Repository: sentry Updated Branches: refs/heads/master 2fc3374b9 -> 1fbb0aa41
SENTRY-2395: ALTER VIEW AS SELECT is asking for CREATE privileges instead of ALTER (Sergio Pena, reviewed by Na Li, kalyan kumar kalvagadda) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/1fbb0aa4 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/1fbb0aa4 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/1fbb0aa4 Branch: refs/heads/master Commit: 1fbb0aa4177cf80760f6b16952d4eb67265c50a7 Parents: 2fc3374 Author: Sergio Pena <[email protected]> Authored: Mon Sep 10 14:19:22 2018 -0500 Committer: Sergio Pena <[email protected]> Committed: Mon Sep 10 14:19:22 2018 -0500 ---------------------------------------------------------------------- .../binding/hive/HiveAuthzBindingHook.java | 8 +++++ .../hive/authz/HiveAuthzBindingHookBase.java | 33 ++++++++++++++++++-- .../hive/authz/HiveAuthzPrivilegesMap.java | 9 +++++- .../tests/e2e/hive/TestOperationsPart1.java | 6 ++-- 4 files changed, 50 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/sentry/blob/1fbb0aa4/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java index 0ab636a..6731d1a 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java @@ -149,6 +149,7 @@ public class HiveAuthzBindingHook extends HiveAuthzBindingHookBase { currTab = extractTable((ASTNode)ast.getFirstChildWithType(HiveParser.TOK_TABNAME)); currDB = extractDatabase((ASTNode) ast.getChild(0)); indexURI = extractTableLocation(ast);//As index location is captured using token HiveParser.TOK_TABLELOCATION + isAlterViewAs = isAlterViewAsOperation(ast); break; case HiveParser.TOK_ALTERINDEX_REBUILD: currTab = extractTable((ASTNode)ast.getChild(0)); //type is not TOK_TABNAME @@ -298,6 +299,13 @@ public class HiveAuthzBindingHook extends HiveAuthzBindingHookBase { HiveOperation stmtOperation = context.getHiveOperation(); HiveAuthzPrivileges stmtAuthObject; + // Hive has a bug that changes the operation of the ALTER VIEW AS SELECT to CREATEVIEW. + // isAlterViewAs is validated in the preAnalyze method which looks fo this operation + // in the ASTNode tree. + if (stmtOperation == HiveOperation.CREATEVIEW && isAlterViewAs) { + stmtOperation = HiveOperation.ALTERVIEW_AS; + } + stmtAuthObject = HiveAuthzPrivilegesMap.getHiveAuthzPrivileges(stmtOperation); Subject subject = getCurrentSubject(context); http://git-wip-us.apache.org/repos/asf/sentry/blob/1fbb0aa4/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java index 0973e98..da1956b 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java @@ -112,6 +112,10 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH // require table-level privileges. protected boolean isDescTableBasic = false; + // Flag that specifies if the operation to validate is an ALTER VIEW AS SELECT. + // Note: Hive sends CREATEVIEW even if ALTER VIEW AS SELECT is used. + protected boolean isAlterViewAs = false; + public HiveAuthzBindingHookBase() throws Exception { SessionState session = SessionState.get(); if(session == null) { @@ -407,8 +411,10 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH outputHierarchy.add(entityHierarchy); } // workaround for metadata queries. - // Capture the table name in pre-analyze and include that in the input entity list - if (currTab != null) { + // Capture the table name in pre-analyze and include that in the input entity list. + // The exception is for ALTERVIEW_AS operations which puts the table to read as input and + // the view as output. Having the view as input again will case extra privileges to be given. + if (currTab != null && stmtOperation != HiveOperation.ALTERVIEW_AS) { List<DBModelAuthorizable> externalAuthorizableHierarchy = new ArrayList<DBModelAuthorizable>(); externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer()); externalAuthorizableHierarchy.add(currDB); @@ -898,4 +904,27 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH // Extract the username from the hook context return new Subject(context.getUserName()); } + + /** + * Returns true if the ASTNode tree is an ALTER VIEW AS SELECT operation. + * <p> + * The ASTNode with an ALTER VIEW AS SELECT is formed as follows:* + * Root: TOK_ALTERVIEW + * Child(0): TOK_TABNAME + * Child(1): TOK_QUERY <-- This is the SELECT operation + * + * @param ast The ASTNode that Hive created while parsing the ALTER VIEW operation. + * @return True if it is an ALTER VIEW AS SELECT operation; False otherwise. + */ + protected boolean isAlterViewAsOperation(ASTNode ast) { + if (ast == null || ast.getToken().getType() != HiveParser.TOK_ALTERVIEW) { + return false; + } + + if (ast.getChildCount() <= 1 || ast.getChild(1).getType() != HiveParser.TOK_QUERY) { + return false; + } + + return true; + } } http://git-wip-us.apache.org/repos/asf/sentry/blob/1fbb0aa4/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java index feb77ad..385ca98 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java @@ -194,6 +194,13 @@ public class HiveAuthzPrivilegesMap { setOperationType(HiveOperationType.DDL). build(); + HiveAuthzPrivileges alterViewAsPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder(). + addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALTER)). + addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.SELECT)). + setOperationScope(HiveOperationScope.TABLE). + setOperationType(HiveOperationType.DDL). + build(); + HiveAuthzPrivileges createViewPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder(). addOutputObjectPriviledge(AuthorizableType.Db, EnumSet.of(DBModelAction.CREATE)). addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.SELECT)). @@ -285,7 +292,7 @@ public class HiveAuthzPrivilegesMap { hiveAuthzStmtPrivMap.put(HiveOperation.ALTERPARTITION_MERGEFILES, alterTablePrivilege); hiveAuthzStmtPrivMap.put(HiveOperation.ALTERVIEW_PROPERTIES, alterTablePrivilege); - hiveAuthzStmtPrivMap.put(HiveOperation.ALTERVIEW_AS, createViewPrivilege); + hiveAuthzStmtPrivMap.put(HiveOperation.ALTERVIEW_AS, alterViewAsPrivilege); hiveAuthzStmtPrivMap.put(HiveOperation.ALTERVIEW_RENAME, alterTableRenamePrivilege); // TODO: once HIVE-18762 is in the hiver version integrated with Sentry, uncomment next line // hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_OWNER, alterTableSetOwnerPrivilege); http://git-wip-us.apache.org/repos/asf/sentry/blob/1fbb0aa4/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java index 42971d8..e11a0cf 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java @@ -75,7 +75,7 @@ public class TestOperationsPart1 extends AbstractTestWithStaticConfiguration { privileges.put("all_db1_view1", "server=server1->db=" + DB1 + "->action=all"); privileges.put("drop_db1_view1", "server=server1->db=" + DB1 + "->action=drop"); privileges.put("select_db1_tb2", "server=server1->db=" + DB1 + "->table=tb2->action=select"); - + privileges.put("alter_db1_view1", "server=server1->db=" + DB1 + "->table=view1->action=alter"); } @Before @@ -730,10 +730,10 @@ public class TestOperationsPart1 extends AbstractTestWithStaticConfiguration { policyFile .addPermissionsToRole("select_db1_tb2", privileges.get("select_db1_tb2")) - .addPermissionsToRole("create_db1_view1", privileges.get("create_db1_view1")) + .addPermissionsToRole("alter_db1_view1", privileges.get("alter_db1_view1")) .addPermissionsToRole("drop_db1_view1", privileges.get("drop_db1_view1")) .addPermissionsToRole("create_db1", privileges.get("create_db1")) - .addRolesToGroup(USERGROUP1, "select_db1_tb2", "create_db1_view1", "drop_db1_view1", "create_db1") + .addRolesToGroup(USERGROUP1, "select_db1_tb2", "alter_db1_view1") .addPermissionsToRole("select_db1_view1", privileges.get("select_db1_view1")) .addRolesToGroup(USERGROUP2, "create_db1", "select_db1_view1"); writePolicyFile(policyFile);
