Posted to commits@hive.apache.org by th...@apache.org on 2014/10/10 23:53:24 UTC

svn commit: r1630997 - in /hive/branches/branch-0.14/hcatalog: ./ core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/ core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/

Author: thejas
Date: Fri Oct 10 21:53:24 2014
New Revision: 1630997

URL: http://svn.apache.org/r1630997
Log:
HIVE-8408 : hcat cli throws NPE when authorizer using new api is enabled (Thejas Nair, reviewed by Sushanth Sowmyan)

Added:
    hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatAuthUtil.java
    hive/branches/branch-0.14/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/
    hive/branches/branch-0.14/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/TestHCatAuthUtil.java
Modified:
    hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/CreateTableHook.java
    hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java
    hive/branches/branch-0.14/hcatalog/pom.xml

Modified: hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/CreateTableHook.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/CreateTableHook.java?rev=1630997&r1=1630996&r2=1630997&view=diff
==============================================================================
--- hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/CreateTableHook.java (original)
+++ hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/CreateTableHook.java Fri Oct 10 21:53:24 2014
@@ -26,7 +26,6 @@ import java.util.Map;
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.metastore.api.FieldSchema;
 import org.apache.hadoop.hive.ql.exec.DDLTask;
 import org.apache.hadoop.hive.ql.exec.Task;
@@ -195,8 +194,7 @@ final class CreateTableHook extends HCat
 
         //authorize against the table operation so that location permissions can be checked if any
 
-        if (HiveConf.getBoolVar(context.getConf(),
-          HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
+        if (HCatAuthUtil.isAuthorizationEnabled(context.getConf())) {
           authorize(table, Privilege.CREATE);
         }
       } catch (HiveException ex) {
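Review bot: When a V2 authorizer is configured, this guard is now false even though HIVE_AUTHORIZATION_ENABLED is true, so `authorize(table, Privilege.CREATE)`, the call the comment above says checks location permissions, is skipped with no trace; the early return in `authorizeDDL` in HCatSemanticAnalyzerBase behaves the same way. Enforcement is then left entirely to whatever is configured on the metastore server, which this code cannot verify. I would extend the comment to say so, e.g. `// skipped when a V2 authorizer is in use; the metastore server must enforce location permissions`, and have HCatAuthUtil log once when the flag is set but no V1 authorizer is present. The enclosing method starts and ends outside this hunk.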

Added: hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatAuthUtil.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatAuthUtil.java?rev=1630997&view=auto
==============================================================================
--- hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatAuthUtil.java (added)
+++ hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatAuthUtil.java Fri Oct 10 21:53:24 2014
@@ -0,0 +1,36 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.hive.hcatalog.cli.SemanticAnalysis;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.session.SessionState;
+
+final class HCatAuthUtil {
+  public static boolean isAuthorizationEnabled(Configuration conf) {
+    // the session state getAuthorizer can return null even if authorization is
+    // enabled if the V2 api of authorizer in use.
+    // The additional authorization checks happening in hcatalog are designed to
+    // work with  storage based authorization (on client side). It should not try doing
+    // additional checks if a V2 authorizer is in use. The reccomended configuration is to
+    // use storage based authorization in metastore server
+    return HiveConf.getBoolVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)
+        && SessionState.get().getAuthorizer() != null;
+  }
+}
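Review bot: `SessionState.get()` is dereferenced without a null check on the last line of `isAuthorizationEnabled`, so a caller that reaches this before a session is started on the current thread would likely hit a new NullPointerException in the helper meant to fix one. A guarded form would be `SessionState ss = SessionState.get();` followed by `return ss != null && ss.getAuthorizer() != null;` after the flag test; whether "no session" should mean disabled or an error is a decision worth stating in a comment. The explanatory `//` block would also serve better as Javadoc on the method, and a private constructor would make the utility class non-instantiable.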

Modified: hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java?rev=1630997&r1=1630996&r2=1630997&view=diff
==============================================================================
--- hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java (original)
+++ hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java Fri Oct 10 21:53:24 2014
@@ -22,7 +22,6 @@ package org.apache.hive.hcatalog.cli.Sem
 import java.io.Serializable;
 import java.util.List;
 
-import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.metastore.api.Database;
 import org.apache.hadoop.hive.ql.exec.Task;
 import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
@@ -89,8 +88,7 @@ public class HCatSemanticAnalyzerBase ex
   protected void authorizeDDL(HiveSemanticAnalyzerHookContext context,
                 List<Task<? extends Serializable>> rootTasks) throws SemanticException {
 
-    if (!HiveConf.getBoolVar(context.getConf(),
-      HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
+    if (!HCatAuthUtil.isAuthorizationEnabled(context.getConf())) {
       return;
     }
 

Added: hive/branches/branch-0.14/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/TestHCatAuthUtil.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/TestHCatAuthUtil.java?rev=1630997&view=auto
==============================================================================
--- hive/branches/branch-0.14/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/TestHCatAuthUtil.java (added)
+++ hive/branches/branch-0.14/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/TestHCatAuthUtil.java Fri Oct 10 21:53:24 2014
@@ -0,0 +1,84 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.hive.hcatalog.cli.SemanticAnalysis;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
+import org.apache.hadoop.hive.ql.session.SessionState;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+/**
+ * Test HCatAuthUtil
+ */
+public class TestHCatAuthUtil {
+
+  public static class DummyV2AuthorizerFactory implements HiveAuthorizerFactory {
+
+    @Override
+    public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
+        HiveConf conf, HiveAuthenticationProvider hiveAuthenticator, HiveAuthzSessionContext ctx)
+        throws HiveAuthzPluginException {
+      return Mockito.mock(HiveAuthorizer.class);
+    }
+  }
+
+  /**
+   * Test with auth enabled and v1 auth
+   */
+  @Test
+  public void authEnabledV1Auth() throws Exception {
+    HiveConf hcatConf = new HiveConf(this.getClass());
+    hcatConf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true);
+    SessionState.start(hcatConf);
+    assertTrue("hcat auth should be enabled", HCatAuthUtil.isAuthorizationEnabled(hcatConf));
+  }
+
+  /**
+   * Test with auth enabled and v2 auth
+   */
+  @Test
+  public void authEnabledV2Auth() throws Exception {
+    HiveConf hcatConf = new HiveConf(this.getClass());
+    hcatConf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true);
+    hcatConf.setVar(ConfVars.HIVE_AUTHORIZATION_MANAGER, DummyV2AuthorizerFactory.class.getName());
+    SessionState.start(hcatConf);
+    assertFalse("hcat auth should be disabled", HCatAuthUtil.isAuthorizationEnabled(hcatConf));
+  }
+
+  /**
+   * Test with auth disabled
+   */
+  @Test
+  public void authDisabled() throws Exception {
+    HiveConf hcatConf = new HiveConf(this.getClass());
+    hcatConf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, false);
+    SessionState.start(hcatConf);
+    assertFalse("hcat auth should be disabled", HCatAuthUtil.isAuthorizationEnabled(hcatConf));
+  }
+}
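Review bot: `authEnabledV1Auth` never sets HIVE_AUTHORIZATION_MANAGER, so its result depends on whatever default or hive-site.xml the test classpath supplies; pinning the V1 provider explicitly would make the three cases symmetric. Each test also calls `SessionState.start(hcatConf)` and leaves that session attached to the thread, so a later test could observe state from an earlier one; an `@After` method that tears the session down would isolate them. A fourth case with the flag enabled and no session started would document what `isAuthorizationEnabled` does there.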

Modified: hive/branches/branch-0.14/hcatalog/pom.xml
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/hcatalog/pom.xml?rev=1630997&r1=1630996&r2=1630997&view=diff
==============================================================================
--- hive/branches/branch-0.14/hcatalog/pom.xml (original)
+++ hive/branches/branch-0.14/hcatalog/pom.xml Fri Oct 10 21:53:24 2014
@@ -46,6 +46,15 @@
     <module>streaming</module>
   </modules>
 
+  <dependencies>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-all</artifactId>
+      <version>${mockito-all.version}</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
   <profiles>
     <profile>
       <id>hadoop-1</id>