hive-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From pxi...@apache.org
Subject hive git commit: HIVE-13095: Support view column authorization (Pengcheng Xiong, reviewed by Ashutosh Chauhan)
Date Mon, 29 Feb 2016 22:40:26 GMT
Repository: hive
Updated Branches:
  refs/heads/master aaa356932 -> 90a9a90ed


HIVE-13095: Support view column authorization (Pengcheng Xiong, reviewed by Ashutosh Chauhan)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/90a9a90e
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/90a9a90e
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/90a9a90e

Branch: refs/heads/master
Commit: 90a9a90edc6e5229b5030d655ffa19427779158b
Parents: aaa3569
Author: Pengcheng Xiong <pxiong@apache.org>
Authored: Mon Feb 29 14:40:01 2016 -0800
Committer: Pengcheng Xiong <pxiong@apache.org>
Committed: Mon Feb 29 14:40:01 2016 -0800

----------------------------------------------------------------------
 .../java/org/apache/hadoop/hive/ql/Driver.java  |   6 +
 .../hadoop/hive/ql/optimizer/ColumnPruner.java  |   4 +
 .../ql/optimizer/ColumnPrunerProcFactory.java   |  12 +
 .../calcite/rules/HiveRelFieldTrimmer.java      |  38 ++-
 .../hadoop/hive/ql/parse/CalcitePlanner.java    |  40 ++-
 .../hadoop/hive/ql/parse/ParseContext.java      |  35 ++-
 .../org/apache/hadoop/hive/ql/parse/QB.java     |  14 +-
 .../hadoop/hive/ql/parse/SemanticAnalyzer.java  |  34 +-
 .../hadoop/hive/ql/parse/TaskCompiler.java      |   2 +-
 .../clientnegative/authorization_view_1.q       |  13 +
 .../clientnegative/authorization_view_2.q       |  17 +
 .../clientnegative/authorization_view_3.q       |  15 +
 .../clientnegative/authorization_view_4.q       |  23 ++
 .../authorization_view_disable_cbo_1.q          |  14 +
 .../authorization_view_disable_cbo_2.q          |  17 +
 .../authorization_view_disable_cbo_3.q          |  16 +
 .../authorization_view_disable_cbo_4.q          |  24 ++
 .../clientpositive/authorization_view_1.q       |  59 ++++
 .../authorization_view_disable_cbo_1.q          |  70 +++++
 .../clientnegative/authorization_view_1.q.out   |  31 ++
 .../clientnegative/authorization_view_2.q.out   |  37 +++
 .../clientnegative/authorization_view_3.q.out   |  37 +++
 .../clientnegative/authorization_view_4.q.out   |  69 +++++
 .../authorization_view_disable_cbo_1.q.out      |  31 ++
 .../authorization_view_disable_cbo_2.q.out      |  37 +++
 .../authorization_view_disable_cbo_3.q.out      |  37 +++
 .../authorization_view_disable_cbo_4.q.out      |  69 +++++
 .../clientpositive/authorization_view_1.q.out   | 261 ++++++++++++++++
 .../authorization_view_disable_cbo_1.q.out      | 309 +++++++++++++++++++
 29 files changed, 1357 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
index 10bd97b..3253146 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
@@ -38,6 +38,7 @@ import java.util.concurrent.locks.ReentrantLock;
 
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Sets;
+
 import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.mapreduce.MRJobConfig;
 import org.slf4j.Logger;
@@ -85,6 +86,7 @@ import org.apache.hadoop.hive.ql.metadata.formatting.MetaDataFormatter;
 import org.apache.hadoop.hive.ql.optimizer.ppr.PartitionPruner;
 import org.apache.hadoop.hive.ql.parse.ASTNode;
 import org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer;
+import org.apache.hadoop.hive.ql.parse.CalcitePlanner;
 import org.apache.hadoop.hive.ql.parse.ColumnAccessInfo;
 import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHook;
 import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext;
@@ -747,6 +749,10 @@ public class Driver implements CommandProcessor {
           continue;
         }
         Table tbl = read.getTable();
+        if (tbl.isView() && sem instanceof SemanticAnalyzer) {
+          tab2Cols.put(tbl,
+              sem.getColumnAccessInfo().getTableToColumnAccessMap().get(tbl.getTableName()));
+        }
         if (read.getPartition() != null) {
           Partition partition = read.getPartition();
           tbl = partition.getTable();

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPruner.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPruner.java b/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPruner.java
index c353e3e..7e39d77 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPruner.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPruner.java
@@ -44,6 +44,7 @@ import org.apache.hadoop.hive.ql.lib.Node;
 import org.apache.hadoop.hive.ql.lib.NodeProcessor;
 import org.apache.hadoop.hive.ql.lib.Rule;
 import org.apache.hadoop.hive.ql.lib.RuleRegExp;
+import org.apache.hadoop.hive.ql.parse.ColumnAccessInfo;
 import org.apache.hadoop.hive.ql.parse.ParseContext;
 import org.apache.hadoop.hive.ql.parse.SemanticException;
 
@@ -133,6 +134,9 @@ public class ColumnPruner extends Transform {
     ArrayList<Node> topNodes = new ArrayList<Node>();
     topNodes.addAll(pGraphContext.getTopOps().values());
     ogw.startWalking(topNodes, null);
+    // set it back so that column pruner in the optimizer will not do the
+    // view column authorization again even if it is triggered again.
+    pGraphContext.setNeedViewColumnAuthorization(false);
     return pGraphContext;
   }
 

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPrunerProcFactory.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPrunerProcFactory.java b/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPrunerProcFactory.java
index 78bce23..7638ba0 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPrunerProcFactory.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/optimizer/ColumnPrunerProcFactory.java
@@ -52,6 +52,7 @@ import org.apache.hadoop.hive.ql.exec.Utilities;
 import org.apache.hadoop.hive.ql.lib.Node;
 import org.apache.hadoop.hive.ql.lib.NodeProcessor;
 import org.apache.hadoop.hive.ql.lib.NodeProcessorCtx;
+import org.apache.hadoop.hive.ql.metadata.Table;
 import org.apache.hadoop.hive.ql.metadata.VirtualColumn;
 import org.apache.hadoop.hive.ql.parse.RowResolver;
 import org.apache.hadoop.hive.ql.parse.SemanticException;
@@ -781,6 +782,17 @@ public final class ColumnPrunerProcFactory {
       // by now, 'prunedCols' are columns used by child operators, and 'columns'
       // are columns used by this select operator.
       List<String> originalOutputColumnNames = conf.getOutputColumnNames();
+      // get view column authorization.
+      if (cppCtx.getParseContext().getColumnAccessInfo() != null
+          && cppCtx.getParseContext().getViewProjectToTableSchema() != null
+          && cppCtx.getParseContext().getViewProjectToTableSchema().containsKey(op)) {
+        for (String col : cols) {
+          int index = originalOutputColumnNames.indexOf(col);
+          Table tab = cppCtx.getParseContext().getViewProjectToTableSchema().get(op);
+          cppCtx.getParseContext().getColumnAccessInfo()
+              .add(tab.getTableName(), tab.getCols().get(index).getName());
+        }
+      }
       if (cols.size() < originalOutputColumnNames.size()) {
         ArrayList<ExprNodeDesc> newColList = new ArrayList<ExprNodeDesc>();
         ArrayList<String> newOutputColumnNames = new ArrayList<String>();

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/rules/HiveRelFieldTrimmer.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/rules/HiveRelFieldTrimmer.java b/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/rules/HiveRelFieldTrimmer.java
index 18145ae..997b82c 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/rules/HiveRelFieldTrimmer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/optimizer/calcite/rules/HiveRelFieldTrimmer.java
@@ -21,8 +21,10 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.LinkedHashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 
+import org.apache.calcite.linq4j.Ord;
 import org.apache.calcite.plan.RelOptCluster;
 import org.apache.calcite.plan.RelOptUtil;
 import org.apache.calcite.rel.RelCollation;
@@ -50,7 +52,6 @@ import org.apache.calcite.sql2rel.CorrelationReferenceFinder;
 import org.apache.calcite.sql2rel.RelFieldTrimmer;
 import org.apache.calcite.tools.RelBuilder;
 import org.apache.calcite.util.ImmutableBitSet;
-import org.apache.calcite.util.Stacks;
 import org.apache.calcite.util.Util;
 import org.apache.calcite.util.mapping.IntPair;
 import org.apache.calcite.util.mapping.Mapping;
@@ -58,8 +59,11 @@ import org.apache.calcite.util.mapping.MappingType;
 import org.apache.calcite.util.mapping.Mappings;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.hive.ql.metadata.Table;
 import org.apache.hadoop.hive.ql.optimizer.calcite.reloperators.HiveMultiJoin;
+import org.apache.hadoop.hive.ql.optimizer.calcite.reloperators.HiveProject;
 import org.apache.hadoop.hive.ql.optimizer.calcite.reloperators.HiveSortLimit;
+import org.apache.hadoop.hive.ql.parse.ColumnAccessInfo;
 
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Lists;
@@ -70,11 +74,23 @@ public class HiveRelFieldTrimmer extends RelFieldTrimmer {
 
   private RelBuilder relBuilder;
 
+  private ColumnAccessInfo columnAccessInfo;
+
+  private Map<HiveProject, Table> viewProjectToTableSchema;
+
   public HiveRelFieldTrimmer(SqlValidator validator, RelBuilder relBuilder) {
     super(validator, relBuilder);
     this.relBuilder = relBuilder;
   }
 
+  public HiveRelFieldTrimmer(SqlValidator validator, RelBuilder relBuilder,
+      ColumnAccessInfo columnAccessInfo, Map<HiveProject, Table> viewToTableSchema) {
+    super(validator, relBuilder);
+    this.relBuilder = relBuilder;
+    this.columnAccessInfo = columnAccessInfo;
+    this.viewProjectToTableSchema = viewToTableSchema;
+  }
+
   /**
    * Variant of {@link #trimFields(RelNode, ImmutableBitSet, Set)} for
    * {@link org.apache.hadoop.hive.ql.optimizer.calcite.reloperators.HiveMultiJoin}.
@@ -358,4 +374,24 @@ public class HiveRelFieldTrimmer extends RelFieldTrimmer {
     }
     return new TrimResult(r, mapping);
   }
+
+  /**
+   * Variant of {@link #trimFields(RelNode, ImmutableBitSet, Set)} for
+   * {@link org.apache.calcite.rel.logical.LogicalProject}.
+   */
+  public TrimResult trimFields(Project project, ImmutableBitSet fieldsUsed,
+      Set<RelDataTypeField> extraFields) {
+    // set columnAccessInfo for ViewColumnAuthorization
+    for (Ord<RexNode> ord : Ord.zip(project.getProjects())) {
+      if (fieldsUsed.get(ord.i)) {
+        if (this.columnAccessInfo != null && this.viewProjectToTableSchema != null
+            && this.viewProjectToTableSchema.containsKey(project)) {
+          Table tab = this.viewProjectToTableSchema.get(project);
+          this.columnAccessInfo.add(tab.getTableName(), tab.getCols().get(ord.i).getName());
+        }
+      }
+    }
+    return super.trimFields(project, fieldsUsed, extraFields);
+  }
+
 }

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/parse/CalcitePlanner.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/CalcitePlanner.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/CalcitePlanner.java
index f928a58..d056c5d 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/parse/CalcitePlanner.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/CalcitePlanner.java
@@ -695,7 +695,12 @@ public class CalcitePlanner extends SemanticAnalyzer {
   ASTNode getOptimizedAST() throws SemanticException {
     ASTNode optiqOptimizedAST = null;
     RelNode optimizedOptiqPlan = null;
-    CalcitePlannerAction calcitePlannerAction = new CalcitePlannerAction(prunedPartitions);
+
+    CalcitePlannerAction calcitePlannerAction = null;
+    if (this.columnAccessInfo == null) {
+      this.columnAccessInfo = new ColumnAccessInfo();
+    }
+    calcitePlannerAction = new CalcitePlannerAction(prunedPartitions, this.columnAccessInfo);
 
     try {
       optimizedOptiqPlan = Frameworks.withPlanner(calcitePlannerAction, Frameworks
@@ -717,7 +722,11 @@ public class CalcitePlanner extends SemanticAnalyzer {
    */
   Operator getOptimizedHiveOPDag() throws SemanticException {
     RelNode optimizedOptiqPlan = null;
-    CalcitePlannerAction calcitePlannerAction = new CalcitePlannerAction(prunedPartitions);
+    CalcitePlannerAction calcitePlannerAction = null;
+    if (this.columnAccessInfo == null) {
+      this.columnAccessInfo = new ColumnAccessInfo();
+    }
+    calcitePlannerAction = new CalcitePlannerAction(prunedPartitions, this.columnAccessInfo);
 
     try {
       optimizedOptiqPlan = Frameworks.withPlanner(calcitePlannerAction, Frameworks
@@ -879,14 +888,17 @@ public class CalcitePlanner extends SemanticAnalyzer {
     private RelOptCluster                                 cluster;
     private RelOptSchema                                  relOptSchema;
     private final Map<String, PrunedPartitionList>        partitionCache;
+    private final ColumnAccessInfo columnAccessInfo;
+    private Map<HiveProject, Table> viewProjectToTableSchema;
 
     // TODO: Do we need to keep track of RR, ColNameToPosMap for every op or
     // just last one.
     LinkedHashMap<RelNode, RowResolver>                   relToHiveRR                   = new LinkedHashMap<RelNode, RowResolver>();
     LinkedHashMap<RelNode, ImmutableMap<String, Integer>> relToHiveColNameCalcitePosMap = new LinkedHashMap<RelNode, ImmutableMap<String, Integer>>();
 
-    CalcitePlannerAction(Map<String, PrunedPartitionList> partitionCache) {
+    CalcitePlannerAction(Map<String, PrunedPartitionList> partitionCache, ColumnAccessInfo columnAccessInfo) {
       this.partitionCache = partitionCache;
+      this.columnAccessInfo = columnAccessInfo;
     }
 
     @Override
@@ -928,6 +940,12 @@ public class CalcitePlanner extends SemanticAnalyzer {
       }
       perfLogger.PerfLogEnd(this.getClass().getName(), PerfLogger.OPTIMIZER, "Calcite: Plan generation");
 
+      // We need to get the ColumnAccessInfo and viewToTableSchema for views.
+      HiveRelFieldTrimmer fieldTrimmer = new HiveRelFieldTrimmer(null,
+          HiveRelFactories.HIVE_BUILDER.create(cluster, null), this.columnAccessInfo,
+          this.viewProjectToTableSchema);
+      fieldTrimmer.trim(calciteGenPlan);
+
       // Create MD provider
       HiveDefaultRelMetadataProvider mdProvider = new HiveDefaultRelMetadataProvider(conf);
 
@@ -1048,7 +1066,7 @@ public class CalcitePlanner extends SemanticAnalyzer {
                 HiveJoinToMultiJoinRule.INSTANCE, HiveProjectMergeRule.INSTANCE);
         // The previous rules can pull up projections through join operators,
         // thus we run the field trimmer again to push them back down
-        HiveRelFieldTrimmer fieldTrimmer = new HiveRelFieldTrimmer(null,
+        fieldTrimmer = new HiveRelFieldTrimmer(null,
             HiveRelFactories.HIVE_BUILDER.create(cluster, null));
         calciteOptimizedPlan = fieldTrimmer.trim(calciteOptimizedPlan);
         calciteOptimizedPlan = hepPlan(calciteOptimizedPlan, false, mdProvider.getMetadataProvider(), null,
@@ -3020,7 +3038,19 @@ public class CalcitePlanner extends SemanticAnalyzer {
       // 1.1. Recurse over the subqueries to fill the subquery part of the plan
       for (String subqAlias : qb.getSubqAliases()) {
         QBExpr qbexpr = qb.getSubqForAlias(subqAlias);
-        aliasToRel.put(subqAlias, genLogicalPlan(qbexpr));
+        RelNode relNode = genLogicalPlan(qbexpr);
+        aliasToRel.put(subqAlias, relNode);
+        if (qb.getViewToTabSchema().containsKey(subqAlias)) {
+          if (relNode instanceof HiveProject) {
+            if (this.viewProjectToTableSchema == null) {
+              this.viewProjectToTableSchema = new LinkedHashMap<>();
+            }
+            viewProjectToTableSchema.put((HiveProject) relNode, qb.getViewToTabSchema().get(subqAlias));
+          } else {
+            throw new SemanticException("View " + subqAlias + " is corresponding to "
+                + relNode.toString() + ", rather than a HiveProject.");
+          }
+        }
       }
 
       // 1.2 Recurse over all the source tables

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/parse/ParseContext.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/ParseContext.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/ParseContext.java
index 642c227..4f784d1 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/parse/ParseContext.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/ParseContext.java
@@ -36,10 +36,12 @@ import org.apache.hadoop.hive.ql.exec.MapJoinOperator;
 import org.apache.hadoop.hive.ql.exec.Operator;
 import org.apache.hadoop.hive.ql.exec.ReduceSinkOperator;
 import org.apache.hadoop.hive.ql.exec.SMBMapJoinOperator;
+import org.apache.hadoop.hive.ql.exec.SelectOperator;
 import org.apache.hadoop.hive.ql.exec.TableScanOperator;
 import org.apache.hadoop.hive.ql.exec.Task;
 import org.apache.hadoop.hive.ql.hooks.LineageInfo;
 import org.apache.hadoop.hive.ql.hooks.ReadEntity;
+import org.apache.hadoop.hive.ql.metadata.Table;
 import org.apache.hadoop.hive.ql.optimizer.ppr.PartitionPruner;
 import org.apache.hadoop.hive.ql.optimizer.unionproc.UnionProcContext;
 import org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer.AnalyzeRewriteContext;
@@ -107,6 +109,9 @@ public class ParseContext {
   private CreateTableDesc createTableDesc;
   private boolean reduceSinkAddedBySortedDynPartition;
 
+  private Map<SelectOperator, Table> viewProjectToViewSchema;  
+  private ColumnAccessInfo columnAccessInfo;
+  private boolean needViewColumnAuthorization;
 
   public ParseContext() {
   }
@@ -165,7 +170,7 @@ public class ParseContext {
       Map<String, ReadEntity> viewAliasToInput,
       List<ReduceSinkOperator> reduceSinkOperatorsAddedByEnforceBucketingSorting,
       AnalyzeRewriteContext analyzeRewrite, CreateTableDesc createTableDesc,
-      QueryProperties queryProperties) {
+      QueryProperties queryProperties, Map<SelectOperator, Table> viewProjectToTableSchema) {
     this.conf = conf;
     this.opToPartPruner = opToPartPruner;
     this.opToPartList = opToPartList;
@@ -192,6 +197,14 @@ public class ParseContext {
     this.analyzeRewrite = analyzeRewrite;
     this.createTableDesc = createTableDesc;
     this.queryProperties = queryProperties;
+    this.viewProjectToViewSchema = viewProjectToTableSchema;
+    this.needViewColumnAuthorization = viewProjectToTableSchema != null
+        && !viewProjectToTableSchema.isEmpty();
+    if (this.needViewColumnAuthorization) {
+      // this will trigger the column pruner to collect view column
+      // authorization info.
+      this.columnAccessInfo = new ColumnAccessInfo();
+    }
   }
 
   /**
@@ -539,4 +552,24 @@ public class ParseContext {
   public boolean isReduceSinkAddedBySortedDynPartition() {
     return reduceSinkAddedBySortedDynPartition;
   }
+
+  public Map<SelectOperator, Table> getViewProjectToTableSchema() {
+    return viewProjectToViewSchema;
+  }
+
+  public ColumnAccessInfo getColumnAccessInfo() {
+    return columnAccessInfo;
+  }
+
+  public void setColumnAccessInfo(ColumnAccessInfo columnAccessInfo) {
+    this.columnAccessInfo = columnAccessInfo;
+  }
+
+  public boolean isNeedViewColumnAuthorization() {
+    return needViewColumnAuthorization;
+  }
+
+  public void setNeedViewColumnAuthorization(boolean needViewColumnAuthorization) {
+    this.needViewColumnAuthorization = needViewColumnAuthorization;
+  }
 }

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/parse/QB.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/QB.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/QB.java
index f04b493..91352b2 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/parse/QB.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/QB.java
@@ -47,6 +47,7 @@ public class QB {
   private int numSelDi = 0;
   private HashMap<String, String> aliasToTabs;
   private HashMap<String, QBExpr> aliasToSubq;
+  private HashMap<String, Table> viewAliasToViewSchema;
   private HashMap<String, Map<String, String>> aliasToProps;
   private List<String> aliases;
   private QBParseInfo qbp;
@@ -110,6 +111,7 @@ public class QB {
     // Must be deterministic order maps - see HIVE-8707
     aliasToTabs = new LinkedHashMap<String, String>();
     aliasToSubq = new LinkedHashMap<String, QBExpr>();
+    viewAliasToViewSchema = new LinkedHashMap<String, Table>();
     aliasToProps = new LinkedHashMap<String, Map<String, String>>();
     aliases = new ArrayList<String>();
     if (alias != null) {
@@ -231,15 +233,18 @@ public class QB {
     return aliasToProps.get(alias.toLowerCase());
   }
 
-  public void rewriteViewToSubq(String alias, String viewName, QBExpr qbexpr) {
+  public void rewriteViewToSubq(String alias, String viewName, QBExpr qbexpr, Table tab) {
     alias = alias.toLowerCase();
     String tableName = aliasToTabs.remove(alias);
     assert (viewName.equals(tableName));
     aliasToSubq.put(alias, qbexpr);
+    if (tab != null) {
+      viewAliasToViewSchema.put(alias, tab);
+    }
   }
 
   public void rewriteCTEToSubq(String alias, String cteName, QBExpr qbexpr) {
-    rewriteViewToSubq(alias, cteName, qbexpr);
+    rewriteViewToSubq(alias, cteName, qbexpr, null);
   }
 
   public QBJoinTree getQbJoinTree() {
@@ -406,4 +411,9 @@ public class QB {
     }
     return encryptedTargetTablePaths;
   }
+
+  public HashMap<String, Table> getViewToTabSchema() {
+    return viewAliasToViewSchema;
+  }
+
 }

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
index 7d2595d..0db1dab 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/SemanticAnalyzer.java
@@ -117,6 +117,7 @@ import org.apache.hadoop.hive.ql.metadata.Partition;
 import org.apache.hadoop.hive.ql.metadata.SessionHiveMetaStoreClient;
 import org.apache.hadoop.hive.ql.metadata.Table;
 import org.apache.hadoop.hive.ql.metadata.VirtualColumn;
+import org.apache.hadoop.hive.ql.optimizer.ColumnPruner;
 import org.apache.hadoop.hive.ql.optimizer.Optimizer;
 import org.apache.hadoop.hive.ql.optimizer.Transform;
 import org.apache.hadoop.hive.ql.optimizer.calcite.CalciteSemanticException;
@@ -262,6 +263,7 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer {
   List<AbstractMapJoinOperator<? extends MapJoinDesc>> listMapJoinOpsNoReducer;
   private HashMap<TableScanOperator, SampleDesc> opToSamplePruner;
   private final Map<TableScanOperator, Map<String, ExprNodeDesc>> opToPartToSkewedPruner;
+  private Map<SelectOperator, Table> viewProjectToTableSchema;
   /**
    * a map for the split sampling, from alias to an instance of SplitSample
    * that describes percentage and number.
@@ -427,7 +429,7 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer {
         listMapJoinOpsNoReducer, prunedPartitions,
         opToSamplePruner, globalLimitCtx, nameToSplitSample, inputs, rootTasks,
         opToPartToSkewedPruner, viewAliasToInput, reduceSinkOperatorsAddedByEnforceBucketingSorting,
-        analyzeRewrite, tableDesc, queryProperties);
+        analyzeRewrite, tableDesc, queryProperties, viewProjectToTableSchema);
   }
 
   public CompilationOpContext getOpContext() {
@@ -2303,7 +2305,13 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer {
     }
     QBExpr qbexpr = new QBExpr(alias);
     doPhase1QBExpr(viewTree, qbexpr, qb.getId(), alias);
-    qb.rewriteViewToSubq(alias, tab_name, qbexpr);
+    if (!this.skipAuthorization()
+        && HiveConf.getBoolVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
+      qb.rewriteViewToSubq(alias, tab_name, qbexpr, tab);
+    }
+    else{
+      qb.rewriteViewToSubq(alias, tab_name, qbexpr, null);
+    }
   }
 
   private boolean isPresent(String[] list, String elem) {
@@ -9855,7 +9863,21 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer {
     // Recurse over the subqueries to fill the subquery part of the plan
     for (String alias : qb.getSubqAliases()) {
       QBExpr qbexpr = qb.getSubqForAlias(alias);
-      aliasToOpInfo.put(alias, genPlan(qb, qbexpr));
+      Operator operator = genPlan(qb, qbexpr);
+      aliasToOpInfo.put(alias, operator);
+      if (qb.getViewToTabSchema().containsKey(alias)) {
+        // we set viewProjectToTableSchema so that we can leverage ColumnPruner.
+        if (operator instanceof SelectOperator) {
+          if (this.viewProjectToTableSchema == null) {
+            this.viewProjectToTableSchema = new LinkedHashMap<>();
+          }
+          viewProjectToTableSchema.put((SelectOperator) operator, qb.getViewToTabSchema()
+              .get(alias));
+        } else {
+          throw new SemanticException("View " + alias + " is corresponding to "
+              + operator.getType().name() + ", rather than a SelectOperator.");
+        }
+      }
     }
 
     // Recurse over all the source tables
@@ -10376,7 +10398,7 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer {
         listMapJoinOpsNoReducer, prunedPartitions, opToSamplePruner,
         globalLimitCtx, nameToSplitSample, inputs, rootTasks, opToPartToSkewedPruner,
         viewAliasToInput, reduceSinkOperatorsAddedByEnforceBucketingSorting,
-        analyzeRewrite, tableDesc, queryProperties);
+        analyzeRewrite, tableDesc, queryProperties, viewProjectToTableSchema);
 
     // 5. Take care of view creation
     if (createVwDesc != null) {
@@ -10426,6 +10448,10 @@ public class SemanticAnalyzer extends BaseSemanticAnalyzer {
     optm.setPctx(pCtx);
     optm.initialize(conf);
     pCtx = optm.optimize();
+    if (pCtx.getColumnAccessInfo() != null) {
+      // set ColumnAccessInfo for view column authorization
+      setColumnAccessInfo(pCtx.getColumnAccessInfo());
+    }
     FetchTask origFetchTask = pCtx.getFetchTask();
     if (LOG.isDebugEnabled()) {
       LOG.debug("After logical optimization\n" + Operator.toString(pCtx.getTopOps().values()));

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/java/org/apache/hadoop/hive/ql/parse/TaskCompiler.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/parse/TaskCompiler.java b/ql/src/java/org/apache/hadoop/hive/ql/parse/TaskCompiler.java
index fc555ca..7415078 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/parse/TaskCompiler.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/parse/TaskCompiler.java
@@ -402,7 +402,7 @@ public abstract class TaskCompiler {
         pCtx.getNameToSplitSample(), pCtx.getSemanticInputs(), rootTasks,
         pCtx.getOpToPartToSkewedPruner(), pCtx.getViewAliasToInput(),
         pCtx.getReduceSinkOperatorsAddedByEnforceBucketingSorting(),
-        pCtx.getAnalyzeRewrite(), pCtx.getCreateTable(), pCtx.getQueryProperties());
+        pCtx.getAnalyzeRewrite(), pCtx.getCreateTable(), pCtx.getQueryProperties(), pCtx.getViewProjectToTableSchema());
     clone.setFetchTask(pCtx.getFetchTask());
     clone.setLineageInfo(pCtx.getLineageInfo());
     clone.setMapJoinOps(pCtx.getMapJoinOps());

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientnegative/authorization_view_1.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/authorization_view_1.q b/ql/src/test/queries/clientnegative/authorization_view_1.q
new file mode 100644
index 0000000..d37b406
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_view_1.q
@@ -0,0 +1,13 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+create table src_autho_test as select * from src;
+
+create view v as select * from src_autho_test;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user;
+
+select * from v order by key limit 1;

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientnegative/authorization_view_2.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/authorization_view_2.q b/ql/src/test/queries/clientnegative/authorization_view_2.q
new file mode 100644
index 0000000..37297c8
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_view_2.q
@@ -0,0 +1,17 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+create table src_autho_test as select * from src;
+
+create view v as select * from src_autho_test;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user;
+
+grant select(key) on table v to user hive_test_user;
+
+select key from
+(select v.key from src_autho_test join v on src_autho_test.value=v.value)subq 
+order by key limit 10;

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientnegative/authorization_view_3.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/authorization_view_3.q b/ql/src/test/queries/clientnegative/authorization_view_3.q
new file mode 100644
index 0000000..abcd877
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_view_3.q
@@ -0,0 +1,15 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+create table src_autho_test as select * from src;
+
+create view v as select * from src_autho_test;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user;
+
+grant select(key) on v to user hive_test_user;
+
+select * from v order by key limit 1;

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientnegative/authorization_view_4.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/authorization_view_4.q b/ql/src/test/queries/clientnegative/authorization_view_4.q
new file mode 100644
index 0000000..c51bdae
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_view_4.q
@@ -0,0 +1,23 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+create table src_autho_test as select * from src;
+
+create view v as select * from src_autho_test;
+
+create view v1 as select * from src_autho_test;
+
+create view v2 as select * from src_autho_test;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select on table src_autho_test to user hive_test_user;
+
+grant select on table v to user hive_test_user;
+grant select on table v1 to user hive_test_user;
+grant select(key) on table v2 to user hive_test_user;
+
+select key from
+(select value as key from v1 union select value as key from v2 union all select key from v)subq
+limit 10;

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_1.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_1.q b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_1.q
new file mode 100644
index 0000000..7c4b343
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_1.q
@@ -0,0 +1,14 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+set hive.cbo.enable=false;
+
+create table src_autho_test as select * from src;
+
+create view v as select * from src_autho_test;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user;
+
+select * from v order by key limit 1;

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_2.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_2.q b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_2.q
new file mode 100644
index 0000000..37297c8
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_2.q
@@ -0,0 +1,17 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+create table src_autho_test as select * from src;
+
+create view v as select * from src_autho_test;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user;
+
+grant select(key) on table v to user hive_test_user;
+
+select key from
+(select v.key from src_autho_test join v on src_autho_test.value=v.value)subq 
+order by key limit 10;

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_3.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_3.q b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_3.q
new file mode 100644
index 0000000..954072d
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_3.q
@@ -0,0 +1,16 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+set hive.cbo.enable=false;
+
+create table src_autho_test as select * from src;
+
+create view v as select * from src_autho_test;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user;
+
+grant select(key) on v to user hive_test_user;
+
+select * from v order by key limit 1;

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_4.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_4.q b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_4.q
new file mode 100644
index 0000000..11cedcf
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/authorization_view_disable_cbo_4.q
@@ -0,0 +1,24 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+set hive.cbo.enable=false;
+
+create table src_autho_test as select * from src;
+
+create view v as select * from src_autho_test;
+
+create view v1 as select * from src_autho_test;
+
+create view v2 as select * from src_autho_test;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select on table src_autho_test to user hive_test_user;
+
+grant select on table v to user hive_test_user;
+grant select on table v1 to user hive_test_user;
+grant select(key) on table v2 to user hive_test_user;
+
+select key from
+(select value as key from v1 union select value as key from v2 union all select key from v)subq
+limit 10;

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientpositive/authorization_view_1.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientpositive/authorization_view_1.q b/ql/src/test/queries/clientpositive/authorization_view_1.q
new file mode 100644
index 0000000..86accdc
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/authorization_view_1.q
@@ -0,0 +1,59 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+
+create table src_autho_test as select * from src;
+
+create view v as select * from src_autho_test;
+
+create view v1 as select * from src_autho_test;
+
+create view v2 as select * from src_autho_test;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select on table src_autho_test to user hive_test_user;
+
+grant select on table v to user hive_test_user;
+grant select on table v1 to user hive_test_user;
+grant select on table v2 to user hive_test_user;
+
+show grant user hive_test_user on table v;
+show grant user hive_test_user on v;
+show grant user hive_test_user on v(key);
+
+select * from v order by key limit 10;
+
+revoke select on table src_autho_test from user hive_test_user;
+
+show grant user hive_test_user on table v;
+show grant user hive_test_user on v;
+show grant user hive_test_user on v(key);
+
+revoke select on table v from user hive_test_user;
+
+show grant user hive_test_user on table v;
+show grant user hive_test_user on v;
+show grant user hive_test_user on v(key);
+
+--column grant to user
+
+grant select on table src_autho_test to user hive_test_user;
+grant select(key) on table v to user hive_test_user;
+
+show grant user hive_test_user on table v;
+show grant user hive_test_user on v(key);
+
+select key from v order by key limit 10;
+
+select key from
+(select v.key from src_autho_test join v on src_autho_test.key=v.key)subq 
+order by key limit 10;
+
+select key from
+(select key as key from src_autho_test union all select key from v)subq 
+limit 10;
+
+select key from
+(select value as key from v2 union select value as key from v1 union all select key from v)subq
+limit 10;

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/queries/clientpositive/authorization_view_disable_cbo_1.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientpositive/authorization_view_disable_cbo_1.q b/ql/src/test/queries/clientpositive/authorization_view_disable_cbo_1.q
new file mode 100644
index 0000000..42652ea
--- /dev/null
+++ b/ql/src/test/queries/clientpositive/authorization_view_disable_cbo_1.q
@@ -0,0 +1,70 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider;
+set hive.cbo.enable=false;
+
+create table src_autho_test as select * from src;
+
+create view v as select * from src_autho_test;
+
+create view v1 as select * from src_autho_test;
+
+create view v2 as select * from src_autho_test;
+
+set hive.security.authorization.enabled=true;
+
+--table grant to user
+
+grant select on table src_autho_test to user hive_test_user;
+
+grant select on table v to user hive_test_user;
+grant select on table v1 to user hive_test_user;
+grant select on table v2 to user hive_test_user;
+
+show grant user hive_test_user on table v;
+show grant user hive_test_user on v;
+show grant user hive_test_user on v(key);
+
+select * from v order by key limit 10;
+
+revoke select on table src_autho_test from user hive_test_user;
+
+show grant user hive_test_user on table v;
+show grant user hive_test_user on v;
+show grant user hive_test_user on v(key);
+
+revoke select on table v from user hive_test_user;
+
+show grant user hive_test_user on table v;
+show grant user hive_test_user on v;
+show grant user hive_test_user on v(key);
+
+--column grant to user
+
+grant select on table src_autho_test to user hive_test_user;
+grant select(key) on table v to user hive_test_user;
+
+show grant user hive_test_user on table v;
+show grant user hive_test_user on v(key);
+
+select key from v order by key limit 10;
+
+select key from
+(select v.key from src_autho_test join v on src_autho_test.key=v.key)subq 
+order by key limit 10;
+
+select key from
+(select key as key from src_autho_test union all select key from v)subq 
+limit 10;
+
+select key from
+(select value as key from v2 union select value as key from v1 union all select key from v)subq
+limit 10;
+
+set hive.cbo.enable=true;
+
+--although cbo is enabled, it will not succeed.
+
+select key from v sort by key limit 10;
+
+select key from
+(select key as key from src_autho_test union all select key from v cluster by key)subq
+limit 10;

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientnegative/authorization_view_1.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/authorization_view_1.q.out b/ql/src/test/results/clientnegative/authorization_view_1.q.out
new file mode 100644
index 0000000..2feb0d8
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_view_1.q.out
@@ -0,0 +1,31 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: create view v as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v
+POSTHOOK: query: create view v as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v
+PREHOOK: query: --table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: --table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+Authorization failed:No privilege 'Select' found for inputs { database:default, table:v, columnName:key}. Use SHOW GRANT to get more details.

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientnegative/authorization_view_2.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/authorization_view_2.q.out b/ql/src/test/results/clientnegative/authorization_view_2.q.out
new file mode 100644
index 0000000..0f8bd13
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_view_2.q.out
@@ -0,0 +1,37 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: create view v as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v
+POSTHOOK: query: create view v as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v
+PREHOOK: query: --table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: --table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: grant select(key) on table v to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v
+POSTHOOK: query: grant select(key) on table v to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v
+Authorization failed:No privilege 'Select' found for inputs { database:default, table:src_autho_test, columnName:value}. Use SHOW GRANT to get more details.

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientnegative/authorization_view_3.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/authorization_view_3.q.out b/ql/src/test/results/clientnegative/authorization_view_3.q.out
new file mode 100644
index 0000000..e6d2352
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_view_3.q.out
@@ -0,0 +1,37 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: create view v as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v
+POSTHOOK: query: create view v as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v
+PREHOOK: query: --table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: --table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: grant select(key) on v to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v
+POSTHOOK: query: grant select(key) on v to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v
+Authorization failed:No privilege 'Select' found for inputs { database:default, table:v, columnName:value}. Use SHOW GRANT to get more details.

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientnegative/authorization_view_4.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/authorization_view_4.q.out b/ql/src/test/results/clientnegative/authorization_view_4.q.out
new file mode 100644
index 0000000..371d407
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_view_4.q.out
@@ -0,0 +1,69 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: create view v as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v
+POSTHOOK: query: create view v as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v
+PREHOOK: query: create view v1 as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v1
+POSTHOOK: query: create view v1 as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v1
+PREHOOK: query: create view v2 as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v2
+POSTHOOK: query: create view v2 as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v2
+PREHOOK: query: --table grant to user
+
+grant select on table src_autho_test to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: --table grant to user
+
+grant select on table src_autho_test to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: grant select on table v to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v
+POSTHOOK: query: grant select on table v to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v
+PREHOOK: query: grant select on table v1 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v1
+POSTHOOK: query: grant select on table v1 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v1
+PREHOOK: query: grant select(key) on table v2 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v2
+POSTHOOK: query: grant select(key) on table v2 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v2
+Authorization failed:No privilege 'Select' found for inputs { database:default, table:v2, columnName:value}. Use SHOW GRANT to get more details.

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientnegative/authorization_view_disable_cbo_1.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/authorization_view_disable_cbo_1.q.out b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_1.q.out
new file mode 100644
index 0000000..2feb0d8
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_1.q.out
@@ -0,0 +1,31 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: create view v as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v
+POSTHOOK: query: create view v as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v
+PREHOOK: query: --table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: --table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+Authorization failed:No privilege 'Select' found for inputs { database:default, table:v, columnName:key}. Use SHOW GRANT to get more details.

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientnegative/authorization_view_disable_cbo_2.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/authorization_view_disable_cbo_2.q.out b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_2.q.out
new file mode 100644
index 0000000..0f8bd13
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_2.q.out
@@ -0,0 +1,37 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: create view v as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v
+POSTHOOK: query: create view v as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v
+PREHOOK: query: --table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: --table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: grant select(key) on table v to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v
+POSTHOOK: query: grant select(key) on table v to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v
+Authorization failed:No privilege 'Select' found for inputs { database:default, table:src_autho_test, columnName:value}. Use SHOW GRANT to get more details.

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientnegative/authorization_view_disable_cbo_3.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/authorization_view_disable_cbo_3.q.out b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_3.q.out
new file mode 100644
index 0000000..e6d2352
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_3.q.out
@@ -0,0 +1,37 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: create view v as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v
+POSTHOOK: query: create view v as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v
+PREHOOK: query: --table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: --table grant to user
+
+grant select(key) on table src_autho_test to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: grant select(key) on v to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v
+POSTHOOK: query: grant select(key) on v to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v
+Authorization failed:No privilege 'Select' found for inputs { database:default, table:v, columnName:value}. Use SHOW GRANT to get more details.

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientnegative/authorization_view_disable_cbo_4.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/authorization_view_disable_cbo_4.q.out b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_4.q.out
new file mode 100644
index 0000000..371d407
--- /dev/null
+++ b/ql/src/test/results/clientnegative/authorization_view_disable_cbo_4.q.out
@@ -0,0 +1,69 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: create view v as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v
+POSTHOOK: query: create view v as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v
+PREHOOK: query: create view v1 as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v1
+POSTHOOK: query: create view v1 as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v1
+PREHOOK: query: create view v2 as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v2
+POSTHOOK: query: create view v2 as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v2
+PREHOOK: query: --table grant to user
+
+grant select on table src_autho_test to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: --table grant to user
+
+grant select on table src_autho_test to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: grant select on table v to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v
+POSTHOOK: query: grant select on table v to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v
+PREHOOK: query: grant select on table v1 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v1
+POSTHOOK: query: grant select on table v1 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v1
+PREHOOK: query: grant select(key) on table v2 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v2
+POSTHOOK: query: grant select(key) on table v2 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v2
+Authorization failed:No privilege 'Select' found for inputs { database:default, table:v2, columnName:value}. Use SHOW GRANT to get more details.

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientpositive/authorization_view_1.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientpositive/authorization_view_1.q.out b/ql/src/test/results/clientpositive/authorization_view_1.q.out
new file mode 100644
index 0000000..0703c4f
--- /dev/null
+++ b/ql/src/test/results/clientpositive/authorization_view_1.q.out
@@ -0,0 +1,261 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: create view v as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v
+POSTHOOK: query: create view v as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v
+PREHOOK: query: create view v1 as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v1
+POSTHOOK: query: create view v1 as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v1
+PREHOOK: query: create view v2 as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v2
+POSTHOOK: query: create view v2 as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v2
+PREHOOK: query: --table grant to user
+
+grant select on table src_autho_test to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: --table grant to user
+
+grant select on table src_autho_test to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: grant select on table v to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v
+POSTHOOK: query: grant select on table v to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v
+PREHOOK: query: grant select on table v1 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v1
+POSTHOOK: query: grant select on table v1 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v1
+PREHOOK: query: grant select on table v2 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v2
+POSTHOOK: query: grant select on table v2 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v2
+PREHOOK: query: show grant user hive_test_user on table v
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on table v
+POSTHOOK: type: SHOW_GRANT
+default	v			hive_test_user	USER	SELECT	false	-1	hive_test_user
+PREHOOK: query: show grant user hive_test_user on v
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on v
+POSTHOOK: type: SHOW_GRANT
+default	v			hive_test_user	USER	SELECT	false	-1	hive_test_user
+PREHOOK: query: show grant user hive_test_user on v(key)
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on v(key)
+POSTHOOK: type: SHOW_GRANT
+PREHOOK: query: select * from v order by key limit 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v
+#### A masked pattern was here ####
+POSTHOOK: query: select * from v order by key limit 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v
+#### A masked pattern was here ####
+0	val_0
+0	val_0
+0	val_0
+10	val_10
+100	val_100
+100	val_100
+103	val_103
+103	val_103
+104	val_104
+104	val_104
+PREHOOK: query: revoke select on table src_autho_test from user hive_test_user
+PREHOOK: type: REVOKE_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: revoke select on table src_autho_test from user hive_test_user
+POSTHOOK: type: REVOKE_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: show grant user hive_test_user on table v
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on table v
+POSTHOOK: type: SHOW_GRANT
+default	v			hive_test_user	USER	SELECT	false	-1	hive_test_user
+PREHOOK: query: show grant user hive_test_user on v
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on v
+POSTHOOK: type: SHOW_GRANT
+default	v			hive_test_user	USER	SELECT	false	-1	hive_test_user
+PREHOOK: query: show grant user hive_test_user on v(key)
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on v(key)
+POSTHOOK: type: SHOW_GRANT
+PREHOOK: query: revoke select on table v from user hive_test_user
+PREHOOK: type: REVOKE_PRIVILEGE
+PREHOOK: Output: default@v
+POSTHOOK: query: revoke select on table v from user hive_test_user
+POSTHOOK: type: REVOKE_PRIVILEGE
+POSTHOOK: Output: default@v
+PREHOOK: query: show grant user hive_test_user on table v
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on table v
+POSTHOOK: type: SHOW_GRANT
+PREHOOK: query: show grant user hive_test_user on v
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on v
+POSTHOOK: type: SHOW_GRANT
+PREHOOK: query: show grant user hive_test_user on v(key)
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on v(key)
+POSTHOOK: type: SHOW_GRANT
+PREHOOK: query: --column grant to user
+
+grant select on table src_autho_test to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: --column grant to user
+
+grant select on table src_autho_test to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: grant select(key) on table v to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v
+POSTHOOK: query: grant select(key) on table v to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v
+PREHOOK: query: show grant user hive_test_user on table v
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on table v
+POSTHOOK: type: SHOW_GRANT
+PREHOOK: query: show grant user hive_test_user on v(key)
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on v(key)
+POSTHOOK: type: SHOW_GRANT
+default	v		[key]	hive_test_user	USER	SELECT	false	-1	hive_test_user
+PREHOOK: query: select key from v order by key limit 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v
+#### A masked pattern was here ####
+POSTHOOK: query: select key from v order by key limit 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v
+#### A masked pattern was here ####
+0
+0
+0
+10
+100
+100
+103
+103
+104
+104
+PREHOOK: query: select key from
+(select v.key from src_autho_test join v on src_autho_test.key=v.key)subq 
+order by key limit 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v
+#### A masked pattern was here ####
+POSTHOOK: query: select key from
+(select v.key from src_autho_test join v on src_autho_test.key=v.key)subq 
+order by key limit 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v
+#### A masked pattern was here ####
+0
+0
+0
+0
+0
+0
+0
+0
+0
+10
+PREHOOK: query: select key from
+(select key as key from src_autho_test union all select key from v)subq 
+limit 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v
+#### A masked pattern was here ####
+POSTHOOK: query: select key from
+(select key as key from src_autho_test union all select key from v)subq 
+limit 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v
+#### A masked pattern was here ####
+238
+238
+86
+86
+311
+311
+27
+27
+165
+165
+PREHOOK: query: select key from
+(select value as key from v2 union select value as key from v1 union all select key from v)subq
+limit 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v
+PREHOOK: Input: default@v1
+PREHOOK: Input: default@v2
+#### A masked pattern was here ####
+POSTHOOK: query: select key from
+(select value as key from v2 union select value as key from v1 union all select key from v)subq
+limit 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v
+POSTHOOK: Input: default@v1
+POSTHOOK: Input: default@v2
+#### A masked pattern was here ####
+val_0
+val_10
+val_100
+val_103
+val_104
+val_105
+val_11
+val_111
+val_113
+val_114

http://git-wip-us.apache.org/repos/asf/hive/blob/90a9a90e/ql/src/test/results/clientpositive/authorization_view_disable_cbo_1.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientpositive/authorization_view_disable_cbo_1.q.out b/ql/src/test/results/clientpositive/authorization_view_disable_cbo_1.q.out
new file mode 100644
index 0000000..0341f0b
--- /dev/null
+++ b/ql/src/test/results/clientpositive/authorization_view_disable_cbo_1.q.out
@@ -0,0 +1,309 @@
+PREHOOK: query: create table src_autho_test as select * from src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: create table src_autho_test as select * from src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: create view v as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v
+POSTHOOK: query: create view v as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v
+PREHOOK: query: create view v1 as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v1
+POSTHOOK: query: create view v1 as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v1
+PREHOOK: query: create view v2 as select * from src_autho_test
+PREHOOK: type: CREATEVIEW
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Output: database:default
+PREHOOK: Output: default@v2
+POSTHOOK: query: create view v2 as select * from src_autho_test
+POSTHOOK: type: CREATEVIEW
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@v2
+PREHOOK: query: --table grant to user
+
+grant select on table src_autho_test to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: --table grant to user
+
+grant select on table src_autho_test to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: grant select on table v to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v
+POSTHOOK: query: grant select on table v to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v
+PREHOOK: query: grant select on table v1 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v1
+POSTHOOK: query: grant select on table v1 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v1
+PREHOOK: query: grant select on table v2 to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v2
+POSTHOOK: query: grant select on table v2 to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v2
+PREHOOK: query: show grant user hive_test_user on table v
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on table v
+POSTHOOK: type: SHOW_GRANT
+default	v			hive_test_user	USER	SELECT	false	-1	hive_test_user
+PREHOOK: query: show grant user hive_test_user on v
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on v
+POSTHOOK: type: SHOW_GRANT
+default	v			hive_test_user	USER	SELECT	false	-1	hive_test_user
+PREHOOK: query: show grant user hive_test_user on v(key)
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on v(key)
+POSTHOOK: type: SHOW_GRANT
+PREHOOK: query: select * from v order by key limit 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v
+#### A masked pattern was here ####
+POSTHOOK: query: select * from v order by key limit 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v
+#### A masked pattern was here ####
+0	val_0
+0	val_0
+0	val_0
+10	val_10
+100	val_100
+100	val_100
+103	val_103
+103	val_103
+104	val_104
+104	val_104
+PREHOOK: query: revoke select on table src_autho_test from user hive_test_user
+PREHOOK: type: REVOKE_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: revoke select on table src_autho_test from user hive_test_user
+POSTHOOK: type: REVOKE_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: show grant user hive_test_user on table v
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on table v
+POSTHOOK: type: SHOW_GRANT
+default	v			hive_test_user	USER	SELECT	false	-1	hive_test_user
+PREHOOK: query: show grant user hive_test_user on v
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on v
+POSTHOOK: type: SHOW_GRANT
+default	v			hive_test_user	USER	SELECT	false	-1	hive_test_user
+PREHOOK: query: show grant user hive_test_user on v(key)
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on v(key)
+POSTHOOK: type: SHOW_GRANT
+PREHOOK: query: revoke select on table v from user hive_test_user
+PREHOOK: type: REVOKE_PRIVILEGE
+PREHOOK: Output: default@v
+POSTHOOK: query: revoke select on table v from user hive_test_user
+POSTHOOK: type: REVOKE_PRIVILEGE
+POSTHOOK: Output: default@v
+PREHOOK: query: show grant user hive_test_user on table v
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on table v
+POSTHOOK: type: SHOW_GRANT
+PREHOOK: query: show grant user hive_test_user on v
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on v
+POSTHOOK: type: SHOW_GRANT
+PREHOOK: query: show grant user hive_test_user on v(key)
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on v(key)
+POSTHOOK: type: SHOW_GRANT
+PREHOOK: query: --column grant to user
+
+grant select on table src_autho_test to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@src_autho_test
+POSTHOOK: query: --column grant to user
+
+grant select on table src_autho_test to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: grant select(key) on table v to user hive_test_user
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@v
+POSTHOOK: query: grant select(key) on table v to user hive_test_user
+POSTHOOK: type: GRANT_PRIVILEGE
+POSTHOOK: Output: default@v
+PREHOOK: query: show grant user hive_test_user on table v
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on table v
+POSTHOOK: type: SHOW_GRANT
+PREHOOK: query: show grant user hive_test_user on v(key)
+PREHOOK: type: SHOW_GRANT
+POSTHOOK: query: show grant user hive_test_user on v(key)
+POSTHOOK: type: SHOW_GRANT
+default	v		[key]	hive_test_user	USER	SELECT	false	-1	hive_test_user
+PREHOOK: query: select key from v order by key limit 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v
+#### A masked pattern was here ####
+POSTHOOK: query: select key from v order by key limit 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v
+#### A masked pattern was here ####
+0
+0
+0
+10
+100
+100
+103
+103
+104
+104
+PREHOOK: query: select key from
+(select v.key from src_autho_test join v on src_autho_test.key=v.key)subq 
+order by key limit 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v
+#### A masked pattern was here ####
+POSTHOOK: query: select key from
+(select v.key from src_autho_test join v on src_autho_test.key=v.key)subq 
+order by key limit 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v
+#### A masked pattern was here ####
+0
+0
+0
+0
+0
+0
+0
+0
+0
+10
+PREHOOK: query: select key from
+(select key as key from src_autho_test union all select key from v)subq 
+limit 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v
+#### A masked pattern was here ####
+POSTHOOK: query: select key from
+(select key as key from src_autho_test union all select key from v)subq 
+limit 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v
+#### A masked pattern was here ####
+238
+238
+86
+86
+311
+311
+27
+27
+165
+165
+PREHOOK: query: select key from
+(select value as key from v2 union select value as key from v1 union all select key from v)subq
+limit 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v
+PREHOOK: Input: default@v1
+PREHOOK: Input: default@v2
+#### A masked pattern was here ####
+POSTHOOK: query: select key from
+(select value as key from v2 union select value as key from v1 union all select key from v)subq
+limit 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v
+POSTHOOK: Input: default@v1
+POSTHOOK: Input: default@v2
+#### A masked pattern was here ####
+val_0
+val_10
+val_100
+val_103
+val_104
+val_105
+val_11
+val_111
+val_113
+val_114
+PREHOOK: query: --although cbo is enabled, it will not succeed.
+
+select key from v sort by key limit 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v
+#### A masked pattern was here ####
+POSTHOOK: query: --although cbo is enabled, it will not succeed.
+
+select key from v sort by key limit 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v
+#### A masked pattern was here ####
+0
+0
+0
+10
+100
+100
+103
+103
+104
+104
+PREHOOK: query: select key from
+(select key as key from src_autho_test union all select key from v cluster by key)subq
+limit 10
+PREHOOK: type: QUERY
+PREHOOK: Input: default@src_autho_test
+PREHOOK: Input: default@v
+#### A masked pattern was here ####
+POSTHOOK: query: select key from
+(select key as key from src_autho_test union all select key from v cluster by key)subq
+limit 10
+POSTHOOK: type: QUERY
+POSTHOOK: Input: default@src_autho_test
+POSTHOOK: Input: default@v
+#### A masked pattern was here ####
+0
+0
+0
+0
+0
+0
+10
+10
+100
+100


Mime
View raw message