Author: thejas
Date: Mon Oct 13 23:50:58 2014
New Revision: 1631601

URL: http://svn.apache.org/r1631601
Log:
HIVE-7919 : sql std auth: user with 'admin option' for role should be able to 
list all users in the role (Thejas Nair, reviewed by Jason Dere)

Modified:
    
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
    hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q
    
hive/trunk/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out
    
hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out

Modified: 
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
URL: 
http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java?rev=1631601&r1=1631600&r2=1631601&view=diff
==============================================================================
--- 
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
 (original)
+++ 
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
 Mon Oct 13 23:50:58 2014
@@ -18,6 +18,7 @@
 package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -350,9 +351,9 @@ public class SQLStdHiveAccessController 
   @Override
   public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) 
throws HiveAuthzPluginException, HiveAccessControlException {
     // only user belonging to admin role can list role
-    if (!isUserAdmin()) {
+    if (!isUserAdmin() &&  !doesUserHasAdminOption(Arrays.asList(roleName))) {
       throw new HiveAccessControlException("Current user : " + 
currentUserName+ " is not"
-        + " allowed get principals in a role. " + ADMIN_ONLY_MSG);
+        + " allowed get principals in a role. " + ADMIN_ONLY_MSG + " 
Otherwise, " + HAS_ADMIN_PRIV_MSG);
     }
     try {
       return 
getHiveRoleGrants(metastoreClientFactory.getHiveMetastoreClient(), roleName);
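Review bot: The comment above the check, `// only user belonging to admin role can list role`, no longer matches the condition, which now also admits a user holding ADMIN OPTION on `roleName`; it should read something like `// only an admin, or a user with admin option on this role, can list its principals`. The denial message appends `HAS_ADMIN_PRIV_MSG`, whose text as shown in the updated clientnegative .q.out speaks of a `grantor` and the `role being granted`, which is misleading for a SHOW PRINCIPALS request; a message worded for listing would make the authorization failure easier to diagnose. The tests in this commit cover an admin-option holder and a user outside the admin role, so a negative case for a user who holds the role without ADMIN OPTION would pin the boundary this check is meant to enforce. The method body continues past the end of the hunk.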

Modified: 
hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q
URL: 
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q?rev=1631601&r1=1631600&r2=1631601&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q 
(original)
+++ hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q 
Mon Oct 13 23:50:58 2014
@@ -20,6 +20,7 @@ show principals src_role_wadmin;
 
 set user.name=user2;
 set role src_role_WadMin;
+show principals src_role_wadmin;
 -- grant role to another user
 grant src_Role_wadmin to user user3;
 

Modified: 
hive/trunk/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out
URL: 
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out?rev=1631601&r1=1631600&r2=1631601&view=diff
==============================================================================
--- 
hive/trunk/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out
 (original)
+++ 
hive/trunk/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out
 Mon Oct 13 23:50:58 2014
@@ -1,4 +1,4 @@
 PREHOOK: query: -- This test will fail because hive_test_user is not in admin 
role
 show principals role1
 PREHOOK: type: SHOW_ROLE_PRINCIPALS
-FAILED: Execution Error, return code 1 from 
org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_test_user is not 
allowed get principals in a role. User has to belong to ADMIN role and have it 
as current role, for this action.
+FAILED: Execution Error, return code 1 from 
org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_test_user is not 
allowed get principals in a role. User has to belong to ADMIN role and have it 
as current role, for this action. Otherwise, grantor need to have ADMIN OPTION 
on role being granted and have it as a current role for this action.

Modified: 
hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out
URL: 
http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out?rev=1631601&r1=1631600&r2=1631601&view=diff
==============================================================================
--- 
hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out 
(original)
+++ 
hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out 
Mon Oct 13 23:50:58 2014
@@ -41,6 +41,12 @@ PREHOOK: query: set role src_role_WadMin
 PREHOOK: type: SHOW_ROLES
 POSTHOOK: query: set role src_role_WadMin
 POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: show principals src_role_wadmin
+PREHOOK: type: SHOW_ROLE_PRINCIPALS
+POSTHOOK: query: show principals src_role_wadmin
+POSTHOOK: type: SHOW_ROLE_PRINCIPALS
+principal_name principal_type  grant_option    grantor grantor_type    
grant_time
+user2  USER    true    hive_admin_user USER    -1
 PREHOOK: query: -- grant role to another user
 grant src_Role_wadmin to user user3
 PREHOOK: type: GRANT_ROLE

