Posted to commits@sentry.apache.org by ls...@apache.org on 2015/08/05 09:46:48 UTC

incubator-sentry git commit: SENTRY-810: CTAS without location is not verified properly (Ryan P via Lenni Kuff)

Repository: incubator-sentry
Updated Branches:
  refs/heads/master 444031474 -> 7613ede9c


SENTRY-810: CTAS without location is not verified properly (Ryan P via Lenni Kuff)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/7613ede9
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/7613ede9
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/7613ede9

Branch: refs/heads/master
Commit: 7613ede9c6b940fe132e6cc7657bac9b0cf236b2
Parents: 4440314
Author: Lenni Kuff <ls...@cloudera.com>
Authored: Wed Aug 5 00:46:04 2015 -0700
Committer: Lenni Kuff <ls...@cloudera.com>
Committed: Wed Aug 5 00:46:38 2015 -0700

----------------------------------------------------------------------
 .../hive/authz/HiveAuthzPrivilegesMap.java      |  2 ++
 .../sentry/tests/e2e/hive/TestOperations.java   | 38 +++++++++++++++-----
 2 files changed, 32 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7613ede9/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index 6efeed6..0291b6c 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -23,6 +23,7 @@ import java.util.Map;
 import org.apache.hadoop.hive.ql.plan.HiveOperation;
 import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationScope;
 import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType;
+import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.model.db.DBModelAction;
 import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
 
@@ -283,6 +284,7 @@ public class HiveAuthzPrivilegesMap {
         new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
         addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.SELECT)).
         addInputObjectPriviledge(AuthorizableType.Column, EnumSet.of(DBModelAction.SELECT)).
+        addInputObjectPriviledge(AuthorizableType.URI,EnumSet.of(DBModelAction.ALL)).
         addOutputObjectPriviledge(AuthorizableType.Db, EnumSet.of(DBModelAction.CREATE)).
         setOperationScope(HiveOperationScope.DATABASE).
         setOperationType(HiveOperationType.DDL).
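Review bot: The added `addInputObjectPriviledge(AuthorizableType.URI,EnumSet.of(DBModelAction.ALL))` line has no comment saying when the URI check applies, yet the test in this commit expects a CTAS without LOCATION to keep working for a user with no URI role, so the requirement is evidently conditional. A line such as `// URI ALL is enforced only when the statement names a LOCATION` above it would record that. It is also worth confirming that the binding reports the CTAS location as an input, because the privilege is registered on the input side although the location is where the table data is written. The call is missing the space after the comma that the neighbouring lines use, and the `import org.apache.sentry.core.common.Authorizable;` added in the first hunk is not referenced by any line shown in this diff and looks unused. The builder chain starts and ends outside the hunk.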

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7613ede9/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
index 2fbdfa6..29b2d60 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
@@ -897,6 +897,8 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
     adminCreate(DB1, tableName);
     adminCreate(DB2, null);
 
+    String location = dfs.getBaseDir() + "/" + Math.random();
+
     Connection connection = context.createConnection(ADMIN1);
     Statement statement = context.createStatement(connection);
     statement.execute("Use " + DB1);
@@ -905,19 +907,27 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
     connection.close();
 
     policyFile
-        .addPermissionsToRole("select_db1_tb1", privileges.get("select_db1_tb1"))
-        .addPermissionsToRole("select_db1_view1", privileges.get("select_db1_view1"))
-        .addPermissionsToRole("create_db2", privileges.get("create_db2"))
-        .addRolesToGroup(USERGROUP1, "select_db1_tb1", "create_db2")
-        .addRolesToGroup(USERGROUP2, "select_db1_view1", "create_db2");
+      .addPermissionsToRole("select_db1_tb1", privileges.get("select_db1_tb1"))
+      .addPermissionsToRole("select_db1_view1", privileges.get("select_db1_view1"))
+      .addPermissionsToRole("create_db2", privileges.get("create_db2"))
+      .addPermissionsToRole("all_uri", "server=server1->uri=" + location)
+      .addRolesToGroup(USERGROUP1, "select_db1_tb1", "create_db2")
+      .addRolesToGroup(USERGROUP2, "select_db1_view1", "create_db2")
+      .addRolesToGroup(USERGROUP3, "select_db1_tb1", "create_db2,all_uri");
     writePolicyFile(policyFile);
 
     connection = context.createConnection(USER1_1);
     statement = context.createStatement(connection);
     statement.execute("Use " + DB2);
-    statement.execute("create table tb2 as select a from " + DB1 + ".tb1" );
+    statement.execute("create table tb2 as select a from " + DB1 + ".tb1");
+    //Ensure CTAS fails without URI
+    context.assertSentrySemanticException(statement, "create table tb3 location '" + location +
+        "' as select a from " + DB1 + ".tb1",
+      semanticException);
     context.assertSentrySemanticException(statement, "create table tb3 as select a from " + DB1 + ".view1",
-        semanticException);
+      semanticException);
+
+
     statement.close();
     connection.close();
 
@@ -926,12 +936,24 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
     statement.execute("Use " + DB2);
     statement.execute("create table tb3 as select a from " + DB1 + ".view1" );
     context.assertSentrySemanticException(statement, "create table tb4 as select a from " + DB1 + ".tb1",
-        semanticException);
+      semanticException);
 
     statement.close();
     connection.close();
+
+    connection = context.createConnection(USER3_1);
+    statement = context.createStatement(connection);
+    //CTAS is valid with URI
+    statement.execute("Use " + DB2);
+    statement.execute("create table tb4 location '" + location +
+      "' as select a from " + DB1 + ".tb1");
+
+    statement.close();
+    connection.close();
+
   }
 
+
   /*
   1. INSERT : IP: select on table, OP: insert on table + all on uri(optional)
    */
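Review bot: The USER3_1 block only shows that CTAS succeeds when the role covers exactly `location`; no case checks that a URI grant on one path is refused for a different LOCATION, which is what would show the check is tied to the requested URI rather than to holding any URI privilege. Before `statement.close()` I would add `context.assertSentrySemanticException(statement, "create table tb5 location '" + otherLocation + "' as select a from " + DB1 + ".tb1", semanticException);`, where `otherLocation` (a name made up here, like `tb5`) is a second directory under `dfs.getBaseDir()` that `all_uri` does not cover. The blank lines added before and after the method's closing brace can be dropped. The method begins outside this hunk.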