Repository: incubator-sentry Updated Branches: refs/heads/master fa5f81c77 -> 1e5826f85
SENTRY-423: Hive command "SHOW TABLE EXTENDED LIKE... " failed with NPE (Chaoyu Tang via Prasad Mujumdar) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/1e5826f8 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/1e5826f8 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/1e5826f8 Branch: refs/heads/master Commit: 1e5826f85601319a2ef9c4bdab999ff1db697668 Parents: fa5f81c Author: Prasad Mujumdar <[email protected]> Authored: Thu Sep 18 22:48:56 2014 -0700 Committer: Prasad Mujumdar <[email protected]> Committed: Thu Sep 18 22:48:56 2014 -0700 ---------------------------------------------------------------------- .../binding/hive/HiveAuthzBindingHook.java | 15 ++++- .../sentry/tests/e2e/hive/TestOperations.java | 7 +++ .../e2e/hive/TestRuntimeMetadataRetrieval.java | 62 ++++++++++++++++++++ 3 files changed, 83 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1e5826f8/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java ----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 6a00dc9..0546e6a 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -151,7 +151,6 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook {
 break;
 case HiveParser.TOK_DROPTABLE:
 case HiveParser.TOK_DROPVIEW:
- case HiveParser.TOK_SHOW_TABLESTATUS:
 case HiveParser.TOK_SHOW_CREATETABLE:
 case HiveParser.TOK_ALTERTABLE_SERIALIZER:
 case HiveParser.TOK_ALTERVIEW_ADDPARTS:
@@ -166,6 +165,20 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook {
 case HiveParser.TOK_ALTERINDEX_REBUILD:
 currTab = extractTable((ASTNode)ast.getChild(0)); //type is not TOK_TABNAME
 currDB = extractDatabase((ASTNode) ast.getChild(0));
+ case HiveParser.TOK_SHOW_TABLESTATUS:
+ currDB = extractDatabase((ASTNode)ast.getChild(0));
+ int children = ast.getChildCount();
+ for (int i = 1; i < children; i++) {
+ ASTNode child = (ASTNode) ast.getChild(i);
+ if (child.getToken().getType() == HiveParser.Identifier) {
+ currDB = new Database(child.getText());
+ break;
+ }
+ }
+ //loosing the requested privileges for possible wildcard tables, since
+ //further authorization will be done at the filter step and those unwanted will
+ //eventually be filtered out from the output
+ currTab = Table.ALL;
 break;
 case HiveParser.TOK_ALTERTABLE_RENAME:
 case HiveParser.TOK_ALTERTABLE_PROPERTIES:
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1e5826f8/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java ----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
index c59b2db..89d7b2a 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
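Review bot: In HiveAuthzBindingHook.java the added `case HiveParser.TOK_SHOW_TABLESTATUS:` sits between `currDB = extractDatabase((ASTNode) ast.getChild(0));` and the `break;` that previously closed the group ending in `TOK_ALTERINDEX_REBUILD`, so that group now falls through into the new body. Every statement type in that group (judging by the first hunk it appears to include TOK_DROPTABLE, TOK_DROPVIEW and TOK_SHOW_CREATETABLE) would then have `currTab` overwritten with `Table.ALL`, which the added comment describes as a deliberate loosening meant only for SHOW TABLE EXTENDED, and may have `currDB` replaced by the Identifier scan. Add `break;` on its own line directly before the new case label, and add a negative test showing that a user without privileges on a table is still refused DROP TABLE on it. The enclosing switch starts and ends outside both hunks.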
@@ -326,6 +326,7 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
 6. Describe tb1 : HiveOperation.DESCTABLE5.
 7. HiveOperation.SHOWPARTITIONS
 8. TODO: show functions?
+ 9. HiveOperation.SHOW_TABLESTATUS
 */
 @Test
 public void testSelectOnTable() throws Exception {
@@ -347,6 +348,7 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
 statement.executeQuery("SHOW indexes on tb1");
 statement.executeQuery("SHOW COLUMNS from tb1");
 statement.executeQuery("SHOW functions '.*'");
+ statement.executeQuery("SHOW TABLE EXTENDED IN " + DB1 + " LIKE 'tb*'");
 statement.executeQuery("DESCRIBE tb1");
 statement.executeQuery("DESCRIBE tb1 PARTITION (b=1)");
@@ -355,6 +357,7 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
 connection.close();
 //Negative case
+ adminCreate(DB2, tableName);
 policyFile
 .addPermissionsToRole("insert_db1_tb1", privileges.get("insert_db1_tb1"))
 .addRolesToGroup(USERGROUP3, "insert_db1_tb1");
@@ -363,6 +366,8 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
 statement = context.createStatement(connection);
 statement.execute("Use " + DB1);
 context.assertSentrySemanticException(statement, "select * from tb1", semanticException);
+ context.assertSentrySemanticException(statement,
+ "SHOW TABLE EXTENDED IN " + DB2 + " LIKE 'tb*'", semanticException);
 statement.close();
 connection.close();
@@ -379,6 +384,7 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
 6. HiveOperation.SHOWPARTITIONS
 7. TODO: show functions?
 8. TODO: lock, unlock, Show locks
+ 9. HiveOperation.SHOW_TABLESTATUS
 */
 @Test
 public void testInsertOnTable() throws Exception {
@@ -401,6 +407,7 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
 statement.executeQuery("SHOW COLUMNS from tb1");
 statement.executeQuery("SHOW functions '.*'");
 //statement.executeQuery("SHOW LOCKS tb1");
+ statement.executeQuery("SHOW TABLE EXTENDED IN " + DB1 + " LIKE 'tb*'");
 //NoViableAltException
 //statement.executeQuery("SHOW transactions");
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1e5826f8/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java ----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java
index 4eb1fdf..e103465 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java
@@ -251,6 +251,52 @@ public class TestRuntimeMetadataRetrieval extends AbstractTestWithStaticConfigur } /** + * Steps: 1. admin create db_1 and tb_1, tb_2, tb_3, tb_4 and table_5 + * 2. admin should see all tables except table_5 which does not match tb* + * 3. user1 should only see the matched tables it has any level of privilege + */ + @Test + public void testShowTablesExtended() throws Exception { + // tables visible to user1 (not access to tb_4 + String tableNames[] = {"tb_1", "tb_2", "tb_3", "tb_4", "table_5"}; + List<String> tableNamesValidation = new ArrayList<String>(); + + policyFile + .addRolesToGroup(USERGROUP1, "tab1_priv,tab2_priv,tab3_priv") + .addPermissionsToRole("tab1_priv", "server=server1->db=" + DB1 + "->table=" + + tableNames[0] + "->action=select") + .addPermissionsToRole("tab2_priv", "server=server1->db=" + DB1 + "->table=" + + tableNames[1] + "->action=insert") + .addPermissionsToRole("tab3_priv", "server=server1->db=" + DB1 + "->table=" + + tableNames[2] + "->action=select") + .setUserGroupMapping(StaticUserGroup.getStaticMapping()); + writePolicyFile(policyFile); + + String user1TableNames[] = {"tb_1", "tb_2", "tb_3"}; + + Connection connection = context.createConnection(ADMIN1); + Statement statement = context.createStatement(connection); + statement.execute("DROP DATABASE IF EXISTS " + DB1 + " CASCADE"); + statement.execute("CREATE DATABASE " + DB1); + statement.execute("USE " + DB1); + createTabs(statement, DB1, tableNames); + // Admin should see all tables except table_5, the one does not match the pattern + ResultSet rs = statement.executeQuery("SHOW TABLE EXTENDED IN " + DB1 + " LIKE 'tb*'"); + tableNamesValidation.addAll(Arrays.asList(tableNames).subList(0, 4)); + validateTablesInRs(rs, DB1, tableNamesValidation); + statement.close(); + + connection = context.createConnection(USER1_1); + statement = context.createStatement(connection); + statement.execute("USE " + DB1); + // User1 should see tables with any level of access + rs = 
statement.executeQuery("SHOW TABLE EXTENDED IN " + DB1 + " LIKE 'tb*'"); + tableNamesValidation.addAll(Arrays.asList(user1TableNames)); + validateTablesInRs(rs, DB1, tableNamesValidation); + statement.close(); + } + + /** * Steps: 1. admin create few dbs * 2. admin can do show databases * 3. users with db level permissions should only those dbs on 'show database' @@ -359,4 +405,20 @@ public class TestRuntimeMetadataRetrieval extends AbstractTestWithStaticConfigur Assert.assertTrue(tableNames.toString(), tableNames.isEmpty()); rs.close(); } + + // compare the tables in resultset with given array of table names + // for some hive query like 'show table extended ...', the resultset does + // not only contains tableName (See HIVE-8109) + private void validateTablesInRs(ResultSet rs, String dbName, + List<String> tableNames) throws SQLException { + while (rs.next()) { + String tableName = rs.getString(1); + if (tableName.startsWith("tableName:")) { + Assert.assertTrue("Expected table " + tableName.substring(10), + tableNames.remove(tableName.substring(10).toLowerCase())); + } + } + Assert.assertTrue(tableNames.toString(), tableNames.isEmpty()); + rs.close(); + } }
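Review bot: `testShowTablesExtended` never closes either connection: the admin `connection` is overwritten by `context.createConnection(USER1_1)` after only `statement.close()`, and the user1 connection is still open when the test returns. Add `connection.close();` after each `statement.close();`, as the TestOperations tests touched by this commit do. The comment `// tables visible to user1 (not access to tb_4` is also missing its closing parenthesis and sits above the full `tableNames` array rather than `user1TableNames`, which is the list it describes.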
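Review bot: The failure message in `validateTablesInRs` reads backwards for the case this helper exists to catch: `tableNames.remove(...)` returns false when the result set contains a table that is not in the expected list, which for user1 means a table the filter should have hidden, yet the message says `"Expected table "`. Wording such as `"Unexpected table in result set: " + tableName.substring(10)` would make an authorization leak obvious in the test log. `rs.close()` is skipped whenever an assertion fails, and the `dbName` parameter is not used in the lines shown, so either drop it or document why it is kept.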
