Author: thejas
Date: Sat Feb 1 18:59:22 2014
New Revision: 1563453
URL: http://svn.apache.org/r1563453
Log:
HIVE-6258 : sql std auth - disallow cycles between roles (Thejas Nair, reviewed
by Ashutosh Chauhan)
Added:
hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles1.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles2.q
hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
Modified:
hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
Modified:
hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
URL:
http://svn.apache.org/viewvc/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java?rev=1563453&r1=1563452&r2=1563453&view=diff
==============================================================================
---
hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
(original)
+++
hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
Sat Feb 1 18:59:22 2014
@@ -2444,7 +2444,7 @@ public class HiveMetaStore extends Thrif
for (Partition tmpPart : new_parts) {
Partition oldTmpPart = null;
if (olditr.hasNext()) {
- oldTmpPart = (Partition) olditr.next();
+ oldTmpPart = olditr.next();
}
else {
throw new InvalidOperationException("failed to alterpartitions");
@@ -3670,7 +3670,7 @@ public class HiveMetaStore extends Thrif
@Override
public boolean grant_role(final String roleName,
- final String userName, final PrincipalType principalType,
+ final String principalName, final PrincipalType principalType,
final String grantor, final PrincipalType grantorType, final boolean
grantOption)
throws MetaException, TException {
incrementCounter("add_role_member");
@@ -3679,7 +3679,15 @@ public class HiveMetaStore extends Thrif
try {
RawStore ms = getMS();
Role role = ms.getRole(roleName);
- ret = ms.grantRole(role, userName, principalType, grantor,
grantorType, grantOption);
+ if(principalType == PrincipalType.ROLE){
+ //check if this grant statement will end up creating a cycle
+ if(isNewRoleAParent(principalName, roleName)){
+ throw new MetaException("Cannot grant role " + principalName + "
to " + roleName +
+ " as " + roleName + " already belongs to the role " +
principalName +
+ ". (no cycles allowed)");
+ }
+ }
+ ret = ms.grantRole(role, principalName, principalType, grantor,
grantorType, grantOption);
} catch (MetaException e) {
throw e;
} catch (Exception e) {
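Review bot: The cycle check at L51–L60 and the `ms.grantRole(...)` call at L61 run as two separate store operations, so two concurrent grant_role calls (role1 to role2 and role2 to role1) can each pass `isNewRoleAParent` against the pre-grant state and both succeed, leaving exactly the cycle this commit is meant to forbid. Unless `getMS()` already serializes role grants in one transaction, which is not visible here, the check should run inside the same transaction as the grant or the hierarchy should be re-validated after the grant. A comment on the check, `// NOTE: check and grant are not atomic; concurrent grants can still form a cycle unless the store serializes them`, would at least make the assumption explicit. The enclosing grant_role method starts before this hunk and its catch clauses continue past it.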
@@ -3688,6 +3696,29 @@ public class HiveMetaStore extends Thrif
return ret;
}
+
+
+ /**
+ * Check if newRole is in parent hierarchy of curRole
+ * @param newRole
+ * @param curRole
+ * @return true if newRole is curRole or present in its hierarchy
+ * @throws MetaException
+ */
+ private boolean isNewRoleAParent(String newRole, String curRole) throws
MetaException {
+ if(newRole.equals(curRole)){
+ return true;
+ }
+ //do this check recursively on all the parent roles of curRole
+ List<MRoleMap> parentRoleMaps = getMS().listRoles(curRole,
PrincipalType.ROLE);
+ for(MRoleMap parentRole : parentRoleMaps){
+ if(isNewRoleAParent(newRole, parentRole.getRole().getRoleName())){
+ return true;
+ }
+ }
+ return false;
+ }
+
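Review bot: `isNewRoleAParent` at L78–L92 recurses over parent roles with no visited set, so if the store already holds a cycle (data written before this revision, or one produced by two concurrent grants) the recursion never terminates and the server fails with a StackOverflowError rather than a MetaException; in a diamond-shaped hierarchy it also re-walks shared ancestors. An iterative walk over a `Deque` with a `Set` of visited role names terminates on any graph and visits each role once; `java.util.ArrayDeque`, `Deque`, `HashSet` and `Set` need importing if HiveMetaStore does not already do so. The Javadoc `@param` tags at L73–L74 are empty and should say that `newRole` is the role being granted and `curRole` the role receiving it.
```java
  private boolean isNewRoleAParent(String newRole, String curRole) throws MetaException {
    // Iterative walk with a visited set: a hierarchy that already contains a
    // cycle must not recurse forever, and shared ancestors are checked once.
    Set<String> visited = new HashSet<String>();
    Deque<String> toVisit = new ArrayDeque<String>();
    toVisit.push(curRole);
    while (!toVisit.isEmpty()) {
      String role = toVisit.pop();
      if (newRole.equals(role)) {
        return true;
      }
      if (!visited.add(role)) {
        continue;
      }
      for (MRoleMap parentRole : getMS().listRoles(role, PrincipalType.ROLE)) {
        toVisit.push(parentRole.getRole().getRoleName());
      }
    }
    return false;
  }
```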
public List<Role> list_roles(final String principalName,
final PrincipalType principalType) throws MetaException, TException {
incrementCounter("list_roles");
Modified:
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java?rev=1563453&r1=1563452&r2=1563453&view=diff
==============================================================================
---
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
(original)
+++
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
Sat Feb 1 18:59:22 2014
@@ -30,6 +30,7 @@ import org.apache.hadoop.hive.metastore.
import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
import org.apache.hadoop.hive.metastore.api.HiveObjectType;
+import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.hive.metastore.api.PrivilegeBag;
import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
import org.apache.hadoop.hive.metastore.api.Role;
@@ -202,9 +203,11 @@ public class SQLStdHiveAccessController
AuthorizationUtils.getThriftPrincipalType(grantorPrinc.getType()),
grantOption
);
- } catch (Exception e) {
- String msg = "Error granting roles for " + hivePrincipal.getName() +
" to role " + roleName
- + hivePrincipal.getName();
+ } catch (MetaException e) {
+ throw new HiveAuthorizationPluginException(e.getMessage(), e);
+ } catch (Exception e) {
+ String msg = "Error granting roles for " + hivePrincipal.getName() +
" to role "
+ + roleName + ": " + e.getMessage();
throw new HiveAuthorizationPluginException(msg, e);
}
}
Added:
hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles1.q
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles1.q?rev=1563453&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles1.q
(added)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles1.q
Sat Feb 1 18:59:22 2014
@@ -0,0 +1,8 @@
+set
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+-- this is applicable to any security mode as check is in metastore
+create role role1;
+create role role2;
+grant role role1 to role role2;
+
+-- this will create a cycle
+grant role role2 to role role1;
\ No newline at end of file
Added:
hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles2.q
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles2.q?rev=1563453&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles2.q
(added)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles2.q
Sat Feb 1 18:59:22 2014
@@ -0,0 +1,19 @@
+set
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+-- this is applicable to any security mode as check is in metastore
+
+create role role1;
+
+create role role2;
+grant role role2 to role role1;
+
+create role role3;
+grant role role3 to role role2;
+
+create role role4;
+grant role role4 to role role3;
+
+create role role5;
+grant role role5 to role role4;
+
+-- this will create a cycle in middle of the hierarchy
+grant role role2 to role role4;
Added:
hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out?rev=1563453&view=auto
==============================================================================
---
hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
(added)
+++
hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
Sat Feb 1 18:59:22 2014
@@ -0,0 +1,18 @@
+PREHOOK: query: -- this is applicable to any security mode as check is in
metastore
+create role role1
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: -- this is applicable to any security mode as check is in
metastore
+create role role1
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: create role role2
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: create role role2
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: grant role role1 to role role2
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant role role1 to role role2
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: -- this will create a cycle
+grant role role2 to role role1
+PREHOOK: type: GRANT_ROLE
+FAILED: Execution Error, return code 1 from
org.apache.hadoop.hive.ql.exec.DDLTask.
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationPluginException:
Cannot grant role role1 to role2 as role2 already belongs to the role role1.
(no cycles allowed)
Added:
hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out?rev=1563453&view=auto
==============================================================================
---
hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
(added)
+++
hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
Sat Feb 1 18:59:22 2014
@@ -0,0 +1,44 @@
+PREHOOK: query: -- this is applicable to any security mode as check is in
metastore
+
+create role role1
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: -- this is applicable to any security mode as check is in
metastore
+
+create role role1
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: create role role2
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: create role role2
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: grant role role2 to role role1
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant role role2 to role role1
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: create role role3
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: create role role3
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: grant role role3 to role role2
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant role role3 to role role2
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: create role role4
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: create role role4
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: grant role role4 to role role3
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant role role4 to role role3
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: create role role5
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: create role role5
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: grant role role5 to role role4
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant role role5 to role role4
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: -- this will create a cycle in middle of the hierarchy
+grant role role2 to role role4
+PREHOOK: type: GRANT_ROLE
+FAILED: Execution Error, return code 1 from
org.apache.hadoop.hive.ql.exec.DDLTask.
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationPluginException:
Cannot grant role role4 to role2 as role2 already belongs to the role role4.
(no cycles allowed)