Posted to commits@sentry.apache.org by br...@apache.org on 2014/02/25 03:52:45 UTC
[02/26] git commit: SENTRY-78: UDFs can't be referenced in a CTAS
when Sentry is enabled for Hive
SENTRY-78: UDFs can't be referenced in a CTAS when Sentry is enabled for Hive
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/4baffe9b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/4baffe9b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/4baffe9b
Branch: refs/heads/db_policy_store
Commit: 4baffe9b4182d54a69a7ff7c3765212bb92becd8
Parents: 5601cdd
Author: Shreepadma Venugopalan <sh...@apache.org>
Authored: Thu Dec 26 15:53:51 2013 -0800
Committer: Shreepadma Venugopalan <sh...@apache.org>
Committed: Thu Dec 26 15:53:51 2013 -0800
----------------------------------------------------------------------
.../apache/sentry/binding/hive/HiveAuthzBindingHook.java | 9 +++++++++
.../tests/e2e/hive/TestPrivilegesAtDatabaseScope.java | 4 ++++
2 files changed, 13 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/4baffe9b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 7f9560f..0dd28b7 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -370,6 +370,15 @@ implements HiveDriverFilterHook {
}
for(ReadEntity readEntity:inputs) {
+ // If this is a UDF, then check whether its allowed to be executed
+ // TODO: when we support execute privileges on UDF, this can be removed.
+ if (isUDF(readEntity)) {
+ if (isBuiltinUDF(readEntity)) {
+ checkUDFWhiteList(readEntity.getUDF().getDisplayName());
+ }
+ continue;
+ }
+
List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>();
entityHierarchy.add(hiveAuthzBinding.getAuthServer());
entityHierarchy.addAll(getAuthzHierarchyFromEntity(readEntity));
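Review bot: The added `continue` in the `isUDF(readEntity)` branch runs for every UDF, but `checkUDFWhiteList` is called only when `isBuiltinUDF(readEntity)` is true, so a non-builtin function entity leaves this iteration with no authorization check at all. Whether such functions are gated elsewhere (for example when they are registered) is not visible in this hunk; if they are not, this is a fail-open path in the authorization hook. Either fail closed for the non-builtin case or record the assumption beside the branch, e.g. `// Non-builtin UDFs are authorized at <where>; skipped here because they have no DB/table hierarchy`. The enclosing method starts and ends outside the hunk.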
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/4baffe9b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
index 82d73e5..8c145ca 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtDatabaseScope.java
@@ -107,6 +107,10 @@ public class TestPrivilegesAtDatabaseScope extends AbstractTestWithStaticConfigu
statement.execute("CREATE TABLE DB_1.TAB_2(A STRING)");
statement.execute("LOAD DATA LOCAL INPATH '" + dataFile.getPath() + "' INTO TABLE DB_1.TAB_2");
+ // test CTAS can reference UDFs
+ statement.execute("USE DB_1");
+ statement.execute("create table table2 as select A, count(A) from TAB_1 GROUP BY A");
+
// test user can switch db
statement.execute("USE DB_1");
//test user can create view
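Review bot: The new CTAS statement uses only `count(A)`, a builtin aggregate, so the block commented `// test CTAS can reference UDFs` covers the allowed path alone. A negative case is missing: a CTAS that calls a builtin function outside the whitelist should be asserted to fail, otherwise a regression that lets the new branch skip `checkUDFWhiteList` would still pass. How the whitelist is configured for this test class is not visible here, so the rejected function name has to come from that configuration. The test method continues outside the hunk.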