sentry git commit: SENTRY-2226: Support Hive operation ALTER TABLE EXCHANGE. (Na Li, reviewed by Sergio Pena, Kalyan Kumar Kalvagadda)
Repository: sentry Updated Branches: refs/heads/branch-2.0 d77edb505 -> b72d4fb22 SENTRY-2226: Support Hive operation ALTER TABLE EXCHANGE. (Na Li, reviewed by Sergio Pena, Kalyan Kumar Kalvagadda) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/b72d4fb2 Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/b72d4fb2 Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/b72d4fb2 Branch: refs/heads/branch-2.0 Commit: b72d4fb226114900abae99dfab5a5bc28d2892b8 Parents: d77edb5 Author: lina.li Authored: Fri May 11 11:17:09 2018 -0500 Committer: Sergio Pena Committed: Thu May 17 13:58:13 2018 -0500 -- .../hive/authz/HiveAuthzPrivilegesMap.java | 12 ++ .../TestDbColumnLevelMetaDataOps.java | 124 +++ 2 files changed, 136 insertions(+) -- http://git-wip-us.apache.org/repos/asf/sentry/blob/b72d4fb2/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java -- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java index ffa193f..4f932ea 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java @@ -112,6 +112,16 @@ public class HiveAuthzPrivilegesMap { setOperationType(HiveOperationType.DDL). build(); +// input required privilege from Hive: SELECT on column level and DELETE on table level +// output required privilege from Hive: INSERT on table level +// Sentry makes it more restrictive, and requires ALL at input, INSERT and ALTER at output +HiveAuthzPrivileges alterTableExchangePrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder(). +addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALL)). +addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INSERT, DBModelAction.ALTER)). +setOperationScope(HiveOperationScope.TABLE). +setOperationType(HiveOperationType.DDL). +build(); + HiveAuthzPrivileges alterPartPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder(). addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALTER)). setOperationScope(HiveOperationScope.TABLE). @@ -240,6 +250,8 @@ public class HiveAuthzPrivilegesMap { hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_ADDCOLS, alterTablePrivilege); hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_REPLACECOLS, alterTablePrivilege); hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_PARTCOLTYPE, alterPartPrivilege); +hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_EXCHANGEPARTITION, alterTableExchangePrivilege); + hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_BUCKETNUM, alterPartPrivilege); hiveAuthzStmtPrivMap.put(HiveOperation.ALTERPARTITION_BUCKETNUM, alterPartPrivilege); http://git-wip-us.apache.org/repos/asf/sentry/blob/b72d4fb2/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbColumnLevelMetaDataOps.java -- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbColumnLevelMetaDataOps.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbColumnLevelMetaDataOps.java index 3735179..c065f7f 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbColumnLevelMetaDataOps.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbColumnLevelMetaDataOps.java @@ -371,4 +371,128 @@ public class TestDbColumnLevelMetaDataOps extends AbstractTestWithStaticConfigur String query = "SHOW TABLE EXTENDED IN " + TEST_COL_METADATA_OPS_DB + " LIKE " + TEST_COL_METADATA_OPS_TB; validateSemanticException(query, USER1_1); } + + /** + * User cannot exchange partition of tables without any privilege on input table and output table + * @throws Exception + */ + @Test + public void testAlterTableExchangeNoPrivilege() throws Exception { +final String PAR_ROLE_NAME = "config1_user_role"; +final String PAR_GROUP_NAME = USERGROUP1; +final String PAR_DB_NAME = "config1_test_database1"; +final String PAR_INPUT_TABLE_NAME = "aliens"; +final String PAR_OUTPUT_TABLE_NAME = "movie_stars"; + +est
sentry git commit: SENTRY-2226: Support Hive operation ALTER TABLE EXCHANGE. (Na Li, reviewed by Sergio Pena, Kalyan Kumar Kalvagadda)
Repository: sentry Updated Branches: refs/heads/master af8ea0ac1 -> 7ac2b05e5 SENTRY-2226: Support Hive operation ALTER TABLE EXCHANGE. (Na Li, reviewed by Sergio Pena, Kalyan Kumar Kalvagadda) Project: http://git-wip-us.apache.org/repos/asf/sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/7ac2b05e Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/7ac2b05e Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/7ac2b05e Branch: refs/heads/master Commit: 7ac2b05e5681e902dc01fc0d4cc21ac9eb13ae43 Parents: af8ea0a Author: lina.li Authored: Fri May 11 11:17:09 2018 -0500 Committer: lina.li Committed: Fri May 11 11:17:09 2018 -0500 -- .../hive/authz/HiveAuthzPrivilegesMap.java | 12 ++ .../TestDbColumnLevelMetaDataOps.java | 124 +++ 2 files changed, 136 insertions(+) -- http://git-wip-us.apache.org/repos/asf/sentry/blob/7ac2b05e/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java -- diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java index ffa193f..4f932ea 100644 --- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java +++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java @@ -112,6 +112,16 @@ public class HiveAuthzPrivilegesMap { setOperationType(HiveOperationType.DDL). build(); +// input required privilege from Hive: SELECT on column level and DELETE on table level +// output required privilege from Hive: INSERT on table level +// Sentry makes it more restrictive, and requires ALL at input, INSERT and ALTER at output +HiveAuthzPrivileges alterTableExchangePrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder(). +addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALL)). +addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INSERT, DBModelAction.ALTER)). +setOperationScope(HiveOperationScope.TABLE). +setOperationType(HiveOperationType.DDL). +build(); + HiveAuthzPrivileges alterPartPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder(). addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALTER)). setOperationScope(HiveOperationScope.TABLE). @@ -240,6 +250,8 @@ public class HiveAuthzPrivilegesMap { hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_ADDCOLS, alterTablePrivilege); hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_REPLACECOLS, alterTablePrivilege); hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_PARTCOLTYPE, alterPartPrivilege); +hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_EXCHANGEPARTITION, alterTableExchangePrivilege); + hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_BUCKETNUM, alterPartPrivilege); hiveAuthzStmtPrivMap.put(HiveOperation.ALTERPARTITION_BUCKETNUM, alterPartPrivilege); http://git-wip-us.apache.org/repos/asf/sentry/blob/7ac2b05e/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbColumnLevelMetaDataOps.java -- diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbColumnLevelMetaDataOps.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbColumnLevelMetaDataOps.java index 3735179..c065f7f 100644 --- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbColumnLevelMetaDataOps.java +++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbColumnLevelMetaDataOps.java @@ -371,4 +371,128 @@ public class TestDbColumnLevelMetaDataOps extends AbstractTestWithStaticConfigur String query = "SHOW TABLE EXTENDED IN " + TEST_COL_METADATA_OPS_DB + " LIKE " + TEST_COL_METADATA_OPS_TB; validateSemanticException(query, USER1_1); } + + /** + * User cannot exchange partition of tables without any privilege on input table and output table + * @throws Exception + */ + @Test + public void testAlterTableExchangeNoPrivilege() throws Exception { +final String PAR_ROLE_NAME = "config1_user_role"; +final String PAR_GROUP_NAME = USERGROUP1; +final String PAR_DB_NAME = "config1_test_database1"; +final String PAR_INPUT_TABLE_NAME = "aliens"; +final String PAR_OUTPUT_TABLE_NAME = "movie_stars"; + +establishSessio