Posted to commits@hive.apache.org by kg...@apache.org on 2021/10/13 11:54:24 UTC

[hive] branch master updated: HIVE-25532: Fixing authorization for Kill Query command. (#2649) (Abhay Chennagiri reviewed by Saihemanth Gantasala and Zoltan Haindrich)

This is an automated email from the ASF dual-hosted git repository.

kgyrtkirk pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new f53bb7c  HIVE-25532: Fixing authorization for Kill Query command. (#2649) (Abhay Chennagiri reviewed by Saihemanth Gantasala and Zoltan Haindrich)
f53bb7c is described below

commit f53bb7cefe64cd652b48bb802eaf0716f84fa592
Author: achennagiri <77...@users.noreply.github.com>
AuthorDate: Wed Oct 13 04:54:09 2021 -0700

    HIVE-25532: Fixing authorization for Kill Query command. (#2649) (Abhay Chennagiri reviewed by Saihemanth Gantasala and Zoltan Haindrich)
---
 .../plugin/TestHiveAuthorizerCheckInvocation.java  | 40 +++++++++++++++++++++-
 .../apache/hive/service/server/KillQueryImpl.java  |  7 +++-
 2 files changed, 45 insertions(+), 2 deletions(-)

diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java
index 13656c5..ee6925d 100644
--- a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java
+++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java
@@ -40,6 +40,7 @@ import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
 import org.apache.hadoop.hive.metastore.utils.TestTxnDbUtil;
 import org.apache.hadoop.hive.ql.Driver;
+import org.apache.hadoop.hive.ql.QueryState;
 import org.apache.hadoop.hive.ql.exec.Registry;
 import org.apache.hadoop.hive.ql.lockmgr.DbTxnManager;
 import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
@@ -47,6 +48,10 @@ import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
 import org.apache.hadoop.hive.ql.session.SessionState;
 import org.apache.hadoop.hive.ql.stats.StatsUtils;
+import org.apache.hive.service.cli.operation.OperationManager;
+import org.apache.hive.service.server.KillQueryImpl;
+import org.apache.hive.service.server.KillQueryZookeeperManager;
+
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
@@ -64,6 +69,7 @@ public class TestHiveAuthorizerCheckInvocation {
   private final Logger LOG = LoggerFactory.getLogger(this.getClass().getName());;
   protected static HiveConf conf;
   protected static Driver driver;
+  protected static SessionState ss;
   private static final String tableName = TestHiveAuthorizerCheckInvocation.class.getSimpleName()
       + "Table";
   private static final String viewName = TestHiveAuthorizerCheckInvocation.class.getSimpleName()
@@ -102,10 +108,17 @@ public class TestHiveAuthorizerCheckInvocation {
     conf.setVar(ConfVars.HIVE_TXN_MANAGER, DbTxnManager.class.getName());
     conf.setBoolVar(ConfVars.HIVE_QUERY_RESULTS_CACHE_ENABLED, true);
     conf.setVar(HiveConf.ConfVars.HIVEMAPREDMODE, "nonstrict");
+    conf.setBoolVar(ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE, true);
+    conf.setBoolVar(ConfVars.HIVE_ZOOKEEPER_KILLQUERY_ENABLE, false);
 
     TestTxnDbUtil.prepDb(conf);
 
-    SessionState.start(conf);
+    SessionState ss = SessionState.start(conf);
+    OperationManager operationManager = Mockito.mock(OperationManager.class);
+    KillQueryZookeeperManager killQueryZookeeperManager = Mockito.mock(KillQueryZookeeperManager.class);
+    KillQueryImpl killQueryImpl = new KillQueryImpl(operationManager, killQueryZookeeperManager);
+    ss.setKillQuery(killQueryImpl);
+
     driver = new Driver(conf);
     runCmd("create table " + tableName
         + " (i int, j int, k string) partitioned by (city string, `date` string) ");
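Review bot: The added line `SessionState ss = SessionState.start(conf);` declares a local that shadows the new static field `ss` introduced in the class-level hunk above, so that field is never assigned and stays null for anything that reads it later. Either assign the field with `ss = SessionState.start(conf);` or drop the field declaration if nothing outside this setup method needs the session. The setup method starts and ends outside this hunk, so whether subclasses or other tests rely on the field cannot be confirmed from here.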
@@ -676,4 +689,29 @@ public class TestHiveAuthorizerCheckInvocation {
         inputsCapturer.getValue(), outputsCapturer.getValue());
   }
 
+  /**
+   * Unit test for HIVE-25532.
+   * Checks if the right privilege objects are being sent when a kill query call is made.
+   * @throws Exception
+   */
+  @Test
+  public void testKillQueryAuthorization() throws Exception {
+    int queryStatus = driver.compile("select " + viewName + ".i, " + tableName + ".city from "
+            + viewName + " join " + tableName + " on " + viewName + ".city = " + tableName
+            + ".city where " + tableName + ".k = 'X'", true);
+    assertEquals(0, queryStatus);
+
+    resetAuthorizer();
+    QueryState queryState = driver.getQueryState();
+    String queryId = queryState.getQueryId();
+    int killQueryStatus = driver.compile("kill query '" + queryId + "'", true);
+    assertEquals(0, killQueryStatus);
+    driver.run();
+
+    List<HivePrivilegeObject> inputs = getHivePrivilegeObjectInputs().getLeft();
+    HivePrivilegeObject dbObj = inputs.get(0);
+    assertEquals("input type", HivePrivilegeObjectType.SERVICE_NAME, dbObj.getType());
+    assertEquals("object name","hiveservice", dbObj.getObjectName());
+  }
+
 }
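Review bot: `inputs.get(0)` is read without checking the list first, so an empty input list fails with an IndexOutOfBoundsException instead of an assertion message, and additional unexpected privilege objects would go unnoticed; if exactly one object is expected, add `assertEquals("input count", 1, inputs.size());` before it. The local `dbObj` holds a SERVICE_NAME object, so a name such as `serviceObj` would read more accurately. The test pins only which privilege object reaches the authorizer; a companion case in which the authorizer rejects KILL_QUERY and the kill is refused would cover the behaviour the fix is meant to protect. The Javadoc's bare `@throws Exception` can be dropped or given a description.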
diff --git a/service/src/java/org/apache/hive/service/server/KillQueryImpl.java b/service/src/java/org/apache/hive/service/server/KillQueryImpl.java
index bd54026..c4196cb 100644
--- a/service/src/java/org/apache/hive/service/server/KillQueryImpl.java
+++ b/service/src/java/org/apache/hive/service/server/KillQueryImpl.java
@@ -18,6 +18,8 @@
 
 package org.apache.hive.service.server;
 
+import java.util.Arrays;
+
 import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hive.conf.HiveConf;
@@ -26,6 +28,7 @@ import org.apache.hadoop.hive.ql.ddl.process.kill.KillQueriesOperation;
 import org.apache.hadoop.hive.ql.metadata.HiveException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
 import org.apache.hadoop.hive.ql.session.KillQuery;
 import org.apache.hadoop.hive.ql.session.SessionState;
 import org.apache.hadoop.security.UserGroupInformation;
@@ -116,6 +119,8 @@ public class KillQueryImpl implements KillQuery {
 
   private static boolean isAdmin() {
     boolean isAdmin = false;
+    // RANGER-1851
+    HivePrivilegeObject serviceNameObj = new HivePrivilegeObject(HivePrivilegeObject.HivePrivilegeObjectType.SERVICE_NAME, null, "hiveservice");
     SessionState ss = SessionState.get();
     if (!HiveConf.getBoolVar(ss.getConf(), HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
       // If authorization is disabled, hs2 process owner should have kill privileges
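Review bot: The comment `// RANGER-1851` names a ticket in another project without saying why the object exists. Something like `// Give authorizer plugins a resource to evaluate KILL_QUERY against: the HS2 service as a SERVICE_NAME object (see RANGER-1851)` would make the intent readable in place, assuming that is the intent. The object is also built before the authorization-enabled check although it is only used in the `getAuthorizerV2()` branch of the next hunk; constructing it there keeps it next to its use. The literal `"hiveservice"` is repeated in the new test, so a named constant would keep the two in sync. isAdmin's body continues outside this hunk.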
@@ -128,7 +133,7 @@ public class KillQueryImpl implements KillQuery {
     }
     if (ss.getAuthorizerV2() != null) {
       try {
-        ss.getAuthorizerV2().checkPrivileges(HiveOperationType.KILL_QUERY, new ArrayList<>(), new ArrayList<>(),
+        ss.getAuthorizerV2().checkPrivileges(HiveOperationType.KILL_QUERY, Arrays.asList(serviceNameObj), new ArrayList<HivePrivilegeObject>(),
             new HiveAuthzContext.Builder().build());
         isAdmin = true;
       } catch (Exception e) {
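Review bot: `Arrays.asList(serviceNameObj)` passes a fixed-size list where the previous code passed a mutable `ArrayList`, and the output argument is still mutable. If an authorizer implementation adds to or removes from the input list, the call would throw UnsupportedOperationException, which the surrounding `catch (Exception e)` would presumably report as a plain "not admin" result. Whether any plugin mutates the list is not visible here, but `new ArrayList<>(Arrays.asList(serviceNameObj))` would keep the earlier mutability at no cost. The catch body lies outside the hunk, so how such a failure is logged cannot be confirmed.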