Posted to commits@hive.apache.org by kh...@apache.org on 2017/07/14 18:33:19 UTC
hive git commit: HIVE-17005 : Ensure REPL DUMP and REPL LOAD are
authorized properly (Sushanth Sowmyan, reviewed by Thejas Nair)
Repository: hive
Updated Branches:
refs/heads/master 094c1d503 -> 4ec00d364
HIVE-17005 : Ensure REPL DUMP and REPL LOAD are authorized properly (Sushanth Sowmyan, reviewed by Thejas Nair)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/4ec00d36
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/4ec00d36
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/4ec00d36
Branch: refs/heads/master
Commit: 4ec00d36463cc4f2440ba1616e3f250d98787963
Parents: 094c1d5
Author: Sushanth Sowmyan <kh...@gmail.com>
Authored: Fri Jul 14 11:30:56 2017 -0700
Committer: Sushanth Sowmyan <kh...@gmail.com>
Committed: Fri Jul 14 11:33:15 2017 -0700
----------------------------------------------------------------------
.../hive/ql/parse/ImportSemanticAnalyzer.java | 10 ++-
.../hive/ql/parse/SemanticAnalyzerFactory.java | 6 +-
.../hadoop/hive/ql/plan/HiveOperation.java | 3 +
.../authorization/plugin/HiveOperationType.java | 3 +
.../plugin/sqlstd/Operation2Privilege.java | 29 +++++++
.../SQLStdHiveAuthorizationValidator.java | 9 +++
.../clientnegative/repl_dump_requires_admin.q | 38 +++++++++
.../clientnegative/repl_load_requires_admin.q | 41 ++++++++++
.../repl_dump_requires_admin.q.out | 67 ++++++++++++++++
.../repl_load_requires_admin.q.out | 82 ++++++++++++++++++++
10 files changed, 282 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hive/blob/4ec00d36/ql/src/java/org/apache/hadoop/hive/ql/parse/ImportSemanticAnalyzer.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/ImportSemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/ImportSemanticAnalyzer.java
index 2d907ff..f3f206b 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/parse/ImportSemanticAnalyzer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/ImportSemanticAnalyzer.java
@@ -79,10 +79,14 @@ public class ImportSemanticAnalyzer extends BaseSemanticAnalyzer {
super(queryState);
}
- // FIXME : Note that the tableExists flag as used by Auth is kinda a hack and
+ // Note that the tableExists flag as used by Auth is kinda a hack and
// assumes only 1 table will ever be imported - this assumption is broken by
- // REPL LOAD. We need to fix this. Maybe by continuing the hack and replacing
- // by a map, maybe by coming up with a better api for it.
+ // REPL LOAD.
+ //
+ // However, we've not chosen to expand this to a map of tables/etc, since
+ // we have expanded how auth works with REPL DUMP / REPL LOAD to simply
+ // require ADMIN privileges, rather than checking each object, which
+ // quickly becomes untenable, and even more so, costly on memory.
private boolean tableExists = false;
public boolean existsTable() {
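Review bot: The rewritten comment above `tableExists` states the ADMIN requirement as if it held for all authorization, but in this commit it is enforced only in `SQLStdHiveAuthorizationValidator`. `HiveOperation` maps the same operations to `Privilege.ALL`, so the comment should name the authorizer it describes. "we've not chosen to expand" also reads as if no decision was made. Suggested wording: `// We have deliberately not expanded this to a map of tables: under SQL standard authorization, REPL DUMP / REPL LOAD require the ADMIN role instead of per-object checks.` The hunk is comment-only and the class body continues outside it.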
http://git-wip-us.apache.org/repos/asf/hive/blob/4ec00d36/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzerFactory.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzerFactory.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzerFactory.java
index 3c60e03..a24e038 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzerFactory.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzerFactory.java
@@ -129,9 +129,9 @@ public final class SemanticAnalyzerFactory {
commandType.put(HiveParser.TOK_COMMIT, HiveOperation.COMMIT);
commandType.put(HiveParser.TOK_ROLLBACK, HiveOperation.ROLLBACK);
commandType.put(HiveParser.TOK_SET_AUTOCOMMIT, HiveOperation.SET_AUTOCOMMIT);
- commandType.put(HiveParser.TOK_REPL_DUMP, HiveOperation.EXPORT); // piggyback on EXPORT security handling for now
- commandType.put(HiveParser.TOK_REPL_LOAD, HiveOperation.IMPORT); // piggyback on IMPORT security handling for now
- commandType.put(HiveParser.TOK_REPL_STATUS, HiveOperation.SHOW_TBLPROPERTIES); // TODO : also actually DESCDATABASE
+ commandType.put(HiveParser.TOK_REPL_DUMP, HiveOperation.REPLDUMP);
+ commandType.put(HiveParser.TOK_REPL_LOAD, HiveOperation.REPLLOAD);
+ commandType.put(HiveParser.TOK_REPL_STATUS, HiveOperation.REPLSTATUS);
}
static {
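Review bot: Switching the three `commandType.put` entries from EXPORT / IMPORT / SHOW_TBLPROPERTIES to dedicated operations changes what every authorizer sees for REPL statements, not only the SQL standard one updated in this commit. An authorizer that maps operation types itself and has no entry for the new values may fall back to whatever it does for an unknown operation; whether that is allow or deny cannot be told from this diff. A comment at the three lines would make the contract explicit, for example `// REPL commands carry their own operation types; every authorizer must map REPLDUMP/REPLLOAD/REPLSTATUS explicitly`. The change is also worth a release note.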
http://git-wip-us.apache.org/repos/asf/hive/blob/4ec00d36/ql/src/java/org/apache/hadoop/hive/ql/plan/HiveOperation.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/plan/HiveOperation.java b/ql/src/java/org/apache/hadoop/hive/ql/plan/HiveOperation.java
index ecac31f..d9b6969 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/plan/HiveOperation.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/plan/HiveOperation.java
@@ -25,6 +25,9 @@ public enum HiveOperation {
LOAD("LOAD", null, new Privilege[]{Privilege.ALTER_DATA}),
EXPORT("EXPORT", new Privilege[]{Privilege.SELECT}, null),
IMPORT("IMPORT", null, new Privilege[]{Privilege.ALTER_METADATA, Privilege.ALTER_DATA}),
+ REPLDUMP("REPLDUMP", new Privilege[]{Privilege.ALL}, null),
+ REPLLOAD("REPLLOAD", null, new Privilege[]{Privilege.ALL}),
+ REPLSTATUS("REPLSTATUS", new Privilege[]{Privilege.SELECT}, null),
CREATEDATABASE("CREATEDATABASE", null, new Privilege[]{Privilege.CREATE}),
DROPDATABASE("DROPDATABASE", null, new Privilege[]{Privilege.DROP}),
SWITCHDATABASE("SWITCHDATABASE", null, null, true, false),
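Review bot: `REPLDUMP` and `REPLLOAD` are given `Privilege.ALL` here, which is an object-level privilege, while the SQL standard path in this commit demands the ADMIN role and ignores objects. If these enum privileges are still consumed by another authorization path (presumably the older provider; not visible in this diff), a user holding ALL on one database could run a REPL DUMP there without being an admin. A comment should record that the difference is intended, for example `// SQL standard authorization requires ADMIN for REPLDUMP/REPLLOAD (see Operation2Privilege); ALL is the closest object-level requirement`. Otherwise the two definitions should be aligned.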
http://git-wip-us.apache.org/repos/asf/hive/blob/4ec00d36/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java
index 7da44e8..2fb2a36 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java
@@ -30,6 +30,9 @@ public enum HiveOperationType {
LOAD,
EXPORT,
IMPORT,
+ REPLDUMP,
+ REPLLOAD,
+ REPLSTATUS,
CREATEDATABASE,
DROPDATABASE,
SWITCHDATABASE,
http://git-wip-us.apache.org/repos/asf/hive/blob/4ec00d36/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
index 9688f8c..9458759 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
@@ -113,6 +113,7 @@ public class Operation2Privilege {
}
private static Map<HiveOperationType, List<PrivRequirement>> op2Priv;
+ private static List<HiveOperationType> adminPrivOps;
private static SQLPrivTypeGrant[] OWNER_PRIV_AR = arr(SQLPrivTypeGrant.OWNER_PRIV);
private static SQLPrivTypeGrant[] SEL_NOGRANT_AR = arr(SQLPrivTypeGrant.SELECT_NOGRANT);
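Review bot: `adminPrivOps` decides which operations bypass per-object checks, yet it is a non-final static `List` that is filled by `add` calls in the static initializer (the next two hunks), so any code in the class can reassign or mutate it later. A final, immutable set states the intent and makes `isAdminPrivOperation` a constant-time lookup: `private static final Set<HiveOperationType> ADMIN_PRIV_OPS = Collections.unmodifiableSet(EnumSet.of(HiveOperationType.REPLDUMP, HiveOperationType.REPLLOAD));`. That would need the matching `java.util` imports, which are outside the hunk. The `new ArrayList` line and the two `adminPrivOps.add(...)` calls would then go away.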
@@ -130,6 +131,8 @@ public class Operation2Privilege {
static {
+
+ adminPrivOps = new ArrayList<HiveOperationType>();
op2Priv = new HashMap<HiveOperationType, List<PrivRequirement>>();
op2Priv.put(HiveOperationType.EXPLAIN, PrivRequirement.newIOPrivRequirement
@@ -293,6 +296,21 @@ public class Operation2Privilege {
IOType.OUTPUT, null, HivePrivilegeObjectType.TABLE_OR_VIEW),
new PrivRequirement(OWNER_PRIV_AR, IOType.OUTPUT, null, HivePrivilegeObjectType.DATABASE)));
+ // Setting REPL DUMP and REPL LOAD as all requiring ADMIN privileges.
+ // We might wind up loosening this in the future, but right now, we do not want
+ // to do individual object based checks on every object possible, and thus, asking
+ // for a broad privilege such as this is the best route forward. REPL STATUS
+ // should use privileges similar to DESCRIBE DB/TABLE, and so, it asks for no
+ // output privileges, and asks for select-no-grant on input.
+ op2Priv.put(HiveOperationType.REPLDUMP, PrivRequirement.newIOPrivRequirement(
+ ADMIN_PRIV_AR, ADMIN_PRIV_AR));
+ op2Priv.put(HiveOperationType.REPLLOAD, PrivRequirement.newIOPrivRequirement(
+ ADMIN_PRIV_AR, ADMIN_PRIV_AR));
+ op2Priv.put(HiveOperationType.REPLSTATUS, PrivRequirement.newIOPrivRequirement(
+ SEL_NOGRANT_AR, null));
+ adminPrivOps.add(HiveOperationType.REPLDUMP);
+ adminPrivOps.add(HiveOperationType.REPLLOAD);
+
// operations require select priv
op2Priv.put(HiveOperationType.SHOWCOLUMNS, PrivRequirement.newIOPrivRequirement
(SEL_NOGRANT_AR, null));
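Review bot: `REPLSTATUS` is registered with `SEL_NOGRANT_AR` on input and is not added to `adminPrivOps`, so it is enforced only for objects that the analyzer registers as inputs. The expected output for `repl dump` in this commit lists no Input or Output entities, and whether the REPL STATUS analyzer registers the database or table is not visible here. If it registers none, the per-object loop in the validator has nothing to compare and the statement passes for any user. The commit adds negative tests for REPL DUMP and REPL LOAD only, so a `repl status` case run by a user without SELECT would pin this down.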
@@ -501,6 +519,17 @@ public class Operation2Privilege {
return reqPrivs;
}
+ /**
+ * Some operations are tagged as requiring admin privileges, ignoring any object that
+ * might be checked on it. This check is run in those cases.
+ *
+ * @param hiveOpType
+ * @return
+ */
+ public static boolean isAdminPrivOperation(HiveOperationType hiveOpType) {
+ return adminPrivOps.contains(hiveOpType);
+ }
+
// for unit tests
public static Set<HiveOperationType> getOperationTypes() {
return op2Priv.keySet();
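Review bot: The Javadoc on `isAdminPrivOperation` leaves `@param hiveOpType` and `@return` empty, which matters because this method decides whether object checks are skipped. Suggested tags: `@param hiveOpType the operation being authorized` and `@return true if the operation requires the ADMIN role regardless of the objects involved`. The summary sentence should also say that the validator skips per-object privilege checks when this method returns true.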
http://git-wip-us.apache.org/repos/asf/hive/blob/4ec00d36/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
index 2977675..94fb7a0 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
@@ -95,6 +95,15 @@ public class SQLStdHiveAuthorizationValidator implements HiveAuthorizationValida
return;
}
+ // Special-casing for ADMIN-level operations that do not require object checking.
+ if (Operation2Privilege.isAdminPrivOperation(hiveOpType)) {
+ // Require ADMIN privilege
+ if (!privController.isUserAdmin()) {
+ deniedMessages.add(SQLPrivTypeGrant.ADMIN_PRIV.toString() + " on " + ioType);
+ }
+ return; // Ignore object, fail if not admin, succeed if admin.
+ }
+
// Compare required privileges and available privileges for each hive object
for (HivePrivilegeObject hiveObj : hiveObjects) {
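Review bot: The new admin check sits below an early `return` (the first two context lines of the hunk) whose condition is outside the hunk. If that guard returns when the object list is null or absent, an admin-only operation invoked without objects would leave the method before `privController.isUserAdmin()` is consulted. The new negative tests show the denial is reached for the tested statements, but the requirement then depends on every caller passing a list. Moving the `if (Operation2Privilege.isAdminPrivOperation(hiveOpType)) { ... }` block ahead of that guard removes the dependency. The enclosing method starts and ends outside the hunk.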
http://git-wip-us.apache.org/repos/asf/hive/blob/4ec00d36/ql/src/test/queries/clientnegative/repl_dump_requires_admin.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/repl_dump_requires_admin.q b/ql/src/test/queries/clientnegative/repl_dump_requires_admin.q
new file mode 100644
index 0000000..cd9080c
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/repl_dump_requires_admin.q
@@ -0,0 +1,38 @@
+set hive.security.authorization.enabled=true;
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set hive.repl.rootdir=${system:test.tmp.dir}/hrepl;
+
+dfs ${system:test.dfs.mkdir} ${system:test.tmp.dir}/hrepl/sentinel;
+dfs -rmr ${system:test.tmp.dir}/hrepl;
+dfs ${system:test.dfs.mkdir} ${system:test.tmp.dir}/hrepl;
+
+set user.name=hive_admin_user;
+set role ADMIN;
+
+drop database if exists test_repldump_adminpriv cascade;
+
+set user.name=ruser1;
+show role grant user ruser1;
+
+create database test_repldump_adminpriv;
+create table test_repldump_adminpriv.dummy_tbl(a int) partitioned by (b string);
+show tables test_repldump_adminpriv;
+
+set user.name=hive_admin_user;
+set role ADMIN;
+show role grant user ruser1;
+show role grant user hive_admin_user;
+
+-- repl dump as admin should succeed
+show tables test_repldump_adminpriv;
+repl dump test_repldump_adminpriv;
+
+dfs -rmr ${system:test.tmp.dir}/hrepl/next;
+
+set user.name=ruser1;
+show tables test_repldump_adminpriv;
+
+-- repl dump as non-admin should fail
+repl dump test_repldump_adminpriv;
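Review bot: The denial is exercised only for `ruser1`, who holds just the `public` role; the same applies to `repl_load_requires_admin.q`. There is no case for a user who has been granted the admin role but has not run `set role ADMIN` in the session. The validator relies on `privController.isUserAdmin()`, and whether that reflects granted roles or only the active role is not visible in this diff. A further clientnegative file covering that user would fix the intended behaviour in a test.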
http://git-wip-us.apache.org/repos/asf/hive/blob/4ec00d36/ql/src/test/queries/clientnegative/repl_load_requires_admin.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/repl_load_requires_admin.q b/ql/src/test/queries/clientnegative/repl_load_requires_admin.q
new file mode 100644
index 0000000..68a132d
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/repl_load_requires_admin.q
@@ -0,0 +1,41 @@
+set hive.security.authorization.enabled=true;
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set hive.repl.rootdir=${system:test.tmp.dir}/hrepl;
+
+dfs ${system:test.dfs.mkdir} ${system:test.tmp.dir}/hrepl/sentinel;
+dfs -rmr ${system:test.tmp.dir}/hrepl;
+dfs ${system:test.dfs.mkdir} ${system:test.tmp.dir}/hrepl;
+
+set user.name=hive_admin_user;
+set role ADMIN;
+
+drop database if exists test_replload_adminpriv_src cascade;
+drop database if exists test_replload_adminpriv_tgt1 cascade;
+drop database if exists test_replload_adminpriv_tgt2 cascade;
+
+set user.name=ruser1;
+show role grant user ruser1;
+
+create database test_replload_adminpriv_src;
+create table test_replload_adminpriv_src.dummy_tbl(a int) partitioned by (b string);
+show tables test_replload_adminpriv_src;
+
+set user.name=hive_admin_user;
+set role ADMIN;
+show role grant user ruser1;
+show role grant user hive_admin_user;
+
+-- repl dump
+show tables test_replload_adminpriv_src;
+repl dump test_replload_adminpriv_src;
+
+-- repl load as admin should succeed
+repl load test_replload_adminpriv_tgt1 from '${system:test.tmp.dir}/hrepl/next/';
+show tables test_replload_adminpriv_tgt1;
+
+set user.name=ruser1;
+
+-- repl load as non-admin should fail
+repl load test_replload_adminpriv_tgt2 from '${system:test.tmp.dir}/hrepl/next';
http://git-wip-us.apache.org/repos/asf/hive/blob/4ec00d36/ql/src/test/results/clientnegative/repl_dump_requires_admin.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/repl_dump_requires_admin.q.out b/ql/src/test/results/clientnegative/repl_dump_requires_admin.q.out
new file mode 100644
index 0000000..29e72f4
--- /dev/null
+++ b/ql/src/test/results/clientnegative/repl_dump_requires_admin.q.out
@@ -0,0 +1,67 @@
+#### A masked pattern was here ####
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: drop database if exists test_repldump_adminpriv cascade
+PREHOOK: type: DROPDATABASE
+POSTHOOK: query: drop database if exists test_repldump_adminpriv cascade
+POSTHOOK: type: DROPDATABASE
+PREHOOK: query: show role grant user ruser1
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user ruser1
+POSTHOOK: type: SHOW_ROLE_GRANT
+public false -1
+PREHOOK: query: create database test_repldump_adminpriv
+PREHOOK: type: CREATEDATABASE
+PREHOOK: Output: database:test_repldump_adminpriv
+POSTHOOK: query: create database test_repldump_adminpriv
+POSTHOOK: type: CREATEDATABASE
+POSTHOOK: Output: database:test_repldump_adminpriv
+PREHOOK: query: create table test_repldump_adminpriv.dummy_tbl(a int) partitioned by (b string)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:test_repldump_adminpriv
+PREHOOK: Output: test_repldump_adminpriv@dummy_tbl
+POSTHOOK: query: create table test_repldump_adminpriv.dummy_tbl(a int) partitioned by (b string)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:test_repldump_adminpriv
+POSTHOOK: Output: test_repldump_adminpriv@dummy_tbl
+PREHOOK: query: show tables test_repldump_adminpriv
+PREHOOK: type: SHOWTABLES
+PREHOOK: Input: database:default
+POSTHOOK: query: show tables test_repldump_adminpriv
+POSTHOOK: type: SHOWTABLES
+POSTHOOK: Input: database:default
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: show role grant user ruser1
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user ruser1
+POSTHOOK: type: SHOW_ROLE_GRANT
+public false -1
+PREHOOK: query: show role grant user hive_admin_user
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user hive_admin_user
+POSTHOOK: type: SHOW_ROLE_GRANT
+admin true -1 admin
+public false -1
+PREHOOK: query: show tables test_repldump_adminpriv
+PREHOOK: type: SHOWTABLES
+PREHOOK: Input: database:default
+POSTHOOK: query: show tables test_repldump_adminpriv
+POSTHOOK: type: SHOWTABLES
+POSTHOOK: Input: database:default
+PREHOOK: query: repl dump test_repldump_adminpriv
+PREHOOK: type: REPLDUMP
+POSTHOOK: query: repl dump test_repldump_adminpriv
+POSTHOOK: type: REPLDUMP
+#### A masked pattern was here ####
+PREHOOK: query: show tables test_repldump_adminpriv
+PREHOOK: type: SHOWTABLES
+PREHOOK: Input: database:default
+POSTHOOK: query: show tables test_repldump_adminpriv
+POSTHOOK: type: SHOWTABLES
+POSTHOOK: Input: database:default
+FAILED: HiveAccessControlException Permission denied: Principal [name=ruser1, type=USER] does not have following privileges for operation REPLDUMP [ADMIN PRIVILEGE on INPUT, ADMIN PRIVILEGE on OUTPUT]
http://git-wip-us.apache.org/repos/asf/hive/blob/4ec00d36/ql/src/test/results/clientnegative/repl_load_requires_admin.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/repl_load_requires_admin.q.out b/ql/src/test/results/clientnegative/repl_load_requires_admin.q.out
new file mode 100644
index 0000000..df0b5dc
--- /dev/null
+++ b/ql/src/test/results/clientnegative/repl_load_requires_admin.q.out
@@ -0,0 +1,82 @@
+#### A masked pattern was here ####
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: drop database if exists test_replload_adminpriv_src cascade
+PREHOOK: type: DROPDATABASE
+POSTHOOK: query: drop database if exists test_replload_adminpriv_src cascade
+POSTHOOK: type: DROPDATABASE
+PREHOOK: query: drop database if exists test_replload_adminpriv_tgt1 cascade
+PREHOOK: type: DROPDATABASE
+POSTHOOK: query: drop database if exists test_replload_adminpriv_tgt1 cascade
+POSTHOOK: type: DROPDATABASE
+PREHOOK: query: drop database if exists test_replload_adminpriv_tgt2 cascade
+PREHOOK: type: DROPDATABASE
+POSTHOOK: query: drop database if exists test_replload_adminpriv_tgt2 cascade
+POSTHOOK: type: DROPDATABASE
+PREHOOK: query: show role grant user ruser1
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user ruser1
+POSTHOOK: type: SHOW_ROLE_GRANT
+public false -1
+PREHOOK: query: create database test_replload_adminpriv_src
+PREHOOK: type: CREATEDATABASE
+PREHOOK: Output: database:test_replload_adminpriv_src
+POSTHOOK: query: create database test_replload_adminpriv_src
+POSTHOOK: type: CREATEDATABASE
+POSTHOOK: Output: database:test_replload_adminpriv_src
+PREHOOK: query: create table test_replload_adminpriv_src.dummy_tbl(a int) partitioned by (b string)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:test_replload_adminpriv_src
+PREHOOK: Output: test_replload_adminpriv_src@dummy_tbl
+POSTHOOK: query: create table test_replload_adminpriv_src.dummy_tbl(a int) partitioned by (b string)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:test_replload_adminpriv_src
+POSTHOOK: Output: test_replload_adminpriv_src@dummy_tbl
+PREHOOK: query: show tables test_replload_adminpriv_src
+PREHOOK: type: SHOWTABLES
+PREHOOK: Input: database:default
+POSTHOOK: query: show tables test_replload_adminpriv_src
+POSTHOOK: type: SHOWTABLES
+POSTHOOK: Input: database:default
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: show role grant user ruser1
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user ruser1
+POSTHOOK: type: SHOW_ROLE_GRANT
+public false -1
+PREHOOK: query: show role grant user hive_admin_user
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user hive_admin_user
+POSTHOOK: type: SHOW_ROLE_GRANT
+admin true -1 admin
+public false -1
+PREHOOK: query: show tables test_replload_adminpriv_src
+PREHOOK: type: SHOWTABLES
+PREHOOK: Input: database:default
+POSTHOOK: query: show tables test_replload_adminpriv_src
+POSTHOOK: type: SHOWTABLES
+POSTHOOK: Input: database:default
+PREHOOK: query: repl dump test_replload_adminpriv_src
+PREHOOK: type: REPLDUMP
+POSTHOOK: query: repl dump test_replload_adminpriv_src
+POSTHOOK: type: REPLDUMP
+#### A masked pattern was here ####
+PREHOOK: type: REPLLOAD
+#### A masked pattern was here ####
+PREHOOK: Output: test_replload_adminpriv_tgt1@dummy_tbl
+#### A masked pattern was here ####
+POSTHOOK: type: REPLLOAD
+#### A masked pattern was here ####
+POSTHOOK: Output: test_replload_adminpriv_tgt1@dummy_tbl
+PREHOOK: query: show tables test_replload_adminpriv_tgt1
+PREHOOK: type: SHOWTABLES
+PREHOOK: Input: database:default
+POSTHOOK: query: show tables test_replload_adminpriv_tgt1
+POSTHOOK: type: SHOWTABLES
+POSTHOOK: Input: database:default
+FAILED: HiveAccessControlException Permission denied: Principal [name=ruser1, type=USER] does not have following privileges for operation REPLLOAD [ADMIN PRIVILEGE on INPUT, ADMIN PRIVILEGE on OUTPUT]