From hashut...@apache.org
Subject svn commit: r1570405 - in /hive/trunk/ql/src: java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/ test/queries/clientnegative/ test/queries/clientpositive/ test/results/clientnegative/ test/results/clientpositive/
Date Fri, 21 Feb 2014 00:46:54 GMT
Author: hashutosh
Date: Fri Feb 21 00:46:53 2014
New Revision: 1570405

URL: http://svn.apache.org/r1570405
Log:
HIVE-6433 : SQL std auth - allow grant/revoke roles if user has ADMIN OPTION (Ashutosh Chauhan
via Thejas Nair)

Added:
    hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant.q
    hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q
    hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant.q.out
    hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out
Modified:
    hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
    hive/trunk/ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java?rev=1570405&r1=1570404&r2=1570405&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
(original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
Fri Feb 21 00:46:53 2014
@@ -62,6 +62,8 @@ public class SQLStdHiveAccessController 
   private HiveRole adminRole;
   private final String ADMIN_ONLY_MSG = "User has to belong to ADMIN role and "
       + "have it as current role, for this action.";
+  private final String HAS_ADMIN_PRIV_MSG = "grantor need to have ADMIN privileges on role
being"
+      + " granted and have it as a current role for this action.";
 
   SQLStdHiveAccessController(HiveMetastoreClientFactory metastoreClientFactory, HiveConf
conf,
       HiveAuthenticationProvider authenticator) throws HiveAuthzPluginException {
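Review bot: The new user-facing string on the added `HAS_ADMIN_PRIV_MSG` line is ungrammatical ("grantor need to have ... on role being granted"), and it is surfaced verbatim in the authorization error (see the expected output in authorization_role_grant.q.out). Suggest `"the grantor needs to have ADMIN privileges on the role being granted and have it as a current role for this action."`, and regenerate the golden file accordingly. It also follows the existing `private final` (non-static) pattern of `ADMIN_ONLY_MSG`; both are per-instance copies of a constant and could be `private static final`, but that is a pre-existing style choice in this class.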
@@ -275,9 +277,9 @@ public class SQLStdHiveAccessController 
   public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roleNames,
     boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
     HiveAccessControlException {
-    if (!isUserAdmin()) {
+    if (!(isUserAdmin() || doesUserHasAdminOption(roleNames))) {
       throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
-        + " allowed to grant role. Currently " + ADMIN_ONLY_MSG);
+        + " allowed to grant role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG);
     }
     for (HivePrincipal hivePrincipal : hivePrincipals) {
       for (String roleName : roleNames) {
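Review bot: The relaxed guard on the `if (!(isUserAdmin() || doesUserHasAdminOption(roleNames)))` line is evaluated against the session's current roles, but the grant that follows is recorded under `grantorPrinc`, a caller-supplied parameter; nothing in this hunk ties `grantorPrinc` to `currentUserName`, and the positive test only shows the two agreeing (grantor `user2`). If that binding is not enforced by the caller, a non-admin holder of ADMIN OPTION could attribute the grant to another principal in SHOW ROLE GRANT, so it is worth a comment stating where the binding is guaranteed, e.g. `// grantorPrinc is expected to be the authenticated user; the admin-option check above is made against currentUserName's current roles`. The grant loop body continues outside the hunk.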
@@ -307,9 +309,9 @@ public class SQLStdHiveAccessController 
       throw new HiveAuthzPluginException("Revoking only the admin privileges on "
         + "role is not currently supported");
     }
-    if (!isUserAdmin()) {
+    if (!(isUserAdmin() || doesUserHasAdminOption(roleNames))) {
       throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
-          + " allowed to revoke role. " + ADMIN_ONLY_MSG);
+          + " allowed to revoke role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG);
     }
     for (HivePrincipal hivePrincipal : hivePrincipals) {
       for (String roleName : roleNames) {
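Review bot: The revoke path now shares the relaxed `isUserAdmin() || doesUserHasAdminOption(roleNames)` guard, but the commit adds negative coverage only for grant (authorization_role_grant.q ends with a failing `grant src_role_wadmin to user user3`); there is no clientnegative case where a user without ADMIN OPTION on the role attempts `revoke`. Since revoke by a non-admin is the more destructive direction (it can strip another principal's membership), a second negative test such as `set user.name=user2; set role role_noadmin; revoke src_role_wadmin from user user3;` would pin that the guard actually fires here too. The revoke loop body continues outside the hunk.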
@@ -404,6 +406,7 @@ public class SQLStdHiveAccessController 
   public void setCurrentRole(String roleName) throws HiveAccessControlException,
     HiveAuthzPluginException {
 
+    initUserRoles();
     if ("NONE".equalsIgnoreCase(roleName)) {
       // for set role NONE, reset roles to default roles.
       currentRoles.clear();
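Review bot: The added `initUserRoles();` call has no explanation, and the only evidence for why it is needed is the changed golden file authorization_set_role_neg2.q.out, where `set role rset_role_neg` previously failed with "doesn't belong to role" immediately after the role was granted. That reads like a stale per-session role cache being refreshed on every SET ROLE, but `initUserRoles()` itself is outside the hunk, so this is inferred; a why-comment would save the next reader the archaeology, e.g. `// refresh role membership from the metastore so roles granted after session start can be selected (see authorization_set_role_neg2.q)`. If the refresh is expensive it may also be worth noting that it now runs on every SET ROLE.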
@@ -453,4 +456,30 @@ public class SQLStdHiveAccessController 
     }
     return false;
   }
+
+  private boolean doesUserHasAdminOption(List<String> roleNames) throws HiveAuthzPluginException
{
+    List<HiveRole> currentRoles;
+    try {
+      currentRoles = getCurrentRoles();
+    } catch (Exception e) {
+        throw new HiveAuthzPluginException(e);
+    }
+    for (String roleName : roleNames) {
+      boolean roleFound = false;
+      for (HiveRole currentRole : currentRoles) {
+        if (roleName.equalsIgnoreCase(currentRole.getRoleName())) {
+          roleFound = true;
+          if (!currentRole.isGrantOption()) {
+            return false;
+          } else {
+              break;
+          }
+        }
+      }
+      if (!roleFound) {
+        return false;
+      }
+    }
+    return true;
+  }
 }
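Review bot: `doesUserHasAdminOption` returns `true` for an empty (or, via the loop, effectively empty) `roleNames` list, so the guard in grantRole/revokeRole passes vacuously for a non-admin; that is harmless today only because the subsequent loops then grant or revoke nothing, and an explicit `if (roleNames == null || roleNames.isEmpty()) { return false; }` at the top would make the authorization intent fail-closed rather than depend on the callers' loops. Separately, the match on the `roleName.equalsIgnoreCase(currentRole.getRoleName())` line is case-insensitive while the roles later handed to the metastore in the callers' loops are the caller's original strings; whether the metastore normalizes role-name case is not visible here, and if it does not, the privilege check and the operation could refer to different roles, so the comparison should use the same normalization the grant path applies. A short Javadoc stating the contract would also help: the user must hold every role in `roleNames` as a current role (not merely a granted one) with the admin option, which is why the positive test does `set role src_role_wadmin` before granting.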

Added: hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant.q?rev=1570405&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant.q (added)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant.q Fri Feb 21 00:46:53
2014
@@ -0,0 +1,22 @@
+set hive.users.in.admin.role=hive_admin_user;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+
+set role ADMIN;
+
+----------------------------------------
+-- role granting with admin option
+-- since user2 doesn't have admin option for role_noadmin, last grant should fail
+----------------------------------------
+
+create role role_noadmin;
+create role src_role_wadmin;
+grant  src_role_wadmin to user user2 with admin option;
+grant  role_noadmin to user user2;
+show role grant user user2;
+
+
+set user.name=user2;
+set role role_noadmin;
+grant  src_role_wadmin to user user3;

Added: hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q?rev=1570405&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q (added)
+++ hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q Fri Feb 21 00:46:53
2014
@@ -0,0 +1,21 @@
+set hive.users.in.admin.role=hive_admin_user;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+
+set role ADMIN;
+
+----------------------------------------
+-- role granting with admin option
+----------------------------------------
+
+create role src_role_wadmin;
+grant  src_role_wadmin to user user2 with admin option;
+show role grant user user2;
+
+set user.name=user2;
+set role src_role_wadmin;
+grant  src_role_wadmin to user user3;
+show role grant user user3;
+revoke src_role_wadmin from user user3;
+show role grant user user3;

Added: hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant.q.out?rev=1570405&view=auto
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant.q.out (added)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant.q.out Fri Feb 21
00:46:53 2014
@@ -0,0 +1,44 @@
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: ----------------------------------------
+-- role granting with admin option
+-- since user2 doesn't have admin option for role_noadmin, last grant should fail
+----------------------------------------
+
+create role role_noadmin
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: ----------------------------------------
+-- role granting with admin option
+-- since user2 doesn't have admin option for role_noadmin, last grant should fail
+----------------------------------------
+
+create role role_noadmin
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: create role src_role_wadmin
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: create role src_role_wadmin
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: grant  src_role_wadmin to user user2 with admin option
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant  src_role_wadmin to user user2 with admin option
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: grant  role_noadmin to user user2
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant  role_noadmin to user user2
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: show role grant user user2
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user user2
+POSTHOOK: type: SHOW_ROLE_GRANT
+PUBLIC	-1			false	-1	
+role_noadmin	-1	user2	USER	false	-1	hive_admin_user
+src_role_wadmin	-1	user2	USER	true	-1	hive_admin_user
+PREHOOK: query: set role role_noadmin
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role role_noadmin
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: grant  src_role_wadmin to user user3
+PREHOOK: type: GRANT_ROLE
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException:
Current user : user2 is not allowed to grant role. User has to belong to ADMIN role and have
it as current role, for this action. Otherwise, grantor need to have ADMIN privileges on role
being granted and have it as a current role for this action.

Modified: hive/trunk/ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out?rev=1570405&r1=1570404&r2=1570405&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out (original)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_set_role_neg2.q.out Fri Feb
21 00:46:53 2014
@@ -16,4 +16,12 @@ POSTHOOK: query: grant role rset_role_ne
 POSTHOOK: type: GRANT_ROLE
 PREHOOK: query: set role rset_role_neg
 PREHOOK: type: SHOW_ROLES
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. hive_admin_user
doesn't belong to role rset_role_neg
+POSTHOOK: query: set role rset_role_neg
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: set role public
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role public
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: set role nosuchroleexists
+PREHOOK: type: SHOW_ROLES
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. user2
doesn't belong to role nosuchroleexists

Added: hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out?rev=1570405&view=auto
==============================================================================
--- hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out (added)
+++ hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out Fri Feb
21 00:46:53 2014
@@ -0,0 +1,49 @@
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: ----------------------------------------
+-- role granting with admin option
+----------------------------------------
+
+create role src_role_wadmin
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: ----------------------------------------
+-- role granting with admin option
+----------------------------------------
+
+create role src_role_wadmin
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: grant  src_role_wadmin to user user2 with admin option
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant  src_role_wadmin to user user2 with admin option
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: show role grant user user2
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user user2
+POSTHOOK: type: SHOW_ROLE_GRANT
+PUBLIC	-1			false	-1	
+src_role_wadmin	-1	user2	USER	true	-1	hive_admin_user
+PREHOOK: query: set role src_role_wadmin
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role src_role_wadmin
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: grant  src_role_wadmin to user user3
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant  src_role_wadmin to user user3
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: show role grant user user3
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user user3
+POSTHOOK: type: SHOW_ROLE_GRANT
+PUBLIC	-1			false	-1	
+src_role_wadmin	-1	user3	USER	false	-1	user2
+PREHOOK: query: revoke src_role_wadmin from user user3
+PREHOOK: type: REVOKE_ROLE
+POSTHOOK: query: revoke src_role_wadmin from user user3
+POSTHOOK: type: REVOKE_ROLE
+PREHOOK: query: show role grant user user3
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user user3
+POSTHOOK: type: SHOW_ROLE_GRANT
+PUBLIC	-1			false	-1	


