Posted to commits@sentry.apache.org by pr...@apache.org on 2015/04/02 00:07:10 UTC
incubator-sentry git commit: SENTRY-687: Handle authorization for
'select ' hive queries (Yibing Shi via Prasad Mujumdar)
Repository: incubator-sentry
Updated Branches:
refs/heads/master 80dc59287 -> 0ca688383
SENTRY-687: Handle authorization for 'select <expr>' hive queries (Yibing Shi via Prasad Mujumdar)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/0ca68838
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/0ca68838
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/0ca68838
Branch: refs/heads/master
Commit: 0ca68838338ff1418495a442249323c7da0ccbba
Parents: 80dc592
Author: Prasad Mujumdar <pr...@apache.org>
Authored: Wed Apr 1 15:06:07 2015 -0700
Committer: Prasad Mujumdar <pr...@apache.org>
Committed: Wed Apr 1 15:06:07 2015 -0700
----------------------------------------------------------------------
.../binding/hive/HiveAuthzBindingHook.java | 10 ++++--
.../e2e/hive/TestPrivilegesAtTableScope.java | 33 ++++++++++++++++++++
2 files changed, 41 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0ca68838/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 48afa08..814e65d 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -618,8 +618,9 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook {
private void getInputHierarchyFromInputs(List<List<DBModelAuthorizable>> inputHierarchy,
Set<ReadEntity> inputs) {
for (ReadEntity readEntity: inputs) {
- // skip the tables/view that are part of expanded view definition.
- if (isChildTabForView(readEntity)) {
+ // skip the tables/view that are part of expanded view definition
+ // skip the Hive generated dummy entities created for queries like 'select <expr>'
+ if (isChildTabForView(readEntity) || isDummyEntity(readEntity)) {
continue;
}
if (readEntity.getAccessedColumns() != null && !readEntity.getAccessedColumns().isEmpty()) {
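Review bot: The new `|| isDummyEntity(readEntity)` branch in `getInputHierarchyFromInputs` exempts a read entity from authorization on Hive's `isDummy()` flag alone, so the access check is only as tight as Hive's use of that flag. If any compiler path sets it on an entity that names a real table or view, that object is read without a privilege check; confirming that the entity is the compiler's placeholder table before `continue` would keep the exemption narrow. Logging the skipped entity at debug level would also keep the bypass visible in audit trails. The comment should state why the skip is safe, for example `// Hive injects a placeholder table for from-less selects; it names no real object, so no privilege is required`. The loop body continues past the end of this hunk, and whether functions invoked in a from-less select are authorized on another path cannot be seen from here.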
@@ -829,4 +830,9 @@ hiveAuthzBinding.getAuthzConf().get(
return hooks;
}
+
+ // Check if the given entity is identified as dummy by Hive compilers.
+ private boolean isDummyEntity(Entity entity) {
+ return entity.isDummy();
+ }
}
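Review bot: The comment on `isDummyEntity` leaves out the fact that matters to a maintainer: a `true` result causes the caller to skip the Sentry authorization check for that entity. I would make it Javadoc along the lines of `/** Returns true for entities Hive flags as compiler-generated placeholders; callers skip authorization for these, so this must never be true for a real table or view. */`. The helper takes the general `Entity` type, but the only caller visible in this commit is the input loop; if output entities are meant to be covered as well, that handling is not part of this change.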
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0ca68838/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
index 7abc684..69073e0 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
@@ -19,6 +19,7 @@ package org.apache.sentry.tests.e2e.hive;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
import java.io.File;
import java.io.FileOutputStream;
@@ -490,6 +491,38 @@ public class TestPrivilegesAtTableScope extends AbstractTestWithStaticConfigurat
connection.close();
}
+ /**
+ * Test queries without from clause. Hive rewrites the queries with dummy db and table
+ * entities which should not trip authorization check.
+ * @throws Exception
+ */
+ @Test
+ public void testSelectWithoutFrom() throws Exception {
+ policyFile
+ .addRolesToGroup(USERGROUP1, "all_tab1")
+ .addPermissionsToRole("all_tab1",
+ "server=server1->db=" + DB1 + "->table=" + TBL1)
+ .addRolesToGroup(USERGROUP2, "select_tab1")
+ .addPermissionsToRole("select_tab1",
+ "server=server1->db=" + DB1 + "->table=" + TBL1)
+ .setUserGroupMapping(StaticUserGroup.getStaticMapping());
+ writePolicyFile(policyFile);
+
+ Connection connection = context.createConnection(USER1_1);
+ Statement statement = context.createStatement(connection);
+
+ // test with implicit default database
+ assertTrue(statement.executeQuery("SELECT 1 ").next());
+ assertTrue(statement.executeQuery("SELECT current_database()").next());
+
+ // test after switching database
+ statement.execute("USE " + DB1);
+ assertTrue(statement.executeQuery("SELECT 1 ").next());
+ assertTrue(statement.executeQuery("SELECT current_database() ").next());
+ statement.close();
+ connection.close();
+ }
+
// verify that the given table has data
private boolean hasData(Statement stmt, String tableName) throws Exception {
ResultSet rs1 = stmt.executeQuery("SELECT * FROM " + tableName);
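Review bot: `testSelectWithoutFrom` only asserts that the from-less queries succeed for `USER1_1`; nothing checks that a query against a table outside the user's grants is still rejected, so the test would pass unchanged if the new dummy-entity skip were too broad. Adding a denial assertion in the same session, both before and after `USE`, would pin the intended boundary. The `select_tab1` role receives the same privilege string as `all_tab1` and `USERGROUP2` is never exercised; if a select-only user was intended, the grant should read `"server=server1->db=" + DB1 + "->table=" + TBL1 + "->action=select"` and the queries be repeated as a member of that group. The `statement.close()` and `connection.close()` calls are skipped when an assertion fails, so a `try`/`finally` would stop a failing run from leaking the connection into later tests.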