Posted to commits@sentry.apache.org by ls...@apache.org on 2015/08/05 09:46:48 UTC
incubator-sentry git commit: SENTRY-810: CTAS without location is not
verified properly (Ryan P via Lenni Kuff)
Repository: incubator-sentry
Updated Branches:
refs/heads/master 444031474 -> 7613ede9c
SENTRY-810: CTAS without location is not verified properly (Ryan P via Lenni Kuff)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/7613ede9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/7613ede9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/7613ede9
Branch: refs/heads/master
Commit: 7613ede9c6b940fe132e6cc7657bac9b0cf236b2
Parents: 4440314
Author: Lenni Kuff <ls...@cloudera.com>
Authored: Wed Aug 5 00:46:04 2015 -0700
Committer: Lenni Kuff <ls...@cloudera.com>
Committed: Wed Aug 5 00:46:38 2015 -0700
----------------------------------------------------------------------
.../hive/authz/HiveAuthzPrivilegesMap.java | 2 ++
.../sentry/tests/e2e/hive/TestOperations.java | 38 +++++++++++++++-----
2 files changed, 32 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7613ede9/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index 6efeed6..0291b6c 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -23,6 +23,7 @@ import java.util.Map;
import org.apache.hadoop.hive.ql.plan.HiveOperation;
import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationScope;
import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType;
+import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.model.db.DBModelAction;
import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
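Review bot: The added `import org.apache.sentry.core.common.Authorizable;` does not appear to be needed by this commit. The only new code in this file, in the next hunk, uses `AuthorizableType.URI`, which comes from the `DBModelAuthorizable.AuthorizableType` import that was already present. Unless code outside these hunks references `Authorizable`, drop the line so the file does not pick up an unused import.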
@@ -283,6 +284,7 @@ public class HiveAuthzPrivilegesMap {
new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.SELECT)).
addInputObjectPriviledge(AuthorizableType.Column, EnumSet.of(DBModelAction.SELECT)).
+ addInputObjectPriviledge(AuthorizableType.URI,EnumSet.of(DBModelAction.ALL)).
addOutputObjectPriviledge(AuthorizableType.Db, EnumSet.of(DBModelAction.CREATE)).
setOperationScope(HiveOperationScope.DATABASE).
setOperationType(HiveOperationType.DDL).
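Review bot: The new URI entry has no comment saying when it is enforced, and it is registered with `addInputObjectPriviledge` even though a CTAS `LOCATION` is where the new table's data is written. The accompanying test suggests the check only applies when the statement names a location (plain CTAS still succeeds for a user without a URI grant), so a comment such as `// URI: ALL is required only when CTAS specifies a LOCATION` above the line would record that. If input-side registration is the convention this map follows for location URIs, say so in the same comment; otherwise confirm the URI really is collected as an input for this operation. Also add the missing space after the comma in `AuthorizableType.URI,EnumSet.of(DBModelAction.ALL)`. The builder chain starts and ends outside the hunk.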
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7613ede9/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
index 2fbdfa6..29b2d60 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
@@ -897,6 +897,8 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
adminCreate(DB1, tableName);
adminCreate(DB2, null);
+ String location = dfs.getBaseDir() + "/" + Math.random();
+
Connection connection = context.createConnection(ADMIN1);
Statement statement = context.createStatement(connection);
statement.execute("Use " + DB1);
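Review bot: `dfs.getBaseDir() + "/" + Math.random()` produces a directory named like a bare decimal fraction, which is hard to tie back to this test when inspecting the filesystem after a failure, and nothing in the visible hunks removes it afterwards. A name such as `dfs.getBaseDir() + "/ctas_location_" + UUID.randomUUID()` (with `java.util.UUID` imported) stays unique while being recognisable. The test method begins before this hunk, so any cleanup done elsewhere is not visible here.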
@@ -905,19 +907,27 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
connection.close();
policyFile
- .addPermissionsToRole("select_db1_tb1", privileges.get("select_db1_tb1"))
- .addPermissionsToRole("select_db1_view1", privileges.get("select_db1_view1"))
- .addPermissionsToRole("create_db2", privileges.get("create_db2"))
- .addRolesToGroup(USERGROUP1, "select_db1_tb1", "create_db2")
- .addRolesToGroup(USERGROUP2, "select_db1_view1", "create_db2");
+ .addPermissionsToRole("select_db1_tb1", privileges.get("select_db1_tb1"))
+ .addPermissionsToRole("select_db1_view1", privileges.get("select_db1_view1"))
+ .addPermissionsToRole("create_db2", privileges.get("create_db2"))
+ .addPermissionsToRole("all_uri", "server=server1->uri=" + location)
+ .addRolesToGroup(USERGROUP1, "select_db1_tb1", "create_db2")
+ .addRolesToGroup(USERGROUP2, "select_db1_view1", "create_db2")
+ .addRolesToGroup(USERGROUP3, "select_db1_tb1", "create_db2,all_uri");
writePolicyFile(policyFile);
connection = context.createConnection(USER1_1);
statement = context.createStatement(connection);
statement.execute("Use " + DB2);
- statement.execute("create table tb2 as select a from " + DB1 + ".tb1" );
+ statement.execute("create table tb2 as select a from " + DB1 + ".tb1");
+ //Ensure CTAS fails without URI
+ context.assertSentrySemanticException(statement, "create table tb3 location '" + location +
+ "' as select a from " + DB1 + ".tb1",
+ semanticException);
context.assertSentrySemanticException(statement, "create table tb3 as select a from " + DB1 + ".view1",
- semanticException);
+ semanticException);
+
+
statement.close();
connection.close();
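Review bot: On the `USERGROUP3` line the roles are passed as `"select_db1_tb1", "create_db2,all_uri"`, two roles fused into one comma-joined string, while every other `addRolesToGroup` call in this chain passes one role per argument. Whether the fused string resolves to both roles depends on how the policy file serialises role names, which is not visible here. Writing `.addRolesToGroup(USERGROUP3, "select_db1_tb1", "create_db2", "all_uri");` states the intent without relying on that. The comment `//Ensure CTAS fails without URI` would also be clearer as `// CTAS with LOCATION must be denied when the user has no URI privilege`.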
@@ -926,12 +936,24 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
statement.execute("Use " + DB2);
statement.execute("create table tb3 as select a from " + DB1 + ".view1" );
context.assertSentrySemanticException(statement, "create table tb4 as select a from " + DB1 + ".tb1",
- semanticException);
+ semanticException);
statement.close();
connection.close();
+
+ connection = context.createConnection(USER3_1);
+ statement = context.createStatement(connection);
+ //CTAS is valid with URI
+ statement.execute("Use " + DB2);
+ statement.execute("create table tb4 location '" + location +
+ "' as select a from " + DB1 + ".tb1");
+
+ statement.close();
+ connection.close();
+
}
+
/*
1. INSERT : IP: select on table, OP: insert on table + all on uri(optional)
*/
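Review bot: The USER3_1 block only covers the allowed case, so the test would still pass if the authorization check accepted any URI grant rather than one that covers the requested path. Add a denial for the same user against a location outside the grant, for example `context.assertSentrySemanticException(statement, "create table tb5 location '" + dfs.getBaseDir() + "/not_granted' as select a from " + DB1 + ".tb1", semanticException);`. That pins the behaviour this commit is meant to enforce: the URI privilege is matched against the CTAS location, not merely required to exist.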