From eac40c40fbd18d722981afe8fe98623e8e967c16 Mon Sep 17 00:00:00 2001
From: rmani
Date: Mon, 3 Jun 2019 22:11:19 -0700
Subject: [PATCH 1/1] HIVE-21829:HiveMetaStore authorization issue with AlterTable and DropTable events
---
 .../plugin/metastore/HiveMetaStoreAuthorizer.java | 4 ++--
 .../metastore/TestHiveMetaStoreAuthorizer.java | 26 +++++++++++++++++++---
 2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizer.java
index 50c7fc6..434d1c9 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizer.java
@@ -145,13 +145,13 @@ HiveMetaStoreAuthzInfo buildAuthzContext(PreEventContext preEventContext) throws
 }
 break;
 case ALTER_TABLE:
- authzEvent = new CreateTableEvent(preEventContext);
+ authzEvent = new AlterTableEvent(preEventContext);
 if (isViewOperation(preEventContext) && (!isSuperUser(getCurrentUser(authzEvent)))) {
 throw new MetaException(getErrorMessage("ALTER_VIEW", getCurrentUser(authzEvent)));
 }
 break;
 case DROP_TABLE:
- authzEvent = new CreateTableEvent(preEventContext);
+ authzEvent = new DropTableEvent(preEventContext);
 if (isViewOperation(preEventContext) && (!isSuperUser(getCurrentUser(authzEvent)))) {
 throw new MetaException(getErrorMessage("DROP_VIEW", getCurrentUser(authzEvent)));
 }
diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/TestHiveMetaStoreAuthorizer.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/TestHiveMetaStoreAuthorizer.java
index 9bbc70e..b9c0dcc 100644
--- a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/TestHiveMetaStoreAuthorizer.java
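Review bot: Nothing in the `ALTER_TABLE` and `DROP_TABLE` cases ties the case label to the event class it constructs, which is how both ended up building a `CreateTableEvent`, and the corrected lines still carry no comment saying why the class matters. The event class presumably determines the operation type and privilege objects handed to the authorizer (the event classes are not visible here), so a mismatch gets the request authorized against the wrong privilege without any error. I would add above the switch something like `// Each case must build the event class for its own PreEventType; the class decides what the authorizer is asked to check.` The same applies to the other cases of buildAuthzContext, whose body starts and ends outside this hunk.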
+++ b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/TestHiveMetaStoreAuthorizer.java
@@ -235,7 +235,27 @@ public void testI_CreateTable_authorizedUser() throws Exception {
 }
 
 @Test
- public void testJ_DropTable_authorizedUser() throws Exception {
+ public void testJ_AlterTable_AuthorizedUser() throws Exception {
+ UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(authorizedUser));
+ try {
+ Table table = new TableBuilder()
+ .setTableName(tblName)
+ .addCol("name", ColumnType.STRING_TYPE_NAME)
+ .setOwner(authorizedUser)
+ .build(conf);
+ hmsHandler.create_table(table);
+
+ Table alteredTable = new TableBuilder()
+ .addCol("dep", ColumnType.STRING_TYPE_NAME)
+ .build(conf);
+ hmsHandler.alter_table("default",tblName,alteredTable);
+ } catch (Exception e) {
+ // No Exception for create table for authorized user
+ }
+ }
+
+ @Test
+ public void testK_DropTable_authorizedUser() throws Exception {
 UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(authorizedUser));
 try {
 hmsHandler.drop_table(dbName,tblName,true);
@@ -245,7 +265,7 @@ public void testJ_DropTable_authorizedUser() throws Exception {
 }
 
 @Test
- public void testK_DropDatabase_authorizedUser() throws Exception {
+ public void testL_DropDatabase_authorizedUser() throws Exception {
 UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(authorizedUser));
 try {
 hmsHandler.drop_database(dbName,true,true);
@@ -255,7 +275,7 @@ public void testK_DropDatabase_authorizedUser() throws Exception {
 }
 
 @Test
- public void testL_DropCatalog_SuperUser() throws Exception {
+ public void testM_DropCatalog_SuperUser() throws Exception {
 UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(superUser));
 try {
 hmsHandler.drop_catalog(new DropCatalogRequest(catalogName));
-- 
2.6.4 (Apple Git-63)
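Review bot: `testJ_AlterTable_AuthorizedUser` cannot fail, because its `catch (Exception e)` swallows everything (and its comment still says "create table"), so it does not show that `alter_table` is now authorized as an alter rather than a create. `alteredTable` is also built without `setTableName(tblName)`; if `TableBuilder.build` rejects that (not visible here), `alter_table` is never reached and the empty catch hides it. Since the method already declares `throws Exception`, I would drop the try/catch, add `.setTableName(tblName)` to the second builder, and add an unauthorized-user counterpart that expects the call to be rejected. The hunk ends inside `testK_DropTable_authorizedUser`, whose catch block is outside it; the later hunks only rename tests.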