Posted to commits@hive.apache.org by se...@apache.org on 2018/10/26 21:12:10 UTC
[60/75] [abbrv] hive git commit: HIVE-20420: Provide a fallback
authorizer when no other authorizer is in use (Daniel Dai,
reviewed by Laszlo Pinter, Thejas Nair)
HIVE-20420: Provide a fallback authorizer when no other authorizer is in use (Daniel Dai, reviewed by Laszlo Pinter, Thejas Nair)
Signed-off-by: Thejas M Nair <th...@hortonworks.com>
Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/1a1d6ca1
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/1a1d6ca1
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/1a1d6ca1
Branch: refs/heads/master-tez092
Commit: 1a1d6ca1bc3ae840238dc345fa1eb2c7c28c8cb0
Parents: 72349bb
Author: Daniel Dai <da...@gmail.com>
Authored: Tue Oct 23 16:30:41 2018 -0700
Committer: Daniel Dai <da...@gmail.com>
Committed: Tue Oct 23 16:31:25 2018 -0700
----------------------------------------------------------------------
ql/pom.xml | 13 +
.../plugin/SettableConfigUpdater.java | 2 +-
.../plugin/fallback/FallbackHiveAuthorizer.java | 253 +++++++++++++++++++
.../fallback/FallbackHiveAuthorizerFactory.java | 36 +++
.../clientnegative/fallbackauth_addjar.q | 4 +
.../clientnegative/fallbackauth_compile.q | 9 +
.../clientnegative/fallbackauth_create_func1.q | 5 +
.../clientnegative/fallbackauth_create_func2.q | 6 +
.../queries/clientnegative/fallbackauth_dfs.q | 4 +
.../fallbackauth_disallow_transform.q | 6 +
.../queries/clientnegative/fallbackauth_load.q | 15 ++
.../fallbackauth_set_invalidconf.q | 8 +
.../clientnegative/fallbackauth_addjar.q.out | 1 +
.../clientnegative/fallbackauth_compile.q.out | 1 +
.../fallbackauth_create_func1.q.out | 1 +
.../fallbackauth_create_func2.q.out | 1 +
.../clientnegative/fallbackauth_dfs.q.out | 1 +
.../fallbackauth_disallow_transform.q.out | 16 ++
.../clientnegative/fallbackauth_load.q.out | 9 +
.../fallbackauth_set_invalidconf.q.out | 7 +
20 files changed, 397 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/pom.xml
----------------------------------------------------------------------
diff --git a/ql/pom.xml b/ql/pom.xml
index d73deba..8c3e55e 100644
--- a/ql/pom.xml
+++ b/ql/pom.xml
@@ -904,6 +904,19 @@
<classifier>core</classifier>
</configuration>
</execution>
+ <execution>
+ <id>fallbackauthorizer-jar</id>
+ <phase>package</phase>
+ <goals>
+ <goal>jar</goal>
+ </goals>
+ <configuration>
+ <classifier>fallbackauthorizer</classifier>
+ <includes>
+ <include>org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/*.class</include>
+ </includes>
+ </configuration>
+ </execution>
</executions>
</plugin>
<plugin>
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java
index 12be41c..861fcde 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java
@@ -63,7 +63,7 @@ public class SettableConfigUpdater {
// if admin has already customized this list, honor that
String curBlackList = hiveConf.getVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST);
if (curBlackList == null || curBlackList.trim().isEmpty()) {
- hiveConf.setVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST, "reflect,reflect2,java_method");
+ hiveConf.setVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST, "reflect,reflect2,java_method,in_file");
}
}
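Review bot: The new `in_file` entry only reaches deployments whose blacklist is unset or blank, so an installation that has explicitly configured the previous three-entry default keeps the old list from this method; the commit compensates for that case only in FallbackHiveAuthorizer.applyAuthorizationConfigPolicy with an exact-string comparison against `"reflect,reflect2,java_method"`, which leaves any other caller of setHiveConfWhiteList (presumably the sqlstd authorizer) without the same upgrade. If that asymmetry is intended, a comment above the `if` such as `// in_file is blacklisted by default alongside the reflect UDFs; an explicitly configured legacy list is honored as-is` would document it; otherwise the legacy-default upgrade belongs here so every authorizer benefits. The enclosing method starts and ends outside the hunk.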
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java
new file mode 100644
index 0000000..10cf4d4
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java
@@ -0,0 +1,253 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.fallback;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.parse.SemanticException;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.AbstractHiveAuthorizer;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.SettableConfigUpdater;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.Operation2Privilege;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLAuthorizationUtils;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLPrivTypeGrant;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+public class FallbackHiveAuthorizer extends AbstractHiveAuthorizer {
+ private static final Log LOG = LogFactory.getLog(FallbackHiveAuthorizer.class);
+
+ private final HiveAuthzSessionContext sessionCtx;
+ private final HiveAuthenticationProvider authenticator;
+ private String[] admins = null;
+
+ FallbackHiveAuthorizer(HiveConf hiveConf, HiveAuthenticationProvider hiveAuthenticator,
+ HiveAuthzSessionContext ctx) {
+ this.authenticator = hiveAuthenticator;
+ this.sessionCtx = applyTestSettings(ctx, hiveConf);
+ String adminString = hiveConf.getVar(HiveConf.ConfVars.USERS_IN_ADMIN_ROLE);
+ if (adminString != null) {
+ admins = hiveConf.getVar(HiveConf.ConfVars.USERS_IN_ADMIN_ROLE).split(",");
+ }
+ }
+
+ /**
+ * Change the session context based on configuration to aid in testing of sql
+ * std auth
+ *
+ * @param ctx
+ * @param conf
+ * @return
+ */
+ static HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext ctx, HiveConf conf) {
+ if (conf.getBoolVar(HiveConf.ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE)
+ && ctx.getClientType() == HiveAuthzSessionContext.CLIENT_TYPE.HIVECLI) {
+ // create new session ctx object with HS2 as client type
+ HiveAuthzSessionContext.Builder ctxBuilder = new HiveAuthzSessionContext.Builder(ctx);
+ ctxBuilder.setClientType(HiveAuthzSessionContext.CLIENT_TYPE.HIVESERVER2);
+ return ctxBuilder.build();
+ }
+ return ctx;
+ }
+
+ @Override
+ public VERSION getVersion() {
+ return VERSION.V1;
+ }
+
+ @Override
+ public void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
+ HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean
+ grantOption) throws HiveAuthzPluginException {
+ throw new HiveAuthzPluginException("grantPrivileges not implemented in FallbackHiveAuthorizer");
+ }
+
+ @Override
+ public void revokePrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
+ HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean
+ grantOption) throws HiveAuthzPluginException {
+ throw new HiveAuthzPluginException("revokePrivileges not implemented in FallbackHiveAuthorizer");
+ }
+
+ @Override
+ public void createRole(String roleName, HivePrincipal adminGrantor) throws HiveAuthzPluginException {
+ throw new HiveAuthzPluginException("createRole not implemented in FallbackHiveAuthorizer");
+ }
+
+ @Override
+ public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
+ throw new HiveAuthzPluginException("dropRole not implemented in FallbackHiveAuthorizer");
+ }
+
+ @Override
+ public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException,
+ HiveAccessControlException {
+ throw new HiveAuthzPluginException("getPrincipalGrantInfoForRole not implemented in FallbackHiveAuthorizer");
+ }
+
+ @Override
+ public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException,
+ HiveAccessControlException {
+ throw new HiveAuthzPluginException("getRoleGrantInfoForPrincipal not implemented in FallbackHiveAuthorizer");
+ }
+
+ @Override
+ public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption, HivePrincipal
+ grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException {
+ throw new HiveAuthzPluginException("grantRole not implemented in FallbackHiveAuthorizer");
+ }
+
+ @Override
+ public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption, HivePrincipal
+ grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException {
+ throw new HiveAuthzPluginException("revokeRole not implemented in FallbackHiveAuthorizer");
+ }
+
+ @Override
+ public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
+ List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws
+ HiveAuthzPluginException, HiveAccessControlException {
+ String userName = authenticator.getUserName();
+ // check privileges on input and output objects
+ List<String> deniedMessages = new ArrayList<>();
+ checkPrivileges(hiveOpType, inputHObjs, userName, Operation2Privilege.IOType.INPUT, deniedMessages);
+ checkPrivileges(hiveOpType, outputHObjs, userName, Operation2Privilege.IOType.OUTPUT, deniedMessages);
+
+ SQLAuthorizationUtils.assertNoDeniedPermissions(new HivePrincipal(userName,
+ HivePrincipal.HivePrincipalType.USER), hiveOpType, deniedMessages);
+ }
+
+ // Adapted from SQLStdHiveAuthorizationValidator, only check privileges for LOAD/ADD/DFS/COMPILE and admin privileges
+ private void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> hiveObjects,
+ String userName, Operation2Privilege.IOType ioType, List<String> deniedMessages) {
+
+ if (hiveObjects == null) {
+ return;
+ }
+ if (admins != null && Arrays.stream(admins).parallel().anyMatch(n -> n.equals(userName))) {
+ return; // Skip rest of checks if user is admin
+ }
+
+ // Special-casing for ADMIN-level operations that do not require object checking.
+ if (Operation2Privilege.isAdminPrivOperation(hiveOpType)) {
+ // Require ADMIN privilege
+ deniedMessages.add(SQLPrivTypeGrant.ADMIN_PRIV.toString() + " on " + ioType);
+ return; // Ignore object, fail if not admin, succeed if admin.
+ }
+
+ boolean needAdmin = false;
+ for (HivePrivilegeObject hiveObj : hiveObjects) {
+ // If involving local file system
+ if (hiveObj.getType() == HivePrivilegeObject.HivePrivilegeObjectType.LOCAL_URI) {
+ needAdmin = true;
+ break;
+ }
+ }
+ if (!needAdmin) {
+ switch (hiveOpType) {
+ case ADD:
+ case DFS:
+ case COMPILE:
+ needAdmin = true;
+ break;
+ default:
+ break;
+ }
+ }
+ if (needAdmin) {
+ deniedMessages.add("ADMIN");
+ }
+ }
+
+ @Override
+ public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs, HiveAuthzContext context) {
+ return listObjs;
+ }
+
+ @Override
+ public List<String> getAllRoles() throws HiveAuthzPluginException {
+ throw new HiveAuthzPluginException("getAllRoles not implemented in FallbackHiveAuthorizer");
+ }
+
+ @Override
+ public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) throws
+ HiveAuthzPluginException {
+ throw new HiveAuthzPluginException("showPrivileges not implemented in FallbackHiveAuthorizer");
+ }
+
+ @Override
+ public void setCurrentRole(String roleName) throws HiveAuthzPluginException {
+ throw new HiveAuthzPluginException("setCurrentRole not implemented in FallbackHiveAuthorizer");
+ }
+
+ @Override
+ public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
+ throw new HiveAuthzPluginException("getCurrentRoleNames not implemented in FallbackHiveAuthorizer");
+ }
+
+ @Override
+ public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
+ // from SQLStdHiveAccessController.applyAuthorizationConfigPolicy()
+ if (sessionCtx.getClientType() == HiveAuthzSessionContext.CLIENT_TYPE.HIVESERVER2
+ && hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
+
+ // Configure PREEXECHOOKS with DisallowTransformHook to disallow transform queries
+ String hooks = hiveConf.getVar(HiveConf.ConfVars.PREEXECHOOKS).trim();
+ if (hooks.isEmpty()) {
+ hooks = DisallowTransformHook.class.getName();
+ } else {
+ hooks = hooks + "," + DisallowTransformHook.class.getName();
+ }
+ LOG.debug("Configuring hooks : " + hooks);
+ hiveConf.setVar(HiveConf.ConfVars.PREEXECHOOKS, hooks);
+
+ SettableConfigUpdater.setHiveConfWhiteList(hiveConf);
+ String curBlackList = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST);
+ if (curBlackList != null && curBlackList.trim().equals("reflect,reflect2,java_method")) {
+ hiveConf.setVar(HiveConf.ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST, "reflect,reflect2,java_method,in_file");
+ }
+
+ }
+ }
+
+ @Override
+ public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext context, List<HivePrivilegeObject>
+ privObjs) throws SemanticException {
+ return privObjs;
+ }
+
+ @Override
+ public boolean needTransform() {
+ return false;
+ }
+}
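Review bot: The admin list built in the constructor (lines 147–150) is split on "," without trimming, so a USERS_IN_ADMIN_ROLE value such as `alice, bob` leaves `" bob"` in `admins` and the `n.equals(userName)` test in the private `checkPrivileges` never matches that user, who is then treated as non-admin; the second `getVar` call there also re-reads a value already held in `adminString`. I would replace line 149 with `admins = Arrays.stream(adminString.split(",")).map(String::trim).filter(s -> !s.isEmpty()).toArray(String[]::new);` and drop `.parallel()` from the `anyMatch` on line 246, which buys nothing for a handful of names. In `applyAuthorizationConfigPolicy`, `DisallowTransformHook` is appended to `PREEXECHOOKS` unconditionally, so if the policy is applied more than once to the same conf the hook name is duplicated; a `hooks.contains(DisallowTransformHook.class.getName())` guard would make it idempotent (presumably harmless today, but worth confirming). The class also lacks a Javadoc stating its scope — I would add one saying that it requires ADMIN only for operations with a LOCAL_URI object, for ADD/DFS/COMPILE and for operations where Operation2Privilege.isAdminPrivOperation holds, and permits everything else without object checks — and the applyTestSettings Javadoc carries empty @param/@return tags that should either be filled in or removed.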
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizerFactory.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizerFactory.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizerFactory.java
new file mode 100644
index 0000000..4dae8d3
--- /dev/null
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizerFactory.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.fallback;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
+
+public class FallbackHiveAuthorizerFactory implements HiveAuthorizerFactory {
+ @Override
+ public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
+ HiveConf conf, HiveAuthenticationProvider authenticator,
+ HiveAuthzSessionContext ctx) {
+ return new FallbackHiveAuthorizer(conf, authenticator, ctx);
+ }
+}
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/test/queries/clientnegative/fallbackauth_addjar.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/fallbackauth_addjar.q b/ql/src/test/queries/clientnegative/fallbackauth_addjar.q
new file mode 100644
index 0000000..c91d28f
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/fallbackauth_addjar.q
@@ -0,0 +1,4 @@
+set hive.security.authorization.enabled=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
+
+add jar dummy.jar
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/test/queries/clientnegative/fallbackauth_compile.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/fallbackauth_compile.q b/ql/src/test/queries/clientnegative/fallbackauth_compile.q
new file mode 100644
index 0000000..bf62264
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/fallbackauth_compile.q
@@ -0,0 +1,9 @@
+set hive.security.authorization.enabled=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
+
+compile `import org.apache.hadoop.hive.ql.exec.UDF \;
+public class Pyth extends UDF {
+ public double evaluate(double a, double b){
+ return Math.sqrt((a*a) + (b*b)) \;
+ }
+} ` AS GROOVY NAMED Pyth.groovy;
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/test/queries/clientnegative/fallbackauth_create_func1.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/fallbackauth_create_func1.q b/ql/src/test/queries/clientnegative/fallbackauth_create_func1.q
new file mode 100644
index 0000000..7d4fd42
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/fallbackauth_create_func1.q
@@ -0,0 +1,5 @@
+set hive.security.authorization.enabled=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
+
+-- permanent function creation should fail for non-admin roles
+create function perm_fn as 'org.apache.hadoop.hive.ql.udf.UDFAscii';
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/test/queries/clientnegative/fallbackauth_create_func2.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/fallbackauth_create_func2.q b/ql/src/test/queries/clientnegative/fallbackauth_create_func2.q
new file mode 100644
index 0000000..fc371d9
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/fallbackauth_create_func2.q
@@ -0,0 +1,6 @@
+set hive.security.authorization.enabled=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
+
+-- temp function creation should fail for non-admin roles
+create temporary function temp_fn as 'org.apache.hadoop.hive.ql.udf.UDFAscii';
+
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/test/queries/clientnegative/fallbackauth_dfs.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/fallbackauth_dfs.q b/ql/src/test/queries/clientnegative/fallbackauth_dfs.q
new file mode 100644
index 0000000..da0ac80
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/fallbackauth_dfs.q
@@ -0,0 +1,4 @@
+set hive.security.authorization.enabled=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
+
+dfs -ls;
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/test/queries/clientnegative/fallbackauth_disallow_transform.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/fallbackauth_disallow_transform.q b/ql/src/test/queries/clientnegative/fallbackauth_disallow_transform.q
new file mode 100644
index 0000000..eb9f680
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/fallbackauth_disallow_transform.q
@@ -0,0 +1,6 @@
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.security.authorization.enabled=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
+
+create table t1(i int);
+SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM t1;
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/test/queries/clientnegative/fallbackauth_load.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/fallbackauth_load.q b/ql/src/test/queries/clientnegative/fallbackauth_load.q
new file mode 100644
index 0000000..10db24c
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/fallbackauth_load.q
@@ -0,0 +1,15 @@
+set hive.security.authorization.enabled=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
+
+!cp ../../data/files/kv1.txt .;
+
+create table fallbackauthload(c1 string, c2 string);
+
+!chmod 777 kv1.txt;
+load data local inpath 'kv1.txt' into table fallbackauthload;
+
+!chmod 755 kv1.txt;
+load data local inpath 'kv1.txt' into table fallbackauthload;
+
+!rm kv1.txt;
+drop table fallbackauthload;
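Review bot: The cleanup at the end of fallbackauth_load.q (`!rm kv1.txt;` and `drop table fallbackauthload;`) is never reached, because the expected output for this negative test stops at the first `load data local inpath` with an ADMIN denial, so the copied kv1.txt is left in the working directory and the table persists for any later test in the same session (assuming the harness aborts at the first failing statement, as the .q.out suggests). The `!chmod 777` / `!chmod 755` pair and the second load look carried over from an sqlstd test where file permissions decide the outcome; under this authorizer the denial presumably comes from the LOCAL_URI object regardless of mode, so a single load after the copy exercises the same path. Consider dropping the unreachable tail and the duplicate load so the script documents exactly what it tests.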
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/test/queries/clientnegative/fallbackauth_set_invalidconf.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/fallbackauth_set_invalidconf.q b/ql/src/test/queries/clientnegative/fallbackauth_set_invalidconf.q
new file mode 100644
index 0000000..4ebf276
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/fallbackauth_set_invalidconf.q
@@ -0,0 +1,8 @@
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.security.authorization.enabled=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
+
+-- run a sql query to initialize authorization, then try setting a allowed config and then a disallowed config param
+use default;
+set hive.optimize.listbucketing=true;
+set hive.security.authorization.enabled=true;
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/test/results/clientnegative/fallbackauth_addjar.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/fallbackauth_addjar.q.out b/ql/src/test/results/clientnegative/fallbackauth_addjar.q.out
new file mode 100644
index 0000000..2aae669
--- /dev/null
+++ b/ql/src/test/results/clientnegative/fallbackauth_addjar.q.out
@@ -0,0 +1 @@
+Query returned non-zero code: 1, cause: Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation ADD [ADMIN]
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/test/results/clientnegative/fallbackauth_compile.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/fallbackauth_compile.q.out b/ql/src/test/results/clientnegative/fallbackauth_compile.q.out
new file mode 100644
index 0000000..5699efe
--- /dev/null
+++ b/ql/src/test/results/clientnegative/fallbackauth_compile.q.out
@@ -0,0 +1 @@
+Query returned non-zero code: 1, cause: Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation COMPILE [ADMIN]
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/test/results/clientnegative/fallbackauth_create_func1.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/fallbackauth_create_func1.q.out b/ql/src/test/results/clientnegative/fallbackauth_create_func1.q.out
new file mode 100644
index 0000000..b2532eb
--- /dev/null
+++ b/ql/src/test/results/clientnegative/fallbackauth_create_func1.q.out
@@ -0,0 +1 @@
+FAILED: HiveAccessControlException Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation CREATEFUNCTION [ADMIN PRIVILEGE on INPUT, ADMIN PRIVILEGE on OUTPUT]
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/test/results/clientnegative/fallbackauth_create_func2.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/fallbackauth_create_func2.q.out b/ql/src/test/results/clientnegative/fallbackauth_create_func2.q.out
new file mode 100644
index 0000000..b2532eb
--- /dev/null
+++ b/ql/src/test/results/clientnegative/fallbackauth_create_func2.q.out
@@ -0,0 +1 @@
+FAILED: HiveAccessControlException Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation CREATEFUNCTION [ADMIN PRIVILEGE on INPUT, ADMIN PRIVILEGE on OUTPUT]
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/test/results/clientnegative/fallbackauth_dfs.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/fallbackauth_dfs.q.out b/ql/src/test/results/clientnegative/fallbackauth_dfs.q.out
new file mode 100644
index 0000000..9f4a71b
--- /dev/null
+++ b/ql/src/test/results/clientnegative/fallbackauth_dfs.q.out
@@ -0,0 +1 @@
+Query returned non-zero code: 1, cause: Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation DFS [ADMIN]
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/test/results/clientnegative/fallbackauth_disallow_transform.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/fallbackauth_disallow_transform.q.out b/ql/src/test/results/clientnegative/fallbackauth_disallow_transform.q.out
new file mode 100644
index 0000000..1ac04db
--- /dev/null
+++ b/ql/src/test/results/clientnegative/fallbackauth_disallow_transform.q.out
@@ -0,0 +1,16 @@
+PREHOOK: query: create table t1(i int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+PREHOOK: Output: default@t1
+POSTHOOK: query: create table t1(i int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@t1
+PREHOOK: query: SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM t1
+PREHOOK: type: QUERY
+PREHOOK: Input: default@t1
+#### A masked pattern was here ####
+FAILED: Hive Internal Error: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException(Query with transform clause is disallowed in current configuration.)
+org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Query with transform clause is disallowed in current configuration.
+#### A masked pattern was here ####
+
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/test/results/clientnegative/fallbackauth_load.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/fallbackauth_load.q.out b/ql/src/test/results/clientnegative/fallbackauth_load.q.out
new file mode 100644
index 0000000..d2bcafc
--- /dev/null
+++ b/ql/src/test/results/clientnegative/fallbackauth_load.q.out
@@ -0,0 +1,9 @@
+PREHOOK: query: create table fallbackauthload(c1 string, c2 string)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+PREHOOK: Output: default@fallbackauthload
+POSTHOOK: query: create table fallbackauthload(c1 string, c2 string)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@fallbackauthload
+FAILED: HiveAccessControlException Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation LOAD [ADMIN]
http://git-wip-us.apache.org/repos/asf/hive/blob/1a1d6ca1/ql/src/test/results/clientnegative/fallbackauth_set_invalidconf.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/fallbackauth_set_invalidconf.q.out b/ql/src/test/results/clientnegative/fallbackauth_set_invalidconf.q.out
new file mode 100644
index 0000000..dd6092b
--- /dev/null
+++ b/ql/src/test/results/clientnegative/fallbackauth_set_invalidconf.q.out
@@ -0,0 +1,7 @@
+PREHOOK: query: use default
+PREHOOK: type: SWITCHDATABASE
+PREHOOK: Input: database:default
+POSTHOOK: query: use default
+POSTHOOK: type: SWITCHDATABASE
+POSTHOOK: Input: database:default
+Query returned non-zero code: 1, cause: Cannot modify hive.security.authorization.enabled at runtime. It is not in list of params that are allowed to be modified at runtime