Repository: incubator-ranger Updated Branches: refs/heads/ranger-0.5 5be2cdba7 -> a2b96f64e
RANGER-772 Hive plugin: IMPORT table should authorize database level create privilage if IMPORT can lead to table creation Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/a2b96f64 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/a2b96f64 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/a2b96f64 Branch: refs/heads/ranger-0.5 Commit: a2b96f64e3b124236dd83c36f2a5c8ba6d185307 Parents: 5be2cdb Author: Alok Lal <[email protected]> Authored: Mon Dec 7 17:30:07 2015 -0800 Committer: Alok Lal <[email protected]> Committed: Tue Dec 8 15:57:17 2015 -0800 ---------------------------------------------------------------------- .../hive/authorizer/RangerHiveAuthorizer.java | 15 +++++++++++++++ 1 file changed, 15 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2b96f64/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java index 7aaf8a1..eb2ea1e 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java @@ -304,6 +304,9 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { } for(RangerHiveAccessRequest request : requests) { + if (LOG.isDebugEnabled()) { + LOG.debug("request: " + request); + } RangerHiveResource resource = (RangerHiveResource)request.getResource(); RangerAccessResult result = null; 
@@ -641,6 +644,18 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { break; case IMPORT: + /* + This can happen during hive IMPORT command IFF a table is also being created as part of IMPORT. + If so then + - this would appear in the outputHObjs, i.e. accessType == false + - user then must have CREATE permission on the database + + During IMPORT commnad it is not possible for a database to be in inputHObj list. Thus returning SELECT + when accessType==true is never expacted to be hit in practice. + */ + accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.CREATE; + break; + case EXPORT: case LOAD: accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.UPDATE;
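Review bot: In the new `case IMPORT:` branch, the path the comment itself calls never expected (`isInput` true) silently resolves to `HiveAccessType.SELECT`, the weaker of the two privileges, so if a database object ever does appear among the inputs of an IMPORT, the authorizer asks for less than CREATE and nothing records that the assumption was violated. Because this is an authorization decision, I would make that path observable, for example `if (isInput) { LOG.warn("IMPORT: unexpected database object in inputs; authorizing as SELECT"); }` ahead of the assignment, or map it to the stricter privilege if the assumption is considered firm. The comment also writes `accessType == false` / `accessType==true` where the boolean actually tested is `isInput`, and contains the typos "commnad" and "expacted"; wording it as `isInput == false` / `isInput == true` would match the code. The enclosing switch and method begin and end outside this hunk, so which object types reach this case can only be inferred from the comment.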
