Posted to commits@hive.apache.org by ha...@apache.org on 2014/02/23 18:33:20 UTC

svn commit: r1571029 - in /hive/trunk/ql/src: java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/ test/queries/clientnegative/ test/results/clientnegative/

Author: hashutosh
Date: Sun Feb 23 17:33:19 2014
New Revision: 1571029

URL: http://svn.apache.org/r1571029
Log:
HIVE-6474 : SQL std auth - only db owner should be allowed to create table within a db (Ashutosh Chauhan via Thejas Nair)

Added:
    hive/trunk/ql/src/test/queries/clientnegative/authorize_create_tbl.q
    hive/trunk/ql/src/test/results/clientnegative/authorize_create_tbl.q.out
Modified:
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java?rev=1571029&r1=1571028&r2=1571029&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java Sun Feb 23 17:33:19 2014
@@ -179,7 +179,7 @@ public class Operation2Privilege {
 
     // require db ownership, if there is a file require SELECT , INSERT, and DELETE
     op2Priv.put(HiveOperationType.CREATETABLE,
-        new InOutPrivs(OWNER_INS_SEL_DEL_NOGRANT_AR, null));
+        new InOutPrivs(OWNER_INS_SEL_DEL_NOGRANT_AR, OWNER_PRIV_AR));
 
     op2Priv.put(HiveOperationType.ALTERDATABASE, new InOutPrivs(OWNER_PRIV_AR, null));
     op2Priv.put(HiveOperationType.DESCDATABASE, new InOutPrivs(null, null));
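Review bot: The comment above the CREATETABLE mapping no longer says which side each requirement belongs to now that both the input and the output privilege arrays are set; `// input: a file URI (if any) needs SELECT, INSERT and DELETE; output: the target db needs OBJECT OWNERSHIP` would make the pairing explicit. Whether the output object for CREATETABLE is in fact the database depends on how the operation's output objects are built, which is outside this hunk, so the comment should be checked against that code before it is written.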

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java?rev=1571029&r1=1571028&r2=1571029&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java Sun Feb 23 17:33:19 2014
@@ -35,7 +35,10 @@ import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.fs.permission.FsAction;
 import org.apache.hadoop.hive.common.FileUtils;
 import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.metastore.HiveMetaStore;
 import org.apache.hadoop.hive.metastore.IMetaStoreClient;
+import org.apache.hadoop.hive.metastore.MetaStoreUtils;
+import org.apache.hadoop.hive.metastore.api.Database;
 import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
 import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
 import org.apache.hadoop.hive.metastore.api.HiveObjectType;
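Review bot: `HiveMetaStore` is imported on the new side but nothing in the visible hunks uses it; isOwner only references `MetaStoreUtils` and `Database`. If the rest of the file does not use it either, the import should be dropped so the change carries only the dependencies it needs.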
@@ -247,26 +250,40 @@ public class SQLAuthorizationUtils {
    */
   private static boolean isOwner(IMetaStoreClient metastoreClient, String userName,
       HivePrivilegeObject hivePrivObject) throws HiveAuthzPluginException {
-    //for now, check only table
-    if(hivePrivObject.getType() == HivePrivilegeObjectType.TABLE_OR_VIEW){
+    //for now, check only table & db
+    switch (hivePrivObject.getType()) {
+      case TABLE_OR_VIEW : {
       Table thriftTableObj = null;
       try {
         thriftTableObj = metastoreClient.getTable(hivePrivObject.getDbname(), hivePrivObject.getTableViewURI());
-      } catch (MetaException e) {
-        throwGetTableErr(e, hivePrivObject);
-      } catch (NoSuchObjectException e) {
-        throwGetTableErr(e, hivePrivObject);
-      } catch (TException e) {
-        throwGetTableErr(e, hivePrivObject);
+      } catch (Exception e) {
+        throwGetObjErr(e, hivePrivObject);
       }
       return userName.equals(thriftTableObj.getOwner());
     }
-    return false;
+      case DATABASE: {
+        if (MetaStoreUtils.DEFAULT_DATABASE_NAME.equalsIgnoreCase(hivePrivObject.getDbname())){
+          return true;
+        }
+        Database db = null;
+        try {
+          db = metastoreClient.getDatabase(hivePrivObject.getDbname());
+        } catch (Exception e) {
+          throwGetObjErr(e, hivePrivObject);
+        }
+        return userName.equals(db.getOwnerName());
+      }
+      case DFS_URI:
+      case LOCAL_URI:
+      case PARTITION:
+      default:
+        return false;
+    }
   }
 
-  private static void throwGetTableErr(Exception e, HivePrivilegeObject hivePrivObject)
+  private static void throwGetObjErr(Exception e, HivePrivilegeObject hivePrivObject)
       throws HiveAuthzPluginException {
-    String msg = "Error getting table object from metastore for" + hivePrivObject;
+    String msg = "Error getting object from metastore for " + hivePrivObject;
     throw new HiveAuthzPluginException(msg, e);
   }
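Review bot: The `default` database short-circuit at the top of the DATABASE case makes every principal an owner of that database for every ownership-gated check, not only CREATETABLE — with ALTERDATABASE mapped to OWNER_PRIV_AR in the other hunk, any user would pass the ownership check when altering the default database unless something outside this hunk blocks it. If the intent is only to keep CREATE TABLE in `default` open, that carve-out belongs with the CREATETABLE mapping, or at least needs a comment such as `// default db has no owner in the metastore; treat everyone as owner so table creation there keeps working`. The two `catch (Exception e)` clauses also now wrap runtime errors (a NullPointerException from a null db name, for instance) into HiveAuthzPluginException, hiding programming errors; `} catch (TException e) {` as before keeps the metastore failures and nothing else. `db.getOwnerName()` may be null for databases created before owner tracking, and `userName.equals(null)` then denies, which is correct, but `userName` itself is never null-checked and would throw instead of denying.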
 

Added: hive/trunk/ql/src/test/queries/clientnegative/authorize_create_tbl.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorize_create_tbl.q?rev=1571029&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorize_create_tbl.q (added)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorize_create_tbl.q Sun Feb 23 17:33:19 2014
@@ -0,0 +1,10 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+
+set hive.security.authorization.enabled=true;
+set user.name=user33;
+create database db23221;
+use db23221;
+
+set user.name=user44;
+create table twew221(a string);
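Review bot: The test only pins the denial path; nothing checks that user33, the database owner, can still create a table in db23221, nor that a non-owner can still create a table in the default database via the carve-out in isOwner. A clientpositive companion with `set user.name=user33;` followed by `create table t_owner(a string);` after the database creation, plus a create in `default` as user44, would pin both sides of the new rule and catch a regression that tightens the check too far.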

Added: hive/trunk/ql/src/test/results/clientnegative/authorize_create_tbl.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorize_create_tbl.q.out?rev=1571029&view=auto
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorize_create_tbl.q.out (added)
+++ hive/trunk/ql/src/test/results/clientnegative/authorize_create_tbl.q.out Sun Feb 23 17:33:19 2014
@@ -0,0 +1,9 @@
+PREHOOK: query: create database db23221
+PREHOOK: type: CREATEDATABASE
+POSTHOOK: query: create database db23221
+POSTHOOK: type: CREATEDATABASE
+PREHOOK: query: use db23221
+PREHOOK: type: SWITCHDATABASE
+POSTHOOK: query: use db23221
+POSTHOOK: type: SWITCHDATABASE
+FAILED: HiveAccessControlException Permission denied. Principal [name=user44, type=USER] does not have following privileges on Object [type=DATABASE, name=db23221] : [OBJECT OWNERSHIP]