HIVE-11498: HIVE Authorization v2 should not check permission for dummy entity 
(Dapeng Sun via Dong Chen)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/70631bb4
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/70631bb4
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/70631bb4

Branch: refs/heads/hbase-metastore
Commit: 70631bb4cff0c0cbd7055e843e091bfd4fae8e4e
Parents: 7f3e481
Author: Dapeng Sun <s...@apache.org>
Authored: Tue Aug 11 00:56:13 2015 -0400
Committer: Dong Chen <dong1.c...@intel.com>
Committed: Tue Aug 11 01:37:16 2015 -0400

----------------------------------------------------------------------
 ql/src/java/org/apache/hadoop/hive/ql/Driver.java        |  5 ++++-
 .../queries/clientpositive/authorization_1_sql_std.q     |  4 ++++
 .../results/clientpositive/authorization_1_sql_std.q.out | 11 +++++++++++
 3 files changed, 19 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/70631bb4/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
----------------------------------------------------------------------
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java 
b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
index cc85f31..e7b7b55 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/Driver.java
@@ -787,7 +787,10 @@ public class Driver implements CommandProcessor {
     for(Entity privObject : privObjects){
       HivePrivilegeObjectType privObjType =
           AuthorizationUtils.getHivePrivilegeObjectType(privObject.getType());
-
+      if(privObject.isDummy()) {
+        //do not authorize dummy readEntity or writeEntity
+        continue;
+      }
       if(privObject instanceof ReadEntity && 
!((ReadEntity)privObject).isDirect()){
         // In case of views, the underlying views or tables are not direct 
dependencies
         // and are not used for authorization checks.
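Review bot: The new `continue` under `if(privObject.isDummy())` exempts an entity from every authorization check, so its safety rests entirely on how isDummy() gets set, which this hunk does not show. The comment should record that invariant rather than restate the code, for example `// Dummy entities (e.g. _dummy_database@_dummy_table for "select 1") name no real object; isDummy() must never be true for a user-named entity`. The check could also move above the `AuthorizationUtils.getHivePrivilegeObjectType(...)` call, whose result is discarded for skipped entities. The accompanying test only exercises a dummy input (`select 1`), so the write-entity side of this skip appears to be untested. The loop and its enclosing method begin and end outside the hunk.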

http://git-wip-us.apache.org/repos/asf/hive/blob/70631bb4/ql/src/test/queries/clientpositive/authorization_1_sql_std.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientpositive/authorization_1_sql_std.q 
b/ql/src/test/queries/clientpositive/authorization_1_sql_std.q
index 82896a4..b7b6710 100644
--- a/ql/src/test/queries/clientpositive/authorization_1_sql_std.q
+++ b/ql/src/test/queries/clientpositive/authorization_1_sql_std.q
@@ -6,6 +6,10 @@ set user.name=hive_admin_user;
 create table src_autho_test (key STRING, value STRING) ;
 
 set hive.security.authorization.enabled=true;
+
+--select dummy table
+select 1;
+
 set  role ADMIN; 
 --table grant to user
 

http://git-wip-us.apache.org/repos/asf/hive/blob/70631bb4/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out 
b/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out
index 44c2fbd..2315fd4 100644
--- a/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out
+++ b/ql/src/test/results/clientpositive/authorization_1_sql_std.q.out
@@ -6,6 +6,17 @@ POSTHOOK: query: create table src_autho_test (key STRING, 
value STRING)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: database:default
 POSTHOOK: Output: default@src_autho_test
+PREHOOK: query: --select dummy table
+select 1
+PREHOOK: type: QUERY
+PREHOOK: Input: _dummy_database@_dummy_table
+#### A masked pattern was here ####
+POSTHOOK: query: --select dummy table
+select 1
+POSTHOOK: type: QUERY
+POSTHOOK: Input: _dummy_database@_dummy_table
+#### A masked pattern was here ####
+1
 PREHOOK: query: set  role ADMIN
 PREHOOK: type: SHOW_ROLES
 POSTHOOK: query: set  role ADMIN
