http://git-wip-us.apache.org/repos/asf/impala/blob/1d4df941/fe/src/test/java/org/apache/impala/analysis/AuthorizationStmtTest.java ---------------------------------------------------------------------- diff --git a/fe/src/test/java/org/apache/impala/analysis/AuthorizationStmtTest.java b/fe/src/test/java/org/apache/impala/analysis/AuthorizationStmtTest.java index abfff91..7e10eee 100644 --- a/fe/src/test/java/org/apache/impala/analysis/AuthorizationStmtTest.java +++ b/fe/src/test/java/org/apache/impala/analysis/AuthorizationStmtTest.java @@ -347,57 +347,72 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("select id from functional.alltypes"), // With clause with select. authorize("with t as (select id from functional.alltypes) select * from t")}) { - authzTest.ok(onServer(TPrivilegeLevel.ALL)) + authzTest .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.SELECT)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.SELECT)) .ok(onColumn("functional", "alltypes", "id", TPrivilegeLevel.SELECT)) .error(selectError("functional.alltypes")) .error(selectError("functional.alltypes"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypes"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypes"), onTable("functional", - "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))); + "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))); } // Select without referencing a column. authorize("select 1 from functional.alltypes") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.SELECT)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.SELECT)) .error(selectError("functional.alltypes")) .error(selectError("functional.alltypes"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypes"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypes"), onTable("functional", "alltypes", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))); // Select a specific column on a view. // Column-level privileges on views are not currently supported. authorize("select id from functional.alltypes_view") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.SELECT)) .ok(onTable("functional", "alltypes_view", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes_view", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes_view", TPrivilegeLevel.SELECT)) .error(selectError("functional.alltypes_view")) .error(selectError("functional.alltypes_view"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypes_view"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypes_view"), onTable("functional", - "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))); + "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))); // Constant select. authorize("select 1").ok(); @@ -406,51 +421,68 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("select a.id from functional.view_view a " + "join functional.alltypesagg b ON (a.id = b.id)") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.SELECT)) .ok(onTable("functional", "view_view", TPrivilegeLevel.ALL), onTable("functional", "alltypesagg", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "view_view", TPrivilegeLevel.OWNER), + onTable("functional", "alltypesagg", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "view_view", TPrivilegeLevel.ALL), onTable("functional", "alltypesagg", TPrivilegeLevel.SELECT)) + .ok(onTable("functional", "view_view", TPrivilegeLevel.OWNER), + onTable("functional", "alltypesagg", TPrivilegeLevel.SELECT)) .ok(onTable("functional", "view_view", TPrivilegeLevel.SELECT), onTable("functional", "alltypesagg", TPrivilegeLevel.ALL)) .ok(onTable("functional", "view_view", TPrivilegeLevel.SELECT), + onTable("functional", "alltypesagg", TPrivilegeLevel.OWNER)) + .ok(onTable("functional", "view_view", TPrivilegeLevel.SELECT), onTable("functional", "alltypesagg", TPrivilegeLevel.SELECT)) .error(selectError("functional.view_view")) .error(selectError("functional.view_view"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT))) .error(selectError("functional.view_view"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))) .error(selectError("functional.view_view"), onTable("functional", "view_view", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)), onTable("functional", - "alltypesagg", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT)), onTable("functional", "alltypesagg", + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))); // Tests authorization after a statement has been rewritten (IMPALA-3915). authorize("select * from functional_seq_snap.subquery_view") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.SELECT)) .ok(onDatabase("functional_seq_snap", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional_seq_snap", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional_seq_snap", TPrivilegeLevel.SELECT)) .ok(onTable("functional_seq_snap", "subquery_view", TPrivilegeLevel.ALL)) + .ok(onTable("functional_seq_snap", "subquery_view", TPrivilegeLevel.OWNER)) .ok(onTable("functional_seq_snap", "subquery_view", TPrivilegeLevel.SELECT)) .error(selectError("functional_seq_snap.subquery_view")) .error(selectError("functional_seq_snap.subquery_view"), onServer( - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))) .error(selectError("functional_seq_snap.subquery_view"), onDatabase("functional_seq_snap", allExcept(TPrivilegeLevel.ALL, - TPrivilegeLevel.SELECT))) + TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT))) .error(selectError("functional_seq_snap.subquery_view"), onTable("functional_seq_snap", "subquery_view", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))); + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT))); // Select a UDF. ScalarFunction fn = addFunction("functional", "f"); try { authorize("select functional.f()") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(viewMetadataPrivileges())) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", viewMetadataPrivileges())) .error(accessError("functional")) .error(accessError("functional"), onServer(allExcept( @@ -472,75 +504,96 @@ public class AuthorizationStmtTest extends FrontendTestBase { // Select with inline view. authorize("select a.* from (select * from functional.alltypes) a") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.SELECT)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.SELECT)) .ok(onColumn("functional", "alltypes", ALLTYPES_COLUMNS, TPrivilegeLevel.SELECT)) .error(selectError("functional.alltypes")) .error(selectError("functional.alltypes"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypes"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypes"), onTable("functional", "alltypes", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))); // Select with columns referenced in function, where clause and group by. authorize("select count(id), int_col from functional.alltypes where id = 10 " + "group by id, int_col") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.SELECT)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.SELECT)) .ok(onColumn("functional", "alltypes", new String[]{"id", "int_col"}, TPrivilegeLevel.SELECT)) .error(selectError("functional.alltypes")) .error(selectError("functional.alltypes"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypes"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypes"), onTable("functional", "alltypes", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))); // Select on tables with complex types. authorize("select a.int_struct_col.f1 from functional.allcomplextypes a " + "where a.id = 1") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.SELECT)) .ok(onTable("functional", "allcomplextypes", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "allcomplextypes", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "allcomplextypes", TPrivilegeLevel.SELECT)) .ok(onColumn("functional", "allcomplextypes", new String[]{"id", "int_struct_col"}, TPrivilegeLevel.SELECT)) .error(selectError("functional.allcomplextypes")) .error(selectError("functional.allcomplextypes"), onServer( - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))) .error(selectError("functional.allcomplextypes"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))) .error(selectError("functional.allcomplextypes"), onTable("functional", - "allcomplextypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))); + "allcomplextypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))); authorize("select key, pos, item.f1, f2 from functional.allcomplextypes t, " + "t.struct_array_col, functional.allcomplextypes.int_map_col") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.SELECT)) .ok(onTable("functional", "allcomplextypes", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "allcomplextypes", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "allcomplextypes", TPrivilegeLevel.SELECT)) .ok(onColumn("functional", "allcomplextypes", new String[]{"struct_array_col", "int_map_col"}, TPrivilegeLevel.SELECT)) .error(selectError("functional.allcomplextypes")) .error(selectError("functional.allcomplextypes"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT))) .error(selectError("functional.allcomplextypes"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))) .error(selectError("functional.allcomplextypes"), onTable("functional", - "allcomplextypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))); + "allcomplextypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))); for (AuthzTest authzTest: new AuthzTest[]{ // Select with cross join. @@ -550,15 +603,23 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("select * from functional.alltypes a cross join " + "functional.alltypessmall b")}) { authzTest.ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.SELECT)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL), onTable("functional", "alltypessmall", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER), + onTable("functional", "alltypessmall", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.SELECT), onTable("functional", "alltypessmall", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.SELECT), + onTable("functional", "alltypessmall", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL), onTable("functional", "alltypessmall", TPrivilegeLevel.SELECT)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER), + onTable("functional", "alltypessmall", TPrivilegeLevel.SELECT)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.SELECT), onTable("functional", "alltypessmall", TPrivilegeLevel.SELECT)) .ok(onColumn("functional", "alltypes", ALLTYPES_COLUMNS, @@ -566,12 +627,15 @@ public class AuthorizationStmtTest extends FrontendTestBase { ALLTYPES_COLUMNS, TPrivilegeLevel.SELECT)) .error(selectError("functional.alltypes")) .error(selectError("functional.alltypes"), onServer( - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypes"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypes"), onTable("functional", "alltypes", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)), - onTable("functional", "alltypessmall", allExcept(TPrivilegeLevel.ALL, + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT)), onTable("functional", "alltypessmall", + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypessmall"), onColumn("functional", "alltypes", ALLTYPES_COLUMNS, TPrivilegeLevel.SELECT)) @@ -584,23 +648,30 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("select id from functional.alltypes_view union all " + "select x from functional.alltypes_view_sub") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.SELECT)) .ok(onTable("functional", "alltypes_view", TPrivilegeLevel.ALL), onTable("functional", "alltypes_view_sub", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes_view", TPrivilegeLevel.OWNER), + onTable("functional", "alltypes_view_sub", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes_view", TPrivilegeLevel.SELECT), onTable("functional", "alltypes_view_sub", TPrivilegeLevel.SELECT)) .error(selectError("functional.alltypes_view")) .error(selectError("functional.alltypes_view"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypes_view"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypes_view"), onTable("functional", - "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)), + "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT)), onTable("functional", "alltypes_view_sub", TPrivilegeLevel.SELECT)) .error(selectError("functional.alltypes_view_sub"), onTable("functional", - "alltypes_view_sub", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)), + "alltypes_view_sub", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT)), onTable("functional", "alltypes_view", TPrivilegeLevel.SELECT)); // Union from non-existent databases. @@ -620,18 +691,23 @@ public class AuthorizationStmtTest extends FrontendTestBase { // Explain insert. authorize("explain insert into functional.zipcode_incomes(id) values('123')")}) { test.ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.INSERT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.INSERT)) .ok(onTable("functional", "zipcode_incomes", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "zipcode_incomes", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "zipcode_incomes", TPrivilegeLevel.INSERT)) .error(insertError("functional.zipcode_incomes")) .error(insertError("functional.zipcode_incomes"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.INSERT))) .error(insertError("functional.zipcode_incomes"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.INSERT))) .error(insertError("functional.zipcode_incomes"), onTable("functional", - "zipcode_incomes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT))); + "zipcode_incomes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.INSERT))); } for (AuthzTest test: new AuthzTest[]{ @@ -643,11 +719,15 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("insert into functional.alltypes partition(month, year) " + "select * from functional.alltypestiny where id < 100")}) { test.ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL), onTable("functional", "alltypestiny", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER), + onTable("functional", "alltypestiny", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.INSERT), onTable("functional", "alltypestiny", TPrivilegeLevel.SELECT)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.INSERT), @@ -655,16 +735,19 @@ public class AuthorizationStmtTest extends FrontendTestBase { TPrivilegeLevel.SELECT)) .error(selectError("functional.alltypestiny")) .error(selectError("functional.alltypestiny"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT))) - .error(selectError("functional.alltypestiny"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT, + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT))) + .error(selectError("functional.alltypestiny"), onDatabase("functional", + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT))) .error(insertError("functional.alltypes"), onTable("functional", "alltypestiny", TPrivilegeLevel.SELECT), onTable("functional", - "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT))) + "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.INSERT))) .error(selectError("functional.alltypestiny"), onTable("functional", - "alltypestiny", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)), - onTable("functional", "alltypes", TPrivilegeLevel.INSERT)); + "alltypestiny", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT)), onTable("functional", "alltypes", + TPrivilegeLevel.INSERT)); } // Insert with select on a target view. @@ -672,24 +755,31 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("insert into functional.alltypes partition(month, year) " + "select * from functional.alltypes_view where id < 100") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL), onTable("functional", "alltypes_view", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER), + onTable("functional", "alltypes_view", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.INSERT), onTable("functional", "alltypes_view", TPrivilegeLevel.SELECT)) .error(selectError("functional.alltypes_view")) .error(selectError("functional.alltypes_view"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.INSERT, + TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypes_view"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT, + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT))) .error(insertError("functional.alltypes"), onTable("functional", "alltypes_view", TPrivilegeLevel.SELECT), onTable("functional", - "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT))) + "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.INSERT))) .error(selectError("functional.alltypes_view"), onTable("functional", - "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)), + "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT)), onTable("functional", "alltypes", TPrivilegeLevel.INSERT)); // Insert with inline view. @@ -697,31 +787,41 @@ public class AuthorizationStmtTest extends FrontendTestBase { "select b.* from functional.alltypesagg a join (select * from " + "functional.alltypestiny) b on (a.int_col = b.int_col)") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL), onTable("functional", "alltypesagg", TPrivilegeLevel.ALL), onTable("functional", "alltypestiny", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER), + onTable("functional", "alltypesagg", TPrivilegeLevel.OWNER), + onTable("functional", "alltypestiny", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.INSERT), onTable("functional", "alltypesagg", TPrivilegeLevel.SELECT), onTable("functional", "alltypestiny", TPrivilegeLevel.SELECT)) .error(selectError("functional.alltypesagg")) .error(selectError("functional.alltypesagg"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.INSERT, + TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypesagg"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.INSERT, + TPrivilegeLevel.SELECT))) .error(insertError("functional.alltypes"), onTable("functional", "alltypesagg", TPrivilegeLevel.SELECT), onTable("functional", "alltypestiny", TPrivilegeLevel.SELECT), onTable("functional", - "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT))) + "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.INSERT))) .error(selectError("functional.alltypesagg"), onTable("functional", - "alltypesagg", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)), + "alltypesagg", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT)), onTable("functional", "alltypestiny", TPrivilegeLevel.SELECT), onTable("functional", "alltypes", TPrivilegeLevel.INSERT)) .error(selectError("functional.alltypestiny"), onTable("functional", "alltypesagg", TPrivilegeLevel.SELECT), onTable("functional", - "alltypestiny", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)), + "alltypestiny", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT)), onTable("functional", "alltypes", TPrivilegeLevel.INSERT)); // Inserting into a view is not allowed. @@ -763,18 +863,22 @@ public class AuthorizationStmtTest extends FrontendTestBase { // Truncate a table. authorize("truncate table functional.alltypes") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.INSERT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.INSERT)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.INSERT)) .error(insertError("functional.alltypes")) .error(insertError("functional.alltypes"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.INSERT))) .error(insertError("functional.alltypes"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.INSERT))) .error(insertError("functional.alltypes"), onTable("functional", "alltypes", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.INSERT))); // Truncate a non-existent database. authorize("truncate table nodb.alltypes") @@ -795,18 +899,31 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("load data inpath 'hdfs://localhost:20500/test-warehouse/tpch.lineitem' " + "into table functional.alltypes partition(month=10, year=2009)") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.ALL), onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER), + onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem", + TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.INSERT), onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.INSERT), + onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem", + TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL), onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER), + onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem", + TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.INSERT), onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.INSERT), + onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem", + TPrivilegeLevel.OWNER)) .error(insertError("functional.alltypes")) .error(accessError("hdfs://localhost:20500/test-warehouse/tpch.lineitem"), onDatabase("functional", TPrivilegeLevel.INSERT)) @@ -814,7 +931,10 @@ public class AuthorizationStmtTest extends FrontendTestBase { onTable("functional", "alltypes", TPrivilegeLevel.INSERT)) .error(insertError("functional.alltypes"), onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem", - TPrivilegeLevel.ALL)); + TPrivilegeLevel.ALL)) + .error(insertError("functional.alltypes"), + onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem", + TPrivilegeLevel.OWNER)); // Load from non-existent URI. authorize("load data inpath 'hdfs://localhost:20500/test-warehouse/nouri' " + @@ -830,14 +950,18 @@ public class AuthorizationStmtTest extends FrontendTestBase { "into table nodb.alltypes partition(month=10, year=2009)") .error(insertError("nodb.alltypes")) .error(insertError("nodb.alltypes"), onUri( - "hdfs://localhost:20500/test-warehouse/tpch.nouri", TPrivilegeLevel.ALL)); + "hdfs://localhost:20500/test-warehouse/tpch.nouri", TPrivilegeLevel.ALL)) + .error(insertError("nodb.alltypes"), onUri( + "hdfs://localhost:20500/test-warehouse/tpch.nouri", TPrivilegeLevel.OWNER)); // Load into non-existent table. authorize("load data inpath 'hdfs://localhost:20500/test-warehouse/tpch.lineitem' " + "into table functional.notbl partition(month=10, year=2009)") .error(insertError("functional.notbl")) .error(insertError("functional.notbl"), onUri( - "hdfs://localhost:20500/test-warehouse/tpch.nouri", TPrivilegeLevel.ALL)); + "hdfs://localhost:20500/test-warehouse/tpch.nouri", TPrivilegeLevel.ALL)) + .error(insertError("functional.notbl"), onUri( + "hdfs://localhost:20500/test-warehouse/tpch.nouri", TPrivilegeLevel.OWNER)); // Load into a view is not supported. authorize("load data inpath 'hdfs://localhost:20500/test-warehouse/tpch.lineitem' " + @@ -850,6 +974,7 @@ public class AuthorizationStmtTest extends FrontendTestBase { // Invalidate metadata on server. authorize("invalidate metadata") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.REFRESH)) .error(refreshError("server")); @@ -859,28 +984,33 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("invalidate metadata functional." + name), authorize("refresh functional." + name)}) { test.ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.REFRESH)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.REFRESH)) .ok(onTable("functional", name, TPrivilegeLevel.ALL)) + .ok(onTable("functional", name, TPrivilegeLevel.OWNER)) .ok(onTable("functional", name, TPrivilegeLevel.REFRESH)) .error(refreshError("functional." + name)) .error(refreshError("functional." + name), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.REFRESH))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.REFRESH))) .error(refreshError("functional." + name), onTable("functional", name, - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.REFRESH))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.REFRESH))); } } authorize("refresh functions functional") .ok(onServer(TPrivilegeLevel.REFRESH)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.REFRESH)) .error(refreshError("functional")) .error(refreshError("functional"), onServer(allExcept(TPrivilegeLevel.ALL, - TPrivilegeLevel.REFRESH))) + TPrivilegeLevel.OWNER, TPrivilegeLevel.REFRESH))) .error(refreshError("functional"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.REFRESH))); + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.REFRESH))); // Reset metadata in non-existent database. authorize("invalidate metadata nodb").error(refreshError("default.nodb")); @@ -1187,69 +1317,81 @@ public class AuthorizationStmtTest extends FrontendTestBase { // Compute stats. authorize("compute stats functional.alltypes") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT)) .error(alterError("functional.alltypes")) .error(alterError("functional.alltypes"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER, + TPrivilegeLevel.SELECT))) .error(alterError("functional.alltypes"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT))) .error(alterError("functional.alltypes"), onTable("functional", "alltypes", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT))); // Compute stats on database that does not exist. authorize("compute stats nodb.notbl") .error(alterError("nodb.notbl")) .error(alterError("nodb.notbl"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER, + TPrivilegeLevel.SELECT))) .error(alterError("nodb.notbl"), onDatabase("nodb", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT))); + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER, + TPrivilegeLevel.SELECT))); // Compute stats on table that does not exist. authorize("compute stats functional.notbl") .error(alterError("functional.notbl")) .error(alterError("functional.notbl"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER, + TPrivilegeLevel.SELECT))) .error(alterError("functional.notbl"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT))); + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER, + TPrivilegeLevel.SELECT))); // Drop stats. authorize("drop stats functional.alltypes") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.ALTER)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.ALTER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALTER)) .error(alterError("functional.alltypes")) .error(alterError("functional.alltypes"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER))) .error(alterError("functional.alltypes"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER))) .error(alterError("functional.alltypes"), onTable("functional", "alltypes", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.ALTER))); // Drop stats on database that does not exist. authorize("drop stats nodb.notbl") .error(alterError("nodb.notbl")) .error(alterError("nodb.notbl"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER))) .error(alterError("nodb.notbl"), onDatabase("nodb", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER))); + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER))); // Drop stats on table that does not exist. authorize("drop stats functional.notbl") .error(alterError("functional.notbl")) .error(alterError("functional.notbl"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER))) .error(alterError("functional.notbl"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER))); + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER))); } @Test @@ -1258,22 +1400,29 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("create database newdb"), authorize("create database if not exists newdb")}) { test.ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.CREATE)) .error(createError("newdb")) .error(createError("newdb"), onServer(allExcept(TPrivilegeLevel.ALL, - TPrivilegeLevel.CREATE))); + TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE))); } // Create a database with a specific location. authorize("create database newdb location " + "'hdfs://localhost:20500/test-warehouse/new_location'") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.CREATE), onUri( "hdfs://localhost:20500/test-warehouse/new_location", TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.CREATE), onUri( + "hdfs://localhost:20500/test-warehouse/new_location", TPrivilegeLevel.OWNER)) .error(createError("newdb")) .error(createError("newdb"), onServer(allExcept(TPrivilegeLevel.ALL, - TPrivilegeLevel.CREATE)), onUri( + TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onUri( "hdfs://localhost:20500/test-warehouse/new_location", TPrivilegeLevel.ALL)) + .error(createError("newdb"), onServer(allExcept(TPrivilegeLevel.ALL, + TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onUri( + "hdfs://localhost:20500/test-warehouse/new_location", TPrivilegeLevel.OWNER)) .error(accessError("hdfs://localhost:20500/test-warehouse/new_location"), onServer(TPrivilegeLevel.CREATE)); @@ -1283,11 +1432,12 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("create database if not exists functional")}) { test.error(createError("functional")) .error(createError("functional"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE))); + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE))); } authorize("create database if not exists _impala_builtins") - .error(systemDbError(), onServer(TPrivilegeLevel.ALL)); + .error(systemDbError(), onServer(TPrivilegeLevel.ALL)) + .error(systemDbError(), onServer(TPrivilegeLevel.OWNER)); } @Test @@ -1296,20 +1446,24 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("create table functional.new_table(i int)"), authorize("create external table functional.new_table(i int)")}) { test.ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.CREATE)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.CREATE)) .error(createError("functional"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE))) .error(createError("functional"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE))); + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE))); } // Create table like. authorize("create table functional.new_table like functional.alltypes") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(join(viewMetadataPrivileges(), TPrivilegeLevel.CREATE))) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", join(viewMetadataPrivileges(), TPrivilegeLevel.CREATE))) .ok(onDatabase("functional"), onDatabase("functional", TPrivilegeLevel.CREATE), @@ -1318,9 +1472,10 @@ public class AuthorizationStmtTest extends FrontendTestBase { .error(accessError("functional.alltypes"), onServer(allExcept( join(viewMetadataPrivileges(), TPrivilegeLevel.CREATE)))) .error(createError("functional"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE, + TPrivilegeLevel.SELECT))) .error(createError("functional"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)), onTable( + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onTable( "functional", "alltypes", viewMetadataPrivileges())) .error(accessError("functional.alltypes"), onDatabase("functional", TPrivilegeLevel.CREATE), onTable("functional", "alltypes", allExcept( @@ -1332,9 +1487,9 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("create table if not exists functional.alltypes(i int)")}) { test.error(createError("functional")) .error(createError("functional"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE))) .error(createError("functional"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE))); + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE))); } // CTAS. @@ -1345,9 +1500,11 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("explain create table functional.new_table as " + "select int_col from functional.alltypes")}) { test.ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)) .ok(onDatabase("functional"), onDatabase("functional", TPrivilegeLevel.CREATE, @@ -1356,32 +1513,44 @@ public class AuthorizationStmtTest extends FrontendTestBase { .ok(onDatabase("functional"), onDatabase("functional", TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT), onColumn("functional", "alltypes", "int_col", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional"), onDatabase("functional", TPrivilegeLevel.CREATE, + TPrivilegeLevel.INSERT), onColumn("functional", "alltypes", "int_col", + TPrivilegeLevel.OWNER)) .error(createError("functional")) .error(createError("functional"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT, - TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE, + TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT))) .error(createError("functional"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT, - TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE, + TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT))) .error(createError("functional"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT)), + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE, + TPrivilegeLevel.INSERT)), onTable("functional", "alltypes", TPrivilegeLevel.SELECT)) .error(selectError("functional"), onDatabase("functional", TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT), onTable("functional", - "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))); + "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))); } // Table with a specific location. authorize("create table functional.new_table(i int) location " + "'hdfs://localhost:20500/test-warehouse/new_table'") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.CREATE), onUri("hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.CREATE), + onUri("hdfs://localhost:20500/test-warehouse/new_table", + TPrivilegeLevel.OWNER)) .error(createError("functional"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE))) .error(createError("functional"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)), onUri( + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onUri( "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.ALL)) + .error(createError("functional"), onDatabase("functional", allExcept( + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onUri( + "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.OWNER)) .error(accessError("hdfs://localhost:20500/test-warehouse/new_table"), onDatabase("functional", TPrivilegeLevel.CREATE)); @@ -1389,65 +1558,93 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("create external table functional.new_table(i int) location " + "'hdfs://localhost:20500/test-warehouse/UPPER_CASE/test'") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.CREATE), onUri("hdfs://localhost:20500/test-warehouse/UPPER_CASE/test", TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.CREATE), + onUri("hdfs://localhost:20500/test-warehouse/UPPER_CASE/test", + TPrivilegeLevel.OWNER)) // Wrong case letters on URI. .error(accessError("hdfs://localhost:20500/test-warehouse/UPPER_CASE/test"), onServer(TPrivilegeLevel.CREATE), onUri("hdfs://localhost:20500/test-warehouse/upper_case/test", TPrivilegeLevel.ALL)) + .error(accessError("hdfs://localhost:20500/test-warehouse/UPPER_CASE/test"), + onServer(TPrivilegeLevel.CREATE), + onUri("hdfs://localhost:20500/test-warehouse/upper_case/test", + TPrivilegeLevel.OWNER)) .error(createError("functional"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE))) .error(createError("functional"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)), onUri( + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onUri( "hdfs://localhost:20500/test-warehouse/UPPER_CASE/test", TPrivilegeLevel.ALL)) + .error(createError("functional"), onDatabase("functional", allExcept( + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onUri( + "hdfs://localhost:20500/test-warehouse/UPPER_CASE/test", + TPrivilegeLevel.OWNER)) .error(accessError("hdfs://localhost:20500/test-warehouse/UPPER_CASE/test"), onDatabase("functional", TPrivilegeLevel.CREATE)); authorize("create table functional.new_table like parquet " + "'hdfs://localhost:20500/test-warehouse/schemas/alltypestiny.parquet'") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.CREATE), onUri("hdfs://localhost:20500/test-warehouse/schemas/alltypestiny.parquet", TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.CREATE), + onUri("hdfs://localhost:20500/test-warehouse/schemas/alltypestiny.parquet", + TPrivilegeLevel.OWNER)) .error(accessError( "hdfs://localhost:20500/test-warehouse/schemas/alltypestiny.parquet"), - onServer(allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE))) + onServer(allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.CREATE))) .error(createError("functional"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)), onUri( + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onUri( "hdfs://localhost:20500/test-warehouse/schemas/alltypestiny.parquet", TPrivilegeLevel.ALL)) + .error(createError("functional"), onDatabase("functional", allExcept( + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onUri( + "hdfs://localhost:20500/test-warehouse/schemas/alltypestiny.parquet", + TPrivilegeLevel.OWNER)) .error(accessError( "hdfs://localhost:20500/test-warehouse/schemas/alltypestiny.parquet"), onDatabase("functional", TPrivilegeLevel.CREATE)); authorize("create table if not exists _impala_builtins.new_table(i int)") - .error(systemDbError(), onServer(TPrivilegeLevel.ALL)); + .error(systemDbError(), onServer(TPrivilegeLevel.ALL)) + .error(systemDbError(), onServer(TPrivilegeLevel.OWNER)); - // IMPALA-4000: Only users with ALL privileges on SERVER may create external Kudu - // tables. + // IMPALA-4000: Only users with ALL/OWNER privileges on SERVER may create external + // Kudu tables. authorize("create external table functional.kudu_tbl stored as kudu " + "tblproperties ('kudu.master_addresses'='127.0.0.1', 'kudu.table_name'='tbl')") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .error(createError("functional")) - .error(accessError("server1"), onServer(allExcept(TPrivilegeLevel.ALL))) - .error(accessError("server1"), onDatabase("functional", TPrivilegeLevel.ALL)); + .error(accessError("server1"), onServer(allExcept(TPrivilegeLevel.ALL, + TPrivilegeLevel.OWNER))) + .error(accessError("server1"), onDatabase("functional", TPrivilegeLevel.ALL)) + .error(accessError("server1"), onDatabase("functional", TPrivilegeLevel.OWNER)); - // IMPALA-4000: ALL privileges on SERVER are not required to create managed tables. + // IMPALA-4000: ALL/OWNER privileges on SERVER are not required to create managed + // tables. authorize("create table functional.kudu_tbl (i int, j int, primary key (i))" + " partition by hash (i) partitions 9 stored as kudu") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.CREATE)) .error(createError("functional")) .error(createError("functional"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE))) .error(createError("functional"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE))); + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE))); // IMPALA-6451: CTAS for Kudu tables on non-external tables and without - // TBLPROPERTIES ('kudu.master_addresses') should not require ALL privileges + // TBLPROPERTIES ('kudu.master_addresses') should not require ALL/OWNER privileges // on SERVER. // The statement below causes the SQL statement to be rewritten. authorize("create table functional.kudu_tbl primary key (bigint_col) " + @@ -1456,22 +1653,24 @@ public class AuthorizationStmtTest extends FrontendTestBase { "from functional.alltypes " + "where exists (select 1 from functional.alltypes)") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)) .error(createError("functional")) .error(createError("functional"), onServer(allExcept(TPrivilegeLevel.ALL, - TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT, + TPrivilegeLevel.SELECT))) .error(createError("functional"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT, - TPrivilegeLevel.SELECT))); + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE, + TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT))); // Database does not exist. authorize("create table nodb.new_table(i int)") .error(createError("nodb")) .error(createError("nodb"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE))) .error(createError("nodb"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE))); + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE))); } @Test @@ -1482,35 +1681,44 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("create view functional.new_view(a) as " + "select int_col from functional.alltypes")}) { test.ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.CREATE, TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.CREATE, TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.CREATE), onTable( "functional", "alltypes", TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.CREATE), onColumn( "functional", "alltypes", "int_col", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.CREATE), onColumn( + "functional", "alltypes", "int_col", TPrivilegeLevel.OWNER)) .error(selectError("functional.alltypes")) .error(selectError("functional.alltypes"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE, + TPrivilegeLevel.SELECT))) .error(createError("functional"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE))) .error(selectError("functional.alltypes"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypes"), onTable("functional", "alltypes", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))); } // View with constant select. authorize("create view functional.new_view as select 1") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.CREATE)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.CREATE)) .error(createError("functional")) .error(createError("functional"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE, + TPrivilegeLevel.SELECT))) .error(createError("functional"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE))); + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE))); // View already exists. for (AuthzTest test: new AuthzTest[]{ @@ -1520,25 +1728,28 @@ public class AuthorizationStmtTest extends FrontendTestBase { "select int_col from functional.alltypes")}) { test.error(selectError("functional.alltypes")) .error(selectError("functional.alltypes"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE, + TPrivilegeLevel.SELECT))) .error(createError("functional"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE))) .error(selectError("functional.alltypes"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT))) .error(selectError("functional.alltypes"), onTable("functional", "alltypes", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.SELECT))); } authorize("create view if not exists _impala_builtins.new_view as select 1") - .error(systemDbError(), onServer(TPrivilegeLevel.ALL)); + .error(systemDbError(), onServer(TPrivilegeLevel.ALL)) + .error(systemDbError(), onServer(TPrivilegeLevel.OWNER)); // Database does not exist. authorize("create view nodb.new_view as select 1") .error(createError("nodb")) .error(createError("nodb"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE))) .error(createError("nodb"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE))); + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE))); } @Test @@ -1548,14 +1759,17 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("drop database functional cascade"), authorize("drop database functional restrict")}) { test.ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.DROP)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.DROP)) .error(dropError("functional")) .error(dropError("functional"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))) .error(dropError("functional"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.DROP))); } // Database does not exist. @@ -1565,7 +1779,8 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("drop database nodb restrict")}) { test.error(dropError("nodb")) .error(dropError("nodb"), onServer( - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.DROP))); } // Database does not exist but with if exists clause. @@ -1574,117 +1789,132 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("drop database if exists nodb cascade"), authorize("drop database if exists nodb restrict")}) { test.ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.DROP)) .error(dropError("nodb")) .error(dropError("nodb"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))); + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))); } - // Dropping system database is not allowed even if with ALL privilege on server. + // Dropping system database is not allowed even if with ALL/OWNER privilege on server. authorize("drop database _impala_builtins") - .error(systemDbError(), onServer(TPrivilegeLevel.ALL)); + .error(systemDbError(), onServer(TPrivilegeLevel.ALL)) + .error(systemDbError(), onServer(TPrivilegeLevel.OWNER)); } @Test public void testDropTable() throws ImpalaException { authorize("drop table functional.alltypes") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.DROP)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.DROP)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.DROP)) .error(dropError("functional.alltypes")) .error(dropError("functional.alltypes"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))) .error(dropError("functional.alltypes"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))) .error(dropError("functional.alltypes"), onTable("functional", "alltypes", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))); // Database/Table does not exist. authorize("drop table nodb.notbl") .error(dropError("nodb.notbl")) .error(dropError("nodb.notbl"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))) .error(dropError("nodb.notbl"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))); // Table does not exist. authorize("drop table functional.notbl") .error(dropError("functional.notbl")) .error(dropError("functional.notbl"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))) .error(dropError("functional.notbl"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))); // Table does not exist but with if exists clause. authorize("drop table if exists functional.notbl") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.DROP)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.DROP)) .error(dropError("functional.notbl")) .error(dropError("functional.notbl"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))) .error(dropError("functional.notbl"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))); - // Dropping any tables in the system database is not allowed even with ALL privilege - // on server. + // Dropping any tables in the system database is not allowed even with ALL/OWNER + // privilege on server. authorize("drop table _impala_builtins.tbl") - .error(systemDbError(), onServer(TPrivilegeLevel.ALL)); + .error(systemDbError(), onServer(TPrivilegeLevel.ALL)) + .error(systemDbError(), onServer(TPrivilegeLevel.OWNER)); } @Test public void testDropView() throws ImpalaException { authorize("drop view functional.alltypes_view") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.DROP)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.DROP)) .ok(onTable("functional", "alltypes_view", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes_view", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes_view", TPrivilegeLevel.DROP)) .error(dropError("functional.alltypes_view")) .error(dropError("functional.alltypes_view"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))) .error(dropError("functional.alltypes_view"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))) .error(dropError("functional.alltypes_view"), onTable("functional", - "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))); + "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.DROP))); // Database does not exist. authorize("drop view nodb.noview") .error(dropError("nodb.noview")) .error(dropError("nodb.noview"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))) .error(dropError("nodb.noview"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))); // View does not exist. authorize("drop table functional.noview") .error(dropError("functional.noview")) .error(dropError("functional.noview"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))) .error(dropError("functional.noview"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))); // View does not exist but with if exists clause. authorize("drop table if exists functional.noview") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.DROP)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.DROP)) .error(dropError("functional.noview")) .error(dropError("functional.noview"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))) .error(dropError("functional.noview"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP))); - // Dropping any views in the system database is not allowed even with ALL privilege - // on server. + // Dropping any views in the system database is not allowed even with ALL/OWNER + // privilege on server. authorize("drop table _impala_builtins.v") - .error(systemDbError(), onServer(TPrivilegeLevel.ALL)); + .error(systemDbError(), onServer(TPrivilegeLevel.ALL)) + .error(systemDbError(), onServer(TPrivilegeLevel.OWNER)); } @Test @@ -1715,37 +1945,45 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("alter table functional.alltypes set owner user foo_owner"), authorize("alter table functional.alltypes set owner role foo_owner")}) { test.ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.ALTER)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.ALTER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALTER)) .error(alterError("functional.alltypes")) .error(alterError("functional.alltypes"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER))) .error(alterError("functional.alltypes"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER))) .error(alterError("functional.alltypes"), onTable("functional", "alltypes", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER))); + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.ALTER))); } // Alter table rename. authorize("alter table functional.alltypes rename to functional.new_table") .ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.ALTER, TPrivilegeLevel.CREATE)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.ALTER, TPrivilegeLevel.CREATE)) .ok(onDatabase("functional", TPrivilegeLevel.CREATE), onTable("functional", "alltypes", TPrivilegeLevel.ALTER)) .error(alterError("functional.alltypes")) .error(alterError("functional.alltypes"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilegeLevel.CREATE))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER, + TPrivilegeLevel.CREATE))) .error(alterError("functional.alltypes"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilegeLevel.CREATE))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER, + TPrivilegeLevel.CREATE))) .error(alterError("functional.alltypes"), onDatabase("functional", TPrivilegeLevel.CREATE), onTable("functional", "alltypes", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER))) .error(createError("functional"), onDatabase("functional", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)), + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.CREATE)), onTable("functional", "alltypes", TPrivilegeLevel.ALTER)); // Only for Kudu tables. @@ -1759,18 +1997,23 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("alter table functional_kudu.testtbl drop range partition " + "1 < values < 2")}) { test.ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.ALTER)) .ok(onDatabase("functional_kudu", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional_kudu", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional_kudu", TPrivilegeLevel.ALTER)) .ok(onTable("functional_kudu", "testtbl", TPrivilegeLevel.ALL)) + .ok(onTable("functional_kudu", "testtbl", TPrivilegeLevel.OWNER)) .ok(onTable("functional_kudu", "testtbl", TPrivilegeLevel.ALTER)) .error(alterError("functional_kudu.testtbl")) .error(alterError("functional_kudu.testtbl"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER))) .error(alterError("functional_kudu.testtbl"), onDatabase("functional_kudu", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER))) + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.ALTER))) .error(alterError("functional_kudu.testtbl"), onTable("functional_kudu", - "testtbl", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER))); + "testtbl", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.ALTER))); } // Alter table set location. @@ -1780,25 +2023,38 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("alter table functional.alltypes partition(year=2009, month=1) " + "set location 'hdfs://localhost:20500/test-warehouse/new_table'")}) { test.ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.ALTER), onUri( "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.ALTER), onUri( + "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.ALL), onUri( "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER), onUri( + "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.ALTER), onUri( "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.ALTER), onUri( + "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL), onUri( "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER), onUri( + "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.OWNER)) .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALTER), onUri( "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.ALL)) + .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALTER), onUri( + "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.OWNER)) .error(alterError("functional.alltypes")) .error(alterError("functional.alltypes"), - onServer(allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)), + onServer(allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.ALTER)), onUri("hdfs://localhost:20500/test-warehouse/new_table")) .error(alterError("functional.alltypes"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)), + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)), onUri("hdfs://localhost:20500/test-warehouse/new_table")) .error(alterError("functional.alltypes"), onTable("functional", "alltypes", - allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)), + allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, + TPrivilegeLevel.ALTER)), onUri("hdfs://localhost:20500/test-warehouse/new_table")) .error(accessError("hdfs://localhost:20500/test-warehouse/new_table"), onDatabase("functional", TPrivilegeLevel.ALTER)) @@ -1810,15 +2066,15 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("alter table nodb.alltypes add columns(c1 int)") .error(alterError("nodb")) .error(alterError("nodb"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER))); + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER))); // Table does not exist. authorize("alter table functional.notbl add columns(c1 int)") .error(alterError("functional.notbl")) .error(alterError("functional.notbl"), onServer(allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER))) + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER))) .error(alterError("functional.notbl"), onDatabase("functional", allExcept( - TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER))); + TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER))); } @Test @@ -1829,95 +2085,115 @@ public class AuthorizationStmtTest extends FrontendTestBase { authorize("alter view functional.alltypes_view(a) as " + "select int_col from functional.alltypes")}) { test.ok(onServer(TPrivilegeLevel.ALL)) + .ok(onServer(TPrivilegeLevel.OWNER)) .ok(onServer(TPrivilegeLevel.ALTER), onTable("functional", "alltypes", TPrivilegeLevel.SELECT)) .ok(onDatabase("functional", TPrivilegeLevel.ALL)) + .ok(onDatabase("functional", TPrivilegeLevel.OWNER)) .ok(onDatabase("functional", TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilege
<TRUNCATED>
