Posted to commits@hive.apache.org by ay...@apache.org on 2022/11/15 14:46:14 UTC

[hive] branch master updated: HIVE-26736: Authorization failure for nested Views having WITH clause. (#3760). (Ayush Saxena, reviewed by Denys Kuzmenko)

This is an automated email from the ASF dual-hosted git repository.

ayushsaxena pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new 606cf5535e4 HIVE-26736: Authorization failure for nested Views having WITH clause. (#3760). (Ayush Saxena, reviewed by Denys Kuzmenko)
606cf5535e4 is described below

commit 606cf5535e45aebd94c4505a812c2722f263d723
Author: Ayush Saxena <ay...@apache.org>
AuthorDate: Tue Nov 15 20:16:06 2022 +0530

    HIVE-26736: Authorization failure for nested Views having WITH clause. (#3760). (Ayush Saxena, reviewed by Denys Kuzmenko)
---
 .../hadoop/hive/ql/parse/SemanticAnalyzer.java     |   3 +
 .../clientpositive/authorization_nested_views.q    |  32 +++++
 .../llap/authorization_nested_views.q.out          | 152 +++++++++++++++++++++
 3 files changed, 187 insertions(+)

diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
index 0f07fa4dbd4..4373643aea4 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
@@ -2342,6 +2342,9 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer {
         ctesExpanded.add(sqAliasToCTEName.get(alias));
       }
       QBExpr qbexpr = qb.getSubqForAlias(alias);
+      if (qbexpr.getQB() != null && (wasView || qb.isInsideView())) {
+        qbexpr.getQB().setInsideView(true);
+      }
       getMetaData(qbexpr, newParentInput);
       if (wasView) {
         viewsExpanded.remove(viewsExpanded.size() - 1);
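Review bot: The added guard `qbexpr.getQB() != null` silently skips any QBExpr that carries no QB of its own, so a CTE or subquery whose body is a set operation (for example a `union all` of two selects from `v1`) would presumably not get the inside-view flag on its branches and could still hit the original authorization failure. Whether `getMetaData(qbexpr, newParentInput)` or an earlier phase covers that case is not visible here, as the enclosing method starts and ends outside the hunk. Because this flag appears to decide whether underlying objects are authorized directly or through the view, the reason for setting it deserves a comment above the `if`, e.g. `// Propagate the view context to nested query blocks (CTEs/subqueries) so their inputs are authorized via the enclosing view.` It would also help to state in that comment why `wasView || qb.isInsideView()` is the complete condition, so a later change does not widen it and relax checks on non-view queries.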
diff --git a/ql/src/test/queries/clientpositive/authorization_nested_views.q b/ql/src/test/queries/clientpositive/authorization_nested_views.q
new file mode 100644
index 00000000000..d27c2b7f99d
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/authorization_nested_views.q
@@ -0,0 +1,32 @@
+--! qt:dataset:src
+
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+-- create a table
+create table src_autho_test as select * from src;
+
+-- create a view
+create view v1 as select * from src_autho_test;
+
+-- create a second view by simple select query
+create view v2 as select * from v1;
+
+-- create a third view by with clause
+create view v3 as with t as (select * from v1) select * from t;
+
+set hive.security.authorization.enabled=true;
+
+-- grant access to the views barring the source view and table.
+
+grant select on table v2 to user hive_test_user;
+grant select on table v3 to user hive_test_user;
+
+explain authorization select * from v2;
+explain authorization select * from v3;
+
+-- try reading from the views
+select * from v2 order by key LIMIT 10;
+
+select * from v3 order by key LIMIT 10;
+
+
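Review bot: The test covers only the permitted path, while the fix widens which query blocks count as inside a view and so presumably which inputs skip a direct privilege check. Nothing here pins that `hive_test_user` is still refused on the ungranted objects. A companion clientnegative test that repeats the setup and grants and then runs `select * from v1;` (and one for `src_autho_test`) would catch a regression where the flag leaks onto a query block that is not under a view. A further positive case with a set operation inside the CTE, e.g. `create view v4 as with t as (select * from v1 union all select * from v1) select * from t;`, would show whether the WITH-clause fix holds for that shape as well.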
diff --git a/ql/src/test/results/clientpositive/llap/authorization_nested_views.q.out b/ql/src/test/results/clientpositive/llap/authorization_nested_views.q.out
new file mode 100644
index 00000000000..11b57e683b2
--- /dev/null
+++ b/ql/src/test/results/clientpositive/llap/authorization_nested_views.q.out
@@ -0,0 +1,152 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+POSTHOOK: Lineage: src_autho_test.key SIMPLE [(src)src.FieldSchema(name:key, type:string, comment:default), ]
+POSTHOOK: Lineage: src_autho_test.value SIMPLE [(src)src.FieldSchema(name:value, type:string, comment:default), ]
+PREHOOK: query: create view v1 as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v1
+POSTHOOK: query: create view v1 as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v1
+POSTHOOK: Lineage: v1.key SIMPLE [(src_autho_test)src_autho_test.FieldSchema(name:key, type:string, comment:null), ]
+POSTHOOK: Lineage: v1.value SIMPLE [(src_autho_test)src_autho_test.FieldSchema(name:value, type:string, comment:null), ]
+PREHOOK: query: create view v2 as select * from v1
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v2
+POSTHOOK: query: create view v2 as select * from v1
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v2
+POSTHOOK: Lineage: v2.key SIMPLE [(src_autho_test)src_autho_test.FieldSchema(name:key, type:string, comment:null), ]
+POSTHOOK: Lineage: v2.value SIMPLE [(src_autho_test)src_autho_test.FieldSchema(name:value, type:string, comment:null), ]
+PREHOOK: query: create view v3 as with t as (select * from v1) select * from t
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v3
+POSTHOOK: query: create view v3 as with t as (select * from v1) select * from t
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v3
+POSTHOOK: Lineage: v3.key SIMPLE [(src_autho_test)src_autho_test.FieldSchema(name:key, type:string, comment:null), ]
+POSTHOOK: Lineage: v3.value SIMPLE [(src_autho_test)src_autho_test.FieldSchema(name:value, type:string, comment:null), ]
+PREHOOK: query: grant select on table v2 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v2
+POSTHOOK: query: grant select on table v2 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v2
+PREHOOK: query: grant select on table v3 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v3
+POSTHOOK: query: grant select on table v3 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v3
+PREHOOK: query: explain authorization select * from v2
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Input: default@v2
+#### A masked pattern was here ####
+POSTHOOK: query: explain authorization select * from v2
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Input: default@v2
+#### A masked pattern was here ####
+INPUTS: 
+  default@v2
+  default@v1
+  default@src_autho_test
+OUTPUTS: 
+#### A masked pattern was here ####
+CURRENT_USER: 
+  hive_test_user
+OPERATION: 
+  QUERY
+PREHOOK: query: explain authorization select * from v3
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Input: default@v3
+#### A masked pattern was here ####
+POSTHOOK: query: explain authorization select * from v3
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Input: default@v3
+#### A masked pattern was here ####
+INPUTS: 
+  default@v3
+  default@v1
+  default@src_autho_test
+OUTPUTS: 
+#### A masked pattern was here ####
+CURRENT_USER: 
+  hive_test_user
+OPERATION: 
+  QUERY
+PREHOOK: query: select * from v2 order by key LIMIT 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Input: default@v2
+#### A masked pattern was here ####
+POSTHOOK: query: select * from v2 order by key LIMIT 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Input: default@v2
+#### A masked pattern was here ####
+0	val_0
+0	val_0
+0	val_0
+10	val_10
+100	val_100
+100	val_100
+103	val_103
+103	val_103
+104	val_104
+104	val_104
+PREHOOK: query: select * from v3 order by key LIMIT 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v1
+PREHOOK: Input: default@v3
+#### A masked pattern was here ####
+POSTHOOK: query: select * from v3 order by key LIMIT 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v1
+POSTHOOK: Input: default@v3
+#### A masked pattern was here ####
+0	val_0
+0	val_0
+0	val_0
+10	val_10
+100	val_100
+100	val_100
+103	val_103
+103	val_103
+104	val_104
+104	val_104