From 8e939483feac51e46adfd22ff591eae31bf94ba7 Mon Sep 17 00:00:00 2001 From: Sam An Date: Tue, 4 Jun 2019 11:15:49 -0700 Subject: [PATCH] HIVE-21833: Ranger Authorization in Hive based on object ownership (Sam An, reviewed by Daniel Dai) --- ql/src/java/org/apache/hadoop/hive/ql/Driver.java | 6 +++++- .../authorization/plugin/HivePrivilegeObject.java | 15 +++++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java index 255c65aa73..d6f28270cd 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java @@ -63,6 +63,7 @@ import org.apache.hadoop.hive.metastore.api.FieldSchema; import org.apache.hadoop.hive.metastore.api.LockComponent; import org.apache.hadoop.hive.metastore.api.LockType; +import org.apache.hadoop.hive.metastore.api.PrincipalType; import org.apache.hadoop.hive.metastore.api.Schema; import org.apache.hadoop.hive.metastore.utils.MetaStoreUtils; import org.apache.hadoop.hive.ql.cache.results.CacheUsage; @@ -1395,15 +1396,18 @@ private static void doAuthorizationV2(SessionState ss, HiveOperation op, List partKeys = null; List columns = null; String className = null; + String ownerName = null; switch(privObject.getType()){ case DATABASE: dbname = privObject.getDatabase().getName(); + ownerName = privObject.getDatabase().getOwnerName(); break; case TABLE: dbname = privObject.getTable().getDbName(); objName = privObject.getTable().getTableName(); columns = tableName2Cols == null ? null : tableName2Cols.get(Table.getCompleteName(dbname, objName)); + ownerName = privObject.getTable().getOwner(); break; case DFS_DIR: case LOCAL_DIR: 
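Review bot: In the `switch(privObject.getType())` of `doAuthorizationV2`, `ownerName` is assigned only in the `DATABASE` and `TABLE` cases, so the other object types visible here (`DFS_DIR`, `LOCAL_DIR`) reach the authorizer with a null owner. An ownership-based policy then has to decide what null means, and a plugin that reads it as "no owner restriction" would grant more than intended. I would state the contract at the declaration, e.g. `String ownerName = null; // set only for DATABASE and TABLE; null means owner unknown, never "any owner"`. The switch continues past the end of this hunk, so the remaining cases are not visible here.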
@@ -1428,7 +1432,7 @@ private static void doAuthorizationV2(SessionState ss, HiveOperation op, List o1, Collection o2) { private final List columns; private final HivePrivObjectActionType actionType; private final String className; + private final String ownerName; // cellValueTransformers is corresponding to the columns. // Its size should be the same as columns. // For example, if a table has two columns, "key" and "value" @@ -175,6 +176,20 @@ public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String o this.actionType = actionType; this.commandParams = commandParams; this.className = className; + this.ownerName = null; + } + public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String objectName, + List partKeys, List columns, HivePrivObjectActionType actionType, + List commandParams, String className, String ownerName) { + this.type = type; + this.dbname = dbname; + this.objectName = objectName; + this.partKeys = partKeys; + this.columns = columns; + this.actionType = actionType; + this.commandParams = commandParams; + this.className = className; + this.ownerName = ownerName; } public HivePrivilegeObjectType getType() { -- 2.20.1 From f184ab52f9b9a2a27215eb1df77b3e3d3424550d Mon Sep 17 00:00:00 2001 From: Sam An Date: Tue, 4 Jun 2019 14:15:05 -0700 Subject: [PATCH] add ownertype --- ql/src/java/org/apache/hadoop/hive/ql/Driver.java | 5 ++++- .../security/authorization/plugin/HivePrivilegeObject.java | 6 +++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java index d6f28270cd..18438aa592 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java 
@@ -1397,10 +1397,12 @@ private static void doAuthorizationV2(SessionState ss, HiveOperation op, List columns = null; String className = null; String ownerName = null; + PrincipalType ownerType = null; switch(privObject.getType()){ case DATABASE: dbname = privObject.getDatabase().getName(); ownerName = privObject.getDatabase().getOwnerName(); + ownerType = privObject.getDatabase().getOwnerType(); break; case TABLE: dbname = privObject.getTable().getDbName(); @@ -1408,6 +1410,7 @@ private static void doAuthorizationV2(SessionState ss, HiveOperation op, List o1, Collection o2) { private final HivePrivObjectActionType actionType; private final String className; private final String ownerName; + private final PrincipalType ownerType; // cellValueTransformers is corresponding to the columns. // Its size should be the same as columns. // For example, if a table has two columns, "key" and "value" @@ -177,10 +179,11 @@ public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String o this.commandParams = commandParams; this.className = className; this.ownerName = null; + this.ownerType = null; } public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String objectName, List partKeys, List columns, HivePrivObjectActionType actionType, - List commandParams, String className, String ownerName) { + List commandParams, String className, String ownerName, PrincipalType ownerType) { this.type = type; this.dbname = dbname; this.objectName = objectName; @@ -190,6 +193,7 @@ public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String o this.commandParams = commandParams; this.className = className; this.ownerName = ownerName; + this.ownerType = ownerType; } public HivePrivilegeObjectType getType() { -- 2.20.1 From f59e1ee3c9591198a198d6ee09cdd0742fde2b2f Mon Sep 17 00:00:00 2001 
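Review bot: The widened `HivePrivilegeObject` constructor takes `ownerName` and `ownerType` independently, so an object can carry an owner name with a null type. `PrincipalType` is what lets an authorizer tell a user from a role or group of the same name, and an ownership match made on the name alone can match the wrong kind of principal. The constructor should document that the two values travel together, for example `@param ownerType kind of principal named by ownerName; null only when ownerName is null`, and say that a missing type must not be treated as a match. The constructor is split across this hunk and the next one, and its full body is not visible in either.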
From: Sam An Date: Thu, 6 Jun 2019 15:27:21 -0700 Subject: [PATCH] Add unit test --- .../plugin/HivePrivilegeObject.java | 37 ++++---- .../plugin/DummyHiveAuthorizer.java | 88 +++++++++++++++++++ .../plugin/DummyHiveAuthorizerFactory.java | 41 +++++++++ .../authorization/plugin/TestOwnerName.java | 29 ++++++ .../hive/metastore/cache/CachedStore.java | 4 +- 5 files changed, 181 insertions(+), 18 deletions(-) create mode 100644 ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/DummyHiveAuthorizer.java create mode 100644 ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/DummyHiveAuthorizerFactory.java create mode 100644 ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestOwnerName.java diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java index 12085ac869..c29ef77d7f 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java 
@@ -167,23 +167,14 @@ public HivePrivilegeObject(String dbname, String objectName, List column this(HivePrivilegeObjectType.TABLE_OR_VIEW, dbname, objectName, null, columns, null); } - public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String objectName, - List partKeys, List columns, HivePrivObjectActionType actionType, - List commandParams, String className) { - this.type = type; - this.dbname = dbname; - this.objectName = objectName; - this.partKeys = partKeys; - this.columns = columns; - this.actionType = actionType; - this.commandParams = commandParams; - this.className = className; - this.ownerName = null; - this.ownerType = null; + public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String objectName, List partKeys, + List columns, HivePrivObjectActionType actionType, List commandParams, String className) { + this(type, dbname, objectName, partKeys, columns, actionType, commandParams, className, null, null); } - public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String objectName, - List partKeys, List columns, HivePrivObjectActionType actionType, - List commandParams, String className, String ownerName, PrincipalType ownerType) { + + public HivePrivilegeObject(HivePrivilegeObjectType type, String dbname, String objectName, List partKeys, + List columns, HivePrivObjectActionType actionType, List commandParams, String className, + String ownerName, PrincipalType ownerType) { this.type = type; this.dbname = dbname; this.objectName = objectName; 
@@ -294,6 +285,20 @@ public String toString() { return "Object [type=" + type + ", name=" + name + actionTypeStr + "]"; } + /** + * @return ownerName of the object + */ + public String getOwnerName() { + return this.ownerName; + } + + /** + * @return principal type of the owner + */ + public PrincipalType getOwnerType() { + return this.ownerType; + } + private String getDbObjectName(String dbname2, String objectName2) { return (dbname == null ? "" : dbname + ".") + objectName; } diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/DummyHiveAuthorizer.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/DummyHiveAuthorizer.java new file mode 100644 index 0000000000..8c4c0b6e89 --- /dev/null +++ b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/DummyHiveAuthorizer.java 
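Review bot: The Javadoc on the new `getOwnerName()` and `getOwnerType()` does not say that either can return null, yet the older constructor in this same file now delegates with `null, null` for both. Authorization plugins are the callers of these getters, so the null case belongs in the contract: `@return owner of the object, or null when no owner was supplied; callers must not treat null as a match`, with the same wording for `getOwnerType()`. The `toString()` shown in the context lines still prints only type, name and action, so the owner that a decision was based on will not appear wherever this object is logged through it.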
@@ -0,0 +1,88 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.hadoop.hive.ql.security.authorization.plugin; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizer; +import org.apache.hadoop.security.UserGroupInformation; + +import java.util.Arrays; +import java.util.List; + +/** + * Test HiveAuthorizer for invoking checkPrivilege Methods for authorization call + * Authorizes user sam and rob. 
+ */ +public class DummyHiveAuthorizer extends FallbackHiveAuthorizer { + + static final List allowedUsers = Arrays.asList("sam","rob"); + + public DummyHiveAuthorizer(HiveConf hiveConf, HiveAuthenticationProvider hiveAuthenticator, + HiveAuthzSessionContext ctx) { + super(hiveConf,hiveAuthenticator, ctx); + } + + @Override + public void checkPrivileges(HiveOperationType hiveOpType, List inputHObjs, + List outputHObjs, HiveAuthzContext context) throws + HiveAuthzPluginException, HiveAccessControlException { + + String user = null; + String errorMessage = ""; + try { + user = UserGroupInformation.getLoginUser().getShortUserName(); + } catch (Exception e) { + throw new HiveAuthzPluginException("Unable to get UserGroupInformation"); + } + boolean containsDBOwnerName = false; + boolean containsTblOwnerName = false; + for( HivePrivilegeObject hpo: inputHObjs){ + if ( hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.DATABASE && hpo.getOwnerName() != null){ + containsDBOwnerName = true; + } + if ( hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.TABLE_OR_VIEW && hpo.getOwnerName() != null){ + containsTblOwnerName = true; + } + } + for( HivePrivilegeObject hpo: outputHObjs){ + if ( hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.DATABASE && hpo.getOwnerName() != null){ + containsDBOwnerName = true; + } + if ( hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.TABLE_OR_VIEW && hpo.getOwnerName() != null){ + containsTblOwnerName = true; + } + } + if (!containsDBOwnerName || !containsTblOwnerName){ + errorMessage = "Ownername is not present in HivePrivilegeObject"; + throw new HiveAuthzPluginException(errorMessage); + } + + if (!isOperationAllowed(user)) { + errorMessage = "Operation type " + hiveOpType + " not allowed for user:" + user; + throw new HiveAuthzPluginException(errorMessage); + } + } + + private boolean isOperationAllowed(String user) { + return allowedUsers.contains(user); + } + +} 
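Review bot: `checkPrivileges` takes the user from `UserGroupInformation.getLoginUser()`, which is the identity of the process rather than of the session that issued the statement; the `hiveAuthenticator` handed to the constructor is passed to `super` and never consulted here. With `HIVE_SERVER2_ENABLE_DOAS` switched off, as the accompanying test does, a server process would check every session as the same login user, so anyone copying this dummy as a template gets an allow-list that does not look at the caller. Keep the authenticator in a field and use `user = hiveAuthenticator.getUserName();`. The `catch (Exception e)` also drops the cause, where `new HiveAuthzPluginException("Unable to get UserGroupInformation", e)` keeps it, and a denial is better reported as `HiveAccessControlException`, which the method already declares.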
diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/DummyHiveAuthorizerFactory.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/DummyHiveAuthorizerFactory.java
new file mode 100644
index 0000000000..e7c281eee2
--- /dev/null
+++ b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/DummyHiveAuthorizerFactory.java
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.DummyHiveAuthorizer;
+
+/*
+Test DummyHiveAuthorizerFactory
+*/
+
+public class DummyHiveAuthorizerFactory implements HiveAuthorizerFactory {
+ @Override
+ public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
+ HiveConf conf, HiveAuthenticationProvider hiveAuthenticator, HiveAuthzSessionContext ctx)
+ throws HiveAuthzPluginException {
+ return new DummyHiveAuthorizer(conf, hiveAuthenticator, ctx);
+ }
+}
diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestOwnerName.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestOwnerName.java new file mode 100644 index 0000000000..0bc46efe7a --- /dev/null +++ b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestOwnerName.java @@ -0,0 +1,29 @@ +package org.apache.hadoop.hive.ql.security.authorization.plugin; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.ql.Driver; +import org.apache.hadoop.hive.ql.session.SessionState; +import org.apache.hadoop.security.UserGroupInformation; +import org.junit.Assert; +import org.junit.Test; + +public class TestOwnerName { + private static final String authorizedUser = "sam"; + + @Test public void testDBAndTableOwner() throws Exception { + UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(authorizedUser)); + try { + HiveConf conf = new HiveConf(Driver.class); + HiveConf.setBoolVar(conf, HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS, false); + HiveConf.setVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER, DummyHiveAuthorizerFactory.class.getName()); + HiveConf.setBoolVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED, true); + + SessionState.start(conf); + Driver driver = new Driver(conf); + int errorcode = driver.compile("create table default.t1(name string)"); + Assert.assertEquals("Owner Name not present", 0, errorcode); + } catch (Exception e) { + throw e; + } + } +} diff --git a/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/cache/CachedStore.java b/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/cache/CachedStore.java index 1552ea0b8d..07f325d440 100644 --- a/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/cache/CachedStore.java +++ b/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/cache/CachedStore.java 
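Review bot: `testDBAndTableOwner` calls `UserGroupInformation.setLoginUser(...)` and never restores the previous login user, so any test that runs later in the same JVM is evaluated as `sam`, one of the two users the dummy authorizer allows. That can hide authorization failures in unrelated tests. Save the current user first and restore it in a `finally`, e.g. `UserGroupInformation prev = UserGroupInformation.getLoginUser();` before the call and `UserGroupInformation.setLoginUser(prev);` afterwards. The `try { ... } catch (Exception e) { throw e; }` wrapper does nothing and can go, and the file lacks the license header that the other new files in this patch carry.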
@@ -494,7 +494,7 @@ static void prewarm(RawStore rawStore) { AggrStats aggrStatsAllButDefaultPartition = null; if (!table.getPartitionKeys().isEmpty()) { Deadline.startTimer("getPartitions"); - partitions = rawStore.getPartitions(catName, dbName, tblName, Integer.MAX_VALUE); + partitions = rawStore.getPartitions(catName, dbName, tblName, -1); Deadline.stopTimer(); List partNames = new ArrayList<>(partitions.size()); for (Partition p : partitions) { @@ -862,7 +862,7 @@ private void updateTablePartitions(RawStore rawStore, String catName, String dbN dbName, tblName); try { Deadline.startTimer("getPartitions"); - List partitions = rawStore.getPartitions(catName, dbName, tblName, Integer.MAX_VALUE); + List partitions = rawStore.getPartitions(catName, dbName, tblName, -1); Deadline.stopTimer(); sharedCache.refreshPartitionsInCache(StringUtils.normalizeIdentifier(catName), StringUtils.normalizeIdentifier(dbName), StringUtils.normalizeIdentifier(tblName), partitions); -- 2.20.1 From 394bf4e2cfd6a1b4c8e0a3b3c0d4947e5ac784d3 Mon Sep 17 00:00:00 2001 From: Sam An Date: Thu, 6 Jun 2019 22:39:30 -0700 Subject: [PATCH] change unit test --- .../TestHiveAuthorizerCheckInvocation.java | 178 ++++++++++++++++++ 1 file changed, 178 insertions(+) create mode 100644 ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java new file mode 100644 index 0000000000..5fef2186e1 --- /dev/null +++ b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java 
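Review bot: Both `rawStore.getPartitions(...)` calls, in `prewarm` and in `updateTablePartitions`, change the limit from `Integer.MAX_VALUE` to `-1`, which is only correct if every `RawStore` implementation treats a negative maximum as "no limit"; nothing in these hunks shows that. An implementation that passed the value through as a row limit could return an empty or truncated list and leave the cache holding fewer partitions than the store. The change is also unrelated to the commit subject ("Add unit test") and would be easier to trace in its own commit. If it stays, add a comment at both call sites such as `// -1 = no limit on the number of partitions returned`. Both functions extend beyond their hunks.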
@@ -0,0 +1,178 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hive.ql.security.authorization.plugin; + +import org.apache.commons.lang3.tuple.ImmutablePair; +import org.apache.commons.lang3.tuple.Pair; +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.conf.HiveConf.ConfVars; +import org.apache.hadoop.hive.ql.Driver; +import org.apache.hadoop.hive.ql.lockmgr.DbTxnManager; +import org.apache.hadoop.hive.ql.processors.CommandProcessorResponse; +import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; +import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator; +import org.apache.hadoop.hive.ql.session.SessionState; +import org.apache.hadoop.hive.ql.stats.StatsUtils; +import org.apache.hadoop.security.UserGroupInformation; +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Test; +import org.mockito.ArgumentCaptor; +import org.mockito.Mockito; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.util.List; + +import static org.apache.hadoop.hive.metastore.ReplChangeManager.SOURCE_OF_REPLICATION; +import static org.junit.Assert.assertEquals; +import static org.mockito.Matchers.any; 
+import static org.mockito.Mockito.reset; +import static org.mockito.Mockito.verify; + +/** + * Test HiveAuthorizer api invocation + */ +public class TestHiveAuthorizerCheckInvocation { + private final Logger LOG = LoggerFactory.getLogger(this.getClass().getName());; + protected static HiveConf conf; + protected static Driver driver; + private static final String tableName = TestHiveAuthorizerCheckInvocation.class.getSimpleName() + + "Table"; + private static final String viewName = TestHiveAuthorizerCheckInvocation.class.getSimpleName() + + "View"; + private static final String inDbTableName = tableName + "_in_db"; + private static final String acidTableName = tableName + "_acid"; + private static final String dbName = TestHiveAuthorizerCheckInvocation.class.getSimpleName() + + "Db"; + private static final String fullInTableName = StatsUtils.getFullyQualifiedTableName(dbName, inDbTableName); + static HiveAuthorizer mockedAuthorizer; + + /** + * This factory creates a mocked HiveAuthorizer class. Use the mocked class to + * capture the argument passed to it in the test case. 
+ */ + static class MockedHiveAuthorizerFactory implements HiveAuthorizerFactory { + @Override + public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, + HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) { + TestHiveAuthorizerCheckInvocation.mockedAuthorizer = Mockito.mock(HiveAuthorizer.class); + return TestHiveAuthorizerCheckInvocation.mockedAuthorizer; + } + + } + + @BeforeClass + public static void beforeTest() throws Exception { + UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser("hive")); + conf = new HiveConf(); + + // Turn on mocked authorization + conf.setVar(ConfVars.HIVE_AUTHORIZATION_MANAGER, MockedHiveAuthorizerFactory.class.getName()); + //conf.setVar(ConfVars.HIVE_AUTHENTICATOR_MANAGER, SessionStateUserAuthenticator.class.getName()); + conf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true); + conf.setBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS, false); + conf.setBoolVar(ConfVars.HIVE_SUPPORT_CONCURRENCY, true); + conf.setVar(ConfVars.HIVE_TXN_MANAGER, DbTxnManager.class.getName()); + conf.setVar(ConfVars.HIVEMAPREDMODE, "nonstrict"); + + SessionState.start(conf); + driver = new Driver(conf); + runCmd("create table " + tableName + + " (i int, j int, k string) partitioned by (city string, `date` string) "); + runCmd("create view " + viewName + " as select * from " + tableName); + runCmd("create database " + dbName + " WITH DBPROPERTIES ( '" + + SOURCE_OF_REPLICATION + "' = '1,2,3')"); + runCmd("create table " + fullInTableName + "(i int)"); + // Need a separate table for ACID testing since it has to be bucketed and it has to be Acid + runCmd("create table " + acidTableName + " (i int, j int, k int) clustered by (k) into 2 buckets " + + "stored as orc TBLPROPERTIES ('transactional'='true')"); + } + + private static void runCmd(String cmd) throws Exception { + CommandProcessorResponse resp = driver.run(cmd); + assertEquals(0, resp.getResponseCode()); + } + 
+ @AfterClass + public static void afterTests() throws Exception { + // Drop the tables when we're done. This makes the test work inside an IDE + runCmd("drop table if exists " + acidTableName); + runCmd("drop table if exists " + tableName); + runCmd("drop table if exists " + viewName); + runCmd("drop table if exists " + fullInTableName); + runCmd("drop database if exists " + dbName + " CASCADE"); + driver.close(); + } + + @Test + public void testOwnerNames() throws Exception { + reset(mockedAuthorizer); + + driver.compile("create table default.t1 (name string)"); + + Pair, List> io = getHivePrivilegeObjectInputs(); + boolean containsDBOwnerName = false; + boolean containsTblOwnerName = false; + for( HivePrivilegeObject hpo: io.getLeft()){ + if ( hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.DATABASE && hpo.getOwnerName() != null){ + containsDBOwnerName = true; + } + if ( hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.TABLE_OR_VIEW && hpo.getOwnerName() != null){ + containsTblOwnerName = true; + } + } + for( HivePrivilegeObject hpo: io.getRight()){ + if ( hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.DATABASE && hpo.getOwnerName() != null){ + containsDBOwnerName = true; + } + if ( hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.TABLE_OR_VIEW && hpo.getOwnerName() != null){ + containsTblOwnerName = true; + } + } + if (!containsTblOwnerName ||!containsDBOwnerName){ + String errorMessage = "Ownername is not present in HivePrivilegeObject"; + throw new HiveAuthzPluginException(errorMessage); + } + } + + /** + * @return pair with left value as inputs and right value as outputs, + * passed in current call to authorizer.checkPrivileges + * @throws HiveAuthzPluginException + * @throws HiveAccessControlException + */ + private Pair, List> getHivePrivilegeObjectInputs() throws HiveAuthzPluginException, + HiveAccessControlException { + // Create argument capturer + // a class variable cast to this generic of generic 
class + Class> class_listPrivObjects = (Class) List.class; + ArgumentCaptor> inputsCapturer = ArgumentCaptor + .forClass(class_listPrivObjects); + ArgumentCaptor> outputsCapturer = ArgumentCaptor + .forClass(class_listPrivObjects); + + verify(mockedAuthorizer).checkPrivileges(any(HiveOperationType.class), + inputsCapturer.capture(), outputsCapturer.capture(), + any(HiveAuthzContext.class)); + + return new ImmutablePair(inputsCapturer.getValue(), outputsCapturer.getValue()); + } + +} -- 2.20.1 From 46c5681bbc42082cab3b2e4833f768415ccbe6ce Mon Sep 17 00:00:00 2001 From: Sam An Date: Fri, 7 Jun 2019 09:12:38 -0700 Subject: [PATCH] remove original version of unit tests --- .../TestHiveAuthorizerCheckInvocation.java | 10 ++ .../plugin/DummyHiveAuthorizer.java | 88 ----------------- .../plugin/DummyHiveAuthorizerFactory.java | 41 -------- ...tHivePrivilegeObjectOwnerNameAndType.java} | 99 +++++++++---------- .../authorization/plugin/TestOwnerName.java | 29 ------ 5 files changed, 55 insertions(+), 212 deletions(-) delete mode 100644 ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/DummyHiveAuthorizer.java delete mode 100644 ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/DummyHiveAuthorizerFactory.java rename ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/{TestHiveAuthorizerCheckInvocation.java => TestHivePrivilegeObjectOwnerNameAndType.java} (60%) delete mode 100644 ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestOwnerName.java diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java index b9ef8b780e..24ead2ea3d 100644 --- a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java 
+++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java @@ -538,6 +538,16 @@ public void testShowTables() throws Exception { assertEquals(0, status); Pair, List> io = getHivePrivilegeObjectInputs(); + + } + + @Test + public void testOwnerNames() throws Exception { + reset(mockedAuthorizer); + int status = driver.compile("create table default.t1 (name string)"); + assertEquals(0, status); + + Pair, List> io = getHivePrivilegeObjectInputs(); List inputs = io.getLeft(); assertEquals(1, inputs.size()); HivePrivilegeObject dbObj = inputs.get(0); diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/DummyHiveAuthorizer.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/DummyHiveAuthorizer.java deleted file mode 100644 index 8c4c0b6e89..0000000000 --- a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/DummyHiveAuthorizer.java +++ /dev/null 
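Review bot: The added `}` closes `testShowTables` immediately after `getHivePrivilegeObjectInputs()`, so the context lines that follow (`assertEquals(1, inputs.size());`, `HivePrivilegeObject dbObj = inputs.get(0);`) now belong to the new `testOwnerNames`, and `testShowTables` is left with an unused `io` and no check on what was sent to the authorizer. Those assertions appear to have been written for the show-tables call, and nothing visible in the hunk asserts `getOwnerName()` or `getOwnerType()` for the `create table` statement. Give `testOwnerNames` its own body placed after the end of `testShowTables`, with assertions such as `assertNotNull(dbObj.getOwnerName());`, and leave the existing assertions where they were. The rest of the method lies outside the hunk, so further checks may exist there.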
@@ -1,88 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.hadoop.hive.ql.security.authorization.plugin; - -import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; -import org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizer; -import org.apache.hadoop.security.UserGroupInformation; - -import java.util.Arrays; -import java.util.List; - -/** - * Test HiveAuthorizer for invoking checkPrivilege Methods for authorization call - * Authorizes user sam and rob. 
- */ -public class DummyHiveAuthorizer extends FallbackHiveAuthorizer { - - static final List allowedUsers = Arrays.asList("sam","rob"); - - public DummyHiveAuthorizer(HiveConf hiveConf, HiveAuthenticationProvider hiveAuthenticator, - HiveAuthzSessionContext ctx) { - super(hiveConf,hiveAuthenticator, ctx); - } - - @Override - public void checkPrivileges(HiveOperationType hiveOpType, List inputHObjs, - List outputHObjs, HiveAuthzContext context) throws - HiveAuthzPluginException, HiveAccessControlException { - - String user = null; - String errorMessage = ""; - try { - user = UserGroupInformation.getLoginUser().getShortUserName(); - } catch (Exception e) { - throw new HiveAuthzPluginException("Unable to get UserGroupInformation"); - } - boolean containsDBOwnerName = false; - boolean containsTblOwnerName = false; - for( HivePrivilegeObject hpo: inputHObjs){ - if ( hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.DATABASE && hpo.getOwnerName() != null){ - containsDBOwnerName = true; - } - if ( hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.TABLE_OR_VIEW && hpo.getOwnerName() != null){ - containsTblOwnerName = true; - } - } - for( HivePrivilegeObject hpo: outputHObjs){ - if ( hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.DATABASE && hpo.getOwnerName() != null){ - containsDBOwnerName = true; - } - if ( hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.TABLE_OR_VIEW && hpo.getOwnerName() != null){ - containsTblOwnerName = true; - } - } - if (!containsDBOwnerName || !containsTblOwnerName){ - errorMessage = "Ownername is not present in HivePrivilegeObject"; - throw new HiveAuthzPluginException(errorMessage); - } - - if (!isOperationAllowed(user)) { - errorMessage = "Operation type " + hiveOpType + " not allowed for user:" + user; - throw new HiveAuthzPluginException(errorMessage); - } - } - - private boolean isOperationAllowed(String user) { - return allowedUsers.contains(user); - } - -} 
diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/DummyHiveAuthorizerFactory.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/DummyHiveAuthorizerFactory.java
deleted file mode 100644
index e7c281eee2..0000000000
--- a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/DummyHiveAuthorizerFactory.java
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.hive.ql.security.authorization.plugin;
-
-import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.DummyHiveAuthorizer;
-
-/*
-Test DummyHiveAuthorizerFactory
-*/
-
-public class DummyHiveAuthorizerFactory implements HiveAuthorizerFactory {
- @Override
- public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
- HiveConf conf, HiveAuthenticationProvider hiveAuthenticator, HiveAuthzSessionContext ctx)
- throws HiveAuthzPluginException {
- return new DummyHiveAuthorizer(conf, hiveAuthenticator, ctx);
- }
-}
diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHivePrivilegeObjectOwnerNameAndType.java similarity index 60% rename from ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java rename to ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHivePrivilegeObjectOwnerNameAndType.java index 5fef2186e1..99ea97ec0f 100644 --- a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java +++ b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHivePrivilegeObjectOwnerNameAndType.java @@ -26,11 +26,11 @@ import org.apache.hadoop.hive.ql.lockmgr.DbTxnManager; import org.apache.hadoop.hive.ql.processors.CommandProcessorResponse; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; -import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator; import org.apache.hadoop.hive.ql.session.SessionState; import org.apache.hadoop.hive.ql.stats.StatsUtils; import org.apache.hadoop.security.UserGroupInformation; import org.junit.AfterClass; +import org.junit.Assert; import org.junit.BeforeClass; import org.junit.Test; import org.mockito.ArgumentCaptor; @@ -40,7 +40,6 @@ import java.util.List; -import static org.apache.hadoop.hive.metastore.ReplChangeManager.SOURCE_OF_REPLICATION; import static org.junit.Assert.assertEquals; import static org.mockito.Matchers.any; import static org.mockito.Mockito.reset; 
@@ -49,19 +48,11 @@ /** * Test HiveAuthorizer api invocation */ -public class TestHiveAuthorizerCheckInvocation { - private final Logger LOG = LoggerFactory.getLogger(this.getClass().getName());; +public class TestHivePrivilegeObjectOwnerNameAndType { + private final Logger LOG = LoggerFactory.getLogger(this.getClass().getName()); protected static HiveConf conf; protected static Driver driver; - private static final String tableName = TestHiveAuthorizerCheckInvocation.class.getSimpleName() - + "Table"; - private static final String viewName = TestHiveAuthorizerCheckInvocation.class.getSimpleName() - + "View"; - private static final String inDbTableName = tableName + "_in_db"; - private static final String acidTableName = tableName + "_acid"; - private static final String dbName = TestHiveAuthorizerCheckInvocation.class.getSimpleName() - + "Db"; - private static final String fullInTableName = StatsUtils.getFullyQualifiedTableName(dbName, inDbTableName); + private static final String tableName = TestHivePrivilegeObjectOwnerNameAndType.class.getSimpleName() + "Table"; static HiveAuthorizer mockedAuthorizer; /** 
@@ -69,17 +60,15 @@ * capture the argument passed to it in the test case. */ static class MockedHiveAuthorizerFactory implements HiveAuthorizerFactory { - @Override - public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, + @Override public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) { - TestHiveAuthorizerCheckInvocation.mockedAuthorizer = Mockito.mock(HiveAuthorizer.class); - return TestHiveAuthorizerCheckInvocation.mockedAuthorizer; + TestHivePrivilegeObjectOwnerNameAndType.mockedAuthorizer = Mockito.mock(HiveAuthorizer.class); + return TestHivePrivilegeObjectOwnerNameAndType.mockedAuthorizer; } } - @BeforeClass - public static void beforeTest() throws Exception { + @BeforeClass public static void beforeTest() throws Exception { UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser("hive")); conf = new HiveConf(); @@ -94,15 +83,7 @@ public static void beforeTest() throws Exception { SessionState.start(conf); driver = new Driver(conf); - runCmd("create table " + tableName - + " (i int, j int, k string) partitioned by (city string, `date` string) "); - runCmd("create view " + viewName + " as select * from " + tableName); - runCmd("create database " + dbName + " WITH DBPROPERTIES ( '" + - SOURCE_OF_REPLICATION + "' = '1,2,3')"); - runCmd("create table " + fullInTableName + "(i int)"); - // Need a separate table for ACID testing since it has to be bucketed and it has to be Acid - runCmd("create table " + acidTableName + " (i int, j int, k int) clustered by (k) into 2 buckets " + - "stored as orc TBLPROPERTIES ('transactional'='true')"); + runCmd("create table " + tableName + " (i int, j int, k string) partitioned by (city string, `date` string) "); } private static void runCmd(String cmd) throws Exception { 
@@ -110,67 +91,77 @@ private static void runCmd(String cmd) throws Exception { assertEquals(0, resp.getResponseCode()); } - @AfterClass - public static void afterTests() throws Exception { + @AfterClass public static void afterTests() throws Exception { // Drop the tables when we're done. This makes the test work inside an IDE - runCmd("drop table if exists " + acidTableName); runCmd("drop table if exists " + tableName); - runCmd("drop table if exists " + viewName); - runCmd("drop table if exists " + fullInTableName); - runCmd("drop database if exists " + dbName + " CASCADE"); driver.close(); } - @Test - public void testOwnerNames() throws Exception { + @Test public void testOwnerNames() throws Exception { reset(mockedAuthorizer); - driver.compile("create table default.t1 (name string)"); Pair, List> io = getHivePrivilegeObjectInputs(); boolean containsDBOwnerName = false; boolean containsTblOwnerName = false; - for( HivePrivilegeObject hpo: io.getLeft()){ - if ( hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.DATABASE && hpo.getOwnerName() != null){ + for (HivePrivilegeObject hpo : io.getLeft()) { + if (hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.DATABASE && hpo.getOwnerName() != null) { containsDBOwnerName = true; } - if ( hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.TABLE_OR_VIEW && hpo.getOwnerName() != null){ + if (hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.TABLE_OR_VIEW && hpo.getOwnerName() != null) { containsTblOwnerName = true; } } - for( HivePrivilegeObject hpo: io.getRight()){ - if ( hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.DATABASE && hpo.getOwnerName() != null){ + for (HivePrivilegeObject hpo : io.getRight()) { + if (hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.DATABASE && hpo.getOwnerName() != null) { containsDBOwnerName = true; } - if ( hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.TABLE_OR_VIEW && hpo.getOwnerName() != null){ + if 
(hpo.getType() == HivePrivilegeObject.HivePrivilegeObjectType.TABLE_OR_VIEW && hpo.getOwnerName() != null) { containsTblOwnerName = true; } } - if (!containsTblOwnerName ||!containsDBOwnerName){ + if (!containsTblOwnerName || !containsDBOwnerName) { String errorMessage = "Ownername is not present in HivePrivilegeObject"; throw new HiveAuthzPluginException(errorMessage); } } + @Test public void testOwnerType() throws Exception { + reset(mockedAuthorizer); + driver.compile("create table default.t1 (name string)"); + + Pair, List> io = getHivePrivilegeObjectInputs(); + boolean containsOwnerType = false; + for (HivePrivilegeObject hpo : io.getLeft()) { + if (hpo.getOwnerType() != null) { + containsOwnerType = true; + } + } + for (HivePrivilegeObject hpo : io.getRight()) { + if (hpo.getOwnerType() != null) { + containsOwnerType = true; + } + } + Assert.assertTrue(containsOwnerType); + } + /** * @return pair with left value as inputs and right value as outputs, * passed in current call to authorizer.checkPrivileges * @throws HiveAuthzPluginException * @throws HiveAccessControlException */ - private Pair, List> getHivePrivilegeObjectInputs() throws HiveAuthzPluginException, - HiveAccessControlException { + private Pair, List> getHivePrivilegeObjectInputs() + throws HiveAuthzPluginException, HiveAccessControlException { // Create argument capturer // a class variable cast to this generic of generic class Class> class_listPrivObjects = (Class) List.class; - ArgumentCaptor> inputsCapturer = ArgumentCaptor - .forClass(class_listPrivObjects); - ArgumentCaptor> outputsCapturer = ArgumentCaptor - .forClass(class_listPrivObjects); - - verify(mockedAuthorizer).checkPrivileges(any(HiveOperationType.class), - inputsCapturer.capture(), outputsCapturer.capture(), - any(HiveAuthzContext.class)); + ArgumentCaptor> inputsCapturer = ArgumentCaptor.forClass(class_listPrivObjects); + ArgumentCaptor> outputsCapturer = ArgumentCaptor.forClass(class_listPrivObjects); + + 
verify(mockedAuthorizer) + .checkPrivileges(any(HiveOperationType.class), inputsCapturer.capture(), outputsCapturer.capture(), + any(HiveAuthzContext.class)); return new ImmutablePair(inputsCapturer.getValue(), outputsCapturer.getValue()); } diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestOwnerName.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestOwnerName.java deleted file mode 100644 index 0bc46efe7a..0000000000 --- a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestOwnerName.java +++ /dev/null @@ -1,29 +0,0 @@ -package org.apache.hadoop.hive.ql.security.authorization.plugin; - -import org.apache.hadoop.hive.conf.HiveConf; -import org.apache.hadoop.hive.ql.Driver; -import org.apache.hadoop.hive.ql.session.SessionState; -import org.apache.hadoop.security.UserGroupInformation; -import org.junit.Assert; -import org.junit.Test; - -public class TestOwnerName { - private static final String authorizedUser = "sam"; - - @Test public void testDBAndTableOwner() throws Exception { - UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(authorizedUser)); - try { - HiveConf conf = new HiveConf(Driver.class); - HiveConf.setBoolVar(conf, HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS, false); - HiveConf.setVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER, DummyHiveAuthorizerFactory.class.getName()); - HiveConf.setBoolVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED, true); - - SessionState.start(conf); - Driver driver = new Driver(conf); - int errorcode = driver.compile("create table default.t1(name string)"); - Assert.assertEquals("Owner Name not present", 0, errorcode); - } catch (Exception e) { - throw e; - } - } -} -- 2.20.1 From 65f05accc96ad2e39d45813763c5249957a8eb60 Mon Sep 17 00:00:00 2001 
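Review bot: The new testOwnerType passes as soon as any single captured object has a non-null owner type, so it would stay green if the DATABASE or the TABLE_OR_VIEW object lost its owner type, or carried the wrong one. Owner name and type are what an ownership-based authorizer decides on, so the test should check them per object. If every DATABASE and TABLE_OR_VIEW object is expected to carry one, assert inside the loops with `Assert.assertNotNull("owner type missing on " + hpo, hpo.getOwnerType());`, and pin the expected value where the owner is known. Both tests in this hunk also discard the result of `driver.compile(...)`; the itests variant of testOwnerNames checked it, and `assertEquals(0, driver.compile("create table default.t1 (name string)"));` would do the same here.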
From: Sam An Date: Fri, 7 Jun 2019 09:28:31 -0700 Subject: [PATCH] reverse inadvertent change --- .../plugin/TestHiveAuthorizerCheckInvocation.java | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java index 24ead2ea3d..b9ef8b780e 100644 --- a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java +++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java @@ -538,16 +538,6 @@ public void testShowTables() throws Exception { assertEquals(0, status); Pair, List> io = getHivePrivilegeObjectInputs(); - - } - - @Test - public void testOwnerNames() throws Exception { - reset(mockedAuthorizer); - int status = driver.compile("create table default.t1 (name string)"); - assertEquals(0, status); - - Pair, List> io = getHivePrivilegeObjectInputs(); List inputs = io.getLeft(); assertEquals(1, inputs.size()); HivePrivilegeObject dbObj = inputs.get(0); -- 2.20.1 From 9bd90d5222493816a624ee5a4e60559bc90ea8d1 Mon Sep 17 00:00:00 2001 From: Sam An Date: Mon, 10 Jun 2019 13:38:57 -0700 Subject: [PATCH] address Daniel's comments --- .../plugin/HivePrivilegeObject.java | 22 +++++++++++-- ...stHivePrivilegeObjectOwnerNameAndType.java | 33 ++++++++++--------- 2 files changed, 37 insertions(+), 18 deletions(-) diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java index c29ef77d7f..5e82c5ba3a 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java 
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java @@ -66,6 +66,16 @@ public int compareTo(HivePrivilegeObject o) { (o.className != null ? className.compareTo(o.className) : 1) : (o.className != null ? -1 : 0); } + if (compare == 0) { + compare = ownerName != null? + (o.ownerName != null ? ownerName.compareTo(o.ownerName) : 1) : + (o.ownerName != null ? -1 : 0); + } + if (compare == 0) { + compare = ownerType != null? + (o.ownerType != null ? ownerType.compareTo(o.ownerType) : 1) : + (o.ownerType != null ? -1 : 0); + } return compare; } @@ -281,8 +291,16 @@ public String toString() { default: } } - - return "Object [type=" + type + ", name=" + name + actionTypeStr + "]"; + StringBuilder sb = new StringBuilder(); + sb.append("Object [type=" + type + ", name=" + name + actionTypeStr + ","); + if (ownerName != null){ + sb.append(" ownername=" + ownerName + ","); + } + if (ownerType != null){ + sb.append(" ownertype=" + ownerType); + } + sb.append("]"); + return sb.toString(); } /** diff --git a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHivePrivilegeObjectOwnerNameAndType.java b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHivePrivilegeObjectOwnerNameAndType.java index 99ea97ec0f..9b50a0d92a 100644 --- a/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHivePrivilegeObjectOwnerNameAndType.java +++ b/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHivePrivilegeObjectOwnerNameAndType.java @@ -27,7 +27,6 @@ import org.apache.hadoop.hive.ql.processors.CommandProcessorResponse; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; import org.apache.hadoop.hive.ql.session.SessionState; -import org.apache.hadoop.hive.ql.stats.StatsUtils; import org.apache.hadoop.security.UserGroupInformation; import org.junit.AfterClass; import org.junit.Assert; 
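Review bot: The two blocks added at the end of compareTo repeat the nested null-ordering ternary already used for className, which is hard to read and easy to get subtly wrong when the next field is added. With java.util.Comparator imported, each block reduces to one line with the same null-first ordering, e.g. `compare = Comparator.nullsFirst(Comparator.<String>naturalOrder()).compare(ownerName, o.ownerName);`. compareTo starts outside this hunk, and the hunk does not show whether the class defines equals/hashCode; if it does, they should take ownerName and ownerType into account as well so that ordering and equality stay consistent.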
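Review bot: The rewritten tail of toString always appends a comma after the action type, so an object without owner information now prints `...name=x,]` and one with only an owner name prints `... ownername=x,]`. That changes the string for every existing object, and anything that compares or parses it (callers are not visible in this hunk; toString starts outside it) sees the new format. Put the separator in front of each optional field instead: `sb.append("Object [type=").append(type).append(", name=").append(name).append(actionTypeStr);`, then `if (ownerName != null) { sb.append(", ownername=").append(ownerName); }` and `if (ownerType != null) { sb.append(", ownertype=").append(ownerType); }`. This also avoids building temporary strings with `+` inside `append`.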
@@ -35,8 +34,6 @@ import org.junit.Test; import org.mockito.ArgumentCaptor; import org.mockito.Mockito; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import java.util.List; @@ -46,13 +43,12 @@ import static org.mockito.Mockito.verify; /** - * Test HiveAuthorizer api invocation + * Test HiveAuthorizer api invocation. */ public class TestHivePrivilegeObjectOwnerNameAndType { - private final Logger LOG = LoggerFactory.getLogger(this.getClass().getName()); protected static HiveConf conf; protected static Driver driver; - private static final String tableName = TestHivePrivilegeObjectOwnerNameAndType.class.getSimpleName() + "Table"; + private static final String TABLE_NAME = TestHivePrivilegeObjectOwnerNameAndType.class.getSimpleName() + "Table"; static HiveAuthorizer mockedAuthorizer; /** @@ -60,7 +56,8 @@ * capture the argument passed to it in the test case. */ static class MockedHiveAuthorizerFactory implements HiveAuthorizerFactory { - @Override public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, + @Override + public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) { TestHivePrivilegeObjectOwnerNameAndType.mockedAuthorizer = Mockito.mock(HiveAuthorizer.class); return TestHivePrivilegeObjectOwnerNameAndType.mockedAuthorizer; @@ -68,7 +65,8 @@ } - @BeforeClass public static void beforeTest() throws Exception { + @BeforeClass + public static void beforeTest() throws Exception { UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser("hive")); conf = new HiveConf(); 
@@ -83,7 +81,7 @@ SessionState.start(conf); driver = new Driver(conf); - runCmd("create table " + tableName + " (i int, j int, k string) partitioned by (city string, `date` string) "); + runCmd("create table " + TABLE_NAME + " (i int, j int, k string) partitioned by (city string, `date` string) "); } private static void runCmd(String cmd) throws Exception { @@ -91,13 +89,15 @@ private static void runCmd(String cmd) throws Exception { assertEquals(0, resp.getResponseCode()); } - @AfterClass public static void afterTests() throws Exception { + @AfterClass + public static void afterTests() throws Exception { // Drop the tables when we're done. This makes the test work inside an IDE - runCmd("drop table if exists " + tableName); + runCmd("drop table if exists " + TABLE_NAME); driver.close(); } - @Test public void testOwnerNames() throws Exception { + @Test + public void testOwnerNames() throws Exception { reset(mockedAuthorizer); driver.compile("create table default.t1 (name string)"); @@ -126,7 +126,8 @@ private static void runCmd(String cmd) throws Exception { } } - @Test public void testOwnerType() throws Exception { + @Test + public void testOwnerType() throws Exception { reset(mockedAuthorizer); driver.compile("create table default.t1 (name string)"); 
@@ -155,9 +156,9 @@ private static void runCmd(String cmd) throws Exception { throws HiveAuthzPluginException, HiveAccessControlException { // Create argument capturer // a class variable cast to this generic of generic class - Class> class_listPrivObjects = (Class) List.class; - ArgumentCaptor> inputsCapturer = ArgumentCaptor.forClass(class_listPrivObjects); - ArgumentCaptor> outputsCapturer = ArgumentCaptor.forClass(class_listPrivObjects); + Class> classListPrivObjects = (Class) List.class; + ArgumentCaptor> inputsCapturer = ArgumentCaptor.forClass(classListPrivObjects); + ArgumentCaptor> outputsCapturer = ArgumentCaptor.forClass(classListPrivObjects); verify(mockedAuthorizer) .checkPrivileges(any(HiveOperationType.class), inputsCapturer.capture(), outputsCapturer.capture(), -- 2.20.1