Updated Branches: refs/heads/master 5601cdd18 -> 4baffe9b4
SENTRY-78: UDFs can't be referenced in a CTAS when Sentry is enabled for Hive Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/4baffe9b Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/4baffe9b Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/4baffe9b Branch: refs/heads/master Commit: 4baffe9b4182d54a69a7ff7c3765212bb92becd8 Parents: 5601cdd Author: Shreepadma Venugopalan <[email protected]> Authored: Thu Dec 26 15:53:51 2013 -0800 Committer: Shreepadma Venugopalan <[email protected]> Committed: Thu Dec 26 15:53:51 2013 -0800 ---------------------------------------------------------------------- .../apache/sentry/binding/hive/HiveAuthzBindingHook.java | 9 +++++++++ .../tests/e2e/hive/TestPrivilegesAtDatabaseScope.java | 4 ++++ 2 files changed, 13 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/4baffe9b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java ---------------------------------------------------------------------- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java index 7f9560f..0dd28b7 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java @@ -370,6 +370,15 @@ implements HiveDriverFilterHook { } for(ReadEntity readEntity:inputs) { + // If this is a UDF, then check whether its allowed to be executed + // TODO: when we support execute privileges on UDF, this can be removed. + if (isUDF(readEntity)) { + if (isBuiltinUDF(readEntity)) { + checkUDFWhiteList(readEntity.getUDF().getDisplayName()); + } + continue; + } + List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>(); entityHierarchy.add(hiveAuthzBinding.getAuthServer()); entityHierarchy.addAll(getAuthzHierarchyFromEntity(readEntity)); http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/4baffe9b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java ---------------------------------------------------------------------- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java index 82d73e5..8c145ca 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java @@ -107,6 +107,10 @@ public class TestPrivilegesAtDatabaseScope extends AbstractTestWithStaticConfigu statement.execute("CREATE TABLE DB_1.TAB_2(A STRING)"); statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE DB_1.TAB_2"); + // test CTAS can reference UDFs + statement.execute("USE DB_1"); + statement.execute("create table table2 as select A, count(A) from TAB_1 GROUP BY A"); + // test user can switch db statement.execute("USE DB_1"); //test user can create view
