You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by sp...@apache.org on 2018/09/10 19:19:57 UTC
sentry git commit: SENTRY-2395: ALTER VIEW AS SELECT is asking for
CREATE privileges instead of ALTER (Sergio Pena, reviewed by Na Li,
kalyan kumar kalvagadda)
Repository: sentry
Updated Branches:
refs/heads/master 2fc3374b9 -> 1fbb0aa41
SENTRY-2395: ALTER VIEW AS SELECT is asking for CREATE privileges instead of ALTER (Sergio Pena, reviewed by Na Li, kalyan kumar kalvagadda)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/1fbb0aa4
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/1fbb0aa4
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/1fbb0aa4
Branch: refs/heads/master
Commit: 1fbb0aa4177cf80760f6b16952d4eb67265c50a7
Parents: 2fc3374
Author: Sergio Pena <se...@cloudera.com>
Authored: Mon Sep 10 14:19:22 2018 -0500
Committer: Sergio Pena <se...@cloudera.com>
Committed: Mon Sep 10 14:19:22 2018 -0500
----------------------------------------------------------------------
.../binding/hive/HiveAuthzBindingHook.java | 8 +++++
.../hive/authz/HiveAuthzBindingHookBase.java | 33 ++++++++++++++++++--
.../hive/authz/HiveAuthzPrivilegesMap.java | 9 +++++-
.../tests/e2e/hive/TestOperationsPart1.java | 6 ++--
4 files changed, 50 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/1fbb0aa4/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 0ab636a..6731d1a 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -149,6 +149,7 @@ public class HiveAuthzBindingHook extends HiveAuthzBindingHookBase {
currTab = extractTable((ASTNode)ast.getFirstChildWithType(HiveParser.TOK_TABNAME));
currDB = extractDatabase((ASTNode) ast.getChild(0));
indexURI = extractTableLocation(ast);//As index location is captured using token HiveParser.TOK_TABLELOCATION
+ isAlterViewAs = isAlterViewAsOperation(ast);
break;
case HiveParser.TOK_ALTERINDEX_REBUILD:
currTab = extractTable((ASTNode)ast.getChild(0)); //type is not TOK_TABNAME
@@ -298,6 +299,13 @@ public class HiveAuthzBindingHook extends HiveAuthzBindingHookBase {
HiveOperation stmtOperation = context.getHiveOperation();
HiveAuthzPrivileges stmtAuthObject;
+ // Hive has a bug that changes the operation of the ALTER VIEW AS SELECT to CREATEVIEW.
+ // isAlterViewAs is validated in the preAnalyze method which looks fo this operation
+ // in the ASTNode tree.
+ if (stmtOperation == HiveOperation.CREATEVIEW && isAlterViewAs) {
+ stmtOperation = HiveOperation.ALTERVIEW_AS;
+ }
+
stmtAuthObject = HiveAuthzPrivilegesMap.getHiveAuthzPrivileges(stmtOperation);
Subject subject = getCurrentSubject(context);
http://git-wip-us.apache.org/repos/asf/sentry/blob/1fbb0aa4/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
index 0973e98..da1956b 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
@@ -112,6 +112,10 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
// require table-level privileges.
protected boolean isDescTableBasic = false;
+ // Flag that specifies if the operation to validate is an ALTER VIEW AS SELECT.
+ // Note: Hive sends CREATEVIEW even if ALTER VIEW AS SELECT is used.
+ protected boolean isAlterViewAs = false;
+
public HiveAuthzBindingHookBase() throws Exception {
SessionState session = SessionState.get();
if(session == null) {
@@ -407,8 +411,10 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
outputHierarchy.add(entityHierarchy);
}
// workaround for metadata queries.
- // Capture the table name in pre-analyze and include that in the input entity list
- if (currTab != null) {
+ // Capture the table name in pre-analyze and include that in the input entity list.
+ // The exception is for ALTERVIEW_AS operations which puts the table to read as input and
+ // the view as output. Having the view as input again will case extra privileges to be given.
+ if (currTab != null && stmtOperation != HiveOperation.ALTERVIEW_AS) {
List<DBModelAuthorizable> externalAuthorizableHierarchy = new ArrayList<DBModelAuthorizable>();
externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer());
externalAuthorizableHierarchy.add(currDB);
@@ -898,4 +904,27 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
// Extract the username from the hook context
return new Subject(context.getUserName());
}
+
+ /**
+ * Returns true if the ASTNode tree is an ALTER VIEW AS SELECT operation.
+ * <p>
+ * The ASTNode with an ALTER VIEW AS SELECT is formed as follows:*
+ * Root: TOK_ALTERVIEW
+ * Child(0): TOK_TABNAME
+ * Child(1): TOK_QUERY <-- This is the SELECT operation
+ *
+ * @param ast The ASTNode that Hive created while parsing the ALTER VIEW operation.
+ * @return True if it is an ALTER VIEW AS SELECT operation; False otherwise.
+ */
+ protected boolean isAlterViewAsOperation(ASTNode ast) {
+ if (ast == null || ast.getToken().getType() != HiveParser.TOK_ALTERVIEW) {
+ return false;
+ }
+
+ if (ast.getChildCount() <= 1 || ast.getChild(1).getType() != HiveParser.TOK_QUERY) {
+ return false;
+ }
+
+ return true;
+ }
}
http://git-wip-us.apache.org/repos/asf/sentry/blob/1fbb0aa4/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index feb77ad..385ca98 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -194,6 +194,13 @@ public class HiveAuthzPrivilegesMap {
setOperationType(HiveOperationType.DDL).
build();
+ HiveAuthzPrivileges alterViewAsPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
+ addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALTER)).
+ addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.SELECT)).
+ setOperationScope(HiveOperationScope.TABLE).
+ setOperationType(HiveOperationType.DDL).
+ build();
+
HiveAuthzPrivileges createViewPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
addOutputObjectPriviledge(AuthorizableType.Db, EnumSet.of(DBModelAction.CREATE)).
addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.SELECT)).
@@ -285,7 +292,7 @@ public class HiveAuthzPrivilegesMap {
hiveAuthzStmtPrivMap.put(HiveOperation.ALTERPARTITION_MERGEFILES, alterTablePrivilege);
hiveAuthzStmtPrivMap.put(HiveOperation.ALTERVIEW_PROPERTIES, alterTablePrivilege);
- hiveAuthzStmtPrivMap.put(HiveOperation.ALTERVIEW_AS, createViewPrivilege);
+ hiveAuthzStmtPrivMap.put(HiveOperation.ALTERVIEW_AS, alterViewAsPrivilege);
hiveAuthzStmtPrivMap.put(HiveOperation.ALTERVIEW_RENAME, alterTableRenamePrivilege);
// TODO: once HIVE-18762 is in the hiver version integrated with Sentry, uncomment next line
// hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_OWNER, alterTableSetOwnerPrivilege);
http://git-wip-us.apache.org/repos/asf/sentry/blob/1fbb0aa4/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java
index 42971d8..e11a0cf 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java
@@ -75,7 +75,7 @@ public class TestOperationsPart1 extends AbstractTestWithStaticConfiguration {
privileges.put("all_db1_view1", "server=server1->db=" + DB1 + "->action=all");
privileges.put("drop_db1_view1", "server=server1->db=" + DB1 + "->action=drop");
privileges.put("select_db1_tb2", "server=server1->db=" + DB1 + "->table=tb2->action=select");
-
+ privileges.put("alter_db1_view1", "server=server1->db=" + DB1 + "->table=view1->action=alter");
}
@Before
@@ -730,10 +730,10 @@ public class TestOperationsPart1 extends AbstractTestWithStaticConfiguration {
policyFile
.addPermissionsToRole("select_db1_tb2", privileges.get("select_db1_tb2"))
- .addPermissionsToRole("create_db1_view1", privileges.get("create_db1_view1"))
+ .addPermissionsToRole("alter_db1_view1", privileges.get("alter_db1_view1"))
.addPermissionsToRole("drop_db1_view1", privileges.get("drop_db1_view1"))
.addPermissionsToRole("create_db1", privileges.get("create_db1"))
- .addRolesToGroup(USERGROUP1, "select_db1_tb2", "create_db1_view1", "drop_db1_view1", "create_db1")
+ .addRolesToGroup(USERGROUP1, "select_db1_tb2", "alter_db1_view1")
.addPermissionsToRole("select_db1_view1", privileges.get("select_db1_view1"))
.addRolesToGroup(USERGROUP2, "create_db1", "select_db1_view1");
writePolicyFile(policyFile);