Posted to commits@sentry.apache.org by co...@apache.org on 2017/10/19 09:00:03 UTC

[22/26] sentry git commit: SENTRY-1231: Sentry doesn't secure index location uri, when do "CREATE INDEX LOCATION ''/uri" (Sergio Pena, reviewed by kalyan kumar kalvagadda)

SENTRY-1231: Sentry doesn't secure index location uri, when do "CREATE INDEX LOCATION ''/uri" (Sergio Pena, reviewed by kalyan kumar kalvagadda)


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/e0bdf3e6
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/e0bdf3e6
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/e0bdf3e6

Branch: refs/heads/akolb-cli
Commit: e0bdf3e65c0e999d2190269ae497a3c03a449462
Parents: 74d7d3a
Author: Sergio Pena <se...@cloudera.com>
Authored: Tue Oct 17 12:42:52 2017 -0500
Committer: Sergio Pena <se...@cloudera.com>
Committed: Tue Oct 17 12:42:52 2017 -0500

----------------------------------------------------------------------
 .../binding/hive/HiveAuthzBindingHook.java      |  1 +
 .../hive/authz/HiveAuthzBindingHookBase.java    | 23 +++++++++++++++++++
 .../hive/authz/HiveAuthzPrivilegesMap.java      |  2 ++
 .../tests/e2e/hive/TestOperationsPart2.java     | 24 ++++++++++++++++++++
 4 files changed, 50 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/e0bdf3e6/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index f1531ed..802bf9c 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -148,6 +148,7 @@ public class HiveAuthzBindingHook extends HiveAuthzBindingHookBase {
       case HiveParser.TOK_UNLOCKTABLE:
         currTab = extractTable((ASTNode)ast.getFirstChildWithType(HiveParser.TOK_TABNAME));
         currDB = extractDatabase((ASTNode) ast.getChild(0));
+        indexURI = extractTableLocation(ast);//As index location is captured using token HiveParser.TOK_TABLELOCATION
         break;
       case HiveParser.TOK_ALTERINDEX_REBUILD:
         currTab = extractTable((ASTNode)ast.getChild(0)); //type is not TOK_TABNAME
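Review bot: The added `indexURI = extractTableLocation(ast);` lives in a stacked case group whose earlier labels are above the hunk; the only visible label is `case HiveParser.TOK_UNLOCKTABLE:`, so the call evidently also runs for UNLOCK TABLE (and any other label sharing the group), where no TOK_TABLELOCATION exists and the helper presumably just returns null. That is harmless but not obvious to the next reader, and the trailing comment names the token rather than the intent and is glued to the statement with no space before `//`, unlike `//type is not TOK_TABNAME` three lines down. Suggest `indexURI = extractTableLocation(ast); // CREATE INDEX ... LOCATION is parsed as TOK_TABLELOCATION; null for the other labels in this group`. The enclosing switch starts and ends outside the hunk.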

http://git-wip-us.apache.org/repos/asf/sentry/blob/e0bdf3e6/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
index b4f220e..2e299a9 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
@@ -90,6 +90,7 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
   protected List<AccessURI> udfURIs;
   protected AccessURI serdeURI;
   protected AccessURI partitionURI;
+  protected AccessURI indexURI;
   protected Table currOutTab = null;
   protected Database currOutDB = null;
   protected final List<String> serdeWhiteList;
@@ -290,6 +291,24 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
     }
   }
 
+  protected static AccessURI extractTableLocation(ASTNode ast) throws SemanticException {
+    ASTNode locationChild = (ASTNode)ast.getFirstChildWithType(HiveParser.TOK_TABLELOCATION);
+    if (locationChild == null) {
+      LOG.debug("Token HiveParser.TOK_TABLELOCATION not found in ast. "
+          + "This means command does not have a location clause");
+      return null;
+    }
+
+    if (locationChild.getChildCount() != 1) {
+      LOG.error("Found Token HiveParser.TOK_TABLELOCATION, but was expecting the URI as its only "
+          + "child. This means it is possible that permissions on the URI are not checked for this "
+          + "command ");
+      return null;
+    }
+
+    return parseURI(BaseSemanticAnalyzer.unescapeSQLString(locationChild.getChild(0).getText()));
+  }
+
   public static void runFailureHook(SentryOnFailureHookContext hookContext,
       String csHooks) {
     try {
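Review bot: `extractTableLocation` fails open: when TOK_TABLELOCATION is present but does not have exactly one child, it logs an error and returns null, and the caller added in this commit then performs no URI check at all, so a CREATE INDEX whose LOCATION the hook could not parse is authorized without any URI privilege — the log text itself admits this. For an authorization hook the safe default for an unexpected AST is to reject the statement, and the method already declares `SemanticException`, so replace the `LOG.error` + `return null` branch with `throw new SemanticException("Unexpected AST under TOK_TABLELOCATION: expected the URI as its only child, found " + locationChild.getChildCount() + "; refusing to authorize without a URI check");`. The null return for a genuinely absent LOCATION clause is the right behavior and can stay. Whether the current Hive grammar can actually produce a multi-child TOK_TABLELOCATION I cannot confirm from here, which is exactly why a defensive branch should deny rather than allow.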
@@ -371,6 +390,10 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
         inputHierarchy.add(ImmutableList.of(hiveAuthzBinding.getAuthServer(), partitionURI));
       }
 
+      if(indexURI != null) {
+        outputHierarchy.add(ImmutableList.of(hiveAuthzBinding.getAuthServer(), indexURI));
+      }
+
       getInputHierarchyFromInputs(inputHierarchy, inputs);
       for (WriteEntity writeEntity: outputs) {
         if (filterWriteEntity(writeEntity)) {
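Review bot: `if(indexURI != null)` drops the space after `if` that the surrounding code uses (`if (filterWriteEntity(writeEntity))` two lines below). It is also worth saying why this URI goes to `outputHierarchy` while `partitionURI` just above goes to `inputHierarchy`, since the privilege map change in this commit requires ALL on the output URI: `if (indexURI != null) { // CREATE INDEX ... LOCATION writes index data there, so the URI is an output (ALL required, see HiveAuthzPrivilegesMap)`. The enclosing method starts and ends outside the hunk.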

http://git-wip-us.apache.org/repos/asf/sentry/blob/e0bdf3e6/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index 2a215c4..ffa193f 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -77,6 +77,8 @@ public class HiveAuthzPrivilegesMap {
         build();
     HiveAuthzPrivileges indexTablePrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
         addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INDEX)).
+        //Only used for create index location
+        addOutputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)).
         setOperationScope(HiveOperationScope.TABLE).
         setOperationType(HiveOperationType.DDL).
         build();
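Review bot: The comment `//Only used for create index location` leaves implicit why adding a URI output requirement to `indexTablePrivilege` is safe for the other index operations that appear to share this privilege object (its name suggests one entry for all index DDL; I cannot see the map entries from this hunk). If, as the other hunks in this commit indicate, only CREATE INDEX ever sets a URI output, the requirement is vacuous for DROP/ALTER INDEX and the comment should say so: `// URI (ALL) is checked only when CREATE INDEX carries a LOCATION clause; other index operations never add a URI output, so this entry does not affect them`. Also add the conventional space after `//`.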

http://git-wip-us.apache.org/repos/asf/sentry/blob/e0bdf3e6/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
index 0e79ece..cf89b5d 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
@@ -112,9 +112,13 @@ public class TestOperationsPart2 extends AbstractTestWithStaticConfiguration {
   @Test
   public void testIndexTable() throws Exception {
     adminCreate(DB1, tableName, true);
+    String indexLocation = dfs.getBaseDir() + "/" + Math.random();
     policyFile
         .addPermissionsToRole("index_db1_tb1", privileges.get("index_db1_tb1"))
         .addRolesToGroup(USERGROUP1, "index_db1_tb1")
+        .addRolesToGroup(USERGROUP3, "index_db1_tb1")
+        .addPermissionsToRole("uri_role", "server=server1->uri=" + indexLocation)
+        .addRolesToGroup(USERGROUP3, "uri_role")
         .addPermissionsToRole("insert_db1_tb1", privileges.get("insert_db1_tb1"))
         .addRolesToGroup(USERGROUP2, "insert_db1_tb1");
     writePolicyFile(policyFile);
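Review bot: `dfs.getBaseDir() + "/" + Math.random()` produces a directory name such as `0.41380...`, which works but reads as an odd way to get a unique path and gives no hint of what the directory is for when a test run leaves it behind. If uniqueness across runs is the goal, a descriptive prefix keeps it readable, e.g. `String indexLocation = dfs.getBaseDir() + "/index_location_" + System.nanoTime();` (stays within names already in scope; `UUID` would need an import I cannot see). The policy setup grants USERGROUP3 both `index_db1_tb1` and `uri_role`, which the positive case needs, but no group gets `uri_role` alone, which the negative coverage in the following hunk would benefit from.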
@@ -148,6 +152,26 @@ public class TestOperationsPart2 extends AbstractTestWithStaticConfiguration {
     exec(statement, "DROP INDEX table01_index ON tb1");
     statement.close();
     connection.close();
+
+    //Positive case for location
+    connection = context.createConnection(USER3_1);
+    statement = context.createStatement(connection);
+    exec(statement, "Use " + DB1);
+    exec(statement, "CREATE INDEX table01_index ON TABLE tb1 (a) AS 'COMPACT' WITH DEFERRED REBUILD LOCATION '"
+        + indexLocation + "'");
+    exec(statement, "ALTER INDEX table01_index ON tb1 REBUILD");
+    exec(statement, "DROP INDEX table01_index ON tb1");
+    statement.close();
+    connection.close();
+
+    //Negative case
+    connection = context.createConnection(USER1_1);
+    statement = context.createStatement(connection);
+    exec(statement, "Use " + DB1);
+    assertSemanticException(statement, "CREATE INDEX table01_index ON TABLE tb1 (a) AS 'COMPACT' WITH DEFERRED REBUILD " +
+            "LOCATION '" + indexLocation + "'");
+    statement.close();
+    connection.close();
   }
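Review bot: The negative case only exercises a user with INDEX on tb1 but no URI privilege (USER1_1); the inverse — URI privilege on `indexLocation` but no INDEX on tb1 — is not tested, so a regression that let the URI grant alone satisfy the whole statement would go unnoticed. Add a group that is given only `uri_role` in the policy setup and assert `assertSemanticException` for the same `CREATE INDEX ... LOCATION '<indexLocation>'` statement from a user in that group, plus a check that a URI outside the granted one (e.g. `indexLocation + "_other"`) is rejected for USER3_1. Both cases reuse `indexLocation` after the positive case has created and dropped an index there; that is fine for the negative case since it is rejected at analysis time, but it is worth a one-line comment so nobody assumes the directory is fresh.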
 
   /* Test all operations that require drop on table alone