Posted to commits@sentry.apache.org by sr...@apache.org on 2014/09/29 13:41:54 UTC

git commit: SENTRY-472: Hive binding should validate URI privileges on permenant function resource URI( Prasad Mujumdar via Sravya Tirukkovalur)

Repository: incubator-sentry
Updated Branches:
  refs/heads/master 2982e3d1c -> 977d69f22


SENTRY-472: Hive binding should validate URI privileges on permanent function resource URI (Prasad Mujumdar via Sravya Tirukkovalur)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/977d69f2
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/977d69f2
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/977d69f2

Branch: refs/heads/master
Commit: 977d69f2263ba6d8c6866fc07153485ab62cc54e
Parents: 2982e3d
Author: Sravya Tirukkovalur <sr...@clouera.com>
Authored: Mon Sep 29 17:11:27 2014 +0530
Committer: Sravya Tirukkovalur <sr...@clouera.com>
Committed: Mon Sep 29 17:11:27 2014 +0530

----------------------------------------------------------------------
 .../binding/hive/HiveAuthzBindingHook.java      |  6 +++
 .../hive/authz/HiveAuthzPrivilegesMap.java      |  1 +
 .../e2e/hive/TestPrivilegesAtFunctionScope.java | 52 ++++++++++++++++++--
 3 files changed, 54 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/977d69f2/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index f872ea2..f94ae7c 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -504,6 +504,12 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook {
         udfUriHierarchy.add(hiveAuthzBinding.getAuthServer());
         udfUriHierarchy.add(udfURI);
         inputHierarchy.add(udfUriHierarchy);
+        for (WriteEntity writeEntity : outputs) {
+          List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>();
+          entityHierarchy.add(hiveAuthzBinding.getAuthServer());
+          entityHierarchy.addAll(getAuthzHierarchyFromEntity(writeEntity));
+          outputHierarchy.add(entityHierarchy);
+        }
       }
 
       outputHierarchy.add(connectHierarchy);
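Review bot: The new loop (lines adding `entityHierarchy` for each `WriteEntity` in `outputs`) only enforces the URI privilege if Hive actually reports the `USING FILE` resource as a WriteEntity, and the test in TestPrivilegesAtFunctionScope that exercises the deny path is disabled "till HIVE-8266 is addressed", which suggests it currently does not; until then this check may never see the resource URI. That dependency is not stated anywhere in the hook, so a comment on the loop would help the next maintainer: `// Permanent-function resources (USING FILE/JAR) arrive as outputs; URI privilege is checked per entity. Relies on Hive populating outputs (see HIVE-8266).`. It is also worth confirming that `getAuthzHierarchyFromEntity` maps the resource entity type rather than returning an empty list, since an empty result leaves a server-only hierarchy in `outputHierarchy`. The enclosing `if` and the method itself start and end outside this hunk.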

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/977d69f2/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index 2f97e30..cc236f4 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -172,6 +172,7 @@ public class HiveAuthzPrivilegesMap {
             DBModelAction.ALTER, DBModelAction.CREATE, DBModelAction.DROP, DBModelAction.DROP,
             DBModelAction.INDEX, DBModelAction.LOCK)).
         addInputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)). //TODO: make them ||
+        addOutputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)).
         setOperationScope(HiveOperationScope.CONNECT).
         setOperationType(HiveOperationType.QUERY).
         build();
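Review bot: The `//TODO: make them ||` comment attached to the input URI line now equally describes the added output URI line, which demands `DBModelAction.ALL` on the URI in the same way; moving the TODO onto its own line above both `addInputObjectPriviledge`/`addOutputObjectPriviledge` calls would keep it accurate. Separately, the context line above lists `DBModelAction.DROP` twice; `EnumSet.of` deduplicates so it is harmless, but it reads like a copy error and could be cleaned up while this builder is being edited. The builder chain begins outside the hunk.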

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/977d69f2/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
index f1f64e6..8325a5c 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtFunctionScope.java
@@ -17,7 +17,6 @@ printf_test_3 * Licensed to the Apache Software Foundation (ASF) under one or mo
 
 package org.apache.sentry.tests.e2e.hive;
 
-import org.apache.sentry.provider.file.PolicyFile;
 import static org.junit.Assert.assertFalse;
 
 import java.io.File;
@@ -27,6 +26,7 @@ import java.sql.Connection;
 import java.sql.SQLException;
 import java.sql.Statement;
 
+import org.apache.sentry.provider.file.PolicyFile;
 import org.junit.Before;
 import org.junit.Test;
 
@@ -79,12 +79,13 @@ public class TestPrivilegesAtFunctionScope extends AbstractTestWithStaticConfigu
     context.close();
 
     policyFile
-        .addRolesToGroup(USERGROUP1, "db1_all", "UDF_JAR")
+        .addRolesToGroup(USERGROUP1, "db1_all", "UDF_JAR", "data_read")
         .addRolesToGroup(USERGROUP2, "db1_tab1", "UDF_JAR")
         .addRolesToGroup(USERGROUP3, "db1_tab1")
         .addPermissionsToRole("db1_all", "server=server1->db=" + DB1)
         .addPermissionsToRole("db1_tab1", "server=server1->db=" + DB1 + "->table=" + tableName1)
-        .addPermissionsToRole("UDF_JAR", "server=server1->uri=file://" + udfLocation);
+        .addPermissionsToRole("UDF_JAR", "server=server1->uri=file://" + udfLocation)
+        .addPermissionsToRole("data_read", "server=server1->URI=file://" + dataFile.getPath());
     writePolicyFile(policyFile);
 
     // user1 should be able create/drop temp functions
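Review bot: The new "data_read" permission is written as `server=server1->URI=file://...` while the "UDF_JAR" line directly above uses lower-case `uri=`; if the policy parser compares the authorizable type case-sensitively, the new role grants nothing and the positive `using file` test later in this file would be relying on some other privilege. I cannot see the parser from here, so this may be accepted, but the two lines should at least be consistent: `.addPermissionsToRole("data_read", "server=server1->uri=file://" + dataFile.getPath());`. The enclosing test method continues past this hunk.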
@@ -95,6 +96,18 @@ public class TestPrivilegesAtFunctionScope extends AbstractTestWithStaticConfigu
         "CREATE TEMPORARY FUNCTION printf_test AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
     statement.execute("SELECT printf_test(value) FROM " + tableName1);
     statement.execute("DROP TEMPORARY FUNCTION printf_test");
+
+    statement.execute(
+        "CREATE FUNCTION printf_test_perm AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf' ");
+    statement.execute("SELECT printf_test_perm(value) FROM " + tableName1);
+    statement.execute("DROP FUNCTION printf_test_perm");
+
+    // test perm UDF with 'using file' syntax
+    statement
+        .execute("CREATE FUNCTION printf_test_perm AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf' "
+            + " using file '" + "file://" + dataFile.getPath() + "'");
+    statement.execute("DROP FUNCTION printf_test_perm");
+
     context.close();
 
     // user2 has select privilege on one of the tables in db1, should be able create/drop temp functions
@@ -104,20 +117,49 @@ public class TestPrivilegesAtFunctionScope extends AbstractTestWithStaticConfigu
     statement.execute(
         "CREATE TEMPORARY FUNCTION printf_test_2 AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
     statement.execute("SELECT printf_test_2(value) FROM " + tableName1);
-    statement.execute("DROP TEMPORARY FUNCTION printf_test");
+    statement.execute("DROP TEMPORARY FUNCTION printf_test_2");
+
+    statement.execute(
+        "CREATE FUNCTION " + DB1 + ".printf_test_2_perm AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
+    statement.execute("SELECT printf_test_2_perm(value) FROM " + tableName1);
+    statement.execute("DROP FUNCTION printf_test_2_perm");
+
+    /*** Disabled till HIVE-8266 is addressed
+    // USER2 doesn't have URI perm on dataFile
+    try {
+      statement
+          .execute("CREATE FUNCTION "
+              + DB1
+              + ".printf_test_2_perm AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'"
+              + " using file '" + "file://" + dataFile.getPath() + "'");
+      assertFalse("CREATE TEMPORARY FUNCTION should fail for user3", true);
+    } catch (SQLException e) {
+      context.verifyAuthzException(e);
+    }
+    ***/
+
     context.close();
 
     // user3 shouldn't be able to create/drop temp functions since it doesn't have permission for jar
     connection = context.createConnection(USER3_1);
     statement = context.createStatement(connection);
+    statement.execute("USE " + DB1);
     try {
-      statement.execute("USE " + DB1);
       statement.execute(
       "CREATE TEMPORARY FUNCTION printf_test_bad AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
       assertFalse("CREATE TEMPORARY FUNCTION should fail for user3", true);
     } catch (SQLException e) {
       context.verifyAuthzException(e);
     }
+
+    try {
+      statement.execute(
+      "CREATE FUNCTION printf_test_perm_bad AS 'org.apache.hadoop.hive.ql.udf.generic.GenericUDFPrintf'");
+      assertFalse("CREATE FUNCTION should fail for user3", true);
+    } catch (SQLException e) {
+      context.verifyAuthzException(e);
+    }
+
     context.close();
 
     // user4 (not part of any group ) shouldn't be able to create/drop temp functions
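Review bot: The only negative test for the `using file` resource URI (the USER2 block marked "Disabled till HIVE-8266 is addressed") is commented out, so the URI enforcement this commit adds to HiveAuthzBindingHook has no failing-path coverage here; a `@Ignore`d test method or an explicit TODO referencing HIVE-8266 would be easier to find than a block comment, and the message inside that block, "should fail for user3", names the wrong user for a USER2 scenario. In the live assertions, `assertFalse("...", true)` is a roundabout way of forcing a failure; `fail("CREATE TEMPORARY FUNCTION should fail for user3");` and `fail("CREATE FUNCTION should fail for user3");` (with `import static org.junit.Assert.fail;`) state the intent directly. The test method continues past the end of this hunk.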