hive-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From hashut...@apache.org
Subject svn commit: r1567695 - in /hive/trunk: common/src/java/org/apache/hadoop/hive/conf/ itests/util/src/main/java/org/apache/hadoop/hive/ql/ ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/ ql/src/java/org/apache/hadoop/hive/ql/security...
Date Wed, 12 Feb 2014 17:34:07 GMT
Author: hashutosh
Date: Wed Feb 12 17:34:06 2014
New Revision: 1567695

URL: http://svn.apache.org/r1567695
Log:
HIVE-5944 : SQL std auth - authorize show all roles, create role, drop role (Ashutosh Chauhan
via Thejas Nair)

Added:
    hive/trunk/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q
    hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q
    hive/trunk/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q
    hive/trunk/ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out
    hive/trunk/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out
    hive/trunk/ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out
Modified:
    hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
    hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
    hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles1.q
    hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles2.q
    hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q
    hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q
    hive/trunk/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q
    hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
    hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
    hive/trunk/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out
    hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out
    hive/trunk/ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out

Modified: hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
URL: http://svn.apache.org/viewvc/hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java (original)
+++ hive/trunk/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java Wed Feb 12 17:34:06
2014
@@ -135,7 +135,8 @@ public class HiveConf extends Configurat
       HiveConf.ConfVars.HMSHANDLERFORCERELOADCONF,
       HiveConf.ConfVars.METASTORE_PARTITION_NAME_WHITELIST_PATTERN,
       HiveConf.ConfVars.METASTORE_DISALLOW_INCOMPATIBLE_COL_TYPE_CHANGES,
-      HiveConf.ConfVars.USERS_IN_ADMIN_ROLE
+      HiveConf.ConfVars.USERS_IN_ADMIN_ROLE,
+      HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER
       };
 
   /**

Modified: hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java
URL: http://svn.apache.org/viewvc/hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java (original)
+++ hive/trunk/itests/util/src/main/java/org/apache/hadoop/hive/ql/QTestUtil.java Wed Feb
12 17:34:06 2014
@@ -267,7 +267,7 @@ public class QTestUtil {
                   (new Path(dfsUriString,
                             "/build/ql/test/data/warehouse/")).toString());
     }
-    
+
     // Windows paths should be converted after MiniMrShim.setupConfiguration()
     // since setupConfiguration may overwrite configuration values.
     if (Shell.WINDOWS) {
@@ -330,12 +330,12 @@ public class QTestUtil {
     }
   }
 
-  public QTestUtil(String outDir, String logDir, MiniClusterType clusterType, String hadoopVer)

+  public QTestUtil(String outDir, String logDir, MiniClusterType clusterType, String hadoopVer)
     throws Exception {
     this(outDir, logDir, clusterType, null, hadoopVer);
   }
 
-  public QTestUtil(String outDir, String logDir, MiniClusterType clusterType, 
+  public QTestUtil(String outDir, String logDir, MiniClusterType clusterType,
       String confDir, String hadoopVer)
     throws Exception {
     this.outDir = outDir;
@@ -589,7 +589,7 @@ public class QTestUtil {
 
     List<String> roleNames = db.getAllRoleNames();
       for (String roleName : roleNames) {
-        if (!"PUBLIC".equals(roleName)) {
+        if (!"PUBLIC".equalsIgnoreCase(roleName) && !"ADMIN".equalsIgnoreCase(roleName))
{
           db.dropRole(roleName);
         }
     }
@@ -1376,7 +1376,7 @@ public class QTestUtil {
   }
 
   private static int executeCmd(Collection<String> args, String outFile, String errFile)
throws Exception {
-    String[] cmdArray = (String[]) args.toArray(new String[args.size()]);
+    String[] cmdArray = args.toArray(new String[args.size()]);
     return executeCmd(cmdArray, outFile, errFile);
   }
 
@@ -1520,6 +1520,7 @@ public class QTestUtil {
       this.fname = fname;
     }
 
+    @Override
     public void run() {
       try {
         // assumption is that environment has already been cleaned once globally

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java
(original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessControlException.java
Wed Feb 12 17:34:06 2014
@@ -47,5 +47,4 @@ public class HiveAccessControlException 
   public HiveAccessControlException(Throwable cause){
     super(cause);
   }
-
 }

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java
(original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAccessController.java
Wed Feb 12 17:34:06 2014
@@ -62,7 +62,7 @@ public interface HiveAccessController {
   List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject
privObj)
       throws HiveAuthzPluginException, HiveAccessControlException;
 
-  void setCurrentRole(String roleName) throws HiveAuthzPluginException;
+  void setCurrentRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException;
 
   List<HiveRole> getCurrentRoles() throws HiveAuthzPluginException;
 }

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
(original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizer.java
Wed Feb 12 17:34:06 2014
@@ -160,13 +160,11 @@ public interface HiveAuthorizer {
   List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject
privObj)
       throws HiveAuthzPluginException, HiveAccessControlException;
 
-  void setCurrentRole(String roleName) throws HiveAuthzPluginException;
+  void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException;
 
   List<HiveRole> getCurrentRoles() throws HiveAuthzPluginException;
+
   //other functions to be added -
   //showUsersInRole(rolename)
-  //isSuperuser(username)
-
-
 }
 

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
(original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HiveAuthorizerImpl.java
Wed Feb 12 17:34:06 2014
@@ -105,7 +105,7 @@ public class HiveAuthorizerImpl implemen
   }
 
   @Override
-  public void setCurrentRole(String roleName) throws HiveAuthzPluginException {
+  public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException
{
     accessController.setCurrentRole(roleName);
   }
 
@@ -113,10 +113,7 @@ public class HiveAuthorizerImpl implemen
   public List<HiveRole> getCurrentRoles() throws HiveAuthzPluginException {
     return accessController.getCurrentRoles();
   }
-
-
  // other access control functions
-
 //   void validateAuthority(HiveAction, inputs, outputs){
 //     authValidator.validateAuthority(HiveAction, inputs, outputs);
 //   }

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
(original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
Wed Feb 12 17:34:06 2014
@@ -42,6 +42,7 @@ import org.apache.hadoop.hive.ql.securit
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
@@ -220,7 +221,12 @@ public class SQLStdHiveAccessController 
 
   @Override
   public void createRole(String roleName, HivePrincipal adminGrantor)
-      throws HiveAuthzPluginException {
+      throws HiveAuthzPluginException, HiveAccessControlException {
+    // only user belonging to admin role can create new roles.
+    if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) {
+      throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
+      + " allowed to add roles. Only users belonging to admin role can add new roles.");
+    }
     try {
       String grantorName = adminGrantor == null ? null : adminGrantor.getName();
       metastoreClientFactory.getHiveMetastoreClient().create_role(
@@ -231,7 +237,12 @@ public class SQLStdHiveAccessController 
   }
 
   @Override
-  public void dropRole(String roleName) throws HiveAuthzPluginException {
+  public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException
{
+    // only user belonging to admin role can drop existing role
+    if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) {
+      throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
+      + " allowed to drop role. Only users belonging to admin role can drop roles.");
+    }
     try {
       metastoreClientFactory.getHiveMetastoreClient().drop_role(roleName);
     } catch (Exception e) {
@@ -257,7 +268,12 @@ public class SQLStdHiveAccessController 
 
   @Override
   public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roleNames,
-      boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException {
+    boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
+    HiveAccessControlException {
+    if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) {
+      throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
+        + " allowed to grant role. Currently only users belonging to admin role can grant
roles.");
+    }
     for (HivePrincipal hivePrincipal : hivePrincipals) {
       for (String roleName : roleNames) {
         try {
@@ -279,11 +295,16 @@ public class SQLStdHiveAccessController 
 
   @Override
   public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roleNames,
-      boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException {
+    boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
+    HiveAccessControlException {
     if (grantOption) {
       // removing grant privileges only is not supported in metastore api
       throw new HiveAuthzPluginException("Revoking only the admin privileges on "
-          + "role is not currently supported");
+        + "role is not currently supported");
+    }
+    if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) {
+      throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
+          + " allowed to revoke role. Currently only users belonging to admin role can revoke
roles.");
     }
     for (HivePrincipal hivePrincipal : hivePrincipals) {
       for (String roleName : roleNames) {
@@ -301,7 +322,12 @@ public class SQLStdHiveAccessController 
   }
 
   @Override
-  public List<String> getAllRoles() throws HiveAuthzPluginException {
+  public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException
{
+    // only user belonging to admin role can list role
+    if (!this.isUserAdmin(new HivePrincipal(currentUserName,HivePrincipalType.USER))) {
+      throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
+        + " allowed to list roles. Only users belonging to admin role can list roles.");
+    }
     try {
       return metastoreClientFactory.getHiveMetastoreClient().listRoleNames();
     } catch (Exception e) {
@@ -370,7 +396,8 @@ public class SQLStdHiveAccessController 
   }
 
   @Override
-  public void setCurrentRole(String roleName) throws HiveAuthzPluginException {
+  public void setCurrentRole(String roleName) throws HiveAccessControlException,
+    HiveAuthzPluginException {
 
     if ("NONE".equalsIgnoreCase(roleName)) {
       // for set role NONE, reset roles to default roles.
@@ -393,7 +420,7 @@ public class SQLStdHiveAccessController 
       return;
     }
     // If we are here it means, user is requesting a role he doesn't belong to.
-    throw new HiveAuthzPluginException(currentUserName +" doesn't belong to role "
+    throw new HiveAccessControlException(currentUserName +" doesn't belong to role "
       +roleName);
   }
 
@@ -402,4 +429,24 @@ public class SQLStdHiveAccessController 
     initUserRoles();
     return currentRoles;
   }
+
+  /**
+   * @param principal
+   * @return true only if current role of user is Admin
+   * @throws HiveAuthzPluginException
+   */
+  private boolean isUserAdmin(HivePrincipal principal) throws HiveAuthzPluginException {
+    List<HiveRole> roles;
+    try {
+      roles = getCurrentRoles();
+    } catch (Exception e) {
+        throw new HiveAuthzPluginException(e);
+    }
+    for (HiveRole role : roles){
+    if (role.getRoleName().equalsIgnoreCase(HiveMetaStore.ADMIN)) {
+        return true;
+      }
+    }
+    return false;
+  }
 }

Added: hive/trunk/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q?rev=1567695&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q (added)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_create_role_no_admin.q Wed
Feb 12 17:34:06 2014
@@ -0,0 +1,3 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+-- this test will fail because hive_test_user is not in admin role.
+create role r1;

Added: hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q?rev=1567695&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q (added)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_drop_role_no_admin.q Wed Feb
12 17:34:06 2014
@@ -0,0 +1,10 @@
+set hive.users.in.admin.role=hive_admin_user;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+set role ADMIN;
+show current roles;
+create role r1;
+set role NONE;
+show current roles;
+drop role r1;

Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles1.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles1.q?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles1.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles1.q Wed Feb 12
17:34:06 2014
@@ -1,8 +1,12 @@
+set hive.users.in.admin.role=hive_admin_user;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+set role ADMIN;
 -- this is applicable to any security mode as check is in metastore
 create role role1;
 create role role2;
 grant role role1 to role role2;
 
 -- this will create a cycle
-grant role role2 to role role1;
\ No newline at end of file
+grant role role2 to role role1;

Modified: hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles2.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles2.q?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles2.q (original)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_role_cycles2.q Wed Feb 12
17:34:06 2014
@@ -1,4 +1,9 @@
+set hive.users.in.admin.role=hive_admin_user;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+
+set user.name=hive_admin_user;
+set role ADMIN;
 -- this is applicable to any security mode as check is in metastore
 
 create role role1;

Added: hive/trunk/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q?rev=1567695&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q (added)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_show_roles_no_admin.q Wed
Feb 12 17:34:06 2014
@@ -0,0 +1,3 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+-- This test will fail because hive_test_user is not in admin role
+show roles; 

Modified: hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q (original)
+++ hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q Wed Feb 12 17:34:06
2014
@@ -1,9 +1,12 @@
+set hive.users.in.admin.role=hive_admin_user;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
 
 create table src_autho_test (key STRING, value STRING) ;
 
 set hive.security.authorization.enabled=true;
-
+set  role ADMIN; 
 --table grant to user
 
 grant select on table src_autho_test to user user_sauth;
@@ -30,4 +33,4 @@ revoke select on table src_autho_test fr
 drop role src_role;
 
 set hive.security.authorization.enabled=false;
-drop table src_autho_test;
\ No newline at end of file
+drop table src_autho_test;

Modified: hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q (original)
+++ hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q Wed Feb 12 17:34:06
2014
@@ -1,7 +1,11 @@
+set hive.users.in.admin.role=hive_admin_user;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
--- enable sql standard authorization
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
 
+-- enable sql standard authorization
 -- role granting without role keyword
+set role ADMIN;
 create role src_role2;
 grant  src_role2 to user user2 ;
 show role grant user user2;

Modified: hive/trunk/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q (original)
+++ hive/trunk/ql/src/test/queries/clientpositive/authorization_set_show_current_role.q Wed
Feb 12 17:34:06 2014
@@ -1,9 +1,12 @@
+set hive.users.in.admin.role=hive_admin_user;
 set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
-
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+set role ADMIN;
 show current roles;
 
 create role r1;
-grant role r1 to user hive_test_user;
+grant role r1 to user hive_admin_user;
 set role r1;
 show current roles;
 
@@ -13,5 +16,6 @@ show current roles;
 set role NONE;
 show current roles;
 
+set role ADMIN;
 drop role r1;
 

Added: hive/trunk/ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out?rev=1567695&view=auto
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out
(added)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_create_role_no_admin.q.out
Wed Feb 12 17:34:06 2014
@@ -0,0 +1,4 @@
+PREHOOK: query: -- this test will fail because hive_test_user is not in admin role.
+create role r1
+PREHOOK: type: CREATEROLE
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current
user : hive_test_user is not allowed to add roles. Only users belonging to admin role can
add new roles.

Added: hive/trunk/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out?rev=1567695&view=auto
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out (added)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_drop_role_no_admin.q.out Wed
Feb 12 17:34:06 2014
@@ -0,0 +1,27 @@
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: show current roles
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: show current roles
+POSTHOOK: type: SHOW_ROLES
+ADMIN
+
+PREHOOK: query: create role r1
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: create role r1
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: set role NONE
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role NONE
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: show current roles
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: show current roles
+POSTHOOK: type: SHOW_ROLES
+PUBLIC
+
+PREHOOK: query: drop role r1
+PREHOOK: type: DROPROLE
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current
user : hive_admin_user is not allowed to drop role. Only users belonging to admin role can
drop roles.

Modified: hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out (original)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles1.q.out Wed Feb
12 17:34:06 2014
@@ -1,3 +1,7 @@
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
 PREHOOK: query: -- this is applicable to any security mode as check is in metastore
 create role role1
 PREHOOK: type: CREATEROLE

Modified: hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out (original)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_role_cycles2.q.out Wed Feb
12 17:34:06 2014
@@ -1,3 +1,7 @@
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
 PREHOOK: query: -- this is applicable to any security mode as check is in metastore
 
 create role role1

Added: hive/trunk/ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out?rev=1567695&view=auto
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out
(added)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_show_roles_no_admin.q.out
Wed Feb 12 17:34:06 2014
@@ -0,0 +1,4 @@
+PREHOOK: query: -- This test will fail because hive_test_user is not in admin role
+show roles
+PREHOOK: type: SHOW_ROLES
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current
user : hive_test_user is not allowed to list roles. Only users belonging to admin role can
list roles.

Modified: hive/trunk/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out (original)
+++ hive/trunk/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out Wed Feb 12
17:34:06 2014
@@ -3,6 +3,10 @@ PREHOOK: type: CREATETABLE
 POSTHOOK: query: create table src_autho_test (key STRING, value STRING)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: set  role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set  role ADMIN
+POSTHOOK: type: SHOW_ROLES
 PREHOOK: query: --table grant to user
 
 grant select on table src_autho_test to user user_sauth
@@ -17,7 +21,7 @@ PREHOOK: query: show grant user user_sau
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant user user_sauth on table src_autho_test
 POSTHOOK: type: SHOW_GRANT
-default	src_autho_test			user_sauth	USER	SELECT	false	-1	hive_test_user
+default	src_autho_test			user_sauth	USER	SELECT	false	-1	hive_admin_user
 PREHOOK: query: revoke select on table src_autho_test from user user_sauth
 PREHOOK: type: REVOKE_PRIVILEGE
 PREHOOK: Output: default@src_autho_test
@@ -42,7 +46,7 @@ PREHOOK: query: show role grant user use
 PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: show role grant user user_sauth
 POSTHOOK: type: SHOW_ROLE_GRANT
-src_role	-1	user_sauth	USER	false	-1	hive_test_user
+src_role	-1	user_sauth	USER	false	-1	hive_admin_user
 PUBLIC	-1			false	-1	
 PREHOOK: query: --table grant to role
 
@@ -58,7 +62,7 @@ PREHOOK: query: show grant role src_role
 PREHOOK: type: SHOW_GRANT
 POSTHOOK: query: show grant role src_role on table src_autho_test
 POSTHOOK: type: SHOW_GRANT
-default	src_autho_test			src_role	ROLE	SELECT	false	-1	hive_test_user
+default	src_autho_test			src_role	ROLE	SELECT	false	-1	hive_admin_user
 PREHOOK: query: revoke select on table src_autho_test from role src_role
 PREHOOK: type: REVOKE_PRIVILEGE
 PREHOOK: Output: default@src_autho_test

Modified: hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out (original)
+++ hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out Wed Feb
12 17:34:06 2014
@@ -1,12 +1,14 @@
 PREHOOK: query: -- enable sql standard authorization
-
 -- role granting without role keyword
-create role src_role2
-PREHOOK: type: CREATEROLE
+set role ADMIN
+PREHOOK: type: SHOW_ROLES
 POSTHOOK: query: -- enable sql standard authorization
-
 -- role granting without role keyword
-create role src_role2
+set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: create role src_role2
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: create role src_role2
 POSTHOOK: type: CREATEROLE
 PREHOOK: query: grant  src_role2 to user user2
 PREHOOK: type: GRANT_ROLE
@@ -16,12 +18,14 @@ PREHOOK: query: show role grant user use
 PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: show role grant user user2
 POSTHOOK: type: SHOW_ROLE_GRANT
-src_role2	-1	user2	USER	false	-1	hive_test_user
+src_role2	-1	user2	USER	false	-1	hive_admin_user
 PUBLIC	-1			false	-1	
 PREHOOK: query: show roles
 PREHOOK: type: SHOW_ROLES
 POSTHOOK: query: show roles
 POSTHOOK: type: SHOW_ROLES
+ADMIN
+PUBLIC
 src_role2
 
 PREHOOK: query: -- revoke role without role keyword
@@ -39,6 +43,8 @@ PREHOOK: query: show roles
 PREHOOK: type: SHOW_ROLES
 POSTHOOK: query: show roles
 POSTHOOK: type: SHOW_ROLES
+ADMIN
+PUBLIC
 src_role2
 
 PREHOOK: query: ----------------------------------------
@@ -61,7 +67,7 @@ PREHOOK: query: show role grant user use
 PREHOOK: type: SHOW_ROLE_GRANT
 POSTHOOK: query: show role grant user user2
 POSTHOOK: type: SHOW_ROLE_GRANT
-src_role_wadmin	-1	user2	USER	false	-1	hive_test_user
+src_role_wadmin	-1	user2	USER	false	-1	hive_admin_user
 PUBLIC	-1			false	-1	
 PREHOOK: query: -- revoke role without role keyword
 revoke src_role_wadmin from user user2 with admin option
@@ -80,6 +86,8 @@ PREHOOK: type: SHOW_ROLES
 POSTHOOK: query: -- drop roles
 show roles
 POSTHOOK: type: SHOW_ROLES
+ADMIN
+PUBLIC
 src_role2
 src_role_wadmin
 
@@ -91,6 +99,8 @@ PREHOOK: query: show roles
 PREHOOK: type: SHOW_ROLES
 POSTHOOK: query: show roles
 POSTHOOK: type: SHOW_ROLES
+ADMIN
+PUBLIC
 src_role_wadmin
 
 PREHOOK: query: drop role src_role_wadmin
@@ -101,3 +111,6 @@ PREHOOK: query: show roles
 PREHOOK: type: SHOW_ROLES
 POSTHOOK: query: show roles
 POSTHOOK: type: SHOW_ROLES
+ADMIN
+PUBLIC
+

Modified: hive/trunk/ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out?rev=1567695&r1=1567694&r2=1567695&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out
(original)
+++ hive/trunk/ql/src/test/results/clientpositive/authorization_set_show_current_role.q.out
Wed Feb 12 17:34:06 2014
@@ -1,16 +1,20 @@
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
 PREHOOK: query: show current roles
 PREHOOK: type: SHOW_ROLES
 POSTHOOK: query: show current roles
 POSTHOOK: type: SHOW_ROLES
-PUBLIC
+ADMIN
 
 PREHOOK: query: create role r1
 PREHOOK: type: CREATEROLE
 POSTHOOK: query: create role r1
 POSTHOOK: type: CREATEROLE
-PREHOOK: query: grant role r1 to user hive_test_user
+PREHOOK: query: grant role r1 to user hive_admin_user
 PREHOOK: type: GRANT_ROLE
-POSTHOOK: query: grant role r1 to user hive_test_user
+POSTHOOK: query: grant role r1 to user hive_admin_user
 POSTHOOK: type: GRANT_ROLE
 PREHOOK: query: set role r1
 PREHOOK: type: SHOW_ROLES
@@ -43,6 +47,10 @@ POSTHOOK: type: SHOW_ROLES
 r1
 PUBLIC
 
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
 PREHOOK: query: drop role r1
 PREHOOK: type: DROPROLE
 POSTHOOK: query: drop role r1



Mime
View raw message