Posted to commits@sentry.apache.org by co...@apache.org on 2017/10/19 09:00:03 UTC
[22/26] sentry git commit: SENTRY-1231: Sentry doesn't secure index
location uri, when do "CREATE INDEX LOCATION ''/uri" (Sergio Pena,
reviewed by kalyan kumar kalvagadda)
SENTRY-1231: Sentry doesn't secure index location uri, when do "CREATE INDEX LOCATION ''/uri" (Sergio Pena, reviewed by kalyan kumar kalvagadda)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/e0bdf3e6
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/e0bdf3e6
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/e0bdf3e6
Branch: refs/heads/akolb-cli
Commit: e0bdf3e65c0e999d2190269ae497a3c03a449462
Parents: 74d7d3a
Author: Sergio Pena <se...@cloudera.com>
Authored: Tue Oct 17 12:42:52 2017 -0500
Committer: Sergio Pena <se...@cloudera.com>
Committed: Tue Oct 17 12:42:52 2017 -0500
----------------------------------------------------------------------
.../binding/hive/HiveAuthzBindingHook.java | 1 +
.../hive/authz/HiveAuthzBindingHookBase.java | 23 +++++++++++++++++++
.../hive/authz/HiveAuthzPrivilegesMap.java | 2 ++
.../tests/e2e/hive/TestOperationsPart2.java | 24 ++++++++++++++++++++
4 files changed, 50 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/e0bdf3e6/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index f1531ed..802bf9c 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -148,6 +148,7 @@ public class HiveAuthzBindingHook extends HiveAuthzBindingHookBase {
case HiveParser.TOK_UNLOCKTABLE:
currTab = extractTable((ASTNode)ast.getFirstChildWithType(HiveParser.TOK_TABNAME));
currDB = extractDatabase((ASTNode) ast.getChild(0));
+ indexURI = extractTableLocation(ast);//As index location is captured using token HiveParser.TOK_TABLELOCATION
break;
case HiveParser.TOK_ALTERINDEX_REBUILD:
currTab = extractTable((ASTNode)ast.getChild(0)); //type is not TOK_TABNAME
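Review bot: The new `indexURI = extractTableLocation(ast);` line sits in the case group whose visible label is `HiveParser.TOK_UNLOCKTABLE`, so it runs for every token that falls through into that group, not only for CREATE INDEX; the labels above the hunk are outside SOURCE, so which statements share the group cannot be confirmed from here. The other statements presumably end up with a null indexURI only because extractTableLocation returns null when no TOK_TABLELOCATION child exists, and that reliance deserves to be stated rather than implied by the trailing comment. A why-comment on its own line would read better, e.g. `// CREATE INDEX ... LOCATION carries its URI under TOK_TABLELOCATION; null when the statement has no LOCATION clause`. The switch and its enclosing method start and end outside the hunk.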
http://git-wip-us.apache.org/repos/asf/sentry/blob/e0bdf3e6/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
index b4f220e..2e299a9 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
@@ -90,6 +90,7 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
protected List<AccessURI> udfURIs;
protected AccessURI serdeURI;
protected AccessURI partitionURI;
+ protected AccessURI indexURI;
protected Table currOutTab = null;
protected Database currOutDB = null;
protected final List<String> serdeWhiteList;
@@ -290,6 +291,24 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
}
}
+ protected static AccessURI extractTableLocation(ASTNode ast) throws SemanticException {
+ ASTNode locationChild = (ASTNode)ast.getFirstChildWithType(HiveParser.TOK_TABLELOCATION);
+ if (locationChild == null) {
+ LOG.debug("Token HiveParser.TOK_TABLELOCATION not found in ast. "
+ + "This means command does not have a location clause");
+ return null;
+ }
+
+ if (locationChild.getChildCount() != 1) {
+ LOG.error("Found Token HiveParser.TOK_TABLELOCATION, but was expecting the URI as its only "
+ + "child. This means it is possible that permissions on the URI are not checked for this "
+ + "command ");
+ return null;
+ }
+
+ return parseURI(BaseSemanticAnalyzer.unescapeSQLString(locationChild.getChild(0).getText()));
+ }
+
public static void runFailureHook(SentryOnFailureHookContext hookContext,
String csHooks) {
try {
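Review bot: extractTableLocation fails open on an unexpected AST shape: when `locationChild.getChildCount() != 1` it logs an error and returns null, and the caller cannot tell that null apart from "no LOCATION clause", so the statement proceeds with no URI privilege check — the log message itself admits this. The method already declares `throws SemanticException`, so failing closed costs one line: `throw new SemanticException("TOK_TABLELOCATION expected a single URI child, found " + locationChild.getChildCount());`. A Javadoc on the new method stating that it returns null only when the statement has no LOCATION clause, and that the returned AccessURI is built from the unescaped LOCATION string, would also make the null contract explicit for callers. The inserted method is complete within the hunk.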
@@ -371,6 +390,10 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
inputHierarchy.add(ImmutableList.of(hiveAuthzBinding.getAuthServer(), partitionURI));
}
+ if(indexURI != null) {
+ outputHierarchy.add(ImmutableList.of(hiveAuthzBinding.getAuthServer(), indexURI));
+ }
+
getInputHierarchyFromInputs(inputHierarchy, inputs);
for (WriteEntity writeEntity: outputs) {
if (filterWriteEntity(writeEntity)) {
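Review bot: The new `if(indexURI != null)` block adds the index URI to `outputHierarchy` while the partition URI just above it goes into `inputHierarchy`, and nothing in the hunk says why the index location is treated as an output; a one-line comment would make that reviewable, e.g. `// The index's LOCATION is written to, so it is authorized as an output URI (see indexTablePrivilege in HiveAuthzPrivilegesMap)`. Style-wise the added line should read `if (indexURI != null) {` to match `if (filterWriteEntity(writeEntity)) {` a few lines below. The enclosing method starts and ends outside the hunk.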
http://git-wip-us.apache.org/repos/asf/sentry/blob/e0bdf3e6/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index 2a215c4..ffa193f 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -77,6 +77,8 @@ public class HiveAuthzPrivilegesMap {
build();
HiveAuthzPrivileges indexTablePrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INDEX)).
+ //Only used for create index location
+ addOutputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)).
setOperationScope(HiveOperationScope.TABLE).
setOperationType(HiveOperationType.DDL).
build();
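Review bot: The comment `//Only used for create index location` on the new URI output privilege does not say what happens to the other index operations that share indexTablePrivilege; as far as the hook code in this commit shows, indexURI is populated only when the statement has a TOK_TABLELOCATION child, so those operations carry no output URI and the added requirement is a no-op for them, but that coupling is invisible from this file. Suggest: `// Checked only when the statement carries a LOCATION clause (indexURI set in HiveAuthzBindingHook); other index operations produce no output URI`. Requiring `DBModelAction.ALL` on the URI is the strictest option; if that is deliberate and matches how other LOCATION clauses in this map are handled, the comment should say so. The builder chain starts before the hunk.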
http://git-wip-us.apache.org/repos/asf/sentry/blob/e0bdf3e6/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
index 0e79ece..cf89b5d 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart2.java
@@ -112,9 +112,13 @@ public class TestOperationsPart2 extends AbstractTestWithStaticConfiguration {
@Test
public void testIndexTable() throws Exception {
adminCreate(DB1, tableName, true);
+ String indexLocation = dfs.getBaseDir() + "/" + Math.random();
policyFile
.addPermissionsToRole("index_db1_tb1", privileges.get("index_db1_tb1"))
.addRolesToGroup(USERGROUP1, "index_db1_tb1")
+ .addRolesToGroup(USERGROUP3, "index_db1_tb1")
+ .addPermissionsToRole("uri_role", "server=server1->uri=" + indexLocation)
+ .addRolesToGroup(USERGROUP3, "uri_role")
.addPermissionsToRole("insert_db1_tb1", privileges.get("insert_db1_tb1"))
.addRolesToGroup(USERGROUP2, "insert_db1_tb1");
writePolicyFile(policyFile);
@@ -148,6 +152,26 @@ public class TestOperationsPart2 extends AbstractTestWithStaticConfiguration {
exec(statement, "DROP INDEX table01_index ON tb1");
statement.close();
connection.close();
+
+ //Positive case for location
+ connection = context.createConnection(USER3_1);
+ statement = context.createStatement(connection);
+ exec(statement, "Use " + DB1);
+ exec(statement, "CREATE INDEX table01_index ON TABLE tb1 (a) AS 'COMPACT' WITH DEFERRED REBUILD LOCATION '"
+ + indexLocation + "'");
+ exec(statement, "ALTER INDEX table01_index ON tb1 REBUILD");
+ exec(statement, "DROP INDEX table01_index ON tb1");
+ statement.close();
+ connection.close();
+
+ //Negative case
+ connection = context.createConnection(USER1_1);
+ statement = context.createStatement(connection);
+ exec(statement, "Use " + DB1);
+ assertSemanticException(statement, "CREATE INDEX table01_index ON TABLE tb1 (a) AS 'COMPACT' WITH DEFERRED REBUILD " +
+ "LOCATION '" + indexLocation + "'");
+ statement.close();
+ connection.close();
}
/* Test all operations that require drop on table alone
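Review bot: The negative case at the end accepts any semantic exception from `assertSemanticException`, so it does not distinguish "USER1_1 lacks the URI privilege" from any other failure of the CREATE INDEX ... LOCATION statement, and a regression that broke the statement itself would still pass. If USER1_1 already creates and drops the same index without LOCATION earlier in the test (the DROP INDEX on the context lines suggests so, but that part is outside the hunk), the cheapest strengthening is to run that LOCATION-less CREATE INDEX for USER1_1 immediately before the negative case, or to assert on the authorization text of the exception. The positive and negative cases also reuse the index name table01_index; if the positive case fails mid-way its DROP INDEX is skipped and the following statements run against leftover state, so wrapping the cleanup in a try/finally would keep the failures independent. testIndexTable starts before this hunk.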