Repository: incubator-sentry Updated Branches: refs/heads/master cee623339 -> 219534765
SENTRY-1095: Insert into requires URI privilege on partition location under table. (Sravya Tirukkovalur, Reviewed by: Hao Hao)
Change-Id: Iddd43e74cadf2badcd3ff3b0c0345a5d8e55eb06
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/21953476
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/21953476
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/21953476
Branch: refs/heads/master
Commit: 219534765e3f285d30d2a8fd40f0914381301288
Parents: cee6233
Author: Sravya Tirukkovalur <sra...@cloudera.com>
Authored: Wed Feb 24 15:32:31 2016 -0800
Committer: Sravya Tirukkovalur <sra...@cloudera.com>
Committed: Wed Feb 24 15:32:31 2016 -0800
----------------------------------------------------------------------
 .../metastore/MetastoreAuthzBinding.java | 21 ++++++++++++-------
 .../e2e/metastore/TestMetastoreEndToEnd.java | 22 ++++++++++++++++++--
 2 files changed, 34 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/21953476/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/MetastoreAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/MetastoreAuthzBinding.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/MetastoreAuthzBinding.java
index b1148d8..cea8e13 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/MetastoreAuthzBinding.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/metastore/MetastoreAuthzBinding.java
@@ -35,6 +35,7 @@ import org.apache.hadoop.hive.metastore.MetaStorePreEventListener;
 import org.apache.hadoop.hive.metastore.api.InvalidOperationException;
 import org.apache.hadoop.hive.metastore.api.MetaException;
 import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
+import org.apache.hadoop.hive.metastore.api.Partition;
 import org.apache.hadoop.hive.metastore.api.StorageDescriptor;
 import org.apache.hadoop.hive.metastore.events.PreAddPartitionEvent;
 import org.apache.hadoop.hive.metastore.events.PreAlterPartitionEvent;
@@ -310,7 +311,7 @@ public class MetastoreAuthzBinding extends MetaStorePreEventListener {
 // non-default, ie something not under the parent table
 String partitionLocation = null;
- if (mapiPart.isSetSd()) {
+ if (mapiPart.isSetSd()) {
 partitionLocation = mapiPart.getSd().getLocation();
 }
 if (!StringUtils.isEmpty(partitionLocation)) {
@@ -325,8 +326,8 @@ public class MetastoreAuthzBinding extends MetaStorePreEventListener {
 } catch (URISyntaxException e) {
 throw new MetaException(e.getMessage());
 }
- if (!partitionLocation.equals(tableLocation) &&
- !partitionLocation.startsWith(tableLocation + File.separator)) {
+ if (!partitionLocation.equals(tableLocation) &&
+ !partitionLocation.startsWith(tableLocation + File.separator)) {
 outputBuilder.addUriToOutput(getAuthServer(), uriPath, warehouseDir);
 }
 }
@@ -348,7 +349,7 @@ public class MetastoreAuthzBinding extends MetaStorePreEventListener {
 }
 private void authorizeAlterPartition(PreAlterPartitionEvent context)
- throws InvalidOperationException, MetaException {
+ throws InvalidOperationException, MetaException, NoSuchObjectException {
 /*
 * There are multiple alter partition options and it's tricky to figure out
 * which is attempted here. Currently all alter partition need full level
@@ -361,15 +362,21 @@ public class MetastoreAuthzBinding extends MetaStorePreEventListener {
 HierarcyBuilder outputBuilder = new HierarcyBuilder().addTableToOutput( getAuthServer(), context.getDbName(), context.getTableName());
- String partitionLocation = getSdLocation(context.getNewPartition().getSd());
+ Partition partition = context.getNewPartition();
+ String partitionLocation = getSdLocation(partition.getSd());
 if (!StringUtils.isEmpty(partitionLocation)) {
+ String tableLocation = context.getHandler().get_table(
+ partition.getDbName(), partition.getTableName()).getSd().getLocation();
+
 String uriPath;
 try {
 uriPath = PathUtils.parseDFSURI(warehouseDir, partitionLocation);
- } catch (URISyntaxException e) {
+ } catch (URISyntaxException e) {
 throw new MetaException(e.getMessage());
 }
- outputBuilder.addUriToOutput(getAuthServer(), uriPath, warehouseDir);
+ if (!partitionLocation.startsWith(tableLocation + File.separator)) {
+ outputBuilder.addUriToOutput(getAuthServer(), uriPath, warehouseDir);
+ }
 }
 authorizeMetastoreAccess( HiveOperation.ALTERPARTITION_LOCATION,
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/21953476/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java
index 0fb29fd..4d4b0fe 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java
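Review bot: The new `startsWith(tableLocation + File.separator)` test in authorizeAlterPartition compares raw location strings, so a new partition location that differs from the table location only in scheme/authority or trailing slash is wrongly made to require a URI privilege, while one that merely begins with the table path but contains `.` or `..` segments is treated as under the table and skips the URI check. Only `partitionLocation` goes through `PathUtils.parseDFSURI`; the table location should be parsed the same way, both sides normalized before the prefix test (confirm whether parseDFSURI collapses dot segments; if not, normalize first), and the separator should be `"/"` rather than the platform-dependent `File.separator`, since these are DFS URIs. The lookup also uses `partition.getDbName()`/`partition.getTableName()` while the output hierarchy two lines above uses `context.getDbName()`/`context.getTableName()`; taking both from `context` keeps the location check bound to the object actually being authorized, and adding the `equals` case matches the add-partition branch. The same raw-string prefix test already exists in the add-partition path (the hunk reindented at @@ -325), which would need the identical treatment.
```java
      String tableLocation = context.getHandler().get_table(
          context.getDbName(), context.getTableName()).getSd().getLocation();

      String uriPath;
      String tableUriPath;
      try {
        uriPath = PathUtils.parseDFSURI(warehouseDir, partitionLocation);
        tableUriPath = PathUtils.parseDFSURI(warehouseDir, tableLocation);
      } catch (URISyntaxException e) {
        throw new MetaException(e.getMessage());
      }
      // Both sides parsed identically; "/" because these are DFS URIs, not local paths.
      // TODO(review): confirm parseDFSURI resolves "." and ".." segments; if not, normalize both first.
      if (!uriPath.equals(tableUriPath) && !uriPath.startsWith(tableUriPath + "/")) {
        outputBuilder.addUriToOutput(getAuthServer(), uriPath, warehouseDir);
      }
      // … unchanged: closing brace and authorizeMetastoreAccess(...) call …
```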
@@ -29,7 +29,6 @@ import java.util.Map;
 import junit.framework.Assert;
-import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
 import org.apache.hadoop.hive.metastore.HiveMetaStoreClient;
 import org.apache.hadoop.hive.metastore.api.FieldSchema;
@@ -562,6 +561,7 @@ public class TestMetastoreEndToEnd extends
 String tabDir1 = hiveServer.getProperty(HiveServerFactory.WAREHOUSE_DIR) + File.separator + newPath1;
+ //URI privilege required when "using location"
 policyFile.addRolesToGroup(USERGROUP1, uri_role).addPermissionsToRole( uri_role, "server=server1->URI=" + tabDir1);
 writePolicyFile(policyFile);
@@ -570,8 +570,9 @@ public class TestMetastoreEndToEnd extends
 execHiveSQL("CREATE TABLE " + dbName + "." + tabName1 + " (id int) PARTITIONED BY (part_col string)", USER1_1);
+ //User with all on table
 execHiveSQL("ALTER TABLE " + dbName + "." + tabName1
- + " ADD PARTITION (part_col ='" + partVal1 + "')", USER1_1);
+ + " ADD PARTITION (part_col ='" + partVal1 + "')", USER2_1);
 verifyPartitionExists(dbName, tabName1, partVal1);
 execHiveSQL("ALTER TABLE " + dbName + "." + tabName1
@@ -590,6 +591,23 @@ public class TestMetastoreEndToEnd extends
 }
+
+ @Test
+ public void testInsertInto() throws Exception {
+ String partVal1 = "part1";
+
+ writePolicyFile(policyFile);
+
+ execHiveSQL("DROP TABLE IF EXISTS " + dbName + "." + tabName1, USER1_1);
+ execHiveSQL("CREATE TABLE " + dbName + "." + tabName1
+ + " (id int) PARTITIONED BY (part_col string)", USER1_1);
+
+ execHiveSQL("INSERT INTO " + dbName + "." + tabName1
+ + " PARTITION(part_col ='" + partVal1 + "') select 1 from " + dbName + "." + tabName1, USER2_1);
+ verifyPartitionExists(dbName, tabName1, partVal1);
+
+ }
+
 private void verifyPartitionExists(String dbName, String tabName, String partVal) throws Exception {
 HiveMetaStoreClient client = context.getMetaStoreClient(ADMIN1);
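Review bot: testInsertInto (the @@ -590 hunk) only exercises the positive path: it asserts that USER2_1 can create a partition through INSERT without a URI privilege, but nothing checks that the privilege is still required when the partition location lies outside the table, so a regression that dropped the URI check entirely would still pass. The privileges USER2_1 holds are not visible in this hunk and presumably come from the policyFile populated elsewhere in the class; a comment such as `// USER2_1 has ALL on the table and no URI privilege; the partition lands under the table dir` above the INSERT would state what the test relies on. The INSERT selects from the table that was just created, so its source is empty and the assertion rests on a static-partition insert creating the partition even with zero rows, which deserves either a comment or a populated source table. The method body also carries a stray blank line before its closing brace.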