You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by pr...@apache.org on 2014/09/19 07:49:02 UTC
git commit: SENTRY-423: Hive command "SHOW TABLE EXTENDED LIKE... "
failed with NPE (Chaoyu Tang via Prasad Mujumdar)
Repository: incubator-sentry
Updated Branches:
refs/heads/master fa5f81c77 -> 1e5826f85
SENTRY-423: Hive command "SHOW TABLE EXTENDED LIKE... " failed with NPE (Chaoyu Tang via Prasad Mujumdar)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/1e5826f8
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/1e5826f8
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/1e5826f8
Branch: refs/heads/master
Commit: 1e5826f85601319a2ef9c4bdab999ff1db697668
Parents: fa5f81c
Author: Prasad Mujumdar <pr...@cloudera.com>
Authored: Thu Sep 18 22:48:56 2014 -0700
Committer: Prasad Mujumdar <pr...@cloudera.com>
Committed: Thu Sep 18 22:48:56 2014 -0700
----------------------------------------------------------------------
.../binding/hive/HiveAuthzBindingHook.java | 15 ++++-
.../sentry/tests/e2e/hive/TestOperations.java | 7 +++
.../e2e/hive/TestRuntimeMetadataRetrieval.java | 62 ++++++++++++++++++++
3 files changed, 83 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1e5826f8/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 6a00dc9..0546e6a 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -151,7 +151,6 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook {
break;
case HiveParser.TOK_DROPTABLE:
case HiveParser.TOK_DROPVIEW:
- case HiveParser.TOK_SHOW_TABLESTATUS:
case HiveParser.TOK_SHOW_CREATETABLE:
case HiveParser.TOK_ALTERTABLE_SERIALIZER:
case HiveParser.TOK_ALTERVIEW_ADDPARTS:
@@ -166,6 +165,20 @@ public class HiveAuthzBindingHook extends AbstractSemanticAnalyzerHook {
case HiveParser.TOK_ALTERINDEX_REBUILD:
currTab = extractTable((ASTNode)ast.getChild(0)); //type is not TOK_TABNAME
currDB = extractDatabase((ASTNode) ast.getChild(0));
+ case HiveParser.TOK_SHOW_TABLESTATUS:
+ currDB = extractDatabase((ASTNode)ast.getChild(0));
+ int children = ast.getChildCount();
+ for (int i = 1; i < children; i++) {
+ ASTNode child = (ASTNode) ast.getChild(i);
+ if (child.getToken().getType() == HiveParser.Identifier) {
+ currDB = new Database(child.getText());
+ break;
+ }
+ }
+ //loosing the requested privileges for possible wildcard tables, since
+ //further authorization will be done at the filter step and those unwanted will
+ //eventually be filtered out from the output
+ currTab = Table.ALL;
break;
case HiveParser.TOK_ALTERTABLE_RENAME:
case HiveParser.TOK_ALTERTABLE_PROPERTIES:
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1e5826f8/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
index c59b2db..89d7b2a 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
@@ -326,6 +326,7 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
6. Describe tb1 : HiveOperation.DESCTABLE5.
7. HiveOperation.SHOWPARTITIONS
8. TODO: show functions?
+ 9. HiveOperation.SHOW_TABLESTATUS
*/
@Test
public void testSelectOnTable() throws Exception {
@@ -347,6 +348,7 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
statement.executeQuery("SHOW indexes on tb1");
statement.executeQuery("SHOW COLUMNS from tb1");
statement.executeQuery("SHOW functions '.*'");
+ statement.executeQuery("SHOW TABLE EXTENDED IN " + DB1 + " LIKE 'tb*'");
statement.executeQuery("DESCRIBE tb1");
statement.executeQuery("DESCRIBE tb1 PARTITION (b=1)");
@@ -355,6 +357,7 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
connection.close();
//Negative case
+ adminCreate(DB2, tableName);
policyFile
.addPermissionsToRole("insert_db1_tb1", privileges.get("insert_db1_tb1"))
.addRolesToGroup(USERGROUP3, "insert_db1_tb1");
@@ -363,6 +366,8 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
statement = context.createStatement(connection);
statement.execute("Use " + DB1);
context.assertSentrySemanticException(statement, "select * from tb1", semanticException);
+ context.assertSentrySemanticException(statement,
+ "SHOW TABLE EXTENDED IN " + DB2 + " LIKE 'tb*'", semanticException);
statement.close();
connection.close();
@@ -379,6 +384,7 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
6. HiveOperation.SHOWPARTITIONS
7. TODO: show functions?
8. TODO: lock, unlock, Show locks
+ 9. HiveOperation.SHOW_TABLESTATUS
*/
@Test
public void testInsertOnTable() throws Exception {
@@ -401,6 +407,7 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
statement.executeQuery("SHOW COLUMNS from tb1");
statement.executeQuery("SHOW functions '.*'");
//statement.executeQuery("SHOW LOCKS tb1");
+ statement.executeQuery("SHOW TABLE EXTENDED IN " + DB1 + " LIKE 'tb*'");
//NoViableAltException
//statement.executeQuery("SHOW transactions");
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/1e5826f8/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java
index 4eb1fdf..e103465 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestRuntimeMetadataRetrieval.java
@@ -251,6 +251,52 @@ public class TestRuntimeMetadataRetrieval extends AbstractTestWithStaticConfigur
}
/**
+ * Steps: 1. admin create db_1 and tb_1, tb_2, tb_3, tb_4 and table_5
+ * 2. admin should see all tables except table_5 which does not match tb*
+ * 3. user1 should only see the matched tables it has any level of privilege
+ */
+ @Test
+ public void testShowTablesExtended() throws Exception {
+ // tables visible to user1 (not access to tb_4
+ String tableNames[] = {"tb_1", "tb_2", "tb_3", "tb_4", "table_5"};
+ List<String> tableNamesValidation = new ArrayList<String>();
+
+ policyFile
+ .addRolesToGroup(USERGROUP1, "tab1_priv,tab2_priv,tab3_priv")
+ .addPermissionsToRole("tab1_priv", "server=server1->db=" + DB1 + "->table="
+ + tableNames[0] + "->action=select")
+ .addPermissionsToRole("tab2_priv", "server=server1->db=" + DB1 + "->table="
+ + tableNames[1] + "->action=insert")
+ .addPermissionsToRole("tab3_priv", "server=server1->db=" + DB1 + "->table="
+ + tableNames[2] + "->action=select")
+ .setUserGroupMapping(StaticUserGroup.getStaticMapping());
+ writePolicyFile(policyFile);
+
+ String user1TableNames[] = {"tb_1", "tb_2", "tb_3"};
+
+ Connection connection = context.createConnection(ADMIN1);
+ Statement statement = context.createStatement(connection);
+ statement.execute("DROP DATABASE IF EXISTS " + DB1 + " CASCADE");
+ statement.execute("CREATE DATABASE " + DB1);
+ statement.execute("USE " + DB1);
+ createTabs(statement, DB1, tableNames);
+ // Admin should see all tables except table_5, the one does not match the pattern
+ ResultSet rs = statement.executeQuery("SHOW TABLE EXTENDED IN " + DB1 + " LIKE 'tb*'");
+ tableNamesValidation.addAll(Arrays.asList(tableNames).subList(0, 4));
+ validateTablesInRs(rs, DB1, tableNamesValidation);
+ statement.close();
+
+ connection = context.createConnection(USER1_1);
+ statement = context.createStatement(connection);
+ statement.execute("USE " + DB1);
+ // User1 should see tables with any level of access
+ rs = statement.executeQuery("SHOW TABLE EXTENDED IN " + DB1 + " LIKE 'tb*'");
+ tableNamesValidation.addAll(Arrays.asList(user1TableNames));
+ validateTablesInRs(rs, DB1, tableNamesValidation);
+ statement.close();
+ }
+
+ /**
* Steps: 1. admin create few dbs
* 2. admin can do show databases
* 3. users with db level permissions should only those dbs on 'show database'
@@ -359,4 +405,20 @@ public class TestRuntimeMetadataRetrieval extends AbstractTestWithStaticConfigur
Assert.assertTrue(tableNames.toString(), tableNames.isEmpty());
rs.close();
}
+
+ // compare the tables in resultset with given array of table names
+ // for some hive query like 'show table extended ...', the resultset does
+ // not only contains tableName (See HIVE-8109)
+ private void validateTablesInRs(ResultSet rs, String dbName,
+ List<String> tableNames) throws SQLException {
+ while (rs.next()) {
+ String tableName = rs.getString(1);
+ if (tableName.startsWith("tableName:")) {
+ Assert.assertTrue("Expected table " + tableName.substring(10),
+ tableNames.remove(tableName.substring(10).toLowerCase()));
+ }
+ }
+ Assert.assertTrue(tableNames.toString(), tableNames.isEmpty());
+ rs.close();
+ }
}