Posted to commits@hive.apache.org by ha...@apache.org on 2014/02/23 18:33:20 UTC
svn commit: r1571029 - in /hive/trunk/ql/src:
java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/
test/queries/clientnegative/ test/results/clientnegative/
Author: hashutosh
Date: Sun Feb 23 17:33:19 2014
New Revision: 1571029
URL: http://svn.apache.org/r1571029
Log:
HIVE-6474 : SQL std auth - only db owner should be allowed to create table within a db (Ashutosh Chauhan via Thejas Nair)
Added:
hive/trunk/ql/src/test/queries/clientnegative/authorize_create_tbl.q
hive/trunk/ql/src/test/results/clientnegative/authorize_create_tbl.q.out
Modified:
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java?rev=1571029&r1=1571028&r2=1571029&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java Sun Feb 23 17:33:19 2014
@@ -179,7 +179,7 @@ public class Operation2Privilege {
// require db ownership, if there is a file require SELECT , INSERT, and DELETE
op2Priv.put(HiveOperationType.CREATETABLE,
- new InOutPrivs(OWNER_INS_SEL_DEL_NOGRANT_AR, null));
+ new InOutPrivs(OWNER_INS_SEL_DEL_NOGRANT_AR, OWNER_PRIV_AR));
op2Priv.put(HiveOperationType.ALTERDATABASE, new InOutPrivs(OWNER_PRIV_AR, null));
op2Priv.put(HiveOperationType.DESCDATABASE, new InOutPrivs(null, null));
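Review bot: The comment above the CREATETABLE entry does not say which side carries which requirement now that the output privilege is `OWNER_PRIV_AR`: ownership is checked on the output object (the target database) while the SELECT/INSERT/DELETE requirement applies to an input file object, and a reader of this table cannot tell that from the comment. Suggest `// output: ownership of the target db; input (only if a file is given): SELECT, INSERT, DELETE on it`. It is also worth noting here that SQLAuthorizationUtils.isOwner, changed in this same commit, treats every user as owner of the default database, so the ownership requirement is not enforced for tables created there.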
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java?rev=1571029&r1=1571028&r2=1571029&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java Sun Feb 23 17:33:19 2014
@@ -35,7 +35,10 @@ import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.hive.common.FileUtils;
import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.metastore.HiveMetaStore;
import org.apache.hadoop.hive.metastore.IMetaStoreClient;
+import org.apache.hadoop.hive.metastore.MetaStoreUtils;
+import org.apache.hadoop.hive.metastore.api.Database;
import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
import org.apache.hadoop.hive.metastore.api.HiveObjectType;
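Review bot: The new `import org.apache.hadoop.hive.metastore.HiveMetaStore;` is not referenced by the code added in this commit, which uses only `MetaStoreUtils.DEFAULT_DATABASE_NAME` and `Database`; unless it is used elsewhere in the file it should be dropped so the authorization utility does not pick up a dependency on the metastore server class.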
@@ -247,26 +250,40 @@ public class SQLAuthorizationUtils {
*/
private static boolean isOwner(IMetaStoreClient metastoreClient, String userName,
HivePrivilegeObject hivePrivObject) throws HiveAuthzPluginException {
- //for now, check only table
- if(hivePrivObject.getType() == HivePrivilegeObjectType.TABLE_OR_VIEW){
+ //for now, check only table & db
+ switch (hivePrivObject.getType()) {
+ case TABLE_OR_VIEW : {
Table thriftTableObj = null;
try {
thriftTableObj = metastoreClient.getTable(hivePrivObject.getDbname(), hivePrivObject.getTableViewURI());
- } catch (MetaException e) {
- throwGetTableErr(e, hivePrivObject);
- } catch (NoSuchObjectException e) {
- throwGetTableErr(e, hivePrivObject);
- } catch (TException e) {
- throwGetTableErr(e, hivePrivObject);
+ } catch (Exception e) {
+ throwGetObjErr(e, hivePrivObject);
}
return userName.equals(thriftTableObj.getOwner());
}
- return false;
+ case DATABASE: {
+ if (MetaStoreUtils.DEFAULT_DATABASE_NAME.equalsIgnoreCase(hivePrivObject.getDbname())){
+ return true;
+ }
+ Database db = null;
+ try {
+ db = metastoreClient.getDatabase(hivePrivObject.getDbname());
+ } catch (Exception e) {
+ throwGetObjErr(e, hivePrivObject);
+ }
+ return userName.equals(db.getOwnerName());
+ }
+ case DFS_URI:
+ case LOCAL_URI:
+ case PARTITION:
+ default:
+ return false;
+ }
}
- private static void throwGetTableErr(Exception e, HivePrivilegeObject hivePrivObject)
+ private static void throwGetObjErr(Exception e, HivePrivilegeObject hivePrivObject)
throws HiveAuthzPluginException {
- String msg = "Error getting table object from metastore for" + hivePrivObject;
+ String msg = "Error getting object from metastore for " + hivePrivObject;
throw new HiveAuthzPluginException(msg, e);
}
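Review bot: The broadened `catch (Exception e)` around both metastore calls now also wraps RuntimeExceptions (for example a NullPointerException from a null db name) into a HiveAuthzPluginException, whereas the replaced code caught only MetaException, NoSuchObjectException and TException; since the first two are TException subtypes, `catch (TException e) { throwGetObjErr(e, hivePrivObject); }` keeps the original scope in a single clause. The DATABASE branch returns true for every user on the default database, which means the new CREATETABLE ownership requirement in Operation2Privilege.java is silently not enforced there; the `//for now, check only table & db` comment should state this explicitly, e.g. `// the default database is exempt: every user is treated as its owner`. The owner comparison `userName.equals(db.getOwnerName())` matches on name only; if the Database object at this revision also carries an owner type (user vs. role), the check should require a user-type owner before comparing names, otherwise a user whose name equals an owning role's name would be treated as owner. The Javadoc for isOwner begins outside the hunk.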
Added: hive/trunk/ql/src/test/queries/clientnegative/authorize_create_tbl.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorize_create_tbl.q?rev=1571029&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorize_create_tbl.q (added)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorize_create_tbl.q Sun Feb 23 17:33:19 2014
@@ -0,0 +1,10 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+
+set hive.security.authorization.enabled=true;
+set user.name=user33;
+create database db23221;
+use db23221;
+
+set user.name=user44;
+create table twew221(a string);
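Review bot: The test exercises only the denial path (user44, not the owner, is refused); there is no companion positive case confirming that the owner user33 can still create a table in db23221, nor one covering the default database, which isOwner exempts from the ownership check in this commit. A clientpositive counterpart with `set user.name=user33;` followed by `create table t_owner(a string);` in db23221 would pin the intended behaviour from both sides.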
Added: hive/trunk/ql/src/test/results/clientnegative/authorize_create_tbl.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorize_create_tbl.q.out?rev=1571029&view=auto
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorize_create_tbl.q.out (added)
+++ hive/trunk/ql/src/test/results/clientnegative/authorize_create_tbl.q.out Sun Feb 23 17:33:19 2014
@@ -0,0 +1,9 @@
+PREHOOK: query: create database db23221
+PREHOOK: type: CREATEDATABASE
+POSTHOOK: query: create database db23221
+POSTHOOK: type: CREATEDATABASE
+PREHOOK: query: use db23221
+PREHOOK: type: SWITCHDATABASE
+POSTHOOK: query: use db23221
+POSTHOOK: type: SWITCHDATABASE
+FAILED: HiveAccessControlException Permission denied. Principal [name=user44, type=USER] does not have following privileges on Object [type=DATABASE, name=db23221] : [OBJECT OWNERSHIP]