Repository: hive Updated Branches: refs/heads/branch-2 977ea4559 -> da84a1d39
HIVE-19666 : SQL standard auth for create fn may make an impossible privilege check (branch-2) (Sergey Shelukhin, reviewed by Thejas M Nair) Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/da84a1d3 Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/da84a1d3 Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/da84a1d3 Branch: refs/heads/branch-2 Commit: da84a1d39d657d9c1a99ab524b4791740c77d02f Parents: 977ea45 Author: sergey <[email protected]> Authored: Tue May 29 13:10:05 2018 -0700 Committer: sergey <[email protected]> Committed: Tue May 29 13:10:05 2018 -0700 ---------------------------------------------------------------------- .../sqlstd/SQLStdHiveAuthorizationValidator.java | 4 ++++ .../clientpositive/authorization_create_func1.q | 2 ++ .../authorization_create_func1.q.out | 18 ++++++++++++++++++ 3 files changed, 24 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/da84a1d3/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java ----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
index 2977675..0dac476 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
@@ -113,6 +113,10 @@ public class SQLStdHiveAuthorizationValidator implements HiveAuthorizationValida case DFS_URI: availPrivs = SQLAuthorizationUtils.getPrivilegesFromFS(new Path(hiveObj.getObjectName()), conf, userName); + // For operations like create fn, we require admin privilege from the FS but never get it. + if (privController.isUserAdmin()) { + availPrivs.addPrivilege(SQLPrivTypeGrant.ADMIN_PRIV); + } break; case PARTITION: // sql std authorization is managing privileges at the table/view levels http://git-wip-us.apache.org/repos/asf/hive/blob/da84a1d3/ql/src/test/queries/clientpositive/authorization_create_func1.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientpositive/authorization_create_func1.q b/ql/src/test/queries/clientpositive/authorization_create_func1.q index 6c7ebc7..f9f77ce 100644 --- a/ql/src/test/queries/clientpositive/authorization_create_func1.q +++ b/ql/src/test/queries/clientpositive/authorization_create_func1.q @@ -9,6 +9,8 @@ set role ADMIN; create temporary function temp_fn as 'org.apache.hadoop.hive.ql.udf.UDFAscii'; create function perm_fn as 'org.apache.hadoop.hive.ql.udf.UDFAscii'; +create function perm_fn_using as 'IdentityStringUDF' using jar '../../data/files/identity_udf.jar'; drop temporary function temp_fn; drop function perm_fn; +drop function perm_fn_using; http://git-wip-us.apache.org/repos/asf/hive/blob/da84a1d3/ql/src/test/results/clientpositive/authorization_create_func1.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientpositive/authorization_create_func1.q.out b/ql/src/test/results/clientpositive/authorization_create_func1.q.out index d7de21a..3e60e4d 100644 --- a/ql/src/test/results/clientpositive/authorization_create_func1.q.out +++ b/ql/src/test/results/clientpositive/authorization_create_func1.q.out 
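Review bot: The added `privController.isUserAdmin()` branch puts `SQLPrivTypeGrant.ADMIN_PRIV` into `availPrivs` for every object that reaches the `DFS_URI` case, not only for create function, so an admin requirement on any DFS URI is now met by role alone, independent of what the file system reports. If that scope is intended, the comment should say so, e.g. `// ADMIN_PRIV can never be derived from FS permissions; add it for users whose current role is admin so admin-only operations on a URI (e.g. create function ... using jar) can pass.`, and it is worth confirming that `isUserAdmin()` reflects the active role rather than mere role membership. The accompanying `authorization_create_func1.q` change covers only the positive case under `set role ADMIN`; a negative test showing that a non-admin user is still rejected for `create function ... using jar` would pin the boundary, unless one already exists outside this diff. The enclosing switch and method start and end outside the hunk.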
@@ -16,6 +16,16 @@ POSTHOOK: query: create function perm_fn as 'org.apache.hadoop.hive.ql.udf.UDFAs POSTHOOK: type: CREATEFUNCTION POSTHOOK: Output: database:default POSTHOOK: Output: default.perm_fn +PREHOOK: query: create function perm_fn_using as 'IdentityStringUDF' using jar '../../data/files/identity_udf.jar' +PREHOOK: type: CREATEFUNCTION +PREHOOK: Output: database:default +PREHOOK: Output: default.perm_fn_using +#### A masked pattern was here #### +POSTHOOK: query: create function perm_fn_using as 'IdentityStringUDF' using jar '../../data/files/identity_udf.jar' +POSTHOOK: type: CREATEFUNCTION +POSTHOOK: Output: database:default +POSTHOOK: Output: default.perm_fn_using +#### A masked pattern was here #### PREHOOK: query: drop temporary function temp_fn PREHOOK: type: DROPFUNCTION PREHOOK: Output: temp_fn @@ -30,3 +40,11 @@ POSTHOOK: query: drop function perm_fn POSTHOOK: type: DROPFUNCTION POSTHOOK: Output: database:default POSTHOOK: Output: default.perm_fn +PREHOOK: query: drop function perm_fn_using +PREHOOK: type: DROPFUNCTION +PREHOOK: Output: database:default +PREHOOK: Output: default.perm_fn_using +POSTHOOK: query: drop function perm_fn_using +POSTHOOK: type: DROPFUNCTION +POSTHOOK: Output: database:default +POSTHOOK: Output: default.perm_fn_using
