Posted to commits@sentry.apache.org by pr...@apache.org on 2015/04/30 09:37:56 UTC

incubator-sentry git commit: SENTRY-702: Hive binding should support RELOAD command (Dapeng Sun via Prasad Mujumdar)

Repository: incubator-sentry
Updated Branches:
  refs/heads/master 16ef2c3bd -> 0b8d822ba


SENTRY-702: Hive binding should support RELOAD command (Dapeng Sun via Prasad Mujumdar)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/0b8d822b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/0b8d822b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/0b8d822b

Branch: refs/heads/master
Commit: 0b8d822ba3b88998aca0046780fe4f28bbcba48a
Parents: 16ef2c3
Author: Prasad Mujumdar <pr...@cloudera.com>
Authored: Thu Apr 30 00:37:46 2015 -0700
Committer: Prasad Mujumdar <pr...@cloudera.com>
Committed: Thu Apr 30 00:37:46 2015 -0700

----------------------------------------------------------------------
 .../hive/HiveAuthzBindingSessionHook.java       |  9 +++-
 .../sentry/binding/hive/conf/HiveAuthzConf.java |  4 ++
 .../tests/e2e/hive/TestReloadPrivileges.java    | 54 ++++++++++++++++++++
 3 files changed, 65 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0b8d822b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
index 0fa4a87..a51653c 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
@@ -57,6 +57,7 @@ public class HiveAuthzBindingSessionHook
     ConfVars.HIVE_SECURITY_COMMAND_WHITELIST.varname,
     ConfVars.HIVE_AUTHORIZATION_TASK_FACTORY.varname,
     ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY.varname,
+    ConfVars.HIVERELOADABLEJARS.varname,
     HiveAuthzConf.HIVE_ACCESS_CONF_URL,
     HiveAuthzConf.HIVE_SENTRY_CONF_URL,
     HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME,
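Review bot: The new `ConfVars.HIVERELOADABLEJARS.varname` entry carries no comment saying why it is restricted, and the reason cannot be read from the list alone. It appears to be the control that stops a session from repointing the jar path that the newly whitelisted `reload` command reads, so the entry and the whitelist default depend on each other. I would add `// restricted because RELOAD is whitelisted: users must not repoint the reloadable jar path` above the entry so a later cleanup does not drop one without the other. The array this entry belongs to starts and ends outside the hunk.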
@@ -95,7 +96,7 @@ public class HiveAuthzBindingSessionHook
    * 2. Set additional config properties required for auth
    *      set HIVE_EXTENDED_ENITITY_CAPTURE = true
    *      set SCRATCHDIRPERMISSION = 700
-   * 3. Add sensetive config parameters to the config restrict list so that they can't be overridden by users
+   * 3. Add sensitive config parameters to the config restrict list so that they can't be overridden by users
    */
   @Override
   public void run(HiveSessionHookContext sessionHookContext) throws HiveSQLException {
@@ -104,7 +105,11 @@ public class HiveAuthzBindingSessionHook
 
     appendConfVar(sessionConf, ConfVars.SEMANTIC_ANALYZER_HOOK.varname,
         SEMANTIC_HOOK);
-    sessionConf.setVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST, "set");
+    HiveAuthzConf authzConf = HiveAuthzBindingHook.loadAuthzConf(sessionConf);
+    String commandWhitelist =
+        authzConf.get(HiveAuthzConf.HIVE_SENTRY_SECURITY_COMMAND_WHITELIST,
+            HiveAuthzConf.HIVE_SENTRY_SECURITY_COMMAND_WHITELIST_DEFAULT);
+    sessionConf.setVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST, commandWhitelist);
     sessionConf.setVar(ConfVars.SCRATCHDIRPERMISSION, SCRATCH_DIR_PERMISSIONS);
     sessionConf.setBoolVar(ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY, true);
 
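Review bot: The string read from `HiveAuthzConf.HIVE_SENTRY_SECURITY_COMMAND_WHITELIST` goes straight into `sessionConf.setVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST, commandWhitelist)` with no trimming, validation or logging. An empty or mistyped value, or one that adds further non-SQL commands, therefore changes what every session may run outside the semantic-analyzer hook without leaving a trace. The default also widens the previous hard-coded `set` to `set,reset,reload`, which deserves a comment such as `// Non-SQL commands listed here are not checked by the Sentry semantic hook; keep the list minimal`, plus a log line recording the effective list at session start. `loadAuthzConf(sessionConf)` now runs on every session open; whether it can fail with something other than `HiveSQLException`, and whether `sessionConf` can already hold client-supplied values at this point, is not visible here and should be confirmed. The body of `run` continues outside the hunk.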

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0b8d822b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
index 0a3b509..f02ce9a 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
@@ -47,6 +47,10 @@ public class HiveAuthzConf extends Configuration {
    */
   public static final String SENTRY_ACTIVE_ROLE_SET = "hive.sentry.active.role.set";
 
+  public static final String HIVE_SENTRY_SECURITY_COMMAND_WHITELIST =
+      "hive.sentry.security.command.whitelist";
+  public static final String HIVE_SENTRY_SECURITY_COMMAND_WHITELIST_DEFAULT =
+      "set,reset,reload";
 
   /**
    * Config setting definitions
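Review bot: The two new constants have no Javadoc, while the neighbouring `SENTRY_ACTIVE_ROLE_SET` is preceded by a doc comment. Because this key decides which non-SQL commands a session may run, it should say so where it is defined, for example `/** Comma-separated non-SQL Hive commands a session may run; copied into hive.security.command.whitelist by the session hook. */` on the key, and a short note on the default explaining why `reset` and `reload` are considered safe. The added blank line before the `Config setting definitions` comment leaves two consecutive empty lines and can be dropped.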

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0b8d822b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java
new file mode 100644
index 0000000..6d4e8d3
--- /dev/null
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.tests.e2e.hive;
+
+import java.sql.Connection;
+import java.sql.Statement;
+
+import org.apache.sentry.provider.file.PolicyFile;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestReloadPrivileges extends AbstractTestWithStaticConfiguration {
+  private PolicyFile policyFile;
+
+  @BeforeClass
+  public static void setupTestStaticConfiguration() throws Exception {
+    AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
+  }
+
+  @Before
+  public void setup() throws Exception {
+    policyFile =
+        PolicyFile.setAdminOnServer1(ADMINGROUP).setUserGroupMapping(
+            StaticUserGroup.getStaticMapping());
+    writePolicyFile(policyFile);
+  }
+
+  @Test
+  public void testReload() throws Exception {
+    Connection connection = context.createConnection(USER1_1);
+    Statement statement = context.createStatement(connection);
+    statement.execute("RELOAD");
+    statement.close();
+    connection.close();
+  }
+
+}
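Review bot: `testReload` only shows that `RELOAD` succeeds for `USER1_1`; nothing asserts that a command outside the whitelist is still refused, which is the property the configurable whitelist puts at risk. A negative case along the lines below would pin it; the exact exception type raised for a refused command should be confirmed against the test harness. Separately, `statement.close()` and `connection.close()` in `testReload` are skipped when `execute` throws, so both belong in a `finally` block.

```java
@Test
public void testNonWhitelistedCommandRejected() throws Exception {
  Connection connection = context.createConnection(USER1_1);
  Statement statement = context.createStatement(connection);
  try {
    // "dfs" is not part of the default whitelist "set,reset,reload"
    statement.execute("dfs -ls /");
    Assert.fail("expected a non-whitelisted command to be rejected");
  } catch (SQLException expected) {
    // refused as intended
  } finally {
    statement.close();
    connection.close();
  }
}
```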