From 1457c62e5a0eaed269c6592f143286d87120a1ac Mon Sep 17 00:00:00 2001
From: heguozi
Date: Wed, 5 Feb 2020 12:14:56 +0800
Subject: [PATCH] HIVE-22830 Support ALL privilege in grant option and SQL authorization
---
 .../plugin/sqlstd/GrantPrivAuthUtils.java | 16 ++++++++++++++--
 .../plugin/sqlstd/SQLAuthorizationUtils.java | 14 ++++++++++++--
 2 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java
index f77f60427e..dc390a0a4a 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java
@@ -20,6 +20,7 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
+import java.util.Locale;
 import org.apache.hadoop.hive.metastore.IMetaStoreClient;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
@@ -35,6 +36,8 @@ */
 public class GrantPrivAuthUtils {
+ private static final String ALL = "ALL";
+
 static void authorize(List hivePrincipals, List hivePrivileges, HivePrivilegeObject hivePrivObject, boolean grantOption, IMetaStoreClient metastoreClient, String userName, List curRoles, boolean isAdmin)
@@ -75,8 +78,17 @@ private static void checkRequiredPrivileges(
 private static RequiredPrivileges getGrantRequiredPrivileges(List hivePrivileges) throws HiveAuthzPluginException {
 RequiredPrivileges reqPrivs = new RequiredPrivileges();
- for (HivePrivilege hivePriv : hivePrivileges) {
- reqPrivs.addPrivilege(hivePriv.getName(), true /* grant priv required */);
+ if (hivePrivileges != null) {
+ for (HivePrivilege hivePriv : hivePrivileges) {
+ if (hivePriv.getName().equals(ALL)) {
+ // expand to all supported privileges
+ for (SQLPrivilegeType privType : SQLPrivilegeType.values()) {
+ reqPrivs.addPrivilege(privType.name(), true);
+ }
+ } else {
+ reqPrivs.addPrivilege(hivePriv.getName(), true /* grant priv required */);
+ }
+ }
 }
 return reqPrivs;
 }
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
index e78753812b..b319a0138e 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
@@ -66,6 +66,7 @@ public class SQLAuthorizationUtils {
 private static final String[] SUPPORTED_PRIVS = { "INSERT", "UPDATE", "DELETE", "SELECT" };
+ private static final String ALL = "ALL";
 private static final Set SUPPORTED_PRIVS_SET = new HashSet( Arrays.asList(SUPPORTED_PRIVS));
 public static final Logger LOG = LoggerFactory.getLogger(SQLAuthorizationUtils.class);
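Review bot: In getGrantRequiredPrivileges, the new `if (hivePrivileges != null)` guard turns a null privilege list into an empty RequiredPrivileges, so the grant check that consumes it would have nothing to enforce; an authorization helper should reject that input instead, e.g. `if (hivePrivileges == null) { throw new HiveAuthzPluginException("No privileges specified for grant"); }`. Whether any caller can actually pass null is not visible in this hunk. The `ALL` test here is also case-sensitive (`hivePriv.getName().equals(ALL)`), while the addRequiredPrivs hunk in SQLAuthorizationUtils.java upper-cases with `Locale.US` before comparing, and the `java.util.Locale` import added to this file is not used by any line shown for it. `ALL.equalsIgnoreCase(hivePriv.getName())` would make the two paths agree and tolerate a null name, after which the unused import can be dropped.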
@@ -349,8 +350,17 @@ private static void addRequiredPrivs(RequiredPrivileges reqPrivs,
 }
 for (Map.Entry> userPriv : availPrivs.entrySet()) {
 List userPrivGInfos = userPriv.getValue();
- for (PrivilegeGrantInfo userPrivGInfo : userPrivGInfos) {
- reqPrivs.addPrivilege(userPrivGInfo.getPrivilege(), userPrivGInfo.isGrantOption());
+ if (userPrivGInfos != null) {
+ for (PrivilegeGrantInfo userPrivGInfo : userPrivGInfos) {
+ if (userPrivGInfo.getPrivilege().toUpperCase(Locale.US).equals(ALL)) {
+ // expand to all supported privileges
+ for (SQLPrivilegeType privType : SQLPrivilegeType.values()) {
+ reqPrivs.addPrivilege(privType.name(), true);
+ }
+ } else {
+ reqPrivs.addPrivilege(userPrivGInfo.getPrivilege(), userPrivGInfo.isGrantOption());
+ }
+ }
 }
 }
 }
--
2.17.2 (Apple Git-113)
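Review bot: The `ALL` branch in addRequiredPrivs records every expanded privilege with a hard-coded `true` as the grant-option flag, discarding the `userPrivGInfo.isGrantOption()` value that the else branch still honours, so a principal holding ALL without grant option would be recorded as able to grant each privilege. Carry the stored flag through instead: `reqPrivs.addPrivilege(privType.name(), userPrivGInfo.isGrantOption());`. `userPrivGInfo.getPrivilege()` is also dereferenced before any null check, so `ALL.equalsIgnoreCase(userPrivGInfo.getPrivilege())` would be the safer comparison. A test that grants ALL without grant option and then asserts a further GRANT by that principal is refused would pin this down; the body of addRequiredPrivs begins outside the hunk.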