Author: xuefu
Date: Fri Sep 19 05:01:42 2014
New Revision: 1626126
URL: http://svn.apache.org/r1626126
Log:
HIVE-8083: Authorization DDLs should not enforce hive identifier syntax for
user or group (Prasad via Xuefu)
Added:
hive/trunk/ql/src/test/queries/clientpositive/authorization_non_id.q
hive/trunk/ql/src/test/results/clientpositive/authorization_non_id.q.out
Modified:
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g?rev=1626126&r1=1626125&r2=1626126&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g
(original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g Fri Sep
19 05:01:42 2014
@@ -1530,8 +1530,8 @@ principalSpecification
principalName
@init {pushMsg("user|group|role name", state);}
@after {popMsg(state);}
- : KW_USER identifier -> ^(TOK_USER identifier)
- | KW_GROUP identifier -> ^(TOK_GROUP identifier)
+ : KW_USER principalIdentifier -> ^(TOK_USER principalIdentifier)
+ | KW_GROUP principalIdentifier -> ^(TOK_GROUP principalIdentifier)
| KW_ROLE identifier -> ^(TOK_ROLE identifier)
;
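Review bot: The `KW_ROLE identifier` alternative of `principalName` stays on the stricter `identifier` rule while the two alternatives above it move to `principalIdentifier`, and nothing in the hunk says whether that is deliberate. If it is (role names are created inside Hive, whereas user and group names presumably come from an external directory or authenticator), a one-line grammar comment would stop a later change from "fixing" the asymmetry, for example `// role names are Hive objects and stay plain identifiers; user/group names are external and may be backquoted`. If it is not deliberate, a grant or revoke naming a role that needs quoting would presumably still be rejected here.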
Modified:
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g?rev=1626126&r1=1626125&r2=1626126&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g
(original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/IdentifiersParser.g
Fri Sep 19 05:01:42 2014
@@ -536,6 +536,13 @@ functionIdentifier
identifier
;
+principalIdentifier
+@init { gParent.pushMsg("identifier for principal spec", state); }
+@after { gParent.popMsg(state); }
+ : identifier
+ | QuotedIdentifier
+ ;
+
nonReserved
:
KW_TRUE | KW_FALSE | KW_LIKE | KW_EXISTS | KW_ASC | KW_DESC | KW_ORDER |
KW_GROUP | KW_BY | KW_AS | KW_INSERT | KW_OVERWRITE | KW_OUTER | KW_LEFT |
KW_RIGHT | KW_FULL | KW_PARTITION | KW_PARTITIONS | KW_TABLE | KW_TABLES |
KW_COLUMNS | KW_INDEX | KW_INDEXES | KW_REBUILD | KW_FUNCTIONS | KW_SHOW |
KW_MSCK | KW_REPAIR | KW_DIRECTORY | KW_LOCAL | KW_USING | KW_CLUSTER |
KW_DISTRIBUTE | KW_SORT | KW_UNION | KW_LOAD | KW_EXPORT | KW_IMPORT | KW_DATA
| KW_INPATH | KW_IS | KW_NULL | KW_CREATE | KW_EXTERNAL | KW_ALTER | KW_CHANGE
| KW_FIRST | KW_AFTER | KW_DESCRIBE | KW_DROP | KW_RENAME | KW_IGNORE |
KW_PROTECTION | KW_TO | KW_COMMENT | KW_BOOLEAN | KW_TINYINT | KW_SMALLINT |
KW_INT | KW_BIGINT | KW_FLOAT | KW_DOUBLE | KW_DATE | KW_DATETIME |
KW_TIMESTAMP | KW_DECIMAL | KW_STRING | KW_ARRAY | KW_STRUCT | KW_UNIONTYPE |
KW_PARTITIONED | KW_CLUSTERED | KW_SORTED | KW_INTO | KW_BUCKETS | KW_ROW |
KW_ROWS | KW_FORMAT | KW_DELIMITED | KW_FIELDS | KW_TERMINATED | KW_ESCAPED |
KW_COLLECTION |
KW_ITEMS | KW_KEYS | KW_KEY_TYPE | KW_LINES | KW_STORED | KW_FILEFORMAT |
KW_INPUTFORMAT | KW_OUTPUTFORMAT | KW_INPUTDRIVER | KW_OUTPUTDRIVER |
KW_OFFLINE | KW_ENABLE | KW_DISABLE | KW_READONLY | KW_NO_DROP | KW_LOCATION |
KW_BUCKET | KW_OUT | KW_OF | KW_PERCENT | KW_ADD | KW_REPLACE | KW_RLIKE |
KW_REGEXP | KW_TEMPORARY | KW_EXPLAIN | KW_FORMATTED | KW_PRETTY |
KW_DEPENDENCY | KW_LOGICAL | KW_SERDE | KW_WITH | KW_DEFERRED |
KW_SERDEPROPERTIES | KW_DBPROPERTIES | KW_LIMIT | KW_SET | KW_UNSET |
KW_TBLPROPERTIES | KW_IDXPROPERTIES | KW_VALUE_TYPE | KW_ELEM_TYPE | KW_MAPJOIN
| KW_STREAMTABLE | KW_HOLD_DDLTIME | KW_CLUSTERSTATUS | KW_UTC |
KW_UTCTIMESTAMP | KW_LONG | KW_DELETE | KW_PLUS | KW_MINUS | KW_FETCH |
KW_INTERSECT | KW_VIEW | KW_IN | KW_DATABASES | KW_MATERIALIZED | KW_SCHEMA |
KW_SCHEMAS | KW_GRANT | KW_REVOKE | KW_SSL | KW_UNDO | KW_LOCK | KW_LOCKS |
KW_UNLOCK | KW_SHARED | KW_EXCLUSIVE | KW_PROCEDURE | KW_UNSIGNED | KW_WHILE |
KW_READ | KW_READS | KW_PURGE | KW_RANGE | KW_AN
ALYZE | KW_BEFORE | KW_BETWEEN | KW_BOTH | KW_BINARY | KW_CONTINUE | KW_CURSOR
| KW_TRIGGER | KW_RECORDREADER | KW_RECORDWRITER | KW_SEMI | KW_LATERAL |
KW_TOUCH | KW_ARCHIVE | KW_UNARCHIVE | KW_COMPUTE | KW_STATISTICS | KW_USE |
KW_OPTION | KW_CONCATENATE | KW_SHOW_DATABASE | KW_UPDATE | KW_RESTRICT |
KW_CASCADE | KW_SKEWED | KW_ROLLUP | KW_CUBE | KW_DIRECTORIES | KW_FOR |
KW_GROUPING | KW_SETS | KW_TRUNCATE | KW_NOSCAN | KW_USER | KW_ROLE | KW_ROLES
| KW_INNER | KW_DEFINED | KW_ADMIN | KW_JAR | KW_FILE | KW_OWNER |
KW_PRINCIPALS | KW_ALL | KW_DEFAULT | KW_NONE | KW_COMPACT | KW_COMPACTIONS |
KW_TRANSACTIONS | KW_REWRITE | KW_AUTHORIZATION | KW_VALUES
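Review bot: The new `principalIdentifier` rule accepts any `QuotedIdentifier`, and nothing visible in this diff bounds what that token may contain, so an empty, whitespace-only or mixed-case principal name can presumably now reach the grant metadata. The stored name is presumably what authorization checks later compare against the authenticated user, so the analyzer that consumes `TOK_USER`/`TOK_GROUP` should reject empty names and apply one documented normalisation (quote stripping, case) on both the grant and the lookup side. That code is outside this diff, so this is a question to confirm rather than a demonstrated defect. A short comment above the rule would record the intent, e.g. `// user/group names originate outside Hive and need not be valid identifiers; backquote them when they are not`. The `nonReserved` rule that follows is context only and continues past the end of the hunk.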
Added: hive/trunk/ql/src/test/queries/clientpositive/authorization_non_id.q
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientpositive/authorization_non_id.q?rev=1626126&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientpositive/authorization_non_id.q (added)
+++ hive/trunk/ql/src/test/queries/clientpositive/authorization_non_id.q Fri
Sep 19 05:01:42 2014
@@ -0,0 +1,25 @@
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+
+set role ADMIN;
+drop table if exists src_autho_test;
+create table src_autho_test (id int);
+
+create role src_role2;
+
+grant role src_role2 to user bar;
+grant role src_role2 to user `foo-1`;
+
+show role grant user bar;
+show role grant user `foo-1`;
+
+grant select on table src_autho_test to user bar;
+grant select on table src_autho_test to user `foo-1`;
+
+show grant user bar on all;
+show grant user `foo-1` on all;
+
+drop table src_autho_test;
+drop role src_role2;
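Review bot: The test only exercises the `user` principal, so the `KW_GROUP principalIdentifier` alternative changed in HiveParser.g has no coverage here. I would add a backquoted group case next to the existing grants, i.e. a `grant role src_role2 to group` statement with a quoted name. I would also add a `revoke` for the `foo-1` user, followed by `show grant`, so the expected output proves the removal path resolves the same principal the grant created. Because this is authorization DDL, a revoke that failed to match a quoted name would leave access in place, and that is the outcome worth pinning in the .q.out file.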
Added: hive/trunk/ql/src/test/results/clientpositive/authorization_non_id.q.out
URL:
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_non_id.q.out?rev=1626126&view=auto
==============================================================================
--- hive/trunk/ql/src/test/results/clientpositive/authorization_non_id.q.out
(added)
+++ hive/trunk/ql/src/test/results/clientpositive/authorization_non_id.q.out
Fri Sep 19 05:01:42 2014
@@ -0,0 +1,74 @@
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: drop table if exists src_autho_test
+PREHOOK: type: DROPTABLE
+POSTHOOK: query: drop table if exists src_autho_test
+POSTHOOK: type: DROPTABLE
+PREHOOK: query: create table src_autho_test (id int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test (id int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: create role src_role2
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: create role src_role2
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: grant role src_role2 to user bar
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant role src_role2 to user bar
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: grant role src_role2 to user `foo-1`
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant role src_role2 to user `foo-1`
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: show role grant user bar
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user bar
+POSTHOOK: type: SHOW_ROLE_GRANT
+public false -1
+src_role2 false -1 hive_admin_user
+PREHOOK: query: show role grant user `foo-1`
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user `foo-1`
+POSTHOOK: type: SHOW_ROLE_GRANT
+public false -1
+src_role2 false -1 hive_admin_user
+PREHOOK: query: grant select on table src_autho_test to user bar
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: grant select on table src_autho_test to user bar
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: grant select on table src_autho_test to user `foo-1`
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: grant select on table src_autho_test to user `foo-1`
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: show grant user bar on all
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user bar on all
+POSTHOOK: type: SHOW_GRANT
+default src_autho_test bar USER SELECT false
-1 hive_admin_user
+PREHOOK: query: show grant user `foo-1` on all
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user `foo-1` on all
+POSTHOOK: type: SHOW_GRANT
+default src_autho_test foo-1 USER SELECT false
-1 hive_admin_user
+PREHOOK: query: drop table src_autho_test
+PREHOOK: type: DROPTABLE
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: drop table src_autho_test
+POSTHOOK: type: DROPTABLE
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: drop role src_role2
+PREHOOK: type: DROPROLE
+POSTHOOK: query: drop role src_role2
+POSTHOOK: type: DROPROLE