Posted to commits@sentry.apache.org by pr...@apache.org on 2015/04/02 00:07:10 UTC

incubator-sentry git commit: SENTRY-687: Handle authorization for 'select ' hive queries (Yibing Shi via Prasad Mujumdar)

Repository: incubator-sentry
Updated Branches:
  refs/heads/master 80dc59287 -> 0ca688383


SENTRY-687: Handle authorization for 'select <expr>' hive queries (Yibing Shi via Prasad Mujumdar)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/0ca68838
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/0ca68838
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/0ca68838

Branch: refs/heads/master
Commit: 0ca68838338ff1418495a442249323c7da0ccbba
Parents: 80dc592
Author: Prasad Mujumdar <pr...@apache.org>
Authored: Wed Apr 1 15:06:07 2015 -0700
Committer: Prasad Mujumdar <pr...@apache.org>
Committed: Wed Apr 1 15:06:07 2015 -0700

----------------------------------------------------------------------
 .../binding/hive/HiveAuthzBindingHook.java      | 10 ++++--
 .../e2e/hive/TestPrivilegesAtTableScope.java    | 33 ++++++++++++++++++++
 2 files changed, 41 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0ca68838/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 48afa08..814e65d 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -618,8 +618,9 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook {
   private void getInputHierarchyFromInputs(List<List<DBModelAuthorizable>> inputHierarchy,
       Set<ReadEntity> inputs) {
     for (ReadEntity readEntity: inputs) {
-      // skip the tables/view that are part of expanded view definition.
-      if (isChildTabForView(readEntity)) {
+      // skip the tables/view that are part of expanded view definition
+      // skip the Hive generated dummy entities created for queries like 'select <expr>'
+      if (isChildTabForView(readEntity) || isDummyEntity(readEntity)) {
         continue;
       }
       if (readEntity.getAccessedColumns() != null && !readEntity.getAccessedColumns().isEmpty()) {
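Review bot: The new `isDummyEntity(readEntity)` branch drops an input from the privilege check silently, and it relies entirely on a flag that Hive sets on the entity. Because this is an authorization exemption, the skip should leave a trace for anyone auditing why a query was allowed, for example `LOG.debug("Skipping authorization for Hive dummy entity " + readEntity.getName());` (assuming the class already has a logger; none is visible in this hunk). With the dummy input skipped, a `select <expr>` query presumably contributes nothing to `inputHierarchy`, so any restriction on the functions such an expression may call must be enforced elsewhere in the hook; please confirm that path still runs for these queries. The body of `getInputHierarchyFromInputs` continues past the end of this hunk.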
@@ -829,4 +830,9 @@ hiveAuthzBinding.getAuthzConf().get(
 
     return hooks;
   }
+
+  // Check if the given entity is identified as dummy by Hive compilers.
+  private boolean isDummyEntity(Entity entity) {
+    return entity.isDummy();
+  }
 }
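Review bot: The comment on `isDummyEntity` describes the Hive flag but not what a true result means here, which is that the caller excludes the entity from the authorization check. I would make it Javadoc and state that consequence: `/** Returns true for the placeholder entity Hive generates for queries without a FROM clause; such entities are skipped by authorization, so this must never match a real table or view. */`. The context lines at the top of this hunk belong to a different method whose start is outside the hunk.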

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0ca68838/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
index 7abc684..69073e0 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
@@ -19,6 +19,7 @@ package org.apache.sentry.tests.e2e.hive;
 
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
 
 import java.io.File;
 import java.io.FileOutputStream;
@@ -490,6 +491,38 @@ public class TestPrivilegesAtTableScope extends AbstractTestWithStaticConfigurat
     connection.close();
   }
 
+  /**
+   * Test queries without from clause. Hive rewrites the queries with dummy db and table
+   * entities which should not trip authorization check.
+   * @throws Exception
+   */
+  @Test
+  public void testSelectWithoutFrom() throws Exception {
+    policyFile
+        .addRolesToGroup(USERGROUP1, "all_tab1")
+        .addPermissionsToRole("all_tab1",
+            "server=server1->db=" + DB1 + "->table=" + TBL1)
+        .addRolesToGroup(USERGROUP2, "select_tab1")
+        .addPermissionsToRole("select_tab1",
+            "server=server1->db=" + DB1 + "->table=" + TBL1)
+        .setUserGroupMapping(StaticUserGroup.getStaticMapping());
+    writePolicyFile(policyFile);
+
+    Connection connection = context.createConnection(USER1_1);
+    Statement statement = context.createStatement(connection);
+
+    // test with implicit default database
+    assertTrue(statement.executeQuery("SELECT 1 ").next());
+    assertTrue(statement.executeQuery("SELECT current_database()").next());
+
+    // test after switching database
+    statement.execute("USE " + DB1);
+    assertTrue(statement.executeQuery("SELECT 1 ").next());
+    assertTrue(statement.executeQuery("SELECT current_database() ").next());
+    statement.close();
+    connection.close();
+  }
+
   // verify that the given table has data
   private boolean hasData(Statement stmt, String tableName) throws Exception {
     ResultSet rs1 = stmt.executeQuery("SELECT * FROM " + tableName);
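Review bot: `testSelectWithoutFrom` only asserts that the exempted queries succeed, so it would still pass if the dummy-entity skip accidentally widened access. A negative assertion in the same test, using the suite's existing authorization-failure check on a table that USER1_1 has no grant for, would pin that the exemption stays limited to FROM-less queries. The `select_tab1` role is also given the same unrestricted table privilege as `all_tab1`, and no USERGROUP2 user is ever connected. If a select-only role was intended, the grant would read `"server=server1->db=" + DB1 + "->table=" + TBL1 + "->action=select"`, and the queries should then be run again as a user from that group. `statement` and `connection` are closed only on the success path, so a failed `assertTrue` leaves them open.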