Posted to commits@hive.apache.org by kh...@apache.org on 2014/05/09 01:38:12 UTC
svn commit: r1593461 - in /hive/branches/branch-0.13:
metastore/src/java/org/apache/hadoop/hive/metastore/
ql/src/test/queries/clientpositive/ ql/src/test/results/clientpositive/
Author: khorgath
Date: Thu May 8 23:38:11 2014
New Revision: 1593461
URL: http://svn.apache.org/r1593461
Log:
HIVE-6985 : sql std auth - privileges grants to public role not being honored (Thejas M Nair, reviewed by Ashutosh Chauhan)
Added:
hive/branches/branch-0.13/ql/src/test/queries/clientpositive/authorization_grant_public_role.q
hive/branches/branch-0.13/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out
Modified:
hive/branches/branch-0.13/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
hive/branches/branch-0.13/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java
Modified: hive/branches/branch-0.13/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java?rev=1593461&r1=1593460&r2=1593461&view=diff
==============================================================================
--- hive/branches/branch-0.13/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java (original)
+++ hive/branches/branch-0.13/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java Thu May 8 23:38:11 2014
@@ -42,7 +42,6 @@ import java.util.Map.Entry;
import java.util.Properties;
import java.util.Set;
import java.util.Timer;
-import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.locks.Condition;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
@@ -4002,8 +4001,6 @@ public class HiveMetaStore extends Thrif
result.add(role);
}
}
- // all users by default belongs to public role
- result.add(new Role(PUBLIC,0,PUBLIC));
return result;
} catch (MetaException e) {
throw e;
@@ -4912,9 +4909,6 @@ public class HiveMetaStore extends Thrif
}
List<RolePrincipalGrant> roleGrantsList = getRolePrincipalGrants(roleMaps);
- // all users by default belongs to public role
- roleGrantsList.add(new RolePrincipalGrant(PUBLIC, request.getPrincipal_name(), request
- .getPrincipal_type(), false, 0, null, null));
return new GetRoleGrantsForPrincipalResponse(roleGrantsList);
}
@@ -4934,7 +4928,9 @@ public class HiveMetaStore extends Thrif
roleMap.getGrantOption(),
roleMap.getAddTime(),
roleMap.getGrantor(),
- PrincipalType.valueOf(roleMap.getGrantorType())
+ // no grantor type for public role, hence the null check
+ roleMap.getGrantorType() == null ? null
+ : PrincipalType.valueOf(roleMap.getGrantorType())
);
rolePrinGrantList.add(rolePrinGrant);
}
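Review bot: The new null branch around `PrincipalType.valueOf(roleMap.getGrantorType())` accepts a missing grantor type for every role map, not only for the implicit public role the comment names. A stored grant whose grantor type is unexpectedly null would now pass through silently, and consumers of `RolePrincipalGrant` receive a null grantor type they did not see before. The comment should state that contract, for example `// grantorType may be null (e.g. the implicit public role); callers must tolerate a null grantor type`. If only the public entry is meant to be exempt, the null branch could also check the role name against `PUBLIC`. The enclosing method starts outside this hunk, so how the role name is read there is not visible.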
Modified: hive/branches/branch-0.13/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java?rev=1593461&r1=1593460&r2=1593461&view=diff
==============================================================================
--- hive/branches/branch-0.13/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java (original)
+++ hive/branches/branch-0.13/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java Thu May 8 23:38:11 2014
@@ -3235,7 +3235,20 @@ public class ObjectStore implements RawS
rollbackTransaction();
}
}
+
+ if (principalType == PrincipalType.USER) {
+ // All users belong to public role implicitly, add that role
+ if (mRoleMember == null) {
+ mRoleMember = new ArrayList<MRoleMap>();
+ } else {
+ mRoleMember = new ArrayList<MRoleMap>(mRoleMember);
+ }
+ MRole publicRole = new MRole(HiveMetaStore.PUBLIC, 0, HiveMetaStore.PUBLIC);
+ mRoleMember.add(new MRoleMap(principalName, principalType.toString(), publicRole, 0,
+ null, null, false));
+ }
return mRoleMember;
+
}
@SuppressWarnings("unchecked")
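Review bot: The implicit public membership is appended after the transaction's cleanup block, whatever the lookup's outcome. When `mRoleMember` is still null, which looks like the rolled-back path (the start of the method is outside this hunk), the caller gets a one-element list instead of null. A failed lookup then becomes indistinguishable from a user who holds no explicit roles, so it is worth confirming that the failure path cannot reach this block, or adding the entry only after a successful commit. The added `MRoleMap` and `MRole` are also synthetic objects with a null grantor and grantor type that were never stored. The existing comment could say so, for example `// synthetic, non-persisted entry for the implicit public role; grantor and grantorType are null, callers must not treat it as a stored grant`.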
Added: hive/branches/branch-0.13/ql/src/test/queries/clientpositive/authorization_grant_public_role.q
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/ql/src/test/queries/clientpositive/authorization_grant_public_role.q?rev=1593461&view=auto
==============================================================================
--- hive/branches/branch-0.13/ql/src/test/queries/clientpositive/authorization_grant_public_role.q (added)
+++ hive/branches/branch-0.13/ql/src/test/queries/clientpositive/authorization_grant_public_role.q Thu May 8 23:38:11 2014
@@ -0,0 +1,18 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+
+set user.name=user1;
+-- current user has been set (comment line before the set cmd is resulting in parse error!!)
+
+CREATE TABLE t_gpr1(i int);
+
+-- all privileges should have been set for user
+
+GRANT ALL ON t_gpr1 TO ROLE public;
+
+SHOW GRANT ON TABLE t_gpr1;
+
+set user.name=user2;
+SHOW CURRENT ROLES;
+-- user2 should be able to do a describe table, as pubic is in the current roles
+DESC t_gpr1;
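Review bot: This test covers only the positive path: after `GRANT ALL ON t_gpr1 TO ROLE public`, user2's `DESC t_gpr1` succeeds, but nothing checks that a privilege not granted to public is still refused. Because the fix changes how every user's role list is built, a companion clientnegative case would pin the boundary: grant only SELECT to public and confirm that a write by user2 is rejected. Granting `ALL` is also broader than the `DESC` check appears to need. The comment above the final statement misspells the role name; it should read `-- user2 should be able to do a describe table, as public is in the current roles`.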
Added: hive/branches/branch-0.13/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out?rev=1593461&view=auto
==============================================================================
--- hive/branches/branch-0.13/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out (added)
+++ hive/branches/branch-0.13/ql/src/test/results/clientpositive/authorization_grant_public_role.q.out Thu May 8 23:38:11 2014
@@ -0,0 +1,48 @@
+PREHOOK: query: -- current user has been set (comment line before the set cmd is resulting in parse error!!)
+
+CREATE TABLE t_gpr1(i int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+POSTHOOK: query: -- current user has been set (comment line before the set cmd is resulting in parse error!!)
+
+CREATE TABLE t_gpr1(i int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@t_gpr1
+PREHOOK: query: -- all privileges should have been set for user
+
+GRANT ALL ON t_gpr1 TO ROLE public
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@t_gpr1
+POSTHOOK: query: -- all privileges should have been set for user
+
+GRANT ALL ON t_gpr1 TO ROLE public
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@t_gpr1
+PREHOOK: query: SHOW GRANT ON TABLE t_gpr1
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: SHOW GRANT ON TABLE t_gpr1
+POSTHOOK: type: SHOW_GRANT
+default t_gpr1 public ROLE DELETE false -1 user1
+default t_gpr1 public ROLE INSERT false -1 user1
+default t_gpr1 public ROLE SELECT false -1 user1
+default t_gpr1 public ROLE UPDATE false -1 user1
+default t_gpr1 user1 USER DELETE true -1 user1
+default t_gpr1 user1 USER INSERT true -1 user1
+default t_gpr1 user1 USER SELECT true -1 user1
+default t_gpr1 user1 USER UPDATE true -1 user1
+PREHOOK: query: SHOW CURRENT ROLES
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: SHOW CURRENT ROLES
+POSTHOOK: type: SHOW_ROLES
+public
+
+PREHOOK: query: -- user2 should be able to do a describe table, as pubic is in the current roles
+DESC t_gpr1
+PREHOOK: type: DESCTABLE
+PREHOOK: Input: default@t_gpr1
+POSTHOOK: query: -- user2 should be able to do a describe table, as pubic is in the current roles
+DESC t_gpr1
+POSTHOOK: type: DESCTABLE
+POSTHOOK: Input: default@t_gpr1
+i int