You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by sp...@apache.org on 2018/09/10 19:19:57 UTC

sentry git commit: SENTRY-2395: ALTER VIEW AS SELECT is asking for CREATE privileges instead of ALTER (Sergio Pena, reviewed by Na Li, kalyan kumar kalvagadda)

Repository: sentry
Updated Branches:
  refs/heads/master 2fc3374b9 -> 1fbb0aa41


SENTRY-2395: ALTER VIEW AS SELECT is asking for CREATE privileges instead of ALTER (Sergio Pena, reviewed by Na Li, kalyan kumar kalvagadda)


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/1fbb0aa4
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/1fbb0aa4
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/1fbb0aa4

Branch: refs/heads/master
Commit: 1fbb0aa4177cf80760f6b16952d4eb67265c50a7
Parents: 2fc3374
Author: Sergio Pena <se...@cloudera.com>
Authored: Mon Sep 10 14:19:22 2018 -0500
Committer: Sergio Pena <se...@cloudera.com>
Committed: Mon Sep 10 14:19:22 2018 -0500

----------------------------------------------------------------------
 .../binding/hive/HiveAuthzBindingHook.java      |  8 +++++
 .../hive/authz/HiveAuthzBindingHookBase.java    | 33 ++++++++++++++++++--
 .../hive/authz/HiveAuthzPrivilegesMap.java      |  9 +++++-
 .../tests/e2e/hive/TestOperationsPart1.java     |  6 ++--
 4 files changed, 50 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/1fbb0aa4/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 0ab636a..6731d1a 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -149,6 +149,7 @@ public class HiveAuthzBindingHook extends HiveAuthzBindingHookBase {
         currTab = extractTable((ASTNode)ast.getFirstChildWithType(HiveParser.TOK_TABNAME));
         currDB = extractDatabase((ASTNode) ast.getChild(0));
         indexURI = extractTableLocation(ast);//As index location is captured using token HiveParser.TOK_TABLELOCATION
+        isAlterViewAs = isAlterViewAsOperation(ast);
         break;
       case HiveParser.TOK_ALTERINDEX_REBUILD:
         currTab = extractTable((ASTNode)ast.getChild(0)); //type is not TOK_TABNAME
@@ -298,6 +299,13 @@ public class HiveAuthzBindingHook extends HiveAuthzBindingHookBase {
     HiveOperation stmtOperation = context.getHiveOperation();
     HiveAuthzPrivileges stmtAuthObject;
 
+    // Hive has a bug that changes the operation of the ALTER VIEW AS SELECT to CREATEVIEW.
+    // isAlterViewAs is validated in the preAnalyze method which looks fo this operation
+    // in the ASTNode tree.
+    if (stmtOperation == HiveOperation.CREATEVIEW && isAlterViewAs) {
+      stmtOperation = HiveOperation.ALTERVIEW_AS;
+    }
+
     stmtAuthObject = HiveAuthzPrivilegesMap.getHiveAuthzPrivileges(stmtOperation);
 
     Subject subject = getCurrentSubject(context);

http://git-wip-us.apache.org/repos/asf/sentry/blob/1fbb0aa4/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
index 0973e98..da1956b 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBindingHookBase.java
@@ -112,6 +112,10 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
   // require table-level privileges.
   protected boolean isDescTableBasic = false;
 
+  // Flag that specifies if the operation to validate is an ALTER VIEW AS SELECT.
+  // Note: Hive sends CREATEVIEW even if ALTER VIEW AS SELECT is used.
+  protected boolean isAlterViewAs = false;
+
   public HiveAuthzBindingHookBase() throws Exception {
     SessionState session = SessionState.get();
     if(session == null) {
@@ -407,8 +411,10 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
         outputHierarchy.add(entityHierarchy);
       }
       // workaround for metadata queries.
-      // Capture the table name in pre-analyze and include that in the input entity list
-      if (currTab != null) {
+      // Capture the table name in pre-analyze and include that in the input entity list.
+      // The exception is for ALTERVIEW_AS operations which puts the table to read as input and
+      // the view as output. Having the view as input again will case extra privileges to be given.
+      if (currTab != null && stmtOperation != HiveOperation.ALTERVIEW_AS) {
         List<DBModelAuthorizable> externalAuthorizableHierarchy = new ArrayList<DBModelAuthorizable>();
         externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer());
         externalAuthorizableHierarchy.add(currDB);
@@ -898,4 +904,27 @@ public abstract class HiveAuthzBindingHookBase extends AbstractSemanticAnalyzerH
     // Extract the username from the hook context
     return new Subject(context.getUserName());
   }
+
+  /**
+   * Returns true if the ASTNode tree is an ALTER VIEW AS SELECT operation.
+   * <p>
+   * The ASTNode with an ALTER VIEW AS SELECT is formed as follows:*
+   *   Root: TOK_ALTERVIEW
+   *     Child(0): TOK_TABNAME
+   *     Child(1): TOK_QUERY    <-- This is the SELECT operation
+   *
+   * @param ast The ASTNode that Hive created while parsing the ALTER VIEW operation.
+   * @return True if it is an ALTER VIEW AS SELECT operation; False otherwise.
+   */
+  protected boolean isAlterViewAsOperation(ASTNode ast) {
+    if (ast == null || ast.getToken().getType() != HiveParser.TOK_ALTERVIEW) {
+      return false;
+    }
+
+    if (ast.getChildCount() <= 1 || ast.getChild(1).getType() != HiveParser.TOK_QUERY) {
+      return false;
+    }
+
+    return true;
+  }
 }

http://git-wip-us.apache.org/repos/asf/sentry/blob/1fbb0aa4/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index feb77ad..385ca98 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -194,6 +194,13 @@ public class HiveAuthzPrivilegesMap {
         setOperationType(HiveOperationType.DDL).
         build();
 
+    HiveAuthzPrivileges alterViewAsPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
+      addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALTER)).
+      addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.SELECT)).
+      setOperationScope(HiveOperationScope.TABLE).
+      setOperationType(HiveOperationType.DDL).
+      build();
+
     HiveAuthzPrivileges createViewPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
     addOutputObjectPriviledge(AuthorizableType.Db, EnumSet.of(DBModelAction.CREATE)).
     addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.SELECT)).
@@ -285,7 +292,7 @@ public class HiveAuthzPrivilegesMap {
     hiveAuthzStmtPrivMap.put(HiveOperation.ALTERPARTITION_MERGEFILES, alterTablePrivilege);
 
     hiveAuthzStmtPrivMap.put(HiveOperation.ALTERVIEW_PROPERTIES, alterTablePrivilege);
-    hiveAuthzStmtPrivMap.put(HiveOperation.ALTERVIEW_AS, createViewPrivilege);
+    hiveAuthzStmtPrivMap.put(HiveOperation.ALTERVIEW_AS, alterViewAsPrivilege);
     hiveAuthzStmtPrivMap.put(HiveOperation.ALTERVIEW_RENAME, alterTableRenamePrivilege);
     // TODO: once HIVE-18762 is in the hiver version integrated with Sentry, uncomment next line
     // hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_OWNER, alterTableSetOwnerPrivilege);

http://git-wip-us.apache.org/repos/asf/sentry/blob/1fbb0aa4/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java
index 42971d8..e11a0cf 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperationsPart1.java
@@ -75,7 +75,7 @@ public class TestOperationsPart1 extends AbstractTestWithStaticConfiguration {
     privileges.put("all_db1_view1", "server=server1->db=" + DB1  + "->action=all");
     privileges.put("drop_db1_view1", "server=server1->db=" + DB1  + "->action=drop");
     privileges.put("select_db1_tb2", "server=server1->db=" + DB1 + "->table=tb2->action=select");
-
+    privileges.put("alter_db1_view1", "server=server1->db=" + DB1  + "->table=view1->action=alter");
   }
 
   @Before
@@ -730,10 +730,10 @@ public class TestOperationsPart1 extends AbstractTestWithStaticConfiguration {
 
     policyFile
         .addPermissionsToRole("select_db1_tb2", privileges.get("select_db1_tb2"))
-        .addPermissionsToRole("create_db1_view1", privileges.get("create_db1_view1"))
+        .addPermissionsToRole("alter_db1_view1", privileges.get("alter_db1_view1"))
         .addPermissionsToRole("drop_db1_view1", privileges.get("drop_db1_view1"))
         .addPermissionsToRole("create_db1", privileges.get("create_db1"))
-        .addRolesToGroup(USERGROUP1, "select_db1_tb2", "create_db1_view1", "drop_db1_view1", "create_db1")
+        .addRolesToGroup(USERGROUP1, "select_db1_tb2", "alter_db1_view1")
         .addPermissionsToRole("select_db1_view1", privileges.get("select_db1_view1"))
         .addRolesToGroup(USERGROUP2, "create_db1", "select_db1_view1");
     writePolicyFile(policyFile);