Posted to commits@hive.apache.org by th...@apache.org on 2014/08/04 06:45:49 UTC
svn commit: r1615487 - in /hive/trunk:
metastore/src/java/org/apache/hadoop/hive/metastore/
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/
ql/src/test/queries/clientnegative/ ql/src/test/results/clientnegative/
Author: thejas
Date: Mon Aug 4 04:45:49 2014
New Revision: 1615487
URL: http://svn.apache.org/r1615487
Log:
HIVE-7579 : error message for 'drop admin role' in sql std auth mode is not informative (Thejas Nair, reviewed by Jason Dere)
Added:
hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_admin_role.q
hive/trunk/ql/src/test/results/clientnegative/authorization_drop_admin_role.q.out
Modified:
hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
hive/trunk/ql/src/test/results/clientnegative/authorization_public_drop.q.out
hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
Modified: hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java?rev=1615487&r1=1615486&r2=1615487&view=diff
==============================================================================
--- hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java (original)
+++ hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java Mon Aug 4 04:45:49 2014
@@ -4008,7 +4008,7 @@ public class HiveMetaStore extends Thrif
incrementCounter("drop_role");
firePreEvent(new PreAuthorizationCallEvent(this));
if (ADMIN.equals(roleName) || PUBLIC.equals(roleName)) {
- throw new MetaException(PUBLIC + "/" + ADMIN +" role can't be dropped.");
+ throw new MetaException(PUBLIC + "," + ADMIN + " roles can't be dropped.");
}
Boolean ret = null;
try {
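Review bot: The guard `if (ADMIN.equals(roleName) || PUBLIC.equals(roleName))` is a case-sensitive exact match, while `isUserAdmin()` in SQLStdHiveAccessController (touched by this same commit) compares with `equalsIgnoreCase(HiveMetaStore.ADMIN)`. Whether `roleName` is normalized to lower case before `drop_role` is reached is not visible in this hunk, so the protection of the built-in roles may depend on every caller doing that. Either compare case-insensitively here or add a comment such as `// roleName is lower-cased by <caller>; built-in role check relies on that`. The reworded message also still omits the role that was requested; something like `"Role " + roleName + " is built-in and can't be dropped."` would be clearer in logs. The body of `drop_role` starts and ends outside the hunk.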
@@ -4078,6 +4078,7 @@ public class HiveMetaStore extends Thrif
return ret;
}
+ @Override
public GrantRevokeRoleResponse grant_revoke_role(GrantRevokeRoleRequest request)
throws MetaException, org.apache.thrift.TException {
GrantRevokeRoleResponse response = new GrantRevokeRoleResponse();
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java?rev=1615487&r1=1615486&r2=1615487&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java Mon Aug 4 04:45:49 2014
@@ -412,5 +412,8 @@ public class SQLAuthorizationUtils {
}
}
+ static HiveAuthzPluginException getPluginException(String prefix, Exception e) {
+ return new HiveAuthzPluginException(prefix + ": " + e.getMessage(), e);
+ }
}
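Review bot: `getPluginException` concatenates `e.getMessage()` unconditionally, so an exception with no message yields text like "Error dropping role: null"; a guard such as `String m = e.getMessage(); return new HiveAuthzPluginException(m == null ? prefix : prefix + ": " + m, e);` avoids that. Most call sites in SQLStdHiveAccessController catch plain `Exception`, so the helper now puts whatever message the metastore client threw into the user-visible error. That is intended for `MetaException`, but it may also expose lower-level detail from other exception types, so consider appending the message only for the expected types and relying on the chained cause otherwise. The helper has no Javadoc; a one-line comment saying that it builds a user-facing message and keeps `e` as the cause would document the contract.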
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java?rev=1615487&r1=1615486&r2=1615487&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java Mon Aug 4 04:45:49 2014
@@ -123,8 +123,8 @@ public class SQLStdHiveAccessController
}
return currentRoles;
} catch (Exception e) {
- throw new HiveAuthzPluginException("Failed to retrieve roles for " + currentUserName + ": "
- + e.getMessage(), e);
+ throw SQLAuthorizationUtils.getPluginException("Failed to retrieve roles for "
+ + currentUserName, e);
}
}
@@ -179,7 +179,7 @@ public class SQLStdHiveAccessController
try {
metastoreClient.grant_privileges(privBag);
} catch (Exception e) {
- throw new HiveAuthzPluginException("Error granting privileges: " + e.getMessage(), e);
+ throw SQLAuthorizationUtils.getPluginException("Error granting privileges", e);
}
}
@@ -239,7 +239,7 @@ public class SQLStdHiveAccessController
// that has desired behavior.
metastoreClient.revoke_privileges(new PrivilegeBag(revokePrivs), grantOption);
} catch (Exception e) {
- throw new HiveAuthzPluginException("Error revoking privileges", e);
+ throw SQLAuthorizationUtils.getPluginException("Error revoking privileges", e);
}
}
@@ -260,7 +260,7 @@ public class SQLStdHiveAccessController
metastoreClientFactory.getHiveMetastoreClient().create_role(
new Role(roleName, 0, grantorName));
} catch (TException e) {
- throw new HiveAuthzPluginException("Error create role : " + e.getMessage(), e);
+ throw SQLAuthorizationUtils.getPluginException("Error create role", e);
}
}
@@ -274,7 +274,7 @@ public class SQLStdHiveAccessController
try {
metastoreClientFactory.getHiveMetastoreClient().drop_role(roleName);
} catch (Exception e) {
- throw new HiveAuthzPluginException("Error dropping role", e);
+ throw SQLAuthorizationUtils.getPluginException("Error dropping role", e);
}
}
@@ -295,11 +295,11 @@ public class SQLStdHiveAccessController
grantorPrinc.getName(),
AuthorizationUtils.getThriftPrincipalType(grantorPrinc.getType()), grantOption);
} catch (MetaException e) {
- throw new HiveAuthzPluginException(e.getMessage(), e);
+ throw SQLAuthorizationUtils.getPluginException("Error granting role", e);
} catch (Exception e) {
String msg = "Error granting roles for " + hivePrincipal.getName() + " to role "
- + roleName + ": " + e.getMessage();
- throw new HiveAuthzPluginException(msg, e);
+ + roleName;
+ throw SQLAuthorizationUtils.getPluginException(msg, e);
}
}
}
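Review bot: The `catch (MetaException e)` branch now reports only "Error granting role", while the `catch (Exception e)` branch right below names both the principal and the role. Since both branches go through the same helper, the first could use the same context, e.g. `throw SQLAuthorizationUtils.getPluginException("Error granting role " + roleName + " to " + hivePrincipal.getName(), e);`, or the two catches could be merged if the distinction is no longer needed. Naming the principal and the role in every failed grant makes these errors easier to audit. The enclosing method begins outside the hunk.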
@@ -321,8 +321,8 @@ public class SQLStdHiveAccessController
AuthorizationUtils.getThriftPrincipalType(hivePrincipal.getType()), grantOption);
} catch (Exception e) {
String msg = "Error revoking roles for " + hivePrincipal.getName() + " to role "
- + roleName + ": " + e.getMessage();
- throw new HiveAuthzPluginException(msg, e);
+ + roleName;
+ throw SQLAuthorizationUtils.getPluginException(msg, e);
}
}
}
@@ -338,7 +338,7 @@ public class SQLStdHiveAccessController
try {
return metastoreClientFactory.getHiveMetastoreClient().listRoleNames();
} catch (Exception e) {
- throw new HiveAuthzPluginException("Error listing all roles", e);
+ throw SQLAuthorizationUtils.getPluginException("Error listing all roles", e);
}
}
@@ -353,10 +353,12 @@ public class SQLStdHiveAccessController
try {
return getHiveRoleGrants(metastoreClientFactory.getHiveMetastoreClient(), roleName);
} catch (Exception e) {
- throw new HiveAuthzPluginException("Error getting principals for all roles", e);
+ throw SQLAuthorizationUtils.getPluginException("Error getting principals for all roles", e);
}
}
+
+
public static List<HiveRoleGrant> getHiveRoleGrants(IMetaStoreClient client, String roleName)
throws Exception {
GetPrincipalsInRoleRequest request = new GetPrincipalsInRoleRequest(roleName);
@@ -435,7 +437,7 @@ public class SQLStdHiveAccessController
return resPrivInfos;
} catch (Exception e) {
- throw new HiveAuthzPluginException("Error showing privileges: "+ e.getMessage(), e);
+ throw SQLAuthorizationUtils.getPluginException("Error showing privileges", e);
}
}
@@ -550,11 +552,7 @@ public class SQLStdHiveAccessController
*/
boolean isUserAdmin() throws HiveAuthzPluginException {
List<HiveRoleGrant> roles;
- try {
- roles = getCurrentRoles();
- } catch (Exception e) {
- throw new HiveAuthzPluginException(e);
- }
+ roles = getCurrentRoles();
for (HiveRoleGrant role : roles) {
if (role.getRoleName().equalsIgnoreCase(HiveMetaStore.ADMIN)) {
return true;
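Review bot: With the try/catch removed, the split declaration and assignment in `isUserAdmin()` no longer serves a purpose and can be written as `List<HiveRoleGrant> roles = getCurrentRoles();`. The same applies to `currentRoles` in `doesUserHasAdminOption` in the next hunk. This is style only. The method body continues past the end of the hunk.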
@@ -565,11 +563,7 @@ public class SQLStdHiveAccessController
private boolean doesUserHasAdminOption(List<String> roleNames) throws HiveAuthzPluginException {
List<HiveRoleGrant> currentRoles;
- try {
- currentRoles = getCurrentRoles();
- } catch (Exception e) {
- throw new HiveAuthzPluginException(e);
- }
+ currentRoles = getCurrentRoles();
for (String roleName : roleNames) {
boolean roleFound = false;
for (HiveRoleGrant currentRole : currentRoles) {
@@ -606,8 +600,8 @@ public class SQLStdHiveAccessController
}
return hiveRoleGrants;
} catch (Exception e) {
- throw new HiveAuthzPluginException("Error getting role grant information for user "
- + principal.getName() + ": " + e.getMessage(), e);
+ throw SQLAuthorizationUtils.getPluginException("Error getting role grant information for user "
+ + principal.getName(), e);
}
}
Added: hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_admin_role.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_admin_role.q?rev=1615487&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_admin_role.q (added)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_admin_role.q Mon Aug 4 04:45:49 2014
@@ -0,0 +1,5 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+set role admin;
+drop role admin;
Added: hive/trunk/ql/src/test/results/clientnegative/authorization_drop_admin_role.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_drop_admin_role.q.out?rev=1615487&view=auto
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_drop_admin_role.q.out (added)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_drop_admin_role.q.out Mon Aug 4 04:45:49 2014
@@ -0,0 +1,7 @@
+PREHOOK: query: set role admin
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role admin
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: drop role admin
+PREHOOK: type: DROPROLE
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error dropping role: public,admin roles can't be dropped.
Modified: hive/trunk/ql/src/test/results/clientnegative/authorization_public_drop.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_public_drop.q.out?rev=1615487&r1=1615486&r2=1615487&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_public_drop.q.out (original)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_public_drop.q.out Mon Aug 4 04:45:49 2014
@@ -1,3 +1,3 @@
PREHOOK: query: drop role PUBLIC
PREHOOK: type: DROPROLE
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:public/admin role can't be dropped.)
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:public,admin roles can't be dropped.)
Modified: hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out?rev=1615487&r1=1615486&r2=1615487&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out (original)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out Mon Aug 4 04:45:49 2014
@@ -19,4 +19,4 @@ POSTHOOK: type: GRANT_ROLE
PREHOOK: query: -- this will create a cycle
grant role role2 to role role1
PREHOOK: type: GRANT_ROLE
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Cannot grant role role1 to role2 as role2 already belongs to the role role1. (no cycles allowed)
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error granting role: Cannot grant role role1 to role2 as role2 already belongs to the role role1. (no cycles allowed)
Modified: hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out?rev=1615487&r1=1615486&r2=1615487&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out (original)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out Mon Aug 4 04:45:49 2014
@@ -45,4 +45,4 @@ POSTHOOK: type: GRANT_ROLE
PREHOOK: query: -- this will create a cycle in middle of the hierarchy
grant role role2 to role role4
PREHOOK: type: GRANT_ROLE
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Cannot grant role role4 to role2 as role2 already belongs to the role role4. (no cycles allowed)
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error granting role: Cannot grant role role4 to role2 as role2 already belongs to the role role4. (no cycles allowed)