Re: [PR] HIVE-28957: Enhance TestHiveMetaStoreAuthorizer [hive]

Wed, 11 Jun 2025 16:00:59 -0700 


jjiang037 commented on code in PR #5819:
URL: https://github.com/apache/hive/pull/5819#discussion_r2141239290


##########
ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/TestHiveMetaStoreAuthorizer.java:
##########
@@ -112,16 +134,61 @@ public void setUp() throws Exception {
     } catch (Exception e) {
       // NoSuchObjectException will be ignored if the step objects are not 
there
     }
+    // Reset the mock for each test
+    mockHiveAuthorizer = Mockito.mock(HiveAuthorizer.class);
+    configureMockAuthorizer();
+  }
+
+  /**
+   * Configures the mock authorizer to check permissions based on username
+   */
+  private static void configureMockAuthorizer() throws 
HiveAuthzPluginException, HiveAccessControlException {
+    doAnswer(invocation -> {
+      HiveOperationType opType = invocation.getArgument(0);
+      String user;
+      try {
+        user = UserGroupInformation.getLoginUser().getShortUserName();
+      } catch (Exception e) {
+        throw new HiveAuthzPluginException("Unable to get 
UserGroupInformation");
+      }
+
+      if (!allowedUsers.contains(user) && !user.equals(superUser)) {
+        throw new HiveAuthzPluginException("Operation type " + opType + " not 
allowed for user:" + user);
+      }
+      return null;
+    }).when(mockHiveAuthorizer).checkPrivileges(any(HiveOperationType.class), 
any(), any(), any(HiveAuthzContext.class));
+  }
+
+  /**
+   * Factory class that provides MockHiveAuthorizer instance
+   */
+  public static class MockHiveAuthorizerFactory implements 
HiveAuthorizerFactory {
+    @Override
+    public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory 
metastoreClientFactory, HiveConf conf, HiveAuthenticationProvider 
hiveAuthenticator, HiveAuthzSessionContext ctx) {
+      return mockHiveAuthorizer;
+    }
+  }
+
+  /**
+   * Captures and returns the privilege objects passed to the authorizer
+   */
+  private Pair<List<HivePrivilegeObject>, List<HivePrivilegeObject>> 
getHivePrivilegeObjectsFromLastCall() throws HiveAuthzPluginException, 
HiveAccessControlException {
+    @SuppressWarnings("unchecked") Class<List<HivePrivilegeObject>> 
class_listPrivObjects = (Class) List.class;
+    ArgumentCaptor<List<HivePrivilegeObject>> inputsCapturer = 
ArgumentCaptor.forClass(class_listPrivObjects);
+    ArgumentCaptor<List<HivePrivilegeObject>> outputsCapturer = 
ArgumentCaptor.forClass(class_listPrivObjects);
+
+    verify(mockHiveAuthorizer).checkPrivileges(any(HiveOperationType.class), 
inputsCapturer.capture(), outputsCapturer.capture(), 
any(HiveAuthzContext.class));
+
+    return new ImmutablePair<>(inputsCapturer.getValue(), 
outputsCapturer.getValue());
   }
 
   @Test
   public void testA_CreateDatabase_unAuthorizedUser() throws Exception {
     
UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(unAuthorizedUser));
     try {
-      Database db = new DatabaseBuilder()
-          .setName(dbName)
-          .build(conf);
+      Database db = new DatabaseBuilder().setName(dbName).build(conf);
       hmsHandler.create_database(db);
+      fail("Expected authorization exception for unauthorized user");

Review Comment:
   Fix in the latest commit: 
https://github.com/apache/hive/pull/5819/commits/acbe766ca689086ad447ab4f44bd363058dd7495
   



##########
ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/MockMetaStoreFilterHook.java:
##########
@@ -0,0 +1,190 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.metastore;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.metastore.MetaStoreFilterHook;
+import org.apache.hadoop.hive.metastore.api.Database;
+import org.apache.hadoop.hive.metastore.api.MetaException;
+import org.apache.hadoop.hive.metastore.api.NoSuchObjectException;
+import org.apache.hadoop.hive.metastore.api.Partition;
+import org.apache.hadoop.hive.metastore.api.PartitionSpec;
+import org.apache.hadoop.hive.metastore.api.Table;
+import org.apache.hadoop.hive.metastore.api.TableMeta;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+/**
+ * Mock implementation of MetaStoreFilterHook that filters based on ownership.
+ */
+public class MockMetaStoreFilterHook implements MetaStoreFilterHook {
+
+  private static final Logger LOG = 
LoggerFactory.getLogger(MockMetaStoreFilterHook.class);
+  private static final String AUTHORIZED_OWNER = 
TestHiveMetaStoreAuthorizer.authorizedUser;
+
+  public MockMetaStoreFilterHook(Configuration conf) {
+    LOG.info("Initialized MockMetaStoreFilterHook with authorized owner: " + 
AUTHORIZED_OWNER);
+  }
+
+  @Override
+  public List<String> filterDatabases(List<String> dbList) throws 
MetaException {
+    LOG.debug("filterDatabases: Original list size: {}", dbList != null ? 
dbList.size() : 0);
+    return dbList;
+  }
+
+  @Override
+  public Database filterDatabase(Database dataBase) throws MetaException, 
NoSuchObjectException {
+    if (dataBase == null) {
+      LOG.debug("filterDatabase: Database is null");
+      return null;
+    }
+
+    String dbName = dataBase.getName();
+    String ownerName = dataBase.getOwnerName();
+
+    if (!AUTHORIZED_OWNER.equals(ownerName)) {
+      LOG.info("filterDatabase: Filtering out database '{}' - owner '{}' is 
not authorized", dbName, ownerName);
+      return null;
+    }
+
+    LOG.debug("filterDatabase: Allowed access to database '{}' for owner 
'{}'", dbName, ownerName);
+    return dataBase;
+  }
+
+  @Override
+  public List<String> filterTableNames(String catName, String dbName, 
List<String> tableList) throws MetaException {
+    LOG.debug("filterTableNames: Returning all tables for {}.{}, count: {}", 
catName, dbName, tableList != null ? tableList.size() : 0);
+    return tableList;
+  }
+
+  @Override
+  public List<TableMeta> filterTableMetas(String catName, String dbName, 
List<TableMeta> tableMetas) throws MetaException {
+    if (tableMetas == null) {
+      LOG.debug("filterTableMetas: Table metas list is null");
+      return null;
+    }
+
+    LOG.info("filterTableMetas: Filtering {} table metas for {}.{}", 
tableMetas.size(), catName, dbName);
+
+    List<TableMeta> filtered = tableMetas.stream()
+        .filter(tm -> {
+          boolean authorized = AUTHORIZED_OWNER.equals(tm.getOwnerName());
+          if (!authorized) {
+            LOG.debug("Filtering out table meta '{}' - owner '{}' is not 
authorized", tm.getTableName(), tm.getOwnerName());
+          }
+          return authorized;
+        })
+        .collect(Collectors.toList());
+
+    LOG.info("filterTableMetas: Filtered result contains {} table metas", 
filtered.size());
+    return filtered;
+  }
+
+  @Override
+  public List<TableMeta> filterTableMetas(List<TableMeta> tableMetas) throws 
MetaException {
+    if (tableMetas == null) {
+      return null;
+    }
+
+    LOG.info("filterTableMetas: Filtering {} table metas", tableMetas.size());
+
+    return tableMetas.stream()
+        .filter(tm -> {
+          return AUTHORIZED_OWNER.equals(tm.getOwnerName());
+        })
+        .collect(Collectors.toList());
+  }
+
+  @Override
+  public Table filterTable(Table table) throws MetaException, 
NoSuchObjectException {
+    if (table == null) {
+      LOG.debug("filterTable: Table is null");
+      return null;
+    }
+
+    String tableName = table.getTableName();
+    String owner = table.getOwner();
+
+    if (!AUTHORIZED_OWNER.equals(owner)) {
+      LOG.info("filterTable: Filtering out table '{}' - owner '{}' is not 
authorized", tableName, owner);
+      return null;
+    }
+
+    LOG.debug("filterTable: Allowed access to table '{}' for owner '{}'", 
tableName, owner);
+    return table;
+  }
+
+  @Override
+  public List<Table> filterTables(List<Table> tableList) throws MetaException {
+    if (tableList == null) {
+      LOG.debug("filterTables: Table list is null");
+      return null;
+    }
+
+    LOG.info("filterTables: Filtering {} tables", tableList.size());
+
+    List<Table> filtered = tableList.stream()
+        .filter(t -> {
+          boolean authorized = AUTHORIZED_OWNER.equals(t.getOwner());
+          if (!authorized) {
+            LOG.debug("Filtering out table '{}' - owner '{}' is not 
authorized", t.getTableName(), t.getOwner());
+          }
+          return authorized;
+        })
+        .collect(Collectors.toList());
+
+    LOG.info("filterTables: Filtered result contains " + filtered.size() + " 
tables");
+    return filtered;
+  }
+
+  @Override
+  public List<Partition> filterPartitions(List<Partition> partitionList) 
throws MetaException {
+    LOG.debug("filterPartitions: Returning all partitions, count: {}", 
partitionList != null ? partitionList.size() : 0);
+    return partitionList;
+  }
+
+  @Override
+  public List<PartitionSpec> filterPartitionSpecs(List<PartitionSpec> 
partitionSpecList) throws MetaException {
+    LOG.debug("filterPartitionSpecs: Returning all partition specs, count: 
{}", partitionSpecList != null ? partitionSpecList.size() : 0);
+    return partitionSpecList;
+  }
+
+  @Override
+  public Partition filterPartition(Partition partition) throws MetaException, 
NoSuchObjectException {
+    if (partition != null) {
+      LOG.debug("filterPartition: Returning partition for table: {}", 
partition.getTableName());
+    }
+    return partition;
+  }
+
+  @Override
+  public List<String> filterPartitionNames(String catName, String dbName, 
String tblName, List<String> partitionNames) throws MetaException {
+    LOG.debug("filterPartitionNames: Returning all partition names for 
{}.{}.{}, count: {}", catName, dbName, tblName, partitionNames != null ? 
partitionNames.size() : 0);
+    return partitionNames;
+  }
+
+  @Override
+  public List<String> filterDataConnectors(List<String> dcList) throws 
MetaException {
+    LOG.debug("filterDataConnectors: Returning all data connectors, count: 
{}", dcList != null ? dcList.size() : 0);
+    return dcList;
+  }
+}

Review Comment:
   Fix in the latest commit: 
https://github.com/apache/hive/commit/acbe766ca689086ad447ab4f44bd363058dd7495



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For additional commands, e-mail: gitbox-h...@hive.apache.org

Reply via email to