Author: hashutosh
Date: Fri Apr 4 22:48:42 2014
New Revision: 1584934
URL: http://svn.apache.org/r1584934
Log:
HIVE-6827 : Disable insecure commands with std sql auth (Ashutosh Chauhan via
Thejas Nair)
Added:
hive/branches/branch-0.13/ql/src/test/queries/clientnegative/authorization_addjar.q
hive/branches/branch-0.13/ql/src/test/results/clientnegative/authorization_addjar.q.out
Modified:
hive/branches/branch-0.13/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java
hive/branches/branch-0.13/ql/src/test/org/apache/hadoop/hive/ql/processors/TestCommandProcessorFactory.java
Modified:
hive/branches/branch-0.13/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java
URL:
http://svn.apache.org/viewvc/hive/branches/branch-0.13/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java?rev=1584934&r1=1584933&r2=1584934&view=diff
==============================================================================
---
hive/branches/branch-0.13/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java
(original)
+++
hive/branches/branch-0.13/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java
Fri Apr 4 22:48:42 2014
@@ -28,7 +28,10 @@ import java.util.Map;
import java.util.Set;
import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
import org.apache.hadoop.hive.ql.Driver;
+import
org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+import
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
import org.apache.hadoop.hive.ql.session.SessionState;
/**
@@ -58,8 +61,18 @@ public final class CommandProcessorFacto
conf = new HiveConf();
}
Set<String> availableCommands = new HashSet<String>();
- for (String availableCommand :
conf.getVar(HiveConf.ConfVars.HIVE_SECURITY_COMMAND_WHITELIST).split(",")) {
- availableCommands.add(availableCommand.toLowerCase().trim());
+ if (!HiveAuthorizerFactory.class.isAssignableFrom
+
(conf.getClass(ConfVars.HIVE_AUTHORIZATION_MANAGER.varname,DefaultHiveAuthorizationProvider.class)))
{
+ // we are not on authV2, add processors.
+ for (String availableCommand :
conf.getVar(HiveConf.ConfVars.HIVE_SECURITY_COMMAND_WHITELIST).split(",")) {
+ availableCommands.add(availableCommand.toLowerCase().trim());
+ }
+ }
+
+ if (conf.getBoolVar(ConfVars.HIVE_IN_TEST)) {
+ // because test case uses these.
+ availableCommands.add("set");
+ availableCommands.add("dfs");
}
if (!availableCommands.contains(cmd[0].trim().toLowerCase())) {
throw new SQLException("Insufficient privileges to execute " + cmd[0],
"42000");
Modified:
hive/branches/branch-0.13/ql/src/test/org/apache/hadoop/hive/ql/processors/TestCommandProcessorFactory.java
URL:
http://svn.apache.org/viewvc/hive/branches/branch-0.13/ql/src/test/org/apache/hadoop/hive/ql/processors/TestCommandProcessorFactory.java?rev=1584934&r1=1584933&r2=1584934&view=diff
==============================================================================
---
hive/branches/branch-0.13/ql/src/test/org/apache/hadoop/hive/ql/processors/TestCommandProcessorFactory.java
(original)
+++
hive/branches/branch-0.13/ql/src/test/org/apache/hadoop/hive/ql/processors/TestCommandProcessorFactory.java
Fri Apr 4 22:48:42 2014
@@ -23,6 +23,7 @@ import java.sql.SQLException;
import junit.framework.Assert;
import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.junit.Before;
import org.junit.Test;
@@ -54,6 +55,7 @@ public class TestCommandProcessorFactory
String cmd = command.name().toLowerCase();
Assert.assertNotNull("Cmd " + cmd + " not return null",
CommandProcessorFactory.getForHiveCommand(new String[]{cmd}, conf));
}
+ conf.setBoolVar(ConfVars.HIVE_IN_TEST, false);
conf.set(HiveConf.ConfVars.HIVE_SECURITY_COMMAND_WHITELIST.toString(), "");
for (HiveCommand command : HiveCommand.values()) {
String cmd = command.name();
@@ -65,5 +67,6 @@ public class TestCommandProcessorFactory
Assert.assertEquals("42000", e.getSQLState());
}
}
+ conf.setBoolVar(ConfVars.HIVE_IN_TEST, true);
}
}
Added:
hive/branches/branch-0.13/ql/src/test/queries/clientnegative/authorization_addjar.q
URL:
http://svn.apache.org/viewvc/hive/branches/branch-0.13/ql/src/test/queries/clientnegative/authorization_addjar.q?rev=1584934&view=auto
==============================================================================
---
hive/branches/branch-0.13/ql/src/test/queries/clientnegative/authorization_addjar.q
(added)
+++
hive/branches/branch-0.13/ql/src/test/queries/clientnegative/authorization_addjar.q
Fri Apr 4 22:48:42 2014
@@ -0,0 +1,3 @@
+set hive.security.authorization.enabled=true;
+set
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+add jar
${system:maven.local.repository}/org/apache/hive/hcatalog/hive-hcatalog-core/${system:hive.version}/hive-hcatalog-core-${system:hive.version}.jar;
Added:
hive/branches/branch-0.13/ql/src/test/results/clientnegative/authorization_addjar.q.out
URL:
http://svn.apache.org/viewvc/hive/branches/branch-0.13/ql/src/test/results/clientnegative/authorization_addjar.q.out?rev=1584934&view=auto
==============================================================================
---
hive/branches/branch-0.13/ql/src/test/results/clientnegative/authorization_addjar.q.out
(added)
+++
hive/branches/branch-0.13/ql/src/test/results/clientnegative/authorization_addjar.q.out
Fri Apr 4 22:48:42 2014
@@ -0,0 +1 @@
+Failed processing command add Insufficient privileges to execute add
