Posted to commits@hive.apache.org by th...@apache.org on 2014/10/14 01:51:40 UTC

svn commit: r1631602 - in /hive/branches/branch-0.14/ql/src: java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/ test/queries/clientpositive/ test/results/clientnegative/ test/results/clientpositive/

Author: thejas
Date: Mon Oct 13 23:51:39 2014
New Revision: 1631602

URL: http://svn.apache.org/r1631602
Log:
HIVE-7919 : sql std auth: user with 'admin option' for role should be able to list all users in the role (Thejas Nair, reviewed by Jason Dere)

Modified:
    hive/branches/branch-0.14/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
    hive/branches/branch-0.14/ql/src/test/queries/clientpositive/authorization_role_grant2.q
    hive/branches/branch-0.14/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out
    hive/branches/branch-0.14/ql/src/test/results/clientpositive/authorization_role_grant2.q.out

Modified: hive/branches/branch-0.14/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java?rev=1631602&r1=1631601&r2=1631602&view=diff
==============================================================================
--- hive/branches/branch-0.14/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java (original)
+++ hive/branches/branch-0.14/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java Mon Oct 13 23:51:39 2014
@@ -18,6 +18,7 @@
 package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -350,9 +351,9 @@ public class SQLStdHiveAccessController 
   @Override
   public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
     // only user belonging to admin role can list role
-    if (!isUserAdmin()) {
+    if (!isUserAdmin() &&  !doesUserHasAdminOption(Arrays.asList(roleName))) {
       throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
-        + " allowed get principals in a role. " + ADMIN_ONLY_MSG);
+        + " allowed get principals in a role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG);
     }
     try {
       return getHiveRoleGrants(metastoreClientFactory.getHiveMetastoreClient(), roleName);
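Review bot: The comment above the check, `// only user belonging to admin role can list role`, no longer matches the new condition, which also admits a user holding ADMIN OPTION on `roleName`. On an authorization gate the comment should state the actual policy, for example `// only admin role members, or users with ADMIN OPTION on this role, can list its principals`. The appended `HAS_ADMIN_PRIV_MSG` is worded for GRANT (the updated .q.out shows "grantor need to have ADMIN OPTION on role being granted"), so a message specific to SHOW PRINCIPALS would be clearer to the denied user. The visible tests cover an ADMIN OPTION holder and a user outside the admin role; a negative case for a role member without ADMIN OPTION would pin the new boundary, if one does not already exist elsewhere. The method body continues past the end of the hunk.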

Modified: hive/branches/branch-0.14/ql/src/test/queries/clientpositive/authorization_role_grant2.q
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/ql/src/test/queries/clientpositive/authorization_role_grant2.q?rev=1631602&r1=1631601&r2=1631602&view=diff
==============================================================================
--- hive/branches/branch-0.14/ql/src/test/queries/clientpositive/authorization_role_grant2.q (original)
+++ hive/branches/branch-0.14/ql/src/test/queries/clientpositive/authorization_role_grant2.q Mon Oct 13 23:51:39 2014
@@ -20,6 +20,7 @@ show principals src_role_wadmin;
 
 set user.name=user2;
 set role src_role_WadMin;
+show principals src_role_wadmin;
 -- grant role to another user
 grant src_Role_wadmin to user user3;
 

Modified: hive/branches/branch-0.14/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out?rev=1631602&r1=1631601&r2=1631602&view=diff
==============================================================================
--- hive/branches/branch-0.14/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out (original)
+++ hive/branches/branch-0.14/ql/src/test/results/clientnegative/authorization_show_role_principals_no_admin.q.out Mon Oct 13 23:51:39 2014
@@ -1,4 +1,4 @@
 PREHOOK: query: -- This test will fail because hive_test_user is not in admin role
 show principals role1
 PREHOOK: type: SHOW_ROLE_PRINCIPALS
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_test_user is not allowed get principals in a role. User has to belong to ADMIN role and have it as current role, for this action.
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive_test_user is not allowed get principals in a role. User has to belong to ADMIN role and have it as current role, for this action. Otherwise, grantor need to have ADMIN OPTION on role being granted and have it as a current role for this action.

Modified: hive/branches/branch-0.14/ql/src/test/results/clientpositive/authorization_role_grant2.q.out
URL: http://svn.apache.org/viewvc/hive/branches/branch-0.14/ql/src/test/results/clientpositive/authorization_role_grant2.q.out?rev=1631602&r1=1631601&r2=1631602&view=diff
==============================================================================
--- hive/branches/branch-0.14/ql/src/test/results/clientpositive/authorization_role_grant2.q.out (original)
+++ hive/branches/branch-0.14/ql/src/test/results/clientpositive/authorization_role_grant2.q.out Mon Oct 13 23:51:39 2014
@@ -41,6 +41,12 @@ PREHOOK: query: set role src_role_WadMin
 PREHOOK: type: SHOW_ROLES
 POSTHOOK: query: set role src_role_WadMin
 POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: show principals src_role_wadmin
+PREHOOK: type: SHOW_ROLE_PRINCIPALS
+POSTHOOK: query: show principals src_role_wadmin
+POSTHOOK: type: SHOW_ROLE_PRINCIPALS
+principal_name	principal_type	grant_option	grantor	grantor_type	grant_time
+user2	USER	true	hive_admin_user	USER	-1
 PREHOOK: query: -- grant role to another user
 grant src_Role_wadmin to user user3
 PREHOOK: type: GRANT_ROLE