You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by br...@apache.org on 2013/12/30 22:11:41 UTC
git commit: SENTRY-78 - UDFs can't be referenced in a CTAS when
Sentry is enabled for Hive (Shreepadma via Brock)
Updated Branches:
refs/heads/master 72b437564 -> c8c170324
SENTRY-78 - UDFs can't be referenced in a CTAS when Sentry is enabled for Hive (Shreepadma via Brock)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/c8c17032
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/c8c17032
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/c8c17032
Branch: refs/heads/master
Commit: c8c170324c06709e74e282b6117c0f9313a35bdb
Parents: 72b4375
Author: Brock Noland <br...@apache.org>
Authored: Mon Dec 30 15:11:22 2013 -0600
Committer: Brock Noland <br...@apache.org>
Committed: Mon Dec 30 15:11:22 2013 -0600
----------------------------------------------------------------------
.../apache/sentry/binding/hive/HiveAuthzBindingHook.java | 9 +++++++++
.../tests/e2e/hive/TestPrivilegesAtDatabaseScope.java | 4 ++++
2 files changed, 13 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c17032/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 7f9560f..0dd28b7 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -370,6 +370,15 @@ implements HiveDriverFilterHook {
}
for(ReadEntity readEntity:inputs) {
+ // If this is a UDF, then check whether its allowed to be executed
+ // TODO: when we support execute privileges on UDF, this can be removed.
+ if (isUDF(readEntity)) {
+ if (isBuiltinUDF(readEntity)) {
+ checkUDFWhiteList(readEntity.getUDF().getDisplayName());
+ }
+ continue;
+ }
+
List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>();
entityHierarchy.add(hiveAuthzBinding.getAuthServer());
entityHierarchy.addAll(getAuthzHierarchyFromEntity(readEntity));
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/c8c17032/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
index 82d73e5..8c145ca 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
@@ -107,6 +107,10 @@ public class TestPrivilegesAtDatabaseScope extends AbstractTestWithStaticConfigu
statement.execute("CREATE TABLE DB_1.TAB_2(A STRING)");
statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE DB_1.TAB_2");
+ // test CTAS can reference UDFs
+ statement.execute("USE DB_1");
+ statement.execute("create table table2 as select A, count(A) from TAB_1 GROUP BY A");
+
// test user can switch db
statement.execute("USE DB_1");
//test user can create view