Modified: hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java?rev=1576675&r1=1576674&r2=1576675&view=diff
==============================================================================
--- hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java (original)
+++ hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java Wed Mar 12 09:50:31 2014
@@ -3105,7 +3105,7 @@ public class ObjectStore implements RawS
     if (mRol != null) {
       // first remove all the membership, the membership that this role has
       // been granted
-      List<MRoleMap> roleMap = listRoleMembers(mRol);
+      List<MRoleMap> roleMap = listRoleMembers(mRol.getRoleName());
       if (roleMap.size() > 0) {
         pm.deletePersistentAll(roleMap);
       }
@@ -4053,8 +4053,8 @@ public class ObjectStore implements RawS
   }
   @SuppressWarnings("unchecked")
-  private List<MRoleMap> listRoleMembers(
-      MRole mRol) {
+  @Override
+  public List<MRoleMap> listRoleMembers(String roleName) {
     boolean success = false;
     List<MRoleMap> mRoleMemeberList = null;
     try {
@@ -4065,7 +4065,7 @@ public class ObjectStore implements RawS
       query.declareParameters("java.lang.String t1");
       query.setUnique(false);
       mRoleMemeberList = (List<MRoleMap>) query.execute(
-          mRol.getRoleName());
+          roleName);
       LOG.debug("Done executing query for listMSecurityUserRoleMember");
       pm.retrieveAll(mRoleMemeberList);
       success = commitTransaction();
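Review bot: `listRoleMembers(String roleName)` in the second hunk becomes a public `RawStore` entry point but keeps no Javadoc and performs no argument check, so a null `roleName` goes straight into `query.execute(roleName)`. The value is bound as a declared JDO parameter (`declareParameters("java.lang.String t1")`), so there is no query-injection path, but the method now hands role-membership enumeration to every RawStore caller and must be authorized above the metastore layer. I would add `/** Returns every principal grant on {@code roleName}; callers are responsible for authorizing the lookup. */` above the `@Override` and reject a null name early with `if (roleName == null) { throw new IllegalArgumentException("roleName is null"); }`. The method body continues past the third hunk (the rollback/finally handling is not visible here), so whether an unknown role yields an empty list or null should be stated once that part is confirmed.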
Modified: hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/RawStore.java
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/RawStore.java?rev=1576675&r1=1576674&r2=1576675&view=diff
==============================================================================
--- hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/RawStore.java (original)
+++ hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/RawStore.java Wed Mar 12 09:50:31 2014
@@ -24,7 +24,6 @@ import java.lang.annotation.RetentionPol
 import java.lang.annotation.Target;
 import java.util.List;
 import java.util.Map;
-import java.util.Set;
 import org.apache.hadoop.conf.Configurable;
 import org.apache.hadoop.hive.metastore.api.ColumnStatistics;
@@ -285,6 +284,15 @@ public interface RawStore extends Config
   public List<MRoleMap> listRoles(String principalName, PrincipalType principalType);
+
+  /**
+   * Get the role to principal grant mapping for given role
+   * @param roleName
+   * @return
+   */
+  public List<MRoleMap> listRoleMembers(String roleName);
+
   public abstract Partition getPartitionWithAuth(String dbName, String tblName, List<String> partVals, String user_name, List<String> group_names) throws MetaException, NoSuchObjectException, InvalidObjectException;
Modified: hive/trunk/metastore/src/test/org/apache/hadoop/hive/metastore/DummyRawStoreControlledCommit.java
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/test/org/apache/hadoop/hive/metastore/DummyRawStoreControlledCommit.java?rev=1576675&r1=1576674&r2=1576675&view=diff
==============================================================================
--- hive/trunk/metastore/src/test/org/apache/hadoop/hive/metastore/DummyRawStoreControlledCommit.java (original)
+++ hive/trunk/metastore/src/test/org/apache/hadoop/hive/metastore/DummyRawStoreControlledCommit.java Wed Mar 12 09:50:31 2014
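Review bot: The Javadoc on the new `listRoleMembers` declaration leaves `@param roleName` and `@return` empty, and this interface is the one place the contract for every RawStore implementation is defined. It should say whether the result may be null or is an empty list when the role has no members or does not exist: `ObjectStore`'s drop-role path in this commit calls `roleMap.size()` on the result without a null check, while the JDO test dummy added below returns null. Suggested text: `@param roleName name of the role whose grants are listed` and `@return the MRoleMap rows granting roleName to principals; never null, empty when there are none`, with implementations adjusted to honour it if they do not already.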
@@ -21,7 +21,6 @@ package org.apache.hadoop.hive.metastore
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
-import java.util.Set;
 import org.apache.hadoop.conf.Configurable;
 import org.apache.hadoop.conf.Configuration;
@@ -459,6 +458,11 @@ public class DummyRawStoreControlledComm
   }
   @Override
+  public List<MRoleMap> listRoleMembers(String roleName) {
+    return objectStore.listRoleMembers(roleName);
+  }
+
+  @Override
   public Partition getPartitionWithAuth(String dbName, String tblName, List<String> partVals, String userName, List<String> groupNames) throws MetaException, NoSuchObjectException, InvalidObjectException {
@@ -571,6 +575,7 @@ public class DummyRawStoreControlledComm
     return objectStore.deleteTableColumnStatistics(dbName, tableName, colName);
   }
+  @Override
   public boolean deletePartitionColumnStatistics(String dbName, String tableName, String partName, List<String> partVals, String colName) throws NoSuchObjectException, MetaException, InvalidObjectException,
@@ -586,6 +591,7 @@ public class DummyRawStoreControlledComm
     return objectStore.updateTableColumnStatistics(statsObj);
   }
+  @Override
   public boolean updatePartitionColumnStatistics(ColumnStatistics statsObj, List<String> partVals) throws NoSuchObjectException, MetaException, InvalidObjectException,
@@ -593,33 +599,41 @@ public class DummyRawStoreControlledComm
     return objectStore.updatePartitionColumnStatistics(statsObj, partVals);
   }
+  @Override
   public boolean addToken(String tokenIdentifier, String delegationToken) {
     return false;
   }
+  @Override
   public boolean removeToken(String tokenIdentifier) {
     return false;
   }
+  @Override
   public String getToken(String tokenIdentifier) {
     return "";
   }
+  @Override
   public List<String> getAllTokenIdentifiers() {
     return new ArrayList<String>();
   }
+  @Override
   public int addMasterKey(String key) throws MetaException {
     return -1;
   }
+  @Override
   public void updateMasterKey(Integer seqNo, String key) throws NoSuchObjectException, MetaException {}
+  @Override
   public boolean removeMasterKey(Integer keySeq) {
     return false;
   }
+  @Override
   public String[] getMasterKeys() {
     return new String[0];
   }
@@ -664,6 +678,7 @@ public class DummyRawStoreControlledComm
     objectStore.dropPartitions(dbName, tblName, partNames);
   }
+  @Override
   public void createFunction(Function func) throws InvalidObjectException, MetaException {
     objectStore.createFunction(func);
@@ -694,4 +709,5 @@ public class DummyRawStoreControlledComm
     return objectStore.getFunctions(dbName, pattern);
   }
+
 }
Modified: hive/trunk/metastore/src/test/org/apache/hadoop/hive/metastore/DummyRawStoreForJdoConnection.java
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/test/org/apache/hadoop/hive/metastore/DummyRawStoreForJdoConnection.java?rev=1576675&r1=1576674&r2=1576675&view=diff
==============================================================================
--- hive/trunk/metastore/src/test/org/apache/hadoop/hive/metastore/DummyRawStoreForJdoConnection.java (original)
+++ hive/trunk/metastore/src/test/org/apache/hadoop/hive/metastore/DummyRawStoreForJdoConnection.java Wed Mar 12 09:50:31 2014
@@ -20,7 +20,6 @@ package org.apache.hadoop.hive.metastore
 import java.util.List;
 import java.util.Map;
-import java.util.Set;
 import junit.framework.Assert;
@@ -488,6 +487,11 @@ public class DummyRawStoreForJdoConnecti
   }
   @Override
+  public List<MRoleMap> listRoleMembers(String roleName) {
+    return null;
+  }
+
+  @Override
   public Partition getPartitionWithAuth(String dbName, String tblName, List<String> partVals, String user_name, List<String> group_names) throws MetaException, NoSuchObjectException, InvalidObjectException {
@@ -637,6 +641,7 @@ public class DummyRawStoreForJdoConnecti
   }
+  @Override
   public boolean deletePartitionColumnStatistics(String dbName, String tableName, String partName, List<String> partVals, String colName) throws NoSuchObjectException, MetaException, InvalidObjectException,
@@ -651,6 +656,7 @@ public class DummyRawStoreForJdoConnecti
     return false;
   }
+  @Override
   public boolean updatePartitionColumnStatistics(ColumnStatistics statsObj,List<String> partVals) throws NoSuchObjectException, MetaException, InvalidObjectException {
     return false;
@@ -692,6 +698,7 @@ public class DummyRawStoreForJdoConnecti
   public void dropPartitions(String dbName, String tblName, List<String> partNames) { }
+  @Override
   public void createFunction(Function func) throws InvalidObjectException, MetaException { }
@@ -718,6 +725,8 @@ public class DummyRawStoreForJdoConnecti
       throws MetaException {
     return null;
   }
+
+
 }
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java?rev=1576675&r1=1576674&r2=1576675&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java Wed Mar 12 09:50:31 2014
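Review bot: The stub `listRoleMembers` in the first hunk returns null for a `List<MRoleMap>` return type, which forces every caller of this RawStore to null-check a value the real `ObjectStore` treats as a collection (`roleMap.size()` in this same commit). `return java.util.Collections.<MRoleMap>emptyList();` keeps the stub inert while honouring a non-null list contract. Several neighbouring stubs in this file already return null, so this follows the file's pattern rather than introducing it, but the new method is the cheapest place to stop it spreading.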
@@ -47,8 +47,11 @@ import org.apache.commons.lang.StringEsc
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.fs.*;
+import org.apache.hadoop.fs.FSDataOutputStream;
+import org.apache.hadoop.fs.FileStatus;
 import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.FsShell;
+import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hive.common.type.HiveDecimal;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
@@ -56,7 +59,26 @@ import org.apache.hadoop.hive.metastore.
 import org.apache.hadoop.hive.metastore.ProtectMode;
 import org.apache.hadoop.hive.metastore.TableType;
 import org.apache.hadoop.hive.metastore.Warehouse;
-import org.apache.hadoop.hive.metastore.api.*;
+import org.apache.hadoop.hive.metastore.api.AlreadyExistsException;
+import org.apache.hadoop.hive.metastore.api.Database;
+import org.apache.hadoop.hive.metastore.api.FieldSchema;
+import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
+import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
+import org.apache.hadoop.hive.metastore.api.HiveObjectType;
+import org.apache.hadoop.hive.metastore.api.Index;
+import org.apache.hadoop.hive.metastore.api.InvalidOperationException;
+import org.apache.hadoop.hive.metastore.api.MetaException;
+import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
+import org.apache.hadoop.hive.metastore.api.Order;
+import org.apache.hadoop.hive.metastore.api.PrincipalType;
+import org.apache.hadoop.hive.metastore.api.PrivilegeBag;
+import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
+import org.apache.hadoop.hive.metastore.api.Role;
+import org.apache.hadoop.hive.metastore.api.SerDeInfo;
+import org.apache.hadoop.hive.metastore.api.ShowLocksResponse;
+import org.apache.hadoop.hive.metastore.api.ShowLocksResponseElement;
+import org.apache.hadoop.hive.metastore.api.SkewedInfo;
+import org.apache.hadoop.hive.metastore.api.StorageDescriptor;
 import org.apache.hadoop.hive.ql.Context;
 import org.apache.hadoop.hive.ql.DriverContext;
 import org.apache.hadoop.hive.ql.ErrorMsg;
@@ -68,16 +90,31 @@ import org.apache.hadoop.hive.ql.io.rcfi
 import org.apache.hadoop.hive.ql.io.rcfile.merge.MergeWork;
 import org.apache.hadoop.hive.ql.io.rcfile.truncate.ColumnTruncateTask;
 import org.apache.hadoop.hive.ql.io.rcfile.truncate.ColumnTruncateWork;
-import org.apache.hadoop.hive.ql.lockmgr.*;
+import org.apache.hadoop.hive.ql.lockmgr.DbLockManager;
+import org.apache.hadoop.hive.ql.lockmgr.HiveLock;
+import org.apache.hadoop.hive.ql.lockmgr.HiveLockManager;
+import org.apache.hadoop.hive.ql.lockmgr.HiveLockMode;
+import org.apache.hadoop.hive.ql.lockmgr.HiveLockObject;
 import org.apache.hadoop.hive.ql.lockmgr.HiveLockObject.HiveLockObjectData;
-import org.apache.hadoop.hive.ql.metadata.*;
+import org.apache.hadoop.hive.ql.lockmgr.HiveTxnManager;
+import org.apache.hadoop.hive.ql.metadata.CheckResult;
+import org.apache.hadoop.hive.ql.metadata.Hive;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.metadata.HiveMetaStoreChecker;
+import org.apache.hadoop.hive.ql.metadata.HiveStorageHandler;
+import org.apache.hadoop.hive.ql.metadata.HiveUtils;
+import org.apache.hadoop.hive.ql.metadata.InvalidTableException;
 import org.apache.hadoop.hive.ql.metadata.Partition;
 import org.apache.hadoop.hive.ql.metadata.Table;
 import org.apache.hadoop.hive.ql.metadata.formatting.MetaDataFormatUtils;
 import org.apache.hadoop.hive.ql.metadata.formatting.MetaDataFormatter;
 import org.apache.hadoop.hive.ql.parse.AlterTablePartMergeFilesDesc;
 import org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer;
-import org.apache.hadoop.hive.ql.plan.*;
+import org.apache.hadoop.hive.ql.plan.AddPartitionDesc;
+import org.apache.hadoop.hive.ql.plan.AlterDatabaseDesc;
+import org.apache.hadoop.hive.ql.plan.AlterIndexDesc;
+import org.apache.hadoop.hive.ql.plan.AlterTableAlterPartDesc;
+import org.apache.hadoop.hive.ql.plan.AlterTableDesc;
 import org.apache.hadoop.hive.ql.plan.AlterTableDesc.AlterTableTypes;
 import org.apache.hadoop.hive.ql.plan.AlterTableExchangePartition;
 import org.apache.hadoop.hive.ql.plan.AlterTableSimpleDesc;
@@ -130,6 +167,7 @@ import org.apache.hadoop.hive.ql.securit
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRole;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
 import org.apache.hadoop.hive.ql.session.SessionState;
 import org.apache.hadoop.hive.serde.serdeConstants;
 import org.apache.hadoop.hive.serde2.Deserializer;
@@ -897,7 +935,11 @@ public class DDLTask extends Task<DDLWor
       }
       outStream.close();
       outStream = null;
-    } else {
+    } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLE_PRINCIPALS)) {
+      throw new HiveException("Show role principals is not currently supported in " + "authorization mode V1");
+    }
+    else {
       throw new HiveException("Unkown role operation " + operation.getOperationName());
     }
@@ -948,6 +990,11 @@ public class DDLTask extends Task<DDLWor
     case SET_ROLE:
       authorizer.setCurrentRole(roleDDLDesc.getName());
       break;
+    case SHOW_ROLE_PRINCIPALS:
+      testMode = conf.getBoolVar(HiveConf.ConfVars.HIVE_IN_TEST);
+      List<HiveRoleGrant> roleGrants = authorizer.getPrincipalsInRoleInfo(roleDDLDesc.getName());
+      writeToFile(writeHiveRoleGrantInfo(roleGrants, testMode), roleDDLDesc.getResFile());
+      break;
     default:
       throw new HiveException("Unkown role operation " + operation.getOperationName());
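Review bot: The `SHOW_ROLE_PRINCIPALS` case in the last hunk relies entirely on `authorizer.getPrincipalsInRoleInfo(roleDDLDesc.getName())` to decide whether the session user may enumerate a role's members; DDLTask itself performs no check, and the `HiveAccessController` implementation is not part of this diff, so it is worth confirming that it restricts the call (e.g. to the admin role) before this ships. The V1 branch in the preceding hunk correctly refuses the statement rather than listing membership without a privilege model. Style in that same hunk: `}` followed by `else {` on its own line breaks the `} else if` chain it extends; join them as `} else {`. Both enclosing methods start and end outside these hunks.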
@@ -956,6 +1003,26 @@ public class DDLTask extends Task<DDLWor
     return 0;
   }
+  private String writeHiveRoleGrantInfo(List<HiveRoleGrant> roleGrants, boolean testMode) {
+    if (roleGrants == null || roleGrants.isEmpty()) {
+      return "";
+    }
+    StringBuilder builder = new StringBuilder();
+    // sort the list to get sorted (deterministic) output (for ease of testing)
+    Collections.sort(roleGrants);
+    for (HiveRoleGrant roleGrant : roleGrants) {
+      // schema:
+      // principal_name,principal_type,grant_option,grantor,grantor_type,grant_time
+      appendNonNull(builder, roleGrant.getPrincipalName(), true);
+      appendNonNull(builder, roleGrant.getPrincipalType());
+      appendNonNull(builder, roleGrant.isGrantOption());
+      appendNonNull(builder, roleGrant.getGrantor());
+      appendNonNull(builder, roleGrant.getGrantorType());
+      appendNonNull(builder, testMode ? -1 : roleGrant.getGrantTime() * 1000L);
+    }
+    return builder.toString();
+  }
+
   /**
    * Write list of string entries into given file
    * @param entries
@@ -2652,7 +2719,7 @@ public class DDLTask extends Task<DDLWor
     } catch (Exception e) {
       throw new HiveException(e.toString());
     } finally {
-      IOUtils.closeStream((FSDataOutputStream) os);
+      IOUtils.closeStream(os);
     }
     return 0;
   }
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java?rev=1576675&r1=1576674&r2=1576675&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/DDLSemanticAnalyzer.java Wed Mar 12 09:50:31 2014
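Review bot: `Collections.sort(roleGrants)` in `writeHiveRoleGrantInfo` sorts the authorizer's list in place; if `getPrincipalsInRoleInfo` returns an unmodifiable or cached list this throws `UnsupportedOperationException` or silently reorders the plugin's own data. Sort a copy instead, `List<HiveRoleGrant> sorted = new ArrayList<HiveRoleGrant>(roleGrants); Collections.sort(sorted);`, and iterate `sorted` (ArrayList is presumably already imported in this file; verify). The method also has no Javadoc: a header saying it renders one row per grant in the `principal_name,principal_type,grant_option,grantor,grantor_type,grant_time` order of `RoleDDLDesc.getShowRolePrincipalsSchema()`, and that `testMode` replaces the timestamp with -1 for stable test output, would spare readers cross-referencing the schema string. The `* 1000L` assumes `getGrantTime()` is in seconds, which is not visible here and deserves a comment where it is confirmed.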
@@ -70,10 +70,9 @@ import org.apache.hadoop.hive.ql.index.H
 import org.apache.hadoop.hive.ql.io.IgnoreKeyTextOutputFormat;
 import org.apache.hadoop.hive.ql.io.RCFileInputFormat;
 import org.apache.hadoop.hive.ql.lib.Node;
-import org.apache.hadoop.hive.ql.lockmgr.HiveTxnManager;
-import org.apache.hadoop.hive.ql.lockmgr.LockException;
-import org.apache.hadoop.hive.ql.lockmgr.TxnManagerFactory;
-import org.apache.hadoop.hive.ql.metadata.*;
+import org.apache.hadoop.hive.ql.metadata.Hive;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.metadata.HiveUtils;
 import org.apache.hadoop.hive.ql.metadata.Partition;
 import org.apache.hadoop.hive.ql.metadata.Table;
 import org.apache.hadoop.hive.ql.parse.authorization.AuthorizationParseUtils;
@@ -442,6 +441,10 @@ public class DDLSemanticAnalyzer extends
       ctx.setResFile(ctx.getLocalTmpPath());
       analyzeShowRoleGrant(ast);
       break;
+    case HiveParser.TOK_SHOW_ROLE_PRINCIPALS:
+      ctx.setResFile(ctx.getLocalTmpPath());
+      analyzeShowRolePrincipals(ast);
+      break;
     case HiveParser.TOK_SHOW_ROLES:
       ctx.setResFile(ctx.getLocalTmpPath());
       analyzeShowRoles(ast);
@@ -553,7 +556,17 @@ public class DDLSemanticAnalyzer extends
         createShowRoleGrantTask(ast, ctx.getResFile(), getInputs(), getOutputs());
     if(task != null) {
       rootTasks.add(task);
-      setFetchTask(createFetchTask(RoleDDLDesc.getRoleDescSchema()));
+      setFetchTask(createFetchTask(RoleDDLDesc.getRoleShowGrantSchema()));
+    }
+  }
+
+  private void analyzeShowRolePrincipals(ASTNode ast) throws SemanticException {
+    Task<DDLWork> roleDDLTask = (Task<DDLWork>) hiveAuthorizationTaskFactory
+        .createShowRolePrincipalsTask(ast, ctx.getResFile(), getInputs(), getOutputs());
+
+    if (roleDDLTask != null) {
+      rootTasks.add(roleDDLTask);
+      setFetchTask(createFetchTask(RoleDDLDesc.getShowRolePrincipalsSchema()));
     }
   }
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveLexer.g
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveLexer.g?rev=1576675&r1=1576674&r2=1576675&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveLexer.g (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveLexer.g Wed Mar 12 09:50:31 2014
@@ -288,6 +288,8 @@ KW_INNER: 'INNER';
 KW_EXCHANGE: 'EXCHANGE';
 KW_ADMIN: 'ADMIN';
 KW_OWNER: 'OWNER';
+KW_PRINCIPALS: 'PRINCIPALS';
+
 // Operators
 // NOTE: if you add a new function/operator, add it to sysFuncNames so that describe function _FUNC_ will work.
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g?rev=1576675&r1=1576674&r2=1576675&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g Wed Mar 12 09:50:31 2014
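Review bot: `analyzeShowRolePrincipals` narrows the factory result with an unchecked cast, `(Task<DDLWork>) hiveAuthorizationTaskFactory.createShowRolePrincipalsTask(...)`, without a `@SuppressWarnings("unchecked")`, while the sibling `analyzeShowRoleGrant` above appears to keep the factory's `Task<? extends Serializable>` type; declaring `Task<? extends Serializable> roleDDLTask = hiveAuthorizationTaskFactory.createShowRolePrincipalsTask(...)` removes the cast, since `rootTasks.add` is all that consumes it (verify the declared element type of `rootTasks`). Note also that the new statement registers no `ReadEntity` for the role (inputs/outputs are passed through unchanged), so entity-based authorization hooks see nothing; access control for it lives entirely in the V2 authorizer's `getPrincipalsInRoleInfo`. A one-line comment to that effect at the call site would keep the next reader from looking for a check here.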
@@ -284,6 +284,7 @@ TOK_REVOKE_ROLE;
 TOK_SHOW_ROLE_GRANT;
 TOK_SHOW_ROLES;
 TOK_SHOW_SET_ROLE;
+TOK_SHOW_ROLE_PRINCIPALS;
 TOK_SHOWINDEXES;
 TOK_SHOWDBLOCKS;
 TOK_INDEXCOMMENT;
@@ -677,6 +678,7 @@ ddlStatement
     | revokePrivileges
     | showGrants
     | showRoleGrants
+    | showRolePrincipals
     | showRoles
     | grantRole
     | revokeRole
@@ -1389,6 +1391,7 @@ showRoleGrants
     -> ^(TOK_SHOW_ROLE_GRANT principalName)
     ;
+
 showRoles
 @init {pushMsg("show roles", state);}
 @after {popMsg(state);}
@@ -1417,6 +1420,14 @@ showGrants
     -> ^(TOK_SHOW_GRANT principalName? privilegeIncludeColObject?)
     ;
+showRolePrincipals
+@init {pushMsg("show role principals", state);}
+@after {popMsg(state);}
+    : KW_SHOW KW_PRINCIPALS roleName=identifier
+    -> ^(TOK_SHOW_ROLE_PRINCIPALS $roleName)
+    ;
+
+
 privilegeIncludeColObject
 @init {pushMsg("privilege object including columns", state);}
 @after {popMsg(state);}
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g?rev=1576675&r1=1576674&r2=1576675&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g Wed Mar 12 09:50:31 2014
@@ -538,5 +538,5 @@ functionIdentifier nonReserved : - KW_TRUE | KW_FALSE | KW_LIKE | KW_EXISTS | KW_ASC | KW_DESC | KW_ORDER | KW_GROUP | KW_BY | KW_AS | KW_INSERT | KW_OVERWRITE | KW_OUTER | KW_LEFT | KW_RIGHT | KW_FULL | KW_PARTITION | KW_PARTITIONS | KW_TABLE | KW_TABLES | KW_COLUMNS | KW_INDEX | KW_INDEXES | KW_REBUILD | KW_FUNCTIONS | KW_SHOW | KW_MSCK | KW_REPAIR | KW_DIRECTORY | KW_LOCAL | KW_USING | KW_CLUSTER | KW_DISTRIBUTE | KW_SORT | KW_UNION | KW_LOAD | KW_EXPORT | KW_IMPORT | KW_DATA | KW_INPATH | KW_IS | KW_NULL | KW_CREATE | KW_EXTERNAL | KW_ALTER | KW_CHANGE | KW_FIRST | KW_AFTER | KW_DESCRIBE | KW_DROP | KW_RENAME | KW_IGNORE | KW_PROTECTION | KW_TO | KW_COMMENT | KW_BOOLEAN | KW_TINYINT | KW_SMALLINT | KW_INT | KW_BIGINT | KW_FLOAT | KW_DOUBLE | KW_DATE | KW_DATETIME | KW_TIMESTAMP | KW_DECIMAL | KW_STRING | KW_ARRAY | KW_STRUCT | KW_UNIONTYPE | KW_PARTITIONED | KW_CLUSTERED | KW_SORTED | KW_INTO | KW_BUCKETS | KW_ROW | KW_ROWS | KW_FORMAT | KW_DELIMITED | KW_FIELDS | KW_TERMINATED | KW_ESCAPED | KW_COLLECTION | KW_ITEMS | KW_KEYS | KW_KEY_TYPE | KW_LINES | KW_STORED | KW_FILEFORMAT | KW_SEQUENCEFILE | KW_TEXTFILE | KW_RCFILE | KW_ORCFILE | KW_PARQUETFILE | KW_INPUTFORMAT | KW_OUTPUTFORMAT | KW_INPUTDRIVER | KW_OUTPUTDRIVER | KW_OFFLINE | KW_ENABLE | KW_DISABLE | KW_READONLY | KW_NO_DROP | KW_LOCATION | KW_BUCKET | KW_OUT | KW_OF | KW_PERCENT | KW_ADD | KW_REPLACE | KW_RLIKE | KW_REGEXP | KW_TEMPORARY | KW_EXPLAIN | KW_FORMATTED | KW_PRETTY | KW_DEPENDENCY | KW_LOGICAL | KW_SERDE | KW_WITH | KW_DEFERRED | KW_SERDEPROPERTIES | KW_DBPROPERTIES | KW_LIMIT | KW_SET | KW_UNSET | KW_TBLPROPERTIES | KW_IDXPROPERTIES | KW_VALUE_TYPE | KW_ELEM_TYPE | KW_MAPJOIN | KW_STREAMTABLE | KW_HOLD_DDLTIME | KW_CLUSTERSTATUS | KW_UTC | KW_UTCTIMESTAMP | KW_LONG | KW_DELETE | KW_PLUS | KW_MINUS | KW_FETCH | KW_INTERSECT | KW_VIEW | KW_IN | KW_DATABASES | KW_MATERIALIZED | KW_SCHEMA | KW_SCHEMAS | KW_GRANT | KW_REVOKE | KW_SSL | KW_UNDO | KW_LOCK | KW_LOCKS | 
KW_UNLOCK | KW_SHARED | KW_EXCLUSIVE | KW_PROCEDURE | KW_UNSIGNED | KW_WHILE | KW_READ | KW_READS | KW_PURGE | KW_RANGE | KW_ANALYZE | KW_BEFORE | KW_BETWEEN | KW_BOTH | KW_BINARY | KW_CONTINUE | KW_CURSOR | KW_TRIGGER | KW_RECORDREADER | KW_RECORDWRITER | KW_SEMI | KW_LATERAL | KW_TOUCH | KW_ARCHIVE | KW_UNARCHIVE | KW_COMPUTE | KW_STATISTICS | KW_USE | KW_OPTION | KW_CONCATENATE | KW_SHOW_DATABASE | KW_UPDATE | KW_RESTRICT | KW_CASCADE | KW_SKEWED | KW_ROLLUP | KW_CUBE | KW_DIRECTORIES | KW_FOR | KW_GROUPING | KW_SETS | KW_TRUNCATE | KW_NOSCAN | KW_USER | KW_ROLE | KW_ROLES | KW_INNER | KW_DEFINED | KW_ADMIN | KW_JAR | KW_FILE | KW_OWNER + KW_TRUE | KW_FALSE | KW_LIKE | KW_EXISTS | KW_ASC | KW_DESC | KW_ORDER | KW_GROUP | KW_BY | KW_AS | KW_INSERT | KW_OVERWRITE | KW_OUTER | KW_LEFT | KW_RIGHT | KW_FULL | KW_PARTITION | KW_PARTITIONS | KW_TABLE | KW_TABLES | KW_COLUMNS | KW_INDEX | KW_INDEXES | KW_REBUILD | KW_FUNCTIONS | KW_SHOW | KW_MSCK | KW_REPAIR | KW_DIRECTORY | KW_LOCAL | KW_USING | KW_CLUSTER | KW_DISTRIBUTE | KW_SORT | KW_UNION | KW_LOAD | KW_EXPORT | KW_IMPORT | KW_DATA | KW_INPATH | KW_IS | KW_NULL | KW_CREATE | KW_EXTERNAL | KW_ALTER | KW_CHANGE | KW_FIRST | KW_AFTER | KW_DESCRIBE | KW_DROP | KW_RENAME | KW_IGNORE | KW_PROTECTION | KW_TO | KW_COMMENT | KW_BOOLEAN | KW_TINYINT | KW_SMALLINT | KW_INT | KW_BIGINT | KW_FLOAT | KW_DOUBLE | KW_DATE | KW_DATETIME | KW_TIMESTAMP | KW_DECIMAL | KW_STRING | KW_ARRAY | KW_STRUCT | KW_UNIONTYPE | KW_PARTITIONED | KW_CLUSTERED | KW_SORTED | KW_INTO | KW_BUCKETS | KW_ROW | KW_ROWS | KW_FORMAT | KW_DELIMITED | KW_FIELDS | KW_TERMINATED | KW_ESCAPED | KW_COLLECTION | KW_ITEMS | KW_KEYS | KW_KEY_TYPE | KW_LINES | KW_STORED | KW_FILEFORMAT | KW_SEQUENCEFILE | KW_TEXTFILE | KW_RCFILE | KW_ORCFILE | KW_PARQUETFILE | KW_INPUTFORMAT | KW_OUTPUTFORMAT | KW_INPUTDRIVER | KW_OUTPUTDRIVER | KW_OFFLINE | KW_ENABLE | KW_DISABLE | KW_READONLY | KW_NO_DROP | KW_LOCATION | KW_BUCKET | KW_OUT | KW_OF | KW_PERCENT | KW_ADD | 
KW_REPLACE | KW_RLIKE | KW_REGEXP | KW_TEMPORARY | KW_EXPLAIN | KW_FORMATTED | KW_PRETTY | KW_DEPENDENCY | KW_LOGICAL | KW_SERDE | KW_WITH | KW_DEFERRED | KW_SERDEPROPERTIES | KW_DBPROPERTIES | KW_LIMIT | KW_SET | KW_UNSET | KW_TBLPROPERTIES | KW_IDXPROPERTIES | KW_VALUE_TYPE | KW_ELEM_TYPE | KW_MAPJOIN | KW_STREAMTABLE | KW_HOLD_DDLTIME | KW_CLUSTERSTATUS | KW_UTC | KW_UTCTIMESTAMP | KW_LONG | KW_DELETE | KW_PLUS | KW_MINUS | KW_FETCH | KW_INTERSECT | KW_VIEW | KW_IN | KW_DATABASES | KW_MATERIALIZED | KW_SCHEMA | KW_SCHEMAS | KW_GRANT | KW_REVOKE | KW_SSL | KW_UNDO | KW_LOCK | KW_LOCKS | KW_UNLOCK | KW_SHARED | KW_EXCLUSIVE | KW_PROCEDURE | KW_UNSIGNED | KW_WHILE | KW_READ | KW_READS | KW_PURGE | KW_RANGE | KW_ANALYZE | KW_BEFORE | KW_BETWEEN | KW_BOTH | KW_BINARY | KW_CONTINUE | KW_CURSOR | KW_TRIGGER | KW_RECORDREADER | KW_RECORDWRITER | KW_SEMI | KW_LATERAL | KW_TOUCH | KW_ARCHIVE | KW_UNARCHIVE | KW_COMPUTE | KW_STATISTICS | KW_USE | KW_OPTION | KW_CONCATENATE | KW_SHOW_DATABASE | KW_UPDATE | KW_RESTRICT | KW_CASCADE | KW_SKEWED | KW_ROLLUP | KW_CUBE | KW_DIRECTORIES | KW_FOR | KW_GROUPING | KW_SETS | KW_TRUNCATE | KW_NOSCAN | KW_USER | KW_ROLE | KW_ROLES | KW_INNER | KW_DEFINED | KW_ADMIN | KW_JAR | KW_FILE | KW_OWNER | KW_PRINCIPALS ; Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzerFactory.java URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzerFactory.java?rev=1576675&r1=1576674&r2=1576675&view=diff ============================================================================== --- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzerFactory.java (original) +++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzerFactory.java Wed Mar 12 09:50:31 2014 
@@ -97,6 +97,7 @@ public final class SemanticAnalyzerFacto commandType.put(HiveParser.TOK_REVOKE_ROLE, HiveOperation.REVOKE_ROLE); commandType.put(HiveParser.TOK_SHOW_ROLES, HiveOperation.SHOW_ROLES); commandType.put(HiveParser.TOK_SHOW_SET_ROLE, HiveOperation.SHOW_ROLES); + commandType.put(HiveParser.TOK_SHOW_ROLE_PRINCIPALS, HiveOperation.SHOW_ROLE_PRINCIPALS); commandType.put(HiveParser.TOK_SHOW_ROLE_GRANT, HiveOperation.SHOW_ROLE_GRANT); commandType.put(HiveParser.TOK_ALTERDATABASE_PROPERTIES, HiveOperation.ALTERDATABASE); commandType.put(HiveParser.TOK_ALTERDATABASE_OWNER, HiveOperation.ALTERDATABASE_OWNER); @@ -212,6 +213,7 @@ public final class SemanticAnalyzerFacto case HiveParser.TOK_GRANT_ROLE: case HiveParser.TOK_REVOKE_ROLE: case HiveParser.TOK_SHOW_ROLE_GRANT: + case HiveParser.TOK_SHOW_ROLE_PRINCIPALS: case HiveParser.TOK_SHOW_ROLES: case HiveParser.TOK_ALTERDATABASE_PROPERTIES: case HiveParser.TOK_ALTERDATABASE_OWNER: @@ -219,6 +221,7 @@ public final class SemanticAnalyzerFacto case HiveParser.TOK_TRUNCATETABLE: case HiveParser.TOK_EXCHANGEPARTITION: case HiveParser.TOK_SHOW_SET_ROLE: + return new DDLSemanticAnalyzer(conf); case HiveParser.TOK_ALTERTABLE_PARTITION: HiveOperation commandType = null; Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactory.java URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactory.java?rev=1576675&r1=1576674&r2=1576675&view=diff ============================================================================== --- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactory.java (original) +++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactory.java Wed Mar 12 09:50:31 2014 
@@ -62,4 +62,7 @@ public interface HiveAuthorizationTaskFa
   public Task<? extends Serializable> createShowCurrentRoleTask(HashSet<ReadEntity> inputs, HashSet<WriteEntity> outputs, Path resFile) throws SemanticException;
+
+  public Task<? extends Serializable> createShowRolePrincipalsTask(ASTNode ast, Path resFile,
+      HashSet<ReadEntity> inputs, HashSet<WriteEntity> outputs) throws SemanticException;
 }
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java?rev=1576675&r1=1576674&r2=1576675&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java Wed Mar 12 09:50:31 2014
@@ -48,6 +48,7 @@ import org.apache.hadoop.hive.ql.plan.Pr
 import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc;
 import org.apache.hadoop.hive.ql.plan.RevokeDesc;
 import org.apache.hadoop.hive.ql.plan.RoleDDLDesc;
+import org.apache.hadoop.hive.ql.plan.RoleDDLDesc.RoleOperation;
 import org.apache.hadoop.hive.ql.plan.ShowGrantDesc;
 import org.apache.hadoop.hive.ql.security.authorization.Privilege;
 import org.apache.hadoop.hive.ql.security.authorization.PrivilegeRegistry;
@@ -130,6 +131,7 @@ public class HiveAuthorizationTaskFactor
         principalDesc, userName, PrincipalType.USER, grantOption);
     return TaskFactory.get(new DDLWork(inputs, outputs, grantDesc), conf);
   }
+  @Override
   public Task<? extends Serializable> createRevokeTask(ASTNode ast, HashSet<ReadEntity> inputs, HashSet<WriteEntity> outputs) throws SemanticException {
@@ -334,4 +336,21 @@ public class HiveAuthorizationTaskFactor
     ddlDesc.setResFile(resFile.toString());
     return TaskFactory.get(new DDLWork(inputs, outputs, ddlDesc), conf);
   }
+
+  @Override
+  public Task<? extends Serializable> createShowRolePrincipalsTask(ASTNode ast, Path resFile,
+      HashSet<ReadEntity> inputs, HashSet<WriteEntity> outputs) throws SemanticException {
+    String roleName;
+
+    if (ast.getChildCount() == 1) {
+      roleName = ast.getChild(0).getText();
+    } else {
+      // the parser should not allow this
+      throw new AssertionError("Unexpected Tokens in SHOW ROLE PRINCIPALS");
+    }
+
+    RoleDDLDesc roleDDLDesc = new RoleDDLDesc(roleName, RoleOperation.SHOW_ROLE_PRINCIPALS);
+    roleDDLDesc.setResFile(resFile.toString());
+    return TaskFactory.get(new DDLWork(inputs, outputs, roleDDLDesc), conf);
+  }
 }
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/plan/HiveOperation.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/plan/HiveOperation.java?rev=1576675&r1=1576674&r2=1576675&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/plan/HiveOperation.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/plan/HiveOperation.java Wed Mar 12 09:50:31 2014
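Review bot: `roleName = ast.getChild(0).getText()` takes the identifier token text verbatim; the grammar rule is `roleName=identifier`, so a backquoted role name would reach `RoleDDLDesc` with its quotes unless it is unescaped the way the other role tasks in this factory appear to do (`BaseSemanticAnalyzer.unescapeIdentifier(ast.getChild(0).getText())`; verify against `createCreateRoleTask`, which is outside this hunk). The `AssertionError` message says `SHOW ROLE PRINCIPALS` while the statement is `SHOW PRINCIPALS <role>`; using the real syntax makes a future grammar regression easier to locate. A Javadoc line such as `Builds the DDL task for SHOW PRINCIPALS roleName; the result file receives one row per principal grant` would also cover what the new interface method in HiveAuthorizationTaskFactory leaves undocumented.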
@@ -88,6 +88,7 @@ public enum HiveOperation {
   GRANT_ROLE("GRANT_ROLE", null, null),
   REVOKE_ROLE("REVOKE_ROLE", null, null),
   SHOW_ROLES("SHOW_ROLES", null, null),
+  SHOW_ROLE_PRINCIPALS("SHOW_ROLE_PRINCIPALS", null, null),
   SHOW_ROLE_GRANT("SHOW_ROLE_GRANT", null, null),
   ALTERTABLE_PROTECTMODE("ALTERTABLE_PROTECTMODE", new Privilege[]{Privilege.ALTER_METADATA}, null),
   ALTERPARTITION_PROTECTMODE("ALTERPARTITION_PROTECTMODE", new Privilege[]{Privilege.ALTER_METADATA}, null),
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/plan/RoleDDLDesc.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/plan/RoleDDLDesc.java?rev=1576675&r1=1576674&r2=1576675&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/plan/RoleDDLDesc.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/plan/RoleDDLDesc.java Wed Mar 12 09:50:31 2014
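Review bot: `SHOW_ROLE_PRINCIPALS("SHOW_ROLE_PRINCIPALS", null, null)` declares no required input or output privileges, so the privilege-based (V1) authorizer would demand nothing for a statement that enumerates role membership. That is safe today only because DDLTask rejects the operation in V1 mode, and the entry mirrors the neighbouring `SHOW_ROLES` and `SHOW_ROLE_GRANT`. A short comment on the line, `// no V1 privileges: DDLTask refuses this in V1 mode; the V2 authorizer enforces access`, records the dependency so anyone later enabling V1 support knows this entry needs a privilege.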
@@ -45,23 +45,35 @@ public class RoleDDLDesc extends DDLDesc private static final String roleNameSchema = "role#string"; /** - * thrift ddl for the result of show role. + * thrift ddl for the result of show role grant principalName */ - private static final String roleDescSchema = + private static final String roleShowGrantSchema = "role,create_time,principal_name,principal_type,grant_option,grant_time,grantor#" + "string:bigint:string:string:boolean:bigint:string"; + /** + * thrift ddl for the result of describe role roleName + */ + private static final String roleShowRolePrincipals = + "principal_name,principal_type,grant_option,grantor,grantor_type,grant_time#" + + "string:string:boolean:string:string:bigint"; + public static String getRoleNameSchema() { return roleNameSchema; } - public static String getRoleDescSchema() { - return roleDescSchema; + public static String getRoleShowGrantSchema() { + return roleShowGrantSchema; + } + + public static String getShowRolePrincipalsSchema() { + return roleShowRolePrincipals; } public static enum RoleOperation { DROP_ROLE("drop_role"), CREATE_ROLE("create_role"), SHOW_ROLE_GRANT("show_role_grant"), - SHOW_ROLES("show_roles"), SET_ROLE("set_role"), SHOW_CURRENT_ROLE("show_current_role"); + SHOW_ROLES("show_roles"), SET_ROLE("set_role"), SHOW_CURRENT_ROLE("show_current_role"), + SHOW_ROLE_PRINCIPALS("show_role_principals"); private String operationName; private RoleOperation() { Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java?rev=1576675&r1=1576674&r2=1576675&view=diff ============================================================================== --- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java (original) +++ 
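Review bot: The Javadoc on the new `roleShowRolePrincipals` constant says `describe role roleName`, but the statement this commit introduces is `show principals roleName` (RoleOperation.SHOW_ROLE_PRINCIPALS, "show_role_principals"); change it to `* thrift ddl for the result of show principals roleName` so the next reader does not go looking for a DESCRIBE ROLE command. The field name also drops the `...Schema` suffix its siblings use (`roleNameSchema`, `roleShowGrantSchema`), and its getter `getShowRolePrincipalsSchema` is not named in parallel with `getRoleShowGrantSchema`; `private static final String roleShowRolePrincipalsSchema` with `getRoleShowRolePrincipalsSchema()` would keep the file consistent. Renaming `getRoleDescSchema` to `getRoleShowGrantSchema` changes RoleDDLDesc's public API, so any caller outside this diff (DDLTask is not in view) has to move in the same commit.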
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java Wed Mar 12 09:50:31 2014 @@ -65,4 +65,6 @@ public interface HiveAccessController { void setCurrentRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException; List<HiveRole> getCurrentRoles() throws HiveAuthzPluginException; + + List<HiveRoleGrant> getPrincipalsInRoleInfo(String roleName) throws HiveAuthzPluginException, HiveAccessControlException; } Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java?rev=1576675&r1=1576674&r2=1576675&view=diff ============================================================================== --- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java (original) +++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java Wed Mar 12 09:50:31 2014 
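Review bot: `getPrincipalsInRoleInfo` is added to the HiveAccessController SPI without Javadoc, while the parallel declaration in HiveAuthorizer in this same commit has one; plugin implementers read this interface, not HiveAuthorizer. Because Operation2Privilege maps SHOW_ROLE_PRINCIPALS to no object privileges, the contract that the implementation decides who may list a role's members belongs here: `/** Get the grant information for principals granted the given role. Implementations decide which callers may see a role's membership (the SQL standard controller limits it to admins) and throw HiveAccessControlException otherwise. */`.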
@@ -102,6 +102,18 @@ public interface HiveAuthorizer { List<HiveRole> getRoles(HivePrincipal hivePrincipal) throws HiveAuthzPluginException, HiveAccessControlException; + + /** + * Get the grant information for principals granted the given role + * @param roleName + * @return + * @throws HiveAuthzPluginException + * @throws HiveAccessControlException + */ + List<HiveRoleGrant> getPrincipalsInRoleInfo(String roleName) + throws HiveAuthzPluginException, HiveAccessControlException; + + /** * Grant roles in given roles list to principals in given hivePrincipals list * @param hivePrincipals Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java?rev=1576675&r1=1576674&r2=1576675&view=diff ============================================================================== --- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java (original) +++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java Wed Mar 12 09:50:31 2014 
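Review bot: The new Javadoc on `getPrincipalsInRoleInfo` leaves `@param roleName` and `@return` empty, which Javadoc tooling flags and which tells a caller nothing; fill them in as `@param roleName name of the role whose membership is requested` and `@return one HiveRoleGrant per principal the role has been granted to, carrying grant option, grantor and grant time`, and give `@throws HiveAccessControlException` a reason, `if the current user is not permitted to view the role's membership` (what the SQL-standard implementation in this commit does; other implementations may differ). The two blank lines added after the declaration are one more than the neighbouring methods use.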
@@ -113,8 +113,10 @@ public class HiveAuthorizerImpl implemen
 public List<HiveRole> getCurrentRoles() throws HiveAuthzPluginException {
 return accessController.getCurrentRoles();
 }
- // other access control functions
-// void validateAuthority(HiveAction, inputs, outputs){
-// authValidator.validateAuthority(HiveAction, inputs, outputs);
-// }
+
+ @Override
+ public List<HiveRoleGrant> getPrincipalsInRoleInfo(String roleName)
+ throws HiveAuthzPluginException, HiveAccessControlException {
+ return accessController.getPrincipalsInRoleInfo(roleName);
+ }
 }
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java?rev=1576675&r1=1576674&r2=1576675&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java Wed Mar 12 09:50:31 2014
@@ -91,6 +91,7 @@ public enum HiveOperationType {
 REVOKE_ROLE,
 SHOW_ROLES,
 SHOW_ROLE_GRANT,
+ SHOW_ROLE_PRINCIPALS,
 ALTERTABLE_PROTECTMODE,
 ALTERPARTITION_PROTECTMODE,
 ALTERTABLE_FILEFORMAT,
Added: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRoleGrant.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRoleGrant.java?rev=1576675&view=auto
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRoleGrant.java (added)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRoleGrant.java Wed Mar 12 09:50:31 2014
@@ -0,0 +1,126 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
+import org.apache.hadoop.hive.metastore.api.RolePrincipalGrant;
+
+import com.google.common.collect.ComparisonChain;
+
+/**
+ * Represents a grant of a role to a principal
+ */
+@LimitedPrivate(value = { "" })
+@Evolving
+public class HiveRoleGrant implements Comparable<HiveRoleGrant> {
+
+ private String roleName;
+ private String principalName;
+ private String principalType;
+ private boolean grantOption;
+ private int grantTime;
+ private String grantor;
+ private String grantorType;
+
+ public HiveRoleGrant() {}
+
+ public HiveRoleGrant(RolePrincipalGrant thriftRoleGrant) {
+ this.roleName = thriftRoleGrant.getRoleName();
+ this.principalName = thriftRoleGrant.getPrincipalName();
+ this.principalType = thriftRoleGrant.getPrincipalType().name();
+ this.grantOption = thriftRoleGrant.isGrantOption();
+ this.grantTime = thriftRoleGrant.getGrantTime();
+ this.grantor = thriftRoleGrant.getGrantorName();
+ 
this.grantorType = thriftRoleGrant.getGrantorPrincipalType().name();
+
+ }
+
+ public String getRoleName() {
+ return roleName;
+ }
+
+ public void setRoleName(String roleName) {
+ this.roleName = roleName;
+ }
+
+ public String getPrincipalName() {
+ return principalName;
+ }
+
+ public void setPrincipalName(String principalName) {
+ this.principalName = principalName;
+ }
+
+ public String getPrincipalType() {
+ return principalType;
+ }
+
+ public void setPrincipalType(String principalType) {
+ this.principalType = principalType;
+ }
+
+ public boolean isGrantOption() {
+ return grantOption;
+ }
+
+ public void setGrantOption(boolean grantOption) {
+ this.grantOption = grantOption;
+ }
+
+ public int getGrantTime() {
+ return grantTime;
+ }
+
+ public void setGrantTime(int grantTime) {
+ this.grantTime = grantTime;
+ }
+
+ public String getGrantor() {
+ return grantor;
+ }
+
+ public void setGrantor(String grantor) {
+ this.grantor = grantor;
+ }
+
+ public String getGrantorType() {
+ return grantorType;
+ }
+
+ public void setGrantorType(String grantorType) {
+ this.grantorType = grantorType;
+ }
+
+ @Override
+ public int compareTo(HiveRoleGrant other) {
+ if(other == null){
+ return 1;
+ }
+ return ComparisonChain.start().compare(roleName, other.roleName)
+ .compare(principalName, other.principalName)
+ .compare(principalType, other.principalType)
+ .compare(grantOption, other.grantOption)
+ .compare(grantTime, other.grantTime)
+ .compare(grantor, other.grantor)
+ .result();
+
+ }
+
+
+}
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java?rev=1576675&r1=1576674&r2=1576675&view=diff
==============================================================================
--- 
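Review bot: `HiveRoleGrant` implements Comparable but does not override `equals`/`hashCode`, so two grants that `compareTo` as 0 are still distinct in sets and maps, and `ComparisonChain.compare(Comparable, Comparable)` calls `left.compareTo(right)`, so a null `roleName`, `principalName`, `principalType` or `grantor` (the no-arg constructor leaves them all null; the thrift constructor copies whatever the metastore sent) throws NullPointerException from inside a sort. `grantorType` is also left out of the ordering, so grants differing only in that field compare equal. The sketch below uses Guava's `Ordering.natural().nullsFirst()` for the String fields, includes `grantorType`, and adds `equals`/`hashCode` consistent with `compareTo`; it needs `com.google.common.base.Objects` and `com.google.common.collect.Ordering` imported. Separately, `@LimitedPrivate(value = { "" })` names an empty audience, which is probably not what was intended.
```java
  @Override
  public int compareTo(HiveRoleGrant other) {
    if (other == null) {
      return 1;
    }
    // String fields may be unset (no-arg constructor, or absent in the thrift payload);
    // nullsFirst keeps the ordering total instead of throwing from inside a sort.
    Ordering<String> str = Ordering.natural().nullsFirst();
    return ComparisonChain.start()
        .compare(roleName, other.roleName, str)
        .compare(principalName, other.principalName, str)
        .compare(principalType, other.principalType, str)
        .compare(grantOption, other.grantOption)
        .compare(grantTime, other.grantTime)
        .compare(grantor, other.grantor, str)
        .compare(grantorType, other.grantorType, str)
        .result();
  }

  // equals/hashCode cover exactly the fields compareTo orders on, so the two agree.
  @Override
  public boolean equals(Object o) {
    if (this == o) {
      return true;
    }
    if (!(o instanceof HiveRoleGrant)) {
      return false;
    }
    return compareTo((HiveRoleGrant) o) == 0;
  }

  @Override
  public int hashCode() {
    return Objects.hashCode(roleName, principalName, principalType, grantOption,
        grantTime, grantor, grantorType);
  }
```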
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java Wed Mar 12 09:50:31 2014
@@ -199,6 +199,9 @@ public class Operation2Privilege {
 op2Priv.put(HiveOperationType.SHOW_ROLES, new InOutPrivs(null, null));
 op2Priv.put(HiveOperationType.SHOW_ROLE_GRANT, new InOutPrivs(null, null));
+ op2Priv.put(HiveOperationType.SHOW_ROLE_PRINCIPALS, new InOutPrivs(null,
+ null));
+
 }
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java?rev=1576675&r1=1576674&r2=1576675&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java Wed Mar 12 09:50:31 2014
@@ -28,6 +28,8 @@ import org.apache.hadoop.classification.
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.metastore.HiveMetaStore;
 import org.apache.hadoop.hive.metastore.IMetaStoreClient;
+import org.apache.hadoop.hive.metastore.api.GetPrincipalsInRoleRequest;
+import org.apache.hadoop.hive.metastore.api.GetPrincipalsInRoleResponse;
 import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
 import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
 import org.apache.hadoop.hive.metastore.api.HiveObjectType;
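Review bot: `SHOW_ROLE_PRINCIPALS` is registered with `new InOutPrivs(null, null)`, meaning no object privilege is checked in this table, and nothing here says where the admin-only restriction for the statement is enforced; someone auditing this mapping would otherwise conclude the statement is open to everyone. A comment above the new entry, `// no object privileges: SQLStdHiveAccessController.getPrincipalsInRoleInfo restricts this to admins`, would record the actual enforcement point. The statement also fits on one line like the SHOW_ROLE_GRANT entry above it, `op2Priv.put(HiveOperationType.SHOW_ROLE_PRINCIPALS, new InOutPrivs(null, null));`, and the extra blank line before the closing brace is not needed.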
@@ -36,6 +38,7 @@ import org.apache.hadoop.hive.metastore.
 import org.apache.hadoop.hive.metastore.api.PrivilegeBag;
 import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
 import org.apache.hadoop.hive.metastore.api.Role;
+import org.apache.hadoop.hive.metastore.api.RolePrincipalGrant;
 import org.apache.hadoop.hive.ql.metadata.HiveException;
 import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
 import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils;
@@ -49,6 +52,7 @@ import org.apache.hadoop.hive.ql.securit
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRole;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
 import org.apache.thrift.TException;
 
 /**
@@ -371,6 +375,28 @@ public class SQLStdHiveAccessController } } + + @Override + public List<HiveRoleGrant> getPrincipalsInRoleInfo(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { + // only user belonging to admin role can list role + if (!isUserAdmin()) { + throw new HiveAccessControlException("Current user : " + currentUserName+ " is not" + + " allowed get principals in a role. " + ADMIN_ONLY_MSG); + } + try { + GetPrincipalsInRoleResponse princGrantInfo = + metastoreClientFactory.getHiveMetastoreClient().get_principals_in_role(new GetPrincipalsInRoleRequest(roleName)); + + List<HiveRoleGrant> hiveRoleGrants = new ArrayList<HiveRoleGrant>(); + for(RolePrincipalGrant thriftRoleGrant : princGrantInfo.getPrincipalGrants()){ + hiveRoleGrants.add(new HiveRoleGrant(thriftRoleGrant)); + } + return hiveRoleGrants; + } catch (Exception e) { + throw new HiveAuthzPluginException("Error getting principals for all roles", e); + } + } + @Override public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException { @@ -511,4 +537,5 @@ public class SQLStdHiveAccessController } return true; } + } Added: hive/trunk/ql/src/test/queries/clientnegative/authorization_show_role_principals_no_admin.q URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_show_role_principals_no_admin.q?rev=1576675&view=auto ============================================================================== --- hive/trunk/ql/src/test/queries/clientnegative/authorization_show_role_principals_no_admin.q (added) +++ hive/trunk/ql/src/test/queries/clientnegative/authorization_show_role_principals_no_admin.q Wed Mar 12 09:50:31 2014 
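Review bot: The wrapped message in the catch block of `getPrincipalsInRoleInfo`, `"Error getting principals for all roles"`, describes a different operation and drops the one value an operator needs to diagnose the failure; `throw new HiveAuthzPluginException("Error getting principals in role " + roleName, e);` matches what the method does. The `catch (Exception e)` also turns programming errors (for instance an NPE if `getPrincipalGrants()` came back null, which I cannot confirm from here) into a plugin exception; catching the checked types the metastore call actually declares (`TException` is already imported; the client factory's own exception type is not visible in the hunk) would keep that distinction. The admin check is correctly placed before the try, so a denied caller receives HiveAccessControlException rather than a wrapped one, and since Operation2Privilege assigns no privileges to SHOW_ROLE_PRINCIPALS this check is the sole enforcement point and deserves saying so: `// Authorization for SHOW_ROLE_PRINCIPALS is enforced here, not in Operation2Privilege`. The denial text is pinned by authorization_show_role_principals_no_admin.q.out, so fixing its grammar ("is not allowed to get principals") means updating that expected output in the same change. The second hunk in this file only adds a blank line.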
@@ -0,0 +1,3 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; +-- This test will fail because hive_test_user is not in admin role +show principals role1; Added: hive/trunk/ql/src/test/queries/clientnegative/authorization_show_role_principals_v1.q URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_show_role_principals_v1.q?rev=1576675&view=auto ============================================================================== --- hive/trunk/ql/src/test/queries/clientnegative/authorization_show_role_principals_v1.q (added) +++ hive/trunk/ql/src/test/queries/clientnegative/authorization_show_role_principals_v1.q Wed Mar 12 09:50:31 2014 @@ -0,0 +1,2 @@ +-- This test will fail because the command is not currently supported in auth mode v1 +show principals role1; Modified: hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q?rev=1576675&r1=1576674&r2=1576675&view=diff ============================================================================== --- hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q (original) +++ hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q Wed Mar 12 09:50:31 2014 @@ -1,8 +1,8 @@ set hive.users.in.admin.role=hive_admin_user; set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory; set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator; -set user.name=hive_admin_user; +set user.name=hive_admin_user; set role ADMIN; ---------------------------------------- 
@@ -12,10 +12,22 @@ set role ADMIN; create role src_role_wadmin; grant src_role_wadmin to user user2 with admin option; show role grant user user2; +show principals src_role_wadmin; set user.name=user2; set role src_role_wadmin; grant src_role_wadmin to user user3; show role grant user user3; + +set user.name=hive_admin_user; +set role ADMIN; +show principals src_role_wadmin; + +set user.name=user2; +set role src_role_wadmin; revoke src_role_wadmin from user user3; show role grant user user3; + +set user.name=hive_admin_user; +set role ADMIN; +show principals src_role_wadmin; Added: hive/trunk/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out?rev=1576675&view=auto ============================================================================== --- hive/trunk/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out (added) +++ hive/trunk/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out Wed Mar 12 09:50:31 2014 
@@ -0,0 +1,4 @@ +PREHOOK: query: -- This test will fail because hive_test_user is not in admin role +show principals role1 +PREHOOK: type: SHOW_ROLE_PRINCIPALS +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_test_user is not allowed get principals in a role. User has to belong to ADMIN role and have it as current role, for this action. Added: hive/trunk/ql/src/test/results/clientnegative/authorization_show_role_principals_v1.q.out URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_show_role_principals_v1.q.out?rev=1576675&view=auto ============================================================================== --- hive/trunk/ql/src/test/results/clientnegative/authorization_show_role_principals_v1.q.out (added) +++ hive/trunk/ql/src/test/results/clientnegative/authorization_show_role_principals_v1.q.out Wed Mar 12 09:50:31 2014 @@ -0,0 +1,5 @@ +PREHOOK: query: -- This test will fail because the command is not currently supported in auth mode v1 +show principals role1 +PREHOOK: type: SHOW_ROLE_PRINCIPALS +Error in role operation show_role_principals on role name role1, error message Show role principals is not currently supported in authorization mode V1 +FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask Modified: hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out?rev=1576675&r1=1576674&r2=1576675&view=diff ============================================================================== --- hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out (original) +++ hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out Wed Mar 12 09:50:31 2014 
@@ -24,6 +24,11 @@ POSTHOOK: query: show role grant user us POSTHOOK: type: SHOW_ROLE_GRANT PUBLIC -1 false -1 src_role_wadmin -1 user2 USER true -1 hive_admin_user +PREHOOK: query: show principals src_role_wadmin +PREHOOK: type: SHOW_ROLE_PRINCIPALS +POSTHOOK: query: show principals src_role_wadmin +POSTHOOK: type: SHOW_ROLE_PRINCIPALS +user2 USER true hive_admin_user USER -1 PREHOOK: query: set role src_role_wadmin PREHOOK: type: SHOW_ROLES POSTHOOK: query: set role src_role_wadmin @@ -38,6 +43,20 @@ POSTHOOK: query: show role grant user us POSTHOOK: type: SHOW_ROLE_GRANT PUBLIC -1 false -1 src_role_wadmin -1 user3 USER false -1 user2 +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: show principals src_role_wadmin +PREHOOK: type: SHOW_ROLE_PRINCIPALS +POSTHOOK: query: show principals src_role_wadmin +POSTHOOK: type: SHOW_ROLE_PRINCIPALS +user2 USER true hive_admin_user USER -1 +user3 USER false user2 USER -1 +PREHOOK: query: set role src_role_wadmin +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role src_role_wadmin +POSTHOOK: type: SHOW_ROLES PREHOOK: query: revoke src_role_wadmin from user user3 PREHOOK: type: REVOKE_ROLE POSTHOOK: query: revoke src_role_wadmin from user user3 @@ -47,3 +66,12 @@ PREHOOK: type: SHOW_ROLE_GRANT POSTHOOK: query: show role grant user user3 POSTHOOK: type: SHOW_ROLE_GRANT PUBLIC -1 false -1 +PREHOOK: query: set role ADMIN +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role ADMIN +POSTHOOK: type: SHOW_ROLES +PREHOOK: query: show principals src_role_wadmin +PREHOOK: type: SHOW_ROLE_PRINCIPALS +POSTHOOK: query: show principals src_role_wadmin +POSTHOOK: type: SHOW_ROLE_PRINCIPALS +user2 USER true hive_admin_user USER -1
