Author: hashutosh Date: Tue May 13 16:11:11 2014 New Revision: 1594259 URL: http://svn.apache.org/r1594259 Log: HIVE-7033 : grant statements should check if the role exists (Thejas Nair via Ashutosh Chauhan)
Added: hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant_nosuchrole.q hive/trunk/ql/src/test/queries/clientnegative/authorization_table_grant_nosuchrole.q hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out hive/trunk/ql/src/test/results/clientnegative/authorization_table_grant_nosuchrole.q.out Modified: hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q hive/trunk/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out Modified: hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java URL: http://svn.apache.org/viewvc/hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java?rev=1594259&r1=1594258&r2=1594259&view=diff ============================================================================== --- hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java (original) +++ hive/trunk/metastore/src/java/org/apache/hadoop/hive/metastore/ObjectStore.java Tue May 13 16:11:11 2014 @@ -3040,6 +3040,7 @@ public class ObjectStore implements RawS boolean success = false; boolean commited = false; try { + openTransaction(); MRoleMap roleMap = null; try { roleMap = this.getMSecurityUserRoleMap(userName, principalType, role 
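Review bot: With `openTransaction()` moved ahead of the membership lookup in the first ObjectStore hunk, the `InvalidObjectException` for an existing grant and the new `NoSuchObjectException` from `validateRole` are both thrown while a transaction is open. Cleanup therefore depends on the rollback path, which is not visible here because the method starts before and continues past this hunk, so it should be confirmed against the full file. If the intent is to make the checks and the insert atomic, say so at the call site, for example `// open first so the duplicate check, role validation and insert share one transaction`.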
@@ -3050,7 +3051,9 @@ public class ObjectStore implements RawS throw new InvalidObjectException("Principal " + userName + " already has the role " + role.getRoleName()); } - openTransaction(); + if (principalType == PrincipalType.ROLE) { + validateRole(userName); + } MRole mRole = getMRole(role.getRoleName()); long now = System.currentTimeMillis()/1000; MRoleMap roleMember = new MRoleMap(userName, principalType.toString(), @@ -3066,6 +3069,19 @@ public class ObjectStore implements RawS return success; } + /** + * Verify that role with given name exists, if not throw exception + * @param roleName + * @throws NoSuchObjectException + */ + private void validateRole(String roleName) throws NoSuchObjectException { + // if grantee is a role, check if it exists + MRole granteeRole = getMRole(roleName); + if (granteeRole == null) { + throw new NoSuchObjectException("Role " + roleName + " does not exist"); + } + } + @Override public boolean revokeRole(Role role, String userName, PrincipalType principalType) throws MetaException, NoSuchObjectException { boolean success = false; 
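Review bot: Only the grantee is checked in the second ObjectStore hunk: `MRole mRole = getMRole(role.getRoleName());` is still passed straight into `new MRoleMap(...)` with no null check in the visible lines, although `validateRole` itself shows that `getMRole` can return null. Unless the role being granted is verified earlier in the method (outside this hunk), granting a nonexistent role could persist a membership entry with no role behind it. Reusing the helper, `validateRole(role.getRoleName());` ahead of the lookup, would close that gap, and a matching clientnegative test would pin the behaviour.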
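Review bot: The Javadoc added for `validateRole` leaves `@param roleName` and `@throws NoSuchObjectException` empty, and the inline comment `// if grantee is a role, check if it exists` describes the caller's condition rather than what the helper does. Suggested tags are `@param roleName name of the role to look up, passed to getMRole unchanged` and `@throws NoSuchObjectException if getMRole returns no role for that name`; the inline comment belongs at the two call sites instead. The surrounding methods (end of grantRole, start of revokeRole) are only partly visible in this hunk.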
@@ -3698,6 +3714,10 @@ public class ObjectStore implements RawS boolean grantOption = privDef.getGrantInfo().isGrantOption(); privSet.clear(); + if(principalType == PrincipalType.ROLE){ + validateRole(userName); + } + if (hiveObject.getObjectType() == HiveObjectType.GLOBAL) { List<MGlobalPrivilege> globalPrivs = this .listPrincipalGlobalGrants(userName, principalType); Modified: hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java?rev=1594259&r1=1594258&r2=1594259&view=diff ============================================================================== --- hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java (original) +++ hive/trunk/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/HivePrincipal.java Tue May 13 16:11:11 2014 @@ -40,8 +40,16 @@ public class HivePrincipal { private final HivePrincipalType type; public HivePrincipal(String name, HivePrincipalType type){ - this.name = name; this.type = type; + if (type == HivePrincipalType.ROLE) { + // lower case role to make operations on it case insensitive + // when the old default authorization gets deprecated, this can move + // to ObjectStore code base + this.name = name.toLowerCase(); + } else { + this.name = name; + } + } public String getName() { return name; Added: hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant_nosuchrole.q URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant_nosuchrole.q?rev=1594259&view=auto ============================================================================== --- hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant_nosuchrole.q (added) +++ hive/trunk/ql/src/test/queries/clientnegative/authorization_role_grant_nosuchrole.q Tue May 13 16:11:11 2014 
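Review bot: The guard added in the grant-privileges hunk hands `userName` to `validateRole` exactly as received, while role names are lower-cased only in `HivePrincipal`, the second file changed here. A caller that reaches the metastore without going through `HivePrincipal` (its comment mentions the old default authorization) may see a mixed-case role name rejected; this is inferred, since `getMRole` is not shown. A comment such as `// role names are expected lower-cased by the caller; see HivePrincipal` would record the assumption. The guard should also use the same spacing as the one in grantRole, `if (principalType == PrincipalType.ROLE) {`. The enclosing method starts and ends outside the hunk.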
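Review bot: `name.toLowerCase()` in the HivePrincipal constructor uses the JVM default locale, so the normalized role name depends on where the process runs; under a Turkish locale `I` lower-cases to dotless `ı`, and a role such as ADMIN could stop matching its stored name. For an authorization identifier the mapping should be fixed: `this.name = name.toLowerCase(Locale.ROOT);` with `java.util.Locale` imported. The ROLE branch also dereferences `name`, so a null name that the old constructor accepted now throws NullPointerException; if null is never a legal role name, an explicit check with a clear message is preferable to the implicit one. The class body continues outside the hunk.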
@@ -0,0 +1,13 @@
+set hive.users.in.admin.role=hive_admin_user;
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+set user.name=hive_admin_user;
+
+set role ADMIN;
+
+----------------------------------------
+-- granting role to a role that does not exist should fail
+----------------------------------------
+
+create role role1;
+grant role1 to role nosuchrole;
Added: hive/trunk/ql/src/test/queries/clientnegative/authorization_table_grant_nosuchrole.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientnegative/authorization_table_grant_nosuchrole.q?rev=1594259&view=auto
==============================================================================
--- hive/trunk/ql/src/test/queries/clientnegative/authorization_table_grant_nosuchrole.q (added)
+++ hive/trunk/ql/src/test/queries/clientnegative/authorization_table_grant_nosuchrole.q Tue May 13 16:11:11 2014
@@ -0,0 +1,8 @@
+set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactoryForTest;
+set hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateConfigUserAuthenticator;
+
+----------------------------------------
+-- granting object privilege to a role that does not exist should fail
+----------------------------------------
+create table t1(i int);
+grant ALL on t1 to role nosuchrole;
Modified: hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q?rev=1594259&r1=1594258&r2=1594259&view=diff
==============================================================================
--- hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q (original)
+++ hive/trunk/ql/src/test/queries/clientpositive/authorization_1_sql_std.q Tue May 13 16:11:11 2014
@@ -24,13 +24,14 @@ show role grant user user_sauth; --table grant to role -grant select on table src_autho_test to role src_role; +-- also verify case insesitive behavior of role name +grant select on table src_autho_test to role Src_ROle; show grant role src_role on table src_autho_test; -revoke select on table src_autho_test from role src_role; +revoke select on table src_autho_test from role src_rolE; -- drop role -drop role src_role; +drop role SRc_role; set hive.security.authorization.enabled=false; drop table src_autho_test; Modified: hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q?rev=1594259&r1=1594258&r2=1594259&view=diff ============================================================================== --- hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q (original) +++ hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant1.q Tue May 13 16:11:11 2014 @@ -5,14 +5,16 @@ set user.name=hive_admin_user; -- enable sql standard authorization -- role granting without role keyword +-- also test role being treated as case insensitive set role ADMIN; -create role src_role2; -grant src_role2 to user user2 ; +create role src_Role2; + +grant SRC_role2 to user user2 ; show role grant user user2; show roles; -- revoke role without role keyword -revoke src_role2 from user user2; +revoke src_rolE2 from user user2; show role grant user user2; show roles; 
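Review bot: The comment added in the authorization_1_sql_std.q hunk, `-- also verify case insesitive behavior of role name`, misspells "insensitive"; it should read `-- also verify case insensitive behavior of role name`. The golden file authorization_1_sql_std.q.out echoes the query text including this comment, so correcting it means regenerating that output as well.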
@@ -21,18 +23,16 @@ show roles; ---------------------------------------- create role src_role_wadmin; -grant src_role_wadmin to user user2 with admin option; +grant src_role_wadmin to user user2 with admin option; show role grant user user2; -- revoke role without role keyword revoke src_role_wadmin from user user2; show role grant user user2; - - -- drop roles show roles; -drop role src_role2; +drop role Src_role2; show roles; -drop role src_role_wadmin; +drop role sRc_role_wadmin; show roles; Modified: hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q?rev=1594259&r1=1594258&r2=1594259&view=diff ============================================================================== --- hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q (original) +++ hive/trunk/ql/src/test/queries/clientpositive/authorization_role_grant2.q Tue May 13 16:11:11 2014 
@@ -9,25 +9,38 @@ set role ADMIN; ---------------------------------------- -- role granting with admin option ---------------------------------------- +-- Also test case sensitivity of role name -create role src_role_wadmin; -grant src_role_wadmin to user user2 with admin option; +create role srC_role_wadmin; +create role src_roLe2; +grant src_role_wadmin to user user2 with admin option; show role grant user user2; show principals src_role_wadmin; + set user.name=user2; -set role src_role_wadmin; -grant src_role_wadmin to user user3; +set role src_role_WadMin; +-- grant role to another user +grant src_Role_wadmin to user user3; show role grant user user3; +-- grant role to another role +grant src_role_wadmin to role sRc_role2;; +show role grant role src_Role2;; + + set user.name=hive_admin_user; set role ADMIN; -show principals src_role_wadmin; +show principals src_ROle_wadmin; set user.name=user2; set role src_role_wadmin; -revoke src_role_wadmin from user user3; +-- revoke user from role +revoke src_rolE_wadmin from user user3; show role grant user user3; +-- revoke role from role +revoke src_rolE_wadmin from role sRc_role2; +show role grant role sRc_role2; set user.name=hive_admin_user; set role ADMIN; Added: hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out?rev=1594259&view=auto ============================================================================== --- hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out (added) +++ hive/trunk/ql/src/test/results/clientnegative/authorization_role_grant_nosuchrole.q.out Tue May 13 16:11:11 2014 
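Review bot: Two added statements in the authorization_role_grant2.q hunk end in a doubled terminator, `grant src_role_wadmin to role sRc_role2;;` and `show role grant role src_Role2;;`. The recorded output suggests they are harmless, but they read as typos and should end in a single `;`. The section comment `-- Also test case sensitivity of role name` would be more accurate as `-- Also test case insensitivity of role name`, in line with the wording used in authorization_role_grant1.q. Because the golden file echoes that comment, changing it means regenerating authorization_role_grant2.q.out.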
@@ -0,0 +1,19 @@
+PREHOOK: query: set role ADMIN
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role ADMIN
+POSTHOOK: type: SHOW_ROLES
+PREHOOK: query: ----------------------------------------
+-- granting role to a role that does not exist should fail
+----------------------------------------
+
+create role role1
+PREHOOK: type: CREATEROLE
+POSTHOOK: query: ----------------------------------------
+-- granting role to a role that does not exist should fail
+----------------------------------------
+
+create role role1
+POSTHOOK: type: CREATEROLE
+PREHOOK: query: grant role1 to role nosuchrole
+PREHOOK: type: GRANT_ROLE
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Error granting roles for nosuchrole to role role1: NoSuchObjectException(message:Role nosuchrole does not exist)
Added: hive/trunk/ql/src/test/results/clientnegative/authorization_table_grant_nosuchrole.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientnegative/authorization_table_grant_nosuchrole.q.out?rev=1594259&view=auto
==============================================================================
--- hive/trunk/ql/src/test/results/clientnegative/authorization_table_grant_nosuchrole.q.out (added)
+++ hive/trunk/ql/src/test/results/clientnegative/authorization_table_grant_nosuchrole.q.out Tue May 13 16:11:11 2014
@@ -0,0 +1,17 @@
+PREHOOK: query: ----------------------------------------
+-- granting object privilege to a role that does not exist should fail
+----------------------------------------
+create table t1(i int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+POSTHOOK: query: ----------------------------------------
+-- granting object privilege to a role that does not exist should fail
+----------------------------------------
+create table t1(i int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@t1
+PREHOOK: query: grant ALL on t1 to role nosuchrole
+PREHOOK: type: GRANT_PRIVILEGE
+PREHOOK: Output: default@t1
+FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Error granting privileges: NoSuchObjectException(message:Role nosuchrole does not exist)
Modified: hive/trunk/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out
URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out?rev=1594259&r1=1594258&r2=1594259&view=diff
==============================================================================
--- hive/trunk/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out (original)
+++ hive/trunk/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out Tue May 13 16:11:11 2014
@@ -52,12 +52,14 @@ public false -1 src_role false -1 hive_admin_user PREHOOK: query: --table grant to role -grant select on table src_autho_test to role src_role +-- also verify case insesitive behavior of role name +grant select on table src_autho_test to role Src_ROle PREHOOK: type: GRANT_PRIVILEGE PREHOOK: Output: default@src_autho_test POSTHOOK: query: --table grant to role -grant select on table src_autho_test to role src_role +-- also verify case insesitive behavior of role name +grant select on table src_autho_test to role Src_ROle POSTHOOK: type: GRANT_PRIVILEGE POSTHOOK: Output: default@src_autho_test PREHOOK: query: show grant role src_role on table src_autho_test 
@@ -65,17 +67,17 @@ PREHOOK: type: SHOW_GRANT POSTHOOK: query: show grant role src_role on table src_autho_test POSTHOOK: type: SHOW_GRANT default src_autho_test src_role ROLE SELECT false -1 hive_admin_user -PREHOOK: query: revoke select on table src_autho_test from role src_role +PREHOOK: query: revoke select on table src_autho_test from role src_rolE PREHOOK: type: REVOKE_PRIVILEGE PREHOOK: Output: default@src_autho_test -POSTHOOK: query: revoke select on table src_autho_test from role src_role +POSTHOOK: query: revoke select on table src_autho_test from role src_rolE POSTHOOK: type: REVOKE_PRIVILEGE POSTHOOK: Output: default@src_autho_test PREHOOK: query: -- drop role -drop role src_role +drop role SRc_role PREHOOK: type: DROPROLE POSTHOOK: query: -- drop role -drop role src_role +drop role SRc_role POSTHOOK: type: DROPROLE PREHOOK: query: drop table src_autho_test PREHOOK: type: DROPTABLE Modified: hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out?rev=1594259&r1=1594258&r2=1594259&view=diff ============================================================================== --- hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out (original) +++ hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant1.q.out Tue May 13 16:11:11 2014 
@@ -1,18 +1,20 @@ PREHOOK: query: -- enable sql standard authorization -- role granting without role keyword +-- also test role being treated as case insensitive set role ADMIN PREHOOK: type: SHOW_ROLES POSTHOOK: query: -- enable sql standard authorization -- role granting without role keyword +-- also test role being treated as case insensitive set role ADMIN POSTHOOK: type: SHOW_ROLES -PREHOOK: query: create role src_role2 +PREHOOK: query: create role src_Role2 PREHOOK: type: CREATEROLE -POSTHOOK: query: create role src_role2 +POSTHOOK: query: create role src_Role2 POSTHOOK: type: CREATEROLE -PREHOOK: query: grant src_role2 to user user2 +PREHOOK: query: grant SRC_role2 to user user2 PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant src_role2 to user user2 +POSTHOOK: query: grant SRC_role2 to user user2 POSTHOOK: type: GRANT_ROLE PREHOOK: query: show role grant user user2 PREHOOK: type: SHOW_ROLE_GRANT @@ -29,10 +31,10 @@ public src_role2 PREHOOK: query: -- revoke role without role keyword -revoke src_role2 from user user2 +revoke src_rolE2 from user user2 PREHOOK: type: REVOKE_ROLE POSTHOOK: query: -- revoke role without role keyword -revoke src_role2 from user user2 +revoke src_rolE2 from user user2 POSTHOOK: type: REVOKE_ROLE PREHOOK: query: show role grant user user2 PREHOOK: type: SHOW_ROLE_GRANT @@ -59,9 +61,9 @@ POSTHOOK: query: ----------------------- create role src_role_wadmin POSTHOOK: type: CREATEROLE -PREHOOK: query: grant src_role_wadmin to user user2 with admin option +PREHOOK: query: grant src_role_wadmin to user user2 with admin option PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant src_role_wadmin to user user2 with admin option +POSTHOOK: query: grant src_role_wadmin to user user2 with admin option POSTHOOK: type: GRANT_ROLE PREHOOK: query: show role grant user user2 PREHOOK: type: SHOW_ROLE_GRANT 
@@ -91,9 +93,9 @@ public src_role2 src_role_wadmin -PREHOOK: query: drop role src_role2 +PREHOOK: query: drop role Src_role2 PREHOOK: type: DROPROLE -POSTHOOK: query: drop role src_role2 +POSTHOOK: query: drop role Src_role2 POSTHOOK: type: DROPROLE PREHOOK: query: show roles PREHOOK: type: SHOW_ROLES @@ -103,9 +105,9 @@ admin public src_role_wadmin -PREHOOK: query: drop role src_role_wadmin +PREHOOK: query: drop role sRc_role_wadmin PREHOOK: type: DROPROLE -POSTHOOK: query: drop role src_role_wadmin +POSTHOOK: query: drop role sRc_role_wadmin POSTHOOK: type: DROPROLE PREHOOK: query: show roles PREHOOK: type: SHOW_ROLES Modified: hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out URL: http://svn.apache.org/viewvc/hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out?rev=1594259&r1=1594258&r2=1594259&view=diff ============================================================================== --- hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out (original) +++ hive/trunk/ql/src/test/results/clientpositive/authorization_role_grant2.q.out Tue May 13 16:11:11 2014 
@@ -5,18 +5,24 @@ POSTHOOK: type: SHOW_ROLES PREHOOK: query: ---------------------------------------- -- role granting with admin option ---------------------------------------- +-- Also test case sensitivity of role name -create role src_role_wadmin +create role srC_role_wadmin PREHOOK: type: CREATEROLE POSTHOOK: query: ---------------------------------------- -- role granting with admin option ---------------------------------------- +-- Also test case sensitivity of role name -create role src_role_wadmin +create role srC_role_wadmin POSTHOOK: type: CREATEROLE -PREHOOK: query: grant src_role_wadmin to user user2 with admin option +PREHOOK: query: create role src_roLe2 +PREHOOK: type: CREATEROLE +POSTHOOK: query: create role src_roLe2 +POSTHOOK: type: CREATEROLE +PREHOOK: query: grant src_role_wadmin to user user2 with admin option PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant src_role_wadmin to user user2 with admin option +POSTHOOK: query: grant src_role_wadmin to user user2 with admin option POSTHOOK: type: GRANT_ROLE PREHOOK: query: show role grant user user2 PREHOOK: type: SHOW_ROLE_GRANT @@ -31,13 +37,15 @@ POSTHOOK: query: show principals src_rol POSTHOOK: type: SHOW_ROLE_PRINCIPALS principal_name principal_type grant_option grantor grantor_type grant_time user2 USER true hive_admin_user USER -1 -PREHOOK: query: set role src_role_wadmin +PREHOOK: query: set role src_role_WadMin PREHOOK: type: SHOW_ROLES -POSTHOOK: query: set role src_role_wadmin +POSTHOOK: query: set role src_role_WadMin POSTHOOK: type: SHOW_ROLES -PREHOOK: query: grant src_role_wadmin to user user3 +PREHOOK: query: -- grant role to another user +grant src_Role_wadmin to user user3 PREHOOK: type: GRANT_ROLE -POSTHOOK: query: grant src_role_wadmin to user user3 +POSTHOOK: query: -- grant role to another user +grant src_Role_wadmin to user user3 POSTHOOK: type: GRANT_ROLE PREHOOK: query: show role grant user user3 PREHOOK: type: SHOW_ROLE_GRANT 
@@ -46,24 +54,39 @@ POSTHOOK: type: SHOW_ROLE_GRANT role grant_option grant_time grantor public false -1 src_role_wadmin false -1 user2 +PREHOOK: query: -- grant role to another role +grant src_role_wadmin to role sRc_role2 +PREHOOK: type: GRANT_ROLE +POSTHOOK: query: -- grant role to another role +grant src_role_wadmin to role sRc_role2 +POSTHOOK: type: GRANT_ROLE +PREHOOK: query: show role grant role src_Role2 +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant role src_Role2 +POSTHOOK: type: SHOW_ROLE_GRANT +role grant_option grant_time grantor +src_role_wadmin false -1 user2 PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES POSTHOOK: query: set role ADMIN POSTHOOK: type: SHOW_ROLES -PREHOOK: query: show principals src_role_wadmin +PREHOOK: query: show principals src_ROle_wadmin PREHOOK: type: SHOW_ROLE_PRINCIPALS -POSTHOOK: query: show principals src_role_wadmin +POSTHOOK: query: show principals src_ROle_wadmin POSTHOOK: type: SHOW_ROLE_PRINCIPALS principal_name principal_type grant_option grantor grantor_type grant_time +src_role2 ROLE false user2 USER -1 user2 USER true hive_admin_user USER -1 user3 USER false user2 USER -1 PREHOOK: query: set role src_role_wadmin PREHOOK: type: SHOW_ROLES POSTHOOK: query: set role src_role_wadmin POSTHOOK: type: SHOW_ROLES -PREHOOK: query: revoke src_role_wadmin from user user3 +PREHOOK: query: -- revoke user from role +revoke src_rolE_wadmin from user user3 PREHOOK: type: REVOKE_ROLE -POSTHOOK: query: revoke src_role_wadmin from user user3 +POSTHOOK: query: -- revoke user from role +revoke src_rolE_wadmin from user user3 POSTHOOK: type: REVOKE_ROLE PREHOOK: query: show role grant user user3 PREHOOK: type: SHOW_ROLE_GRANT 
@@ -71,6 +94,17 @@ POSTHOOK: query: show role grant user us POSTHOOK: type: SHOW_ROLE_GRANT role grant_option grant_time grantor public false -1 +PREHOOK: query: -- revoke role from role +revoke src_rolE_wadmin from role sRc_role2 +PREHOOK: type: REVOKE_ROLE +POSTHOOK: query: -- revoke role from role +revoke src_rolE_wadmin from role sRc_role2 +POSTHOOK: type: REVOKE_ROLE +PREHOOK: query: show role grant role sRc_role2 +PREHOOK: type: SHOW_ROLE_GRANT +POSTHOOK: query: show role grant role sRc_role2 +POSTHOOK: type: SHOW_ROLE_GRANT +role grant_option grant_time grantor PREHOOK: query: set role ADMIN PREHOOK: type: SHOW_ROLES POSTHOOK: query: set role ADMIN