You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hive.apache.org by Ashutosh Chauhan <ha...@apache.org> on 2014/02/19 01:28:48 UTC

Review Request 18250: SQL std auth - allow grant/revoke roles if user has ADMIN OPTION

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18250/
-----------------------------------------------------------

Review request for hive.


Bugs: HIVE-6433
    https://issues.apache.org/jira/browse/HIVE-6433


Repository: hive-git


Description
-------

SQL std auth - allow grant/revoke roles if user has ADMIN OPTION


Diffs
-----

  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java c1afaee 
  ql/src/test/queries/clientpositive/authorization_role_grant2.q PRE-CREATION 
  ql/src/test/results/clientpositive/authorization_role_grant2.q.out PRE-CREATION 

Diff: https://reviews.apache.org/r/18250/diff/


Testing
-------

Added new test


Thanks,

Ashutosh Chauhan

Re: Review Request 18250: SQL std auth - allow grant/revoke roles if user has ADMIN OPTION

Posted by Thejas Nair <th...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18250/#review34941
-----------------------------------------------------------



ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
<https://reviews.apache.org/r/18250/#comment65337>

    missing space before "granted"



ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
<https://reviews.apache.org/r/18250/#comment65342>

    I think it will be better to replace "or " with " Otherwise, " .
    



ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
<https://reviews.apache.org/r/18250/#comment65333>

    can you call this one currentRoles ? Otherwise the variable names are too similar making it little hard to read.
    



ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
<https://reviews.apache.org/r/18250/#comment65334>

    currentRole as variable name instead of role?
    



ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
<https://reviews.apache.org/r/18250/#comment65335>

    indentation



ql/src/test/queries/clientnegative/authorization_role_grant.q
<https://reviews.apache.org/r/18250/#comment65341>

    Can you also state in the comment that this test is verifying that user needs to have role being granted in current role.


- Thejas Nair


On Feb. 19, 2014, 9:51 p.m., Ashutosh Chauhan wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/18250/
> -----------------------------------------------------------
> 
> (Updated Feb. 19, 2014, 9:51 p.m.)
> 
> 
> Review request for hive.
> 
> 
> Bugs: HIVE-6433
>     https://issues.apache.org/jira/browse/HIVE-6433
> 
> 
> Repository: hive-git
> 
> 
> Description
> -------
> 
> SQL std auth - allow grant/revoke roles if user has ADMIN OPTION
> 
> 
> Diffs
> -----
> 
>   ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java c1afaee 
>   ql/src/test/queries/clientnegative/authorization_role_grant.q PRE-CREATION 
>   ql/src/test/queries/clientpositive/authorization_role_grant2.q PRE-CREATION 
>   ql/src/test/results/clientnegative/authorization_role_grant.q.out PRE-CREATION 
>   ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out eec684d 
>   ql/src/test/results/clientpositive/authorization_role_grant2.q.out PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/18250/diff/
> 
> 
> Testing
> -------
> 
> Added new test
> 
> 
> Thanks,
> 
> Ashutosh Chauhan
> 
>

Re: Review Request 18250: SQL std auth - allow grant/revoke roles if user has ADMIN OPTION

Posted by Thejas Nair <th...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18250/#review34966
-----------------------------------------------------------

Ship it!


Ship It!

- Thejas Nair


On Feb. 20, 2014, 1:08 a.m., Ashutosh Chauhan wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/18250/
> -----------------------------------------------------------
> 
> (Updated Feb. 20, 2014, 1:08 a.m.)
> 
> 
> Review request for hive.
> 
> 
> Bugs: HIVE-6433
>     https://issues.apache.org/jira/browse/HIVE-6433
> 
> 
> Repository: hive-git
> 
> 
> Description
> -------
> 
> SQL std auth - allow grant/revoke roles if user has ADMIN OPTION
> 
> 
> Diffs
> -----
> 
>   ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java c1afaee 
>   ql/src/test/queries/clientnegative/authorization_role_grant.q PRE-CREATION 
>   ql/src/test/queries/clientpositive/authorization_role_grant2.q PRE-CREATION 
>   ql/src/test/results/clientnegative/authorization_role_grant.q.out PRE-CREATION 
>   ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out eec684d 
>   ql/src/test/results/clientpositive/authorization_role_grant2.q.out PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/18250/diff/
> 
> 
> Testing
> -------
> 
> Added new test
> 
> 
> Thanks,
> 
> Ashutosh Chauhan
> 
>

Re: Review Request 18250: SQL std auth - allow grant/revoke roles if user has ADMIN OPTION

Posted by Ashutosh Chauhan <ha...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18250/
-----------------------------------------------------------

(Updated Feb. 20, 2014, 1:08 a.m.)


Review request for hive.


Bugs: HIVE-6433
    https://issues.apache.org/jira/browse/HIVE-6433


Repository: hive-git


Description
-------

SQL std auth - allow grant/revoke roles if user has ADMIN OPTION


Diffs (updated)
-----

  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java c1afaee 
  ql/src/test/queries/clientnegative/authorization_role_grant.q PRE-CREATION 
  ql/src/test/queries/clientpositive/authorization_role_grant2.q PRE-CREATION 
  ql/src/test/results/clientnegative/authorization_role_grant.q.out PRE-CREATION 
  ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out eec684d 
  ql/src/test/results/clientpositive/authorization_role_grant2.q.out PRE-CREATION 

Diff: https://reviews.apache.org/r/18250/diff/


Testing
-------

Added new test


Thanks,

Ashutosh Chauhan

Re: Review Request 18250: SQL std auth - allow grant/revoke roles if user has ADMIN OPTION

Posted by Ashutosh Chauhan <ha...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18250/
-----------------------------------------------------------

(Updated Feb. 19, 2014, 9:51 p.m.)


Review request for hive.


Bugs: HIVE-6433
    https://issues.apache.org/jira/browse/HIVE-6433


Repository: hive-git


Description
-------

SQL std auth - allow grant/revoke roles if user has ADMIN OPTION


Diffs
-----

  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java c1afaee 
  ql/src/test/queries/clientnegative/authorization_role_grant.q PRE-CREATION 
  ql/src/test/queries/clientpositive/authorization_role_grant2.q PRE-CREATION 
  ql/src/test/results/clientnegative/authorization_role_grant.q.out PRE-CREATION 
  ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out eec684d 
  ql/src/test/results/clientpositive/authorization_role_grant2.q.out PRE-CREATION 

Diff: https://reviews.apache.org/r/18250/diff/


Testing
-------

Added new test


Thanks,

Ashutosh Chauhan

Re: Review Request 18250: SQL std auth - allow grant/revoke roles if user has ADMIN OPTION

Posted by Ashutosh Chauhan <ha...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18250/
-----------------------------------------------------------

(Updated Feb. 19, 2014, 9:51 p.m.)


Review request for hive.


Changes
-------

Incorporated Thejas feedback. Also, added new -ve test.


Bugs: HIVE-6433
    https://issues.apache.org/jira/browse/HIVE-6433


Repository: hive-git


Description
-------

SQL std auth - allow grant/revoke roles if user has ADMIN OPTION


Diffs (updated)
-----

  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java c1afaee 
  ql/src/test/queries/clientnegative/authorization_role_grant.q PRE-CREATION 
  ql/src/test/queries/clientpositive/authorization_role_grant2.q PRE-CREATION 
  ql/src/test/results/clientnegative/authorization_role_grant.q.out PRE-CREATION 
  ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out eec684d 
  ql/src/test/results/clientpositive/authorization_role_grant2.q.out PRE-CREATION 

Diff: https://reviews.apache.org/r/18250/diff/


Testing
-------

Added new test


Thanks,

Ashutosh Chauhan

Re: Review Request 18250: SQL std auth - allow grant/revoke roles if user has ADMIN OPTION

Posted by Ashutosh Chauhan <ha...@apache.org>.

> On Feb. 19, 2014, 4:31 p.m., Thejas Nair wrote:
> > ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java, line 278
> > <https://reviews.apache.org/r/18250/diff/2/?file=497456#file497456line278>
> >
> >     We need to pass the roleNames argument to this function and check that user has admin option on these roles. For example the role in grant-role could be role A while current role is role B. The check is happening now on role B only.
> >     What should we do if a user a member with admin option of role Y , because it belongs to role X and role X has admin option on Y?
> >     Should we check that X is in the current role in that case? I guess so, that will make it consistent with rest of the current role behavior.

Lets say, user X has an admin option on role A. User X now wants to grant role A to user B. IMO, user X's current role should be A. He shouldn't be allowed to grant role A to user B, if his current role is C. Currently is that is whats implemented. It seems you are suggesting that user X should be allowed to grant role A to user B, even if his current role is C. To me, this seems counter intuitive. Not sure what does standard says here.


- Ashutosh


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18250/#review34869
-----------------------------------------------------------


On Feb. 19, 2014, 3:31 a.m., Ashutosh Chauhan wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/18250/
> -----------------------------------------------------------
> 
> (Updated Feb. 19, 2014, 3:31 a.m.)
> 
> 
> Review request for hive.
> 
> 
> Bugs: HIVE-6433
>     https://issues.apache.org/jira/browse/HIVE-6433
> 
> 
> Repository: hive-git
> 
> 
> Description
> -------
> 
> SQL std auth - allow grant/revoke roles if user has ADMIN OPTION
> 
> 
> Diffs
> -----
> 
>   ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java c1afaee 
>   ql/src/test/queries/clientpositive/authorization_role_grant2.q PRE-CREATION 
>   ql/src/test/results/clientpositive/authorization_role_grant2.q.out PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/18250/diff/
> 
> 
> Testing
> -------
> 
> Added new test
> 
> 
> Thanks,
> 
> Ashutosh Chauhan
> 
>

Re: Review Request 18250: SQL std auth - allow grant/revoke roles if user has ADMIN OPTION

Posted by Thejas Nair <th...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18250/#review34869
-----------------------------------------------------------



ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
<https://reviews.apache.org/r/18250/#comment65253>

    We need to pass the roleNames argument to this function and check that user has admin option on these roles. For example the role in grant-role could be role A while current role is role B. The check is happening now on role B only.
    What should we do if a user a member with admin option of role Y , because it belongs to role X and role X has admin option on Y?
    Should we check that X is in the current role in that case? I guess so, that will make it consistent with rest of the current role behavior.



ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
<https://reviews.apache.org/r/18250/#comment65252>

    ADMIN_ONLY_MSG is not the right message with this change. For the grant/revoke roles statements, we should change it to : ADMIN_ONLY_MSG + HAS_ADMIN_PRIV_MSG


- Thejas Nair


On Feb. 19, 2014, 3:31 a.m., Ashutosh Chauhan wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/18250/
> -----------------------------------------------------------
> 
> (Updated Feb. 19, 2014, 3:31 a.m.)
> 
> 
> Review request for hive.
> 
> 
> Bugs: HIVE-6433
>     https://issues.apache.org/jira/browse/HIVE-6433
> 
> 
> Repository: hive-git
> 
> 
> Description
> -------
> 
> SQL std auth - allow grant/revoke roles if user has ADMIN OPTION
> 
> 
> Diffs
> -----
> 
>   ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java c1afaee 
>   ql/src/test/queries/clientpositive/authorization_role_grant2.q PRE-CREATION 
>   ql/src/test/results/clientpositive/authorization_role_grant2.q.out PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/18250/diff/
> 
> 
> Testing
> -------
> 
> Added new test
> 
> 
> Thanks,
> 
> Ashutosh Chauhan
> 
>

Re: Review Request 18250: SQL std auth - allow grant/revoke roles if user has ADMIN OPTION

Posted by Ashutosh Chauhan <ha...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18250/
-----------------------------------------------------------

(Updated Feb. 19, 2014, 3:31 a.m.)


Review request for hive.


Changes
-------

Incorporating Navis feedback.


Bugs: HIVE-6433
    https://issues.apache.org/jira/browse/HIVE-6433


Repository: hive-git


Description
-------

SQL std auth - allow grant/revoke roles if user has ADMIN OPTION


Diffs (updated)
-----

  ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java c1afaee 
  ql/src/test/queries/clientpositive/authorization_role_grant2.q PRE-CREATION 
  ql/src/test/results/clientpositive/authorization_role_grant2.q.out PRE-CREATION 

Diff: https://reviews.apache.org/r/18250/diff/


Testing
-------

Added new test


Thanks,

Ashutosh Chauhan

Re: Review Request 18250: SQL std auth - allow grant/revoke roles if user has ADMIN OPTION

Posted by Navis Ryu <na...@nexr.com>.

> On Feb. 19, 2014, 2:04 a.m., Navis Ryu wrote:
> > ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java, line 457
> > <https://reviews.apache.org/r/18250/diff/1/?file=497250#file497250line457>
> >
> >     should this be doesUserHasGrantOption?
> 
> Ashutosh Chauhan wrote:
>     Although our api says, role.isGrantOption(), sql syntax is "with admin option". So, I think doesUserHasAdminOption() makes sense. But, if you feel strongly about this, I can change it. Its a private method anyway, so doesn't matter that much. Let me know what you prefer.

bq. if (!(isUserAdmin() || doesUserHasAdminOption())) {

Seeing this, thought strange that there are non-admin user having admin option. I'm good either way.


- Navis


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18250/#review34828
-----------------------------------------------------------


On Feb. 19, 2014, 3:31 a.m., Ashutosh Chauhan wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/18250/
> -----------------------------------------------------------
> 
> (Updated Feb. 19, 2014, 3:31 a.m.)
> 
> 
> Review request for hive.
> 
> 
> Bugs: HIVE-6433
>     https://issues.apache.org/jira/browse/HIVE-6433
> 
> 
> Repository: hive-git
> 
> 
> Description
> -------
> 
> SQL std auth - allow grant/revoke roles if user has ADMIN OPTION
> 
> 
> Diffs
> -----
> 
>   ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java c1afaee 
>   ql/src/test/queries/clientpositive/authorization_role_grant2.q PRE-CREATION 
>   ql/src/test/results/clientpositive/authorization_role_grant2.q.out PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/18250/diff/
> 
> 
> Testing
> -------
> 
> Added new test
> 
> 
> Thanks,
> 
> Ashutosh Chauhan
> 
>

Re: Review Request 18250: SQL std auth - allow grant/revoke roles if user has ADMIN OPTION

Posted by Ashutosh Chauhan <ha...@apache.org>.

> On Feb. 19, 2014, 2:04 a.m., Navis Ryu wrote:
> > ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java, line 457
> > <https://reviews.apache.org/r/18250/diff/1/?file=497250#file497250line457>
> >
> >     should this be doesUserHasGrantOption?

Although our api says, role.isGrantOption(), sql syntax is "with admin option". So, I think doesUserHasAdminOption() makes sense. But, if you feel strongly about this, I can change it. Its a private method anyway, so doesn't matter that much. Let me know what you prefer.


> On Feb. 19, 2014, 2:04 a.m., Navis Ryu wrote:
> > ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java, line 465
> > <https://reviews.apache.org/r/18250/diff/1/?file=497250#file497250line465>
> >
> >     nit. indent

will fix this.


- Ashutosh


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18250/#review34828
-----------------------------------------------------------


On Feb. 19, 2014, 12:28 a.m., Ashutosh Chauhan wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/18250/
> -----------------------------------------------------------
> 
> (Updated Feb. 19, 2014, 12:28 a.m.)
> 
> 
> Review request for hive.
> 
> 
> Bugs: HIVE-6433
>     https://issues.apache.org/jira/browse/HIVE-6433
> 
> 
> Repository: hive-git
> 
> 
> Description
> -------
> 
> SQL std auth - allow grant/revoke roles if user has ADMIN OPTION
> 
> 
> Diffs
> -----
> 
>   ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java c1afaee 
>   ql/src/test/queries/clientpositive/authorization_role_grant2.q PRE-CREATION 
>   ql/src/test/results/clientpositive/authorization_role_grant2.q.out PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/18250/diff/
> 
> 
> Testing
> -------
> 
> Added new test
> 
> 
> Thanks,
> 
> Ashutosh Chauhan
> 
>

Re: Review Request 18250: SQL std auth - allow grant/revoke roles if user has ADMIN OPTION

Posted by Navis Ryu <na...@nexr.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18250/#review34828
-----------------------------------------------------------



ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
<https://reviews.apache.org/r/18250/#comment65193>

    should this be doesUserHasGrantOption?



ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
<https://reviews.apache.org/r/18250/#comment65194>

    nit. indent


- Navis Ryu


On Feb. 19, 2014, 12:28 a.m., Ashutosh Chauhan wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/18250/
> -----------------------------------------------------------
> 
> (Updated Feb. 19, 2014, 12:28 a.m.)
> 
> 
> Review request for hive.
> 
> 
> Bugs: HIVE-6433
>     https://issues.apache.org/jira/browse/HIVE-6433
> 
> 
> Repository: hive-git
> 
> 
> Description
> -------
> 
> SQL std auth - allow grant/revoke roles if user has ADMIN OPTION
> 
> 
> Diffs
> -----
> 
>   ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java c1afaee 
>   ql/src/test/queries/clientpositive/authorization_role_grant2.q PRE-CREATION 
>   ql/src/test/results/clientpositive/authorization_role_grant2.q.out PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/18250/diff/
> 
> 
> Testing
> -------
> 
> Added new test
> 
> 
> Thanks,
> 
> Ashutosh Chauhan
> 
>