hive-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From the...@apache.org
Subject svn commit: r1566401 [1/3] - in /hive/trunk: common/src/java/org/apache/hadoop/hive/conf/ conf/ data/conf/ itests/util/src/main/java/org/apache/hadoop/hive/ql/security/ metastore/src/java/org/apache/hadoop/hive/metastore/ ql/src/java/org/apache/hadoop/...
Date Sun, 09 Feb 2014 20:43:38 GMT
Author: thejas
Date: Sun Feb  9 20:43:37 2014
New Revision: 1566401

URL: http://svn.apache.org/r1566401
Log:
HIVE-5953 : SQL std auth - authorize grant/revoke on table/views (Thejas Nair reviwed by Ashutosh Chauhan)

Added:
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzPluginException.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/package-info.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/RequiredPrivileges.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/RevokePrivAuthUtils.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLAuthorizationUtils.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLPrivTypeGrant.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLPrivilegeType.java
    hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/plugin/
    hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/plugin/sqlstd/
    hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/plugin/sqlstd/TestOperation2Privilege.java
    hive/trunk/ql/src/test/queries/clientnegative/authorization_grant_table_allpriv.q
    hive/trunk/ql/src/test/queries/clientnegative/authorization_grant_table_fail1.q
    hive/trunk/ql/src/test/queries/clientnegative/authorization_grant_table_fail_nogrant.q
    hive/trunk/ql/src/test/queries/clientnegative/authorization_revoke_table_fail1.q
    hive/trunk/ql/src/test/queries/clientnegative/authorization_revoke_table_fail2.q
    hive/trunk/ql/src/test/queries/clientpositive/authorization_create_table_owner_privs.q
    hive/trunk/ql/src/test/queries/clientpositive/authorization_grant_table_priv.q
    hive/trunk/ql/src/test/queries/clientpositive/authorization_revoke_table_priv.q
    hive/trunk/ql/src/test/results/clientnegative/authorization_grant_table_allpriv.q.out
    hive/trunk/ql/src/test/results/clientnegative/authorization_grant_table_fail1.q.out
    hive/trunk/ql/src/test/results/clientnegative/authorization_grant_table_fail_nogrant.q.out
    hive/trunk/ql/src/test/results/clientnegative/authorization_revoke_table_fail1.q.out
    hive/trunk/ql/src/test/results/clientnegative/authorization_revoke_table_fail2.q.out
    hive/trunk/ql/src/test/results/clientpositive/authorization_create_table_owner_privs.q.out
    hive/trunk/ql/src/test/results/clientpositive/authorization_grant_table_priv.q.out
    hive/trunk/ql/src/test/results/clientpositive/authorization_revoke_table_priv.q.out
Removed:
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationPluginException.java
Modified:
    hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
    hive/trunk/conf/hive-default.xml.template
    hive/trunk/data/conf/hive-site.xml
    hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java
    hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java
    hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeType.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactory.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactoryImpl.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeInfo.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRole.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizerFactory.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/session/SessionState.java
    hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/metadata/TestHive.java
    hive/trunk/ql/src/test/org/apache/hadoop/hive/ql/parse/authorization/TestSessionUserName.java
    hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q
    hive/trunk/ql/src/test/results/clientnegative/authorization_invalid_priv_v2.q.out
    hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
    hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
    hive/trunk/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out

Modified: hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
URL: http://svn.apache.org/viewvc/hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java (original)
+++ hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java Sun Feb  9 20:43:37 2014
@@ -830,7 +830,7 @@ public class HiveConf extends Configurat
 
     HIVE_SECURITY_COMMAND_WHITELIST("hive.security.command.whitelist", "set,reset,dfs,add,delete,compile"),
 
-    HIVE_CONF_RESTRICTED_LIST("hive.conf.restricted.list", ""),
+    HIVE_CONF_RESTRICTED_LIST("hive.conf.restricted.list", "hive.security.authenticator.manager,hive.security.authorization.manager"),
 
     // If this is set all move tasks at the end of a multi-insert query will only begin once all
     // outputs are ready
@@ -880,7 +880,7 @@ public class HiveConf extends Configurat
     HIVE_VECTORIZATION_GROUPBY_CHECKINTERVAL("hive.vectorized.groupby.checkinterval", 100000),
     HIVE_VECTORIZATION_GROUPBY_MAXENTRIES("hive.vectorized.groupby.maxentries", 1000000),
     HIVE_VECTORIZATION_GROUPBY_FLUSH_PERCENT("hive.vectorized.groupby.flush.percent", (float) 0.1),
-    
+
 
     HIVE_TYPE_CHECK_ON_INSERT("hive.typecheck.on.insert", true),
 
@@ -895,7 +895,7 @@ public class HiveConf extends Configurat
     HIVEEXPLAINDEPENDENCYAPPENDTASKTYPES("hive.explain.dependency.append.tasktype", false),
 
     HIVECOUNTERGROUP("hive.counters.group.name", "HIVE"),
-    
+
     // none, column
     // none is the default(past) behavior. Implies only alphaNumeric and underscore are valid characters in identifiers.
     // column: implies column names can contain any character.

Modified: hive/trunk/conf/hive-default.xml.template
URL: http://svn.apache.org/viewvc/hive/trunk/conf/hive-default.xml.template?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/conf/hive-default.xml.template (original)
+++ hive/trunk/conf/hive-default.xml.template Sun Feb  9 20:43:37 2014
@@ -1656,7 +1656,7 @@
 
 <property>
   <name>hive.conf.restricted.list</name>
-  <value></value>
+  <value>hive.security.authenticator.manager,hive.security.authorization.manager</value>
   <description>Comma separated list of configuration options which are immutable at runtime</description>
 </property>
 

Modified: hive/trunk/data/conf/hive-site.xml
URL: http://svn.apache.org/viewvc/hive/trunk/data/conf/hive-site.xml?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/data/conf/hive-site.xml (original)
+++ hive/trunk/data/conf/hive-site.xml Sun Feb  9 20:43:37 2014
@@ -197,4 +197,10 @@
   <value>0</value>
 </property>
 
+<property>
+  <name>hive.conf.restricted.list</name>
+  <value>dummy.config.value</value>
+  <description>Using dummy config value above because you cannot override config with empty value</description>
+</property>
+
 </configuration>

Modified: hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java
URL: http://svn.apache.org/viewvc/hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java (original)
+++ hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/DummyAuthenticator.java Sun Feb  9 20:43:37 2014
@@ -22,11 +22,12 @@ import java.util.List;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.session.SessionState;
 
 public class DummyAuthenticator implements HiveAuthenticationProvider {
 
-  private List<String> groupNames;
-  private String userName;
+  private final List<String> groupNames;
+  private final String userName;
   private Configuration conf;
 
   public DummyAuthenticator() {
@@ -56,8 +57,14 @@ public class DummyAuthenticator implemen
     this.conf = conf;
   }
 
+  @Override
   public Configuration getConf() {
     return this.conf;
   }
 
+  @Override
+  public void setSessionState(SessionState ss) {
+    //no op
+  }
+
 }

Modified: hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java
URL: http://svn.apache.org/viewvc/hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java (original)
+++ hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/security/InjectableDummyAuthenticator.java Sun Feb  9 20:43:37 2014
@@ -22,6 +22,7 @@ import java.util.List;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hive.metastore.HiveMetaStore.HMSHandler;
 import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.session.SessionState;
 
 /**
  *
@@ -80,7 +81,7 @@ public class InjectableDummyAuthenticato
   @Override
   public void setConf(Configuration config) {
     try {
-      hmap = (HiveMetastoreAuthenticationProvider) hmapClass.newInstance();
+      hmap = hmapClass.newInstance();
     } catch (InstantiationException e) {
       throw new RuntimeException("Whoops, could not create an Authenticator of class " +
           hmapClass.getName());
@@ -102,4 +103,9 @@ public class InjectableDummyAuthenticato
     hmap.destroy();
   }
 
+  @Override
+  public void setSessionState(SessionState arg0) {
+    //no-op
+  }
+
 }

Modified: hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java (original)
+++ hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java Sun Feb  9 20:43:37 2014
@@ -20,7 +20,6 @@ package org.apache.hadoop.hive.metastore
 
 import java.util.List;
 import java.util.Map;
-import java.util.Set;
 
 import org.apache.hadoop.hive.metastore.api.AlreadyExistsException;
 import org.apache.hadoop.hive.metastore.api.ColumnStatistics;
@@ -931,6 +930,8 @@ public interface IMetaStoreClient {
       throws MetaException, TException;
 
   /**
+   * Return the privileges that the user, group have directly and indirectly through roles
+   * on the given hiveObject
    * @param hiveObject
    * @param user_name
    * @param group_names
@@ -943,6 +944,7 @@ public interface IMetaStoreClient {
       TException;
 
   /**
+   * Return the privileges that this principal has directly over the object (not through roles).
    * @param principal_name
    * @param principal_type
    * @param hiveObject

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/Driver.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/Driver.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/Driver.java Sun Feb  9 20:43:37 2014
@@ -55,6 +55,7 @@ import org.apache.hadoop.hive.ql.exec.Ta
 import org.apache.hadoop.hive.ql.exec.Utilities;
 import org.apache.hadoop.hive.ql.history.HiveHistory.Keys;
 import org.apache.hadoop.hive.ql.hooks.Entity;
+import org.apache.hadoop.hive.ql.hooks.Entity.Type;
 import org.apache.hadoop.hive.ql.hooks.ExecuteWithHookContext;
 import org.apache.hadoop.hive.ql.hooks.Hook;
 import org.apache.hadoop.hive.ql.hooks.HookContext;
@@ -185,6 +186,7 @@ public class Driver implements CommandPr
     }
   }
 
+  @Override
   public void init() {
     Operator.resetId();
   }
@@ -728,7 +730,7 @@ public class Driver implements CommandPr
 
       //support for authorization on partitions or uri needs to be added
       HivePrivilegeObject hPrivObject = new HivePrivilegeObject(privObjType,
-          privObject.getDatabase() == null ? null : privObject.getDatabase().getName(),
+          getDataBaseName(privObject),
               privObject.getTable() == null ? null : privObject.getTable().getTableName());
       hivePrivobjs.add(hPrivObject);
     }
@@ -736,6 +738,13 @@ public class Driver implements CommandPr
   }
 
 
+  private String getDataBaseName(Entity privObject) {
+    if(privObject.getType() == Type.DATABASE){
+      return privObject.getDatabase() == null ? null : privObject.getDatabase().getName();
+    } else {
+      return privObject.getTable() == null ? null : privObject.getTable().getDbName();
+    }
+  }
 
   private HiveOperationType getHiveOperationType(HiveOperation op) {
     return HiveOperationType.valueOf(op.name());
@@ -967,6 +976,7 @@ public class Driver implements CommandPr
     perfLogger.PerfLogEnd(CLASS_NAME, PerfLogger.RELEASE_LOCKS);
   }
 
+  @Override
   public CommandProcessorResponse run(String command)
       throws CommandNeedRetryException {
     return run(command, false);

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HadoopDefaultAuthenticator.java Sun Feb  9 20:43:37 2014
@@ -23,6 +23,7 @@ import java.util.List;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.session.SessionState;
 import org.apache.hadoop.hive.shims.ShimLoader;
 import org.apache.hadoop.security.UserGroupInformation;
 
@@ -30,7 +31,7 @@ public class HadoopDefaultAuthenticator 
 
   protected String userName;
   protected List<String> groupNames;
-  
+
   protected Configuration conf;
 
   @Override
@@ -74,4 +75,9 @@ public class HadoopDefaultAuthenticator 
     return this.conf;
   }
 
+  @Override
+  public void setSessionState(SessionState ss) {
+    //no op
+  }
+
 }

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/HiveAuthenticationProvider.java Sun Feb  9 20:43:37 2014
@@ -22,17 +22,20 @@ import java.util.List;
 
 import org.apache.hadoop.conf.Configurable;
 import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.session.SessionState;
 
 /**
  * HiveAuthenticationProvider is an interface for authentication. The
  * implementation should return userNames and groupNames.
  */
 public interface HiveAuthenticationProvider extends Configurable{
-  
+
   public String getUserName();
-  
+
   public List<String> getGroupNames();
-  
+
   public void destroy() throws HiveException;
 
+  public void setSessionState(SessionState ss);
+
 }

Added: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java?rev=1566401&view=auto
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java (added)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateConfigUserAuthenticator.java Sun Feb  9 20:43:37 2014
@@ -0,0 +1,70 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.session.SessionState;
+
+/**
+ * Authenticator to be used for testing and debugging. This picks the user.name
+ * set in SessionState config, if that is null, it returns value of
+ * System property user.name
+ */
+public class SessionStateConfigUserAuthenticator implements HiveAuthenticationProvider {
+
+  private final List<String> groupNames = new ArrayList<String>();
+
+  protected Configuration conf;
+  private SessionState sessionState;
+
+  @Override
+  public List<String> getGroupNames() {
+    return groupNames;
+  }
+
+  @Override
+  public String getUserName() {
+    String newUserName = sessionState.getConf().get("user.name");
+    return newUserName != null ? newUserName : System.getProperty("user.name");
+  }
+
+  @Override
+  public void destroy() throws HiveException {
+    return;
+  }
+
+  @Override
+  public Configuration getConf() {
+    return null;
+  }
+
+  @Override
+  public void setConf(Configuration arg0) {
+  }
+
+  @Override
+  public void setSessionState(SessionState sessionState) {
+    this.sessionState = sessionState;
+  }
+
+}

Added: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java?rev=1566401&view=auto
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java (added)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/SessionStateUserAuthenticator.java Sun Feb  9 20:43:37 2014
@@ -0,0 +1,72 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.session.SessionState;
+
+/**
+ * Authenticator that returns the userName set in SessionState. For use when authorizing with HS2
+ * so that HS2 can set the user for the session through SessionState
+ */
+public class SessionStateUserAuthenticator implements HiveAuthenticationProvider {
+
+  private final List<String> groupNames = new ArrayList<String>();
+
+  protected Configuration conf;
+  private SessionState sessionState;
+
+  public SessionStateUserAuthenticator(SessionState sessionState){
+    this.sessionState = sessionState;
+  }
+
+  @Override
+  public List<String> getGroupNames() {
+    return groupNames;
+  }
+
+  @Override
+  public String getUserName() {
+    return sessionState.getUserName();
+  }
+
+  @Override
+  public void destroy() throws HiveException {
+    return;
+  }
+
+  @Override
+  public Configuration getConf() {
+    return null;
+  }
+
+  @Override
+  public void setConf(Configuration arg0) {
+  }
+
+  @Override
+  public void setSessionState(SessionState sessionState) {
+    this.sessionState = sessionState;
+  }
+
+}

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeRegistry.java Sun Feb  9 20:43:37 2014
@@ -30,31 +30,16 @@ import org.apache.hadoop.hive.ql.session
 public class PrivilegeRegistry {
 
   protected static Map<PrivilegeType, Privilege> Registry = null;
+  protected static Map<PrivilegeType, Privilege> RegistryV2 = null;
 
   public static Privilege getPrivilege(PrivilegeType privilegeType) {
-    initializeRegistry();
     return Registry.get(privilegeType);
   }
 
-  private static void initializeRegistry() {
-    if(Registry != null){
-      //already initialized, nothing to do
-      return;
-    }
-    //population of registry done in separate synchronized call
-    populateRegistry();
-  }
-
   /**
-   * Add entries to registry. This needs to be synchronized to avoid Registry being populated
-   * multiple times.
+   * Add entries to registry.
    */
-  private static synchronized void populateRegistry() {
-    //do check again in synchronized block
-    if(Registry != null){
-      //already initialized, nothing to do
-      return;
-    }
+  static {
     Registry = new HashMap<PrivilegeType, Privilege>();
 
     //add the privileges supported in authorization mode V1
@@ -68,23 +53,28 @@ public class PrivilegeRegistry {
     Registry.put(Privilege.SELECT.getPriv(), Privilege.SELECT);
     Registry.put(Privilege.SHOW_DATABASE.getPriv(),
         Privilege.SHOW_DATABASE);
-    if(SessionState.get().isAuthorizationModeV2()){
-      //add the privileges not supported in V1
-      //The list of privileges supported in V2 is implementation defined,
-      //so just pass everything that syntax supports.
-      Registry.put(Privilege.INSERT.getPriv(), Privilege.INSERT);
-      Registry.put(Privilege.DELETE.getPriv(), Privilege.DELETE);
-    }
+
+    //add the privileges not supported in V1
+    //The list of privileges supported in V2 is implementation defined,
+    //so just pass everything that syntax supports.
+    RegistryV2 = new HashMap<PrivilegeType, Privilege>();
+    RegistryV2.putAll(Registry);
+    RegistryV2.put(Privilege.INSERT.getPriv(), Privilege.INSERT);
+    RegistryV2.put(Privilege.DELETE.getPriv(), Privilege.DELETE);
   }
 
   public static Privilege getPrivilege(int privilegeToken) {
-    initializeRegistry();
-    return Registry.get(PrivilegeType.getPrivTypeByToken(privilegeToken));
+    PrivilegeType ptype = PrivilegeType.getPrivTypeByToken(privilegeToken);
+    return getPrivilegeFromRegistry(ptype);
   }
 
   public static Privilege getPrivilege(String privilegeName) {
-    initializeRegistry();
-    return Registry.get(PrivilegeType.getPrivTypeByName(privilegeName));
+    PrivilegeType ptype = PrivilegeType.getPrivTypeByName(privilegeName);
+    return getPrivilegeFromRegistry(ptype);
+  }
+
+  private static Privilege getPrivilegeFromRegistry(PrivilegeType ptype) {
+    return SessionState.get().isAuthorizationModeV2() ? RegistryV2.get(ptype) : Registry.get(ptype);
   }
 
 }

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeType.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeType.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeType.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/PrivilegeType.java Sun Feb  9 20:43:37 2014
@@ -67,9 +67,7 @@ public enum PrivilegeType {
    * @return corresponding PrivilegeType
    */
   public static PrivilegeType getPrivTypeByToken(int token) {
-    if(token2Type == null){
-      populateToken2Type();
-    }
+    populateToken2Type();
     PrivilegeType privType = token2Type.get(token);
     if(privType != null){
       return privType;
@@ -93,9 +91,7 @@ public enum PrivilegeType {
    * @return corresponding PrivilegeType
    */
   public static PrivilegeType getPrivTypeByName(String privilegeName) {
-    if(name2Type == null){
-      populateName2Type();
-    }
+    populateName2Type();
     String canonicalizedName = privilegeName.toLowerCase();
     PrivilegeType privType = name2Type.get(canonicalizedName);
     if(privType != null){

Added: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java?rev=1566401&view=auto
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java (added)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java Sun Feb  9 20:43:37 2014
@@ -0,0 +1,51 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
+
+/**
+ * Exception thrown by the Authorization plugin api (v2). Indicates
+ * an error while performing authorization, and not a authorization being
+ * denied.
+ */
+@LimitedPrivate(value = { "" })
+@Evolving
+public class HiveAccessControlException extends HiveException{
+
+  private static final long serialVersionUID = 1L;
+
+  public HiveAccessControlException(){
+  }
+
+  public HiveAccessControlException(String msg){
+    super(msg);
+  }
+
+  public HiveAccessControlException(String msg, Throwable cause){
+    super(msg, cause);
+  }
+
+  public HiveAccessControlException(Throwable cause){
+    super(cause);
+  }
+
+}

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java Sun Feb  9 20:43:37 2014
@@ -19,47 +19,50 @@ package org.apache.hadoop.hive.ql.securi
 
 import java.util.List;
 
-import org.apache.hadoop.hive.metastore.api.Role;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
 
 /**
  * Interface that is invoked by access control commands, including grant/revoke role/privileges,
  * create/drop roles, and commands to read the state of authorization rules.
  * Methods here have corresponding methods in HiveAuthorizer, check method documentation there.
  */
+@LimitedPrivate(value = { "" })
+@Evolving
 public interface HiveAccessController {
 
   void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
       HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption)
-          throws HiveAuthorizationPluginException;;
+          throws HiveAuthzPluginException, HiveAccessControlException;
 
   void revokePrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
       HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption)
-          throws HiveAuthorizationPluginException;;
+          throws HiveAuthzPluginException, HiveAccessControlException;
 
   void createRole(String roleName, HivePrincipal adminGrantor)
-      throws HiveAuthorizationPluginException;
+      throws HiveAuthzPluginException, HiveAccessControlException;
 
   void dropRole(String roleName)
-      throws HiveAuthorizationPluginException;
+      throws HiveAuthzPluginException, HiveAccessControlException;
 
   List<HiveRole> getRoles(HivePrincipal hivePrincipal)
-      throws HiveAuthorizationPluginException;
+      throws HiveAuthzPluginException, HiveAccessControlException;
 
   void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption,
       HivePrincipal grantorPrinc)
-          throws HiveAuthorizationPluginException;
+          throws HiveAuthzPluginException, HiveAccessControlException;
 
   void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption,
       HivePrincipal grantorPrinc)
-          throws HiveAuthorizationPluginException;
+          throws HiveAuthzPluginException, HiveAccessControlException;
 
   List<String> getAllRoles()
-      throws HiveAuthorizationPluginException;
+      throws HiveAuthzPluginException, HiveAccessControlException;
 
   List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
-      throws HiveAuthorizationPluginException;
+      throws HiveAuthzPluginException, HiveAccessControlException;
 
-  void setCurrentRole(String roleName) throws HiveAuthorizationPluginException;
+  void setCurrentRole(String roleName) throws HiveAuthzPluginException;
 
-  List<HiveRole> getCurrentRoles() throws HiveAuthorizationPluginException;
+  List<HiveRole> getCurrentRoles() throws HiveAuthzPluginException;
 }

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizationValidator.java Sun Feb  9 20:43:37 2014
@@ -19,24 +19,28 @@ package org.apache.hadoop.hive.ql.securi
 
 import java.util.List;
 
-import org.apache.hadoop.hive.common.classification.InterfaceAudience.Public;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
 import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
 
 /**
  * Interface used to check if user has privileges to perform certain action.
  * Methods here have corresponding methods in HiveAuthorizer, check method documentation there.
  */
-@Public
+@LimitedPrivate(value = { "" })
 @Evolving
 public interface HiveAuthorizationValidator {
+
   /**
-   * Check if current user has privileges to perform given operation type hiveOpType on the given
-   * input and output objects
+   * Check if current user has privileges to perform given operation type
+   * hiveOpType on the given input and output objects
+   *
    * @param hiveOpType
    * @param inputHObjs
    * @param outputHObjs
+   * @throws HiveAuthzPluginException
+   * @throws HiveAccessControlException
    */
   void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
-      List<HivePrivilegeObject> outputHObjs) throws HiveAuthorizationPluginException;
+      List<HivePrivilegeObject> outputHObjs) throws HiveAuthzPluginException, HiveAccessControlException;
 
 }

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java Sun Feb  9 20:43:37 2014
@@ -19,9 +19,8 @@ package org.apache.hadoop.hive.ql.securi
 
 import java.util.List;
 
-import org.apache.hadoop.hive.common.classification.InterfaceAudience.Public;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
 import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
-import org.apache.hadoop.hive.metastore.api.Role;
 import org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider;
 
 /**
@@ -34,7 +33,7 @@ import org.apache.hadoop.hive.ql.securit
  *  statements and does not make assumptions about the privileges needed for a hive operation.
  * This is referred to as V2 authorizer in other parts of the code.
  */
-@Public
+@LimitedPrivate(value = { "" })
 @Evolving
 public interface HiveAuthorizer {
 
@@ -52,11 +51,12 @@ public interface HiveAuthorizer {
    * @param hivePrivObject
    * @param grantorPrincipal
    * @param grantOption
-   * @throws HiveAuthorizationPluginException
+   * @throws HiveAuthzPluginException
+   * @throws HiveAccessControlException
    */
   void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
       HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption)
-      throws HiveAuthorizationPluginException;
+      throws HiveAuthzPluginException, HiveAccessControlException;
 
   /**
    * Revoke privileges for principals on the object
@@ -65,38 +65,42 @@ public interface HiveAuthorizer {
    * @param hivePrivObject
    * @param grantorPrincipal
    * @param grantOption
-   * @throws HiveAuthorizationPluginException
+   * @throws HiveAuthzPluginException
+   * @throws HiveAccessControlException
    */
   void revokePrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
       HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption)
-      throws HiveAuthorizationPluginException;
+      throws HiveAuthzPluginException, HiveAccessControlException;
 
 
   /**
    * Create role
    * @param roleName
    * @param adminGrantor - The user in "[ WITH ADMIN <user> ]" clause of "create role"
-   * @throws HiveAuthorizationPluginException
+   * @throws HiveAuthzPluginException
+   * @throws HiveAccessControlException
    */
   void createRole(String roleName, HivePrincipal adminGrantor)
-      throws HiveAuthorizationPluginException;
+      throws HiveAuthzPluginException, HiveAccessControlException;
 
   /**
    * Drop role
    * @param roleName
-   * @throws HiveAuthorizationPluginException
+   * @throws HiveAuthzPluginException
+   * @throws HiveAccessControlException
    */
   void dropRole(String roleName)
-      throws HiveAuthorizationPluginException;
+      throws HiveAuthzPluginException, HiveAccessControlException;
 
   /**
    * Get roles that this user/role belongs to
    * @param hivePrincipal - user or role
    * @return list of roles
-   * @throws HiveAuthorizationPluginException
+   * @throws HiveAuthzPluginException
+   * @throws HiveAccessControlException
    */
   List<HiveRole> getRoles(HivePrincipal hivePrincipal)
-      throws HiveAuthorizationPluginException;
+      throws HiveAuthzPluginException, HiveAccessControlException;
 
   /**
    * Grant roles in given roles list to principals in given hivePrincipals list
@@ -104,11 +108,12 @@ public interface HiveAuthorizer {
    * @param roles
    * @param grantOption
    * @param grantorPrinc
-   * @throws HiveAuthorizationPluginException
+   * @throws HiveAuthzPluginException
+   * @throws HiveAccessControlException
    */
   void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption,
       HivePrincipal grantorPrinc)
-      throws HiveAuthorizationPluginException;
+      throws HiveAuthzPluginException, HiveAccessControlException;
 
 
   /**
@@ -117,43 +122,47 @@ public interface HiveAuthorizer {
    * @param roles
    * @param grantOption
    * @param grantorPrinc
-   * @throws HiveAuthorizationPluginException
+   * @throws HiveAuthzPluginException
+   * @throws HiveAccessControlException
    */
   void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption,
       HivePrincipal grantorPrinc)
-      throws HiveAuthorizationPluginException;
+      throws HiveAuthzPluginException, HiveAccessControlException;
 
   /**
    * Check if user has privileges to do this action on these objects
    * @param hiveOpType
    * @param inputsHObjs
    * @param outputHObjs
-   * @throws HiveAuthorizationPluginException
+   * @throws HiveAuthzPluginException
+   * @throws HiveAccessControlException
    */
   void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputsHObjs,
       List<HivePrivilegeObject> outputHObjs)
-      throws HiveAuthorizationPluginException;
+      throws HiveAuthzPluginException, HiveAccessControlException;
 
   /**
    * @return all existing roles
-   * @throws HiveAuthorizationPluginException
+   * @throws HiveAuthzPluginException
+   * @throws HiveAccessControlException
    */
   List<String> getAllRoles()
-      throws HiveAuthorizationPluginException;
+      throws HiveAuthzPluginException, HiveAccessControlException;
 
   /**
    * Show privileges for given principal on given object
    * @param principal
    * @param privObj
    * @return
-   * @throws HiveAuthorizationPluginException
+   * @throws HiveAuthzPluginException
+   * @throws HiveAccessControlException
    */
   List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
-      throws HiveAuthorizationPluginException;
+      throws HiveAuthzPluginException, HiveAccessControlException;
 
-  void setCurrentRole(String roleName) throws HiveAuthorizationPluginException;
+  void setCurrentRole(String roleName) throws HiveAuthzPluginException;
 
-  List<HiveRole> getCurrentRoles() throws HiveAuthorizationPluginException;
+  List<HiveRole> getCurrentRoles() throws HiveAuthzPluginException;
   //other functions to be added -
   //showUsersInRole(rolename)
   //isSuperuser(username)

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerFactory.java Sun Feb  9 20:43:37 2014
@@ -17,16 +17,17 @@
  */
 package org.apache.hadoop.hive.ql.security.authorization.plugin;
 
-import org.apache.hadoop.hive.common.classification.InterfaceAudience.Public;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
 import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
 import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
 
 /**
  * Implementation of this interface specified through hive configuration will be used to
  * create  {@link HiveAuthorizer} instance used for hive authorization.
  *
  */
-@Public
+@LimitedPrivate(value = { "" })
 @Evolving
 public interface HiveAuthorizerFactory {
   /**
@@ -35,9 +36,10 @@ public interface HiveAuthorizerFactory {
    *  for the current thread. Each invocation of method in HiveAuthorizer can happen in
    *  different thread, so get the current instance in each method invocation.
    * @param conf - current HiveConf
-   * @param hiveCurrentUser - user for current session
+   * @param hiveAuthenticator - authenticator, provides user name
    * @return new instance of HiveAuthorizer
+   * @throws HiveAuthzPluginException
    */
   HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
-      HiveConf conf, String hiveCurrentUser) throws HiveAuthorizationPluginException;
+      HiveConf conf, HiveAuthenticationProvider hiveAuthenticator) throws HiveAuthzPluginException;
 }

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java Sun Feb  9 20:43:37 2014
@@ -19,9 +19,8 @@ package org.apache.hadoop.hive.ql.securi
 
 import java.util.List;
 
-import org.apache.hadoop.hive.common.classification.InterfaceAudience.Public;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
 import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
-import org.apache.hadoop.hive.metastore.api.Role;
 
 /**
  * Convenience implementation of HiveAuthorizer.
@@ -29,7 +28,7 @@ import org.apache.hadoop.hive.metastore.
  * {@link HiveAccessController} and {@link HiveAuthorizationValidator} to constructor.
  *
  */
-@Public
+@LimitedPrivate(value = { "" })
 @Evolving
 public class HiveAuthorizerImpl implements HiveAuthorizer {
   HiveAccessController accessController;
@@ -43,7 +42,7 @@ public class HiveAuthorizerImpl implemen
   @Override
   public void grantPrivileges(List<HivePrincipal> hivePrincipals,
       List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
-      HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthorizationPluginException {
+      HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException {
     accessController.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
         grantorPrincipal, grantOption);
   }
@@ -51,52 +50,52 @@ public class HiveAuthorizerImpl implemen
   @Override
   public void revokePrivileges(List<HivePrincipal> hivePrincipals,
       List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
-      HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthorizationPluginException {
+      HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException, HiveAccessControlException {
     accessController.revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
         grantorPrincipal, grantOption);
   }
 
   @Override
-  public void createRole(String roleName, HivePrincipal adminGrantor) throws HiveAuthorizationPluginException {
+  public void createRole(String roleName, HivePrincipal adminGrantor) throws HiveAuthzPluginException, HiveAccessControlException {
     accessController.createRole(roleName, adminGrantor);
   }
 
   @Override
-  public void dropRole(String roleName) throws HiveAuthorizationPluginException {
+  public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
     accessController.dropRole(roleName);
   }
 
   @Override
-  public List<HiveRole> getRoles(HivePrincipal hivePrincipal) throws HiveAuthorizationPluginException {
+  public List<HiveRole> getRoles(HivePrincipal hivePrincipal) throws HiveAuthzPluginException, HiveAccessControlException {
     return accessController.getRoles(hivePrincipal);
   }
 
   @Override
   public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles,
-      boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthorizationPluginException {
+      boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException {
     accessController.grantRole(hivePrincipals, roles, grantOption, grantorPrinc);
   }
 
   @Override
   public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
-      boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthorizationPluginException {
+      boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException {
     accessController.revokeRole(hivePrincipals, roles, grantOption, grantorPrinc);
   }
 
   @Override
   public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs,
-      List<HivePrivilegeObject> outputHObjs) throws HiveAuthorizationPluginException {
+      List<HivePrivilegeObject> outputHObjs) throws HiveAuthzPluginException, HiveAccessControlException {
     authValidator.checkPrivileges(hiveOpType, inputHObjs, outputHObjs);
   }
 
   @Override
-  public List<String> getAllRoles() throws HiveAuthorizationPluginException {
+  public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
     return accessController.getAllRoles();
   }
 
   @Override
   public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal,
-      HivePrivilegeObject privObj) throws HiveAuthorizationPluginException {
+      HivePrivilegeObject privObj) throws HiveAuthzPluginException, HiveAccessControlException {
     return accessController.showPrivileges(principal, privObj);
   }
 
@@ -106,12 +105,12 @@ public class HiveAuthorizerImpl implemen
   }
 
   @Override
-  public void setCurrentRole(String roleName) throws HiveAuthorizationPluginException {
+  public void setCurrentRole(String roleName) throws HiveAuthzPluginException {
     accessController.setCurrentRole(roleName);
   }
 
   @Override
-  public List<HiveRole> getCurrentRoles() throws HiveAuthorizationPluginException {
+  public List<HiveRole> getCurrentRoles() throws HiveAuthzPluginException {
     return accessController.getCurrentRoles();
   }
 

Added: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzPluginException.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzPluginException.java?rev=1566401&view=auto
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzPluginException.java (added)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthzPluginException.java Sun Feb  9 20:43:37 2014
@@ -0,0 +1,51 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin;
+
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
+
+/**
+ * Exception thrown by the Authorization plugin api (v2). Indicates
+ * an error while performing authorization, and not a authorization being
+ * denied.
+ */
+@LimitedPrivate(value = { "" })
+@Evolving
+public class HiveAuthzPluginException extends HiveException{
+
+  private static final long serialVersionUID = 1L;
+
+  public HiveAuthzPluginException(){
+  }
+
+  public HiveAuthzPluginException(String msg){
+    super(msg);
+  }
+
+  public HiveAuthzPluginException(String msg, Throwable cause){
+    super(msg, cause);
+  }
+
+  public HiveAuthzPluginException(Throwable cause){
+    super(cause);
+  }
+
+}

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactory.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactory.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactory.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactory.java Sun Feb  9 20:43:37 2014
@@ -17,14 +17,14 @@
  */
 package org.apache.hadoop.hive.ql.security.authorization.plugin;
 
-import java.io.IOException;
-
-import org.apache.hadoop.hive.common.classification.InterfaceAudience.Public;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
 import org.apache.hadoop.hive.metastore.IMetaStoreClient;
 /**
  * Factory for getting current valid instance of IMetaStoreClient
  */
-@Public
+@LimitedPrivate(value = { "" })
+@Evolving
 public interface HiveMetastoreClientFactory {
-  IMetaStoreClient getHiveMetastoreClient() throws IOException;
+  IMetaStoreClient getHiveMetastoreClient() throws HiveAuthzPluginException;
 }

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactoryImpl.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactoryImpl.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactoryImpl.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveMetastoreClientFactoryImpl.java Sun Feb  9 20:43:37 2014
@@ -18,8 +18,6 @@
 package org.apache.hadoop.hive.ql.security.authorization.plugin;
 
 
-import java.io.IOException;
-
 import org.apache.hadoop.hive.common.classification.InterfaceAudience.Private;
 import org.apache.hadoop.hive.metastore.IMetaStoreClient;
 import org.apache.hadoop.hive.metastore.api.MetaException;
@@ -32,13 +30,14 @@ import org.apache.hadoop.hive.ql.metadat
 public class HiveMetastoreClientFactoryImpl implements HiveMetastoreClientFactory{
 
   @Override
-  public IMetaStoreClient getHiveMetastoreClient() throws IOException {
+  public IMetaStoreClient getHiveMetastoreClient() throws HiveAuthzPluginException {
+    String errMsg = "Error getting metastore client";
     try {
       return Hive.get().getMSC();
     } catch (MetaException e) {
-      throw new IOException(e);
+      throw new HiveAuthzPluginException(errMsg, e);
     } catch (HiveException e) {
-      throw new IOException(e);
+      throw new HiveAuthzPluginException(errMsg, e);
     }
   }
 

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveOperationType.java Sun Feb  9 20:43:37 2014
@@ -17,12 +17,14 @@
  */
 package org.apache.hadoop.hive.ql.security.authorization.plugin;
 
-import org.apache.hadoop.hive.common.classification.InterfaceAudience.Public;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
 
 /**
  * List of hive operations types.
  */
-@Public
+@LimitedPrivate(value = { "" })
+@Evolving
 public enum HiveOperationType {
   EXPLAIN,
   LOAD,

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java Sun Feb  9 20:43:37 2014
@@ -17,15 +17,25 @@
  */
 package org.apache.hadoop.hive.ql.security.authorization.plugin;
 
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
+
 /**
  * Represents the user or role in grant/revoke statements
  */
+@LimitedPrivate(value = { "" })
+@Evolving
 public class HivePrincipal {
 
   public enum HivePrincipalType{
     USER, ROLE, UNKNOWN
   }
 
+  @Override
+  public String toString() {
+    return "Principal [name=" + name + ", type=" + type + "]";
+  }
+
   private final String name;
   private final HivePrincipalType type;
 
@@ -40,4 +50,32 @@ public class HivePrincipal {
     return type;
   }
 
+  @Override
+  public int hashCode() {
+    final int prime = 31;
+    int result = 1;
+    result = prime * result + ((name == null) ? 0 : name.hashCode());
+    result = prime * result + ((type == null) ? 0 : type.hashCode());
+    return result;
+  }
+
+  @Override
+  public boolean equals(Object obj) {
+    if (this == obj)
+      return true;
+    if (obj == null)
+      return false;
+    if (getClass() != obj.getClass())
+      return false;
+    HivePrincipal other = (HivePrincipal) obj;
+    if (name == null) {
+      if (other.name != null)
+        return false;
+    } else if (!name.equals(other.name))
+      return false;
+    if (type != other.type)
+      return false;
+    return true;
+  }
+
 }

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilege.java Sun Feb  9 20:43:37 2014
@@ -18,16 +18,27 @@
 package org.apache.hadoop.hive.ql.security.authorization.plugin;
 
 import java.util.List;
+import java.util.Locale;
+
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
 
 /**
  * Represents the hive privilege being granted/revoked
  */
+@LimitedPrivate(value = { "" })
+@Evolving
 public class HivePrivilege {
+  @Override
+  public String toString() {
+    return "Privilege [name=" + name + ", columns=" + columns + "]";
+  }
+
   private final String name;
   private final List<String> columns;
 
   public HivePrivilege(String name, List<String> columns){
-    this.name = name;
+    this.name = name.toUpperCase(Locale.US);
     this.columns = columns;
   }
 
@@ -39,4 +50,37 @@ public class HivePrivilege {
     return columns;
   }
 
+  @Override
+  public int hashCode() {
+    final int prime = 31;
+    int result = 1;
+    result = prime * result + ((columns == null) ? 0 : columns.hashCode());
+    result = prime * result + ((name == null) ? 0 : name.hashCode());
+    return result;
+  }
+
+  @Override
+  public boolean equals(Object obj) {
+    if (this == obj)
+      return true;
+    if (obj == null)
+      return false;
+    if (getClass() != obj.getClass())
+      return false;
+    HivePrivilege other = (HivePrivilege) obj;
+    if (columns == null) {
+      if (other.columns != null)
+        return false;
+    } else if (!columns.equals(other.columns))
+      return false;
+    if (name == null) {
+      if (other.name != null)
+        return false;
+    } else if (!name.equals(other.name))
+      return false;
+    return true;
+  }
+
+
+
 }

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeInfo.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeInfo.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeInfo.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeInfo.java Sun Feb  9 20:43:37 2014
@@ -17,15 +17,14 @@
  */
 package org.apache.hadoop.hive.ql.security.authorization.plugin;
 
-import org.apache.hadoop.hive.common.classification.InterfaceAudience.Public;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
 import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
 
 /**
  * Represents a privilege granted for an object to a principal
  */
-@Public
+@LimitedPrivate(value = { "" })
 @Evolving
-
 public class HivePrivilegeInfo{
   private final HivePrincipal principal;
   private final HivePrivilege privilege;

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrivilegeObject.java Sun Feb  9 20:43:37 2014
@@ -17,16 +17,22 @@
  */
 package org.apache.hadoop.hive.ql.security.authorization.plugin;
 
-import org.apache.hadoop.hive.common.classification.InterfaceAudience.Public;
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
 import org.apache.hadoop.hive.common.classification.InterfaceStability.Unstable;
 
 /**
  * Represents the object on which privilege is being granted/revoked
  */
-@Public
+@LimitedPrivate(value = { "" })
 @Unstable
 public class HivePrivilegeObject {
 
+  @Override
+  public String toString() {
+    return "Hive Object [type=" + type + ", dbname=" + dbname + ", table/viewname="
+        + tableviewname + "]";
+  }
+
   public enum HivePrivilegeObjectType { DATABASE, TABLE, VIEW, PARTITION, URI};
   private final HivePrivilegeObjectType type;
   private final String dbname;

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRole.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRole.java?rev=1566401&r1=1566400&r2=1566401&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRole.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveRole.java Sun Feb  9 20:43:37 2014
@@ -17,9 +17,13 @@
  */
 package org.apache.hadoop.hive.ql.security.authorization.plugin;
 
+import org.apache.hadoop.hive.common.classification.InterfaceAudience.LimitedPrivate;
+import org.apache.hadoop.hive.common.classification.InterfaceStability.Evolving;
 import org.apache.hadoop.hive.metastore.api.Role;
 
 // same with thrift.Role
+@LimitedPrivate(value = { "" })
+@Evolving
 public class HiveRole {
 
   private String roleName;

Added: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/package-info.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/package-info.java?rev=1566401&view=auto
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/package-info.java (added)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/package-info.java Sun Feb  9 20:43:37 2014
@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/*
+ * This package provides interfaces and classes that can be used to implement custom authorization for hive.
+ *
+ * How hive code uses this interface:
+ * The interface that hive code invokes is HiveAuthorizer class.
+ * The classes HivePrincipal, HivePrivilege, HivePrivilegeObject, HivePrivilegeInfo, HiveOperationType
+ * are arguments used in the authorization interface.
+ * The methods in the interface throws two types of exceptions - HiveAuthzPluginException (in
+ * case of internal errors), and HiveAuthzPluginDeniedException (when action is not permitted
+ * because authorization has failed).
+ *
+ * Hive uses the HiveAuthorizerFactory interface, whose implementing class is configurable through
+ * hive configuration, to instantiate an instance of this interface.
+ *
+ *
+ * Guide on implementing the interface:
+ * There are two categories of operations to be done by the authorization interface, one is the
+ * actions performed by the access control statements, which updates the privileges that have
+ * been granted (and stores in some where like metastore database), and also retrieves the current
+ * state of privileges. You may choose not to implement this part and juse a no-op implementation
+ * if you are going to manage the authorization externally (eg, if you base it on mapping to
+ *  file system permissions).
+ * The 2nd category of operation is authorizing the hive actions by checking against the privileges
+ * the user has on the objects.
+ * HiveAccessController has the interface for the first type of operations and
+ *  HiveAuthorizationValidator has interface for second type of operations.
+ *
+ * HiveAuthorizerImpl is a convenience class that you can use by just passing the implementations
+ * of these two interfaces (HiveAuthorizerImpl, HiveAuthorizationValidator) in the constructor.
+ *
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin;

Added: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java?rev=1566401&view=auto
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java (added)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/GrantPrivAuthUtils.java Sun Feb  9 20:43:37 2014
@@ -0,0 +1,88 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
+
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.hadoop.hive.metastore.IMetaStoreClient;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+
+/**
+ * Utility class to authorize grant/revoke privileges
+ */
+public class GrantPrivAuthUtils {
+
+  static void authorize(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
+      HivePrivilegeObject hivePrivObject, boolean grantOption, IMetaStoreClient metastoreClient,
+      String userName)
+          throws HiveAuthzPluginException, HiveAccessControlException {
+
+    // check if this user has grant privileges for this privileges on this
+    // object
+
+    // map priv being granted to required privileges
+    RequiredPrivileges reqPrivs = getGrantRequiredPrivileges(hivePrivileges);
+
+    // api for checking required privileges for a user
+    checkRequiredPrivileges(hivePrincipals, reqPrivs, hivePrivObject, metastoreClient, userName);
+  }
+
+  private static void checkRequiredPrivileges(List<HivePrincipal> hivePrincipals,
+      RequiredPrivileges reqPrivs, HivePrivilegeObject hivePrivObject,
+      IMetaStoreClient metastoreClient, String userName)
+          throws HiveAuthzPluginException, HiveAccessControlException {
+
+  for (HivePrincipal hivePrincipal : hivePrincipals) {
+      checkRequiredPrivileges(hivePrincipal, reqPrivs, hivePrivObject, metastoreClient, userName);
+    }
+  }
+
+  private static void checkRequiredPrivileges(HivePrincipal hivePrincipal,
+      RequiredPrivileges reqPrivileges, HivePrivilegeObject hivePrivObject,
+      IMetaStoreClient metastoreClient, String userName)
+          throws HiveAuthzPluginException, HiveAccessControlException {
+
+    // keep track of the principals on which privileges have been checked for
+    // this object
+
+    // get privileges for this user and its roles on this object
+    RequiredPrivileges availPrivs = SQLAuthorizationUtils.getPrivilegesFromMetaStore(
+        metastoreClient, userName, hivePrivObject);
+
+    // check if required privileges is subset of available privileges
+    Collection<SQLPrivTypeGrant> missingPrivs = reqPrivileges.findMissingPrivs(availPrivs);
+    SQLAuthorizationUtils.assertNoMissingPrivilege(missingPrivs, new HivePrincipal(userName,
+        HivePrincipalType.USER), hivePrivObject);
+  }
+
+  private static RequiredPrivileges getGrantRequiredPrivileges(List<HivePrivilege> hivePrivileges)
+      throws HiveAuthzPluginException {
+    RequiredPrivileges reqPrivs = new RequiredPrivileges();
+    for (HivePrivilege hivePriv : hivePrivileges) {
+      reqPrivs.addPrivilege(hivePriv.getName(), true /* grant priv required */);
+    }
+    return reqPrivs;
+  }
+
+}

Added: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java?rev=1566401&view=auto
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java (added)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/Operation2Privilege.java Sun Feb  9 20:43:37 2014
@@ -0,0 +1,204 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+
+/**
+ * Mapping of operation to its required input and output privileges
+ */
+public class Operation2Privilege {
+
+  private static class InOutPrivs {
+    private final SQLPrivTypeGrant[] inputPrivs;
+    private final SQLPrivTypeGrant[] outputPrivs;
+
+    InOutPrivs(SQLPrivTypeGrant[] inputPrivs, SQLPrivTypeGrant[] outputPrivs) {
+      this.inputPrivs = inputPrivs;
+      this.outputPrivs = outputPrivs;
+    }
+
+    private SQLPrivTypeGrant[] getInputPrivs() {
+      return inputPrivs;
+    }
+
+    private SQLPrivTypeGrant[] getOutputPrivs() {
+      return outputPrivs;
+    }
+  }
+
+  private static Map<HiveOperationType, InOutPrivs> op2Priv;
+
+  private static SQLPrivTypeGrant[] OWNER_PRIV_AR = arr(SQLPrivTypeGrant.OWNER_PRIV);
+  private static SQLPrivTypeGrant[] SEL_NOGRANT_AR = arr(SQLPrivTypeGrant.SELECT_NOGRANT);
+  private static SQLPrivTypeGrant[] SEL_GRANT_AR = arr(SQLPrivTypeGrant.SELECT_WGRANT);
+  private static SQLPrivTypeGrant[] ADMIN_PRIV_AR = arr(SQLPrivTypeGrant.ADMIN_PRIV);
+
+  static {
+    op2Priv = new HashMap<HiveOperationType, InOutPrivs>();
+
+    op2Priv.put(HiveOperationType.EXPLAIN, new InOutPrivs(SEL_NOGRANT_AR,
+        SEL_NOGRANT_AR)); //??
+    op2Priv.put(HiveOperationType.LOAD, new InOutPrivs(ADMIN_PRIV_AR, null));
+    // select with grant for exporting contents
+    op2Priv.put(HiveOperationType.EXPORT, new InOutPrivs(SEL_GRANT_AR, null));
+
+    op2Priv.put(HiveOperationType.IMPORT, new InOutPrivs(ADMIN_PRIV_AR, null));
+
+    op2Priv.put(HiveOperationType.CREATEDATABASE, new InOutPrivs(ADMIN_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.DROPDATABASE, new InOutPrivs(ADMIN_PRIV_AR, null));
+    //this should be database usage privilege once it is supported
+    op2Priv.put(HiveOperationType.SWITCHDATABASE, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.LOCKDB, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.UNLOCKDB, new InOutPrivs(null, null));
+
+    op2Priv.put(HiveOperationType.DROPTABLE, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.DESCTABLE, new InOutPrivs(SEL_NOGRANT_AR, null));
+    op2Priv.put(HiveOperationType.DESCFUNCTION, new InOutPrivs(null, null));
+
+    //meta store check command - require admin priv
+    op2Priv.put(HiveOperationType.MSCK, new InOutPrivs(ADMIN_PRIV_AR, null));
+
+    //alter table commands require table ownership
+    op2Priv.put(HiveOperationType.ALTERTABLE_ADDCOLS, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_REPLACECOLS, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_RENAMECOL, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_RENAMEPART, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_RENAME, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_DROPPARTS, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_ADDPARTS, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_TOUCH, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_ARCHIVE, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_UNARCHIVE, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_PROPERTIES, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_SERIALIZER, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_PARTCOLTYPE, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERPARTITION_SERIALIZER, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_SERDEPROPERTIES, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERPARTITION_SERDEPROPERTIES, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_CLUSTER_SORT, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_BUCKETNUM, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERPARTITION_BUCKETNUM, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_PROTECTMODE, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERPARTITION_PROTECTMODE, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_FILEFORMAT, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERPARTITION_FILEFORMAT, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_LOCATION, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERPARTITION_LOCATION, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_MERGEFILES, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.ALTERPARTITION_MERGEFILES, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.ALTERTABLE_SKEWED, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.ALTERTBLPART_SKEWED_LOCATION, new InOutPrivs(null, null));
+
+    op2Priv.put(HiveOperationType.ANALYZE_TABLE, new InOutPrivs(arr(SQLPrivTypeGrant.SELECT_NOGRANT, SQLPrivTypeGrant.INSERT_NOGRANT), null));
+    op2Priv.put(HiveOperationType.SHOWDATABASES, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.SHOWTABLES, new InOutPrivs(null, null));
+
+    op2Priv.put(HiveOperationType.SHOWCOLUMNS, new InOutPrivs(SEL_NOGRANT_AR, null));
+    op2Priv.put(HiveOperationType.SHOW_TABLESTATUS, new InOutPrivs(SEL_NOGRANT_AR, null));
+    op2Priv.put(HiveOperationType.SHOW_TBLPROPERTIES, new InOutPrivs(SEL_NOGRANT_AR, null));
+
+    //show create table is more sensitive information, includes table properties etc
+    // for now require select WITH GRANT
+    op2Priv.put(HiveOperationType.SHOW_CREATETABLE, new InOutPrivs(SEL_GRANT_AR, null));
+
+    op2Priv.put(HiveOperationType.SHOWFUNCTIONS, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.SHOWINDEXES, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.SHOWPARTITIONS, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.SHOWLOCKS, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.CREATEFUNCTION, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.DROPFUNCTION, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.CREATEMACRO, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.DROPMACRO, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.CREATEVIEW, new InOutPrivs(SEL_GRANT_AR, null));
+
+    // require view ownership
+    op2Priv.put(HiveOperationType.DROPVIEW, new InOutPrivs(OWNER_PRIV_AR, null));
+
+    //table ownership for create/drop/alter index
+    op2Priv.put(HiveOperationType.CREATEINDEX, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.DROPINDEX, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERINDEX_REBUILD, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERINDEX_PROPS, new InOutPrivs(OWNER_PRIV_AR, null));
+
+    // require view ownership for alter/drop view
+    op2Priv.put(HiveOperationType.ALTERVIEW_PROPERTIES, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.DROPVIEW_PROPERTIES, new InOutPrivs(OWNER_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.ALTERVIEW_RENAME, new InOutPrivs(OWNER_PRIV_AR, null));
+
+    op2Priv.put(HiveOperationType.LOCKTABLE, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.UNLOCKTABLE, new InOutPrivs(null, null));
+
+    // require db ownership
+    op2Priv.put(HiveOperationType.CREATETABLE, new InOutPrivs(OWNER_PRIV_AR, null));
+
+    // require table ownership
+    op2Priv.put(HiveOperationType.TRUNCATETABLE, new InOutPrivs(OWNER_PRIV_AR, null));
+
+    op2Priv.put(HiveOperationType.CREATETABLE_AS_SELECT, new InOutPrivs(OWNER_PRIV_AR, SEL_NOGRANT_AR));
+    op2Priv.put(HiveOperationType.QUERY, new InOutPrivs(SEL_NOGRANT_AR, null));
+
+    op2Priv.put(HiveOperationType.ALTERDATABASE, new InOutPrivs(ADMIN_PRIV_AR, null));
+    op2Priv.put(HiveOperationType.DESCDATABASE, new InOutPrivs(null, null));
+
+    // The following actions are authorized through SQLStdHiveAccessController,
+    // and it is not using this privilege mapping, but it might make sense to move it here
+    op2Priv.put(HiveOperationType.CREATEROLE, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.DROPROLE, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.GRANT_PRIVILEGE, new InOutPrivs(null,
+        null));
+    op2Priv.put(HiveOperationType.REVOKE_PRIVILEGE, new InOutPrivs(null,
+        null));
+    op2Priv.put(HiveOperationType.SHOW_GRANT, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.GRANT_ROLE, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.REVOKE_ROLE, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.SHOW_ROLES, new InOutPrivs(null, null));
+    op2Priv.put(HiveOperationType.SHOW_ROLE_GRANT, new InOutPrivs(null,
+        null));
+
+  }
+
+  /**
+   * Convenience method so that creation of this array in InOutPrivs constructor
+   * is not too verbose
+   *
+   * @param grantList
+   * @return grantList
+   */
+  private static SQLPrivTypeGrant[] arr(SQLPrivTypeGrant... grantList) {
+    return grantList;
+  }
+
+  public static SQLPrivTypeGrant[] getInputPrivs(HiveOperationType opType) {
+    return op2Priv.get(opType).getInputPrivs();
+  }
+
+  public static SQLPrivTypeGrant[] getOutputPrivs(HiveOperationType opType) {
+    return op2Priv.get(opType).getOutputPrivs();
+  }
+
+  // for unit tests
+  public static Set<HiveOperationType> getOperationTypes() {
+    return op2Priv.keySet();
+  }
+
+}



Mime
View raw message