git commit: SENTRY-78 - UDFs can't be referenced in a CTAS when Sentry is enabled for Hive (Shreepadma via Brock)

[br...@apache.org]

Updated Branches:
  refs/heads/master 72b437564 -> c8c170324


SENTRY-78 - UDFs can't be referenced in a CTAS when Sentry is enabled for Hive (Shreepadma via Brock)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/c8c17032
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/c8c17032
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/c8c17032

Branch: refs/heads/master
Commit: c8c170324c06709e74e282b6117c0f9313a35bdb
Parents: 72b4375
Author: Brock Noland <br...@apache.org>
Authored: Mon Dec 30 15:11:22 2013 -0600
Committer: Brock Noland <br...@apache.org>
Committed: Mon Dec 30 15:11:22 2013 -0600

----------------------------------------------------------------------
 .../apache/sentry/binding/hive/HiveAuthzBindingHook.java    | 9 +++++++++
 .../tests/e2e/hive/TestPrivilegesAtDatabaseScope.java       | 4 ++++
 2 files changed, 13 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c17032/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 7f9560f..0dd28b7 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -370,6 +370,15 @@ implements HiveDriverFilterHook {
       }
 
       for(ReadEntity readEntity:inputs) {
+      	 // If this is a UDF, then check whether its allowed to be executed
+         // TODO: when we support execute privileges on UDF, this can be removed.
+        if (isUDF(readEntity)) {
+          if (isBuiltinUDF(readEntity)) {
+            checkUDFWhiteList(readEntity.getUDF().getDisplayName());
+          }
+          continue;
+        }
+        
         List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>();
         entityHierarchy.add(hiveAuthzBinding.getAuthServer());
         entityHierarchy.addAll(getAuthzHierarchyFromEntity(readEntity));

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c17032/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
index 82d73e5..8c145ca 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
@@ -107,6 +107,10 @@ public class TestPrivilegesAtDatabaseScope extends AbstractTestWithStaticConfigu
     statement.execute("CREATE TABLE DB_1.TAB_2(A STRING)");
     statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE DB_1.TAB_2");
 
+    // test CTAS can reference UDFs
+    statement.execute("USE DB_1");
+    statement.execute("create table table2 as select A, count(A) from TAB_1 GROUP BY A");
+    
     // test user can switch db
     statement.execute("USE DB_1");
     //test user can create view