Author: hashutosh
Date: Fri Feb 14 22:06:09 2014
New Revision: 1568535
URL: http://svn.apache.org/r1568535
Log:
HIVE-6415 : Disallow transform clause in sql std authorization mode (Ashutosh
Chauhan via Thejas Nair)
Added:
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/DisallowTransformHook.java
hive/trunk/ql/src/test/queries/clientnegative/authorization_disallow_transform.q
hive/trunk/ql/src/test/results/clientnegative/authorization_disallow_transform.q.out
Modified:
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
Added:
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/DisallowTransformHook.java
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/DisallowTransformHook.java?rev=1568535&view=auto
==============================================================================
---
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/DisallowTransformHook.java
(added)
+++
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/DisallowTransformHook.java
Fri Feb 14 22:06:09 2014
@@ -0,0 +1,38 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import org.apache.hadoop.hive.ql.hooks.ExecuteWithHookContext;
+import org.apache.hadoop.hive.ql.hooks.HookContext;
+import org.apache.hadoop.hive.ql.QueryProperties;
+
+public class DisallowTransformHook implements ExecuteWithHookContext {
+
+ @Override
+ public void run(HookContext hookContext) throws Exception {
+ QueryProperties qProps = hookContext.getQueryPlan().getQueryProperties();
+ if (null == qProps) {
+ return; // its a ddl query.
+ }
+ if (qProps.usesScript()) {
+ throw new HiveAccessControlException("Query with transform clause is
disallowed in"
+ + " current configuration.");
+ }
+ }
+}
Modified:
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java?rev=1568535&r1=1568534&r2=1568535&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
(original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
Fri Feb 14 22:06:09 2014
@@ -56,6 +56,7 @@ import org.apache.hadoop.hive.ql.plan.Hi
import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator;
import
org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider;
+import
org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
import
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
import
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactoryImpl;
@@ -370,6 +371,14 @@ public class SessionState {
getConf(), authenticator);
// grant all privileges for table to its owner
getConf().setVar(ConfVars.HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS,
"insert,select,update,delete");
+ String hooks = getConf().getVar(ConfVars.PREEXECHOOKS).trim();
+ if (hooks.isEmpty()) {
+ hooks = DisallowTransformHook.class.getName();
+ } else {
+ hooks = hooks + "," +DisallowTransformHook.class.getName();
+ }
+ LOG.debug("Configuring hooks : " + hooks);
+ getConf().setVar(ConfVars.PREEXECHOOKS, hooks);
}
createTableGrants = CreateTableAutomaticGrant.create(getConf());
Added:
hive/trunk/ql/src/test/queries/clientnegative/authorization_disallow_transform.q
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_disallow_transform.q?rev=1568535&view=auto
==============================================================================
---
hive/trunk/ql/src/test/queries/clientnegative/authorization_disallow_transform.q
(added)
+++
hive/trunk/ql/src/test/queries/clientnegative/authorization_disallow_transform.q
Fri Feb 14 22:06:09 2014
@@ -0,0 +1,3 @@
+set
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set role NONE;
+SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM src;
Added:
hive/trunk/ql/src/test/results/clientnegative/authorization_disallow_transform.q.out
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_disallow_transform.q.out?rev=1568535&view=auto
==============================================================================
---
hive/trunk/ql/src/test/results/clientnegative/authorization_disallow_transform.q.out
(added)
+++
hive/trunk/ql/src/test/results/clientnegative/authorization_disallow_transform.q.out
Fri Feb 14 22:06:09 2014
@@ -0,0 +1,12 @@
+PREHOOK: query: set role NONE
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role NONE
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM src
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src
+#### A masked pattern was here ####
+FAILED: Hive Internal Error:
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException(Query
with transform clause is disallowed in current configuration.)
+org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException:
Query with transform clause is disallowed in current configuration.
+#### A masked pattern was here ####
+
