Posted to commits@hive.apache.org by th...@apache.org on 2014/10/10 23:53:24 UTC
svn commit: r1630997 - in /hive/branches/branch-0.14/hcatalog: ./
core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/
core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/
Author: thejas
Date: Fri Oct 10 21:53:24 2014
New Revision: 1630997
URL: http://svn.apache.org/r1630997
Log:
HIVE-8408 : hcat cli throws NPE when authorizer using new api is enabled (Thejas Nair, reviewed by Sushanth Sowmyan)
Added:
hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatAuthUtil.java
hive/branches/branch-0.14/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/
hive/branches/branch-0.14/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/TestHCatAuthUtil.java
Modified:
hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/CreateTableHook.java
hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java
hive/branches/branch-0.14/hcatalog/pom.xml
Modified: hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/CreateTableHook.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/CreateTableHook.java?rev=1630997&r1=1630996&r2=1630997&view=diff
==============================================================================
--- hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/CreateTableHook.java (original)
+++ hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/CreateTableHook.java Fri Oct 10 21:53:24 2014
@@ -26,7 +26,6 @@ import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.api.FieldSchema;
import org.apache.hadoop.hive.ql.exec.DDLTask;
import org.apache.hadoop.hive.ql.exec.Task;
@@ -195,8 +194,7 @@ final class CreateTableHook extends HCat
//authorize against the table operation so that location permissions can be checked if any
- if (HiveConf.getBoolVar(context.getConf(),
- HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
+ if (HCatAuthUtil.isAuthorizationEnabled(context.getConf())) {
authorize(table, Privilege.CREATE);
}
} catch (HiveException ex) {
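Review bot: The comment above the changed condition still says the table operation is authorized "so that location permissions can be checked", but with `HCatAuthUtil.isAuthorizationEnabled` that check is now skipped whenever the session has no V1 authorizer, even with `HIVE_AUTHORIZATION_ENABLED` set. I would reword it to say so, for example `// client-side check, runs only with a V1 (storage based) authorizer; with a V2 authorizer location permissions must be enforced by the metastore server`. The same applies to the early return in `authorizeDDL` in HCatSemanticAnalyzerBase.java, which carries no comment at all. Both enclosing methods extend beyond their hunks, so the surrounding handling is not visible here.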
Added: hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatAuthUtil.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatAuthUtil.java?rev=1630997&view=auto
==============================================================================
--- hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatAuthUtil.java (added)
+++ hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatAuthUtil.java Fri Oct 10 21:53:24 2014
@@ -0,0 +1,36 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.hive.hcatalog.cli.SemanticAnalysis;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.session.SessionState;
+
+final class HCatAuthUtil {
+ public static boolean isAuthorizationEnabled(Configuration conf) {
+ // the session state getAuthorizer can return null even if authorization is
+ // enabled if the V2 api of authorizer in use.
+ // The additional authorization checks happening in hcatalog are designed to
+ // work with storage based authorization (on client side). It should not try doing
+ // additional checks if a V2 authorizer is in use. The reccomended configuration is to
+ // use storage based authorization in metastore server
+ return HiveConf.getBoolVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)
+ && SessionState.get().getAuthorizer() != null;
+ }
+}
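Review bot: `SessionState.get()` is dereferenced unchecked in `isAuthorizationEnabled`, so a caller on a thread where no session has been started would presumably hit a NullPointerException whenever `HIVE_AUTHORIZATION_ENABLED` is true. Take the session into a local and test it first, `SessionState ss = SessionState.get();` followed by `&& ss != null && ss.getAuthorizer() != null`, or throw an IllegalStateException if a missing session should not silently disable the checks. The method also treats every null V1 authorizer as "V2 in use" and returns false, which turns HCatalog's client-side checks off without any trace; a log line for the case where the flag is true but the result is false would let operators confirm that metastore-side storage based authorization is what protects them. A short Javadoc stating that the method answers "should HCatalog run its own V1 checks" rather than "is authorization enabled" would keep future callers from misreading the name.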
Modified: hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java?rev=1630997&r1=1630996&r2=1630997&view=diff
==============================================================================
--- hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java (original)
+++ hive/branches/branch-0.14/hcatalog/core/src/main/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/HCatSemanticAnalyzerBase.java Fri Oct 10 21:53:24 2014
@@ -22,7 +22,6 @@ package org.apache.hive.hcatalog.cli.Sem
import java.io.Serializable;
import java.util.List;
-import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.api.Database;
import org.apache.hadoop.hive.ql.exec.Task;
import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
@@ -89,8 +88,7 @@ public class HCatSemanticAnalyzerBase ex
protected void authorizeDDL(HiveSemanticAnalyzerHookContext context,
List<Task<? extends Serializable>> rootTasks) throws SemanticException {
- if (!HiveConf.getBoolVar(context.getConf(),
- HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
+ if (!HCatAuthUtil.isAuthorizationEnabled(context.getConf())) {
return;
}
Added: hive/branches/branch-0.14/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/TestHCatAuthUtil.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/TestHCatAuthUtil.java?rev=1630997&view=auto
==============================================================================
--- hive/branches/branch-0.14/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/TestHCatAuthUtil.java (added)
+++ hive/branches/branch-0.14/hcatalog/core/src/test/java/org/apache/hive/hcatalog/cli/SemanticAnalysis/TestHCatAuthUtil.java Fri Oct 10 21:53:24 2014
@@ -0,0 +1,84 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.hive.hcatalog.cli.SemanticAnalysis;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
+import org.apache.hadoop.hive.ql.session.SessionState;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+/**
+ * Test HCatAuthUtil
+ */
+public class TestHCatAuthUtil {
+
+ public static class DummyV2AuthorizerFactory implements HiveAuthorizerFactory {
+
+ @Override
+ public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
+ HiveConf conf, HiveAuthenticationProvider hiveAuthenticator, HiveAuthzSessionContext ctx)
+ throws HiveAuthzPluginException {
+ return Mockito.mock(HiveAuthorizer.class);
+ }
+ }
+
+ /**
+ * Test with auth enabled and v1 auth
+ */
+ @Test
+ public void authEnabledV1Auth() throws Exception {
+ HiveConf hcatConf = new HiveConf(this.getClass());
+ hcatConf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true);
+ SessionState.start(hcatConf);
+ assertTrue("hcat auth should be enabled", HCatAuthUtil.isAuthorizationEnabled(hcatConf));
+ }
+
+ /**
+ * Test with auth enabled and v2 auth
+ */
+ @Test
+ public void authEnabledV2Auth() throws Exception {
+ HiveConf hcatConf = new HiveConf(this.getClass());
+ hcatConf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true);
+ hcatConf.setVar(ConfVars.HIVE_AUTHORIZATION_MANAGER, DummyV2AuthorizerFactory.class.getName());
+ SessionState.start(hcatConf);
+ assertFalse("hcat auth should be disabled", HCatAuthUtil.isAuthorizationEnabled(hcatConf));
+ }
+
+ /**
+ * Test with auth disabled
+ */
+ @Test
+ public void authDisabled() throws Exception {
+ HiveConf hcatConf = new HiveConf(this.getClass());
+ hcatConf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, false);
+ SessionState.start(hcatConf);
+ assertFalse("hcat auth should be disabled", HCatAuthUtil.isAuthorizationEnabled(hcatConf));
+ }
+}
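Review bot: `authEnabledV1Auth` never sets `HIVE_AUTHORIZATION_MANAGER`, so it exercises the V1 path only as long as the default, or whatever hive-site.xml is on the test classpath, resolves to a V1 provider; pinning the provider in the test, ideally to the storage based one the production comment refers to, would make the intent explicit. Each test also calls `SessionState.start(hcatConf)` and leaves that session attached to the thread for whatever runs next, so detaching or closing it in an `@After` method would isolate the cases. There is no case for a thread without a started session, which is the path where `SessionState.get()` may return null inside `HCatAuthUtil.isAuthorizationEnabled`.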
Modified: hive/branches/branch-0.14/hcatalog/pom.xml
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/hcatalog/pom.xml?rev=1630997&r1=1630996&r2=1630997&view=diff
==============================================================================
--- hive/branches/branch-0.14/hcatalog/pom.xml (original)
+++ hive/branches/branch-0.14/hcatalog/pom.xml Fri Oct 10 21:53:24 2014
@@ -46,6 +46,15 @@
<module>streaming</module>
</modules>
+ <dependencies>
+ <dependency>
+ <groupId>org.mockito</groupId>
+ <artifactId>mockito-all</artifactId>
+ <version>${mockito-all.version}</version>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+
<profiles>
<profile>
<id>hadoop-1</id>