You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hive.apache.org by ha...@apache.org on 2014/04/03 23:27:05 UTC
svn commit: r1584403 - in /hive/trunk/ql/src:
java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java
test/queries/clientnegative/authorization_addjar.q
test/results/clientnegative/authorization_addjar.q.out
Author: hashutosh
Date: Thu Apr 3 21:27:05 2014
New Revision: 1584403
URL: http://svn.apache.org/r1584403
Log:
HIVE-6827 : Disable insecure commands with std sql auth (Ashutosh Chauhan via Thejas Nair)
Added:
hive/trunk/ql/src/test/queries/clientnegative/authorization_addjar.q
hive/trunk/ql/src/test/results/clientnegative/authorization_addjar.q.out
Modified:
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java?rev=1584403&r1=1584402&r2=1584403&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandProcessorFactory.java Thu Apr 3 21:27:05 2014
@@ -28,7 +28,12 @@ import java.util.Map;
import java.util.Set;
import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
import org.apache.hadoop.hive.ql.Driver;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.metadata.HiveUtils;
+import org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
import org.apache.hadoop.hive.ql.session.SessionState;
/**
@@ -58,8 +63,18 @@ public final class CommandProcessorFacto
conf = new HiveConf();
}
Set<String> availableCommands = new HashSet<String>();
- for (String availableCommand : conf.getVar(HiveConf.ConfVars.HIVE_SECURITY_COMMAND_WHITELIST).split(",")) {
- availableCommands.add(availableCommand.toLowerCase().trim());
+ if (!HiveAuthorizerFactory.class.isAssignableFrom
+ (conf.getClass(ConfVars.HIVE_AUTHORIZATION_MANAGER.varname,DefaultHiveAuthorizationProvider.class))) {
+ // we are not on authV2, add processors.
+ for (String availableCommand : conf.getVar(HiveConf.ConfVars.HIVE_SECURITY_COMMAND_WHITELIST).split(",")) {
+ availableCommands.add(availableCommand.toLowerCase().trim());
+ }
+ }
+
+ if (conf.getBoolVar(ConfVars.HIVE_IN_TEST)) {
+ // because test case uses these.
+ availableCommands.add("set");
+ availableCommands.add("dfs");
}
if (!availableCommands.contains(cmd[0].trim().toLowerCase())) {
throw new SQLException("Insufficient privileges to execute " + cmd[0], "42000");
Added: hive/trunk/ql/src/test/queries/clientnegative/authorization_addjar.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_addjar.q?rev=1584403&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_addjar.q (added)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_addjar.q Thu Apr 3 21:27:05 2014
@@ -0,0 +1,3 @@
+set hive.security.authorization.enabled=true;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+add jar ${system:maven.local.repository}/org/apache/hive/hcatalog/hive-hcatalog-core/${system:hive.version}/hive-hcatalog-core-${system:hive.version}.jar;
Added: hive/trunk/ql/src/test/results/clientnegative/authorization_addjar.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_addjar.q.out?rev=1584403&view=auto
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_addjar.q.out (added)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_addjar.q.out Thu Apr 3 21:27:05 2014
@@ -0,0 +1 @@
+Failed processing command add Insufficient privileges to execute add