Posted to commits@sentry.apache.org by pr...@apache.org on 2015/04/30 09:37:56 UTC
incubator-sentry git commit: SENTRY-702: Hive binding should support
RELOAD command (Dapeng Sun via Prasad Mujumdar)
Repository: incubator-sentry
Updated Branches:
refs/heads/master 16ef2c3bd -> 0b8d822ba
SENTRY-702: Hive binding should support RELOAD command (Dapeng Sun via Prasad Mujumdar)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/0b8d822b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/0b8d822b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/0b8d822b
Branch: refs/heads/master
Commit: 0b8d822ba3b88998aca0046780fe4f28bbcba48a
Parents: 16ef2c3
Author: Prasad Mujumdar <pr...@cloudera.com>
Authored: Thu Apr 30 00:37:46 2015 -0700
Committer: Prasad Mujumdar <pr...@cloudera.com>
Committed: Thu Apr 30 00:37:46 2015 -0700
----------------------------------------------------------------------
.../hive/HiveAuthzBindingSessionHook.java | 9 +++-
.../sentry/binding/hive/conf/HiveAuthzConf.java | 4 ++
.../tests/e2e/hive/TestReloadPrivileges.java | 54 ++++++++++++++++++++
3 files changed, 65 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0b8d822b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
index 0fa4a87..a51653c 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
@@ -57,6 +57,7 @@ public class HiveAuthzBindingSessionHook
ConfVars.HIVE_SECURITY_COMMAND_WHITELIST.varname,
ConfVars.HIVE_AUTHORIZATION_TASK_FACTORY.varname,
ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY.varname,
+ ConfVars.HIVERELOADABLEJARS.varname,
HiveAuthzConf.HIVE_ACCESS_CONF_URL,
HiveAuthzConf.HIVE_SENTRY_CONF_URL,
HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME,
@@ -95,7 +96,7 @@ public class HiveAuthzBindingSessionHook
* 2. Set additional config properties required for auth
* set HIVE_EXTENDED_ENITITY_CAPTURE = true
* set SCRATCHDIRPERMISSION = 700
- * 3. Add sensetive config parameters to the config restrict list so that they can't be overridden by users
+ * 3. Add sensitive config parameters to the config restrict list so that they can't be overridden by users
*/
@Override
public void run(HiveSessionHookContext sessionHookContext) throws HiveSQLException {
@@ -104,7 +105,11 @@ public class HiveAuthzBindingSessionHook
appendConfVar(sessionConf, ConfVars.SEMANTIC_ANALYZER_HOOK.varname,
SEMANTIC_HOOK);
- sessionConf.setVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST, "set");
+ HiveAuthzConf authzConf = HiveAuthzBindingHook.loadAuthzConf(sessionConf);
+ String commandWhitelist =
+ authzConf.get(HiveAuthzConf.HIVE_SENTRY_SECURITY_COMMAND_WHITELIST,
+ HiveAuthzConf.HIVE_SENTRY_SECURITY_COMMAND_WHITELIST_DEFAULT);
+ sessionConf.setVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST, commandWhitelist);
sessionConf.setVar(ConfVars.SCRATCHDIRPERMISSION, SCRATCH_DIR_PERMISSIONS);
sessionConf.setBoolVar(ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY, true);
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0b8d822b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
index 0a3b509..f02ce9a 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
@@ -47,6 +47,10 @@ public class HiveAuthzConf extends Configuration {
*/
public static final String SENTRY_ACTIVE_ROLE_SET = "hive.sentry.active.role.set";
+ public static final String HIVE_SENTRY_SECURITY_COMMAND_WHITELIST =
+ "hive.sentry.security.command.whitelist";
+ public static final String HIVE_SENTRY_SECURITY_COMMAND_WHITELIST_DEFAULT =
+ "set,reset,reload";
/**
* Config setting definitions
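Review bot: The two new constants `HIVE_SENTRY_SECURITY_COMMAND_WHITELIST` and `HIVE_SENTRY_SECURITY_COMMAND_WHITELIST_DEFAULT` carry no Javadoc, although the hunk's first line suggests the neighbouring `SENTRY_ACTIVE_ROLE_SET` is documented. Since this key decides which Hive commands a Sentry-enabled session may run, I would add something like `/** Comma-separated Hive commands allowed in Sentry-enabled sessions; copied into hive.security.command.whitelist by HiveAuthzBindingSessionHook. */`. The default's Javadoc should note that it widens the previous hard-coded value `"set"` to `"set,reset,reload"` for every existing deployment.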
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0b8d822b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java
new file mode 100644
index 0000000..6d4e8d3
--- /dev/null
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.tests.e2e.hive;
+
+import java.sql.Connection;
+import java.sql.Statement;
+
+import org.apache.sentry.provider.file.PolicyFile;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestReloadPrivileges extends AbstractTestWithStaticConfiguration {
+ private PolicyFile policyFile;
+
+ @BeforeClass
+ public static void setupTestStaticConfiguration() throws Exception {
+ AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
+ }
+
+ @Before
+ public void setup() throws Exception {
+ policyFile =
+ PolicyFile.setAdminOnServer1(ADMINGROUP).setUserGroupMapping(
+ StaticUserGroup.getStaticMapping());
+ writePolicyFile(policyFile);
+ }
+
+ @Test
+ public void testReload() throws Exception {
+ Connection connection = context.createConnection(USER1_1);
+ Statement statement = context.createStatement(connection);
+ statement.execute("RELOAD");
+ statement.close();
+ connection.close();
+ }
+
+}
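Review bot: `testReload` only exercises the positive path: it passes whenever `RELOAD` does not throw, so it would still pass if the whitelist were accidentally opened to every command. A companion negative test for a command outside the default `set,reset,reload` list would pin the restriction this commit makes configurable; a check that `USER1_1` cannot `set` the newly restricted `ConfVars.HIVERELOADABLEJARS` property would cover the first hunk the same way. Separately, `statement.close()` and `connection.close()` are skipped if `execute` throws, so they belong in a `finally` block. The sketch below would need `org.junit.Assert` and `java.sql.SQLException` imported, and the exact exception type should be confirmed against the other e2e tests.

```java
  @Test
  public void testCommandOutsideWhitelistIsRejected() throws Exception {
    Connection connection = context.createConnection(USER1_1);
    Statement statement = context.createStatement(connection);
    try {
      statement.execute("dfs -ls /");
      Assert.fail("dfs is not in the default command whitelist and should be rejected");
    } catch (SQLException expected) {
      // expected: the command is not listed in hive.sentry.security.command.whitelist
    } finally {
      statement.close();
      connection.close();
    }
  }
```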