hive-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lantao Jin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-15687) SQL Standard auth: INSERT and DELETE privileges don't actually exist.
Date Fri, 17 Mar 2017 08:55:41 GMT

    [ https://issues.apache.org/jira/browse/HIVE-15687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15929598#comment-15929598
] 

Lantao Jin commented on HIVE-15687:
-----------------------------------

If you want to grant {{insert}} | {{delete}} to a role under default authorization provider.
You can run grant {{all}} for instead.

That's not a but. If you set {{hive.security.authorization.manager}} to {{DefaultHiveAuthorizationProvider}}(default)
or {{StorageBasedAuthorizationProvider}} which are the subclass of {{HiveAuthorizationProvider}}.
The privilege {{insert}} | {{delete}} aren't support. 
We can get the evidence from PrivilegeRegistry:
{code:java}
static {
    Registry = new HashMap<PrivilegeType, Privilege>();

    //add the privileges supported in authorization mode V1
    Registry.put(Privilege.ALL.getPriv(), Privilege.ALL);
    Registry.put(Privilege.ALTER_DATA.getPriv(), Privilege.ALTER_DATA);
    Registry.put(Privilege.ALTER_METADATA.getPriv(), Privilege.ALTER_METADATA);
    Registry.put(Privilege.CREATE.getPriv(), Privilege.CREATE);
    Registry.put(Privilege.DROP.getPriv(), Privilege.DROP);
    Registry.put(Privilege.INDEX.getPriv(), Privilege.INDEX);
    Registry.put(Privilege.LOCK.getPriv(), Privilege.LOCK);
    Registry.put(Privilege.SELECT.getPriv(), Privilege.SELECT);
    Registry.put(Privilege.SHOW_DATABASE.getPriv(),
        Privilege.SHOW_DATABASE);

    //add the privileges not supported in V1
    //The list of privileges supported in V2 is implementation defined,
    //so just pass everything that syntax supports.
    RegistryV2 = new HashMap<PrivilegeType, Privilege>();
    RegistryV2.putAll(Registry);
    RegistryV2.put(Privilege.INSERT.getPriv(), Privilege.INSERT);
    RegistryV2.put(Privilege.DELETE.getPriv(), Privilege.DELETE);
  }
{code} 

{code:java}
  private static Privilege getPrivilegeFromRegistry(PrivilegeType ptype) {
    return SessionState.get().isAuthorizationModeV2() ? RegistryV2.get(ptype) : Registry.get(ptype);
  }

  public boolean isAuthorizationModeV2(){
    return getAuthorizationMode() == AuthorizationMode.V2;
  }
  
  public AuthorizationMode getAuthorizationMode(){
    setupAuth();
    if(authorizer != null){
      return AuthorizationMode.V1;
    }else if(authorizerV2 != null){
      return AuthorizationMode.V2;
    }
    //should not happen - this should not get called before this.start() is called
    throw new AssertionError("Authorization plugins not initialized!");
  }
{code}

Only when object {{authorizer}} is null and {{authorizerV2}} isn't null, we can grant {{INSERT
| DELET}}, otherwise {{ALL}} instead.
For more details, Go into org.apache.hadoop.hive.ql.session.SessionState
{code:java}
   private void setupAuth() {
      String clsStr = HiveConf.getVar(conf, HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER);
      authorizer = HiveUtils.getAuthorizeProviderManager(conf,
          clsStr, authenticator, true);

      if (authorizer == null) {
        ..
        authorizerV2 = authorizerFactory.createHiveAuthorizer(new HiveMetastoreClientFactoryImpl(),
            conf, authenticator, authzContextBuilder.build());
      }
  }

  public static HiveAuthorizationProvider getAuthorizeProviderManager(
      Configuration conf, String authzClassName,
      HiveAuthenticationProvider authenticator, boolean nullIfOtherClass) throws HiveException
{

    HiveAuthorizationProvider ret = null;
    try {
      Class<? extends HiveAuthorizationProvider> cls = null;
      if (authzClassName == null || authzClassName.trim().equals("")) {
        cls = DefaultHiveAuthorizationProvider.class;
      } else {
        Class<?> configClass = Class.forName(authzClassName, true, JavaUtils.getClassLoader());
        if(nullIfOtherClass && !HiveAuthorizationProvider.class.isAssignableFrom(configClass)
){
          return null;        /*  ====>    notice the condition how to return null    
   <======*/
        }
        cls = (Class<? extends HiveAuthorizationProvider>)configClass;
      }
      if (cls != null) {
        ret = ReflectionUtils.newInstance(cls, conf);
      }
    } catch (Exception e) {
      throw new HiveException(e);
    }
    ret.setAuthenticator(authenticator);
    return ret;
  }
{code}
{{nullIfOtherClass}} is always true, and only the {{authzClassName}} which stand for the value
of {{hive.security.authorization.manager}} is not the subclass of {{HiveAuthorizationProvider}},
it will return null.

So please set {{hive.security.authorization.manager}} to {{org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory}}
to get v2 authorization to grant INSERT | DELETE.





> SQL Standard auth: INSERT and DELETE privileges don't actually exist.
> ---------------------------------------------------------------------
>
>                 Key: HIVE-15687
>                 URL: https://issues.apache.org/jira/browse/HIVE-15687
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Carter Shanklin
>
> The documentation states https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization#SQLStandardBasedHiveAuthorization-ObjectPrivilegeCommands
that there are privilege types of INSERT | SELECT | UPDATE | DELETE | ALL.
> Experience suggests otherwise:
> {code}
> : jdbc:hive2://localhost:10000/default> grant select on table secured_table to role
my_role;
> No rows affected (0.034 seconds)
> 0: jdbc:hive2://localhost:10000/default> grant insert on table secured_table to role
my_role;
> Error: Error while compiling statement: FAILED: SemanticException Undefined privilege
Insert (state=42000,code=40000)
> 0: jdbc:hive2://localhost:10000/default> grant update on table secured_table to role
my_role;
> No rows affected (0.037 seconds)
> 0: jdbc:hive2://localhost:10000/default> grant delete on table secured_table to role
my_role;
> Error: Error while compiling statement: FAILED: SemanticException Undefined privilege
Delete (state=42000,code=40000)
> 0: jdbc:hive2://localhost:10000/default> select version();
> +--------------------------------------------------------------+--+
> |                             _c0                              |
> +--------------------------------------------------------------+--+
> | 2.1.0.2.6.0.0-369 r434bfeb707d21f6b44121ac7dfe5adbadb746387  |
> +--------------------------------------------------------------+--+
> {code}
> It would be good to support these, especially since Hive supports updates and deletions.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message