hive-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From the...@apache.org
Subject svn commit: r1609876 [8/8] - in /hive/trunk: itests/hive-unit/src/test/java/org/apache/hadoop/hive/metastore/ metastore/if/ metastore/src/gen/thrift/gen-cpp/ metastore/src/gen/thrift/gen-javabean/org/apache/hadoop/hive/metastore/api/ metastore/src/gen/...
Date Sat, 12 Jul 2014 01:59:47 GMT
Modified: hive/trunk/metastore/src/gen/thrift/gen-php/metastore/Types.php
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/gen/thrift/gen-php/metastore/Types.php?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/metastore/src/gen/thrift/gen-php/metastore/Types.php (original)
+++ hive/trunk/metastore/src/gen/thrift/gen-php/metastore/Types.php Sat Jul 12 01:59:45 2014
@@ -104,6 +104,15 @@ final class CompactionType {
   );
 }
 
+final class GrantRevokeType {
+  const GRANT = 1;
+  const REVOKE = 2;
+  static public $__names = array(
+    1 => 'GRANT',
+    2 => 'REVOKE',
+  );
+}
+
 final class FunctionType {
   const JAVA = 1;
   static public $__names = array(
@@ -2015,6 +2024,270 @@ class GetPrincipalsInRoleResponse {
 
 }
 
+class GrantRevokeRoleRequest {
+  static $_TSPEC;
+
+  public $requestType = null;
+  public $roleName = null;
+  public $principalName = null;
+  public $principalType = null;
+  public $grantor = null;
+  public $grantorType = null;
+  public $grantOption = null;
+
+  public function __construct($vals=null) {
+    if (!isset(self::$_TSPEC)) {
+      self::$_TSPEC = array(
+        1 => array(
+          'var' => 'requestType',
+          'type' => TType::I32,
+          ),
+        2 => array(
+          'var' => 'roleName',
+          'type' => TType::STRING,
+          ),
+        3 => array(
+          'var' => 'principalName',
+          'type' => TType::STRING,
+          ),
+        4 => array(
+          'var' => 'principalType',
+          'type' => TType::I32,
+          ),
+        5 => array(
+          'var' => 'grantor',
+          'type' => TType::STRING,
+          ),
+        6 => array(
+          'var' => 'grantorType',
+          'type' => TType::I32,
+          ),
+        7 => array(
+          'var' => 'grantOption',
+          'type' => TType::BOOL,
+          ),
+        );
+    }
+    if (is_array($vals)) {
+      if (isset($vals['requestType'])) {
+        $this->requestType = $vals['requestType'];
+      }
+      if (isset($vals['roleName'])) {
+        $this->roleName = $vals['roleName'];
+      }
+      if (isset($vals['principalName'])) {
+        $this->principalName = $vals['principalName'];
+      }
+      if (isset($vals['principalType'])) {
+        $this->principalType = $vals['principalType'];
+      }
+      if (isset($vals['grantor'])) {
+        $this->grantor = $vals['grantor'];
+      }
+      if (isset($vals['grantorType'])) {
+        $this->grantorType = $vals['grantorType'];
+      }
+      if (isset($vals['grantOption'])) {
+        $this->grantOption = $vals['grantOption'];
+      }
+    }
+  }
+
+  public function getName() {
+    return 'GrantRevokeRoleRequest';
+  }
+
+  public function read($input)
+  {
+    $xfer = 0;
+    $fname = null;
+    $ftype = 0;
+    $fid = 0;
+    $xfer += $input->readStructBegin($fname);
+    while (true)
+    {
+      $xfer += $input->readFieldBegin($fname, $ftype, $fid);
+      if ($ftype == TType::STOP) {
+        break;
+      }
+      switch ($fid)
+      {
+        case 1:
+          if ($ftype == TType::I32) {
+            $xfer += $input->readI32($this->requestType);
+          } else {
+            $xfer += $input->skip($ftype);
+          }
+          break;
+        case 2:
+          if ($ftype == TType::STRING) {
+            $xfer += $input->readString($this->roleName);
+          } else {
+            $xfer += $input->skip($ftype);
+          }
+          break;
+        case 3:
+          if ($ftype == TType::STRING) {
+            $xfer += $input->readString($this->principalName);
+          } else {
+            $xfer += $input->skip($ftype);
+          }
+          break;
+        case 4:
+          if ($ftype == TType::I32) {
+            $xfer += $input->readI32($this->principalType);
+          } else {
+            $xfer += $input->skip($ftype);
+          }
+          break;
+        case 5:
+          if ($ftype == TType::STRING) {
+            $xfer += $input->readString($this->grantor);
+          } else {
+            $xfer += $input->skip($ftype);
+          }
+          break;
+        case 6:
+          if ($ftype == TType::I32) {
+            $xfer += $input->readI32($this->grantorType);
+          } else {
+            $xfer += $input->skip($ftype);
+          }
+          break;
+        case 7:
+          if ($ftype == TType::BOOL) {
+            $xfer += $input->readBool($this->grantOption);
+          } else {
+            $xfer += $input->skip($ftype);
+          }
+          break;
+        default:
+          $xfer += $input->skip($ftype);
+          break;
+      }
+      $xfer += $input->readFieldEnd();
+    }
+    $xfer += $input->readStructEnd();
+    return $xfer;
+  }
+
+  public function write($output) {
+    $xfer = 0;
+    $xfer += $output->writeStructBegin('GrantRevokeRoleRequest');
+    if ($this->requestType !== null) {
+      $xfer += $output->writeFieldBegin('requestType', TType::I32, 1);
+      $xfer += $output->writeI32($this->requestType);
+      $xfer += $output->writeFieldEnd();
+    }
+    if ($this->roleName !== null) {
+      $xfer += $output->writeFieldBegin('roleName', TType::STRING, 2);
+      $xfer += $output->writeString($this->roleName);
+      $xfer += $output->writeFieldEnd();
+    }
+    if ($this->principalName !== null) {
+      $xfer += $output->writeFieldBegin('principalName', TType::STRING, 3);
+      $xfer += $output->writeString($this->principalName);
+      $xfer += $output->writeFieldEnd();
+    }
+    if ($this->principalType !== null) {
+      $xfer += $output->writeFieldBegin('principalType', TType::I32, 4);
+      $xfer += $output->writeI32($this->principalType);
+      $xfer += $output->writeFieldEnd();
+    }
+    if ($this->grantor !== null) {
+      $xfer += $output->writeFieldBegin('grantor', TType::STRING, 5);
+      $xfer += $output->writeString($this->grantor);
+      $xfer += $output->writeFieldEnd();
+    }
+    if ($this->grantorType !== null) {
+      $xfer += $output->writeFieldBegin('grantorType', TType::I32, 6);
+      $xfer += $output->writeI32($this->grantorType);
+      $xfer += $output->writeFieldEnd();
+    }
+    if ($this->grantOption !== null) {
+      $xfer += $output->writeFieldBegin('grantOption', TType::BOOL, 7);
+      $xfer += $output->writeBool($this->grantOption);
+      $xfer += $output->writeFieldEnd();
+    }
+    $xfer += $output->writeFieldStop();
+    $xfer += $output->writeStructEnd();
+    return $xfer;
+  }
+
+}
+
+class GrantRevokeRoleResponse {
+  static $_TSPEC;
+
+  public $success = null;
+
+  public function __construct($vals=null) {
+    if (!isset(self::$_TSPEC)) {
+      self::$_TSPEC = array(
+        1 => array(
+          'var' => 'success',
+          'type' => TType::BOOL,
+          ),
+        );
+    }
+    if (is_array($vals)) {
+      if (isset($vals['success'])) {
+        $this->success = $vals['success'];
+      }
+    }
+  }
+
+  public function getName() {
+    return 'GrantRevokeRoleResponse';
+  }
+
+  public function read($input)
+  {
+    $xfer = 0;
+    $fname = null;
+    $ftype = 0;
+    $fid = 0;
+    $xfer += $input->readStructBegin($fname);
+    while (true)
+    {
+      $xfer += $input->readFieldBegin($fname, $ftype, $fid);
+      if ($ftype == TType::STOP) {
+        break;
+      }
+      switch ($fid)
+      {
+        case 1:
+          if ($ftype == TType::BOOL) {
+            $xfer += $input->readBool($this->success);
+          } else {
+            $xfer += $input->skip($ftype);
+          }
+          break;
+        default:
+          $xfer += $input->skip($ftype);
+          break;
+      }
+      $xfer += $input->readFieldEnd();
+    }
+    $xfer += $input->readStructEnd();
+    return $xfer;
+  }
+
+  public function write($output) {
+    $xfer = 0;
+    $xfer += $output->writeStructBegin('GrantRevokeRoleResponse');
+    if ($this->success !== null) {
+      $xfer += $output->writeFieldBegin('success', TType::BOOL, 1);
+      $xfer += $output->writeBool($this->success);
+      $xfer += $output->writeFieldEnd();
+    }
+    $xfer += $output->writeFieldStop();
+    $xfer += $output->writeStructEnd();
+    return $xfer;
+  }
+
+}
+
 class Database {
   static $_TSPEC;
 

Modified: hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore-remote
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore-remote?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore-remote (original)
+++ hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore-remote Sat Jul 12 01:59:45 2014
@@ -107,6 +107,7 @@ if len(sys.argv) <= 1 or sys.argv[1] == 
   print '  bool grant_role(string role_name, string principal_name, PrincipalType principal_type, string grantor, PrincipalType grantorType, bool grant_option)'
   print '  bool revoke_role(string role_name, string principal_name, PrincipalType principal_type)'
   print '   list_roles(string principal_name, PrincipalType principal_type)'
+  print '  GrantRevokeRoleResponse grant_revoke_role(GrantRevokeRoleRequest request)'
   print '  GetPrincipalsInRoleResponse get_principals_in_role(GetPrincipalsInRoleRequest request)'
   print '  GetRoleGrantsForPrincipalResponse get_role_grants_for_principal(GetRoleGrantsForPrincipalRequest request)'
   print '  PrincipalPrivilegeSet get_privilege_set(HiveObjectRef hiveObject, string user_name,  group_names)'
@@ -685,6 +686,12 @@ elif cmd == 'list_roles':
     sys.exit(1)
   pp.pprint(client.list_roles(args[0],eval(args[1]),))
 
+elif cmd == 'grant_revoke_role':
+  if len(args) != 1:
+    print 'grant_revoke_role requires 1 args'
+    sys.exit(1)
+  pp.pprint(client.grant_revoke_role(eval(args[0]),))
+
 elif cmd == 'get_principals_in_role':
   if len(args) != 1:
     print 'get_principals_in_role requires 1 args'

Modified: hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore.py
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore.py?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore.py (original)
+++ hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ThriftHiveMetastore.py Sat Jul 12 01:59:45 2014
@@ -738,6 +738,13 @@ class Iface(fb303.FacebookService.Iface)
     """
     pass
 
+  def grant_revoke_role(self, request):
+    """
+    Parameters:
+     - request
+    """
+    pass
+
   def get_principals_in_role(self, request):
     """
     Parameters:
@@ -4039,6 +4046,38 @@ class Client(fb303.FacebookService.Clien
       raise result.o1
     raise TApplicationException(TApplicationException.MISSING_RESULT, "list_roles failed: unknown result");
 
+  def grant_revoke_role(self, request):
+    """
+    Parameters:
+     - request
+    """
+    self.send_grant_revoke_role(request)
+    return self.recv_grant_revoke_role()
+
+  def send_grant_revoke_role(self, request):
+    self._oprot.writeMessageBegin('grant_revoke_role', TMessageType.CALL, self._seqid)
+    args = grant_revoke_role_args()
+    args.request = request
+    args.write(self._oprot)
+    self._oprot.writeMessageEnd()
+    self._oprot.trans.flush()
+
+  def recv_grant_revoke_role(self, ):
+    (fname, mtype, rseqid) = self._iprot.readMessageBegin()
+    if mtype == TMessageType.EXCEPTION:
+      x = TApplicationException()
+      x.read(self._iprot)
+      self._iprot.readMessageEnd()
+      raise x
+    result = grant_revoke_role_result()
+    result.read(self._iprot)
+    self._iprot.readMessageEnd()
+    if result.success is not None:
+      return result.success
+    if result.o1 is not None:
+      raise result.o1
+    raise TApplicationException(TApplicationException.MISSING_RESULT, "grant_revoke_role failed: unknown result");
+
   def get_principals_in_role(self, request):
     """
     Parameters:
@@ -4853,6 +4892,7 @@ class Processor(fb303.FacebookService.Pr
     self._processMap["grant_role"] = Processor.process_grant_role
     self._processMap["revoke_role"] = Processor.process_revoke_role
     self._processMap["list_roles"] = Processor.process_list_roles
+    self._processMap["grant_revoke_role"] = Processor.process_grant_revoke_role
     self._processMap["get_principals_in_role"] = Processor.process_get_principals_in_role
     self._processMap["get_role_grants_for_principal"] = Processor.process_get_role_grants_for_principal
     self._processMap["get_privilege_set"] = Processor.process_get_privilege_set
@@ -6288,6 +6328,20 @@ class Processor(fb303.FacebookService.Pr
     oprot.writeMessageEnd()
     oprot.trans.flush()
 
+  def process_grant_revoke_role(self, seqid, iprot, oprot):
+    args = grant_revoke_role_args()
+    args.read(iprot)
+    iprot.readMessageEnd()
+    result = grant_revoke_role_result()
+    try:
+      result.success = self._handler.grant_revoke_role(args.request)
+    except MetaException as o1:
+      result.o1 = o1
+    oprot.writeMessageBegin("grant_revoke_role", TMessageType.REPLY, seqid)
+    result.write(oprot)
+    oprot.writeMessageEnd()
+    oprot.trans.flush()
+
   def process_get_principals_in_role(self, seqid, iprot, oprot):
     args = get_principals_in_role_args()
     args.read(iprot)
@@ -20963,6 +21017,140 @@ class list_roles_result:
   def __ne__(self, other):
     return not (self == other)
 
+class grant_revoke_role_args:
+  """
+  Attributes:
+   - request
+  """
+
+  thrift_spec = (
+    None, # 0
+    (1, TType.STRUCT, 'request', (GrantRevokeRoleRequest, GrantRevokeRoleRequest.thrift_spec), None, ), # 1
+  )
+
+  def __init__(self, request=None,):
+    self.request = request
+
+  def read(self, iprot):
+    if iprot.__class__ == TBinaryProtocol.TBinaryProtocolAccelerated and isinstance(iprot.trans, TTransport.CReadableTransport) and self.thrift_spec is not None and fastbinary is not None:
+      fastbinary.decode_binary(self, iprot.trans, (self.__class__, self.thrift_spec))
+      return
+    iprot.readStructBegin()
+    while True:
+      (fname, ftype, fid) = iprot.readFieldBegin()
+      if ftype == TType.STOP:
+        break
+      if fid == 1:
+        if ftype == TType.STRUCT:
+          self.request = GrantRevokeRoleRequest()
+          self.request.read(iprot)
+        else:
+          iprot.skip(ftype)
+      else:
+        iprot.skip(ftype)
+      iprot.readFieldEnd()
+    iprot.readStructEnd()
+
+  def write(self, oprot):
+    if oprot.__class__ == TBinaryProtocol.TBinaryProtocolAccelerated and self.thrift_spec is not None and fastbinary is not None:
+      oprot.trans.write(fastbinary.encode_binary(self, (self.__class__, self.thrift_spec)))
+      return
+    oprot.writeStructBegin('grant_revoke_role_args')
+    if self.request is not None:
+      oprot.writeFieldBegin('request', TType.STRUCT, 1)
+      self.request.write(oprot)
+      oprot.writeFieldEnd()
+    oprot.writeFieldStop()
+    oprot.writeStructEnd()
+
+  def validate(self):
+    return
+
+
+  def __repr__(self):
+    L = ['%s=%r' % (key, value)
+      for key, value in self.__dict__.iteritems()]
+    return '%s(%s)' % (self.__class__.__name__, ', '.join(L))
+
+  def __eq__(self, other):
+    return isinstance(other, self.__class__) and self.__dict__ == other.__dict__
+
+  def __ne__(self, other):
+    return not (self == other)
+
+class grant_revoke_role_result:
+  """
+  Attributes:
+   - success
+   - o1
+  """
+
+  thrift_spec = (
+    (0, TType.STRUCT, 'success', (GrantRevokeRoleResponse, GrantRevokeRoleResponse.thrift_spec), None, ), # 0
+    (1, TType.STRUCT, 'o1', (MetaException, MetaException.thrift_spec), None, ), # 1
+  )
+
+  def __init__(self, success=None, o1=None,):
+    self.success = success
+    self.o1 = o1
+
+  def read(self, iprot):
+    if iprot.__class__ == TBinaryProtocol.TBinaryProtocolAccelerated and isinstance(iprot.trans, TTransport.CReadableTransport) and self.thrift_spec is not None and fastbinary is not None:
+      fastbinary.decode_binary(self, iprot.trans, (self.__class__, self.thrift_spec))
+      return
+    iprot.readStructBegin()
+    while True:
+      (fname, ftype, fid) = iprot.readFieldBegin()
+      if ftype == TType.STOP:
+        break
+      if fid == 0:
+        if ftype == TType.STRUCT:
+          self.success = GrantRevokeRoleResponse()
+          self.success.read(iprot)
+        else:
+          iprot.skip(ftype)
+      elif fid == 1:
+        if ftype == TType.STRUCT:
+          self.o1 = MetaException()
+          self.o1.read(iprot)
+        else:
+          iprot.skip(ftype)
+      else:
+        iprot.skip(ftype)
+      iprot.readFieldEnd()
+    iprot.readStructEnd()
+
+  def write(self, oprot):
+    if oprot.__class__ == TBinaryProtocol.TBinaryProtocolAccelerated and self.thrift_spec is not None and fastbinary is not None:
+      oprot.trans.write(fastbinary.encode_binary(self, (self.__class__, self.thrift_spec)))
+      return
+    oprot.writeStructBegin('grant_revoke_role_result')
+    if self.success is not None:
+      oprot.writeFieldBegin('success', TType.STRUCT, 0)
+      self.success.write(oprot)
+      oprot.writeFieldEnd()
+    if self.o1 is not None:
+      oprot.writeFieldBegin('o1', TType.STRUCT, 1)
+      self.o1.write(oprot)
+      oprot.writeFieldEnd()
+    oprot.writeFieldStop()
+    oprot.writeStructEnd()
+
+  def validate(self):
+    return
+
+
+  def __repr__(self):
+    L = ['%s=%r' % (key, value)
+      for key, value in self.__dict__.iteritems()]
+    return '%s(%s)' % (self.__class__.__name__, ', '.join(L))
+
+  def __eq__(self, other):
+    return isinstance(other, self.__class__) and self.__dict__ == other.__dict__
+
+  def __ne__(self, other):
+    return not (self == other)
+
 class get_principals_in_role_args:
   """
   Attributes:

Modified: hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ttypes.py
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ttypes.py?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ttypes.py (original)
+++ hive/trunk/metastore/src/gen/thrift/gen-py/hive_metastore/ttypes.py Sat Jul 12 01:59:45 2014
@@ -154,6 +154,20 @@ class CompactionType:
     "MAJOR": 2,
   }
 
+class GrantRevokeType:
+  GRANT = 1
+  REVOKE = 2
+
+  _VALUES_TO_NAMES = {
+    1: "GRANT",
+    2: "REVOKE",
+  }
+
+  _NAMES_TO_VALUES = {
+    "GRANT": 1,
+    "REVOKE": 2,
+  }
+
 class FunctionType:
   JAVA = 1
 
@@ -1472,6 +1486,198 @@ class GetPrincipalsInRoleResponse:
   def __ne__(self, other):
     return not (self == other)
 
+class GrantRevokeRoleRequest:
+  """
+  Attributes:
+   - requestType
+   - roleName
+   - principalName
+   - principalType
+   - grantor
+   - grantorType
+   - grantOption
+  """
+
+  thrift_spec = (
+    None, # 0
+    (1, TType.I32, 'requestType', None, None, ), # 1
+    (2, TType.STRING, 'roleName', None, None, ), # 2
+    (3, TType.STRING, 'principalName', None, None, ), # 3
+    (4, TType.I32, 'principalType', None, None, ), # 4
+    (5, TType.STRING, 'grantor', None, None, ), # 5
+    (6, TType.I32, 'grantorType', None, None, ), # 6
+    (7, TType.BOOL, 'grantOption', None, None, ), # 7
+  )
+
+  def __init__(self, requestType=None, roleName=None, principalName=None, principalType=None, grantor=None, grantorType=None, grantOption=None,):
+    self.requestType = requestType
+    self.roleName = roleName
+    self.principalName = principalName
+    self.principalType = principalType
+    self.grantor = grantor
+    self.grantorType = grantorType
+    self.grantOption = grantOption
+
+  def read(self, iprot):
+    if iprot.__class__ == TBinaryProtocol.TBinaryProtocolAccelerated and isinstance(iprot.trans, TTransport.CReadableTransport) and self.thrift_spec is not None and fastbinary is not None:
+      fastbinary.decode_binary(self, iprot.trans, (self.__class__, self.thrift_spec))
+      return
+    iprot.readStructBegin()
+    while True:
+      (fname, ftype, fid) = iprot.readFieldBegin()
+      if ftype == TType.STOP:
+        break
+      if fid == 1:
+        if ftype == TType.I32:
+          self.requestType = iprot.readI32();
+        else:
+          iprot.skip(ftype)
+      elif fid == 2:
+        if ftype == TType.STRING:
+          self.roleName = iprot.readString();
+        else:
+          iprot.skip(ftype)
+      elif fid == 3:
+        if ftype == TType.STRING:
+          self.principalName = iprot.readString();
+        else:
+          iprot.skip(ftype)
+      elif fid == 4:
+        if ftype == TType.I32:
+          self.principalType = iprot.readI32();
+        else:
+          iprot.skip(ftype)
+      elif fid == 5:
+        if ftype == TType.STRING:
+          self.grantor = iprot.readString();
+        else:
+          iprot.skip(ftype)
+      elif fid == 6:
+        if ftype == TType.I32:
+          self.grantorType = iprot.readI32();
+        else:
+          iprot.skip(ftype)
+      elif fid == 7:
+        if ftype == TType.BOOL:
+          self.grantOption = iprot.readBool();
+        else:
+          iprot.skip(ftype)
+      else:
+        iprot.skip(ftype)
+      iprot.readFieldEnd()
+    iprot.readStructEnd()
+
+  def write(self, oprot):
+    if oprot.__class__ == TBinaryProtocol.TBinaryProtocolAccelerated and self.thrift_spec is not None and fastbinary is not None:
+      oprot.trans.write(fastbinary.encode_binary(self, (self.__class__, self.thrift_spec)))
+      return
+    oprot.writeStructBegin('GrantRevokeRoleRequest')
+    if self.requestType is not None:
+      oprot.writeFieldBegin('requestType', TType.I32, 1)
+      oprot.writeI32(self.requestType)
+      oprot.writeFieldEnd()
+    if self.roleName is not None:
+      oprot.writeFieldBegin('roleName', TType.STRING, 2)
+      oprot.writeString(self.roleName)
+      oprot.writeFieldEnd()
+    if self.principalName is not None:
+      oprot.writeFieldBegin('principalName', TType.STRING, 3)
+      oprot.writeString(self.principalName)
+      oprot.writeFieldEnd()
+    if self.principalType is not None:
+      oprot.writeFieldBegin('principalType', TType.I32, 4)
+      oprot.writeI32(self.principalType)
+      oprot.writeFieldEnd()
+    if self.grantor is not None:
+      oprot.writeFieldBegin('grantor', TType.STRING, 5)
+      oprot.writeString(self.grantor)
+      oprot.writeFieldEnd()
+    if self.grantorType is not None:
+      oprot.writeFieldBegin('grantorType', TType.I32, 6)
+      oprot.writeI32(self.grantorType)
+      oprot.writeFieldEnd()
+    if self.grantOption is not None:
+      oprot.writeFieldBegin('grantOption', TType.BOOL, 7)
+      oprot.writeBool(self.grantOption)
+      oprot.writeFieldEnd()
+    oprot.writeFieldStop()
+    oprot.writeStructEnd()
+
+  def validate(self):
+    return
+
+
+  def __repr__(self):
+    L = ['%s=%r' % (key, value)
+      for key, value in self.__dict__.iteritems()]
+    return '%s(%s)' % (self.__class__.__name__, ', '.join(L))
+
+  def __eq__(self, other):
+    return isinstance(other, self.__class__) and self.__dict__ == other.__dict__
+
+  def __ne__(self, other):
+    return not (self == other)
+
+class GrantRevokeRoleResponse:
+  """
+  Attributes:
+   - success
+  """
+
+  thrift_spec = (
+    None, # 0
+    (1, TType.BOOL, 'success', None, None, ), # 1
+  )
+
+  def __init__(self, success=None,):
+    self.success = success
+
+  def read(self, iprot):
+    if iprot.__class__ == TBinaryProtocol.TBinaryProtocolAccelerated and isinstance(iprot.trans, TTransport.CReadableTransport) and self.thrift_spec is not None and fastbinary is not None:
+      fastbinary.decode_binary(self, iprot.trans, (self.__class__, self.thrift_spec))
+      return
+    iprot.readStructBegin()
+    while True:
+      (fname, ftype, fid) = iprot.readFieldBegin()
+      if ftype == TType.STOP:
+        break
+      if fid == 1:
+        if ftype == TType.BOOL:
+          self.success = iprot.readBool();
+        else:
+          iprot.skip(ftype)
+      else:
+        iprot.skip(ftype)
+      iprot.readFieldEnd()
+    iprot.readStructEnd()
+
+  def write(self, oprot):
+    if oprot.__class__ == TBinaryProtocol.TBinaryProtocolAccelerated and self.thrift_spec is not None and fastbinary is not None:
+      oprot.trans.write(fastbinary.encode_binary(self, (self.__class__, self.thrift_spec)))
+      return
+    oprot.writeStructBegin('GrantRevokeRoleResponse')
+    if self.success is not None:
+      oprot.writeFieldBegin('success', TType.BOOL, 1)
+      oprot.writeBool(self.success)
+      oprot.writeFieldEnd()
+    oprot.writeFieldStop()
+    oprot.writeStructEnd()
+
+  def validate(self):
+    return
+
+
+  def __repr__(self):
+    L = ['%s=%r' % (key, value)
+      for key, value in self.__dict__.iteritems()]
+    return '%s(%s)' % (self.__class__.__name__, ', '.join(L))
+
+  def __eq__(self, other):
+    return isinstance(other, self.__class__) and self.__dict__ == other.__dict__
+
+  def __ne__(self, other):
+    return not (self == other)
+
 class Database:
   """
   Attributes:

Modified: hive/trunk/metastore/src/gen/thrift/gen-rb/hive_metastore_types.rb
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/gen/thrift/gen-rb/hive_metastore_types.rb?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/metastore/src/gen/thrift/gen-rb/hive_metastore_types.rb (original)
+++ hive/trunk/metastore/src/gen/thrift/gen-rb/hive_metastore_types.rb Sat Jul 12 01:59:45 2014
@@ -72,6 +72,13 @@ module CompactionType
   VALID_VALUES = Set.new([MINOR, MAJOR]).freeze
 end
 
+module GrantRevokeType
+  GRANT = 1
+  REVOKE = 2
+  VALUE_MAP = {1 => "GRANT", 2 => "REVOKE"}
+  VALID_VALUES = Set.new([GRANT, REVOKE]).freeze
+end
+
 module FunctionType
   JAVA = 1
   VALUE_MAP = {1 => "JAVA"}
@@ -389,6 +396,59 @@ class GetPrincipalsInRoleResponse
   ::Thrift::Struct.generate_accessors self
 end
 
+class GrantRevokeRoleRequest
+  include ::Thrift::Struct, ::Thrift::Struct_Union
+  REQUESTTYPE = 1
+  ROLENAME = 2
+  PRINCIPALNAME = 3
+  PRINCIPALTYPE = 4
+  GRANTOR = 5
+  GRANTORTYPE = 6
+  GRANTOPTION = 7
+
+  FIELDS = {
+    REQUESTTYPE => {:type => ::Thrift::Types::I32, :name => 'requestType', :enum_class => ::GrantRevokeType},
+    ROLENAME => {:type => ::Thrift::Types::STRING, :name => 'roleName'},
+    PRINCIPALNAME => {:type => ::Thrift::Types::STRING, :name => 'principalName'},
+    PRINCIPALTYPE => {:type => ::Thrift::Types::I32, :name => 'principalType', :enum_class => ::PrincipalType},
+    GRANTOR => {:type => ::Thrift::Types::STRING, :name => 'grantor', :optional => true},
+    GRANTORTYPE => {:type => ::Thrift::Types::I32, :name => 'grantorType', :optional => true, :enum_class => ::PrincipalType},
+    GRANTOPTION => {:type => ::Thrift::Types::BOOL, :name => 'grantOption', :optional => true}
+  }
+
+  def struct_fields; FIELDS; end
+
+  def validate
+    unless @requestType.nil? || ::GrantRevokeType::VALID_VALUES.include?(@requestType)
+      raise ::Thrift::ProtocolException.new(::Thrift::ProtocolException::UNKNOWN, 'Invalid value of field requestType!')
+    end
+    unless @principalType.nil? || ::PrincipalType::VALID_VALUES.include?(@principalType)
+      raise ::Thrift::ProtocolException.new(::Thrift::ProtocolException::UNKNOWN, 'Invalid value of field principalType!')
+    end
+    unless @grantorType.nil? || ::PrincipalType::VALID_VALUES.include?(@grantorType)
+      raise ::Thrift::ProtocolException.new(::Thrift::ProtocolException::UNKNOWN, 'Invalid value of field grantorType!')
+    end
+  end
+
+  ::Thrift::Struct.generate_accessors self
+end
+
+class GrantRevokeRoleResponse
+  include ::Thrift::Struct, ::Thrift::Struct_Union
+  SUCCESS = 1
+
+  FIELDS = {
+    SUCCESS => {:type => ::Thrift::Types::BOOL, :name => 'success', :optional => true}
+  }
+
+  def struct_fields; FIELDS; end
+
+  def validate
+  end
+
+  ::Thrift::Struct.generate_accessors self
+end
+
 class Database
   include ::Thrift::Struct, ::Thrift::Struct_Union
   NAME = 1

Modified: hive/trunk/metastore/src/gen/thrift/gen-rb/thrift_hive_metastore.rb
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/gen/thrift/gen-rb/thrift_hive_metastore.rb?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/metastore/src/gen/thrift/gen-rb/thrift_hive_metastore.rb (original)
+++ hive/trunk/metastore/src/gen/thrift/gen-rb/thrift_hive_metastore.rb Sat Jul 12 01:59:45 2014
@@ -1448,6 +1448,22 @@ module ThriftHiveMetastore
       raise ::Thrift::ApplicationException.new(::Thrift::ApplicationException::MISSING_RESULT, 'list_roles failed: unknown result')
     end
 
+    def grant_revoke_role(request)
+      send_grant_revoke_role(request)
+      return recv_grant_revoke_role()
+    end
+
+    def send_grant_revoke_role(request)
+      send_message('grant_revoke_role', Grant_revoke_role_args, :request => request)
+    end
+
+    def recv_grant_revoke_role()
+      result = receive_message(Grant_revoke_role_result)
+      return result.success unless result.success.nil?
+      raise result.o1 unless result.o1.nil?
+      raise ::Thrift::ApplicationException.new(::Thrift::ApplicationException::MISSING_RESULT, 'grant_revoke_role failed: unknown result')
+    end
+
     def get_principals_in_role(request)
       send_get_principals_in_role(request)
       return recv_get_principals_in_role()
@@ -2959,6 +2975,17 @@ module ThriftHiveMetastore
       write_result(result, oprot, 'list_roles', seqid)
     end
 
+    def process_grant_revoke_role(seqid, iprot, oprot)
+      args = read_args(iprot, Grant_revoke_role_args)
+      result = Grant_revoke_role_result.new()
+      begin
+        result.success = @handler.grant_revoke_role(args.request)
+      rescue ::MetaException => o1
+        result.o1 = o1
+      end
+      write_result(result, oprot, 'grant_revoke_role', seqid)
+    end
+
     def process_get_principals_in_role(seqid, iprot, oprot)
       args = read_args(iprot, Get_principals_in_role_args)
       result = Get_principals_in_role_result.new()
@@ -6530,6 +6557,40 @@ module ThriftHiveMetastore
     ::Thrift::Struct.generate_accessors self
   end
 
+  class Grant_revoke_role_args
+    include ::Thrift::Struct, ::Thrift::Struct_Union
+    REQUEST = 1
+
+    FIELDS = {
+      REQUEST => {:type => ::Thrift::Types::STRUCT, :name => 'request', :class => ::GrantRevokeRoleRequest}
+    }
+
+    def struct_fields; FIELDS; end
+
+    def validate
+    end
+
+    ::Thrift::Struct.generate_accessors self
+  end
+
+  class Grant_revoke_role_result
+    include ::Thrift::Struct, ::Thrift::Struct_Union
+    SUCCESS = 0
+    O1 = 1
+
+    FIELDS = {
+      SUCCESS => {:type => ::Thrift::Types::STRUCT, :name => 'success', :class => ::GrantRevokeRoleResponse},
+      O1 => {:type => ::Thrift::Types::STRUCT, :name => 'o1', :class => ::MetaException}
+    }
+
+    def struct_fields; FIELDS; end
+
+    def validate
+    end
+
+    ::Thrift::Struct.generate_accessors self
+  end
+
   class Get_principals_in_role_args
     include ::Thrift::Struct, ::Thrift::Struct_Union
     REQUEST = 1

Modified: hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java (original)
+++ hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java Sat Jul 12 01:59:45 2014
@@ -85,6 +85,9 @@ import org.apache.hadoop.hive.metastore.
 import org.apache.hadoop.hive.metastore.api.GetPrincipalsInRoleResponse;
 import org.apache.hadoop.hive.metastore.api.GetRoleGrantsForPrincipalRequest;
 import org.apache.hadoop.hive.metastore.api.GetRoleGrantsForPrincipalResponse;
+import org.apache.hadoop.hive.metastore.api.GrantRevokeRoleRequest;
+import org.apache.hadoop.hive.metastore.api.GrantRevokeRoleResponse;
+import org.apache.hadoop.hive.metastore.api.GrantRevokeType;
 import org.apache.hadoop.hive.metastore.api.HeartbeatRequest;
 import org.apache.hadoop.hive.metastore.api.HeartbeatTxnRangeRequest;
 import org.apache.hadoop.hive.metastore.api.HeartbeatTxnRangeResponse;
@@ -4073,6 +4076,11 @@ public class HiveMetaStore extends Thrif
     @Override
     public boolean revoke_role(final String roleName, final String userName,
         final PrincipalType principalType) throws MetaException, TException {
+      return revoke_role(roleName, userName, principalType, false);
+    }
+
+    private boolean revoke_role(final String roleName, final String userName,
+        final PrincipalType principalType, boolean grantOption) throws MetaException, TException {
       incrementCounter("remove_role_member");
       firePreEvent(new PreAuthorizationCallEvent(this));
       if (PUBLIC.equals(roleName)) {
@@ -4082,7 +4090,7 @@ public class HiveMetaStore extends Thrif
       try {
         RawStore ms = getMS();
         Role mRole = ms.getRole(roleName);
-        ret = ms.revokeRole(mRole, userName, principalType);
+        ret = ms.revokeRole(mRole, userName, principalType, grantOption);
       } catch (MetaException e) {
         throw e;
       } catch (Exception e) {
@@ -4091,6 +4099,34 @@ public class HiveMetaStore extends Thrif
       return ret;
     }
 
+    public GrantRevokeRoleResponse grant_revoke_role(GrantRevokeRoleRequest request)
+        throws MetaException, org.apache.thrift.TException {
+      GrantRevokeRoleResponse response = new GrantRevokeRoleResponse();
+      boolean grantOption = false;
+      if (request.isSetGrantOption()) {
+        grantOption = request.isGrantOption();
+      }
+      switch (request.getRequestType()) {
+        case GRANT: {
+          boolean result = grant_role(request.getRoleName(),
+              request.getPrincipalName(), request.getPrincipalType(),
+              request.getGrantor(), request.getGrantorType(), grantOption);
+          response.setSuccess(result);
+          break;
+        }
+        case REVOKE: {
+          boolean result = revoke_role(request.getRoleName(), request.getPrincipalName(),
+              request.getPrincipalType(), grantOption);
+          response.setSuccess(result);
+          break;
+        }
+        default:
+          throw new MetaException("Unknown request type " + request.getRequestType());
+      }
+
+      return response;
+    }
+
     @Override
     public boolean revoke_privileges(final PrivilegeBag privileges)
         throws MetaException, TException {

Modified: hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java (original)
+++ hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java Sat Jul 12 01:59:45 2014
@@ -73,6 +73,9 @@ import org.apache.hadoop.hive.metastore.
 import org.apache.hadoop.hive.metastore.api.GetPrincipalsInRoleResponse;
 import org.apache.hadoop.hive.metastore.api.GetRoleGrantsForPrincipalRequest;
 import org.apache.hadoop.hive.metastore.api.GetRoleGrantsForPrincipalResponse;
+import org.apache.hadoop.hive.metastore.api.GrantRevokeRoleRequest;
+import org.apache.hadoop.hive.metastore.api.GrantRevokeRoleResponse;
+import org.apache.hadoop.hive.metastore.api.GrantRevokeType;
 import org.apache.hadoop.hive.metastore.api.HeartbeatRequest;
 import org.apache.hadoop.hive.metastore.api.HeartbeatTxnRangeRequest;
 import org.apache.hadoop.hive.metastore.api.HeartbeatTxnRangeResponse;
@@ -1443,8 +1446,19 @@ public class HiveMetaStoreClient impleme
   public boolean grant_role(String roleName, String userName,
       PrincipalType principalType, String grantor, PrincipalType grantorType,
       boolean grantOption) throws MetaException, TException {
-    return client.grant_role(roleName, userName, principalType, grantor,
-        grantorType, grantOption);
+    GrantRevokeRoleRequest req = new GrantRevokeRoleRequest();
+    req.setRequestType(GrantRevokeType.GRANT);
+    req.setRoleName(roleName);
+    req.setPrincipalName(userName);
+    req.setPrincipalType(principalType);
+    req.setGrantor(grantor);
+    req.setGrantorType(grantorType);
+    req.setGrantOption(grantOption);
+    GrantRevokeRoleResponse res = client.grant_revoke_role(req);
+    if (!res.isSetSuccess()) {
+      throw new MetaException("GrantRevokeResponse missing success field");
+    }
+    return res.isSuccess();
   }
 
   @Override
@@ -1489,8 +1503,18 @@ public class HiveMetaStoreClient impleme
 
   @Override
   public boolean revoke_role(String roleName, String userName,
-      PrincipalType principalType) throws MetaException, TException {
-    return client.revoke_role(roleName, userName, principalType);
+      PrincipalType principalType, boolean grantOption) throws MetaException, TException {
+    GrantRevokeRoleRequest req = new GrantRevokeRoleRequest();
+    req.setRequestType(GrantRevokeType.REVOKE);
+    req.setRoleName(roleName);
+    req.setPrincipalName(userName);
+    req.setPrincipalType(principalType);
+    req.setGrantOption(grantOption);
+    GrantRevokeRoleResponse res = client.grant_revoke_role(req);
+    if (!res.isSetSuccess()) {
+      throw new MetaException("GrantRevokeResponse missing success field");
+    }
+    return res.isSuccess();
   }
 
   @Override

Modified: hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java (original)
+++ hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/IMetaStoreClient.java Sat Jul 12 01:59:45 2014
@@ -955,7 +955,7 @@ public interface IMetaStoreClient {
    * @throws TException
    */
   public boolean revoke_role(String role_name, String user_name,
-      PrincipalType principalType) throws MetaException, TException;
+      PrincipalType principalType, boolean grantOption) throws MetaException, TException;
 
   /**
    *

Modified: hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java (original)
+++ hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java Sat Jul 12 01:59:45 2014
@@ -3083,13 +3083,25 @@ public class ObjectStore implements RawS
   }
 
   @Override
-  public boolean revokeRole(Role role, String userName, PrincipalType principalType) throws MetaException, NoSuchObjectException {
+  public boolean revokeRole(Role role, String userName, PrincipalType principalType,
+      boolean grantOption) throws MetaException, NoSuchObjectException {
     boolean success = false;
     try {
       openTransaction();
       MRoleMap roleMember = getMSecurityUserRoleMap(userName, principalType,
           role.getRoleName());
-      pm.deletePersistent(roleMember);
+      if (grantOption) {
+        // Revoke with grant option - only remove the grant option but keep the role.
+        if (roleMember.getGrantOption()) {
+          roleMember.setGrantOption(false);
+        } else {
+          throw new MetaException("User " + userName
+              + " does not have grant option with role " + role.getRoleName());
+        }
+      } else {
+        // No grant option in revoke, remove the whole role.
+        pm.deletePersistent(roleMember);
+      }
       success = commitTransaction();
     } finally {
       if (!success) {

Modified: hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/RawStore.java
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/RawStore.java?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/RawStore.java (original)
+++ hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/RawStore.java Sat Jul 12 01:59:45 2014
@@ -230,8 +230,8 @@ public interface RawStore extends Config
       String grantor, PrincipalType grantorType, boolean grantOption)
       throws MetaException, NoSuchObjectException, InvalidObjectException;
 
-  public abstract boolean revokeRole(Role role, String userName, PrincipalType principalType)
-      throws MetaException, NoSuchObjectException;
+  public abstract boolean revokeRole(Role role, String userName, PrincipalType principalType,
+      boolean grantOption) throws MetaException, NoSuchObjectException;
 
   public abstract PrincipalPrivilegeSet getUserPrivilegeSet(String userName,
       List<String> groupNames) throws InvalidObjectException, MetaException;

Modified: hive/trunk/metastore/src/test/org/apache/hadoop/hive/metastore/DummyRawStoreControlledCommit.java
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/test/org/apache/hadoop/hive/metastore/DummyRawStoreControlledCommit.java?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/metastore/src/test/org/apache/hadoop/hive/metastore/DummyRawStoreControlledCommit.java (original)
+++ hive/trunk/metastore/src/test/org/apache/hadoop/hive/metastore/DummyRawStoreControlledCommit.java Sat Jul 12 01:59:45 2014
@@ -349,9 +349,9 @@ public class DummyRawStoreControlledComm
   }
 
   @Override
-  public boolean revokeRole(Role role, String userName, PrincipalType principalType)
+  public boolean revokeRole(Role role, String userName, PrincipalType principalType, boolean grantOption)
       throws MetaException, NoSuchObjectException {
-    return objectStore.revokeRole(role, userName, principalType);
+    return objectStore.revokeRole(role, userName, principalType, grantOption);
   }
 
   @Override

Modified: hive/trunk/metastore/src/test/org/apache/hadoop/hive/metastore/DummyRawStoreForJdoConnection.java
URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/test/org/apache/hadoop/hive/metastore/DummyRawStoreForJdoConnection.java?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/metastore/src/test/org/apache/hadoop/hive/metastore/DummyRawStoreForJdoConnection.java (original)
+++ hive/trunk/metastore/src/test/org/apache/hadoop/hive/metastore/DummyRawStoreForJdoConnection.java Sat Jul 12 01:59:45 2014
@@ -368,7 +368,7 @@ public class DummyRawStoreForJdoConnecti
   }
 
   @Override
-  public boolean revokeRole(Role role, String userName, PrincipalType principalType)
+  public boolean revokeRole(Role role, String userName, PrincipalType principalType, boolean grantOption)
       throws MetaException, NoSuchObjectException {
 
     return false;

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/exec/DDLTask.java Sat Jul 12 01:59:45 2014
@@ -542,7 +542,8 @@ public class DDLTask extends Task<DDLWor
                 grantOrRevokeRoleDDL.getGrantor(), grantOrRevokeRoleDDL
                 .getGrantorType(), grantOrRevokeRoleDDL.isGrantOption());
           } else {
-            db.revokeRole(roleName, userName, principal.getType());
+            db.revokeRole(roleName, userName, principal.getType(),
+                grantOrRevokeRoleDDL.isGrantOption());
           }
         }
       }

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/metadata/Hive.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/metadata/Hive.java?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/metadata/Hive.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/metadata/Hive.java Sat Jul 12 01:59:45 2014
@@ -2069,9 +2069,9 @@ private void constructOneLBLocationMap(F
   }
 
   public boolean revokeRole(String roleName, String userName,
-      PrincipalType principalType)  throws HiveException {
+      PrincipalType principalType, boolean grantOption)  throws HiveException {
     try {
-      return getMSC().revoke_role(roleName, userName, principalType);
+      return getMSC().revoke_role(roleName, userName, principalType, grantOption);
     } catch (Exception e) {
       throw new HiveException(e);
     }

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/HiveParser.g Sat Jul 12 01:59:45 2014
@@ -267,6 +267,7 @@ TOK_ROLE;
 TOK_RESOURCE_ALL;
 TOK_GRANT_WITH_OPTION;
 TOK_GRANT_WITH_ADMIN_OPTION;
+TOK_ADMIN_OPTION_FOR;
 TOK_PRIV_ALL;
 TOK_PRIV_ALTER_METADATA;
 TOK_PRIV_ALTER_DATA;
@@ -1409,8 +1410,8 @@ grantRole
 revokeRole
 @init {pushMsg("revoke role", state);}
 @after {popMsg(state);}
-    : KW_REVOKE KW_ROLE? identifier (COMMA identifier)* KW_FROM principalSpecification withAdminOption?
-    -> ^(TOK_REVOKE_ROLE principalSpecification withAdminOption? identifier+)
+    : KW_REVOKE adminOptionFor? KW_ROLE? identifier (COMMA identifier)* KW_FROM principalSpecification
+    -> ^(TOK_REVOKE_ROLE principalSpecification adminOptionFor? identifier+)
     ;
 
 showRoleGrants
@@ -1533,6 +1534,13 @@ withGrantOption
     -> ^(TOK_GRANT_WITH_OPTION)
     ;
 
+adminOptionFor
+@init {pushMsg("admin option for", state);}
+@after {popMsg(state);}
+    : KW_ADMIN KW_OPTION KW_FOR
+    -> ^(TOK_ADMIN_OPTION_FOR)
+;
+
 withAdminOption
 @init {pushMsg("with admin option", state);}
 @after {popMsg(state);}

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/parse/authorization/HiveAuthorizationTaskFactoryImpl.java Sat Jul 12 01:59:45 2014
@@ -212,7 +212,8 @@ public class HiveAuthorizationTaskFactor
     int rolesStartPos = 1;
     ASTNode wAdminOption = (ASTNode) ast.getChild(1);
     boolean isAdmin = false;
-    if(wAdminOption.getToken().getType() == HiveParser.TOK_GRANT_WITH_ADMIN_OPTION){
+    if((isGrant && wAdminOption.getToken().getType() == HiveParser.TOK_GRANT_WITH_ADMIN_OPTION) ||
+       (!isGrant && wAdminOption.getToken().getType() == HiveParser.TOK_ADMIN_OPTION_FOR)){
       rolesStartPos = 2; //start reading role names from next postion
       isAdmin = true;
     }

Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java (original)
+++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.java Sat Jul 12 01:59:45 2014
@@ -79,7 +79,7 @@ public class SQLStdHiveAccessController 
   private HiveRoleGrant adminRole;
   private final String ADMIN_ONLY_MSG = "User has to belong to ADMIN role and "
       + "have it as current role, for this action.";
-  private final String HAS_ADMIN_PRIV_MSG = "grantor need to have ADMIN privileges on role being"
+  private final String HAS_ADMIN_PRIV_MSG = "grantor need to have ADMIN OPTION on role being"
       + " granted and have it as a current role for this action.";
   public static final Log LOG = LogFactory.getLog(SQLStdHiveAccessController.class);
 
@@ -308,11 +308,6 @@ public class SQLStdHiveAccessController 
   public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roleNames,
     boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
     HiveAccessControlException {
-    if (grantOption) {
-      // removing grant privileges only is not supported in metastore api
-      throw new HiveAuthzPluginException("Revoking only the admin privileges on "
-        + "role is not currently supported");
-    }
     if (!(isUserAdmin() || doesUserHasAdminOption(roleNames))) {
       throw new HiveAccessControlException("Current user : " + currentUserName+ " is not"
           + " allowed to revoke role. " + ADMIN_ONLY_MSG + " Otherwise, " + HAS_ADMIN_PRIV_MSG);
@@ -322,7 +317,7 @@ public class SQLStdHiveAccessController 
         try {
           IMetaStoreClient mClient = metastoreClientFactory.getHiveMetastoreClient();
           mClient.revoke_role(roleName, hivePrincipal.getName(),
-              AuthorizationUtils.getThriftPrincipalType(hivePrincipal.getType()));
+              AuthorizationUtils.getThriftPrincipalType(hivePrincipal.getType()), grantOption);
         } catch (Exception e) {
           String msg = "Error revoking roles for " + hivePrincipal.getName() + " to role "
               + roleName + ": " + e.getMessage();

Added: hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant2.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant2.q?rev=1609876&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant2.q (added)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant2.q Sat Jul 12 01:59:45 2014
@@ -0,0 +1,30 @@
+set hive.users.in.admin.role=hive_admin_user;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+
+set role ADMIN;
+
+----------------------------------------
+-- grant role with admin option, then revoke admin option
+-- once the admin option has been revoked, last grant should fail
+----------------------------------------
+
+create role src_role_wadmin;
+grant  src_role_wadmin to user user2 with admin option;
+show role grant user user2;
+
+
+set user.name=user2;
+set role src_role_wadmin;
+grant  src_role_wadmin to user user3;
+revoke src_role_wadmin from user user3;
+
+set user.name=hive_admin_user;
+set role ADMIN;
+revoke admin option for src_role_wadmin from user user2;
+show role grant user user2;
+set user.name=user2;
+set role src_role_wadmin;
+-- grant/revoke should now fail
+grant  src_role_wadmin to user user3;

Modified: hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q (original)
+++ hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q Sat Jul 12 01:59:45 2014
@@ -26,6 +26,10 @@ create role src_role_wadmin;
 grant src_role_wadmin to user user2 with admin option;
 show role grant user user2;
 
+-- revoke admin option
+revoke admin option for src_role_wadmin from user user2;
+show role grant user user2;
+
 -- revoke role without role keyword
 revoke src_role_wadmin from user user2;
 show role grant user user2;

Modified: hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant.q.out?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant.q.out (original)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant.q.out Sat Jul 12 01:59:45 2014
@@ -41,4 +41,4 @@ POSTHOOK: query: set role role_noadmin
 POSTHOOK: type: SHOW_ROLES
 PREHOOK: query: grant  src_role_wadmin to user user3
 PREHOOK: type: GRANT_ROLE
-FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Current user : user2 is not allowed to grant role. User has to belong to ADMIN role and have it as current role, for this action. Otherwise, grantor need to have ADMIN privileges on role being granted and have it as a current role for this action.
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Current user : user2 is not allowed to grant role. User has to belong to ADMIN role and have it as current role, for this action. Otherwise, grantor need to have ADMIN OPTION on role being granted and have it as a current role for this action.

Added: hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant2.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant2.q.out?rev=1609876&view=auto
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant2.q.out (added)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant2.q.out Sat Jul 12 01:59:45 2014
@@ -0,0 +1,62 @@
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: ----------------------------------------
+-- grant role with admin option, then revoke admin option
+-- once the admin option has been revoked, last grant should fail
+----------------------------------------
+
+create role src_role_wadmin
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: ----------------------------------------
+-- grant role with admin option, then revoke admin option
+-- once the admin option has been revoked, last grant should fail
+----------------------------------------
+
+create role src_role_wadmin
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: grant  src_role_wadmin to user user2 with admin option
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant  src_role_wadmin to user user2 with admin option
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: show role grant user user2
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user user2
+POSTHOOK: type: SHOW_ROLE_GRANT
+public	false	-1	
+src_role_wadmin	true	-1	hive_admin_user
+PREHOOK: query: set role src_role_wadmin
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role src_role_wadmin
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: grant  src_role_wadmin to user user3
+PREHOOK: type: GRANT_ROLE
+POSTHOOK: query: grant  src_role_wadmin to user user3
+POSTHOOK: type: GRANT_ROLE
+PREHOOK: query: revoke src_role_wadmin from user user3
+PREHOOK: type: REVOKE_ROLE
+POSTHOOK: query: revoke src_role_wadmin from user user3
+POSTHOOK: type: REVOKE_ROLE
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: revoke admin option for src_role_wadmin from user user2
+PREHOOK: type: REVOKE_ROLE
+POSTHOOK: query: revoke admin option for src_role_wadmin from user user2
+POSTHOOK: type: REVOKE_ROLE
+PREHOOK: query: show role grant user user2
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user user2
+POSTHOOK: type: SHOW_ROLE_GRANT
+public	false	-1	
+src_role_wadmin	false	-1	hive_admin_user
+PREHOOK: query: set role src_role_wadmin
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role src_role_wadmin
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: -- grant/revoke should now fail
+grant  src_role_wadmin to user user3
+PREHOOK: type: GRANT_ROLE
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Current user : user2 is not allowed to grant role. User has to belong to ADMIN role and have it as current role, for this action. Otherwise, grantor need to have ADMIN OPTION on role being granted and have it as a current role for this action.

Modified: hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out?rev=1609876&r1=1609875&r2=1609876&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out (original)
+++ hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out Sat Jul 12 01:59:45 2014
@@ -71,6 +71,18 @@ POSTHOOK: query: show role grant user us
 POSTHOOK: type: SHOW_ROLE_GRANT
 public	false	-1	
 src_role_wadmin	true	-1	hive_admin_user
+PREHOOK: query: -- revoke admin option
+revoke admin option for src_role_wadmin from user user2
+PREHOOK: type: REVOKE_ROLE
+POSTHOOK: query: -- revoke admin option
+revoke admin option for src_role_wadmin from user user2
+POSTHOOK: type: REVOKE_ROLE
+PREHOOK: query: show role grant user user2
+PREHOOK: type: SHOW_ROLE_GRANT
+POSTHOOK: query: show role grant user user2
+POSTHOOK: type: SHOW_ROLE_GRANT
+public	false	-1	
+src_role_wadmin	false	-1	hive_admin_user
 PREHOOK: query: -- revoke role without role keyword
 revoke src_role_wadmin from user user2
 PREHOOK: type: REVOKE_ROLE



Mime
View raw message