You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hive.apache.org by ha...@apache.org on 2014/04/05 00:48:43 UTC
svn commit: r1584934 - in /hive/branches/branch-0.13/ql/src:
java/org/apache/hadoop/hive/ql/processors/
test/org/apache/hadoop/hive/ql/processors/ test/queries/clientnegative/
test/results/clientnegative/
Author: hashutosh
Date: Fri Apr 4 22:48:42 2014
New Revision: 1584934
URL: http://svn.apache.org/r1584934
Log:
HIVE-6827 : Disable insecure commands with std sql auth (Ashutosh Chauhan via Thejas Nair)
Added:
hive/branches/branch-0.13/ql/src/test/queries/clientnegative/authorization_addjar.q
hive/branches/branch-0.13/ql/src/test/results/clientnegative/authorization_addjar.q.out
Modified:
hive/branches/branch-0.13/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java
hive/branches/branch-0.13/ql/src/test/org/apache/hadoop/hive/ql/processors/TestCommandProcessorFactory.java
Modified: hive/branches/branch-0.13/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java?rev=1584934&r1=1584933&r2=1584934&view=diff
==============================================================================
--- hive/branches/branch-0.13/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java (original)
+++ hive/branches/branch-0.13/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java Fri Apr 4 22:48:42 2014
@@ -28,7 +28,10 @@ import java.util.Map;
import java.util.Set;
import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
import org.apache.hadoop.hive.ql.Driver;
+import org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
import org.apache.hadoop.hive.ql.session.SessionState;
/**
@@ -58,8 +61,18 @@ public final class CommandProcessorFacto
conf = new HiveConf();
}
Set<String> availableCommands = new HashSet<String>();
- for (String availableCommand : conf.getVar(HiveConf.ConfVars.HIVE_SECURITY_COMMAND_WHITELIST).split(",")) {
- availableCommands.add(availableCommand.toLowerCase().trim());
+ if (!HiveAuthorizerFactory.class.isAssignableFrom
+ (conf.getClass(ConfVars.HIVE_AUTHORIZATION_MANAGER.varname,DefaultHiveAuthorizationProvider.class))) {
+ // we are not on authV2, add processors.
+ for (String availableCommand : conf.getVar(HiveConf.ConfVars.HIVE_SECURITY_COMMAND_WHITELIST).split(",")) {
+ availableCommands.add(availableCommand.toLowerCase().trim());
+ }
+ }
+
+ if (conf.getBoolVar(ConfVars.HIVE_IN_TEST)) {
+ // because test case uses these.
+ availableCommands.add("set");
+ availableCommands.add("dfs");
}
if (!availableCommands.contains(cmd[0].trim().toLowerCase())) {
throw new SQLException("Insufficient privileges to execute " + cmd[0], "42000");
Modified: hive/branches/branch-0.13/ql/src/test/org/apache/hadoop/hive/ql/processors/TestCommandProcessorFactory.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/ql/src/test/org/apache/hadoop/hive/ql/processors/TestCommandProcessorFactory.java?rev=1584934&r1=1584933&r2=1584934&view=diff
==============================================================================
--- hive/branches/branch-0.13/ql/src/test/org/apache/hadoop/hive/ql/processors/TestCommandProcessorFactory.java (original)
+++ hive/branches/branch-0.13/ql/src/test/org/apache/hadoop/hive/ql/processors/TestCommandProcessorFactory.java Fri Apr 4 22:48:42 2014
@@ -23,6 +23,7 @@ import java.sql.SQLException;
import junit.framework.Assert;
import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.junit.Before;
import org.junit.Test;
@@ -54,6 +55,7 @@ public class TestCommandProcessorFactory
String cmd = command.name().toLowerCase();
Assert.assertNotNull("Cmd " + cmd + " not return null", CommandProcessorFactory.getForHiveCommand(new String[]{cmd}, conf));
}
+ conf.setBoolVar(ConfVars.HIVE_IN_TEST, false);
conf.set(HiveConf.ConfVars.HIVE_SECURITY_COMMAND_WHITELIST.toString(), "");
for (HiveCommand command : HiveCommand.values()) {
String cmd = command.name();
@@ -65,5 +67,6 @@ public class TestCommandProcessorFactory
Assert.assertEquals("42000", e.getSQLState());
}
}
+ conf.setBoolVar(ConfVars.HIVE_IN_TEST, true);
}
}
Added: hive/branches/branch-0.13/ql/src/test/queries/clientnegative/authorization_addjar.q
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/ql/src/test/queries/clientnegative/authorization_addjar.q?rev=1584934&view=auto
==============================================================================
--- hive/branches/branch-0.13/ql/src/test/queries/clientnegative/authorization_addjar.q (added)
+++ hive/branches/branch-0.13/ql/src/test/queries/clientnegative/authorization_addjar.q Fri Apr 4 22:48:42 2014
@@ -0,0 +1,3 @@
+set hive.security.authorization.enabled=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+add jar ${system:maven.local.repository}/org/apache/hive/hcatalog/hive-hcatalog-core/${system:hive.version}/hive-hcatalog-core-${system:hive.version}.jar;
Added: hive/branches/branch-0.13/ql/src/test/results/clientnegative/authorization_addjar.q.out
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.13/ql/src/test/results/clientnegative/authorization_addjar.q.out?rev=1584934&view=auto
==============================================================================
--- hive/branches/branch-0.13/ql/src/test/results/clientnegative/authorization_addjar.q.out (added)
+++ hive/branches/branch-0.13/ql/src/test/results/clientnegative/authorization_addjar.q.out Fri Apr 4 22:48:42 2014
@@ -0,0 +1 @@
+Failed processing command add Insufficient privileges to execute add