Posted to commits@hive.apache.org by kg...@apache.org on 2021/10/13 11:54:24 UTC
[hive] branch master updated: HIVE-25532: Fixing authorization for
Kill Query command. (#2649) (Abhay Chennagiri reviewed by Saihemanth
Gantasala and Zoltan Haindrich)
This is an automated email from the ASF dual-hosted git repository.
kgyrtkirk pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/master by this push:
new f53bb7c HIVE-25532: Fixing authorization for Kill Query command. (#2649) (Abhay Chennagiri reviewed by Saihemanth Gantasala and Zoltan Haindrich)
f53bb7c is described below
commit f53bb7cefe64cd652b48bb802eaf0716f84fa592
Author: achennagiri <77...@users.noreply.github.com>
AuthorDate: Wed Oct 13 04:54:09 2021 -0700
HIVE-25532: Fixing authorization for Kill Query command. (#2649) (Abhay Chennagiri reviewed by Saihemanth Gantasala and Zoltan Haindrich)
---
.../plugin/TestHiveAuthorizerCheckInvocation.java | 40 +++++++++++++++++++++-
.../apache/hive/service/server/KillQueryImpl.java | 7 +++-
2 files changed, 45 insertions(+), 2 deletions(-)
diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java
index 13656c5..ee6925d 100644
--- a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java
+++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java
@@ -40,6 +40,7 @@ import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
import org.apache.hadoop.hive.metastore.utils.TestTxnDbUtil;
import org.apache.hadoop.hive.ql.Driver;
+import org.apache.hadoop.hive.ql.QueryState;
import org.apache.hadoop.hive.ql.exec.Registry;
import org.apache.hadoop.hive.ql.lockmgr.DbTxnManager;
import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
@@ -47,6 +48,10 @@ import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.hadoop.hive.ql.stats.StatsUtils;
+import org.apache.hive.service.cli.operation.OperationManager;
+import org.apache.hive.service.server.KillQueryImpl;
+import org.apache.hive.service.server.KillQueryZookeeperManager;
+
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.Test;
@@ -64,6 +69,7 @@ public class TestHiveAuthorizerCheckInvocation {
private final Logger LOG = LoggerFactory.getLogger(this.getClass().getName());;
protected static HiveConf conf;
protected static Driver driver;
+ protected static SessionState ss;
private static final String tableName = TestHiveAuthorizerCheckInvocation.class.getSimpleName()
+ "Table";
private static final String viewName = TestHiveAuthorizerCheckInvocation.class.getSimpleName()
@@ -102,10 +108,17 @@ public class TestHiveAuthorizerCheckInvocation {
conf.setVar(ConfVars.HIVE_TXN_MANAGER, DbTxnManager.class.getName());
conf.setBoolVar(ConfVars.HIVE_QUERY_RESULTS_CACHE_ENABLED, true);
conf.setVar(HiveConf.ConfVars.HIVEMAPREDMODE, "nonstrict");
+ conf.setBoolVar(ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE, true);
+ conf.setBoolVar(ConfVars.HIVE_ZOOKEEPER_KILLQUERY_ENABLE, false);
TestTxnDbUtil.prepDb(conf);
- SessionState.start(conf);
+ SessionState ss = SessionState.start(conf);
+ OperationManager operationManager = Mockito.mock(OperationManager.class);
+ KillQueryZookeeperManager killQueryZookeeperManager = Mockito.mock(KillQueryZookeeperManager.class);
+ KillQueryImpl killQueryImpl = new KillQueryImpl(operationManager, killQueryZookeeperManager);
+ ss.setKillQuery(killQueryImpl);
+
driver = new Driver(conf);
runCmd("create table " + tableName
+ " (i int, j int, k string) partitioned by (city string, `date` string) ");
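Review bot: `SessionState ss = SessionState.start(conf);` declares a local that shadows the `protected static SessionState ss` field added in the previous hunk, so the field is never assigned and stays null for any subclass or test method that reads it. Assign the field instead, `ss = SessionState.start(conf);`, or drop the field if nothing outside this method needs it. The setup method edited here starts and ends outside the hunk, so later uses of `ss` are not visible from this view.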
@@ -676,4 +689,29 @@ public class TestHiveAuthorizerCheckInvocation {
inputsCapturer.getValue(), outputsCapturer.getValue());
}
+ /**
+ * Unit test for HIVE-25532.
+ * Checks if the right privilege objects are being sent when a kill query call is made.
+ * @throws Exception
+ */
+ @Test
+ public void testKillQueryAuthorization() throws Exception {
+ int queryStatus = driver.compile("select " + viewName + ".i, " + tableName + ".city from "
+ + viewName + " join " + tableName + " on " + viewName + ".city = " + tableName
+ + ".city where " + tableName + ".k = 'X'", true);
+ assertEquals(0, queryStatus);
+
+ resetAuthorizer();
+ QueryState queryState = driver.getQueryState();
+ String queryId = queryState.getQueryId();
+ int killQueryStatus = driver.compile("kill query '" + queryId + "'", true);
+ assertEquals(0, killQueryStatus);
+ driver.run();
+
+ List<HivePrivilegeObject> inputs = getHivePrivilegeObjectInputs().getLeft();
+ HivePrivilegeObject dbObj = inputs.get(0);
+ assertEquals("input type", HivePrivilegeObjectType.SERVICE_NAME, dbObj.getType());
+ assertEquals("object name","hiveservice", dbObj.getObjectName());
+ }
+
}
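Review bot: testKillQueryAuthorization reads `inputs.get(0)` without pinning the list size, so it would still pass if additional, unintended privilege objects were sent with the KILL_QUERY check. Adding `assertEquals(1, inputs.size());` before the `get(0)` makes the expectation exact, and the local `dbObj` would read better as `serviceObj` since it holds a SERVICE_NAME object. The test also covers only what is handed to the authorizer on the allow path; a companion case in which the authorizer rejects KILL_QUERY would show that a denial actually stops a user from killing another user's query. The Javadoc's bare `@throws Exception` could say when it is thrown or be removed.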
diff --git a/service/src/java/org/apache/hive/service/server/KillQueryImpl.java b/service/src/java/org/apache/hive/service/server/KillQueryImpl.java
index bd54026..c4196cb 100644
--- a/service/src/java/org/apache/hive/service/server/KillQueryImpl.java
+++ b/service/src/java/org/apache/hive/service/server/KillQueryImpl.java
@@ -18,6 +18,8 @@
package org.apache.hive.service.server;
+import java.util.Arrays;
+
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.conf.HiveConf;
@@ -26,6 +28,7 @@ import org.apache.hadoop.hive.ql.ddl.process.kill.KillQueriesOperation;
import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import org.apache.hadoop.hive.ql.session.KillQuery;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.hadoop.security.UserGroupInformation;
@@ -116,6 +119,8 @@ public class KillQueryImpl implements KillQuery {
private static boolean isAdmin() {
boolean isAdmin = false;
+ // RANGER-1851
+ HivePrivilegeObject serviceNameObj = new HivePrivilegeObject(HivePrivilegeObject.HivePrivilegeObjectType.SERVICE_NAME, null, "hiveservice");
SessionState ss = SessionState.get();
if (!HiveConf.getBoolVar(ss.getConf(), HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
// If authorization is disabled, hs2 process owner should have kill privileges
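Review bot: The `// RANGER-1851` comment above the new `serviceNameObj` names a ticket in another project without saying why the object exists, which makes this authorization input easy to remove by mistake. A comment along the lines of `// KILL_QUERY is authorized against a SERVICE_NAME resource (see RANGER-1851); with an empty input list the authorizer has nothing to match a policy on` would record the intent, assuming that is the reason. The literal `"hiveservice"` is repeated in the new test, so a shared constant would keep the two from drifting apart. The object is also built before the authorization-enabled check, although it is used only in the authorizer branch of the next hunk; isAdmin's body continues outside this hunk.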
@@ -128,7 +133,7 @@ public class KillQueryImpl implements KillQuery {
}
if (ss.getAuthorizerV2() != null) {
try {
- ss.getAuthorizerV2().checkPrivileges(HiveOperationType.KILL_QUERY, new ArrayList<>(), new ArrayList<>(),
+ ss.getAuthorizerV2().checkPrivileges(HiveOperationType.KILL_QUERY, Arrays.asList(serviceNameObj), new ArrayList<HivePrivilegeObject>(),
new HiveAuthzContext.Builder().build());
isAdmin = true;
} catch (Exception e) {
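Review bot: The KILL_QUERY check now names a resource, but the `HiveAuthzContext` on the continuation line is still built empty, so an authorizer's audit record for this decision will likely carry no client address. If the session has one at this point, `new HiveAuthzContext.Builder().setUserIpAddress(ss.getUserIpAddress()).build()` would let a denied or allowed kill be traced to its origin. As a smaller style point, `Collections.singletonList(serviceNameObj)` states the single-element intent more directly than `Arrays.asList(serviceNameObj)`, and the explicit `new ArrayList<HivePrivilegeObject>()` could remain the diamond form. The catch block's body lies outside the hunk, so how a failed check is logged cannot be judged from here.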