Author: hashutosh
Date: Wed Feb 12 17:41:32 2014
New Revision: 1567697

URL: http://svn.apache.org/r1567697
Log:
HIVE-6254 : sql standard auth - use admin option specified in grant/revoke role 
statement (Ashutosh Chauhan via Thejas Nair)

Modified:
    
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java
    
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
    
hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestHiveAuthorizationTaskFactory.java
    hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q
    hive/trunk/ql/src/test/results/clientnegative/authorization_fail_7.q.out
    hive/trunk/ql/src/test/results/clientpositive/authorization_1.q.out
    hive/trunk/ql/src/test/results/clientpositive/authorization_5.q.out
    
hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out
    hive/trunk/ql/src/test/results/clientpositive/authorization_view.q.out

Modified: 
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java
URL: 
http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java?rev=1567697&r1=1567696&r2=1567697&view=diff
==============================================================================
--- 
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java
 (original)
+++ 
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java
 Wed Feb 12 17:41:32 2014
@@ -236,9 +236,10 @@ public class HiveAuthorizationTaskFactor
     //check if admin option has been specified
     int rolesStartPos = 1;
     ASTNode wAdminOption = (ASTNode) ast.getChild(1);
+    boolean isAdmin = false;
     if(wAdminOption.getToken().getType() == 
HiveParser.TOK_GRANT_WITH_ADMIN_OPTION){
       rolesStartPos = 2; //start reading role names from next postion
-      //TODO: use the admin option
+      isAdmin = true;
     }
 
     List<String> roles = new ArrayList<String>();
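Review bot: The new `isAdmin = true;` is set whenever `TOK_GRANT_WITH_ADMIN_OPTION` is present, with no check of whether the statement is a GRANT or a REVOKE. The visible lines never define what the flag means on the revoke path. The same commit drops `with admin option` from the revoke in authorization_role_grant1.q, so that path appears to be left without test coverage. Since this flag decides who can administer a role, either reject the clause on revoke during analysis or document the intended semantics at the assignment, e.g. `isAdmin = true; // also reached for REVOKE ... WITH ADMIN OPTION; confirm the access controller's handling`. The enclosing method starts and ends outside this hunk, so any handling further down is not visible here.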
@@ -253,7 +254,7 @@ public class HiveAuthorizationTaskFactor
     }
 
     //until change is made to use the admin option. Default to false with V2 
authorization
-    boolean isAdmin = SessionState.get().isAuthorizationModeV2() ? false : 
true;
+
 
     GrantRevokeRoleDDL grantRevokeRoleDDL = new GrantRevokeRoleDDL(isGrant,
         roles, principalDesc, roleOwnerName, PrincipalType.USER, isAdmin);
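Review bot: The comment `//until change is made to use the admin option. Default to false with V2 authorization` is now stale. The assignment it described is removed and replaced by an empty added line, so the comment and that blank line should be deleted. If `SessionState` is no longer used elsewhere in the file, its import can go too. The removal also changes legacy (non-V2) behaviour: a role grant without WITH ADMIN OPTION used to pass `isAdmin = true` and now passes `false`, as the `true` → `false` rows in authorization_1.q.out and authorization_5.q.out show. That is the safer default, but it deserves a line in the commit description or release notes, because existing deployments may rely on grantees being able to re-grant roles.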

Modified: 
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
URL: 
http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java?rev=1567697&r1=1567696&r2=1567697&view=diff
==============================================================================
--- 
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
 (original)
+++ 
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
 Wed Feb 12 17:41:32 2014
@@ -57,7 +57,6 @@ import org.apache.hadoop.hive.ql.securit
 public class SQLStdHiveAccessController implements HiveAccessController {
 
   private final HiveMetastoreClientFactory metastoreClientFactory;
-  private final HiveConf conf;
   private final HiveAuthenticationProvider authenticator;
   private String currentUserName;
   private List<HiveRole> currentRoles;
@@ -66,7 +65,6 @@ public class SQLStdHiveAccessController 
   SQLStdHiveAccessController(HiveMetastoreClientFactory 
metastoreClientFactory, HiveConf conf,
       HiveAuthenticationProvider authenticator) throws 
HiveAuthzPluginException {
     this.metastoreClientFactory = metastoreClientFactory;
-    this.conf = conf;
     this.authenticator = authenticator;
     initUserRoles();
   }

Modified: 
hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestHiveAuthorizationTaskFactory.java
URL: 
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestHiveAuthorizationTaskFactory.java?rev=1567697&r1=1567696&r2=1567697&view=diff
==============================================================================
--- 
hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestHiveAuthorizationTaskFactory.java
 (original)
+++ 
hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestHiveAuthorizationTaskFactory.java
 Wed Feb 12 17:41:32 2014
@@ -222,7 +222,7 @@ public class TestHiveAuthorizationTaskFa
     GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL();
     Assert.assertNotNull("Grant should not be null", grantDesc);
     Assert.assertTrue("Expected grant ", grantDesc.getGrant());
-    Assert.assertTrue("Grant option is always true ", 
grantDesc.isGrantOption());
+    Assert.assertFalse("With admin option is not specified", 
grantDesc.isGrantOption());
     Assert.assertEquals(currentUser, grantDesc.getGrantor());
     Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType());
     for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) {
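Review bot: This hunk and the five that follow (at -242, -262, -282, -302 and -322) all flip to `assertFalse`, so the visible unit tests pin only the case where the admin option is absent. None of them shows a statement with WITH ADMIN OPTION asserting `grantDesc.isGrantOption()` is true, which is the behaviour this commit introduces. The test methods begin outside the hunks, so such a case may exist elsewhere in the file. If it does not, add one for grant and one for revoke so that a parser regression which silently drops or always sets the flag fails at unit level, not only in the .q golden files. The failure message would also read better as `"Admin option was not specified, expected false"`.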
@@ -242,7 +242,7 @@ public class TestHiveAuthorizationTaskFa
     GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL();
     Assert.assertNotNull("Grant should not be null", grantDesc);
     Assert.assertTrue("Expected grant ", grantDesc.getGrant());
-    Assert.assertTrue("Grant option is always true ", 
grantDesc.isGrantOption());
+    Assert.assertFalse("With admin option is not specified", 
grantDesc.isGrantOption());
     Assert.assertEquals(currentUser, grantDesc.getGrantor());
     Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType());
     for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) {
@@ -262,7 +262,7 @@ public class TestHiveAuthorizationTaskFa
     GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL();
     Assert.assertNotNull("Grant should not be null", grantDesc);
     Assert.assertTrue("Expected grant ", grantDesc.getGrant());
-    Assert.assertTrue("Grant option is always true ", 
grantDesc.isGrantOption());
+    Assert.assertFalse("With admin option is not specified", 
grantDesc.isGrantOption());
     Assert.assertEquals(currentUser, grantDesc.getGrantor());
     Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType());
     for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) {
@@ -282,7 +282,7 @@ public class TestHiveAuthorizationTaskFa
     GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL();
     Assert.assertNotNull("Grant should not be null", grantDesc);
     Assert.assertFalse("Did not expect grant ", grantDesc.getGrant());
-    Assert.assertTrue("Grant option is always true ", 
grantDesc.isGrantOption());
+    Assert.assertFalse("With admin option is not specified", 
grantDesc.isGrantOption());
     Assert.assertEquals(currentUser, grantDesc.getGrantor());
     Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType());
     for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) {
@@ -302,7 +302,7 @@ public class TestHiveAuthorizationTaskFa
     GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL();
     Assert.assertNotNull("Grant should not be null", grantDesc);
     Assert.assertFalse("Did not expect grant ", grantDesc.getGrant());
-    Assert.assertTrue("Grant option is always true ", 
grantDesc.isGrantOption());
+    Assert.assertFalse("With admin option is not specified", 
grantDesc.isGrantOption());
     Assert.assertEquals(currentUser, grantDesc.getGrantor());
     Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType());
     for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) {
@@ -322,7 +322,7 @@ public class TestHiveAuthorizationTaskFa
     GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL();
     Assert.assertNotNull("Grant should not be null", grantDesc);
     Assert.assertFalse("Did not expect grant ", grantDesc.getGrant());
-    Assert.assertTrue("Grant option is always true ", 
grantDesc.isGrantOption());
+    Assert.assertFalse("With admin option is not specified", 
grantDesc.isGrantOption());
     Assert.assertEquals(currentUser, grantDesc.getGrantor());
     Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType());
     for(String role : ListSizeMatcher.inList(grantDesc.getRoles()).ofSize(1)) {

Modified: 
hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q
URL: 
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q?rev=1567697&r1=1567696&r2=1567697&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q 
(original)
+++ hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q 
Wed Feb 12 17:41:32 2014
@@ -25,7 +25,7 @@ grant  src_role_wadmin to user user2 wit
 show role grant user user2;
 
 -- revoke role without role keyword
-revoke src_role_wadmin from user user2 with admin option;
+revoke src_role_wadmin from user user2;
 show role grant user user2;
 
 

Modified: 
hive/trunk/ql/src/test/results/clientnegative/authorization_fail_7.q.out
URL: 
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_fail_7.q.out?rev=1567697&r1=1567696&r2=1567697&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_fail_7.q.out 
(original)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_fail_7.q.out 
Wed Feb 12 17:41:32 2014
@@ -25,7 +25,7 @@ PREHOOK: query: show role grant user hiv
 PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: show role grant user hive_test_user
 POSTHOOK: type: SHOW_ROLE_GRANT
-hive_test_role_fail    -1      hive_test_user  USER    true    -1      
hive_test_user
+hive_test_role_fail    -1      hive_test_user  USER    false   -1      
hive_test_user
 PUBLIC -1                      false   -1      
 PREHOOK: query: show grant role hive_test_role_fail on table authorization_fail
 PREHOOK: type: SHOW_GRANT

Modified: hive/trunk/ql/src/test/results/clientpositive/authorization_1.q.out
URL: 
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_1.q.out?rev=1567697&r1=1567696&r2=1567697&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientpositive/authorization_1.q.out 
(original)
+++ hive/trunk/ql/src/test/results/clientpositive/authorization_1.q.out Wed Feb 
12 17:41:32 2014
@@ -267,7 +267,7 @@ PREHOOK: query: show role grant user hiv
 PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: show role grant user hive_test_user
 POSTHOOK: type: SHOW_ROLE_GRANT
-src_role       -1      hive_test_user  USER    true    -1      hive_test_user
+src_role       -1      hive_test_user  USER    false   -1      hive_test_user
 PUBLIC -1                      false   -1      
 PREHOOK: query: --column grant to role
 

Modified: hive/trunk/ql/src/test/results/clientpositive/authorization_5.q.out
URL: 
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_5.q.out?rev=1567697&r1=1567696&r2=1567697&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientpositive/authorization_5.q.out 
(original)
+++ hive/trunk/ql/src/test/results/clientpositive/authorization_5.q.out Wed Feb 
12 17:41:32 2014
@@ -38,7 +38,7 @@ PREHOOK: query: SHOW ROLE GRANT USER hiv
 PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: SHOW ROLE GRANT USER hive_test_user
 POSTHOOK: type: SHOW_ROLE_GRANT
-db_test_role   -1      hive_test_user  USER    true    -1      hive_test_user
+db_test_role   -1      hive_test_user  USER    false   -1      hive_test_user
 PUBLIC -1                      false   -1      
 PREHOOK: query: GRANT drop ON DATABASE test_db TO ROLE db_test_role
 PREHOOK: type: GRANT_PRIVILEGE

Modified: 
hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out
URL: 
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out?rev=1567697&r1=1567696&r2=1567697&view=diff
==============================================================================
--- 
hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out 
(original)
+++ 
hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out 
Wed Feb 12 17:41:32 2014
@@ -67,13 +67,13 @@ PREHOOK: query: show role grant user use
 PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: show role grant user user2
 POSTHOOK: type: SHOW_ROLE_GRANT
-src_role_wadmin        -1      user2   USER    false   -1      hive_admin_user
+src_role_wadmin        -1      user2   USER    true    -1      hive_admin_user
 PUBLIC -1                      false   -1      
 PREHOOK: query: -- revoke role without role keyword
-revoke src_role_wadmin from user user2 with admin option
+revoke src_role_wadmin from user user2
 PREHOOK: type: REVOKE_ROLE
 POSTHOOK: query: -- revoke role without role keyword
-revoke src_role_wadmin from user user2 with admin option
+revoke src_role_wadmin from user user2
 POSTHOOK: type: REVOKE_ROLE
 PREHOOK: query: show role grant user user2
 PREHOOK: type: SHOW_ROLE_GRANT

Modified: hive/trunk/ql/src/test/results/clientpositive/authorization_view.q.out
URL: 
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_view.q.out?rev=1567697&r1=1567696&r2=1567697&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientpositive/authorization_view.q.out 
(original)
+++ hive/trunk/ql/src/test/results/clientpositive/authorization_view.q.out Wed 
Feb 12 17:41:32 2014
@@ -155,7 +155,7 @@ PREHOOK: query: show role grant user hiv
 PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: show role grant user hive_test_user
 POSTHOOK: type: SHOW_ROLE_GRANT
-src_role       -1      hive_test_user  USER    true    -1      hive_test_user
+src_role       -1      hive_test_user  USER    false   -1      hive_test_user
 PUBLIC -1                      false   -1      
 PREHOOK: query: --column grant to role
 

