Posted to commits@hive.apache.org by de...@apache.org on 2023/08/16 00:45:45 UTC

[hive] branch master updated: HIVE-27304: Exclude CTAS condition while forming storage handler url permissions in HS2 authorizer (Sai Hemanth Gantasala, reviewed by Attila Turoczy, Zhihua Deng, Janos Kovacs)

This is an automated email from the ASF dual-hosted git repository.

dengzh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new e4348422c6f HIVE-27304: Exclude CTAS condition while forming storage handler url permissions in HS2 authorizer (Sai Hemanth Gantasala, reviewed by Attila Turoczy, Zhihua Deng, Janos Kovacs)
e4348422c6f is described below

commit e4348422c6f3b1910a8600ea7c7bd839894dcd6f
Author: Sai Hemanth Gantasala <68...@users.noreply.github.com>
AuthorDate: Tue Aug 15 17:45:38 2023 -0700

    HIVE-27304: Exclude CTAS condition while forming storage handler url permissions in HS2 authorizer (Sai Hemanth Gantasala, reviewed by Attila Turoczy, Zhihua Deng, Janos Kovacs)
    
    Closes #4276
---
 .../authorization/command/CommandAuthorizerV2.java |   5 +-
 .../authorization_privilege_objects.q              |  45 ++++++
 .../llap/authorization_privilege_objects.q.out     | 177 +++++++++++++++++++++
 3 files changed, 225 insertions(+), 2 deletions(-)

diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java
index c21dca345ef..08e016223e4 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java
@@ -200,9 +200,10 @@ final class CommandAuthorizerV2 {
       if (table.getStorageHandler() != null && HiveConf.getBoolVar(SessionState.getSessionConf(),
           HiveConf.ConfVars.HIVE_AUTHORIZATION_TABLES_ON_STORAGEHANDLERS)) {
         //TODO: add hive privilege object for storage based handlers for create and alter table commands.
-        if (hiveOpType == HiveOperationType.CREATETABLE ||
+        if (privObject instanceof WriteEntity &&
+                (hiveOpType == HiveOperationType.CREATETABLE ||
                 hiveOpType == HiveOperationType.ALTERTABLE_PROPERTIES ||
-                hiveOpType == HiveOperationType.CREATETABLE_AS_SELECT) {
+                hiveOpType == HiveOperationType.CREATETABLE_AS_SELECT)) {
           try {
             String storageUri = table.getStorageHandler().getURIForAuth(table.getTTable()).toString();
             hivePrivObjs.add(new HivePrivilegeObject(HivePrivilegeObjectType.STORAGEHANDLER_URI, null, storageUri, null, null,
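Review bot: The new `privObject instanceof WriteEntity` guard changes which entities receive a STORAGEHANDLER_URI privilege object, but the only comment above it is still the old TODO, so the reason for the guard is not recorded in the code — and the commit title ("Exclude CTAS condition") reads differently from what the hunk does, since CREATETABLE_AS_SELECT stays in the operation list and is instead gated on the entity being an output. I would replace or extend the TODO with `// Only the table being created or altered (a WriteEntity) needs the storage handler URI privilege; the source table of a CTAS is a ReadEntity and is covered by its own table-level privilege object.` This also means reading from a storage-handler-backed table inside a CTAS no longer asserts any privilege on the handler's URI, which is presumably consistent with a plain SELECT on the same table; if that is the intended model, the comment should say so, since it is the security-relevant decision in this hunk. For ALTERTABLE_PROPERTIES, where the same table likely appears as both input and output, the guard also appears to stop the URI object from being added twice — worth confirming. The enclosing method starts and ends outside this hunk, and the declared type of `privObject` is not visible here.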
diff --git a/ql/src/test/queries/clientpositive/authorization_privilege_objects.q b/ql/src/test/queries/clientpositive/authorization_privilege_objects.q
index 79f8c90a492..2f80064c7e7 100644
--- a/ql/src/test/queries/clientpositive/authorization_privilege_objects.q
+++ b/ql/src/test/queries/clientpositive/authorization_privilege_objects.q
@@ -19,3 +19,48 @@ DROP TABLE test_auth_obj_db.test_privs2;
 set user.name=testuser;
 DROP TABLE test_auth_obj_db.test_privs;
 DROP DATABASE test_auth_obj_db;
+
+set user.name=hive_admin_user;
+set role admin;
+
+CREATE TEMPORARY FUNCTION dboutput AS 'org.apache.hadoop.hive.contrib.genericudf.example.GenericUDFDBOutput';
+
+SELECT
+dboutput ( 'jdbc:derby:;databaseName=${system:test.tmp.dir}/test_derby_as_external_table_db;create=true','','',
+'CREATE TABLE SIMPLE_DERBY_TABLE1 ("ikey" INTEGER, "bkey" BIGINT, "fkey" REAL, "dkey" DOUBLE)' );
+
+CREATE EXTERNAL TABLE ext_simple_derby_table_src
+(
+ ikey int,
+ bkey bigint,
+ fkey float,
+ dkey double
+)
+STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
+TBLPROPERTIES (
+                "hive.sql.database.type" = "DERBY",
+                "hive.sql.jdbc.driver" = "org.apache.derby.jdbc.EmbeddedDriver",
+                "hive.sql.jdbc.url" = "jdbc:derby:;databaseName=${system:test.tmp.dir}/test_derby_as_external_table_db;create=true;collation=TERRITORY_BASED:PRIMARY",
+                "hive.sql.dbcp.username" = "APP",
+                "hive.sql.dbcp.password" = "mine",
+                "hive.sql.table" = "SIMPLE_DERBY_TABLE1",
+                "hive.sql.dbcp.maxActive" = "1"
+);
+
+create table ext_simple_derby_table_ctas as select * from ext_simple_derby_table_src;
+
+CREATE EXTERNAL TABLE default.jdbctable_from_ctas
+STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
+TBLPROPERTIES (
+                "hive.sql.database.type" = "DERBY",
+                "hive.sql.jdbc.driver" = "org.apache.derby.jdbc.EmbeddedDriver",
+                "hive.sql.jdbc.url" = "jdbc:derby:;databaseName=${system:test.tmp.dir}/test_derby_as_external_table_db;create=true;collation=TERRITORY_BASED:PRIMARY",
+                "hive.sql.dbcp.username" = "APP",
+                "hive.sql.dbcp.password" = "mine",
+                "hive.sql.table" = "SIMPLE_DERBY_TABLE1",
+                "hive.sql.dbcp.maxActive" = "1"
+) as select * from default.ext_simple_derby_table_ctas;
+
+drop table default.jdbctable_from_ctas;
+drop table default.ext_simple_derby_table_ctas;
+drop table default.ext_simple_derby_table_src;
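Review bot: The added scenario has no comment stating what it is checking, which matters because its expected output is a dump of the privilege objects that were formed rather than an allow/deny outcome, so a future reader cannot tell which lines of the .q.out are the assertion. A header line such as `-- HIVE-27304: a CTAS reading from a storage-handler table must form a STORAGEHANDLER_URI privilege object only for the table being created, not for the source table` before the `set user.name=hive_admin_user;` line would make that explicit. The script also runs entirely as `hive_admin_user` with `set role admin`, so it exercises object formation but not a denial for an unprivileged user; that seems to be the intent of this file, but it is worth stating in the same comment.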
diff --git a/ql/src/test/results/clientpositive/llap/authorization_privilege_objects.q.out b/ql/src/test/results/clientpositive/llap/authorization_privilege_objects.q.out
index aad682f2465..7fc7b371c31 100644
--- a/ql/src/test/results/clientpositive/llap/authorization_privilege_objects.q.out
+++ b/ql/src/test/results/clientpositive/llap/authorization_privilege_objects.q.out
@@ -225,3 +225,180 @@ POSTHOOK: query: DROP DATABASE test_auth_obj_db
 POSTHOOK: type: DROPDATABASE
 POSTHOOK: Input: database:test_auth_obj_db
 POSTHOOK: Output: database:test_auth_obj_db
+PREHOOK: query: set role admin
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role admin
+POSTHOOK: type: SHOW_ROLES
+outputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: dboutput type: FUNCTION actionType: OTHER}
+PREHOOK: query: CREATE TEMPORARY FUNCTION dboutput AS 'org.apache.hadoop.hive.contrib.genericudf.example.GenericUDFDBOutput'
+PREHOOK: type: CREATEFUNCTION
+PREHOOK: Output: dboutput
+POSTHOOK: query: CREATE TEMPORARY FUNCTION dboutput AS 'org.apache.hadoop.hive.contrib.genericudf.example.GenericUDFDBOutput'
+POSTHOOK: type: CREATEFUNCTION
+POSTHOOK: Output: dboutput
+PREHOOK: query: SELECT
+#### A masked pattern was here ####
+'CREATE TABLE SIMPLE_DERBY_TABLE1 ("ikey" INTEGER, "bkey" BIGINT, "fkey" REAL, "dkey" DOUBLE)' )
+PREHOOK: type: QUERY
+PREHOOK: Input: _dummy_database@_dummy_table
+#### A masked pattern was here ####
+POSTHOOK: query: SELECT
+#### A masked pattern was here ####
+'CREATE TABLE SIMPLE_DERBY_TABLE1 ("ikey" INTEGER, "bkey" BIGINT, "fkey" REAL, "dkey" DOUBLE)' )
+POSTHOOK: type: QUERY
+POSTHOOK: Input: _dummy_database@_dummy_table
+#### A masked pattern was here ####
+0
+outputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_src type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER}
+#### A masked pattern was here ####
+HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default OWNER: public OWNERTYPE: ROLE}
+PREHOOK: query: CREATE EXTERNAL TABLE ext_simple_derby_table_src
+(
+ ikey int,
+ bkey bigint,
+ fkey float,
+ dkey double
+)
+STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
+TBLPROPERTIES (
+                "hive.sql.database.type" = "DERBY",
+                "hive.sql.jdbc.driver" = "org.apache.derby.jdbc.EmbeddedDriver",
+#### A masked pattern was here ####
+                "hive.sql.dbcp.username" = "APP",
+                "hive.sql.dbcp.password" = "mine",
+                "hive.sql.table" = "SIMPLE_DERBY_TABLE1",
+                "hive.sql.dbcp.maxActive" = "1"
+)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+PREHOOK: Output: default@ext_simple_derby_table_src
+POSTHOOK: query: CREATE EXTERNAL TABLE ext_simple_derby_table_src
+(
+ ikey int,
+ bkey bigint,
+ fkey float,
+ dkey double
+)
+STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
+TBLPROPERTIES (
+                "hive.sql.database.type" = "DERBY",
+                "hive.sql.jdbc.driver" = "org.apache.derby.jdbc.EmbeddedDriver",
+#### A masked pattern was here ####
+                "hive.sql.dbcp.username" = "APP",
+                "hive.sql.dbcp.password" = "mine",
+                "hive.sql.table" = "SIMPLE_DERBY_TABLE1",
+                "hive.sql.dbcp.maxActive" = "1"
+)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@ext_simple_derby_table_src
+applyRowFilterAndColumnMasking:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_src type: TABLE_OR_VIEW actionType: OTHER dbName: default columns: [ikey, bkey, fkey, dkey]}
+inputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_src type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER columns: [bkey, dkey, fkey, ikey]}
+outputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_ctas type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER}
+HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default OWNER: public OWNERTYPE: ROLE}
+PREHOOK: query: create table ext_simple_derby_table_ctas as select * from ext_simple_derby_table_src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@ext_simple_derby_table_src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@ext_simple_derby_table_ctas
+POSTHOOK: query: create table ext_simple_derby_table_ctas as select * from ext_simple_derby_table_src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@ext_simple_derby_table_src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@ext_simple_derby_table_ctas
+POSTHOOK: Lineage: ext_simple_derby_table_ctas.bkey SIMPLE [(ext_simple_derby_table_src)ext_simple_derby_table_src.FieldSchema(name:bkey, type:bigint, comment:from deserializer), ]
+POSTHOOK: Lineage: ext_simple_derby_table_ctas.dkey SIMPLE [(ext_simple_derby_table_src)ext_simple_derby_table_src.FieldSchema(name:dkey, type:double, comment:from deserializer), ]
+POSTHOOK: Lineage: ext_simple_derby_table_ctas.fkey SIMPLE [(ext_simple_derby_table_src)ext_simple_derby_table_src.FieldSchema(name:fkey, type:float, comment:from deserializer), ]
+POSTHOOK: Lineage: ext_simple_derby_table_ctas.ikey SIMPLE [(ext_simple_derby_table_src)ext_simple_derby_table_src.FieldSchema(name:ikey, type:int, comment:from deserializer), ]
+applyRowFilterAndColumnMasking:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_ctas type: TABLE_OR_VIEW actionType: OTHER dbName: default columns: [bkey, dkey, fkey, ikey]}
+inputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_ctas type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER columns: [bkey, dkey, fkey, ikey]}
+outputHObjs:
+#### A masked pattern was here ####
+HIVE PRIVILEGE OBJECT { objectName: jdbctable_from_ctas type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER}
+HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default OWNER: public OWNERTYPE: ROLE}
+PREHOOK: query: CREATE EXTERNAL TABLE default.jdbctable_from_ctas
+STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
+TBLPROPERTIES (
+                "hive.sql.database.type" = "DERBY",
+                "hive.sql.jdbc.driver" = "org.apache.derby.jdbc.EmbeddedDriver",
+#### A masked pattern was here ####
+                "hive.sql.dbcp.username" = "APP",
+                "hive.sql.dbcp.password" = "mine",
+                "hive.sql.table" = "SIMPLE_DERBY_TABLE1",
+                "hive.sql.dbcp.maxActive" = "1"
+) as select * from default.ext_simple_derby_table_ctas
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@ext_simple_derby_table_ctas
+PREHOOK: Output: database:default
+PREHOOK: Output: default@jdbctable_from_ctas
+POSTHOOK: query: CREATE EXTERNAL TABLE default.jdbctable_from_ctas
+STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
+TBLPROPERTIES (
+                "hive.sql.database.type" = "DERBY",
+                "hive.sql.jdbc.driver" = "org.apache.derby.jdbc.EmbeddedDriver",
+#### A masked pattern was here ####
+                "hive.sql.dbcp.username" = "APP",
+                "hive.sql.dbcp.password" = "mine",
+                "hive.sql.table" = "SIMPLE_DERBY_TABLE1",
+                "hive.sql.dbcp.maxActive" = "1"
+) as select * from default.ext_simple_derby_table_ctas
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@ext_simple_derby_table_ctas
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@jdbctable_from_ctas
+POSTHOOK: Lineage: jdbctable_from_ctas.bkey SIMPLE [(ext_simple_derby_table_ctas)ext_simple_derby_table_ctas.FieldSchema(name:bkey, type:bigint, comment:null), ]
+POSTHOOK: Lineage: jdbctable_from_ctas.dkey SIMPLE [(ext_simple_derby_table_ctas)ext_simple_derby_table_ctas.FieldSchema(name:dkey, type:double, comment:null), ]
+POSTHOOK: Lineage: jdbctable_from_ctas.fkey SIMPLE [(ext_simple_derby_table_ctas)ext_simple_derby_table_ctas.FieldSchema(name:fkey, type:float, comment:null), ]
+POSTHOOK: Lineage: jdbctable_from_ctas.ikey SIMPLE [(ext_simple_derby_table_ctas)ext_simple_derby_table_ctas.FieldSchema(name:ikey, type:int, comment:null), ]
+inputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: jdbctable_from_ctas type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER}
+outputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: jdbctable_from_ctas type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER}
+HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default OWNER: public OWNERTYPE: ROLE}
+PREHOOK: query: drop table default.jdbctable_from_ctas
+PREHOOK: type: DROPTABLE
+PREHOOK: Input: default@jdbctable_from_ctas
+PREHOOK: Output: database:default
+PREHOOK: Output: default@jdbctable_from_ctas
+POSTHOOK: query: drop table default.jdbctable_from_ctas
+POSTHOOK: type: DROPTABLE
+POSTHOOK: Input: default@jdbctable_from_ctas
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@jdbctable_from_ctas
+inputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_ctas type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER}
+outputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_ctas type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER}
+HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default OWNER: public OWNERTYPE: ROLE}
+PREHOOK: query: drop table default.ext_simple_derby_table_ctas
+PREHOOK: type: DROPTABLE
+PREHOOK: Input: default@ext_simple_derby_table_ctas
+PREHOOK: Output: database:default
+PREHOOK: Output: default@ext_simple_derby_table_ctas
+POSTHOOK: query: drop table default.ext_simple_derby_table_ctas
+POSTHOOK: type: DROPTABLE
+POSTHOOK: Input: default@ext_simple_derby_table_ctas
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@ext_simple_derby_table_ctas
+inputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_src type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER}
+outputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_src type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER}
+HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default OWNER: public OWNERTYPE: ROLE}
+PREHOOK: query: drop table default.ext_simple_derby_table_src
+PREHOOK: type: DROPTABLE
+PREHOOK: Input: default@ext_simple_derby_table_src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@ext_simple_derby_table_src
+POSTHOOK: query: drop table default.ext_simple_derby_table_src
+POSTHOOK: type: DROPTABLE
+POSTHOOK: Input: default@ext_simple_derby_table_src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@ext_simple_derby_table_src