Repository: sentry Updated Branches: refs/heads/master 74d7d3ad7 -> e0bdf3e65
SENTRY-1231: Sentry doesn't secure index location uri, when do "CREATE INDEX LOCATION ''/uri" (Sergio Pena, reviewed by kalyan kumar kalvagadda)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/e0bdf3e6
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/e0bdf3e6
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/e0bdf3e6
Branch: refs/heads/master
Commit: e0bdf3e65c0e999d2190269ae497a3c03a449462
Parents: 74d7d3a
Author: Sergio Pena <[email protected]>
Authored: Tue Oct 17 12:42:52 2017 -0500
Committer: Sergio Pena <[email protected]>
Committed: Tue Oct 17 12:42:52 2017 -0500
----------------------------------------------------------------------
 .../binding/hive/HiveAuthzBindingHook.java | 1 +
 .../hive/authz/HiveAuthzBindingHookBase.java | 23 +++++++++++++++++++
 .../hive/authz/HiveAuthzPrivilegesMap.java | 2 ++
 .../tests/e2e/hive/TestOperationsPart2.java | 24 ++++++++++++++++++++
 4 files changed, 50 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/e0bdf3e6/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index f1531ed..802bf9c 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -148,6 +148,7 @@ public class HiveAuthzBindingHook extends HiveAuthzBindingHookBase {
 case HiveParser.TOK_UNLOCKTABLE:
 currTab = extractTable((ASTNode)ast.getFirstChildWithType(HiveParser.TOK_TABNAME));
 currDB = extractDatabase((ASTNode) ast.getChild(0));
+ indexURI = extractTableLocation(ast);//As index location is captured using token HiveParser.TOK_TABLELOCATION
 break;
 case HiveParser.TOK_ALTERINDEX_REBUILD:
 currTab = extractTable((ASTNode)ast.getChild(0)); //type is not TOK_TABNAME
http://git-wip-us.apache.org/repos/asf/sentry/blob/e0bdf3e6/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
index b4f220e..2e299a9 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
@@ -90,6 +90,7 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
 protected List<AccessURI> udfURIs;
 protected AccessURI serdeURI;
 protected AccessURI partitionURI;
+ protected AccessURI indexURI;
 protected Table currOutTab = null;
 protected Database currOutDB = null;
 protected final List<String> serdeWhiteList;
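Review bot: The new `indexURI = extractTableLocation(ast);` runs for every statement that reaches this case body, and the hunk shows only the last label (`TOK_UNLOCKTABLE`) — any labels falling through into it sit outside the hunk, so the call also executes for statements that can never carry a LOCATION clause. That is harmless, because `extractTableLocation` returns null when `TOK_TABLELOCATION` is absent, but the trailing `//As index location is captured using token HiveParser.TOK_TABLELOCATION` restates the call rather than saying this, and is glued to the `;` without a space unlike the `//type is not TOK_TABNAME` comment two lines below. I would write `indexURI = extractTableLocation(ast); // null unless this is CREATE INDEX ... LOCATION; the clause reuses TOK_TABLELOCATION`. The enclosing switch starts and ends outside the hunk.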
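Review bot: The added `protected AccessURI indexURI;` carries no documentation, like its neighbours `serdeURI` and `partitionURI`, yet its null-means-absent contract is exactly what the `if(indexURI != null)` guard in the hierarchy code relies on to decide whether a URI privilege is demanded at all. A one-line Javadoc would pin that down: `/** URI from the LOCATION clause of CREATE INDEX; null when the statement has none, in which case no URI privilege is required. */`. The class body continues outside the hunk.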
@@ -290,6 +291,24 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
 }
 }
+ protected static AccessURI extractTableLocation(ASTNode ast) throws SemanticException {
+ ASTNode locationChild = (ASTNode)ast.getFirstChildWithType(HiveParser.TOK_TABLELOCATION);
+ if (locationChild == null) {
+ LOG.debug("Token HiveParser.TOK_TABLELOCATION not found in ast. " +
+ "This means command does not have a location clause");
+ return null;
+ }
+
+ if (locationChild.getChildCount() != 1) {
+ LOG.error("Found Token HiveParser.TOK_TABLELOCATION, but was expecting the URI as its only " +
+ "child. This means it is possible that permissions on the URI are not checked for this " +
+ "command ");
+ return null;
+ }
+
+ return parseURI(BaseSemanticAnalyzer.unescapeSQLString(locationChild.getChild(0).getText()));
+ }
+
 public static void runFailureHook(SentryOnFailureHookContext hookContext, String csHooks) {
 try {
@@ -371,6 +390,10 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
 inputHierarchy.add(ImmutableList.of(hiveAuthzBinding.getAuthServer(), partitionURI));
 }
+ if(indexURI != null) {
+ outputHierarchy.add(ImmutableList.of(hiveAuthzBinding.getAuthServer(), indexURI));
+ }
+
 getInputHierarchyFromInputs(inputHierarchy, inputs);
 for (WriteEntity writeEntity: outputs) {
 if (filterWriteEntity(writeEntity)) {
http://git-wip-us.apache.org/repos/asf/sentry/blob/e0bdf3e6/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index 2a215c4..ffa193f 100644
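Review bot: The `locationChild.getChildCount() != 1` branch in `extractTableLocation` fails open: it logs an error and returns null, and null is precisely the value that makes the caller skip the URI authorization, so an AST shape the code does not understand yields no check instead of a rejection — the log message itself concedes that "permissions on the URI are not checked". The method already declares `throws SemanticException`, so fail closed: `throw new SemanticException("Unexpected TOK_TABLELOCATION shape: expected the URI as its only child, found " + locationChild.getChildCount());`. A Javadoc stating that null is returned only when the statement has no LOCATION clause, and that the child text is SQL-unescaped before `parseURI`, would also help; `parseURI` itself is not visible in this hunk.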
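Review bot: `if(indexURI != null) {` drops the space after `if` that the surrounding code uses (`if (filterWriteEntity(writeEntity)) {` two lines below); write `if (indexURI != null) {`. The block also deserves a why-comment, since it is the one URI here that goes to `outputHierarchy` while `partitionURI` directly above goes to `inputHierarchy` — presumably because index data is written under the LOCATION, which the hunk does not show. Something like `// LOCATION of CREATE INDEX is checked as an output URI (contrast partitionURI above); see indexTablePrivilege` would make the asymmetry deliberate rather than accidental. The enclosing method starts and ends outside the hunk.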
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -77,6 +77,8 @@ public class HiveAuthzPrivilegesMap {
 build();
 HiveAuthzPrivileges indexTablePrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
 addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INDEX)).
+ //Only used for create index location
+ addOutputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)).
 setOperationScope(HiveOperationScope.TABLE).
 setOperationType(HiveOperationType.DDL).
 build();
http://git-wip-us.apache.org/repos/asf/sentry/blob/e0bdf3e6/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
index 0e79ece..cf89b5d 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
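Review bot: The comment `//Only used for create index location` is terse for a privilege entry that is evaluated against every statement mapped to `indexTablePrivilege`, and whether that mapping covers more than CREATE INDEX is not visible in the hunk. The mechanism that makes the comment true is elsewhere in the commit: `indexURI` stays null unless a LOCATION clause is present, and a null URI adds nothing to the output hierarchy, so the requirement bites only for `CREATE INDEX ... LOCATION`. I would state that here: `// URI output privilege applies only when CREATE INDEX carries a LOCATION clause; indexURI is null otherwise, so no URI is checked`. If the other URI entries in this map also use `DBModelAction.ALL` (not shown), this is consistent with them; otherwise the choice of ALL deserves a word.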
@@ -112,9 +112,13 @@ public class TestOperationsPart2 extends AbstractTestWithStaticConfiguration {
 @Test
 public void testIndexTable() throws Exception {
 adminCreate(DB1, tableName, true);
+ String indexLocation = dfs.getBaseDir() + "/" + Math.random();
 policyFile
 .addPermissionsToRole("index_db1_tb1", privileges.get("index_db1_tb1"))
 .addRolesToGroup(USERGROUP1, "index_db1_tb1")
+ .addRolesToGroup(USERGROUP3, "index_db1_tb1")
+ .addPermissionsToRole("uri_role", "server=server1->uri=" + indexLocation)
+ .addRolesToGroup(USERGROUP3, "uri_role")
 .addPermissionsToRole("insert_db1_tb1", privileges.get("insert_db1_tb1"))
 .addRolesToGroup(USERGROUP2, "insert_db1_tb1");
 writePolicyFile(policyFile);
@@ -148,6 +152,26 @@ public class TestOperationsPart2 extends AbstractTestWithStaticConfiguration {
 exec(statement, "DROP INDEX table01_index ON tb1");
 statement.close();
 connection.close();
+
+ //Positive case for location
+ connection = context.createConnection(USER3_1);
+ statement = context.createStatement(connection);
+ exec(statement, "Use " + DB1);
+ exec(statement, "CREATE INDEX table01_index ON TABLE tb1 (a) AS 'COMPACT' WITH DEFERRED REBUILD LOCATION '" +
+ indexLocation + "'");
+ exec(statement, "ALTER INDEX table01_index ON tb1 REBUILD");
+ exec(statement, "DROP INDEX table01_index ON tb1");
+ statement.close();
+ connection.close();
+
+ //Negative case
+ connection = context.createConnection(USER1_1);
+ statement = context.createStatement(connection);
+ exec(statement, "Use " + DB1);
+ assertSemanticException(statement, "CREATE INDEX table01_index ON TABLE tb1 (a) AS 'COMPACT' WITH DEFERRED REBUILD " +
+ "LOCATION '" + indexLocation + "'");
+ statement.close();
+ connection.close();
 }
 /* Test all operations that require drop on table alone
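Review bot: The negative case only covers a principal that holds INDEX on the table but no URI privilege (`USER1_1`); nothing checks the other half of the new requirement — that the URI privilege alone does not let a user create the index — nor that a location outside the granted URI is denied to `USER3_1`. I would add a group that receives only `uri_role` in the policy set up by the earlier hunk and run the same `assertSemanticException(statement, "CREATE INDEX table01_index ON TABLE tb1 (a) AS 'COMPACT' WITH DEFERRED REBUILD LOCATION '" + indexLocation + "'");` as that user, plus one attempt by `USER3_1` against a second path under `dfs.getBaseDir()` that was never granted, which must also fail. Each new connection/statement pair can follow the open/close pattern already used in this method.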
