Repository: impala Updated Branches: refs/heads/master 9a751f00b -> 5417e712f
IMPALA-6804: Allow SELECT and INSERT privileges on SERVER This change add the last two privileges at the SERVER level. GRANT SELECT ON SERVER TO ROLE test_role; REVOKE SELECT ON SERVER FROM ROLE test_role; GRANT INSERT ON SERVER TO ROLE test_role REVOKE INSERT ON SERVER FROM ROLE test_role Testing: Added tests to cover server level select and insert. Ran all front-end tests. Change-Id: If6510b4d54c9902029a357f1aebb2570cd75855d Reviewed-on: http://gerrit.cloudera.org:8080/9972 Reviewed-by: Alex Behm <alex.b...@cloudera.com> Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com> Project: http://git-wip-us.apache.org/repos/asf/impala/repo Commit: http://git-wip-us.apache.org/repos/asf/impala/commit/5417e712 Tree: http://git-wip-us.apache.org/repos/asf/impala/tree/5417e712 Diff: http://git-wip-us.apache.org/repos/asf/impala/diff/5417e712 Branch: refs/heads/master Commit: 5417e712f33dfb963b4646723ec173a5f3c4f49b Parents: 9a751f0 Author: Adam Holley <g...@holleyism.com> Authored: Tue Apr 10 11:29:55 2018 -0500 Committer: Impala Public Jenkins <impala-public-jenk...@cloudera.com> Committed: Thu Apr 12 23:57:54 2018 +0000 ---------------------------------------------------------------------- .../apache/impala/analysis/PrivilegeSpec.java | 8 - .../impala/analysis/AnalyzeAuthStmtsTest.java | 8 +- .../impala/analysis/AuthorizationTest.java | 192 +++++++++++++++++-- 3 files changed, 179 insertions(+), 29 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/impala/blob/5417e712/fe/src/main/java/org/apache/impala/analysis/PrivilegeSpec.java ---------------------------------------------------------------------- diff --git a/fe/src/main/java/org/apache/impala/analysis/PrivilegeSpec.java b/fe/src/main/java/org/apache/impala/analysis/PrivilegeSpec.java index ec292a2..d848383 100644 --- a/fe/src/main/java/org/apache/impala/analysis/PrivilegeSpec.java +++ b/fe/src/main/java/org/apache/impala/analysis/PrivilegeSpec.java @@ -188,14 +188,6 @@ public class PrivilegeSpec implements ParseNode { switch (scope_) { case SERVER: - if (privilegeLevel_ != TPrivilegeLevel.ALL && - privilegeLevel_ != TPrivilegeLevel.REFRESH && - privilegeLevel_ != TPrivilegeLevel.CREATE && - privilegeLevel_ != TPrivilegeLevel.ALTER && - privilegeLevel_ != TPrivilegeLevel.DROP) { - throw new AnalysisException("Only 'ALL', 'REFRESH', 'CREATE', 'ALTER', or " + - "'DROP' privilege may be applied at SERVER scope in privilege spec."); - } break; case DATABASE: Preconditions.checkState(!Strings.isNullOrEmpty(dbName_)); http://git-wip-us.apache.org/repos/asf/impala/blob/5417e712/fe/src/test/java/org/apache/impala/analysis/AnalyzeAuthStmtsTest.java ---------------------------------------------------------------------- diff --git a/fe/src/test/java/org/apache/impala/analysis/AnalyzeAuthStmtsTest.java b/fe/src/test/java/org/apache/impala/analysis/AnalyzeAuthStmtsTest.java index c56102f..2741e5d 100644 --- a/fe/src/test/java/org/apache/impala/analysis/AnalyzeAuthStmtsTest.java +++ b/fe/src/test/java/org/apache/impala/analysis/AnalyzeAuthStmtsTest.java @@ -164,9 +164,7 @@ public class AnalyzeAuthStmtsTest extends AnalyzerTest { formatArgs)); AnalyzesOk(String.format("%s INSERT ON DATABASE functional %s myrole", formatArgs)); - AnalysisError(String.format("%s INSERT ON SERVER %s myrole", formatArgs), - "Only 'ALL', 'REFRESH', 'CREATE', 'ALTER', or 'DROP' privilege may be " + - "applied at SERVER scope in privilege spec."); + AnalyzesOk(String.format("%s INSERT ON SERVER %s myrole", formatArgs)); AnalysisError(String.format("%s INSERT ON URI 'hdfs:////abc//123' %s myrole", formatArgs), "Only 'ALL' privilege may be applied at URI scope in privilege " + "spec."); @@ -180,9 +178,7 @@ public class AnalyzeAuthStmtsTest extends AnalyzerTest { "%s SELECT ON TABLE functional_kudu.alltypessmall %s myrole", formatArgs)); AnalyzesOk(String.format("%s SELECT ON DATABASE functional %s myrole", formatArgs)); - AnalysisError(String.format("%s SELECT ON SERVER %s myrole", formatArgs), - "Only 'ALL', 'REFRESH', 'CREATE', 'ALTER', or 'DROP' privilege may be " + - "applied at SERVER scope in privilege spec."); + AnalyzesOk(String.format("%s SELECT ON SERVER %s myrole", formatArgs)); AnalysisError(String.format("%s SELECT ON URI 'hdfs:////abc//123' %s myrole", formatArgs), "Only 'ALL' privilege may be applied at URI scope in privilege " + "spec."); http://git-wip-us.apache.org/repos/asf/impala/blob/5417e712/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java ---------------------------------------------------------------------- diff --git a/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java b/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java index a5173fb..9a62e93 100644 --- a/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java +++ b/fe/src/test/java/org/apache/impala/analysis/AuthorizationTest.java @@ -612,9 +612,9 @@ public class AuthorizationTest extends FrontendTestBase { AuthzOk("select * from functional.view_view"); // User does not have SELECT privileges on this view. - AuthzError("select * from functional.complex_view_sub", + AuthzError("select * from functional.alltypes_view", "User '%s' does not have privileges to execute 'SELECT' on: " + - "functional.complex_view_sub"); + "functional.alltypes_view"); // User has SELECT privileges on the view and the join table. AuthzOk("select a.id from functional.view_view a " @@ -648,11 +648,6 @@ public class AuthorizationTest extends FrontendTestBase { "User '%s' does not have privileges to execute 'SELECT' on: " + "functional.alltypes"); - // Select with no privileges on view. - AuthzError("select * from functional.complex_view_sub", - "User '%s' does not have privileges to execute 'SELECT' on: " + - "functional.complex_view_sub"); - // Select without referencing a column. AuthzError("select 1 from functional.alltypes", "User '%s' does not have privileges to execute 'SELECT' on: " + @@ -711,7 +706,7 @@ public class AuthorizationTest extends FrontendTestBase { AuthzOk("select id, b.key from functional.allcomplextypes a, a.int_map_col b"); // No SELECT privileges on 'alltypessmall' - AuthzError("select a.* from functional.alltypesagg cross join " + + AuthzError("select a.* from functional.alltypesagg a cross join " + "functional.alltypessmall b", "User '%s' does not have privileges to execute " + "'SELECT' on: functional.alltypessmall"); @@ -765,11 +760,15 @@ public class AuthorizationTest extends FrontendTestBase { "functional.alltypes"); // User doesn't have permissions on source table within inline view. - AuthzError("insert into functional.alltypes " + - "select * from functional.alltypesagg a join (select * from " + - "functional_seq.alltypes) b on (a.int_col = b.int_col)", - "User '%s' does not have privileges to execute 'SELECT' on: " + - "functional_seq.alltypes"); + AuthzError("insert into functional.alltypes partition (month, year) " + + "select id, bool_col, tinyint_col, smallint_col, a.int_col, bigint_col, " + + "float_col, a.double_col, a.date_string_col, a.string_col, a.timestamp_col, " + + "a.year, a.month " + + "from functional_rc.alltypesagg a " + + "join (select int_col, double_col, date_string_col, string_col, timestamp_col, " + + "year, month from functional_seq.alltypes) b " + + "on (a.int_col = b.int_col)", "User '%s' does " + + "not have privileges to execute 'SELECT' on: functional_rc.alltypesagg"); // User doesn't have INSERT permissions on the target table but has sufficient SELECT // permissions on all the referenced columns of the source table @@ -1762,8 +1761,8 @@ public class AuthorizationTest extends FrontendTestBase { // Column level privileges will allow describe but with reduced data. AuthzOk("describe formatted functional.alltypessmall"); // Insufficient privileges on table for nested column. - AuthzError("describe functional.complextypestbl.nested_struct", - "User '%s' does not have privileges to access: functional.complextypestbl"); + AuthzError("describe functional.complextypes_fileformat.s", + "User '%s' does not have privileges to access: functional.complextypes_fileformat"); // Insufficient privileges on view. AuthzError("describe functional.alltypes_view_sub", "User '%s' does not have privileges to access: functional.alltypes_view_sub"); @@ -2721,6 +2720,169 @@ public class AuthorizationTest extends FrontendTestBase { } @Test + public void TestServerLevelInsert() throws ImpalaException { + // TODO: Add test support for dynamically changing privileges for + // file-based policy. + if (ctx_.authzConfig.isFileBasedPolicy()) return; + + SentryPolicyService sentryService = + new SentryPolicyService(ctx_.authzConfig.getSentryConfig()); + + // User has INSERT privilege on server. + String roleName = "insert_role"; + try { + sentryService.createRole(USER, roleName, true); + TPrivilege privilege = new TPrivilege("", TPrivilegeLevel.INSERT, + TPrivilegeScope.SERVER, false); + privilege.setServer_name("server1"); + sentryService.grantRolePrivilege(USER, roleName, privilege); + sentryService.grantRoleToGroup(USER, roleName, USER.getName()); + + privilege = new TPrivilege ("", TPrivilegeLevel.SELECT, TPrivilegeScope.DATABASE, + false); + privilege.setServer_name("server1"); + privilege.setDb_name("functional_rc"); + sentryService.grantRolePrivilege(USER, roleName, privilege); + sentryService.grantRoleToGroup(USER, roleName, USER.getName()); + + privilege = new TPrivilege ("", TPrivilegeLevel.SELECT, TPrivilegeScope.DATABASE, + false); + privilege.setServer_name("server1"); + privilege.setDb_name("functional_seq"); + sentryService.grantRolePrivilege(USER, roleName, privilege); + sentryService.grantRoleToGroup(USER, roleName, USER.getName()); + ctx_.catalog.reset(); + + // Copied majority of INSERT tests that should fail from authorization and + // ensure they succeed here. Some tests that fail will fail here with + // AnalysisException and are covered elsewhere. + + // User has SELECT permissions on source table. + AuthzOk("insert into functional.alltypes partition (month, year) " + + "select * from functional_rc.alltypes"); + + // Ensure INSERT at server does not allow other privileges + AuthzError("select * from functional.alltypes", + "User '%s' does not have privileges to execute 'SELECT' on: functional"); + AuthzError("create table functional.new_table (i int)", + "User '%s' does not have privileges to execute 'CREATE' on: functional"); + AuthzError("alter table functional.alltypes add columns (c1 int)", + "User '%s' does not have privileges to execute 'ALTER' on: " + + "functional.alltypes"); + AuthzError("drop table functional.alltypes", + "User '%s' does not have privileges to execute 'DROP' on: functional.alltypes"); + + // User has permissions on source table within inline view. + AuthzOk("insert into functional.alltypes partition (month, year) " + + "select id, bool_col, tinyint_col, smallint_col, a.int_col, bigint_col, " + + "float_col, a.double_col, a.date_string_col, a.string_col, a.timestamp_col, " + + "a.year, a.month from functional_rc.alltypesagg a " + + "join (select int_col, double_col, date_string_col, string_col, " + + "timestamp_col, year, month from functional_seq.alltypes) b " + + "on (a.int_col = b.int_col)"); + + // User has INSERT permissions on the target table and has sufficient SELECT + // permissions on all the referenced columns of the source table + AuthzOk("insert into functional.alltypestiny partition (month, year) " + + "select * from functional_rc.alltypestiny"); + + // User has INSERT permissions on target table and column-level + // permissions on the source table + AuthzOk("insert into functional.alltypes partition (month, year) " + + "select * from functional_rc.alltypessmall"); + + // Insert and Select allow view_metadata + AuthzOk("describe database functional_rc"); + AuthzOk("describe functional.complextypes_fileformat.s"); + AuthzOk("describe functional.alltypes_view_sub"); + AuthzOk("describe functional_rc.alltypes"); + } finally { + sentryService.dropRole(USER, roleName, true); + ctx_.catalog.reset(); + } + } + + @Test + public void TestServerLevelSelect() throws ImpalaException { + // TODO: Add test support for dynamically changing privileges for + // file-based policy. + if (ctx_.authzConfig.isFileBasedPolicy()) return; + + SentryPolicyService sentryService = + new SentryPolicyService(ctx_.authzConfig.getSentryConfig()); + + // User has SELECT privilege on server. + String roleName = "select_role"; + try { + sentryService.createRole(USER, roleName, true); + TPrivilege privilege = new TPrivilege("", TPrivilegeLevel.SELECT, + TPrivilegeScope.SERVER, false); + privilege.setServer_name("server1"); + sentryService.grantRolePrivilege(USER, roleName, privilege); + sentryService.grantRoleToGroup(USER, roleName, USER.getName()); + ctx_.catalog.reset(); + + // Copied majority of SELECT tests that should fail from authorization and + // ensure they succeed here. + AuthzOk("select * from functional.alltypes_view_sub"); + AuthzOk("select * from functional.alltypes"); + + // Ensure SELECT at server does not allow other privileges + AuthzError("insert into functional.alltypesagg select 1", + "User '%s' does not have privileges to execute 'INSERT' on: " + + "functional.alltypesagg"); + AuthzError("create table functional.new_table (i int)", + "User '%s' does not have privileges to execute 'CREATE' on: functional"); + AuthzError("alter table functional.alltypes add columns (c1 int)", + "User '%s' does not have privileges to execute 'ALTER' on: " + + "functional.alltypes"); + AuthzError("drop table functional.alltypes", + "User '%s' does not have privileges to execute 'DROP' on: functional.alltypes"); + + // User has SELECT privileges on the view, and has privileges + // to select join table. + AuthzOk("select a.id from functional.view_view a " + + "join functional.alltypes b ON (a.id = b.id)"); + + // User has SELECT privileges on the view which contains a subquery. + AuthzOk("select * from functional_rc.subquery_view"); + + // Constant select. + AuthzOk("select 1"); + + // Table within inline view is authorized properly. + AuthzOk("select a.* from (select * from functional.alltypes) a"); + + // SELECT privileges on all the columns of 'alltypessmall' + AuthzOk("select * from functional.alltypessmall"); + + // SELECT privileges on table 'alltypessmall' + AuthzOk("select count(*) from functional.alltypessmall"); + AuthzOk("select 1 from functional.alltypessmall"); + + // SELECT privileges on column 'month' + AuthzOk("select id, int_col, year, month from functional.alltypessmall"); + + // SELECT privileges on 'int_array_col' + AuthzOk("select a.id, b.item from functional.allcomplextypes a, " + + "a.int_array_col b"); + + // SELECT privileges on 'alltypessmall' + AuthzOk("select a.* from functional.alltypesagg a cross join " + + "functional.alltypessmall b"); + + // Insert allows view_metadata + AuthzOk("describe database functional_rc"); + AuthzOk("describe functional.complextypes_fileformat.s"); + AuthzOk("describe functional.alltypes_view_sub"); + AuthzOk("describe functional_rc.alltypes"); + } finally { + sentryService.dropRole(USER, roleName, true); + ctx_.catalog.reset(); + } + } + + @Test public void TestServerLevelCreate() throws ImpalaException { // TODO: Add test support for dynamically changing privileges for // file-based policy.