Repository: incubator-sentry Updated Branches: refs/heads/master 2982e3d1c -> 977d69f22
SENTRY-472: Hive binding should validate URI privileges on permenant function resource URI( Prasad Mujumdar via Sravya Tirukkovalur)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/977d69f2
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/977d69f2
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/977d69f2
Branch: refs/heads/master
Commit: 977d69f2263ba6d8c6866fc07153485ab62cc54e
Parents: 2982e3d
Author: Sravya Tirukkovalur <[email protected]>
Authored: Mon Sep 29 17:11:27 2014 +0530
Committer: Sravya Tirukkovalur <[email protected]>
Committed: Mon Sep 29 17:11:27 2014 +0530
----------------------------------------------------------------------
 .../binding/hive/HiveAuthzBindingHook.java | 6 +++
 .../hive/authz/HiveAuthzPrivilegesMap.java | 1 +
 .../e2e/hive/TestPrivilegesAtFunctionScope.java | 52 ++++++++++++++++++--
 3 files changed, 54 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/977d69f2/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index f872ea2..f94ae7c 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -504,6 +504,12 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook {
         udfUriHierarchy.add(hiveAuthzBinding.getAuthServer());
         udfUriHierarchy.add(udfURI);
         inputHierarchy.add(udfUriHierarchy);
+        for (WriteEntity writeEntity : outputs) {
+          List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>();
+          entityHierarchy.add(hiveAuthzBinding.getAuthServer());
+          entityHierarchy.addAll(getAuthzHierarchyFromEntity(writeEntity));
+          outputHierarchy.add(entityHierarchy);
+        }
       }
       outputHierarchy.add(connectHierarchy);
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/977d69f2/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index 2f97e30..cc236f4 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
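Review bot: The new loop authorizes every WriteEntity in `outputs`, but nothing in the hunk records why function DDL needs an output-side check, and the enclosing method starts and ends outside the hunk. A short comment above the `for` would help the next reader, e.g. `// CREATE/DROP FUNCTION: Hive reports the target database (and, per SENTRY-472, resource URIs) as WriteEntities, so they are authorized on the output side too`. Whether a `USING FILE`/`JAR` resource URI actually reaches `outputs` is up to Hive; the user2 negative case in TestPrivilegesAtFunctionScope is disabled pending HIVE-8266, so until that lands this loop's URI check is exercised only by the positive path. If `getAuthzHierarchyFromEntity` can return an empty list for an entity type it does not model, the added entry would contain only the server, and it may be cleaner to skip such entries explicitly than to hand a server-only hierarchy to the privilege check.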
@@ -172,6 +172,7 @@ public class HiveAuthzPrivilegesMap {
             DBModelAction.ALTER, DBModelAction.CREATE, DBModelAction.DROP,
             DBModelAction.DROP, DBModelAction.INDEX, DBModelAction.LOCK)).
         addInputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)). //TODO: make them ||
+        addOutputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)).
         setOperationScope(HiveOperationScope.CONNECT).
         setOperationType(HiveOperationType.QUERY).
         build();
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/977d69f2/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
index f1f64e6..8325a5c 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
@@ -17,7 +17,6 @@ printf_test_3 * Licensed to the Apache Software Foundation (ASF) under one or mo
 package org.apache.sentry.tests.e2e.hive;
-import org.apache.sentry.provider.file.PolicyFile;
 import static org.junit.Assert.assertFalse;
 import java.io.File;
@@ -27,6 +26,7 @@ import java.sql.Connection;
 import java.sql.SQLException;
 import java.sql.Statement;
+import org.apache.sentry.provider.file.PolicyFile;
 import org.junit.Before;
 import org.junit.Test;
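Review bot: The new `addOutputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL))` line carries no explanation, while the input line directly above it still ends in `//TODO: make them ||`; if that TODO also applies to the output requirement, move it onto its own line above both entries so it is not read as belonging to the input entry alone. A one-line comment such as `// resource URIs named in CREATE FUNCTION ... USING are checked on the output side (see HiveAuthzBindingHook)` would tie this to the hook change in the same commit. Separately, the context line above lists `DBModelAction.DROP` twice in the Db input set; it is pre-existing and harmless with `EnumSet.of`, but could be dropped in passing. The builder chain starts outside the hunk.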
@@ -79,12 +79,13 @@ public class TestPrivilegesAtFunctionScope extends AbstractTestWithStaticConfigu
     context.close();
     policyFile
-        .addRolesToGroup(USERGROUP1, "db1_all", "UDF_JAR")
+        .addRolesToGroup(USERGROUP1, "db1_all", "UDF_JAR", "data_read")
         .addRolesToGroup(USERGROUP2, "db1_tab1", "UDF_JAR")
         .addRolesToGroup(USERGROUP3, "db1_tab1")
         .addPermissionsToRole("db1_all", "server=server1->db=" + DB1)
         .addPermissionsToRole("db1_tab1", "server=server1->db=" + DB1 + "->table=" + tableName1)
-        .addPermissionsToRole("UDF_JAR", "server=server1->uri=file://" + udfLocation);
+        .addPermissionsToRole("UDF_JAR", "server=server1->uri=file://" + udfLocation)
+        .addPermissionsToRole("data_read", "server=server1->URI=file://" + dataFile.getPath());
     writePolicyFile(policyFile);
     // user1 should be able create/drop temp functions
@@ -95,6 +96,18 @@ public class TestPrivilegesAtFunctionScope extends AbstractTestWithStaticConfigu
         "CREATE TEMPORARY FUNCTION printf_test AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
     statement.execute("SELECT printf_test(value) FROM " + tableName1);
     statement.execute("DROP TEMPORARY FUNCTION printf_test");
+
+    statement.execute(
+        "CREATE FUNCTION printf_test_perm AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf' ");
+    statement.execute("SELECT printf_test_perm(value) FROM " + tableName1);
+    statement.execute("DROP FUNCTION printf_test_perm");
+
+    // test perm UDF with 'using file' syntax
+    statement
+        .execute("CREATE FUNCTION printf_test_perm AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf' " + " using file '" + "file://" + dataFile.getPath() + "'");
+    statement.execute("DROP FUNCTION printf_test_perm");
+
     context.close();
     // user2 has select privilege on one of the tables in db1, should be able create/drop temp functions
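Review bot: The new policy line spells the key as `URI` (`"server=server1->URI=file://" + dataFile.getPath()`) while the `UDF_JAR` line directly above uses `uri`; the test presumably passes because the policy parser is case-insensitive, but one spelling avoids a reader wondering whether the two grants are matched differently. Suggest `.addPermissionsToRole("data_read", "server=server1->uri=file://" + dataFile.getPath());`. The role name `data_read` also reads like a table grant although it is a URI grant on the data file; a name such as `data_file_uri` would make the intent of the new `using file` case visible from the policy alone.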
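Review bot: The `using file` case only asserts that `CREATE FUNCTION` succeeds and then drops the function; unlike the `printf_test_perm` case just above it, it never runs the function, so a regression that registers the function but cannot resolve the resource would go unnoticed. Adding `statement.execute("SELECT printf_test_perm(value) FROM " + tableName1);` before the second `DROP FUNCTION printf_test_perm` would make this positive path as strong as the first. The literal `"... GenericUDFPrintf' "` ends in a trailing space inside the SQL string; harmless, but worth trimming for consistency with the other statements. The test method continues outside the hunk.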
@@ -104,20 +117,49 @@ public class TestPrivilegesAtFunctionScope extends AbstractTestWithStaticConfigu
     statement.execute(
         "CREATE TEMPORARY FUNCTION printf_test_2 AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
     statement.execute("SELECT printf_test_2(value) FROM " + tableName1);
-    statement.execute("DROP TEMPORARY FUNCTION printf_test");
+    statement.execute("DROP TEMPORARY FUNCTION printf_test_2");
+
+    statement.execute(
+        "CREATE FUNCTION " + DB1 + ".printf_test_2_perm AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
+    statement.execute("SELECT printf_test_2_perm(value) FROM " + tableName1);
+    statement.execute("DROP FUNCTION printf_test_2_perm");
+
+    /*** Disabled till HIVE-8266 is addressed
+    // USER2 doesn't have URI perm on dataFile
+    try {
+      statement
+          .execute("CREATE FUNCTION " + DB1 + ".printf_test_2_perm AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'" + " using file '" + "file://" + dataFile.getPath() + "'");
+      assertFalse("CREATE TEMPORARY FUNCTION should fail for user3", true);
+    } catch (SQLException e) {
+      context.verifyAuthzException(e);
+    }
+    ***/
+
     context.close();
     // user3 shouldn't be able to create/drop temp functions since it doesn't have permission for jar
     connection = context.createConnection(USER3_1);
     statement = context.createStatement(connection);
+    statement.execute("USE " + DB1);
     try {
-      statement.execute("USE " + DB1);
       statement.execute(
           "CREATE TEMPORARY FUNCTION printf_test_bad AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
       assertFalse("CREATE TEMPORARY FUNCTION should fail for user3", true);
     } catch (SQLException e) {
       context.verifyAuthzException(e);
     }
+
+    try {
+      statement.execute(
+          "CREATE FUNCTION printf_test_perm_bad AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
+      assertFalse("CREATE FUNCTION should fail for user3", true);
+    } catch (SQLException e) {
+      context.verifyAuthzException(e);
+    }
+
     context.close();
     // user4 (not part of any group )
shouldn't be able to create/drop temp functions
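Review bot: The assertion message inside the disabled `/*** ... ***/` block reads `"CREATE TEMPORARY FUNCTION should fail for user3"`, but the statement under test there is a permanent `CREATE FUNCTION ... using file` issued as USER2; when the block is re-enabled after HIVE-8266 the message will point at the wrong user and statement, so change it now to `"CREATE FUNCTION with resource URI should fail for user2"`. The `assertFalse("...", true)` idiom in the new try blocks is a roundabout `fail("...")`; `fail` would need a static import of `org.junit.Assert.fail`, which the imports hunk does not show. Commented-out test code tends to rot; a `// TODO(HIVE-8266): re-enable` marker on the block, or moving it to its own test method annotated `@Ignore` with the JIRA in the reason, keeps it discoverable. The test method continues outside the hunk.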
