You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hive.apache.org by we...@apache.org on 2017/02/24 19:53:24 UTC
hive git commit: HIVE-16028 : Fail UPDATE/DELETE/MERGE queries when
Ranger authorization manager is used (Wei Zheng, reviewed by Pengcheng Xiong)
Repository: hive
Updated Branches:
refs/heads/master 9602a2f60 -> 8449304eb
HIVE-16028 : Fail UPDATE/DELETE/MERGE queries when Ranger authorization manager is used (Wei Zheng, reviewed by Pengcheng Xiong)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/8449304e
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/8449304e
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/8449304e
Branch: refs/heads/master
Commit: 8449304eb241f153f3f11ae93d76b8114f793486
Parents: 9602a2f
Author: Wei Zheng <we...@apache.org>
Authored: Fri Feb 24 11:53:09 2017 -0800
Committer: Wei Zheng <we...@apache.org>
Committed: Fri Feb 24 11:53:09 2017 -0800
----------------------------------------------------------------------
...SQLStdHiveAuthorizationValidatorForTest.java | 3 +
.../hadoop/hive/ql/parse/SemanticAnalyzer.java | 10 ++--
.../clientpositive/masking_acid_no_masking.q | 22 +++++++
.../masking_acid_no_masking.q.out | 61 ++++++++++++++++++++
4 files changed, 91 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hive/blob/8449304e/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java
----------------------------------------------------------------------
diff --git a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java
index 41dd966..4003274 100644
--- a/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java
+++ b/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidatorForTest.java
@@ -135,6 +135,9 @@ public class SQLStdHiveAuthorizationValidatorForTest extends SQLStdHiveAuthoriza
privObj
.setRowFilterExpression("key in (select key from src where src.key = masking_test_subq.key)");
needRewritePrivObjs.add(privObj);
+ } else if (privObj.getObjectName().equals("masking_acid_no_masking")) {
+ // testing acid usage when no masking/filtering is present
+ needRewritePrivObjs.add(privObj);
}
}
return needRewritePrivObjs;
http://git-wip-us.apache.org/repos/asf/hive/blob/8449304e/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
index 2430811..f765d99 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
@@ -10818,14 +10818,14 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer {
.applyRowFilterAndColumnMasking(basicPrivObjs);
if (needRewritePrivObjs != null && !needRewritePrivObjs.isEmpty()) {
for (HivePrivilegeObject privObj : needRewritePrivObjs) {
- // We don't support masking/filtering against ACID query at the moment
- if (ctx.getIsUpdateDeleteMerge()) {
- throw new SemanticException(ErrorMsg.MASKING_FILTERING_ON_ACID_NOT_SUPPORTED,
- privObj.getDbname(), privObj.getObjectName());
- }
MaskAndFilterInfo info = basicInfos.get(privObj);
String replacementText = tableMask.create(privObj, info);
if (replacementText != null) {
+ // We don't support masking/filtering against ACID query at the moment
+ if (ctx.getIsUpdateDeleteMerge()) {
+ throw new SemanticException(ErrorMsg.MASKING_FILTERING_ON_ACID_NOT_SUPPORTED,
+ privObj.getDbname(), privObj.getObjectName());
+ }
tableMask.setNeedsRewrite(true);
tableMask.addTranslation(info.astNode, replacementText);
}
http://git-wip-us.apache.org/repos/asf/hive/blob/8449304e/ql/src/test/queries/clientpositive/masking_acid_no_masking.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientpositive/masking_acid_no_masking.q b/ql/src/test/queries/clientpositive/masking_acid_no_masking.q
new file mode 100644
index 0000000..2d19826
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/masking_acid_no_masking.q
@@ -0,0 +1,22 @@
+-- Simulate the case for org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory,
+-- when all tables are marked eligible for masking. This shouldn't break any ACID operations.
+
+set hive.mapred.mode=nonstrict;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.support.concurrency=true;
+set hive.txn.manager=org.apache.hadoop.hive.ql.lockmgr.DbTxnManager;
+
+create table nonacid (key int, value string) stored as orc;
+
+create table masking_acid_no_masking (key int, value string)
+clustered by (value) into 2 buckets stored as orc
+tblproperties ("transactional"="true");
+
+update masking_acid_no_masking set key=1 where value='ddd';
+
+delete from masking_acid_no_masking where value='ddd';
+
+MERGE INTO masking_acid_no_masking as t using nonacid as s ON t.key = s.key
+WHEN MATCHED AND s.key < 5 THEN DELETE
+WHEN MATCHED AND s.key < 3 THEN UPDATE set key = 1
+WHEN NOT MATCHED THEN INSERT VALUES (s.key, s.value);
http://git-wip-us.apache.org/repos/asf/hive/blob/8449304e/ql/src/test/results/clientpositive/masking_acid_no_masking.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientpositive/masking_acid_no_masking.q.out b/ql/src/test/results/clientpositive/masking_acid_no_masking.q.out
new file mode 100644
index 0000000..77f659f
--- /dev/null
+++ b/ql/src/test/results/clientpositive/masking_acid_no_masking.q.out
@@ -0,0 +1,61 @@
+PREHOOK: query: create table nonacid (key int, value string) stored as orc
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+PREHOOK: Output: default@nonacid
+POSTHOOK: query: create table nonacid (key int, value string) stored as orc
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@nonacid
+PREHOOK: query: create table masking_acid_no_masking (key int, value string)
+clustered by (value) into 2 buckets stored as orc
+tblproperties ("transactional"="true")
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+PREHOOK: Output: default@masking_acid_no_masking
+POSTHOOK: query: create table masking_acid_no_masking (key int, value string)
+clustered by (value) into 2 buckets stored as orc
+tblproperties ("transactional"="true")
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@masking_acid_no_masking
+PREHOOK: query: update masking_acid_no_masking set key=1 where value='ddd'
+PREHOOK: type: QUERY
+PREHOOK: Input: default@masking_acid_no_masking
+PREHOOK: Output: default@masking_acid_no_masking
+POSTHOOK: query: update masking_acid_no_masking set key=1 where value='ddd'
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@masking_acid_no_masking
+POSTHOOK: Output: default@masking_acid_no_masking
+PREHOOK: query: delete from masking_acid_no_masking where value='ddd'
+PREHOOK: type: QUERY
+PREHOOK: Input: default@masking_acid_no_masking
+PREHOOK: Output: default@masking_acid_no_masking
+POSTHOOK: query: delete from masking_acid_no_masking where value='ddd'
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@masking_acid_no_masking
+POSTHOOK: Output: default@masking_acid_no_masking
+PREHOOK: query: MERGE INTO masking_acid_no_masking as t using nonacid as s ON t.key = s.key
+WHEN MATCHED AND s.key < 5 THEN DELETE
+WHEN MATCHED AND s.key < 3 THEN UPDATE set key = 1
+WHEN NOT MATCHED THEN INSERT VALUES (s.key, s.value)
+PREHOOK: type: QUERY
+PREHOOK: Input: default@masking_acid_no_masking
+PREHOOK: Input: default@nonacid
+PREHOOK: Output: default@masking_acid_no_masking
+PREHOOK: Output: default@masking_acid_no_masking
+PREHOOK: Output: default@masking_acid_no_masking
+PREHOOK: Output: default@merge_tmp_table
+POSTHOOK: query: MERGE INTO masking_acid_no_masking as t using nonacid as s ON t.key = s.key
+WHEN MATCHED AND s.key < 5 THEN DELETE
+WHEN MATCHED AND s.key < 3 THEN UPDATE set key = 1
+WHEN NOT MATCHED THEN INSERT VALUES (s.key, s.value)
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@masking_acid_no_masking
+POSTHOOK: Input: default@nonacid
+POSTHOOK: Output: default@masking_acid_no_masking
+POSTHOOK: Output: default@masking_acid_no_masking
+POSTHOOK: Output: default@masking_acid_no_masking
+POSTHOOK: Output: default@merge_tmp_table
+POSTHOOK: Lineage: masking_acid_no_masking.key SIMPLE [(nonacid)s.FieldSchema(name:key, type:int, comment:null), ]
+POSTHOOK: Lineage: masking_acid_no_masking.value SIMPLE [(nonacid)s.FieldSchema(name:value, type:string, comment:null), ]
+POSTHOOK: Lineage: merge_tmp_table.val EXPRESSION [(masking_acid_no_masking)t.FieldSchema(name:ROW__ID, type:struct<transactionId:bigint,bucketId:int,rowId:bigint>, comment:), ]