diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchronizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchronizer.java
index c7a4843..61714a4 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchronizer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeSynchronizer.java
@@ -17,6 +17,8 @@
 */
 package org.apache.hadoop.hive.ql.security.authorization;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
@@ -108,7 +110,8 @@ private void addACLsToBag(
 }
 }
- private HiveObjectRef getObjToRefresh(HiveObjectType type, String dbName, String tblName) throws Exception {
+ private HiveObjectRef getObjToRefresh(HiveObjectType type, String dbName, String tblName, String columnName) throws
+ Exception {
 HiveObjectRef objToRefresh = null;
 switch (type) {
 case DATABASE:
@@ -118,7 +121,7 @@ private HiveObjectRef getObjToRefresh(HiveObjectType type, String dbName, String
 objToRefresh = new HiveObjectRef(HiveObjectType.TABLE, dbName, tblName, null, null);
 break;
 case COLUMN:
- objToRefresh = new HiveObjectRef(HiveObjectType.COLUMN, dbName, tblName, null, null);
+ objToRefresh = new HiveObjectRef(HiveObjectType.COLUMN, dbName, tblName, null, columnName);
 break;
 default:
 throw new RuntimeException("Get unknown object type " + type);
@@ -176,7 +179,7 @@ public void run() {
 int numDb = 0, numTbl = 0;
 for (String dbName : hiveClient.getAllDatabases()) {
 numDb++;
- HiveObjectRef dbToRefresh = getObjToRefresh(HiveObjectType.DATABASE, dbName, null);
+ HiveObjectRef dbToRefresh = getObjToRefresh(HiveObjectType.DATABASE, dbName, null, null);
 PrivilegeBag grantDatabaseBag = new PrivilegeBag();
 addGrantPrivilegesToBag(policyProvider, grantDatabaseBag, HiveObjectType.DATABASE,
 dbName, null, null, authorizer);
@@ -186,26 +189,25 @@ public void run() {
 for (String tblName : hiveClient.getAllTables(dbName)) {
 numTbl++;
 LOG.debug("processing " + dbName + "." + tblName);
- HiveObjectRef tableToRefresh = getObjToRefresh(HiveObjectType.TABLE, dbName, tblName);
+ HiveObjectRef tableToRefresh = getObjToRefresh(HiveObjectType.TABLE, dbName, tblName, null);
 PrivilegeBag grantTableBag = new PrivilegeBag();
 addGrantPrivilegesToBag(policyProvider, grantTableBag, HiveObjectType.TABLE,
 dbName, tblName, null, authorizer);
 hiveClient.refresh_privileges(tableToRefresh, authorizer, grantTableBag);
- HiveObjectRef tableOfColumnsToRefresh = getObjToRefresh(HiveObjectType.COLUMN, dbName, tblName);
- PrivilegeBag grantColumnBag = new PrivilegeBag();
 Table tbl = null;
 try {
 tbl = hiveClient.getTable(dbName, tblName);
- for (FieldSchema fs : tbl.getPartitionKeys()) {
+ List fields = new ArrayList<>();
+ fields.addAll(tbl.getPartitionKeys());
+ fields.addAll(tbl.getSd().getCols());
+ for (FieldSchema fs : fields) {
+ HiveObjectRef tableOfColumnsToRefresh = getObjToRefresh(HiveObjectType.COLUMN, dbName, tblName, fs.getName());
+ PrivilegeBag grantColumnBag = new PrivilegeBag();
 addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN,
 dbName, tblName, fs.getName(), authorizer);
+ hiveClient.refresh_privileges(tableOfColumnsToRefresh, authorizer, grantColumnBag);
 }
- for (FieldSchema fs : tbl.getSd().getCols()) {
- addGrantPrivilegesToBag(policyProvider, grantColumnBag, HiveObjectType.COLUMN,
- dbName, tblName, fs.getName(), authorizer);
- }
- hiveClient.refresh_privileges(tableOfColumnsToRefresh, authorizer, grantColumnBag);
 } catch (MetaException e) {
 LOG.debug("Unable to synchronize " + tblName + ":" + e.getMessage());
 }
diff --git a/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java b/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java
index c0bae3b..9f1f779 100644
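Review bot: Moving `hiveClient.refresh_privileges(...)` inside the `for (FieldSchema fs : fields)` loop means a `MetaException` raised for one column now skips the remaining columns of that table, and the surrounding `catch` reports it only through `LOG.debug`. The table is then left with some columns refreshed and others still carrying their previous grants, with nothing visible at the default log level. Because this is the path that brings stored grants back in line with policy, the failure should be logged at warning level with the database name and the exception itself, for example `LOG.warn("Unable to synchronize column privileges for " + dbName + "." + tblName, e);`. The loop also visits only the columns currently returned by `getPartitionKeys()` and `getSd().getCols()`, so grants stored for a column that is no longer in the schema are not re-evaluated here; whether they are cleaned up elsewhere is not visible in this diff. The body of `run()` starts and ends outside the hunk.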
--- a/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java
+++ b/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ObjectStore.java
@@ -6454,9 +6454,8 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, String authorizer,
 grants = listTableGrantsAll(catName, objToRefresh.getDbName(), objToRefresh.getObjectName(), authorizer);
 break;
 case COLUMN:
- Preconditions.checkArgument(objToRefresh.getColumnName()==null, "columnName must be null");
- grants = convertTableCols(listTableAllColumnGrants(catName,
- objToRefresh.getDbName(), objToRefresh.getObjectName(), authorizer));
+ grants = convertTableCols(listTableColumnGrants(catName,
+ objToRefresh.getDbName(), objToRefresh.getObjectName(), objToRefresh.getColumnName(), authorizer));
 break;
 default:
 throw new MetaException("Unexpected object type " + objToRefresh.getObjectType());
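Review bot: With the `Preconditions.checkArgument` removed, a COLUMN `HiveObjectRef` whose column name is null is no longer rejected in `case COLUMN:`; it reaches `listTableColumnGrants`, which omits the `columnName` filter when that argument is null and therefore returns the grants of every column of the table. That fallback widens the refresh from one column to the whole table with no indication at the call site. If it is intended for older callers, say so in a comment above the call, e.g. `// columnName == null: refresh grants for all columns of the table`; if it is not, keep a guard such as `Preconditions.checkArgument(objToRefresh.getColumnName() != null, "columnName must be set");`. The rest of `refreshPrivileges` lies outside the hunk, so how the returned grants are compared with the privilege bag is not visible here.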
@@ -6853,7 +6852,55 @@ public boolean refreshPrivileges(HiveObjectRef objToRefresh, String authorizer,
 private List listTableAllColumnGrants(
 String catName, String dbName, String tableName) {
- return listTableAllColumnGrants(catName, dbName, tableName, null);
+ return listTableColumnGrants(catName, dbName, tableName, null, null);
+ }
+
+ @SuppressWarnings("unchecked")
+ private List listTableColumnGrants(
+ String catName, String dbName, String tableName, String columnName, String authorizer) {
+ boolean success = false;
+ Query query = null;
+ List mTblColPrivilegeList = new ArrayList<>();
+ tableName = normalizeIdentifier(tableName);
+ dbName = normalizeIdentifier(dbName);
+ catName = normalizeIdentifier(catName);
+ try {
+ LOG.debug("Executing listTableColumnGrants");
+
+ openTransaction();
+ List mPrivs = null;
+ String queryStr = "table.tableName == t1 && table.database.name == t2 &&" + "table.database.catalogName == t3";
+ String paramsStr = "java.lang.String t1, java.lang.String t2, java.lang.String t3";
+ if (columnName != null) {
+ queryStr += " && columnName == t4";
+ paramsStr += ", java.lang.String t4";
+ }
+ if (authorizer != null) {
+ queryStr += " && authorizer == t5";
+ paramsStr += ", java.lang.String t5";
+ }
+ query = pm.newQuery(MTableColumnPrivilege.class, queryStr);
+ query.declareParameters(paramsStr);
+ if (columnName != null && authorizer == null) {
+ mPrivs = (List) query.executeWithArray(tableName, dbName, catName, columnName);
+ } else if (columnName == null && authorizer != null) {
+ mPrivs = (List) query.executeWithArray(tableName, dbName, catName, authorizer);
+ } else if (columnName != null && authorizer != null) {
+ mPrivs = (List) query.executeWithArray(tableName, dbName, catName, columnName, authorizer);
+ } else {
+ mPrivs = (List) query.executeWithArray(tableName, dbName, catName);
+ }
+ pm.retrieveAll(mPrivs);
+ success = commitTransaction();
+
+ mTblColPrivilegeList.addAll(mPrivs);
+
+ LOG.debug("Done retrieving all objects for listTableColumnGrants");
+ } finally {
+ rollbackAndCleanup(success, query);
+ }
+ return mTblColPrivilegeList;
 }
 @SuppressWarnings("unchecked")
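Review bot: `listTableColumnGrants` passes `tableName`, `dbName` and `catName` through `normalizeIdentifier` but compares `columnName` exactly as supplied. If a caller's column name differs from the stored one only in a way `normalizeIdentifier` would remove, the query returns no rows, and a refresh built on that result would presumably find nothing to revoke for that column. Normalising it like the other identifiers keeps the lookup consistent: `if (columnName != null) { columnName = normalizeIdentifier(columnName); }`. This assumes column names in `MTableColumnPrivilege` are stored in normalised form, which this diff does not show.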