Posted to commits@sentry.apache.org by sr...@apache.org on 2014/09/29 13:41:54 UTC
git commit: SENTRY-472: Hive binding should validate URI privileges
on permanent function resource URI (Prasad Mujumdar via Sravya Tirukkovalur)
Repository: incubator-sentry
Updated Branches:
refs/heads/master 2982e3d1c -> 977d69f22
SENTRY-472: Hive binding should validate URI privileges on permanent function resource URI (Prasad Mujumdar via Sravya Tirukkovalur)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/977d69f2
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/977d69f2
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/977d69f2
Branch: refs/heads/master
Commit: 977d69f2263ba6d8c6866fc07153485ab62cc54e
Parents: 2982e3d
Author: Sravya Tirukkovalur <sr...@clouera.com>
Authored: Mon Sep 29 17:11:27 2014 +0530
Committer: Sravya Tirukkovalur <sr...@clouera.com>
Committed: Mon Sep 29 17:11:27 2014 +0530
----------------------------------------------------------------------
.../binding/hive/HiveAuthzBindingHook.java | 6 +++
.../hive/authz/HiveAuthzPrivilegesMap.java | 1 +
.../e2e/hive/TestPrivilegesAtFunctionScope.java | 52 ++++++++++++++++++--
3 files changed, 54 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/977d69f2/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index f872ea2..f94ae7c 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -504,6 +504,12 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook {
udfUriHierarchy.add(hiveAuthzBinding.getAuthServer());
udfUriHierarchy.add(udfURI);
inputHierarchy.add(udfUriHierarchy);
+ for (WriteEntity writeEntity : outputs) {
+ List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>();
+ entityHierarchy.add(hiveAuthzBinding.getAuthServer());
+ entityHierarchy.addAll(getAuthzHierarchyFromEntity(writeEntity));
+ outputHierarchy.add(entityHierarchy);
+ }
}
outputHierarchy.add(connectHierarchy);
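Review bot: The new loop adds a hierarchy for every WriteEntity in `outputs` without looking at the entity type, so whatever Hive reports as an output of CREATE FUNCTION is authorized under the output privileges this commit declares (only `AuthorizableType.URI` in HiveAuthzPrivilegesMap); if a non-URI entity can reach this loop, how it is matched should be confirmed rather than assumed. The intent that a permanent function's `USING FILE` resource must be covered by the caller's URI privilege is not stated in the code; a comment above the loop such as `// Resource URIs of a permanent function (CREATE FUNCTION ... USING FILE) arrive as write entities; the caller needs URI privilege on each` would make the security check visible to the next reader. Because enforcement depends entirely on Hive populating `outputs`, and the test in this same commit cites HIVE-8266 as a case where that does not yet happen, that dependency is worth noting here as well. The enclosing method starts and ends outside the hunk.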
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/977d69f2/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index 2f97e30..cc236f4 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -172,6 +172,7 @@ public class HiveAuthzPrivilegesMap {
DBModelAction.ALTER, DBModelAction.CREATE, DBModelAction.DROP, DBModelAction.DROP,
DBModelAction.INDEX, DBModelAction.LOCK)).
addInputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)). //TODO: make them ||
+ addOutputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)).
setOperationScope(HiveOperationScope.CONNECT).
setOperationType(HiveOperationType.QUERY).
build();
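Review bot: The added `addOutputObjectPriviledge` line requires `DBModelAction.ALL` on the URI, mirroring the input line above it, but that line carries a `//TODO: make them ||` comment that the new line does not inherit; either repeat the TODO or reword the existing one to cover both lines. Requiring ALL means a user granted a narrower URI action is denied on `CREATE FUNCTION ... USING FILE`; if that is the intended policy it deserves a comment saying so. Unrelated to the change but visible in the hunk's context, `DBModelAction.DROP` appears twice in the EnumSet at the top of the hunk.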
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/977d69f2/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
index f1f64e6..8325a5c 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
@@ -17,7 +17,6 @@ printf_test_3 * Licensed to the Apache Software Foundation (ASF) under one or mo
package org.apache.sentry.tests.e2e.hive;
-import org.apache.sentry.provider.file.PolicyFile;
import static org.junit.Assert.assertFalse;
import java.io.File;
@@ -27,6 +26,7 @@ import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
+import org.apache.sentry.provider.file.PolicyFile;
import org.junit.Before;
import org.junit.Test;
@@ -79,12 +79,13 @@ public class TestPrivilegesAtFunctionScope extends AbstractTestWithStaticConfigu
context.close();
policyFile
- .addRolesToGroup(USERGROUP1, "db1_all", "UDF_JAR")
+ .addRolesToGroup(USERGROUP1, "db1_all", "UDF_JAR", "data_read")
.addRolesToGroup(USERGROUP2, "db1_tab1", "UDF_JAR")
.addRolesToGroup(USERGROUP3, "db1_tab1")
.addPermissionsToRole("db1_all", "server=server1->db=" + DB1)
.addPermissionsToRole("db1_tab1", "server=server1->db=" + DB1 + "->table=" + tableName1)
- .addPermissionsToRole("UDF_JAR", "server=server1->uri=file://" + udfLocation);
+ .addPermissionsToRole("UDF_JAR", "server=server1->uri=file://" + udfLocation)
+ .addPermissionsToRole("data_read", "server=server1->URI=file://" + dataFile.getPath());
writePolicyFile(policyFile);
// user1 should be able create/drop temp functions
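Review bot: The new `data_read` permission on the last added line spells the key as `URI=` while the `UDF_JAR` line directly above uses `uri=`; if the policy grammar is case-sensitive this role grants nothing, and the positive `using file` test added later in this file could only pass if the new output-URI check were not actually enforced. Use `.addPermissionsToRole("data_read", "server=server1->uri=file://" + dataFile.getPath());` for consistency with the existing lines. The enclosing test method starts and ends outside the hunk.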
@@ -95,6 +96,18 @@ public class TestPrivilegesAtFunctionScope extends AbstractTestWithStaticConfigu
"CREATE TEMPORARY FUNCTION printf_test AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
statement.execute("SELECT printf_test(value) FROM " + tableName1);
statement.execute("DROP TEMPORARY FUNCTION printf_test");
+
+ statement.execute(
+ "CREATE FUNCTION printf_test_perm AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf' ");
+ statement.execute("SELECT printf_test_perm(value) FROM " + tableName1);
+ statement.execute("DROP FUNCTION printf_test_perm");
+
+ // test perm UDF with 'using file' syntax
+ statement
+ .execute("CREATE FUNCTION printf_test_perm AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf' "
+ + " using file '" + "file://" + dataFile.getPath() + "'");
+ statement.execute("DROP FUNCTION printf_test_perm");
+
context.close();
// user2 has select privilege on one of the tables in db1, should be able create/drop temp functions
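Review bot: The new `using file` case only exercises the positive path (user1 holds `data_read` on `dataFile`); its denial counterpart for a user without that URI privilege is added in the following hunk but commented out pending HIVE-8266, so the output-URI enforcement this commit introduces has no test proving a denial. A comment here such as `// NOTE: the matching denial test for a user without URI privilege is disabled until HIVE-8266` would keep that gap visible, and the disabled block's assert message in the next hunk names user3 and TEMPORARY FUNCTION although it exercises user2 and CREATE FUNCTION. Minor: concatenating `"' "` with `" using file '"` yields a double space in the statement, harmless but untidy. The enclosing test method starts and ends outside the hunk.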
@@ -104,20 +117,49 @@ public class TestPrivilegesAtFunctionScope extends AbstractTestWithStaticConfigu
statement.execute(
"CREATE TEMPORARY FUNCTION printf_test_2 AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
statement.execute("SELECT printf_test_2(value) FROM " + tableName1);
- statement.execute("DROP TEMPORARY FUNCTION printf_test");
+ statement.execute("DROP TEMPORARY FUNCTION printf_test_2");
+
+ statement.execute(
+ "CREATE FUNCTION " + DB1 + ".printf_test_2_perm AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
+ statement.execute("SELECT printf_test_2_perm(value) FROM " + tableName1);
+ statement.execute("DROP FUNCTION printf_test_2_perm");
+
+ /*** Disabled till HIVE-8266 is addressed
+ // USER2 doesn't have URI perm on dataFile
+ try {
+ statement
+ .execute("CREATE FUNCTION "
+ + DB1
+ + ".printf_test_2_perm AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'"
+ + " using file '" + "file://" + dataFile.getPath() + "'");
+ assertFalse("CREATE TEMPORARY FUNCTION should fail for user3", true);
+ } catch (SQLException e) {
+ context.verifyAuthzException(e);
+ }
+ ***/
+
context.close();
// user3 shouldn't be able to create/drop temp functions since it doesn't have permission for jar
connection = context.createConnection(USER3_1);
statement = context.createStatement(connection);
+ statement.execute("USE " + DB1);
try {
- statement.execute("USE " + DB1);
statement.execute(
"CREATE TEMPORARY FUNCTION printf_test_bad AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
assertFalse("CREATE TEMPORARY FUNCTION should fail for user3", true);
} catch (SQLException e) {
context.verifyAuthzException(e);
}
+
+ try {
+ statement.execute(
+ "CREATE FUNCTION printf_test_perm_bad AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
+ assertFalse("CREATE FUNCTION should fail for user3", true);
+ } catch (SQLException e) {
+ context.verifyAuthzException(e);
+ }
+
context.close();
// user4 (not part of any group ) shouldn't be able to create/drop temp functions