Repository: incubator-sentry Updated Branches: refs/heads/master 6ab2a681e -> 5c5b87ce1
SENTRY-363: CTAS from view is requiring select on underlying table (Sravya Tirukkovalur via Jarek Jarcec Cecho) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/5c5b87ce Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/5c5b87ce Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/5c5b87ce Branch: refs/heads/master Commit: 5c5b87ce12988f5d8e16d148b23fd6d641c54a24 Parents: 6ab2a68 Author: Jarek Jarcec Cecho <[email protected]> Authored: Sat Jul 26 07:42:54 2014 -0700 Committer: Jarek Jarcec Cecho <[email protected]> Committed: Sat Jul 26 07:43:41 2014 -0700 ---------------------------------------------------------------------- .../binding/hive/HiveAuthzBindingHook.java | 6 ++++- .../sentry/tests/e2e/hive/TestOperations.java | 28 +++++++++++++++++--- 2 files changed, 30 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c5b87ce/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java ----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 44c0d20..98820e1 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -396,7 +396,11 @@ implements HiveDriverFilterHook {
 outputHierarchy.add(dbHierarchy);
 for(ReadEntity readEntity:inputs) {
- // If this is a UDF, then check whether its allowed to be executed
+ // skip the tables/view that are part of expanded view definition.
+ if (isChildTabForView(readEntity)) {
+ continue;
+ }
+ // If this is a UDF, then check whether its allowed to be executed
 // TODO: when we support execute privileges on UDF, this can be removed.
 if (isUDF(readEntity)) {
 if (isBuiltinUDF(readEntity)) {
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/5c5b87ce/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java ----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
index ae6b33d..5db8546 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
@@ -49,6 +49,7 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
 privileges.put("select_db1_tb1", "server=server1->db=db1->table=tb1->action=select");
 privileges.put("insert_db1_tb1", "server=server1->db=db1->table=tb1->action=insert");
 privileges.put("insert_db2_tb2", "server=server1->db=db2->table=tb2->action=insert");
+ privileges.put("select_db1_view1", "server=server1->db=db1->table=view1->action=select");
 }
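Review bot: The new `continue` in the HiveAuthzBindingHook input loop exempts a read entity from every check below it, yet the comment above it does not say why that is safe. Presumably the view that pulled the table in has its own ReadEntity in `inputs` and is still authorized there, but nothing in this hunk shows that, and `isChildTabForView` is defined outside it. I would state the invariant on the skip, e.g. `// Tables reached only through view expansion are authorized via the view's own entry in inputs; a table the query names directly must not match here.` It is also worth confirming in the helper that an entity is skipped only when every one of its parents is a view that this loop goes on to check. The loop body continues past the end of the hunk.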
@@ -607,16 +608,37 @@ public class TestOperations extends AbstractTestWithStaticConfiguration { adminCreate(dbName, tableName); adminCreate("db2", null); + Connection connection = context.createConnection(ADMIN1); + Statement statement = context.createStatement(connection); + statement.execute("Use db1"); + statement.execute("create view view1 as select a from db1.tb1"); + statement.close(); + connection.close(); + policyFile .addPermissionsToRole("select_db1_tb1", privileges.get("select_db1_tb1")) + .addPermissionsToRole("select_db1_view1", privileges.get("select_db1_view1")) .addPermissionsToRole("all_db2", privileges.get("all_db2")) - .addRolesToGroup(USERGROUP1, "select_db1_tb1", "all_db2"); + .addRolesToGroup(USERGROUP1, "select_db1_tb1", "all_db2") + .addRolesToGroup(USERGROUP2, "select_db1_view1", "all_db2"); writePolicyFile(policyFile); - Connection connection = context.createConnection(USER1_1); - Statement statement = context.createStatement(connection); + connection = context.createConnection(USER1_1); + statement = context.createStatement(connection); statement.execute("Use db2"); statement.execute("create table tb2 as select a from db1.tb1" ); + context.assertSentrySemanticException(statement, "create table tb3 as select a from db1.view1", + semanticException); + statement.close(); + connection.close(); + + connection = context.createConnection(USER2_1); + statement = context.createStatement(connection); + statement.execute("Use db2"); + statement.execute("create table tb3 as select a from db1.view1" ); + context.assertSentrySemanticException(statement, "create table tb4 as select a from db1.tb1", + semanticException); + statement.close(); connection.close(); }
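Review bot: The test never runs a CTAS as USER2_1 that reads `db1.view1` and names `db1.tb1` directly in the same query, which is the case where the new view-expansion skip could hide a missing table privilege. The two negative assertions cover each object on its own, so a regression that treats a directly named table as a view child would still pass. I would add one more denial check in the USER2_1 block, for example `context.assertSentrySemanticException(statement, "create table tb5 as select v.a from db1.view1 v join db1.tb1 t on (v.a = t.a)", semanticException);`. Separately, the three connection/statement pairs are closed only on the success path; a try/finally would keep a failed assertion from leaking them into later tests. The test method starts above the hunk.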
