You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by li...@apache.org on 2018/05/11 16:21:04 UTC
sentry git commit: SENTRY-2226: Support Hive operation ALTER TABLE
EXCHANGE. (Na Li, reviewed by Sergio Pena, Kalyan Kumar Kalvagadda)
Repository: sentry
Updated Branches:
refs/heads/master af8ea0ac1 -> 7ac2b05e5
SENTRY-2226: Support Hive operation ALTER TABLE EXCHANGE. (Na Li, reviewed by Sergio Pena, Kalyan Kumar Kalvagadda)
Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/7ac2b05e
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/7ac2b05e
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/7ac2b05e
Branch: refs/heads/master
Commit: 7ac2b05e5681e902dc01fc0d4cc21ac9eb13ae43
Parents: af8ea0a
Author: lina.li <li...@cloudera.com>
Authored: Fri May 11 11:17:09 2018 -0500
Committer: lina.li <li...@cloudera.com>
Committed: Fri May 11 11:17:09 2018 -0500
----------------------------------------------------------------------
.../hive/authz/HiveAuthzPrivilegesMap.java | 12 ++
.../TestDbColumnLevelMetaDataOps.java | 124 +++++++++++++++++++
2 files changed, 136 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/sentry/blob/7ac2b05e/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index ffa193f..4f932ea 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -112,6 +112,16 @@ public class HiveAuthzPrivilegesMap {
setOperationType(HiveOperationType.DDL).
build();
+ // input required privilege from Hive: SELECT on column level and DELETE on table level
+ // output required privilege from Hive: INSERT on table level
+ // Sentry makes it more restrictive, and requires ALL at input, INSERT and ALTER at output
+ HiveAuthzPrivileges alterTableExchangePrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
+ addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALL)).
+ addOutputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.INSERT, DBModelAction.ALTER)).
+ setOperationScope(HiveOperationScope.TABLE).
+ setOperationType(HiveOperationType.DDL).
+ build();
+
HiveAuthzPrivileges alterPartPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.ALTER)).
setOperationScope(HiveOperationScope.TABLE).
@@ -240,6 +250,8 @@ public class HiveAuthzPrivilegesMap {
hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_ADDCOLS, alterTablePrivilege);
hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_REPLACECOLS, alterTablePrivilege);
hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_PARTCOLTYPE, alterPartPrivilege);
+ hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_EXCHANGEPARTITION, alterTableExchangePrivilege);
+
hiveAuthzStmtPrivMap.put(HiveOperation.ALTERTABLE_BUCKETNUM, alterPartPrivilege);
hiveAuthzStmtPrivMap.put(HiveOperation.ALTERPARTITION_BUCKETNUM, alterPartPrivilege);
http://git-wip-us.apache.org/repos/asf/sentry/blob/7ac2b05e/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbColumnLevelMetaDataOps.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbColumnLevelMetaDataOps.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbColumnLevelMetaDataOps.java
index 3735179..c065f7f 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbColumnLevelMetaDataOps.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbColumnLevelMetaDataOps.java
@@ -371,4 +371,128 @@ public class TestDbColumnLevelMetaDataOps extends AbstractTestWithStaticConfigur
String query = "SHOW TABLE EXTENDED IN " + TEST_COL_METADATA_OPS_DB + " LIKE " + TEST_COL_METADATA_OPS_TB;
validateSemanticException(query, USER1_1);
}
+
+ /**
+ * User cannot exchange partition of tables without any privilege on input table and output table
+ * @throws Exception
+ */
+ @Test
+ public void testAlterTableExchangeNoPrivilege() throws Exception {
+ final String PAR_ROLE_NAME = "config1_user_role";
+ final String PAR_GROUP_NAME = USERGROUP1;
+ final String PAR_DB_NAME = "config1_test_database1";
+ final String PAR_INPUT_TABLE_NAME = "aliens";
+ final String PAR_OUTPUT_TABLE_NAME = "movie_stars";
+
+ establishSession(ADMIN1);
+ statement.execute("DROP DATABASE IF EXISTS " + PAR_DB_NAME + " CASCADE");
+ statement.execute("CREATE DATABASE " + PAR_DB_NAME);
+ statement.execute("CREATE ROLE " + PAR_ROLE_NAME);
+ statement.execute("GRANT ROLE " + PAR_ROLE_NAME + " TO GROUP " + PAR_GROUP_NAME);
+ statement.execute("CREATE TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME + " (name string) PARTITIONED BY (home_planet string, diet string)");
+ statement.execute("CREATE TABLE " + PAR_DB_NAME + "." + PAR_OUTPUT_TABLE_NAME + " (name string) PARTITIONED BY (home_planet string, diet string)");
+ statement.execute("ALTER TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME + " ADD PARTITION (home_planet='earth', diet='milk shakes')");
+ statement.execute("ALTER TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME + " ADD PARTITION (home_planet='trapis-4', diet='sentient lifeforms with cheese')");
+
+ String query = "ALTER TABLE " + PAR_DB_NAME + "." + PAR_OUTPUT_TABLE_NAME + " EXCHANGE PARTITION (home_planet='earth', diet='milk shakes') WITH TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME;
+ validateSemanticException(query, USER1_1);
+ }
+
+ /**
+ * User cannot exchange partition of tables without input required privilege
+ * @throws Exception
+ */
+ @Test
+ public void testAlterTableExchangeNoPrivilegeOnInput() throws Exception {
+ final String PAR_ROLE_NAME = "config1_user_role";
+ final String PAR_GROUP_NAME = USERGROUP1;
+ final String PAR_DB_NAME = "config1_test_database2";
+ final String PAR_INPUT_TABLE_NAME = "aliens";
+ final String PAR_OUTPUT_TABLE_NAME = "movie_stars";
+
+ establishSession(ADMIN1);
+ statement.execute("DROP DATABASE IF EXISTS " + PAR_DB_NAME + " CASCADE");
+ statement.execute("CREATE DATABASE " + PAR_DB_NAME);
+ statement.execute("CREATE ROLE " + PAR_ROLE_NAME);
+ statement.execute("GRANT ROLE " + PAR_ROLE_NAME + " TO GROUP " + PAR_GROUP_NAME);
+ statement.execute("CREATE TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME + " (name string) PARTITIONED BY (home_planet string, diet string)");
+ statement.execute("CREATE TABLE " + PAR_DB_NAME + "." + PAR_OUTPUT_TABLE_NAME + " (name string) PARTITIONED BY (home_planet string, diet string)");
+ statement.execute("ALTER TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME + " ADD PARTITION (home_planet='earth', diet='milk shakes')");
+ statement.execute("ALTER TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME + " ADD PARTITION (home_planet='trapis-4', diet='sentient lifeforms with cheese')");
+
+ // grant propert privilege to output table
+ statement.execute("GRANT INSERT ON TABLE " + PAR_DB_NAME + "." + PAR_OUTPUT_TABLE_NAME + " TO ROLE " + PAR_ROLE_NAME);
+ statement.execute("GRANT ALTER ON TABLE " + PAR_DB_NAME + "." + PAR_OUTPUT_TABLE_NAME + " TO ROLE " + PAR_ROLE_NAME);
+
+ // move a partition from a source table to target table and alter each table's metadata.
+ // ALTER TABLE <dest_table> EXCHANGE PARTITION (<[partial] partition spec>) WITH TABLE <src_table>
+ String query = "ALTER TABLE " + PAR_DB_NAME + "." + PAR_OUTPUT_TABLE_NAME + " EXCHANGE PARTITION (home_planet='earth', diet='milk shakes') WITH TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME;
+ validateSemanticException(query, USER1_1);
+ }
+
+ /**
+ * User cannot exchange partition of tables without output required privilege
+ * @throws Exception
+ */
+ @Test
+ public void testAlterTableExchangeNoPrivilegeOnOutput() throws Exception {
+ final String PAR_ROLE_NAME = "config1_user_role";
+ final String PAR_GROUP_NAME = USERGROUP1;
+ final String PAR_DB_NAME = "config1_test_database3";
+ final String PAR_INPUT_TABLE_NAME = "aliens";
+ final String PAR_OUTPUT_TABLE_NAME = "movie_stars";
+
+ establishSession(ADMIN1);
+ statement.execute("DROP DATABASE IF EXISTS " + PAR_DB_NAME + " CASCADE");
+ statement.execute("CREATE DATABASE " + PAR_DB_NAME);
+ statement.execute("CREATE ROLE " + PAR_ROLE_NAME);
+ statement.execute("GRANT ROLE " + PAR_ROLE_NAME + " TO GROUP " + PAR_GROUP_NAME);
+ statement.execute("CREATE TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME + " (name string) PARTITIONED BY (home_planet string, diet string)");
+ statement.execute("CREATE TABLE " + PAR_DB_NAME + "." + PAR_OUTPUT_TABLE_NAME + " (name string) PARTITIONED BY (home_planet string, diet string)");
+ statement.execute("ALTER TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME + " ADD PARTITION (home_planet='earth', diet='milk shakes')");
+ statement.execute("ALTER TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME + " ADD PARTITION (home_planet='trapis-4', diet='sentient lifeforms with cheese')");
+
+ // grant propert privilege to input table
+ statement.execute("GRANT ALL ON TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME + " TO ROLE " + PAR_ROLE_NAME);
+
+ // move a partition from a source table to target table and alter each table's metadata.
+ // ALTER TABLE <dest_table> EXCHANGE PARTITION (<[partial] partition spec>) WITH TABLE <src_table>
+ String query = "ALTER TABLE " + PAR_DB_NAME + "." + PAR_OUTPUT_TABLE_NAME + " EXCHANGE PARTITION (home_planet='earth', diet='milk shakes') WITH TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME;
+ validateSemanticException(query, USER1_1);
+ }
+
+ /**
+ * User can exchange partition of tables with both input and output required privileges
+ * @throws Exception
+ */
+ @Test
+ public void testAlterTableExchangeWithPrivilege() throws Exception {
+ final String PAR_ROLE_NAME = "config1_user_role";
+ final String PAR_GROUP_NAME = USERGROUP1;
+ final String PAR_DB_NAME = "config1_test_database4";
+ final String PAR_INPUT_TABLE_NAME = "aliens";
+ final String PAR_OUTPUT_TABLE_NAME = "movie_stars";
+
+ establishSession(ADMIN1);
+ statement.execute("DROP DATABASE IF EXISTS " + PAR_DB_NAME + " CASCADE");
+ statement.execute("CREATE DATABASE " + PAR_DB_NAME);
+ statement.execute("CREATE ROLE " + PAR_ROLE_NAME);
+ statement.execute("GRANT ROLE " + PAR_ROLE_NAME + " TO GROUP " + PAR_GROUP_NAME);
+ statement.execute("CREATE TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME + " (name string) PARTITIONED BY (home_planet string, diet string)");
+ statement.execute("CREATE TABLE " + PAR_DB_NAME + "." + PAR_OUTPUT_TABLE_NAME + " (name string) PARTITIONED BY (home_planet string, diet string)");
+ statement.execute("ALTER TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME + " ADD PARTITION (home_planet='earth', diet='milk shakes')");
+ statement.execute("ALTER TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME + " ADD PARTITION (home_planet='trapis-4', diet='sentient lifeforms with cheese')");
+
+ // grant propert privilege to input table
+ statement.execute("GRANT ALL ON TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME + " TO ROLE " + PAR_ROLE_NAME);
+ // grant propert privilege to output table
+ statement.execute("GRANT INSERT ON TABLE " + PAR_DB_NAME + "." + PAR_OUTPUT_TABLE_NAME + " TO ROLE " + PAR_ROLE_NAME);
+ statement.execute("GRANT ALTER ON TABLE " + PAR_DB_NAME + "." + PAR_OUTPUT_TABLE_NAME + " TO ROLE " + PAR_ROLE_NAME);
+
+ // move a partition from a source table to target table and alter each table's metadata.
+ // ALTER TABLE <dest_table> EXCHANGE PARTITION (<[partial] partition spec>) WITH TABLE <src_table>
+ String query = "ALTER TABLE " + PAR_DB_NAME + "." + PAR_OUTPUT_TABLE_NAME + " EXCHANGE PARTITION (home_planet='earth', diet='milk shakes') WITH TABLE " + PAR_DB_NAME + "." + PAR_INPUT_TABLE_NAME;
+ establishSession(USER1_1);
+ statement.execute(query);
+ }
}