Repository: incubator-ranger Updated Branches: refs/heads/master 8e1e54e65 -> 99121ecc5
RANGER-772 Hive plugin: IMPORT table should authorize database level create privilage if IMPORT can lead to table creation Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/99121ecc Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/99121ecc Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/99121ecc Branch: refs/heads/master Commit: 99121ecc50c617ad335508b1b6bffa61ca4ee3b2 Parents: 8e1e54e Author: Alok Lal <[email protected]> Authored: Mon Dec 7 17:30:07 2015 -0800 Committer: Alok Lal <[email protected]> Committed: Tue Dec 8 15:28:26 2015 -0800 ---------------------------------------------------------------------- .../hive/authorizer/RangerHiveAuthorizer.java | 15 +++++++++++++++ 1 file changed, 15 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/99121ecc/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java ---------------------------------------------------------------------- diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java index 5bbbb16..93b23e3 100644 --- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java +++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java @@ -309,6 +309,9 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { buildRequestContextWithAllAccessedResources(requests); for(RangerHiveAccessRequest request : requests) { + if (LOG.isDebugEnabled()) { + LOG.debug("request: " + request); + } RangerHiveResource resource = (RangerHiveResource)request.getResource(); RangerAccessResult result = null; 
@@ -655,6 +658,18 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase { break; case IMPORT: + /* + This can happen during hive IMPORT command IFF a table is also being created as part of IMPORT. + If so then + - this would appear in the outputHObjs, i.e. accessType == false + - user then must have CREATE permission on the database + + During IMPORT commnad it is not possible for a database to be in inputHObj list. Thus returning SELECT + when accessType==true is never expacted to be hit in practice. + */ + accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.CREATE; + break; + case EXPORT: case LOAD: accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.UPDATE;
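Review bot: The comment added under `case IMPORT:` states the condition as `accessType == false` / `accessType==true`, but `accessType` is the `HiveAccessType` being assigned on the next line and the boolean the code actually tests is `isInput`, so the comment does not match the authorization rule it documents. I would reword it in terms of `isInput` (an output object, `isInput == false`, requires CREATE on the database; an input object is not expected) and fix the typos "commnad" and "expacted". Because the input case is described as unreachable, it would help to make it visible if it ever occurs, e.g. `if (isInput) { LOG.warn("IMPORT: unexpected input object, authorizing as SELECT"); }` before the assignment, instead of silently authorizing against the weaker privilege. The enclosing switch and method start and end outside the hunk, so whether this branch is reached only for database-level objects cannot be confirmed from here.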
