 +POSTHOOK: query: create table t1(i int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@t1 +PREHOOK: query: SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM t1 +PREHOOK: type: QUERY +PREHOOK: Input: default@t1 +#### A masked pattern was here #### +FAILED: Hive Internal Error: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException(Query with transform clause is disallowed in current configuration.) +org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Query with transform clause is disallowed in current configuration. +#### A masked pattern was here #### + diff --git a/ql/src/test/results/clientnegative/fallbackauth_load.q.out b/ql/src/test/results/clientnegative/fallbackauth_load.q.out new file mode 100644 index 0000000..d2bcafc --- /dev/null +++ b/ql/src/test/results/clientnegative/fallbackauth_load.q.out @@ -0,0 +1,9 @@ +PREHOOK: query: create table fallbackauthload(c1 string, c2 string) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +PREHOOK: Output: default@fallbackauthload +POSTHOOK: query: create table fallbackauthload(c1 string, c2 string) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@fallbackauthload +FAILED: HiveAccessControlException Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation LOAD [ADMIN] diff --git a/ql/src/test/results/clientnegative/fallbackauth_set_invalidconf.q.out b/ql/src/test/results/clientnegative/fallbackauth_set_invalidconf.q.out new file mode 100644 index 0000000..dd6092b --- /dev/null +++ b/ql/src/test/results/clientnegative/fallbackauth_set_invalidconf.q.out @@ -0,0 +1,7 @@ +PREHOOK: query: use default +PREHOOK: type: SWITCHDATABASE +PREHOOK: Input: database:default +POSTHOOK: query: use default +POSTHOOK: type: SWITCHDATABASE +POSTHOOK: Input: database:default +Query returned non-zero code: 1, cause: Cannot modify hive.security.authorization.enabled at runtime. It is not in list of params that are allowed to be modified at runtime