Posted to commits@hive.apache.org by ha...@apache.org on 2014/02/12 18:34:07 UTC
svn commit: r1567695 - in /hive/trunk:
common/src/java/org/apache/hadoop/hive/conf/
itests/util/src/main/java/org/apache/hadoop/hive/ql/
ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/
ql/src/java/org/apache/hadoop/hive/ql/security...
Author: hashutosh
Date: Wed Feb 12 17:34:06 2014
New Revision: 1567695
URL: http://svn.apache.org/r1567695
Log:
HIVE-5944 : SQL std auth - authorize show all roles, create role, drop role (Ashutosh Chauhan via Thejas Nair)
Added:
hive/trunk/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q
hive/trunk/ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out
hive/trunk/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out
hive/trunk/ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out
Modified:
hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles1.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles2.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q
hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
hive/trunk/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out
hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out
hive/trunk/ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out
Modified: hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
URL: http://svn.apache.org/viewvc/hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java (original)
+++ hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java Wed Feb 12 17:34:06 2014
@@ -135,7 +135,8 @@ public class HiveConf extends Configurat
HiveConf.ConfVars.HMSHANDLERFORCERELOADCONF,
HiveConf.ConfVars.METASTORE_PARTITION_NAME_WHITELIST_PATTERN,
HiveConf.ConfVars.METASTORE_DISALLOW_INCOMPATIBLE_COL_TYPE_CHANGES,
- HiveConf.ConfVars.USERS_IN_ADMIN_ROLE
+ HiveConf.ConfVars.USERS_IN_ADMIN_ROLE,
+ HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER
};
/**
Modified: hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java
URL: http://svn.apache.org/viewvc/hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java (original)
+++ hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java Wed Feb 12 17:34:06 2014
@@ -267,7 +267,7 @@ public class QTestUtil {
(new Path(dfsUriString,
"/build/ql/test/data/warehouse/")).toString());
}
-
+
// Windows paths should be converted after MiniMrShim.setupConfiguration()
// since setupConfiguration may overwrite configuration values.
if (Shell.WINDOWS) {
@@ -330,12 +330,12 @@ public class QTestUtil {
}
}
- public QTestUtil(String outDir, String logDir, MiniClusterType clusterType, String hadoopVer)
+ public QTestUtil(String outDir, String logDir, MiniClusterType clusterType, String hadoopVer)
throws Exception {
this(outDir, logDir, clusterType, null, hadoopVer);
}
- public QTestUtil(String outDir, String logDir, MiniClusterType clusterType,
+ public QTestUtil(String outDir, String logDir, MiniClusterType clusterType,
String confDir, String hadoopVer)
throws Exception {
this.outDir = outDir;
@@ -589,7 +589,7 @@ public class QTestUtil {
List<String> roleNames = db.getAllRoleNames();
for (String roleName : roleNames) {
- if (!"PUBLIC".equals(roleName)) {
+ if (!"PUBLIC".equalsIgnoreCase(roleName) && !"ADMIN".equalsIgnoreCase(roleName)) {
db.dropRole(roleName);
}
}
@@ -1376,7 +1376,7 @@ public class QTestUtil {
}
private static int executeCmd(Collection<String> args, String outFile, String errFile) throws Exception {
- String[] cmdArray = (String[]) args.toArray(new String[args.size()]);
+ String[] cmdArray = args.toArray(new String[args.size()]);
return executeCmd(cmdArray, outFile, errFile);
}
@@ -1520,6 +1520,7 @@ public class QTestUtil {
this.fname = fname;
}
+ @Override
public void run() {
try {
// assumption is that environment has already been cleaned once globally
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java Wed Feb 12 17:34:06 2014
@@ -47,5 +47,4 @@ public class HiveAccessControlException
public HiveAccessControlException(Throwable cause){
super(cause);
}
-
}
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java Wed Feb 12 17:34:06 2014
@@ -62,7 +62,7 @@ public interface HiveAccessController {
List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
throws HiveAuthzPluginException, HiveAccessControlException;
- void setCurrentRole(String roleName) throws HiveAuthzPluginException;
+ void setCurrentRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException;
List<HiveRole> getCurrentRoles() throws HiveAuthzPluginException;
}
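Review bot: setCurrentRole now declares two checked exceptions, but nothing in the interface says which one a caller receives in which case. Judging from the SQLStdHiveAccessController change in this commit, HiveAccessControlException is thrown when the current user does not belong to the requested role. A Javadoc line such as `@throws HiveAccessControlException if the current user does not belong to roleName` would make that contract explicit. The same applies to HiveAuthorizer.setCurrentRole, whose throws clause lists the two types in the opposite order; using one order in both interfaces would read more consistently.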
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java Wed Feb 12 17:34:06 2014
@@ -160,13 +160,11 @@ public interface HiveAuthorizer {
List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
throws HiveAuthzPluginException, HiveAccessControlException;
- void setCurrentRole(String roleName) throws HiveAuthzPluginException;
+ void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException;
List<HiveRole> getCurrentRoles() throws HiveAuthzPluginException;
+
//other functions to be added -
//showUsersInRole(rolename)
- //isSuperuser(username)
-
-
}
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java Wed Feb 12 17:34:06 2014
@@ -105,7 +105,7 @@ public class HiveAuthorizerImpl implemen
}
@Override
- public void setCurrentRole(String roleName) throws HiveAuthzPluginException {
+ public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException {
accessController.setCurrentRole(roleName);
}
@@ -113,10 +113,7 @@ public class HiveAuthorizerImpl implemen
public List<HiveRole> getCurrentRoles() throws HiveAuthzPluginException {
return accessController.getCurrentRoles();
}
-
-
// other access control functions
-
// void validateAuthority(HiveAction, inputs, outputs){
// authValidator.validateAuthority(HiveAction, inputs, outputs);
// }
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java Wed Feb 12 17:34:06 2014
@@ -42,6 +42,7 @@ import org.apache.hadoop.hive.ql.securit
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
@@ -220,7 +221,12 @@ public class SQLStdHiveAccessController
@Override
public void createRole(String roleName, HivePrincipal adminGrantor)
- throws HiveAuthzPluginException {
+ throws HiveAuthzPluginException, HiveAccessControlException {
+ // only user belonging to admin role can create new roles.
+ if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) {
+ throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
+ + " allowed to add roles. Only users belonging to admin role can add new roles.");
+ }
try {
String grantorName = adminGrantor == null ? null : adminGrantor.getName();
metastoreClientFactory.getHiveMetastoreClient().create_role(
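Review bot: The denial message in createRole says only users "belonging to admin role" can add roles, but the guard calls isUserAdmin (added at the end of this file), which inspects the session's current roles rather than role membership. The expected output of authorization_drop_role_no_admin.q shows the effect: hive_admin_user, listed in hive.users.in.admin.role, gets this message after `set role NONE`. Wording along the lines of `"Only users with the admin role active (set role ADMIN) can add new roles."` would match what is enforced. The same guard and message pattern is repeated in dropRole, grantRole, revokeRole and getAllRoles; one private helper that takes the action name would keep the five messages consistent. createRole's body continues outside the hunk.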
@@ -231,7 +237,12 @@ public class SQLStdHiveAccessController
}
@Override
- public void dropRole(String roleName) throws HiveAuthzPluginException {
+ public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
+ // only user belonging to admin role can drop existing role
+ if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) {
+ throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
+ + " allowed to drop role. Only users belonging to admin role can drop roles.");
+ }
try {
metastoreClientFactory.getHiveMetastoreClient().drop_role(roleName);
} catch (Exception e) {
@@ -257,7 +268,12 @@ public class SQLStdHiveAccessController
@Override
public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roleNames,
- boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException {
+ boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
+ HiveAccessControlException {
+ if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) {
+ throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
+ + " allowed to grant role. Currently only users belonging to admin role can grant roles.");
+ }
for (HivePrincipal hivePrincipal : hivePrincipals) {
for (String roleName : roleNames) {
try {
@@ -279,11 +295,16 @@ public class SQLStdHiveAccessController
@Override
public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roleNames,
- boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException {
+ boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
+ HiveAccessControlException {
if (grantOption) {
// removing grant privileges only is not supported in metastore api
throw new HiveAuthzPluginException("Revoking only the admin privileges on "
- + "role is not currently supported");
+ + "role is not currently supported");
+ }
+ if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) {
+ throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
+ + " allowed to revoke role. Currently only users belonging to admin role can revoke roles.");
}
for (HivePrincipal hivePrincipal : hivePrincipals) {
for (String roleName : roleNames) {
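Review bot: In revokeRole the admin check sits after the `if (grantOption)` rejection, so a caller without the admin role gets the "not currently supported" HiveAuthzPluginException instead of an access-control denial when grantOption is true. Authorising first is the safer ordering and matches grantRole, where the check is the first statement; moving the `if (!this.isUserAdmin(...)) { throw ... }` block above `if (grantOption) {` would do that. The loop body continues outside the hunk.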
@@ -301,7 +322,12 @@ public class SQLStdHiveAccessController
}
@Override
- public List<String> getAllRoles() throws HiveAuthzPluginException {
+ public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
+ // only user belonging to admin role can list role
+ if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) {
+ throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
+ + " allowed to list roles. Only users belonging to admin role can list roles.");
+ }
try {
return metastoreClientFactory.getHiveMetastoreClient().listRoleNames();
} catch (Exception e) {
@@ -370,7 +396,8 @@ public class SQLStdHiveAccessController
}
@Override
- public void setCurrentRole(String roleName) throws HiveAuthzPluginException {
+ public void setCurrentRole(String roleName) throws HiveAccessControlException,
+ HiveAuthzPluginException {
if ("NONE".equalsIgnoreCase(roleName)) {
// for set role NONE, reset roles to default roles.
@@ -393,7 +420,7 @@ public class SQLStdHiveAccessController
return;
}
// If we are here it means, user is requesting a role he doesn't belong to.
- throw new HiveAuthzPluginException(currentUserName +" doesn't belong to role "
+ throw new HiveAccessControlException(currentUserName +" doesn't belong to role "
+roleName);
}
@@ -402,4 +429,24 @@ public class SQLStdHiveAccessController
initUserRoles();
return currentRoles;
}
+
+ /**
+ * @param principal
+ * @return true only if current role of user is Admin
+ * @throws HiveAuthzPluginException
+ */
+ private boolean isUserAdmin(HivePrincipal principal) throws HiveAuthzPluginException {
+ List<HiveRole> roles;
+ try {
+ roles = getCurrentRoles();
+ } catch (Exception e) {
+ throw new HiveAuthzPluginException(e);
+ }
+ for (HiveRole role : roles){
+ if (role.getRoleName().equalsIgnoreCase(HiveMetaStore.ADMIN)) {
+ return true;
+ }
+ }
+ return false;
+ }
}
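Review bot: The `principal` argument of isUserAdmin is never read; the result depends only on getCurrentRoles(), so every call site builds a `new HivePrincipal(currentUserName, HivePrincipalType.USER)` that has no effect on the decision. Either drop the parameter or document it, e.g. `@param principal currently ignored; the check uses the session's active roles`, so a later caller does not assume it can test an arbitrary principal. Separately, `catch (Exception e)` re-wraps the HiveAuthzPluginException that getCurrentRoles() already declares in the HiveAccessController interface, nesting the original one level deeper; letting that type propagate unchanged would keep error reports cleaner.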
Added: hive/trunk/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q?rev=1567695&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q (added)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q Wed Feb 12 17:34:06 2014
@@ -0,0 +1,3 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+-- this test will fail because hive_test_user is not in admin role.
+create role r1;
Added: hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q?rev=1567695&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q (added)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q Wed Feb 12 17:34:06 2014
@@ -0,0 +1,10 @@
+set hive.users.in.admin.role=hive_admin_user;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+set role ADMIN;
+show current roles;
+create role r1;
+set role NONE;
+show current roles;
+drop role r1;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles1.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles1.q?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles1.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles1.q Wed Feb 12 17:34:06 2014
@@ -1,8 +1,12 @@
+set hive.users.in.admin.role=hive_admin_user;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+set role ADMIN;
-- this is applicable to any security mode as check is in metastore
create role role1;
create role role2;
grant role role1 to role role2;
-- this will create a cycle
-grant role role2 to role role1;
\ No newline at end of file
+grant role role2 to role role1;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles2.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles2.q?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles2.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles2.q Wed Feb 12 17:34:06 2014
@@ -1,4 +1,9 @@
+set hive.users.in.admin.role=hive_admin_user;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+
+set user.name=hive_admin_user;
+set role ADMIN;
-- this is applicable to any security mode as check is in metastore
create role role1;
Added: hive/trunk/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q?rev=1567695&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q (added)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q Wed Feb 12 17:34:06 2014
@@ -0,0 +1,3 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+-- This test will fail because hive_test_user is not in admin role
+show roles;
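Review bot: Negative tests are added for create role, drop role and show roles, but this commit also adds admin checks to grantRole and revokeRole in SQLStdHiveAccessController, and no clientnegative file in the Added list exercises a non-admin `grant role` or `revoke role`. Two further .q files in the shape of this one, each setting the authorization manager and then issuing the statement as the default test user, would pin those denials and their messages as well.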
Modified: hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q (original)
+++ hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q Wed Feb 12 17:34:06 2014
@@ -1,9 +1,12 @@
+set hive.users.in.admin.role=hive_admin_user;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
create table src_autho_test (key STRING, value STRING) ;
set hive.security.authorization.enabled=true;
-
+set role ADMIN;
--table grant to user
grant select on table src_autho_test to user user_sauth;
@@ -30,4 +33,4 @@ revoke select on table src_autho_test fr
drop role src_role;
set hive.security.authorization.enabled=false;
-drop table src_autho_test;
\ No newline at end of file
+drop table src_autho_test;
Modified: hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q (original)
+++ hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q Wed Feb 12 17:34:06 2014
@@ -1,7 +1,11 @@
+set hive.users.in.admin.role=hive_admin_user;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
--- enable sql standard authorization
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+-- enable sql standard authorization
-- role granting without role keyword
+set role ADMIN;
create role src_role2;
grant src_role2 to user user2 ;
show role grant user user2;
Modified: hive/trunk/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q (original)
+++ hive/trunk/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q Wed Feb 12 17:34:06 2014
@@ -1,9 +1,12 @@
+set hive.users.in.admin.role=hive_admin_user;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
-
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+set role ADMIN;
show current roles;
create role r1;
-grant role r1 to user hive_test_user;
+grant role r1 to user hive_admin_user;
set role r1;
show current roles;
@@ -13,5 +16,6 @@ show current roles;
set role NONE;
show current roles;
+set role ADMIN;
drop role r1;
Added: hive/trunk/ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out?rev=1567695&view=auto
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out (added)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out Wed Feb 12 17:34:06 2014
@@ -0,0 +1,4 @@
+PREHOOK: query: -- this test will fail because hive_test_user is not in admin role.
+create role r1
+PREHOOK: type: CREATEROLE
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_test_user is not allowed to add roles. Only users belonging to admin role can add new roles.
Added: hive/trunk/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out?rev=1567695&view=auto
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out (added)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out Wed Feb 12 17:34:06 2014
@@ -0,0 +1,27 @@
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: show current roles
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: show current roles
+POSTHOOK: type: SHOW_ROLES
+ADMIN
+
+PREHOOK: query: create role r1
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: create role r1
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: set role NONE
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role NONE
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: show current roles
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: show current roles
+POSTHOOK: type: SHOW_ROLES
+PUBLIC
+
+PREHOOK: query: drop role r1
+PREHOOK: type: DROPROLE
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_admin_user is not allowed to drop role. Only users belonging to admin role can drop roles.
Modified: hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out (original)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out Wed Feb 12 17:34:06 2014
@@ -1,3 +1,7 @@
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
PREHOOK: query: -- this is applicable to any security mode as check is in metastore
create role role1
PREHOOK: type: CREATEROLE
Modified: hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out (original)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out Wed Feb 12 17:34:06 2014
@@ -1,3 +1,7 @@
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
PREHOOK: query: -- this is applicable to any security mode as check is in metastore
create role role1
Added: hive/trunk/ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out?rev=1567695&view=auto
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out (added)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out Wed Feb 12 17:34:06 2014
@@ -0,0 +1,4 @@
+PREHOOK: query: -- This test will fail because hive_test_user is not in admin role
+show roles
+PREHOOK: type: SHOW_ROLES
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_test_user is not allowed to list roles. Only users belonging to admin role can list roles.
Modified: hive/trunk/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out (original)
+++ hive/trunk/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out Wed Feb 12 17:34:06 2014
@@ -3,6 +3,10 @@ PREHOOK: type: CREATETABLE
POSTHOOK: query: create table src_autho_test (key STRING, value STRING)
POSTHOOK: type: CREATETABLE
POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
PREHOOK: query: --table grant to user
grant select on table src_autho_test to user user_sauth
@@ -17,7 +21,7 @@ PREHOOK: query: show grant user user_sau
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant user user_sauth on table src_autho_test
POSTHOOK: type: SHOW_GRANT
-default src_autho_test user_sauth USER SELECT false -1 hive_test_user
+default src_autho_test user_sauth USER SELECT false -1 hive_admin_user
PREHOOK: query: revoke select on table src_autho_test from user user_sauth
PREHOOK: type: REVOKE_PRIVILEGE
PREHOOK: Output: default@src_autho_test
@@ -42,7 +46,7 @@ PREHOOK: query: show role grant user use
PREHOOK: type: SHOW_ROLE_GRANT
POSTHOOK: query: show role grant user user_sauth
POSTHOOK: type: SHOW_ROLE_GRANT
-src_role -1 user_sauth USER false -1 hive_test_user
+src_role -1 user_sauth USER false -1 hive_admin_user
PUBLIC -1 false -1
PREHOOK: query: --table grant to role
@@ -58,7 +62,7 @@ PREHOOK: query: show grant role src_role
PREHOOK: type: SHOW_GRANT
POSTHOOK: query: show grant role src_role on table src_autho_test
POSTHOOK: type: SHOW_GRANT
-default src_autho_test src_role ROLE SELECT false -1 hive_test_user
+default src_autho_test src_role ROLE SELECT false -1 hive_admin_user
PREHOOK: query: revoke select on table src_autho_test from role src_role
PREHOOK: type: REVOKE_PRIVILEGE
PREHOOK: Output: default@src_autho_test
Modified: hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out (original)
+++ hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out Wed Feb 12 17:34:06 2014
@@ -1,12 +1,14 @@
PREHOOK: query: -- enable sql standard authorization
-
-- role granting without role keyword
-create role src_role2
-PREHOOK: type: CREATEROLE
+set role ADMIN
+PREHOOK: type: SHOW_ROLES
POSTHOOK: query: -- enable sql standard authorization
-
-- role granting without role keyword
-create role src_role2
+set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: create role src_role2
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: create role src_role2
POSTHOOK: type: CREATEROLE
PREHOOK: query: grant src_role2 to user user2
PREHOOK: type: GRANT_ROLE
@@ -16,12 +18,14 @@ PREHOOK: query: show role grant user use
PREHOOK: type: SHOW_ROLE_GRANT
POSTHOOK: query: show role grant user user2
POSTHOOK: type: SHOW_ROLE_GRANT
-src_role2 -1 user2 USER false -1 hive_test_user
+src_role2 -1 user2 USER false -1 hive_admin_user
PUBLIC -1 false -1
PREHOOK: query: show roles
PREHOOK: type: SHOW_ROLES
POSTHOOK: query: show roles
POSTHOOK: type: SHOW_ROLES
+ADMIN
+PUBLIC
src_role2
PREHOOK: query: -- revoke role without role keyword
@@ -39,6 +43,8 @@ PREHOOK: query: show roles
PREHOOK: type: SHOW_ROLES
POSTHOOK: query: show roles
POSTHOOK: type: SHOW_ROLES
+ADMIN
+PUBLIC
src_role2
PREHOOK: query: ----------------------------------------
@@ -61,7 +67,7 @@ PREHOOK: query: show role grant user use
PREHOOK: type: SHOW_ROLE_GRANT
POSTHOOK: query: show role grant user user2
POSTHOOK: type: SHOW_ROLE_GRANT
-src_role_wadmin -1 user2 USER false -1 hive_test_user
+src_role_wadmin -1 user2 USER false -1 hive_admin_user
PUBLIC -1 false -1
PREHOOK: query: -- revoke role without role keyword
revoke src_role_wadmin from user user2 with admin option
@@ -80,6 +86,8 @@ PREHOOK: type: SHOW_ROLES
POSTHOOK: query: -- drop roles
show roles
POSTHOOK: type: SHOW_ROLES
+ADMIN
+PUBLIC
src_role2
src_role_wadmin
@@ -91,6 +99,8 @@ PREHOOK: query: show roles
PREHOOK: type: SHOW_ROLES
POSTHOOK: query: show roles
POSTHOOK: type: SHOW_ROLES
+ADMIN
+PUBLIC
src_role_wadmin
PREHOOK: query: drop role src_role_wadmin
@@ -101,3 +111,6 @@ PREHOOK: query: show roles
PREHOOK: type: SHOW_ROLES
POSTHOOK: query: show roles
POSTHOOK: type: SHOW_ROLES
+ADMIN
+PUBLIC
+
Modified: hive/trunk/ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out (original)
+++ hive/trunk/ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out Wed Feb 12 17:34:06 2014
@@ -1,16 +1,20 @@
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
PREHOOK: query: show current roles
PREHOOK: type: SHOW_ROLES
POSTHOOK: query: show current roles
POSTHOOK: type: SHOW_ROLES
-PUBLIC
+ADMIN
PREHOOK: query: create role r1
PREHOOK: type: CREATEROLE
POSTHOOK: query: create role r1
POSTHOOK: type: CREATEROLE
-PREHOOK: query: grant role r1 to user hive_test_user
+PREHOOK: query: grant role r1 to user hive_admin_user
PREHOOK: type: GRANT_ROLE
-POSTHOOK: query: grant role r1 to user hive_test_user
+POSTHOOK: query: grant role r1 to user hive_admin_user
POSTHOOK: type: GRANT_ROLE
PREHOOK: query: set role r1
PREHOOK: type: SHOW_ROLES
@@ -43,6 +47,10 @@ POSTHOOK: type: SHOW_ROLES
r1
PUBLIC
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
PREHOOK: query: drop role r1
PREHOOK: type: DROPROLE
POSTHOOK: query: drop role r1