Posted to commits@hive.apache.org by th...@apache.org on 2014/08/15 23:44:50 UTC
svn commit: r1618283 [1/2] - in /hive/trunk:
common/src/java/org/apache/hadoop/hive/conf/
itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/
itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/ itests/...
Author: thejas
Date: Fri Aug 15 21:44:48 2014
New Revision: 1618283
URL: http://svn.apache.org/r1618283
Log:
HIVE-7533 : sql std auth - set authorization privileges for tables when created from hive cli (Thejas Nair, reviewed by Jason Dere)
Added:
hive/trunk/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestCLIAuthzSessionContext.java
hive/trunk/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzSessionContext.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzSessionContext.java
hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerCLI.java
hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerHS2.java
hive/trunk/ql/src/test/queries/clientnegative/authorization_cli_auth_enable.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_cli_createtab.q
hive/trunk/ql/src/test/results/clientnegative/authorization_cli_auth_enable.q.out
hive/trunk/ql/src/test/results/clientpositive/authorization_cli_createtab.q.out
Modified:
hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
hive/trunk/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java
hive/trunk/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java
hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzContext.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java
hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestSessionUserName.java
hive/trunk/ql/src/test/queries/clientnegative/authorization_addjar.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_addpartition.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_alter_db_owner.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_alter_db_owner_default.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_cannot_create_all_role.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_cannot_create_default_role.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_cannot_create_none_role.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_caseinsensitivity.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_compile.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_create_func1.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_create_func2.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_create_index.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_create_macro1.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_createview.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_ctas.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_deletejar.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_dfs.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_disallow_transform.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_admin_role.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_db_cascade.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_db_empty.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_index.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_droppartition.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_fail_8.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_grant_table_allpriv.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_grant_table_dup.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_grant_table_fail1.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_grant_table_fail_nogrant.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_insert_noinspriv.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_insert_noselectpriv.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_insertoverwrite_nodel.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_invalid_priv_v2.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_rename.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_not_owner_alter_tab_serdeprop.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_not_owner_drop_tab.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_not_owner_drop_view.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_priv_current_role_neg.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_revoke_table_fail1.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_revoke_table_fail2.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles1.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles2.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant2.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant_nosuchrole.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant_otherrole.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant_otheruser.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_rolehierarchy_privs.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_select.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_select_view.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_set_role_neg1.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_set_role_neg2.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_show_grant_otherrole.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_all.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_alltabs.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_show_grant_otheruser_wtab.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_show_parts_nosel.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_show_role_principals_no_admin.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_table_grant_nosuchrole.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_truncate.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_uri_add_partition.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_uri_alterpart_loc.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_uri_altertab_setloc.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_uri_create_table1.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_uri_create_table_ext.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_uri_createdb.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_uri_index.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_uri_insert.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_uri_insert_local.q
hive/trunk/ql/src/test/queries/clientnegative/authorization_uri_load_data.q
hive/trunk/ql/src/test/queries/clientnegative/authorize_create_tbl.q
hive/trunk/ql/src/test/queries/clientnegative/temp_table_authorize_create_tbl.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_admin_almighty1.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_admin_almighty2.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_create_func1.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_create_macro1.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_create_table_owner_privs.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_create_temp_table.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_grant_public_role.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_index.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_insert.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_owner_actions.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_owner_actions_db.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_parts.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_reset.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_show_grant.q
hive/trunk/ql/src/test/queries/clientpositive/authorization_view_sqlstd.q
Modified: hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
URL: http://svn.apache.org/viewvc/hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java (original)
+++ hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java Fri Aug 15 21:44:48 2014
@@ -36,12 +36,14 @@ import java.util.regex.Pattern;
import javax.security.auth.login.LoginException;
-import static org.apache.hadoop.hive.conf.Validator.*;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.conf.Validator.PatternSet;
+import org.apache.hadoop.hive.conf.Validator.RangeValidator;
+import org.apache.hadoop.hive.conf.Validator.StringSet;
import org.apache.hadoop.hive.shims.ShimLoader;
import org.apache.hadoop.mapred.JobConf;
import org.apache.hadoop.security.UserGroupInformation;
@@ -296,9 +298,9 @@ public class HiveConf extends Configurat
LOCALMODEAUTO("hive.exec.mode.local.auto", false,
"Let Hive determine whether to run in local mode automatically"),
- LOCALMODEMAXBYTES("hive.exec.mode.local.auto.inputbytes.max", 134217728L,
+ LOCALMODEMAXBYTES("hive.exec.mode.local.auto.inputbytes.max", 134217728L,
"When hive.exec.mode.local.auto is true, input bytes should less than this for local mode."),
- LOCALMODEMAXINPUTFILES("hive.exec.mode.local.auto.input.files.max", 4,
+ LOCALMODEMAXINPUTFILES("hive.exec.mode.local.auto.input.files.max", 4,
"When hive.exec.mode.local.auto is true, the number of tasks should less than this for local mode."),
DROPIGNORESNONEXISTENT("hive.exec.drop.ignorenonexistent", true,
@@ -369,7 +371,7 @@ public class HiveConf extends Configurat
"The number of times to retry a HMSHandler call if there were a connection error"),
HMSHANDLERINTERVAL("hive.hmshandler.retry.interval", 1000,
"The number of milliseconds between HMSHandler retry attempts"),
- HMSHANDLERFORCERELOADCONF("hive.hmshandler.force.reload.conf", false,
+ HMSHANDLERFORCERELOADCONF("hive.hmshandler.force.reload.conf", false,
"Whether to force reloading of the HMSHandler configuration (including\n" +
"the connection URL, before the next metastore query that accesses the\n" +
"datastore. Once reloaded, this value is reset to false. Used for\n" +
@@ -382,7 +384,7 @@ public class HiveConf extends Configurat
"Whether to enable TCP keepalive for the metastore server. Keepalive will prevent accumulation of half-open connections."),
METASTORE_INT_ORIGINAL("hive.metastore.archive.intermediate.original",
- "_INTERMEDIATE_ORIGINAL",
+ "_INTERMEDIATE_ORIGINAL",
"Intermediate dir suffixes used for archiving. Not important what they\n" +
"are, as long as collisions are avoided"),
METASTORE_INT_ARCHIVED("hive.metastore.archive.intermediate.archived",
@@ -558,7 +560,7 @@ public class HiveConf extends Configurat
HIVE_SESSION_HISTORY_ENABLED("hive.session.history.enabled", false,
"Whether to log Hive query, query plan, runtime statistics etc."),
- HIVEQUERYSTRING("hive.query.string", "",
+ HIVEQUERYSTRING("hive.query.string", "",
"Query being executed (might be multiple per a session)"),
HIVEQUERYID("hive.query.id", "",
@@ -797,7 +799,7 @@ public class HiveConf extends Configurat
" for small ORC files. Note that enabling this config will not honor padding tolerance\n" +
" config (hive.exec.orc.block.padding.tolerance)."),
HIVEMERGEINPUTFORMATSTRIPELEVEL("hive.merge.input.format.stripe.level",
- "org.apache.hadoop.hive.ql.io.orc.OrcFileStripeMergeInputFormat",
+ "org.apache.hadoop.hive.ql.io.orc.OrcFileStripeMergeInputFormat",
"Input file format to use for ORC stripe level merging (for internal use only)"),
HIVEMERGECURRENTJOBHASDYNAMICPARTITIONS(
"hive.merge.current.job.has.dynamic.partitions", false, ""),
@@ -813,7 +815,7 @@ public class HiveConf extends Configurat
HIVE_RCFILE_TOLERATE_CORRUPTIONS("hive.io.rcfile.tolerate.corruptions", false, ""),
HIVE_RCFILE_RECORD_BUFFER_SIZE("hive.io.rcfile.record.buffer.size", 4194304, ""), // 4M
- HIVE_ORC_FILE_MEMORY_POOL("hive.exec.orc.memory.pool", 0.5f,
+ HIVE_ORC_FILE_MEMORY_POOL("hive.exec.orc.memory.pool", 0.5f,
"Maximum fraction of heap that can be used by ORC file writers"),
HIVE_ORC_WRITE_FORMAT("hive.exec.orc.write.format", null,
"Define the version of the file to write"),
@@ -1099,8 +1101,8 @@ public class HiveConf extends Configurat
"The Java class (implementing the StatsAggregator interface) that is used by default if hive.stats.dbclass is custom type."),
HIVE_STATS_JDBC_TIMEOUT("hive.stats.jdbc.timeout", 30,
"Timeout value (number of seconds) used by JDBC connection and statements."),
- HIVE_STATS_ATOMIC("hive.stats.atomic", false,
- "whether to update metastore stats only if all stats are available"),
+ HIVE_STATS_ATOMIC("hive.stats.atomic", false,
+ "whether to update metastore stats only if all stats are available"),
HIVE_STATS_RETRIES_MAX("hive.stats.retries.max", 0,
"Maximum number of retries when stats publisher/aggregator got an exception updating intermediate database. \n" +
"Default is no tries on failures."),
@@ -1328,6 +1330,8 @@ public class HiveConf extends Configurat
"Enables type checking for registered Hive configurations"),
SEMANTIC_ANALYZER_HOOK("hive.semantic.analyzer.hook", "", ""),
+ HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE(
+ "hive.test.authz.sstd.hs2.mode", false, "test hs2 mode from .q tests", true),
HIVE_AUTHORIZATION_ENABLED("hive.security.authorization.enabled", false,
"enable or disable the Hive client authorization"),
HIVE_AUTHORIZATION_MANAGER("hive.security.authorization.manager",
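Review bot: The new `hive.test.authz.sstd.hs2.mode` entry puts a test-only switch that influences authorization behaviour into the production `HiveConf`, and its description `"test hs2 mode from .q tests"` does not say what it changes or that it should stay off outside tests. The code that reads the flag is outside this hunk, so confirm there that enabling it can only move a session onto the stricter HiveServer2 path and never relaxes a check, and decide whether users should be able to change it at runtime with `set`. I would expand the description to something like `"For .q tests only: run SQL standard authorization as if the session came from HiveServer2. Do not set in production."`, with the wording checked against the consumer.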
@@ -1661,7 +1665,7 @@ public class HiveConf extends Configurat
"Exceeding this will trigger a flush irrelevant of memory pressure condition."),
HIVE_VECTORIZATION_GROUPBY_FLUSH_PERCENT("hive.vectorized.groupby.flush.percent", (float) 0.1,
"Percent of entries in the group by aggregation hash flushed when the memory threshold is exceeded."),
-
+
HIVE_TYPE_CHECK_ON_INSERT("hive.typecheck.on.insert", true, ""),
Modified: hive/trunk/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java
URL: http://svn.apache.org/viewvc/hive/trunk/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java (original)
+++ hive/trunk/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java Fri Aug 15 21:44:48 2014
@@ -62,7 +62,7 @@ public class TestHiveAuthorizerCheckInvo
static class MockedHiveAuthorizerFactory implements HiveAuthorizerFactory {
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
- HiveConf conf, HiveAuthenticationProvider authenticator) {
+ HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) {
TestHiveAuthorizerCheckInvocation.mockedAuthorizer = Mockito.mock(HiveAuthorizer.class);
return TestHiveAuthorizerCheckInvocation.mockedAuthorizer;
}
Added: hive/trunk/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestCLIAuthzSessionContext.java
URL: http://svn.apache.org/viewvc/hive/trunk/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestCLIAuthzSessionContext.java?rev=1618283&view=auto
==============================================================================
--- hive/trunk/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestCLIAuthzSessionContext.java (added)
+++ hive/trunk/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestCLIAuthzSessionContext.java Fri Aug 15 21:44:48 2014
@@ -0,0 +1,88 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.jdbc.authorization;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import org.apache.hadoop.hive.cli.CliDriver;
+import org.apache.hadoop.hive.cli.CliSessionState;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
+import org.apache.hadoop.hive.ql.session.SessionState;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.mockito.Mockito;
+/**
+ * Test context information that gets passed to authorization factory
+ */
+public class TestCLIAuthzSessionContext {
+ private static HiveAuthzSessionContext sessionCtx;
+ private static CliDriver driver;
+
+ /**
+ * This factory captures the HiveAuthzSessionContext argument and returns mocked
+ * HiveAuthorizer class
+ */
+ static class MockedHiveAuthorizerFactory implements HiveAuthorizerFactory {
+ @Override
+ public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
+ HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) {
+ TestCLIAuthzSessionContext.sessionCtx = ctx;
+ HiveAuthorizer mockedAuthorizer = Mockito.mock(HiveAuthorizer.class);
+ return mockedAuthorizer;
+ }
+ }
+
+ @BeforeClass
+ public static void beforeTest() throws Exception {
+ HiveConf conf = new HiveConf();
+ conf.setVar(ConfVars.HIVE_AUTHORIZATION_MANAGER, MockedHiveAuthorizerFactory.class.getName());
+ conf.setVar(ConfVars.HIVE_AUTHENTICATOR_MANAGER, SessionStateUserAuthenticator.class.getName());
+ conf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true);
+ conf.setBoolVar(ConfVars.HIVE_SUPPORT_CONCURRENCY, false);
+
+ // once SessionState for thread is set, CliDriver picks conf from it
+ CliSessionState ss = new CliSessionState(conf);
+ ss.err = System.err;
+ ss.out = System.out;
+ SessionState.start(ss);
+ TestCLIAuthzSessionContext.driver = new CliDriver();
+ }
+
+ @AfterClass
+ public static void afterTest() throws Exception {
+ }
+
+ @Test
+ public void testAuthzSessionContextContents() throws Exception {
+ driver.processCmd("show tables");
+ // session string is supposed to be unique, so its got to be of some reasonable size
+ assertTrue("session string size check", sessionCtx.getSessionString().length() > 10);
+ assertEquals("Client type ", HiveAuthzSessionContext.CLIENT_TYPE.HIVECLI, sessionCtx.getClientType());
+ }
+
+}
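Review bot: `testAuthzSessionContextContents` dereferences the static `sessionCtx` without checking that the mocked factory was ever called, and it ignores the return value of `driver.processCmd("show tables")`. A failed command or a skipped authorizer setup therefore surfaces as a NullPointerException rather than a failure that names the cause. I would assert both first: `assertEquals("show tables failed", 0, driver.processCmd("show tables"));` and `assertNotNull("authorizer factory was not invoked", sessionCtx);`, with the matching static import. The same unchecked dereference appears in `TestHS2AuthzSessionContext.testAuthzSessionContextContents`. `afterTest()` is empty, so the `SessionState` started in `beforeTest()` stays attached to the thread for any later test in the same JVM.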
Modified: hive/trunk/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java
URL: http://svn.apache.org/viewvc/hive/trunk/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java (original)
+++ hive/trunk/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzContext.java Fri Aug 15 21:44:48 2014
@@ -33,9 +33,12 @@ import org.apache.hadoop.hive.conf.HiveC
import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
@@ -60,7 +63,7 @@ public class TestHS2AuthzContext {
static class MockedHiveAuthorizerFactory implements HiveAuthorizerFactory {
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
- HiveConf conf, HiveAuthenticationProvider authenticator) {
+ HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) {
TestHS2AuthzContext.mockedAuthorizer = Mockito.mock(HiveAuthorizer.class);
return TestHS2AuthzContext.mockedAuthorizer;
}
@@ -88,12 +91,21 @@ public class TestHS2AuthzContext {
}
@Test
- public void testAuthzContextContents() throws Exception {
+ public void testAuthzContextContentsDriverCmd() throws Exception {
+ String cmd = "show tables";
+ verifyContextContents(cmd, cmd);
+ }
+
+ @Test
+ public void testAuthzContextContentsCmdProcessorCmd() throws Exception {
+ verifyContextContents("dfs -ls /", "-ls /");
+ }
+ private void verifyContextContents(final String cmd, String ctxCmd) throws SQLException,
+ HiveAuthzPluginException, HiveAccessControlException {
Connection hs2Conn = getConnection("user1");
Statement stmt = hs2Conn.createStatement();
- final String cmd = "show tables";
stmt.execute(cmd);
stmt.close();
hs2Conn.close();
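Review bot: `verifyContextContents("dfs -ls /", "-ls /")` pins that the command string handed to the authorizer for a command-processor statement is only the argument text, with the `dfs` keyword dropped, but nothing in the test says this is intended. An authorization plugin that logs or decides on `getCommandString()` alone cannot then tell which processor the arguments belong to. Once the intent is confirmed I would add a comment such as `// processor commands reach the authorizer without their keyword; the operation type identifies the processor`, and ideally assert the operation type too. The helper also closes `stmt` and `hs2Conn` only on the success path; `try { stmt.execute(cmd); } finally { stmt.close(); hs2Conn.close(); }` keeps a failing command from leaking the connection. The body of `verifyContextContents` continues past this hunk.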
@@ -107,13 +119,10 @@ public class TestHS2AuthzContext {
HiveAuthzContext context = contextCapturer.getValue();
- assertEquals("Command ", cmd, context.getCommandString());
+ assertEquals("Command ", ctxCmd, context.getCommandString());
assertTrue("ip address pattern check", context.getIpAddress().contains("."));
// ip address size check - check for something better than non zero
assertTrue("ip address size check", context.getIpAddress().length() > 7);
- // session string is supposed to be unique, so its got to be of some reasonable size
- assertTrue("session string size check", context.getSessionString().length() > 10);
- assertEquals("Client type ", HiveAuthzContext.CLIENT_TYPE.HIVESERVER2, context.getClientType());
}
private Connection getConnection(String userName) throws SQLException {
Added: hive/trunk/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzSessionContext.java
URL: http://svn.apache.org/viewvc/hive/trunk/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzSessionContext.java?rev=1618283&view=auto
==============================================================================
--- hive/trunk/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzSessionContext.java (added)
+++ hive/trunk/itests/hive-unit/src/test/java/org/apache/hive/jdbc/authorization/TestHS2AuthzSessionContext.java Fri Aug 15 21:44:48 2014
@@ -0,0 +1,88 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.jdbc.authorization;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.HashMap;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
+import org.apache.hive.jdbc.miniHS2.MiniHS2;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.mockito.Mockito;
+/**
+ * Test context information that gets passed to authorization factory
+ */
+public class TestHS2AuthzSessionContext {
+ private static MiniHS2 miniHS2 = null;
+ private static HiveAuthzSessionContext sessionCtx;
+
+ /**
+ * This factory captures the HiveAuthzSessionContext argument and returns mocked
+ * HiveAuthorizer class
+ */
+ static class MockedHiveAuthorizerFactory implements HiveAuthorizerFactory {
+ @Override
+ public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
+ HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) {
+ TestHS2AuthzSessionContext.sessionCtx = ctx;
+ HiveAuthorizer mockedAuthorizer = Mockito.mock(HiveAuthorizer.class);
+ return mockedAuthorizer;
+ }
+ }
+
+ @BeforeClass
+ public static void beforeTest() throws Exception {
+ Class.forName(MiniHS2.getJdbcDriverName());
+ HiveConf conf = new HiveConf();
+ conf.setVar(ConfVars.HIVE_AUTHORIZATION_MANAGER, MockedHiveAuthorizerFactory.class.getName());
+ conf.setVar(ConfVars.HIVE_AUTHENTICATOR_MANAGER, SessionStateUserAuthenticator.class.getName());
+ conf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true);
+ conf.setBoolVar(ConfVars.HIVE_SUPPORT_CONCURRENCY, false);
+ conf.setBoolVar(ConfVars.HIVE_SERVER2_ENABLE_DOAS, false);
+
+ miniHS2 = new MiniHS2(conf);
+ miniHS2.start(new HashMap<String, String>());
+ }
+
+ @AfterClass
+ public static void afterTest() throws Exception {
+ if (miniHS2.isStarted()) {
+ miniHS2.stop();
+ }
+ }
+
+ @Test
+ public void testAuthzSessionContextContents() throws Exception {
+ // session string is supposed to be unique, so its got to be of some reasonable size
+ assertTrue("session string size check", sessionCtx.getSessionString().length() > 10);
+ assertEquals("Client type ", HiveAuthzSessionContext.CLIENT_TYPE.HIVESERVER2, sessionCtx.getClientType());
+ }
+
+}
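Review bot: Nothing in this class opens a HiveServer2 session before `testAuthzSessionContextContents` reads `sessionCtx`. `beforeTest()` loads the JDBC driver and starts `MiniHS2` but makes no connection, so the test passes only if server startup itself calls the authorizer factory; otherwise `sessionCtx` is null and the test dies with a NullPointerException. I would open and close a JDBC connection to the `MiniHS2` instance at the start of the test and then `assertNotNull("authorizer factory was not invoked", sessionCtx);` before the two existing assertions. `afterTest()` also dereferences `miniHS2` unconditionally, so a failure in the `MiniHS2` constructor would be masked by a second exception; a `miniHS2 != null &&` guard avoids that.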
Modified: hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java
URL: http://svn.apache.org/viewvc/hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java (original)
+++ hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessControllerForTest.java Fri Aug 15 21:44:48 2014
@@ -21,6 +21,7 @@ import org.apache.hadoop.classification.
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
/**
@@ -32,8 +33,8 @@ import org.apache.hadoop.hive.ql.securit
public class SQLStdHiveAccessControllerForTest extends SQLStdHiveAccessController {
SQLStdHiveAccessControllerForTest(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf,
- HiveAuthenticationProvider authenticator) throws HiveAuthzPluginException {
- super(metastoreClientFactory, conf, authenticator);
+ HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
+ super(metastoreClientFactory, conf, authenticator, ctx);
}
Modified: hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java
URL: http://svn.apache.org/viewvc/hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java (original)
+++ hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactoryForTest.java Fri Aug 15 21:44:48 2014
@@ -24,15 +24,16 @@ import org.apache.hadoop.hive.ql.securit
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerImpl;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
@Private
public class SQLStdHiveAuthorizerFactoryForTest implements HiveAuthorizerFactory{
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
- HiveConf conf, HiveAuthenticationProvider authenticator) throws HiveAuthzPluginException {
+ HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
SQLStdHiveAccessController privilegeManager =
- new SQLStdHiveAccessControllerForTest(metastoreClientFactory, conf, authenticator);
+ new SQLStdHiveAccessControllerForTest(metastoreClientFactory, conf, authenticator, ctx);
return new HiveAuthorizerImpl(
privilegeManager,
new SQLStdHiveAuthorizationValidatorForTest(metastoreClientFactory, conf, authenticator,
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/Driver.java?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/Driver.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/Driver.java Fri Aug 15 21:44:48 2014
@@ -103,7 +103,6 @@ import org.apache.hadoop.hive.ql.process
import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils;
import org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext.CLIENT_TYPE;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivObjectActionType;
@@ -703,11 +702,7 @@ public class Driver implements CommandPr
HashSet<WriteEntity> outputs, String command, Map<String, List<String>> tab2cols) throws HiveException {
HiveAuthzContext.Builder authzContextBuilder = new HiveAuthzContext.Builder();
-
- authzContextBuilder.setClientType(ss.isHiveServerQuery() ? CLIENT_TYPE.HIVESERVER2
- : CLIENT_TYPE.HIVECLI);
authzContextBuilder.setUserIpAddress(ss.getUserIpAddress());
- authzContextBuilder.setSessionString(ss.getSessionId());
authzContextBuilder.setCommandString(command);
HiveOperationType hiveOpType = getHiveOperationType(op);
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/processors/CommandUtil.java Fri Aug 15 21:44:48 2014
@@ -22,11 +22,14 @@ import java.util.Arrays;
import java.util.List;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import org.apache.hadoop.hive.ql.session.SessionState;
+import com.google.common.base.Joiner;
+
class CommandUtil {
/**
@@ -68,7 +71,10 @@ class CommandUtil {
static void authorizeCommandThrowEx(SessionState ss, HiveOperationType type,
List<String> command) throws HiveAuthzPluginException, HiveAccessControlException {
HivePrivilegeObject commandObj = HivePrivilegeObject.createHivePrivilegeObject(command);
- ss.getAuthorizerV2().checkPrivileges(type, Arrays.asList(commandObj), null, null);
+ HiveAuthzContext.Builder ctxBuilder = new HiveAuthzContext.Builder();
+ ctxBuilder.setCommandString(Joiner.on(' ').join(command));
+ ctxBuilder.setUserIpAddress(ss.getUserIpAddress());
+ ss.getAuthorizerV2().checkPrivileges(type, Arrays.asList(commandObj), null, ctxBuilder.build());
}
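Review bot: The full command text is now joined into the authorization context here, and `HiveAuthzContext.toString()` prints `commandString` verbatim, so any plugin or log line that stringifies the context records whatever the user typed. Whether the commands routed through `authorizeCommandThrowEx` can carry credentials in their arguments is not visible in this hunk and is worth confirming; if they can, that text ends up in logs. I would add a comment above the builder, `// commandString reaches authorizer plugins verbatim; it may hold user-supplied values and should not be logged unredacted`, and say the same in the `HiveAuthzContext` Javadoc. Separately, Guava's `Joiner.join` throws a NullPointerException on a null element, so this line assumes `command` never holds one.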
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java Fri Aug 15 21:44:48 2014
@@ -37,9 +37,11 @@ public interface HiveAuthorizerFactory {
* different thread, so get the current instance in each method invocation.
* @param conf - current HiveConf
* @param hiveAuthenticator - authenticator, provides user name
+ * @param ctx - session context information
* @return new instance of HiveAuthorizer
* @throws HiveAuthzPluginException
*/
HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
- HiveConf conf, HiveAuthenticationProvider hiveAuthenticator) throws HiveAuthzPluginException;
+ HiveConf conf, HiveAuthenticationProvider hiveAuthenticator, HiveAuthzSessionContext ctx)
+ throws HiveAuthzPluginException;
}
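Review bot: The new `@param ctx` line does not say whether `ctx` may be null, and this is a plugin interface that other factories implement. `SQLStdHiveAccessController.applyTestSettings` in this commit calls `ctx.getClientType()` without a null check, so the built-in implementation already assumes a non-null context. I would spell that out: `@param ctx - session context (client type and session string) for the session this authorizer serves; must not be null`. Adding a parameter also means existing implementations of this interface stop compiling, which is worth a release-note line.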
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzContext.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzContext.java?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzContext.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzContext.java Fri Aug 15 21:44:48 2014
@@ -29,14 +29,8 @@ import org.apache.hadoop.hive.common.cla
@Evolving
public final class HiveAuthzContext {
- public enum CLIENT_TYPE {
- HIVESERVER2, HIVECLI
- };
-
public static class Builder {
private String userIpAddress;
- private String sessionString;
- private CLIENT_TYPE clientType;
private String commandString;
/**
@@ -50,18 +44,6 @@ public final class HiveAuthzContext {
public void setUserIpAddress(String userIpAddress) {
this.userIpAddress = userIpAddress;
}
- public String getSessionString() {
- return sessionString;
- }
- public void setSessionString(String sessionString) {
- this.sessionString = sessionString;
- }
- public CLIENT_TYPE getClientType() {
- return clientType;
- }
- public void setClientType(CLIENT_TYPE clientType) {
- this.clientType = clientType;
- }
public String getCommandString() {
return commandString;
}
@@ -76,14 +58,10 @@ public final class HiveAuthzContext {
}
private final String userIpAddress;
- private final String sessionString;
- private final CLIENT_TYPE clientType;
private final String commandString;
private HiveAuthzContext(Builder builder) {
this.userIpAddress = builder.userIpAddress;
- this.sessionString = builder.sessionString;
- this.clientType = builder.clientType;
this.commandString = builder.commandString;
}
@@ -92,22 +70,14 @@ public final class HiveAuthzContext {
return userIpAddress;
}
- public String getSessionString() {
- return sessionString;
- }
-
- public CLIENT_TYPE getClientType() {
- return clientType;
- }
-
public String getCommandString() {
return commandString;
}
@Override
public String toString() {
- return "HiveAuthzContext [userIpAddress=" + userIpAddress + ", sessionString=" + sessionString
- + ", clientType=" + clientType + ", commandString=" + commandString + "]";
+ return "HiveAuthzContext [userIpAddress=" + userIpAddress + ", commandString=" + commandString
+ + "]";
}
}
Added: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzSessionContext.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzSessionContext.java?rev=1618283&view=auto
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzSessionContext.java (added)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzSessionContext.java Fri Aug 15 21:44:48 2014
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
+
+/**
+ * Provides session context information.
+ * It is an immutable class. Builder inner class is used instantiate it.
+ */
+@LimitedPrivate(value = { "" })
+@Evolving
+public final class HiveAuthzSessionContext {
+
+ public enum CLIENT_TYPE {
+ HIVESERVER2, HIVECLI
+ };
+
+ public static class Builder {
+ private String sessionString;
+ private CLIENT_TYPE clientType;
+
+ public Builder(){};
+
+ /**
+ * Builder that copies values from given instance of HiveAuthzSessionContext
+ * @param other
+ */
+ public Builder(HiveAuthzSessionContext other){
+ this.sessionString = other.getSessionString();
+ this.clientType = other.getClientType();
+ }
+
+ public String getSessionString() {
+ return sessionString;
+ }
+ public void setSessionString(String sessionString) {
+ this.sessionString = sessionString;
+ }
+ public CLIENT_TYPE getClientType() {
+ return clientType;
+ }
+ public void setClientType(CLIENT_TYPE clientType) {
+ this.clientType = clientType;
+ }
+ public HiveAuthzSessionContext build(){
+ return new HiveAuthzSessionContext(this);
+ }
+ }
+
+ private final String sessionString;
+ private final CLIENT_TYPE clientType;
+
+ private HiveAuthzSessionContext(Builder builder) {
+ this.sessionString = builder.sessionString;
+ this.clientType = builder.clientType;
+ }
+
+ public String getSessionString() {
+ return sessionString;
+ }
+
+ public CLIENT_TYPE getClientType() {
+ return clientType;
+ }
+
+ @Override
+ public String toString() {
+ return "HiveAuthzSessionContext [sessionString=" + sessionString + ", clientType=" + clientType
+ + "]";
+ }
+
+}
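Review bot: `build()` accepts a builder whose `clientType` was never set, and the private constructor copies the null through. Both checks added to `SQLStdHiveAccessController` in this commit compare with `==` (`assertHiveCliAuthDisabled` against `HIVECLI`, `applyAuthorizationConfigPolicy` against `HIVESERVER2`), so a context with a null client type gets neither the CLI rejection nor the HiveServer2 restrictions (transform hook, config whitelist). I would fail early in the constructor with `if (builder.clientType == null) { throw new IllegalArgumentException("clientType must be set"); }`, or write the gate in `applyAuthorizationConfigPolicy` as `!= CLIENT_TYPE.HIVECLI` so the restricted configuration is the default; callers outside this hunk that build a context without a client type would need checking first. The copy constructor `Builder(HiveAuthzSessionContext other)` also dereferences `other` unchecked, and its empty `@param other` could state that it must not be null.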
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java Fri Aug 15 21:44:48 2014
@@ -50,6 +50,8 @@ import org.apache.hadoop.hive.ql.securit
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessController;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
@@ -81,13 +83,46 @@ public class SQLStdHiveAccessController
+ "have it as current role, for this action.";
private final String HAS_ADMIN_PRIV_MSG = "grantor need to have ADMIN OPTION on role being"
+ " granted and have it as a current role for this action.";
+ private final HiveAuthzSessionContext sessionCtx;
public static final Log LOG = LogFactory.getLog(SQLStdHiveAccessController.class);
public SQLStdHiveAccessController(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf,
- HiveAuthenticationProvider authenticator) throws HiveAuthzPluginException {
+ HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
this.metastoreClientFactory = metastoreClientFactory;
this.authenticator = authenticator;
+ this.sessionCtx = applyTestSettings(ctx, conf);
+
+ assertHiveCliAuthDisabled(conf);
initUserRoles();
+ LOG.info("Created SQLStdHiveAccessController for session context : " + sessionCtx);
+ }
+
+ /**
+ * Change the session context based on configuration to aid in testing of sql std auth
+ * @param ctx
+ * @param conf
+ * @return
+ */
+ private HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext ctx, HiveConf conf) {
+ if(conf.getBoolVar(ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE) &&
+ ctx.getClientType() == CLIENT_TYPE.HIVECLI
+ ){
+ // create new session ctx object with HS2 as client type
+ HiveAuthzSessionContext.Builder ctxBuilder = new HiveAuthzSessionContext.Builder(ctx);
+ ctxBuilder.setClientType(CLIENT_TYPE.HIVESERVER2);
+ return ctxBuilder.build();
+ }
+ return ctx;
+ }
+
+ private void assertHiveCliAuthDisabled(HiveConf conf) throws HiveAuthzPluginException {
+ if (sessionCtx.getClientType() == CLIENT_TYPE.HIVECLI
+ && conf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
+ throw new HiveAuthzPluginException(
+ "SQL standards based authorization should not be enabled from hive cli"
+ + "Instead the use of storage based authorization in hive metastore is reccomended. Set "
+ + ConfVars.HIVE_AUTHORIZATION_ENABLED.varname + "=false to disable authz within cli");
+ }
}
/**
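Review bot: `applyTestSettings` runs before `assertHiveCliAuthDisabled`, so setting the test-only flag `HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE` in a CLI session rewrites the client type to `HIVESERVER2` and the guard that follows never fires. That is presumably intended for the query-file tests, but nothing in this production class records that the override happened. I would log it where the context is rebuilt, `LOG.warn("Test mode: treating hive cli session as HiveServer2 for sql std auth");`, and have the Javadoc say the flag is for tests only and must not be set in deployments. Separately, the exception message joins `"...from hive cli"` and `"Instead the use..."` with no separator and spells `reccomended`; ending the first literal with `". "` and writing `recommended` fixes it. That keeps the prefix the new CLI unit test asserts on, though the clientnegative `.q.out` added in this commit may need regenerating.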
@@ -671,31 +706,37 @@ public class SQLStdHiveAccessController
@Override
public void applyAuthorizationConfigPolicy(HiveConf hiveConf) {
- // grant all privileges for table to its owner
+ // First apply configuration applicable to both Hive Cli and HiveServer2
+ // Not adding any authorization related restrictions to hive cli
+ // grant all privileges for table to its owner - set this in cli as well so that owner
+ // has permissions via HiveServer2 as well.
hiveConf.setVar(ConfVars.HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS, "INSERT,SELECT,UPDATE,DELETE");
- // Configure PREEXECHOOKS with DisallowTransformHook to disallow transform queries
- String hooks = hiveConf.getVar(ConfVars.PREEXECHOOKS).trim();
- if (hooks.isEmpty()) {
- hooks = DisallowTransformHook.class.getName();
- } else {
- hooks = hooks + "," +DisallowTransformHook.class.getName();
- }
- LOG.debug("Configuring hooks : " + hooks);
- hiveConf.setVar(ConfVars.PREEXECHOOKS, hooks);
-
- // restrict the variables that can be set using set command to a list in whitelist
- hiveConf.setIsModWhiteListEnabled(true);
- String whiteListParamsStr = hiveConf.getVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST);
- if (whiteListParamsStr == null || whiteListParamsStr.trim().equals("")){
- // set the default configs in whitelist
- whiteListParamsStr = Joiner.on(",").join(defaultModWhiteListSqlStdAuth);
- hiveConf.setVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST, whiteListParamsStr);
- }
- for(String whiteListParam : whiteListParamsStr.split(",")){
- hiveConf.addToModifiableWhiteList(whiteListParam);
- }
+ // Apply rest of the configuration only to HiveServer2
+ if(sessionCtx.getClientType() == CLIENT_TYPE.HIVESERVER2) {
+ // Configure PREEXECHOOKS with DisallowTransformHook to disallow transform queries
+ String hooks = hiveConf.getVar(ConfVars.PREEXECHOOKS).trim();
+ if (hooks.isEmpty()) {
+ hooks = DisallowTransformHook.class.getName();
+ } else {
+ hooks = hooks + "," +DisallowTransformHook.class.getName();
+ }
+ LOG.debug("Configuring hooks : " + hooks);
+ hiveConf.setVar(ConfVars.PREEXECHOOKS, hooks);
+ // restrict the variables that can be set using set command to a list in whitelist
+ hiveConf.setIsModWhiteListEnabled(true);
+ String whiteListParamsStr = hiveConf.getVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST);
+ if (whiteListParamsStr == null || whiteListParamsStr.trim().equals("")){
+ // set the default configs in whitelist
+ whiteListParamsStr = Joiner.on(",").join(defaultModWhiteListSqlStdAuth);
+ hiveConf.setVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST, whiteListParamsStr);
+ }
+ for(String whiteListParam : whiteListParamsStr.split(",")){
+ hiveConf.addToModifiableWhiteList(whiteListParam);
+ }
+ }
}
+
}
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java Fri Aug 15 21:44:48 2014
@@ -24,15 +24,16 @@ import org.apache.hadoop.hive.ql.securit
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerImpl;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
@Private
public class SQLStdHiveAuthorizerFactory implements HiveAuthorizerFactory{
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
- HiveConf conf, HiveAuthenticationProvider authenticator) throws HiveAuthzPluginException {
+ HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws HiveAuthzPluginException {
SQLStdHiveAccessController privilegeManager =
- new SQLStdHiveAccessController(metastoreClientFactory, conf, authenticator);
+ new SQLStdHiveAccessController(metastoreClientFactory, conf, authenticator, ctx);
return new HiveAuthorizerImpl(
privilegeManager,
new SQLStdHiveAuthorizationValidator(metastoreClientFactory, conf, authenticator,
Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java Fri Aug 15 21:44:48 2014
@@ -62,6 +62,8 @@ import org.apache.hadoop.hive.ql.securit
import org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactoryImpl;
import org.apache.hadoop.hive.ql.util.DosToUnix;
import org.apache.hadoop.hive.shims.ShimLoader;
@@ -504,8 +506,13 @@ public class SessionState {
HiveAuthorizerFactory authorizerFactory = HiveUtils.getAuthorizerFactory(conf,
HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER);
+ HiveAuthzSessionContext.Builder authzContextBuilder = new HiveAuthzSessionContext.Builder();
+ authzContextBuilder.setClientType(isHiveServerQuery() ? CLIENT_TYPE.HIVESERVER2
+ : CLIENT_TYPE.HIVECLI);
+ authzContextBuilder.setSessionString(getSessionId());
+
authorizerV2 = authorizerFactory.createHiveAuthorizer(new HiveMetastoreClientFactoryImpl(),
- conf, authenticator);
+ conf, authenticator, authzContextBuilder.build());
authorizerV2.applyAuthorizationConfigPolicy(conf);
// create the create table grants with new config
Modified: hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestSessionUserName.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestSessionUserName.java?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestSessionUserName.java (original)
+++ hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestSessionUserName.java Fri Aug 15 21:44:48 2014
@@ -28,6 +28,7 @@ import org.apache.hadoop.hive.ql.securit
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerImpl;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.junit.Before;
@@ -111,7 +112,7 @@ public class TestSessionUserName {
@Override
public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
- HiveConf conf, HiveAuthenticationProvider authenticator) {
+ HiveConf conf, HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) {
username = authenticator.getUserName();
HiveAccessController acontroller = Mockito.mock(HiveAccessController.class);
return new HiveAuthorizerImpl(acontroller, null);
Added: hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerCLI.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerCLI.java?rev=1618283&view=auto
==============================================================================
--- hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerCLI.java (added)
+++ hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerCLI.java Fri Aug 15 21:44:48 2014
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.hive.ql.security.HadoopDefaultAuthenticator;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.Builder;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE;
+import org.junit.Test;
+
+/**
+ * Test SQLStdHiveAccessController
+ */
+public class TestSQLStdHiveAccessControllerCLI {
+
+ /**
+ * Test that SQLStdHiveAccessController is not applying config restrictions on CLI
+ *
+ * @throws HiveAuthzPluginException
+ */
+ @Test
+ public void testConfigProcessing() throws HiveAuthzPluginException {
+ HiveConf processedConf = new HiveConf();
+ SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null,
+ processedConf, new HadoopDefaultAuthenticator(), getCLISessionCtx()
+ );
+ accessController.applyAuthorizationConfigPolicy(processedConf);
+
+ // check that hook to disable transforms has not been added
+ assertFalse("Check for transform query disabling hook",
+ processedConf.getVar(ConfVars.PREEXECHOOKS).contains(DisallowTransformHook.class.getName()));
+
+ // check that set param whitelist is not set
+ assertTrue(processedConf.getVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST) == null
+ || processedConf.getVar(ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST).trim()
+ .equals(""));
+
+ // verify that some dummy param can be set
+ processedConf.verifyAndSet("dummy.param", "dummy.val");
+ }
+
+ private HiveAuthzSessionContext getCLISessionCtx() {
+ Builder ctxBuilder = new HiveAuthzSessionContext.Builder();
+ ctxBuilder.setClientType(CLIENT_TYPE.HIVECLI);
+ return ctxBuilder.build();
+ }
+
+ /**
+ * Verify that exceptiion is thrown if authorization is enabled from hive cli,
+ * when sql std auth is used
+ */
+ @Test
+ public void testAuthEnableError() {
+ HiveConf processedConf = new HiveConf();
+ processedConf.setBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED, true);
+ try {
+ SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null,
+ processedConf, new HadoopDefaultAuthenticator(), getCLISessionCtx());
+ fail("Exception expected");
+ } catch (HiveAuthzPluginException e) {
+ assertTrue(e.getMessage().contains(
+ "SQL standards based authorization should not be enabled from hive cli"));
+ }
+ }
+
+}
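Review bot: `testConfigProcessing` only asserts what the CLI path must not do (no transform hook, no whitelist) and never checks the one setting `applyAuthorizationConfigPolicy` is meant to apply in CLI mode, the table-owner grants. A regression that moved that `setVar` inside the HiveServer2 branch would still pass this test. I would add `assertTrue("INSERT,SELECT,UPDATE,DELETE".equals(processedConf.getVar(ConfVars.HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS)));` after the policy is applied. In `testAuthEnableError` the local `accessController` is never read, so the constructor call can stand alone.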
Added: hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerHS2.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerHS2.java?rev=1618283&view=auto
==============================================================================
--- hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerHS2.java (added)
+++ hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/TestSQLStdHiveAccessControllerHS2.java Fri Aug 15 21:44:48 2014
@@ -0,0 +1,123 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.hive.ql.security.HadoopDefaultAuthenticator;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.Builder;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE;
+import org.junit.Test;
+
+import com.google.common.base.Joiner;
+
+/**
+ * Test SQLStdHiveAccessController
+ */
+public class TestSQLStdHiveAccessControllerHS2 {
+
+ /**
+ * Test if SQLStdHiveAccessController is applying configuration security
+ * policy on hiveconf correctly
+ *
+ * @throws HiveAuthzPluginException
+ */
+ @Test
+ public void testConfigProcessing() throws HiveAuthzPluginException {
+ HiveConf processedConf = new HiveConf();
+ SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null,
+ processedConf, new HadoopDefaultAuthenticator(), getHS2SessionCtx()
+ );
+ accessController.applyAuthorizationConfigPolicy(processedConf);
+
+ // check that hook to disable transforms has been added
+ assertTrue("Check for transform query disabling hook",
+ processedConf.getVar(ConfVars.PREEXECHOOKS).contains(DisallowTransformHook.class.getName()));
+
+ verifyParamSettability(SQLStdHiveAccessController.defaultModWhiteListSqlStdAuth, processedConf);
+
+ }
+
+ private HiveAuthzSessionContext getHS2SessionCtx() {
+ Builder ctxBuilder = new HiveAuthzSessionContext.Builder();
+ ctxBuilder.setClientType(CLIENT_TYPE.HIVESERVER2);
+ return ctxBuilder.build();
+ }
+
+ /**
+ * Verify that params in settableParams can be modified, and other random ones can't be modified
+ * @param settableParams
+ * @param processedConf
+ */
+ private void verifyParamSettability(String [] settableParams, HiveConf processedConf) {
+ // verify that the whitlelist params can be set
+ for (String param : settableParams) {
+ try {
+ processedConf.verifyAndSet(param, "dummy");
+ } catch (IllegalArgumentException e) {
+ fail("Unable to set value for parameter in whitelist " + param + " " + e);
+ }
+ }
+
+ // verify that non whitelist params can't be set
+ assertConfModificationException(processedConf, "dummy.param");
+ // does not make sense to have any of the metastore config variables to be
+ // modifiable
+ for (ConfVars metaVar : HiveConf.metaVars) {
+ assertConfModificationException(processedConf, metaVar.varname);
+ }
+ }
+
+ /**
+ * Test that modifying HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST config works
+ * @throws HiveAuthzPluginException
+ */
+ @Test
+ public void testConfigProcessingCustomSetWhitelist() throws HiveAuthzPluginException {
+
+ HiveConf processedConf = new HiveConf();
+ // add custom value, including one from the default, one new one
+ String[] settableParams = { SQLStdHiveAccessController.defaultModWhiteListSqlStdAuth[0],
+ "abcs.dummy.test.param" };
+ processedConf.setVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_SQL_STD_AUTH_CONFIG_WHITELIST,
+ Joiner.on(",").join(settableParams));
+
+ SQLStdHiveAccessController accessController = new SQLStdHiveAccessController(null,
+ processedConf, new HadoopDefaultAuthenticator(), getHS2SessionCtx());
+ accessController.applyAuthorizationConfigPolicy(processedConf);
+ verifyParamSettability(settableParams, processedConf);
+
+ }
+
+ private void assertConfModificationException(HiveConf processedConf, String param) {
+ boolean caughtEx = false;
+ try {
+ processedConf.verifyAndSet(param, "dummy");
+ } catch (IllegalArgumentException e) {
+ caughtEx = true;
+ }
+ assertTrue("Exception should be thrown while modifying the param " + param, caughtEx);
+ }
+
+}
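Review bot: `testConfigProcessingCustomSetWhitelist` never checks that a default-whitelist parameter left out of the custom list is rejected, so it would still pass if the configured whitelist were merged with the defaults instead of replacing them. On the negative side, `verifyParamSettability` only tries `dummy.param` and the `HiveConf.metaVars` names. If replacement is the intended behaviour and `defaultModWhiteListSqlStdAuth` has more than one entry (its contents are not visible in this hunk), add after the `verifyParamSettability(settableParams, processedConf);` call: `assertConfModificationException(processedConf, SQLStdHiveAccessController.defaultModWhiteListSqlStdAuth[1]);`. Since this setting limits which session parameters a user may change under SQL standard authorization, the override case is the one most worth pinning.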
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_addjar.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_addjar.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_addjar.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_addjar.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.enabled=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_addpartition.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_addpartition.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_addpartition.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_addpartition.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set hive.security.authorization.enabled=true;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_alter_db_owner.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_alter_db_owner.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_alter_db_owner.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_alter_db_owner.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set hive.security.authorization.enabled=true;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_alter_db_owner_default.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_alter_db_owner_default.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_alter_db_owner_default.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_alter_db_owner_default.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set hive.security.authorization.enabled=true;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_cannot_create_all_role.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_cannot_create_all_role.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_cannot_create_all_role.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_cannot_create_all_role.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set user.name=hive_admin_user;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_cannot_create_default_role.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_cannot_create_default_role.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_cannot_create_default_role.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_cannot_create_default_role.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set user.name=hive_admin_user;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_cannot_create_none_role.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_cannot_create_none_role.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_cannot_create_none_role.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_cannot_create_none_role.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set user.name=hive_admin_user;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_caseinsensitivity.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_caseinsensitivity.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_caseinsensitivity.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_caseinsensitivity.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set user.name=hive_admin_user;
Added: hive/trunk/ql/src/test/queries/clientnegative/authorization_cli_auth_enable.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_cli_auth_enable.q?rev=1618283&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_cli_auth_enable.q (added)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_cli_auth_enable.q Fri Aug 15 21:44:48 2014
@@ -0,0 +1,7 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_test_user;
+set hive.security.authorization.enabled=true;
+
+-- verify that sql std auth throws an error with hive cli, if auth is enabled
+show tables 'src';
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_compile.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_compile.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_compile.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_compile.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.enabled=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_create_func1.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_create_func1.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_create_func1.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_create_func1.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set hive.security.authorization.enabled=true;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_create_func2.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_create_func2.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_create_func2.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_create_func2.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set hive.security.authorization.enabled=true;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_create_index.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_create_index.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_create_index.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_create_index.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set hive.security.authorization.enabled=true;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_create_macro1.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_create_macro1.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_create_macro1.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_create_macro1.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set hive.security.authorization.enabled=true;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
-- this test will fail because hive_test_user is not in admin role.
create role r1;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_createview.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_createview.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_createview.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_createview.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set hive.security.authorization.enabled=true;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_ctas.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_ctas.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_ctas.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_ctas.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set hive.security.authorization.enabled=true;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_deletejar.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_deletejar.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_deletejar.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_deletejar.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.enabled=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_desc_table_nosel.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set hive.security.authorization.enabled=true;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_dfs.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_dfs.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_dfs.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_dfs.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.enabled=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_disallow_transform.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_disallow_transform.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_disallow_transform.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_disallow_transform.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set role ALL;
SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM src;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_admin_role.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_admin_role.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_admin_role.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_admin_role.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set user.name=hive_admin_user;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_db_cascade.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_db_cascade.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_db_cascade.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_db_cascade.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set hive.security.authorization.enabled=true;
Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_db_empty.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_db_empty.q?rev=1618283&r1=1618282&r2=1618283&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_db_empty.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_db_empty.q Fri Aug 15 21:44:48 2014
@@ -1,3 +1,4 @@
+set hive.test.authz.sstd.hs2.mode=true;
set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
set hive.security.authorization.enabled=true;