Repository: hive Updated Branches: refs/heads/master aaa356932 -> 90a9a90ed
HIVE-13095: Support view column authorization (Pengcheng Xiong, reviewed by Ashutosh Chauhan) Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/90a9a90e Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/90a9a90e Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/90a9a90e Branch: refs/heads/master Commit: 90a9a90edc6e5229b5030d655ffa19427779158b Parents: aaa3569 Author: Pengcheng Xiong <[email protected]> Authored: Mon Feb 29 14:40:01 2016 -0800 Committer: Pengcheng Xiong <[email protected]> Committed: Mon Feb 29 14:40:01 2016 -0800 ---------------------------------------------------------------------- .../java/org/apache/hadoop/hive/ql/Driver.java | 6 + .../hadoop/hive/ql/optimizer/ColumnPruner.java | 4 + .../ql/optimizer/ColumnPrunerProcFactory.java | 12 + .../calcite/rules/HiveRelFieldTrimmer.java | 38 ++- .../hadoop/hive/ql/parse/CalcitePlanner.java | 40 ++- .../hadoop/hive/ql/parse/ParseContext.java | 35 ++- .../org/apache/hadoop/hive/ql/parse/QB.java | 14 +- .../hadoop/hive/ql/parse/SemanticAnalyzer.java | 34 +- .../hadoop/hive/ql/parse/TaskCompiler.java | 2 +- .../clientnegative/authorization_view_1.q | 13 + .../clientnegative/authorization_view_2.q | 17 + .../clientnegative/authorization_view_3.q | 15 + .../clientnegative/authorization_view_4.q | 23 ++ .../authorization_view_disable_cbo_1.q | 14 + .../authorization_view_disable_cbo_2.q | 17 + .../authorization_view_disable_cbo_3.q | 16 + .../authorization_view_disable_cbo_4.q | 24 ++ .../clientpositive/authorization_view_1.q | 59 ++++ .../authorization_view_disable_cbo_1.q | 70 +++++ .../clientnegative/authorization_view_1.q.out | 31 ++ .../clientnegative/authorization_view_2.q.out | 37 +++ .../clientnegative/authorization_view_3.q.out | 37 +++ .../clientnegative/authorization_view_4.q.out | 69 +++++ .../authorization_view_disable_cbo_1.q.out | 31 ++ .../authorization_view_disable_cbo_2.q.out | 37 +++ .../authorization_view_disable_cbo_3.q.out | 37 +++ .../authorization_view_disable_cbo_4.q.out | 69 +++++ .../clientpositive/authorization_view_1.q.out | 261 ++++++++++++++++ .../authorization_view_disable_cbo_1.q.out | 309 +++++++++++++++++++ 29 files changed, 1357 insertions(+), 14 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/Driver.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java index 10bd97b..3253146 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java @@ -38,6 +38,7 @@ import java.util.concurrent.locks.ReentrantLock; import com.google.common.collect.ImmutableMap; import com.google.common.collect.Sets; + import org.apache.commons.lang.StringUtils; import org.apache.hadoop.mapreduce.MRJobConfig; import org.slf4j.Logger; @@ -85,6 +86,7 @@ import org.apache.hadoop.hive.ql.metadata.formatting.MetaDataFormatter; import org.apache.hadoop.hive.ql.optimizer.ppr.PartitionPruner; import org.apache.hadoop.hive.ql.parse.ASTNode; import org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer; +import org.apache.hadoop.hive.ql.parse.CalcitePlanner; import org.apache.hadoop.hive.ql.parse.ColumnAccessInfo; import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHook; import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext; @@ -747,6 +749,10 @@ public class Driver implements CommandProcessor { continue; } Table tbl = read.getTable(); + if (tbl.isView() && sem instanceof SemanticAnalyzer) { + tab2Cols.put(tbl, + sem.getColumnAccessInfo().getTableToColumnAccessMap().get(tbl.getTableName())); + } if (read.getPartition() != null) { Partition partition = read.getPartition(); tbl = partition.getTable(); http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPruner.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPruner.java b/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPruner.java index c353e3e..7e39d77 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPruner.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPruner.java @@ -44,6 +44,7 @@ import org.apache.hadoop.hive.ql.lib.Node; import org.apache.hadoop.hive.ql.lib.NodeProcessor; import org.apache.hadoop.hive.ql.lib.Rule; import org.apache.hadoop.hive.ql.lib.RuleRegExp; +import org.apache.hadoop.hive.ql.parse.ColumnAccessInfo; import org.apache.hadoop.hive.ql.parse.ParseContext; import org.apache.hadoop.hive.ql.parse.SemanticException; @@ -133,6 +134,9 @@ public class ColumnPruner extends Transform { ArrayList<Node> topNodes = new ArrayList<Node>(); topNodes.addAll(pGraphContext.getTopOps().values()); ogw.startWalking(topNodes, null); + // set it back so that column pruner in the optimizer will not do the + // view column authorization again even if it is triggered again. + pGraphContext.setNeedViewColumnAuthorization(false); return pGraphContext; } http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPrunerProcFactory.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPrunerProcFactory.java b/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPrunerProcFactory.java index 78bce23..7638ba0 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPrunerProcFactory.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPrunerProcFactory.java @@ -52,6 +52,7 @@ import org.apache.hadoop.hive.ql.exec.Utilities; import org.apache.hadoop.hive.ql.lib.Node; import org.apache.hadoop.hive.ql.lib.NodeProcessor; import org.apache.hadoop.hive.ql.lib.NodeProcessorCtx; +import org.apache.hadoop.hive.ql.metadata.Table; import org.apache.hadoop.hive.ql.metadata.VirtualColumn; import org.apache.hadoop.hive.ql.parse.RowResolver; import org.apache.hadoop.hive.ql.parse.SemanticException; @@ -781,6 +782,17 @@ public final class ColumnPrunerProcFactory { // by now, 'prunedCols' are columns used by child operators, and 'columns' // are columns used by this select operator. List<String> originalOutputColumnNames = conf.getOutputColumnNames(); + // get view column authorization. + if (cppCtx.getParseContext().getColumnAccessInfo() != null + && cppCtx.getParseContext().getViewProjectToTableSchema() != null + && cppCtx.getParseContext().getViewProjectToTableSchema().containsKey(op)) { + for (String col : cols) { + int index = originalOutputColumnNames.indexOf(col); + Table tab = cppCtx.getParseContext().getViewProjectToTableSchema().get(op); + cppCtx.getParseContext().getColumnAccessInfo() + .add(tab.getTableName(), tab.getCols().get(index).getName()); + } + } if (cols.size() < originalOutputColumnNames.size()) { ArrayList<ExprNodeDesc> newColList = new ArrayList<ExprNodeDesc>(); ArrayList<String> newOutputColumnNames = new ArrayList<String>(); http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/rules/HiveRelFieldTrimmer.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/rules/HiveRelFieldTrimmer.java b/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/rules/HiveRelFieldTrimmer.java index 18145ae..997b82c 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/rules/HiveRelFieldTrimmer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/rules/HiveRelFieldTrimmer.java @@ -21,8 +21,10 @@ import java.util.ArrayList; import java.util.Collections; import java.util.LinkedHashSet; import java.util.List; +import java.util.Map; import java.util.Set; +import org.apache.calcite.linq4j.Ord; import org.apache.calcite.plan.RelOptCluster; import org.apache.calcite.plan.RelOptUtil; import org.apache.calcite.rel.RelCollation; @@ -50,7 +52,6 @@ import org.apache.calcite.sql2rel.CorrelationReferenceFinder; import org.apache.calcite.sql2rel.RelFieldTrimmer; import org.apache.calcite.tools.RelBuilder; import org.apache.calcite.util.ImmutableBitSet; -import org.apache.calcite.util.Stacks; import org.apache.calcite.util.Util; import org.apache.calcite.util.mapping.IntPair; import org.apache.calcite.util.mapping.Mapping; @@ -58,8 +59,11 @@ import org.apache.calcite.util.mapping.MappingType; import org.apache.calcite.util.mapping.Mappings; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.hadoop.hive.ql.metadata.Table; import org.apache.hadoop.hive.ql.optimizer.calcite.reloperators.HiveMultiJoin; +import org.apache.hadoop.hive.ql.optimizer.calcite.reloperators.HiveProject; import org.apache.hadoop.hive.ql.optimizer.calcite.reloperators.HiveSortLimit; +import org.apache.hadoop.hive.ql.parse.ColumnAccessInfo; import com.google.common.collect.ImmutableList; import com.google.common.collect.Lists; @@ -70,11 +74,23 @@ public class HiveRelFieldTrimmer extends RelFieldTrimmer { private RelBuilder relBuilder; + private ColumnAccessInfo columnAccessInfo; + + private Map<HiveProject, Table> viewProjectToTableSchema; + public HiveRelFieldTrimmer(SqlValidator validator, RelBuilder relBuilder) { super(validator, relBuilder); this.relBuilder = relBuilder; } + public HiveRelFieldTrimmer(SqlValidator validator, RelBuilder relBuilder, + ColumnAccessInfo columnAccessInfo, Map<HiveProject, Table> viewToTableSchema) { + super(validator, relBuilder); + this.relBuilder = relBuilder; + this.columnAccessInfo = columnAccessInfo; + this.viewProjectToTableSchema = viewToTableSchema; + } + /** * Variant of {@link #trimFields(RelNode, ImmutableBitSet, Set)} for * {@link org.apache.hadoop.hive.ql.optimizer.calcite.reloperators.HiveMultiJoin}. @@ -358,4 +374,24 @@ public class HiveRelFieldTrimmer extends RelFieldTrimmer { } return new TrimResult(r, mapping); } + + /** + * Variant of {@link #trimFields(RelNode, ImmutableBitSet, Set)} for + * {@link org.apache.calcite.rel.logical.LogicalProject}. + */ + public TrimResult trimFields(Project project, ImmutableBitSet fieldsUsed, + Set<RelDataTypeField> extraFields) { + // set columnAccessInfo for ViewColumnAuthorization + for (Ord<RexNode> ord : Ord.zip(project.getProjects())) { + if (fieldsUsed.get(ord.i)) { + if (this.columnAccessInfo != null && this.viewProjectToTableSchema != null + && this.viewProjectToTableSchema.containsKey(project)) { + Table tab = this.viewProjectToTableSchema.get(project); + this.columnAccessInfo.add(tab.getTableName(), tab.getCols().get(ord.i).getName()); + } + } + } + return super.trimFields(project, fieldsUsed, extraFields); + } + } http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/parse/CalcitePlanner.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/CalcitePlanner.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/CalcitePlanner.java index f928a58..d056c5d 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/CalcitePlanner.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/CalcitePlanner.java @@ -695,7 +695,12 @@ public class CalcitePlanner extends SemanticAnalyzer { ASTNode getOptimizedAST() throws SemanticException { ASTNode optiqOptimizedAST = null; RelNode optimizedOptiqPlan = null; - CalcitePlannerAction calcitePlannerAction = new CalcitePlannerAction(prunedPartitions); + + CalcitePlannerAction calcitePlannerAction = null; + if (this.columnAccessInfo == null) { + this.columnAccessInfo = new ColumnAccessInfo(); + } + calcitePlannerAction = new CalcitePlannerAction(prunedPartitions, this.columnAccessInfo); try { optimizedOptiqPlan = Frameworks.withPlanner(calcitePlannerAction, Frameworks @@ -717,7 +722,11 @@ public class CalcitePlanner extends SemanticAnalyzer { */ Operator getOptimizedHiveOPDag() throws SemanticException { RelNode optimizedOptiqPlan = null; - CalcitePlannerAction calcitePlannerAction = new CalcitePlannerAction(prunedPartitions); + CalcitePlannerAction calcitePlannerAction = null; + if (this.columnAccessInfo == null) { + this.columnAccessInfo = new ColumnAccessInfo(); + } + calcitePlannerAction = new CalcitePlannerAction(prunedPartitions, this.columnAccessInfo); try { optimizedOptiqPlan = Frameworks.withPlanner(calcitePlannerAction, Frameworks @@ -879,14 +888,17 @@ public class CalcitePlanner extends SemanticAnalyzer { private RelOptCluster cluster; private RelOptSchema relOptSchema; private final Map<String, PrunedPartitionList> partitionCache; + private final ColumnAccessInfo columnAccessInfo; + private Map<HiveProject, Table> viewProjectToTableSchema; // TODO: Do we need to keep track of RR, ColNameToPosMap for every op or // just last one. LinkedHashMap<RelNode, RowResolver> relToHiveRR = new LinkedHashMap<RelNode, RowResolver>(); LinkedHashMap<RelNode, ImmutableMap<String, Integer>> relToHiveColNameCalcitePosMap = new LinkedHashMap<RelNode, ImmutableMap<String, Integer>>(); - CalcitePlannerAction(Map<String, PrunedPartitionList> partitionCache) { + CalcitePlannerAction(Map<String, PrunedPartitionList> partitionCache, ColumnAccessInfo columnAccessInfo) { this.partitionCache = partitionCache; + this.columnAccessInfo = columnAccessInfo; } @Override @@ -928,6 +940,12 @@ public class CalcitePlanner extends SemanticAnalyzer { } perfLogger.PerfLogEnd(this.getClass().getName(), PerfLogger.OPTIMIZER, "Calcite: Plan generation"); + // We need to get the ColumnAccessInfo and viewToTableSchema for views. + HiveRelFieldTrimmer fieldTrimmer = new HiveRelFieldTrimmer(null, + HiveRelFactories.HIVE_BUILDER.create(cluster, null), this.columnAccessInfo, + this.viewProjectToTableSchema); + fieldTrimmer.trim(calciteGenPlan); + // Create MD provider HiveDefaultRelMetadataProvider mdProvider = new HiveDefaultRelMetadataProvider(conf); @@ -1048,7 +1066,7 @@ public class CalcitePlanner extends SemanticAnalyzer { HiveJoinToMultiJoinRule.INSTANCE, HiveProjectMergeRule.INSTANCE); // The previous rules can pull up projections through join operators, // thus we run the field trimmer again to push them back down - HiveRelFieldTrimmer fieldTrimmer = new HiveRelFieldTrimmer(null, + fieldTrimmer = new HiveRelFieldTrimmer(null, HiveRelFactories.HIVE_BUILDER.create(cluster, null)); calciteOptimizedPlan = fieldTrimmer.trim(calciteOptimizedPlan); calciteOptimizedPlan = hepPlan(calciteOptimizedPlan, false, mdProvider.getMetadataProvider(), null, @@ -3020,7 +3038,19 @@ public class CalcitePlanner extends SemanticAnalyzer { // 1.1. Recurse over the subqueries to fill the subquery part of the plan for (String subqAlias : qb.getSubqAliases()) { QBExpr qbexpr = qb.getSubqForAlias(subqAlias); - aliasToRel.put(subqAlias, genLogicalPlan(qbexpr)); + RelNode relNode = genLogicalPlan(qbexpr); + aliasToRel.put(subqAlias, relNode); + if (qb.getViewToTabSchema().containsKey(subqAlias)) { + if (relNode instanceof HiveProject) { + if (this.viewProjectToTableSchema == null) { + this.viewProjectToTableSchema = new LinkedHashMap<>(); + } + viewProjectToTableSchema.put((HiveProject) relNode, qb.getViewToTabSchema().get(subqAlias)); + } else { + throw new SemanticException("View " + subqAlias + " is corresponding to " + + relNode.toString() + ", rather than a HiveProject."); + } + } } // 1.2 Recurse over all the source tables http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/parse/ParseContext.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/ParseContext.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/ParseContext.java index 642c227..4f784d1 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/ParseContext.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/ParseContext.java @@ -36,10 +36,12 @@ import org.apache.hadoop.hive.ql.exec.MapJoinOperator; import org.apache.hadoop.hive.ql.exec.Operator; import org.apache.hadoop.hive.ql.exec.ReduceSinkOperator; import org.apache.hadoop.hive.ql.exec.SMBMapJoinOperator; +import org.apache.hadoop.hive.ql.exec.SelectOperator; import org.apache.hadoop.hive.ql.exec.TableScanOperator; import org.apache.hadoop.hive.ql.exec.Task; import org.apache.hadoop.hive.ql.hooks.LineageInfo; import org.apache.hadoop.hive.ql.hooks.ReadEntity; +import org.apache.hadoop.hive.ql.metadata.Table; import org.apache.hadoop.hive.ql.optimizer.ppr.PartitionPruner; import org.apache.hadoop.hive.ql.optimizer.unionproc.UnionProcContext; import org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer.AnalyzeRewriteContext; @@ -107,6 +109,9 @@ public class ParseContext { private CreateTableDesc createTableDesc; private boolean reduceSinkAddedBySortedDynPartition; + private Map<SelectOperator, Table> viewProjectToViewSchema; + private ColumnAccessInfo columnAccessInfo; + private boolean needViewColumnAuthorization; public ParseContext() { } @@ -165,7 +170,7 @@ public class ParseContext { Map<String, ReadEntity> viewAliasToInput, List<ReduceSinkOperator> reduceSinkOperatorsAddedByEnforceBucketingSorting, AnalyzeRewriteContext analyzeRewrite, CreateTableDesc createTableDesc, - QueryProperties queryProperties) { + QueryProperties queryProperties, Map<SelectOperator, Table> viewProjectToTableSchema) { this.conf = conf; this.opToPartPruner = opToPartPruner; this.opToPartList = opToPartList; @@ -192,6 +197,14 @@ public class ParseContext { this.analyzeRewrite = analyzeRewrite; this.createTableDesc = createTableDesc; this.queryProperties = queryProperties; + this.viewProjectToViewSchema = viewProjectToTableSchema; + this.needViewColumnAuthorization = viewProjectToTableSchema != null + && !viewProjectToTableSchema.isEmpty(); + if (this.needViewColumnAuthorization) { + // this will trigger the column pruner to collect view column + // authorization info. + this.columnAccessInfo = new ColumnAccessInfo(); + } } /** @@ -539,4 +552,24 @@ public class ParseContext { public boolean isReduceSinkAddedBySortedDynPartition() { return reduceSinkAddedBySortedDynPartition; } + + public Map<SelectOperator, Table> getViewProjectToTableSchema() { + return viewProjectToViewSchema; + } + + public ColumnAccessInfo getColumnAccessInfo() { + return columnAccessInfo; + } + + public void setColumnAccessInfo(ColumnAccessInfo columnAccessInfo) { + this.columnAccessInfo = columnAccessInfo; + } + + public boolean isNeedViewColumnAuthorization() { + return needViewColumnAuthorization; + } + + public void setNeedViewColumnAuthorization(boolean needViewColumnAuthorization) { + this.needViewColumnAuthorization = needViewColumnAuthorization; + } } http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/parse/QB.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/QB.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/QB.java index f04b493..91352b2 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/QB.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/QB.java @@ -47,6 +47,7 @@ public class QB { private int numSelDi = 0; private HashMap<String, String> aliasToTabs; private HashMap<String, QBExpr> aliasToSubq; + private HashMap<String, Table> viewAliasToViewSchema; private HashMap<String, Map<String, String>> aliasToProps; private List<String> aliases; private QBParseInfo qbp; @@ -110,6 +111,7 @@ public class QB { // Must be deterministic order maps - see HIVE-8707 aliasToTabs = new LinkedHashMap<String, String>(); aliasToSubq = new LinkedHashMap<String, QBExpr>(); + viewAliasToViewSchema = new LinkedHashMap<String, Table>(); aliasToProps = new LinkedHashMap<String, Map<String, String>>(); aliases = new ArrayList<String>(); if (alias != null) { @@ -231,15 +233,18 @@ public class QB { return aliasToProps.get(alias.toLowerCase()); } - public void rewriteViewToSubq(String alias, String viewName, QBExpr qbexpr) { + public void rewriteViewToSubq(String alias, String viewName, QBExpr qbexpr, Table tab) { alias = alias.toLowerCase(); String tableName = aliasToTabs.remove(alias); assert (viewName.equals(tableName)); aliasToSubq.put(alias, qbexpr); + if (tab != null) { + viewAliasToViewSchema.put(alias, tab); + } } public void rewriteCTEToSubq(String alias, String cteName, QBExpr qbexpr) { - rewriteViewToSubq(alias, cteName, qbexpr); + rewriteViewToSubq(alias, cteName, qbexpr, null); } public QBJoinTree getQbJoinTree() { @@ -406,4 +411,9 @@ public class QB { } return encryptedTargetTablePaths; } + + public HashMap<String, Table> getViewToTabSchema() { + return viewAliasToViewSchema; + } + } http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java index 7d2595d..0db1dab 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java @@ -117,6 +117,7 @@ import org.apache.hadoop.hive.ql.metadata.Partition; import org.apache.hadoop.hive.ql.metadata.SessionHiveMetaStoreClient; import org.apache.hadoop.hive.ql.metadata.Table; import org.apache.hadoop.hive.ql.metadata.VirtualColumn; +import org.apache.hadoop.hive.ql.optimizer.ColumnPruner; import org.apache.hadoop.hive.ql.optimizer.Optimizer; import org.apache.hadoop.hive.ql.optimizer.Transform; import org.apache.hadoop.hive.ql.optimizer.calcite.CalciteSemanticException; @@ -262,6 +263,7 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer { List<AbstractMapJoinOperator<? extends MapJoinDesc>> listMapJoinOpsNoReducer; private HashMap<TableScanOperator, SampleDesc> opToSamplePruner; private final Map<TableScanOperator, Map<String, ExprNodeDesc>> opToPartToSkewedPruner; + private Map<SelectOperator, Table> viewProjectToTableSchema; /** * a map for the split sampling, from alias to an instance of SplitSample * that describes percentage and number. @@ -427,7 +429,7 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer { listMapJoinOpsNoReducer, prunedPartitions, opToSamplePruner, globalLimitCtx, nameToSplitSample, inputs, rootTasks, opToPartToSkewedPruner, viewAliasToInput, reduceSinkOperatorsAddedByEnforceBucketingSorting, - analyzeRewrite, tableDesc, queryProperties); + analyzeRewrite, tableDesc, queryProperties, viewProjectToTableSchema); } public CompilationOpContext getOpContext() { @@ -2303,7 +2305,13 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer { } QBExpr qbexpr = new QBExpr(alias); doPhase1QBExpr(viewTree, qbexpr, qb.getId(), alias); - qb.rewriteViewToSubq(alias, tab_name, qbexpr); + if (!this.skipAuthorization() + && HiveConf.getBoolVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) { + qb.rewriteViewToSubq(alias, tab_name, qbexpr, tab); + } + else{ + qb.rewriteViewToSubq(alias, tab_name, qbexpr, null); + } } private boolean isPresent(String[] list, String elem) { @@ -9855,7 +9863,21 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer { // Recurse over the subqueries to fill the subquery part of the plan for (String alias : qb.getSubqAliases()) { QBExpr qbexpr = qb.getSubqForAlias(alias); - aliasToOpInfo.put(alias, genPlan(qb, qbexpr)); + Operator operator = genPlan(qb, qbexpr); + aliasToOpInfo.put(alias, operator); + if (qb.getViewToTabSchema().containsKey(alias)) { + // we set viewProjectToTableSchema so that we can leverage ColumnPruner. + if (operator instanceof SelectOperator) { + if (this.viewProjectToTableSchema == null) { + this.viewProjectToTableSchema = new LinkedHashMap<>(); + } + viewProjectToTableSchema.put((SelectOperator) operator, qb.getViewToTabSchema() + .get(alias)); + } else { + throw new SemanticException("View " + alias + " is corresponding to " + + operator.getType().name() + ", rather than a SelectOperator."); + } + } } // Recurse over all the source tables @@ -10376,7 +10398,7 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer { listMapJoinOpsNoReducer, prunedPartitions, opToSamplePruner, globalLimitCtx, nameToSplitSample, inputs, rootTasks, opToPartToSkewedPruner, viewAliasToInput, reduceSinkOperatorsAddedByEnforceBucketingSorting, - analyzeRewrite, tableDesc, queryProperties); + analyzeRewrite, tableDesc, queryProperties, viewProjectToTableSchema); // 5. Take care of view creation if (createVwDesc != null) { @@ -10426,6 +10448,10 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer { optm.setPctx(pCtx); optm.initialize(conf); pCtx = optm.optimize(); + if (pCtx.getColumnAccessInfo() != null) { + // set ColumnAccessInfo for view column authorization + setColumnAccessInfo(pCtx.getColumnAccessInfo()); + } FetchTask origFetchTask = pCtx.getFetchTask(); if (LOG.isDebugEnabled()) { LOG.debug("After logical optimization\n" + Operator.toString(pCtx.getTopOps().values())); http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/parse/TaskCompiler.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/TaskCompiler.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/TaskCompiler.java index fc555ca..7415078 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/parse/TaskCompiler.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/TaskCompiler.java @@ -402,7 +402,7 @@ public abstract class TaskCompiler { pCtx.getNameToSplitSample(), pCtx.getSemanticInputs(), rootTasks, pCtx.getOpToPartToSkewedPruner(), pCtx.getViewAliasToInput(), pCtx.getReduceSinkOperatorsAddedByEnforceBucketingSorting(), - pCtx.getAnalyzeRewrite(), pCtx.getCreateTable(), pCtx.getQueryProperties()); + pCtx.getAnalyzeRewrite(), pCtx.getCreateTable(), pCtx.getQueryProperties(), pCtx.getViewProjectToTableSchema()); clone.setFetchTask(pCtx.getFetchTask()); clone.setLineageInfo(pCtx.getLineageInfo()); clone.setMapJoinOps(pCtx.getMapJoinOps()); http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientnegative/authorization_view_1.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientnegative/authorization_view_1.q b/ql/src/test/queries/clientnegative/authorization_view_1.q new file mode 100644 index 0000000..d37b406 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_view_1.q @@ -0,0 +1,13 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; + +create table src_autho_test as select * from src; + +create view v as select * from src_autho_test; + +set hive.security.authorization.enabled=true; + +--table grant to user + +grant select(key) on table src_autho_test to user hive_test_user; + +select * from v order by key limit 1; http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientnegative/authorization_view_2.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientnegative/authorization_view_2.q b/ql/src/test/queries/clientnegative/authorization_view_2.q new file mode 100644 index 0000000..37297c8 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_view_2.q @@ -0,0 +1,17 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; + +create table src_autho_test as select * from src; + +create view v as select * from src_autho_test; + +set hive.security.authorization.enabled=true; + +--table grant to user + +grant select(key) on table src_autho_test to user hive_test_user; + +grant select(key) on table v to user hive_test_user; + +select key from +(select v.key from src_autho_test join v on src_autho_test.value=v.value)subq +order by key limit 10; http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientnegative/authorization_view_3.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientnegative/authorization_view_3.q b/ql/src/test/queries/clientnegative/authorization_view_3.q new file mode 100644 index 0000000..abcd877 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_view_3.q @@ -0,0 +1,15 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; + +create table src_autho_test as select * from src; + +create view v as select * from src_autho_test; + +set hive.security.authorization.enabled=true; + +--table grant to user + +grant select(key) on table src_autho_test to user hive_test_user; + +grant select(key) on v to user hive_test_user; + +select * from v order by key limit 1; http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientnegative/authorization_view_4.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientnegative/authorization_view_4.q b/ql/src/test/queries/clientnegative/authorization_view_4.q new file mode 100644 index 0000000..c51bdae --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_view_4.q @@ -0,0 +1,23 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; + +create table src_autho_test as select * from src; + +create view v as select * from src_autho_test; + +create view v1 as select * from src_autho_test; + +create view v2 as select * from src_autho_test; + +set hive.security.authorization.enabled=true; + +--table grant to user + +grant select on table src_autho_test to user hive_test_user; + +grant select on table v to user hive_test_user; +grant select on table v1 to user hive_test_user; +grant select(key) on table v2 to user hive_test_user; + +select key from +(select value as key from v1 union select value as key from v2 union all select key from v)subq +limit 10; http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_1.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_1.q b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_1.q new file mode 100644 index 0000000..7c4b343 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_1.q @@ -0,0 +1,14 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; +set hive.cbo.enable=false; + +create table src_autho_test as select * from src; + +create view v as select * from src_autho_test; + +set hive.security.authorization.enabled=true; + +--table grant to user + +grant select(key) on table src_autho_test to user hive_test_user; + +select * from v order by key limit 1; http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_2.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_2.q b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_2.q new file mode 100644 index 0000000..37297c8 --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_2.q @@ -0,0 +1,17 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; + +create table src_autho_test as select * from src; + +create view v as select * from src_autho_test; + +set hive.security.authorization.enabled=true; + +--table grant to user + +grant select(key) on table src_autho_test to user hive_test_user; + +grant select(key) on table v to user hive_test_user; + +select key from +(select v.key from src_autho_test join v on src_autho_test.value=v.value)subq +order by key limit 10; http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_3.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_3.q b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_3.q new file mode 100644 index 0000000..954072d --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_3.q @@ -0,0 +1,16 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; +set hive.cbo.enable=false; + +create table src_autho_test as select * from src; + +create view v as select * from src_autho_test; + +set hive.security.authorization.enabled=true; + +--table grant to user + +grant select(key) on table src_autho_test to user hive_test_user; + +grant select(key) on v to user hive_test_user; + +select * from v order by key limit 1; http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_4.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_4.q b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_4.q new file mode 100644 index 0000000..11cedcf --- /dev/null +++ b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_4.q @@ -0,0 +1,24 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; +set hive.cbo.enable=false; + +create table src_autho_test as select * from src; + +create view v as select * from src_autho_test; + +create view v1 as select * from src_autho_test; + +create view v2 as select * from src_autho_test; + +set hive.security.authorization.enabled=true; + +--table grant to user + +grant select on table src_autho_test to user hive_test_user; + +grant select on table v to user hive_test_user; +grant select on table v1 to user hive_test_user; +grant select(key) on table v2 to user hive_test_user; + +select key from +(select value as key from v1 union select value as key from v2 union all select key from v)subq +limit 10; http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientpositive/authorization_view_1.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientpositive/authorization_view_1.q b/ql/src/test/queries/clientpositive/authorization_view_1.q new file mode 100644 index 0000000..86accdc --- /dev/null +++ b/ql/src/test/queries/clientpositive/authorization_view_1.q @@ -0,0 +1,59 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; + +create table src_autho_test as select * from src; + +create view v as select * from src_autho_test; + +create view v1 as select * from src_autho_test; + +create view v2 as select * from src_autho_test; + +set hive.security.authorization.enabled=true; + +--table grant to user + +grant select on table src_autho_test to user hive_test_user; + +grant select on table v to user hive_test_user; +grant select on table v1 to user hive_test_user; +grant select on table v2 to user hive_test_user; + +show grant user hive_test_user on table v; +show grant user hive_test_user on v; +show grant user hive_test_user on v(key); + +select * from v order by key limit 10; + +revoke select on table src_autho_test from user hive_test_user; + +show grant user hive_test_user on table v; +show grant user hive_test_user on v; +show grant user hive_test_user on v(key); + +revoke select on table v from user hive_test_user; + +show grant user hive_test_user on table v; +show grant user hive_test_user on v; +show grant user hive_test_user on v(key); + +--column grant to user + +grant select on table src_autho_test to user hive_test_user; +grant select(key) on table v to user hive_test_user; + +show grant user hive_test_user on table v; +show grant user hive_test_user on v(key); + +select key from v order by key limit 10; + +select key from +(select v.key from src_autho_test join v on src_autho_test.key=v.key)subq +order by key limit 10; + +select key from +(select key as key from src_autho_test union all select key from v)subq +limit 10; + +select key from +(select value as key from v2 union select value as key from v1 union all select key from v)subq +limit 10; http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientpositive/authorization_view_disable_cbo_1.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientpositive/authorization_view_disable_cbo_1.q b/ql/src/test/queries/clientpositive/authorization_view_disable_cbo_1.q new file mode 100644 index 0000000..42652ea --- /dev/null +++ b/ql/src/test/queries/clientpositive/authorization_view_disable_cbo_1.q @@ -0,0 +1,70 @@ +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider; +set hive.cbo.enable=false; + +create table src_autho_test as select * from src; + +create view v as select * from src_autho_test; + +create view v1 as select * from src_autho_test; + +create view v2 as select * from src_autho_test; + +set hive.security.authorization.enabled=true; + +--table grant to user + +grant select on table src_autho_test to user hive_test_user; + +grant select on table v to user hive_test_user; +grant select on table v1 to user hive_test_user; +grant select on table v2 to user hive_test_user; + +show grant user hive_test_user on table v; +show grant user hive_test_user on v; +show grant user hive_test_user on v(key); + +select * from v order by key limit 10; + +revoke select on table src_autho_test from user hive_test_user; + +show grant user hive_test_user on table v; +show grant user hive_test_user on v; +show grant user hive_test_user on v(key); + +revoke select on table v from user hive_test_user; + +show grant user hive_test_user on table v; +show grant user hive_test_user on v; +show grant user hive_test_user on v(key); + +--column grant to user + +grant select on table src_autho_test to user hive_test_user; +grant select(key) on table v to user hive_test_user; + +show grant user hive_test_user on table v; +show grant user hive_test_user on v(key); + +select key from v order by key limit 10; + +select key from +(select v.key from src_autho_test join v on src_autho_test.key=v.key)subq +order by key limit 10; + +select key from +(select key as key from src_autho_test union all select key from v)subq +limit 10; + +select key from +(select value as key from v2 union select value as key from v1 union all select key from v)subq +limit 10; + +set hive.cbo.enable=true; + +--although cbo is enabled, it will not succeed. + +select key from v sort by key limit 10; + +select key from +(select key as key from src_autho_test union all select key from v cluster by key)subq +limit 10; http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientnegative/authorization_view_1.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientnegative/authorization_view_1.q.out b/ql/src/test/results/clientnegative/authorization_view_1.q.out new file mode 100644 index 0000000..2feb0d8 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_view_1.q.out @@ -0,0 +1,31 @@ +PREHOOK: query: create table src_autho_test as select * from src +PREHOOK: type: CREATETABLE_AS_SELECT +PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: create table src_autho_test as select * from src +POSTHOOK: type: CREATETABLE_AS_SELECT +POSTHOOK: Input: default@src +POSTHOOK: Output: database:default +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: create view v as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v +POSTHOOK: query: create view v as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v +PREHOOK: query: --table grant to user + +grant select(key) on table src_autho_test to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --table grant to user + +grant select(key) on table src_autho_test to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +Authorization failed:No privilege 'Select' found for inputs { database:default, table:v, columnName:key}. Use SHOW GRANT to get more details. http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientnegative/authorization_view_2.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientnegative/authorization_view_2.q.out b/ql/src/test/results/clientnegative/authorization_view_2.q.out new file mode 100644 index 0000000..0f8bd13 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_view_2.q.out @@ -0,0 +1,37 @@ +PREHOOK: query: create table src_autho_test as select * from src +PREHOOK: type: CREATETABLE_AS_SELECT +PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: create table src_autho_test as select * from src +POSTHOOK: type: CREATETABLE_AS_SELECT +POSTHOOK: Input: default@src +POSTHOOK: Output: database:default +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: create view v as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v +POSTHOOK: query: create view v as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v +PREHOOK: query: --table grant to user + +grant select(key) on table src_autho_test to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --table grant to user + +grant select(key) on table src_autho_test to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: grant select(key) on table v to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v +POSTHOOK: query: grant select(key) on table v to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v +Authorization failed:No privilege 'Select' found for inputs { database:default, table:src_autho_test, columnName:value}. Use SHOW GRANT to get more details. http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientnegative/authorization_view_3.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientnegative/authorization_view_3.q.out b/ql/src/test/results/clientnegative/authorization_view_3.q.out new file mode 100644 index 0000000..e6d2352 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_view_3.q.out @@ -0,0 +1,37 @@ +PREHOOK: query: create table src_autho_test as select * from src +PREHOOK: type: CREATETABLE_AS_SELECT +PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: create table src_autho_test as select * from src +POSTHOOK: type: CREATETABLE_AS_SELECT +POSTHOOK: Input: default@src +POSTHOOK: Output: database:default +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: create view v as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v +POSTHOOK: query: create view v as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v +PREHOOK: query: --table grant to user + +grant select(key) on table src_autho_test to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --table grant to user + +grant select(key) on table src_autho_test to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: grant select(key) on v to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v +POSTHOOK: query: grant select(key) on v to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v +Authorization failed:No privilege 'Select' found for inputs { database:default, table:v, columnName:value}. Use SHOW GRANT to get more details. http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientnegative/authorization_view_4.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientnegative/authorization_view_4.q.out b/ql/src/test/results/clientnegative/authorization_view_4.q.out new file mode 100644 index 0000000..371d407 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_view_4.q.out @@ -0,0 +1,69 @@ +PREHOOK: query: create table src_autho_test as select * from src +PREHOOK: type: CREATETABLE_AS_SELECT +PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: create table src_autho_test as select * from src +POSTHOOK: type: CREATETABLE_AS_SELECT +POSTHOOK: Input: default@src +POSTHOOK: Output: database:default +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: create view v as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v +POSTHOOK: query: create view v as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v +PREHOOK: query: create view v1 as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v1 +POSTHOOK: query: create view v1 as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v1 +PREHOOK: query: create view v2 as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v2 +POSTHOOK: query: create view v2 as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v2 +PREHOOK: query: --table grant to user + +grant select on table src_autho_test to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --table grant to user + +grant select on table src_autho_test to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: grant select on table v to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v +POSTHOOK: query: grant select on table v to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v +PREHOOK: query: grant select on table v1 to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v1 +POSTHOOK: query: grant select on table v1 to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v1 +PREHOOK: query: grant select(key) on table v2 to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v2 +POSTHOOK: query: grant select(key) on table v2 to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v2 +Authorization failed:No privilege 'Select' found for inputs { database:default, table:v2, columnName:value}. Use SHOW GRANT to get more details. http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientnegative/authorization_view_disable_cbo_1.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientnegative/authorization_view_disable_cbo_1.q.out b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_1.q.out new file mode 100644 index 0000000..2feb0d8 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_1.q.out @@ -0,0 +1,31 @@ +PREHOOK: query: create table src_autho_test as select * from src +PREHOOK: type: CREATETABLE_AS_SELECT +PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: create table src_autho_test as select * from src +POSTHOOK: type: CREATETABLE_AS_SELECT +POSTHOOK: Input: default@src +POSTHOOK: Output: database:default +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: create view v as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v +POSTHOOK: query: create view v as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v +PREHOOK: query: --table grant to user + +grant select(key) on table src_autho_test to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --table grant to user + +grant select(key) on table src_autho_test to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +Authorization failed:No privilege 'Select' found for inputs { database:default, table:v, columnName:key}. Use SHOW GRANT to get more details. http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientnegative/authorization_view_disable_cbo_2.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientnegative/authorization_view_disable_cbo_2.q.out b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_2.q.out new file mode 100644 index 0000000..0f8bd13 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_2.q.out @@ -0,0 +1,37 @@ +PREHOOK: query: create table src_autho_test as select * from src +PREHOOK: type: CREATETABLE_AS_SELECT +PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: create table src_autho_test as select * from src +POSTHOOK: type: CREATETABLE_AS_SELECT +POSTHOOK: Input: default@src +POSTHOOK: Output: database:default +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: create view v as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v +POSTHOOK: query: create view v as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v +PREHOOK: query: --table grant to user + +grant select(key) on table src_autho_test to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --table grant to user + +grant select(key) on table src_autho_test to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: grant select(key) on table v to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v +POSTHOOK: query: grant select(key) on table v to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v +Authorization failed:No privilege 'Select' found for inputs { database:default, table:src_autho_test, columnName:value}. Use SHOW GRANT to get more details. http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientnegative/authorization_view_disable_cbo_3.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientnegative/authorization_view_disable_cbo_3.q.out b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_3.q.out new file mode 100644 index 0000000..e6d2352 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_3.q.out @@ -0,0 +1,37 @@ +PREHOOK: query: create table src_autho_test as select * from src +PREHOOK: type: CREATETABLE_AS_SELECT +PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: create table src_autho_test as select * from src +POSTHOOK: type: CREATETABLE_AS_SELECT +POSTHOOK: Input: default@src +POSTHOOK: Output: database:default +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: create view v as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v +POSTHOOK: query: create view v as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v +PREHOOK: query: --table grant to user + +grant select(key) on table src_autho_test to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --table grant to user + +grant select(key) on table src_autho_test to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: grant select(key) on v to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v +POSTHOOK: query: grant select(key) on v to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v +Authorization failed:No privilege 'Select' found for inputs { database:default, table:v, columnName:value}. Use SHOW GRANT to get more details. http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientnegative/authorization_view_disable_cbo_4.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientnegative/authorization_view_disable_cbo_4.q.out b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_4.q.out new file mode 100644 index 0000000..371d407 --- /dev/null +++ b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_4.q.out @@ -0,0 +1,69 @@ +PREHOOK: query: create table src_autho_test as select * from src +PREHOOK: type: CREATETABLE_AS_SELECT +PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: create table src_autho_test as select * from src +POSTHOOK: type: CREATETABLE_AS_SELECT +POSTHOOK: Input: default@src +POSTHOOK: Output: database:default +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: create view v as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v +POSTHOOK: query: create view v as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v +PREHOOK: query: create view v1 as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v1 +POSTHOOK: query: create view v1 as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v1 +PREHOOK: query: create view v2 as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v2 +POSTHOOK: query: create view v2 as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v2 +PREHOOK: query: --table grant to user + +grant select on table src_autho_test to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --table grant to user + +grant select on table src_autho_test to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: grant select on table v to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v +POSTHOOK: query: grant select on table v to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v +PREHOOK: query: grant select on table v1 to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v1 +POSTHOOK: query: grant select on table v1 to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v1 +PREHOOK: query: grant select(key) on table v2 to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v2 +POSTHOOK: query: grant select(key) on table v2 to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v2 +Authorization failed:No privilege 'Select' found for inputs { database:default, table:v2, columnName:value}. Use SHOW GRANT to get more details. http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientpositive/authorization_view_1.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientpositive/authorization_view_1.q.out b/ql/src/test/results/clientpositive/authorization_view_1.q.out new file mode 100644 index 0000000..0703c4f --- /dev/null +++ b/ql/src/test/results/clientpositive/authorization_view_1.q.out @@ -0,0 +1,261 @@ +PREHOOK: query: create table src_autho_test as select * from src +PREHOOK: type: CREATETABLE_AS_SELECT +PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: create table src_autho_test as select * from src +POSTHOOK: type: CREATETABLE_AS_SELECT +POSTHOOK: Input: default@src +POSTHOOK: Output: database:default +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: create view v as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v +POSTHOOK: query: create view v as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v +PREHOOK: query: create view v1 as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v1 +POSTHOOK: query: create view v1 as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v1 +PREHOOK: query: create view v2 as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v2 +POSTHOOK: query: create view v2 as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v2 +PREHOOK: query: --table grant to user + +grant select on table src_autho_test to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --table grant to user + +grant select on table src_autho_test to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: grant select on table v to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v +POSTHOOK: query: grant select on table v to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v +PREHOOK: query: grant select on table v1 to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v1 +POSTHOOK: query: grant select on table v1 to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v1 +PREHOOK: query: grant select on table v2 to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v2 +POSTHOOK: query: grant select on table v2 to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v2 +PREHOOK: query: show grant user hive_test_user on table v +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on table v +POSTHOOK: type: SHOW_GRANT +default v hive_test_user USER SELECT false -1 hive_test_user +PREHOOK: query: show grant user hive_test_user on v +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on v +POSTHOOK: type: SHOW_GRANT +default v hive_test_user USER SELECT false -1 hive_test_user +PREHOOK: query: show grant user hive_test_user on v(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on v(key) +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: select * from v order by key limit 10 +PREHOOK: type: QUERY +PREHOOK: Input: default@src_autho_test +PREHOOK: Input: default@v +#### A masked pattern was here #### +POSTHOOK: query: select * from v order by key limit 10 +POSTHOOK: type: QUERY +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Input: default@v +#### A masked pattern was here #### +0 val_0 +0 val_0 +0 val_0 +10 val_10 +100 val_100 +100 val_100 +103 val_103 +103 val_103 +104 val_104 +104 val_104 +PREHOOK: query: revoke select on table src_autho_test from user hive_test_user +PREHOOK: type: REVOKE_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: revoke select on table src_autho_test from user hive_test_user +POSTHOOK: type: REVOKE_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: show grant user hive_test_user on table v +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on table v +POSTHOOK: type: SHOW_GRANT +default v hive_test_user USER SELECT false -1 hive_test_user +PREHOOK: query: show grant user hive_test_user on v +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on v +POSTHOOK: type: SHOW_GRANT +default v hive_test_user USER SELECT false -1 hive_test_user +PREHOOK: query: show grant user hive_test_user on v(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on v(key) +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: revoke select on table v from user hive_test_user +PREHOOK: type: REVOKE_PRIVILEGE +PREHOOK: Output: default@v +POSTHOOK: query: revoke select on table v from user hive_test_user +POSTHOOK: type: REVOKE_PRIVILEGE +POSTHOOK: Output: default@v +PREHOOK: query: show grant user hive_test_user on table v +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on table v +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: show grant user hive_test_user on v +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on v +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: show grant user hive_test_user on v(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on v(key) +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: --column grant to user + +grant select on table src_autho_test to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --column grant to user + +grant select on table src_autho_test to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: grant select(key) on table v to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v +POSTHOOK: query: grant select(key) on table v to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v +PREHOOK: query: show grant user hive_test_user on table v +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on table v +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: show grant user hive_test_user on v(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on v(key) +POSTHOOK: type: SHOW_GRANT +default v [key] hive_test_user USER SELECT false -1 hive_test_user +PREHOOK: query: select key from v order by key limit 10 +PREHOOK: type: QUERY +PREHOOK: Input: default@src_autho_test +PREHOOK: Input: default@v +#### A masked pattern was here #### +POSTHOOK: query: select key from v order by key limit 10 +POSTHOOK: type: QUERY +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Input: default@v +#### A masked pattern was here #### +0 +0 +0 +10 +100 +100 +103 +103 +104 +104 +PREHOOK: query: select key from +(select v.key from src_autho_test join v on src_autho_test.key=v.key)subq +order by key limit 10 +PREHOOK: type: QUERY +PREHOOK: Input: default@src_autho_test +PREHOOK: Input: default@v +#### A masked pattern was here #### +POSTHOOK: query: select key from +(select v.key from src_autho_test join v on src_autho_test.key=v.key)subq +order by key limit 10 +POSTHOOK: type: QUERY +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Input: default@v +#### A masked pattern was here #### +0 +0 +0 +0 +0 +0 +0 +0 +0 +10 +PREHOOK: query: select key from +(select key as key from src_autho_test union all select key from v)subq +limit 10 +PREHOOK: type: QUERY +PREHOOK: Input: default@src_autho_test +PREHOOK: Input: default@v +#### A masked pattern was here #### +POSTHOOK: query: select key from +(select key as key from src_autho_test union all select key from v)subq +limit 10 +POSTHOOK: type: QUERY +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Input: default@v +#### A masked pattern was here #### +238 +238 +86 +86 +311 +311 +27 +27 +165 +165 +PREHOOK: query: select key from +(select value as key from v2 union select value as key from v1 union all select key from v)subq +limit 10 +PREHOOK: type: QUERY +PREHOOK: Input: default@src_autho_test +PREHOOK: Input: default@v +PREHOOK: Input: default@v1 +PREHOOK: Input: default@v2 +#### A masked pattern was here #### +POSTHOOK: query: select key from +(select value as key from v2 union select value as key from v1 union all select key from v)subq +limit 10 +POSTHOOK: type: QUERY +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Input: default@v +POSTHOOK: Input: default@v1 +POSTHOOK: Input: default@v2 +#### A masked pattern was here #### +val_0 +val_10 +val_100 +val_103 +val_104 +val_105 +val_11 +val_111 +val_113 +val_114 http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientpositive/authorization_view_disable_cbo_1.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientpositive/authorization_view_disable_cbo_1.q.out b/ql/src/test/results/clientpositive/authorization_view_disable_cbo_1.q.out new file mode 100644 index 0000000..0341f0b --- /dev/null +++ b/ql/src/test/results/clientpositive/authorization_view_disable_cbo_1.q.out @@ -0,0 +1,309 @@ +PREHOOK: query: create table src_autho_test as select * from src +PREHOOK: type: CREATETABLE_AS_SELECT +PREHOOK: Input: default@src +PREHOOK: Output: database:default +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: create table src_autho_test as select * from src +POSTHOOK: type: CREATETABLE_AS_SELECT +POSTHOOK: Input: default@src +POSTHOOK: Output: database:default +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: create view v as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v +POSTHOOK: query: create view v as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v +PREHOOK: query: create view v1 as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v1 +POSTHOOK: query: create view v1 as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v1 +PREHOOK: query: create view v2 as select * from src_autho_test +PREHOOK: type: CREATEVIEW +PREHOOK: Input: default@src_autho_test +PREHOOK: Output: database:default +PREHOOK: Output: default@v2 +POSTHOOK: query: create view v2 as select * from src_autho_test +POSTHOOK: type: CREATEVIEW +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Output: database:default +POSTHOOK: Output: default@v2 +PREHOOK: query: --table grant to user + +grant select on table src_autho_test to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --table grant to user + +grant select on table src_autho_test to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: grant select on table v to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v +POSTHOOK: query: grant select on table v to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v +PREHOOK: query: grant select on table v1 to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v1 +POSTHOOK: query: grant select on table v1 to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v1 +PREHOOK: query: grant select on table v2 to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v2 +POSTHOOK: query: grant select on table v2 to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v2 +PREHOOK: query: show grant user hive_test_user on table v +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on table v +POSTHOOK: type: SHOW_GRANT +default v hive_test_user USER SELECT false -1 hive_test_user +PREHOOK: query: show grant user hive_test_user on v +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on v +POSTHOOK: type: SHOW_GRANT +default v hive_test_user USER SELECT false -1 hive_test_user +PREHOOK: query: show grant user hive_test_user on v(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on v(key) +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: select * from v order by key limit 10 +PREHOOK: type: QUERY +PREHOOK: Input: default@src_autho_test +PREHOOK: Input: default@v +#### A masked pattern was here #### +POSTHOOK: query: select * from v order by key limit 10 +POSTHOOK: type: QUERY +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Input: default@v +#### A masked pattern was here #### +0 val_0 +0 val_0 +0 val_0 +10 val_10 +100 val_100 +100 val_100 +103 val_103 +103 val_103 +104 val_104 +104 val_104 +PREHOOK: query: revoke select on table src_autho_test from user hive_test_user +PREHOOK: type: REVOKE_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: revoke select on table src_autho_test from user hive_test_user +POSTHOOK: type: REVOKE_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: show grant user hive_test_user on table v +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on table v +POSTHOOK: type: SHOW_GRANT +default v hive_test_user USER SELECT false -1 hive_test_user +PREHOOK: query: show grant user hive_test_user on v +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on v +POSTHOOK: type: SHOW_GRANT +default v hive_test_user USER SELECT false -1 hive_test_user +PREHOOK: query: show grant user hive_test_user on v(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on v(key) +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: revoke select on table v from user hive_test_user +PREHOOK: type: REVOKE_PRIVILEGE +PREHOOK: Output: default@v +POSTHOOK: query: revoke select on table v from user hive_test_user +POSTHOOK: type: REVOKE_PRIVILEGE +POSTHOOK: Output: default@v +PREHOOK: query: show grant user hive_test_user on table v +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on table v +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: show grant user hive_test_user on v +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on v +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: show grant user hive_test_user on v(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on v(key) +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: --column grant to user + +grant select on table src_autho_test to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@src_autho_test +POSTHOOK: query: --column grant to user + +grant select on table src_autho_test to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@src_autho_test +PREHOOK: query: grant select(key) on table v to user hive_test_user +PREHOOK: type: GRANT_PRIVILEGE +PREHOOK: Output: default@v +POSTHOOK: query: grant select(key) on table v to user hive_test_user +POSTHOOK: type: GRANT_PRIVILEGE +POSTHOOK: Output: default@v +PREHOOK: query: show grant user hive_test_user on table v +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on table v +POSTHOOK: type: SHOW_GRANT +PREHOOK: query: show grant user hive_test_user on v(key) +PREHOOK: type: SHOW_GRANT +POSTHOOK: query: show grant user hive_test_user on v(key) +POSTHOOK: type: SHOW_GRANT +default v [key] hive_test_user USER SELECT false -1 hive_test_user +PREHOOK: query: select key from v order by key limit 10 +PREHOOK: type: QUERY +PREHOOK: Input: default@src_autho_test +PREHOOK: Input: default@v +#### A masked pattern was here #### +POSTHOOK: query: select key from v order by key limit 10 +POSTHOOK: type: QUERY +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Input: default@v +#### A masked pattern was here #### +0 +0 +0 +10 +100 +100 +103 +103 +104 +104 +PREHOOK: query: select key from +(select v.key from src_autho_test join v on src_autho_test.key=v.key)subq +order by key limit 10 +PREHOOK: type: QUERY +PREHOOK: Input: default@src_autho_test +PREHOOK: Input: default@v +#### A masked pattern was here #### +POSTHOOK: query: select key from +(select v.key from src_autho_test join v on src_autho_test.key=v.key)subq +order by key limit 10 +POSTHOOK: type: QUERY +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Input: default@v +#### A masked pattern was here #### +0 +0 +0 +0 +0 +0 +0 +0 +0 +10 +PREHOOK: query: select key from +(select key as key from src_autho_test union all select key from v)subq +limit 10 +PREHOOK: type: QUERY +PREHOOK: Input: default@src_autho_test +PREHOOK: Input: default@v +#### A masked pattern was here #### +POSTHOOK: query: select key from +(select key as key from src_autho_test union all select key from v)subq +limit 10 +POSTHOOK: type: QUERY +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Input: default@v +#### A masked pattern was here #### +238 +238 +86 +86 +311 +311 +27 +27 +165 +165 +PREHOOK: query: select key from +(select value as key from v2 union select value as key from v1 union all select key from v)subq +limit 10 +PREHOOK: type: QUERY +PREHOOK: Input: default@src_autho_test +PREHOOK: Input: default@v +PREHOOK: Input: default@v1 +PREHOOK: Input: default@v2 +#### A masked pattern was here #### +POSTHOOK: query: select key from +(select value as key from v2 union select value as key from v1 union all select key from v)subq +limit 10 +POSTHOOK: type: QUERY +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Input: default@v +POSTHOOK: Input: default@v1 +POSTHOOK: Input: default@v2 +#### A masked pattern was here #### +val_0 +val_10 +val_100 +val_103 +val_104 +val_105 +val_11 +val_111 +val_113 +val_114 +PREHOOK: query: --although cbo is enabled, it will not succeed. + +select key from v sort by key limit 10 +PREHOOK: type: QUERY +PREHOOK: Input: default@src_autho_test +PREHOOK: Input: default@v +#### A masked pattern was here #### +POSTHOOK: query: --although cbo is enabled, it will not succeed. + +select key from v sort by key limit 10 +POSTHOOK: type: QUERY +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Input: default@v +#### A masked pattern was here #### +0 +0 +0 +10 +100 +100 +103 +103 +104 +104 +PREHOOK: query: select key from +(select key as key from src_autho_test union all select key from v cluster by key)subq +limit 10 +PREHOOK: type: QUERY +PREHOOK: Input: default@src_autho_test +PREHOOK: Input: default@v +#### A masked pattern was here #### +POSTHOOK: query: select key from +(select key as key from src_autho_test union all select key from v cluster by key)subq +limit 10 +POSTHOOK: type: QUERY +POSTHOOK: Input: default@src_autho_test +POSTHOOK: Input: default@v +#### A masked pattern was here #### +0 +0 +0 +0 +0 +0 +10 +10 +100 +100
