Author: hashutosh
Date: Fri Feb 21 00:46:53 2014
New Revision: 1570405
URL: http://svn.apache.org/r1570405
Log:
HIVE-6433 : SQL std auth - allow grant/revoke roles if user has ADMIN OPTION
(Ashutosh Chauhan via Thejas Nair)
Added:
hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q
hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant.q.out
hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out
Modified:
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
hive/trunk/ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out
Modified:
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java?rev=1570405&r1=1570404&r2=1570405&view=diff
==============================================================================
---
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
(original)
+++
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
Fri Feb 21 00:46:53 2014
@@ -62,6 +62,8 @@ public class SQLStdHiveAccessController
private HiveRole adminRole;
private final String ADMIN_ONLY_MSG = "User has to belong to ADMIN role and "
+ "have it as current role, for this action.";
+ private final String HAS_ADMIN_PRIV_MSG = "grantor need to have ADMIN
privileges on role being"
+ + " granted and have it as a current role for this action.";
SQLStdHiveAccessController(HiveMetastoreClientFactory
metastoreClientFactory, HiveConf conf,
HiveAuthenticationProvider authenticator) throws
HiveAuthzPluginException {
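Review bot: HAS_ADMIN_PRIV_MSG at the top of the hunk is declared as an instance field (`private final String`) although it is a compile-time constant; `private static final String HAS_ADMIN_PRIV_MSG = ...` matches the UPPER_SNAKE_CASE naming and avoids one copy per controller instance (ADMIN_ONLY_MSG above it has the same shape, so this is pre-existing style rather than new). The wording "grantor need to have ADMIN privileges" reads as "grantor needs to have"; note that the exact text is pinned by authorization_role_grant.q.out in this commit, so the expected output has to change together with it.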
@@ -275,9 +277,9 @@ public class SQLStdHiveAccessController
public void grantRole(List<HivePrincipal> hivePrincipals, List<String>
roleNames,
boolean grantOption, HivePrincipal grantorPrinc) throws
HiveAuthzPluginException,
HiveAccessControlException {
- if (!isUserAdmin()) {
+ if (!(isUserAdmin() || doesUserHasAdminOption(roleNames))) {
throw new HiveAccessControlException("Current user : " +
currentUserName+ " is not"
- + " allowed to grant role. Currently " + ADMIN_ONLY_MSG);
+ + " allowed to grant role. " + ADMIN_ONLY_MSG + " Otherwise, " +
HAS_ADMIN_PRIV_MSG);
}
for (HivePrincipal hivePrincipal : hivePrincipals) {
for (String roleName : roleNames) {
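Review bot: The new guard `if (!(isUserAdmin() || doesUserHasAdminOption(roleNames)))` reads more directly in De Morgan form, `if (!isUserAdmin() && !doesUserHasAdminOption(roleNames))`, which also makes the short-circuit visible: doesUserHasAdminOption (and whatever getCurrentRoles costs) only runs for non-admin callers. The identical guard and message appear in revokeRole in the next hunk. A one-line comment above the check, `// ADMIN role, or ADMIN OPTION on every role being granted, is sufficient`, would state the authorization rule the two branches of the error message describe. grantRole's body continues outside the hunk.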
@@ -307,9 +309,9 @@ public class SQLStdHiveAccessController
throw new HiveAuthzPluginException("Revoking only the admin privileges
on "
+ "role is not currently supported");
}
- if (!isUserAdmin()) {
+ if (!(isUserAdmin() || doesUserHasAdminOption(roleNames))) {
throw new HiveAccessControlException("Current user : " +
currentUserName+ " is not"
- + " allowed to revoke role. " + ADMIN_ONLY_MSG);
+ + " allowed to revoke role. " + ADMIN_ONLY_MSG + " Otherwise, " +
HAS_ADMIN_PRIV_MSG);
}
for (HivePrincipal hivePrincipal : hivePrincipals) {
for (String roleName : roleNames) {
@@ -404,6 +406,7 @@ public class SQLStdHiveAccessController
public void setCurrentRole(String roleName) throws
HiveAccessControlException,
HiveAuthzPluginException {
+ initUserRoles();
if ("NONE".equalsIgnoreCase(roleName)) {
// for set role NONE, reset roles to default roles.
currentRoles.clear();
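Review bot: The added `initUserRoles();` call carries no comment saying why role state is re-initialised on every `set role`; from this diff it looks like a refresh so that a role granted earlier in the same session is honoured, which is consistent with the authorization_set_role_neg2.q.out change below, where `set role rset_role_neg` now succeeds instead of failing. If that is the intent, a comment such as `// reload the user's role membership so grants made earlier in this session are visible` (adjusted to what initUserRoles actually does, which is not shown here) belongs above the call. setCurrentRole continues outside the hunk.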
@@ -453,4 +456,30 @@ public class SQLStdHiveAccessController
}
return false;
}
+
+ private boolean doesUserHasAdminOption(List<String> roleNames) throws
HiveAuthzPluginException {
+ List<HiveRole> currentRoles;
+ try {
+ currentRoles = getCurrentRoles();
+ } catch (Exception e) {
+ throw new HiveAuthzPluginException(e);
+ }
+ for (String roleName : roleNames) {
+ boolean roleFound = false;
+ for (HiveRole currentRole : currentRoles) {
+ if (roleName.equalsIgnoreCase(currentRole.getRoleName())) {
+ roleFound = true;
+ if (!currentRole.isGrantOption()) {
+ return false;
+ } else {
+ break;
+ }
+ }
+ }
+ if (!roleFound) {
+ return false;
+ }
+ }
+ return true;
+ }
}
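Review bot: doesUserHasAdminOption returns true for an empty roleNames list because the outer loop never executes, so a non-admin caller of grantRole or revokeRole with no roles passes the authorization check; the loops that follow do nothing, so nothing is granted, but an authorization predicate should fail closed: `if (roleNames == null || roleNames.isEmpty()) { return false; }` as the first statement. The `catch (Exception e)` around getCurrentRoles is broader than needed; catching the checked type(s) getCurrentRoles declares keeps programming errors visible while still preserving the cause as the code already does. `roleName.equalsIgnoreCase(...)` throws NullPointerException on a null list element, and the method name reads better as doesUserHaveAdminOption. A Javadoc summary stating the contract, "true iff every role in roleNames is among the current roles with grant option", would make the vacuous case explicit either way.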
Added: hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant.q
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant.q?rev=1570405&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant.q
(added)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant.q
Fri Feb 21 00:46:53 2014
@@ -0,0 +1,22 @@
+set hive.users.in.admin.role=hive_admin_user;
+set
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set
hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+
+set role ADMIN;
+
+----------------------------------------
+-- role granting with admin option
+-- since user2 doesn't have admin option for role_noadmin, last grant should
fail
+----------------------------------------
+
+create role role_noadmin;
+create role src_role_wadmin;
+grant src_role_wadmin to user user2 with admin option;
+grant role_noadmin to user user2;
+show role grant user user2;
+
+
+set user.name=user2;
+set role role_noadmin;
+grant src_role_wadmin to user user3;
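Review bot: The negative test exercises only the grant path, while the same ADMIN OPTION check was added to revokeRole in this commit and has no negative coverage. Since a clientnegative test stops at its first failure, the revoke case likely needs its own .q file with the same setup ending in `set role role_noadmin;` followed by `revoke src_role_wadmin from user user3;`, with an expected .q.out showing the "not allowed to revoke role" message.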
Added: hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q?rev=1570405&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q
(added)
+++ hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q
Fri Feb 21 00:46:53 2014
@@ -0,0 +1,21 @@
+set hive.users.in.admin.role=hive_admin_user;
+set
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set
hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+
+set role ADMIN;
+
+----------------------------------------
+-- role granting with admin option
+----------------------------------------
+
+create role src_role_wadmin;
+grant src_role_wadmin to user user2 with admin option;
+show role grant user user2;
+
+set user.name=user2;
+set role src_role_wadmin;
+grant src_role_wadmin to user user3;
+show role grant user user3;
+revoke src_role_wadmin from user user3;
+show role grant user user3;
Added:
hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant.q.out
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant.q.out?rev=1570405&view=auto
==============================================================================
---
hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant.q.out
(added)
+++
hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant.q.out
Fri Feb 21 00:46:53 2014
@@ -0,0 +1,44 @@
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: ----------------------------------------
+-- role granting with admin option
+-- since user2 doesn't have admin option for role_noadmin, last grant should
fail
+----------------------------------------
+
+create role role_noadmin
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: ----------------------------------------
+-- role granting with admin option
+-- since user2 doesn't have admin option for role_noadmin, last grant should
fail
+----------------------------------------
+
+create role role_noadmin
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: create role src_role_wadmin
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: create role src_role_wadmin
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: grant src_role_wadmin to user user2 with admin option
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant src_role_wadmin to user user2 with admin option
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: grant role_noadmin to user user2
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant role_noadmin to user user2
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: show role grant user user2
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user user2
+POSTHOOK: type: SHOW_ROLE_GRANT
+PUBLIC -1 false -1
+role_noadmin -1 user2 USER false -1 hive_admin_user
+src_role_wadmin -1 user2 USER true -1 hive_admin_user
+PREHOOK: query: set role role_noadmin
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role role_noadmin
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: grant src_role_wadmin to user user3
+PREHOOK: type: GRANT_ROLE
+FAILED: Execution Error, return code 1 from
org.apache.hadoop.hive.ql.exec.DDLTask.
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException:
Current user : user2 is not allowed to grant role. User has to belong to ADMIN
role and have it as current role, for this action. Otherwise, grantor need to
have ADMIN privileges on role being granted and have it as a current role for
this action.
Modified:
hive/trunk/ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out?rev=1570405&r1=1570404&r2=1570405&view=diff
==============================================================================
---
hive/trunk/ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out
(original)
+++
hive/trunk/ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out
Fri Feb 21 00:46:53 2014
@@ -16,4 +16,12 @@ POSTHOOK: query: grant role rset_role_ne
POSTHOOK: type: GRANT_ROLE
PREHOOK: query: set role rset_role_neg
PREHOOK: type: SHOW_ROLES
-FAILED: Execution Error, return code 1 from
org.apache.hadoop.hive.ql.exec.DDLTask. hive_admin_user doesn't belong to role
rset_role_neg
+POSTHOOK: query: set role rset_role_neg
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: set role public
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role public
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: set role nosuchroleexists
+PREHOOK: type: SHOW_ROLES
+FAILED: Execution Error, return code 1 from
org.apache.hadoop.hive.ql.exec.DDLTask. user2 doesn't belong to role
nosuchroleexists
Added:
hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out?rev=1570405&view=auto
==============================================================================
---
hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out
(added)
+++
hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out
Fri Feb 21 00:46:53 2014
@@ -0,0 +1,49 @@
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: ----------------------------------------
+-- role granting with admin option
+----------------------------------------
+
+create role src_role_wadmin
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: ----------------------------------------
+-- role granting with admin option
+----------------------------------------
+
+create role src_role_wadmin
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: grant src_role_wadmin to user user2 with admin option
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant src_role_wadmin to user user2 with admin option
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: show role grant user user2
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user user2
+POSTHOOK: type: SHOW_ROLE_GRANT
+PUBLIC -1 false -1
+src_role_wadmin -1 user2 USER true -1 hive_admin_user
+PREHOOK: query: set role src_role_wadmin
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role src_role_wadmin
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: grant src_role_wadmin to user user3
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant src_role_wadmin to user user3
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: show role grant user user3
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user user3
+POSTHOOK: type: SHOW_ROLE_GRANT
+PUBLIC -1 false -1
+src_role_wadmin -1 user3 USER false -1 user2
+PREHOOK: query: revoke src_role_wadmin from user user3
+PREHOOK: type: REVOKE_ROLE
+POSTHOOK: query: revoke src_role_wadmin from user user3
+POSTHOOK: type: REVOKE_ROLE
+PREHOOK: query: show role grant user user3
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user user3
+POSTHOOK: type: SHOW_ROLE_GRANT
+PUBLIC -1 false -1