Posted to commits@hive.apache.org by th...@apache.org on 2014/08/16 01:49:51 UTC

svn commit: r1618293 - in /hive/trunk: itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestMetastoreAuthorizationProvider.java ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java

Author: thejas
Date: Fri Aug 15 23:49:50 2014
New Revision: 1618293

URL: http://svn.apache.org/r1618293
Log:
HIVE-6093 : table creation should fail when user does not have permissions on db (Thiruvel Thirumoolan via Thejas Nair)

Modified:
    hive/trunk/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestMetastoreAuthorizationProvider.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java

Modified: hive/trunk/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestMetastoreAuthorizationProvider.java
URL: http://svn.apache.org/viewvc/hive/trunk/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestMetastoreAuthorizationProvider.java?rev=1618293&r1=1618292&r2=1618293&view=diff
==============================================================================
--- hive/trunk/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestMetastoreAuthorizationProvider.java (original)
+++ hive/trunk/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/TestMetastoreAuthorizationProvider.java Fri Aug 15 23:49:50 2014
@@ -24,6 +24,7 @@ import java.util.List;
 
 import junit.framework.TestCase;
 
+import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hive.cli.CliSessionState;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.metastore.HiveMetaStoreClient;
@@ -172,6 +173,17 @@ public class TestMetastoreAuthorizationP
         String.format("create table %s (a string) partitioned by (b string)", tblName));
 
     assertEquals(1,ret.getResponseCode());
+
+    // Even if table location is specified table creation should fail
+    String tblNameLoc = tblName + "_loc";
+    String tblLocation = new Path(dbLocn).getParent().toUri() + "/" + tblNameLoc;
+
+    driver.run("use " + dbName);
+    ret = driver.run(
+        String.format("create table %s (a string) partitioned by (b string) location '" +
+            tblLocation + "'", tblNameLoc));
+    assertEquals(1, ret.getResponseCode());
+
     // failure from not having permissions to create table
 
     ArrayList<FieldSchema> fields = new ArrayList<FieldSchema>(2);
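Review bot: The negative case added after the first `assertEquals(1, ...)` can pass for the wrong reason: the result of `driver.run("use " + dbName)` is discarded and the only assertion is a response code of 1, so a failed `use` or a malformed statement would look the same as the authorization denial the test is meant to pin. Checking the switch with `assertEquals(0, driver.run("use " + dbName).getResponseCode());` would narrow that. `tblLocation` is also concatenated into the format string, so a `%` in the path would be read as a format specifier; passing it as an argument, `String.format("create table %s (a string) partitioned by (b string) location '%s'", tblNameLoc, tblLocation)`, avoids that, and the same applies to the positive case in the `@@ -215,6 +227,15 @@` hunk. The enclosing test method starts and ends outside the hunk.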
@@ -215,6 +227,15 @@ public class TestMetastoreAuthorizationP
 
     validateCreateTable(tbl,tblName, dbName);
 
+    // Table creation should succeed even if location is specified
+    driver.run("use " + dbName);
+    ret = driver.run(
+        String.format("create table %s (a string) partitioned by (b string) location '" +
+            tblLocation + "'", tblNameLoc));
+    assertEquals(0, ret.getResponseCode());
+    Table tblLoc = msc.getTable(dbName, tblNameLoc);
+    validateCreateTable(tblLoc, tblNameLoc, dbName);
+
     String fakeUser = "mal";
     List<String> fakeGroupNames = new ArrayList<String>();
     fakeGroupNames.add("groupygroup");

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java?rev=1618293&r1=1618292&r2=1618293&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.java Fri Aug 15 23:49:50 2014
@@ -148,22 +148,19 @@ public class StorageBasedAuthorizationPr
   public void authorize(Table table, Privilege[] readRequiredPriv, Privilege[] writeRequiredPriv)
       throws HiveException, AuthorizationException {
 
-    // Table path can be null in the case of a new create table - in this case,
-    // we try to determine what the path would be after the create table is issued.
-    Path path = null;
+    // To create/drop/alter a table, the owner should have WRITE permission on the database directory
+    authorize(hive_db.getDatabase(table.getDbName()), readRequiredPriv, writeRequiredPriv);
+
+    // If the user has specified a location - external or not, check if the user has the
     try {
       initWh();
       String location = table.getTTable().getSd().getLocation();
-      if (location == null || location.isEmpty()) {
-        path = wh.getTablePath(hive_db.getDatabase(table.getDbName()), table.getTableName());
-      } else {
-        path = new Path(location);
+      if (location != null && !location.isEmpty()) {
+        authorize(new Path(location), readRequiredPriv, writeRequiredPriv);
       }
     } catch (MetaException ex) {
       throw hiveException(ex);
     }
-
-    authorize(path, readRequiredPriv, writeRequiredPriv);
   }
 
   @Override
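Review bot: The new database-level call at the top of `authorize(Table, ...)` runs on every invocation and forwards both `readRequiredPriv` and `writeRequiredPriv`, while its comment limits the intent to create/drop/alter needing WRITE on the database directory. If this overload is also reached for read-only table operations (not visible in this hunk), those would now be checked against the database directory as well, which is stricter than the comment describes; either the comment should say so, or the call should be limited to the privileges it names. `hive_db.getDatabase(table.getDbName())` is passed straight through, so it is worth confirming that the `Database` overload tolerates a missing database rather than failing with a NullPointerException. The second comment is cut off mid-sentence and could read `// If the user has specified a location - external or not, check if the user has the required privileges on that location as well`.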