Repository: hive
Updated Branches:
  refs/heads/branch-2.3 2fe5186a3 -> 12d2b2dbf


HIVE-20420: Provide a fallback authorizer when no other authorizer is in use 
(Daniel Dai, reviewed by Laszlo Pinter, Thejas Nair)

Signed-off-by: Thejas M Nair <the...@hortonworks.com>


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/12d2b2db
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/12d2b2db
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/12d2b2db

Branch: refs/heads/branch-2.3
Commit: 12d2b2dbf56d9a41d954487a70e99e9cdbcd8884
Parents: 2fe5186
Author: Daniel Dai <dai...@gmail.com>
Authored: Tue Oct 23 16:30:41 2018 -0700
Committer: Daniel Dai <dai...@gmail.com>
Committed: Tue Oct 23 16:35:15 2018 -0700

----------------------------------------------------------------------
 ql/pom.xml                                      |  13 +
 .../plugin/SettableConfigUpdater.java           |   2 +-
 .../plugin/fallback/FallbackHiveAuthorizer.java | 253 +++++++++++++++++++
 .../fallback/FallbackHiveAuthorizerFactory.java |  36 +++
 .../clientnegative/fallbackauth_addjar.q        |   4 +
 .../clientnegative/fallbackauth_compile.q       |   9 +
 .../clientnegative/fallbackauth_create_func1.q  |   5 +
 .../clientnegative/fallbackauth_create_func2.q  |   6 +
 .../queries/clientnegative/fallbackauth_dfs.q   |   4 +
 .../fallbackauth_disallow_transform.q           |   6 +
 .../queries/clientnegative/fallbackauth_load.q  |  15 ++
 .../fallbackauth_set_invalidconf.q              |   8 +
 .../clientnegative/fallbackauth_addjar.q.out    |   1 +
 .../clientnegative/fallbackauth_compile.q.out   |   1 +
 .../fallbackauth_create_func1.q.out             |   1 +
 .../fallbackauth_create_func2.q.out             |   1 +
 .../clientnegative/fallbackauth_dfs.q.out       |   1 +
 .../fallbackauth_disallow_transform.q.out       |  16 ++
 .../clientnegative/fallbackauth_load.q.out      |   9 +
 .../fallbackauth_set_invalidconf.q.out          |   7 +
 20 files changed, 397 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/pom.xml
----------------------------------------------------------------------
diff --git a/ql/pom.xml b/ql/pom.xml
index 773aed2..6b7e999 100644
--- a/ql/pom.xml
+++ b/ql/pom.xml
@@ -812,6 +812,19 @@
               <classifier>core</classifier>
             </configuration>
           </execution>
+          <execution>
+            <id>fallbackauthorizer-jar</id>
+            <phase>package</phase>
+            <goals>
+              <goal>jar</goal>
+            </goals>
+            <configuration>
+              <classifier>fallbackauthorizer</classifier>
+              <includes>
+                
<include>org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/*.class</include>
+              </includes>
+            </configuration>
+          </execution>
         </executions>
       </plugin>
       <plugin>

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java
----------------------------------------------------------------------
diff --git 
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java
 
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java
index 3d8b0cf..7f6f84b 100644
--- 
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java
+++ 
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java
@@ -63,7 +63,7 @@ public class SettableConfigUpdater {
     // if admin has already customized this list, honor that
     String curBlackList = 
hiveConf.getVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST);
     if (curBlackList == null || curBlackList.trim().isEmpty()) {
-      hiveConf.setVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST, 
"reflect,reflect2,java_method");
+      hiveConf.setVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST, 
"reflect,reflect2,java_method,in_file");
     }
   }
 

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java
----------------------------------------------------------------------
diff --git 
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java
 
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java
new file mode 100644
index 0000000..10cf4d4
--- /dev/null
+++ 
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java
@@ -0,0 +1,253 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.fallback;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.parse.SemanticException;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.AbstractHiveAuthorizer;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.SettableConfigUpdater;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.Operation2Privilege;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLAuthorizationUtils;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLPrivTypeGrant;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+public class FallbackHiveAuthorizer extends AbstractHiveAuthorizer {
+  private static final Log LOG = 
LogFactory.getLog(FallbackHiveAuthorizer.class);
+
+  private final HiveAuthzSessionContext sessionCtx;
+  private final HiveAuthenticationProvider authenticator;
+  private String[] admins = null;
+
+  FallbackHiveAuthorizer(HiveConf hiveConf, HiveAuthenticationProvider 
hiveAuthenticator,
+                                HiveAuthzSessionContext ctx) {
+    this.authenticator = hiveAuthenticator;
+    this.sessionCtx = applyTestSettings(ctx, hiveConf);
+    String adminString = 
hiveConf.getVar(HiveConf.ConfVars.USERS_IN_ADMIN_ROLE);
+    if (adminString != null) {
+      admins = 
hiveConf.getVar(HiveConf.ConfVars.USERS_IN_ADMIN_ROLE).split(",");
+    }
+  }
+
+  /**
+   * Change the session context based on configuration to aid in testing of sql
+   * std auth
+   *
+   * @param ctx
+   * @param conf
+   * @return
+   */
+  static HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext 
ctx, HiveConf conf) {
+    if 
(conf.getBoolVar(HiveConf.ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE)
+            && ctx.getClientType() == 
HiveAuthzSessionContext.CLIENT_TYPE.HIVECLI) {
+      // create new session ctx object with HS2 as client type
+      HiveAuthzSessionContext.Builder ctxBuilder = new 
HiveAuthzSessionContext.Builder(ctx);
+      
ctxBuilder.setClientType(HiveAuthzSessionContext.CLIENT_TYPE.HIVESERVER2);
+      return ctxBuilder.build();
+    }
+    return ctx;
+  }
+
+  @Override
+  public VERSION getVersion() {
+    return VERSION.V1;
+  }
+
+  @Override
+  public void grantPrivileges(List<HivePrincipal> hivePrincipals, 
List<HivePrivilege> hivePrivileges,
+                              HivePrivilegeObject hivePrivObject, 
HivePrincipal grantorPrincipal, boolean
+                                        grantOption) throws 
HiveAuthzPluginException {
+    throw new HiveAuthzPluginException("grantPrivileges not implemented in 
FallbackHiveAuthorizer");
+  }
+
+  @Override
+  public void revokePrivileges(List<HivePrincipal> hivePrincipals, 
List<HivePrivilege> hivePrivileges,
+                               HivePrivilegeObject hivePrivObject, 
HivePrincipal grantorPrincipal, boolean
+                                         grantOption) throws 
HiveAuthzPluginException {
+    throw new HiveAuthzPluginException("revokePrivileges not implemented in 
FallbackHiveAuthorizer");
+  }
+
+  @Override
+  public void createRole(String roleName, HivePrincipal adminGrantor) throws 
HiveAuthzPluginException {
+    throw new HiveAuthzPluginException("createRole not implemented in 
FallbackHiveAuthorizer");
+  }
+
+  @Override
+  public void dropRole(String roleName) throws HiveAuthzPluginException, 
HiveAccessControlException {
+    throw new HiveAuthzPluginException("dropRole not implemented in 
FallbackHiveAuthorizer");
+  }
+
+  @Override
+  public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) 
throws HiveAuthzPluginException,
+          HiveAccessControlException {
+    throw new HiveAuthzPluginException("getPrincipalGrantInfoForRole not 
implemented in FallbackHiveAuthorizer");
+  }
+
+  @Override
+  public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal 
principal) throws HiveAuthzPluginException,
+          HiveAccessControlException {
+    throw new HiveAuthzPluginException("getRoleGrantInfoForPrincipal not 
implemented in FallbackHiveAuthorizer");
+  }
+
+  @Override
+  public void grantRole(List<HivePrincipal> hivePrincipals, List<String> 
roles, boolean grantOption, HivePrincipal
+          grantorPrinc) throws HiveAuthzPluginException, 
HiveAccessControlException {
+    throw new HiveAuthzPluginException("grantRole not implemented in 
FallbackHiveAuthorizer");
+  }
+
+  @Override
+  public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> 
roles, boolean grantOption, HivePrincipal
+          grantorPrinc) throws HiveAuthzPluginException, 
HiveAccessControlException {
+    throw new HiveAuthzPluginException("revokeRole not implemented in 
FallbackHiveAuthorizer");
+  }
+
+  @Override
+  public void checkPrivileges(HiveOperationType hiveOpType, 
List<HivePrivilegeObject> inputHObjs,
+                              List<HivePrivilegeObject> outputHObjs, 
HiveAuthzContext context) throws
+          HiveAuthzPluginException, HiveAccessControlException {
+    String userName = authenticator.getUserName();
+    // check privileges on input and output objects
+    List<String> deniedMessages = new ArrayList<>();
+    checkPrivileges(hiveOpType, inputHObjs, userName, 
Operation2Privilege.IOType.INPUT, deniedMessages);
+    checkPrivileges(hiveOpType, outputHObjs, userName, 
Operation2Privilege.IOType.OUTPUT, deniedMessages);
+
+    SQLAuthorizationUtils.assertNoDeniedPermissions(new HivePrincipal(userName,
+            HivePrincipal.HivePrincipalType.USER), hiveOpType, deniedMessages);
+  }
+
+  // Adapted from SQLStdHiveAuthorizationValidator, only check privileges for 
LOAD/ADD/DFS/COMPILE and admin privileges
+  private void checkPrivileges(HiveOperationType hiveOpType, 
List<HivePrivilegeObject> hiveObjects,
+                               String userName, Operation2Privilege.IOType 
ioType, List<String> deniedMessages) {
+
+    if (hiveObjects == null) {
+      return;
+    }
+    if (admins != null && Arrays.stream(admins).parallel().anyMatch(n -> 
n.equals(userName))) {
+      return; // Skip rest of checks if user is admin
+    }
+
+    // Special-casing for ADMIN-level operations that do not require object 
checking.
+    if (Operation2Privilege.isAdminPrivOperation(hiveOpType)) {
+      // Require ADMIN privilege
+      deniedMessages.add(SQLPrivTypeGrant.ADMIN_PRIV.toString() + " on " + 
ioType);
+      return; // Ignore object, fail if not admin, succeed if admin.
+    }
+
+    boolean needAdmin = false;
+    for (HivePrivilegeObject hiveObj : hiveObjects) {
+      // If involving local file system
+      if (hiveObj.getType() == 
HivePrivilegeObject.HivePrivilegeObjectType.LOCAL_URI) {
+        needAdmin = true;
+        break;
+      }
+    }
+    if (!needAdmin) {
+      switch (hiveOpType) {
+        case ADD:
+        case DFS:
+        case COMPILE:
+          needAdmin = true;
+          break;
+        default:
+          break;
+      }
+    }
+    if (needAdmin) {
+      deniedMessages.add("ADMIN");
+    }
+  }
+
+  @Override
+  public List<HivePrivilegeObject> 
filterListCmdObjects(List<HivePrivilegeObject> listObjs, HiveAuthzContext 
context) {
+    return listObjs;
+  }
+
+  @Override
+  public List<String> getAllRoles() throws HiveAuthzPluginException {
+    throw new HiveAuthzPluginException("getAllRoles not implemented in 
FallbackHiveAuthorizer");
+  }
+
+  @Override
+  public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, 
HivePrivilegeObject privObj) throws
+          HiveAuthzPluginException {
+    throw new HiveAuthzPluginException("showPrivileges not implemented in 
FallbackHiveAuthorizer");
+  }
+
+  @Override
+  public void setCurrentRole(String roleName) throws HiveAuthzPluginException {
+    throw new HiveAuthzPluginException("setCurrentRole not implemented in 
FallbackHiveAuthorizer");
+  }
+
+  @Override
+  public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
+    throw new HiveAuthzPluginException("getCurrentRoleNames not implemented in 
FallbackHiveAuthorizer");
+  }
+
+  @Override
+  public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws 
HiveAuthzPluginException {
+    // from SQLStdHiveAccessController.applyAuthorizationConfigPolicy()
+    if (sessionCtx.getClientType() == 
HiveAuthzSessionContext.CLIENT_TYPE.HIVESERVER2
+            && 
hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
+
+      // Configure PREEXECHOOKS with DisallowTransformHook to disallow 
transform queries
+      String hooks = hiveConf.getVar(HiveConf.ConfVars.PREEXECHOOKS).trim();
+      if (hooks.isEmpty()) {
+        hooks = DisallowTransformHook.class.getName();
+      } else {
+        hooks = hooks + "," + DisallowTransformHook.class.getName();
+      }
+      LOG.debug("Configuring hooks : " + hooks);
+      hiveConf.setVar(HiveConf.ConfVars.PREEXECHOOKS, hooks);
+
+      SettableConfigUpdater.setHiveConfWhiteList(hiveConf);
+      String curBlackList = 
hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST);
+      if (curBlackList != null && 
curBlackList.trim().equals("reflect,reflect2,java_method")) {
+        hiveConf.setVar(HiveConf.ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST, 
"reflect,reflect2,java_method,in_file");
+      }
+
+    }
+  }
+
+  @Override
+  public List<HivePrivilegeObject> 
applyRowFilterAndColumnMasking(HiveAuthzContext context, 
List<HivePrivilegeObject>
+          privObjs) throws SemanticException {
+    return privObjs;
+  }
+
+  @Override
+  public boolean needTransform() {
+    return false;
+  }
+}

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizerFactory.java
----------------------------------------------------------------------
diff --git 
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizerFactory.java
 
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizerFactory.java
new file mode 100644
index 0000000..4dae8d3
--- /dev/null
+++ 
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizerFactory.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.ql.security.authorization.plugin.fallback;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import 
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
+
+public class FallbackHiveAuthorizerFactory implements HiveAuthorizerFactory {
+  @Override
+  public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory 
metastoreClientFactory,
+                                             HiveConf conf, 
HiveAuthenticationProvider authenticator,
+                                             HiveAuthzSessionContext ctx) {
+    return new FallbackHiveAuthorizer(conf, authenticator, ctx);
+  }
+}

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/queries/clientnegative/fallbackauth_addjar.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/fallbackauth_addjar.q 
b/ql/src/test/queries/clientnegative/fallbackauth_addjar.q
new file mode 100644
index 0000000..c91d28f
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/fallbackauth_addjar.q
@@ -0,0 +1,4 @@
+set hive.security.authorization.enabled=true;
+set 
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
+
+add jar dummy.jar

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/queries/clientnegative/fallbackauth_compile.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/fallbackauth_compile.q 
b/ql/src/test/queries/clientnegative/fallbackauth_compile.q
new file mode 100644
index 0000000..bf62264
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/fallbackauth_compile.q
@@ -0,0 +1,9 @@
+set hive.security.authorization.enabled=true;
+set 
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
+
+compile `import org.apache.hadoop.hive.ql.exec.UDF \;
+public class Pyth extends UDF {
+  public double evaluate(double a, double b){
+    return Math.sqrt((a*a) + (b*b)) \;
+  }
+} ` AS GROOVY NAMED Pyth.groovy;

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/queries/clientnegative/fallbackauth_create_func1.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/fallbackauth_create_func1.q 
b/ql/src/test/queries/clientnegative/fallbackauth_create_func1.q
new file mode 100644
index 0000000..7d4fd42
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/fallbackauth_create_func1.q
@@ -0,0 +1,5 @@
+set hive.security.authorization.enabled=true;
+set 
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
+
+-- permanent function creation should fail for non-admin roles
+create function perm_fn as 'org.apache.hadoop.hive.ql.udf.UDFAscii';

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/queries/clientnegative/fallbackauth_create_func2.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/fallbackauth_create_func2.q 
b/ql/src/test/queries/clientnegative/fallbackauth_create_func2.q
new file mode 100644
index 0000000..fc371d9
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/fallbackauth_create_func2.q
@@ -0,0 +1,6 @@
+set hive.security.authorization.enabled=true;
+set 
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
+
+-- temp function creation should fail for non-admin roles
+create temporary function temp_fn as 'org.apache.hadoop.hive.ql.udf.UDFAscii';
+

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/queries/clientnegative/fallbackauth_dfs.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/fallbackauth_dfs.q 
b/ql/src/test/queries/clientnegative/fallbackauth_dfs.q
new file mode 100644
index 0000000..da0ac80
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/fallbackauth_dfs.q
@@ -0,0 +1,4 @@
+set hive.security.authorization.enabled=true;
+set 
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
+
+dfs -ls;

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/queries/clientnegative/fallbackauth_disallow_transform.q
----------------------------------------------------------------------
diff --git 
a/ql/src/test/queries/clientnegative/fallbackauth_disallow_transform.q 
b/ql/src/test/queries/clientnegative/fallbackauth_disallow_transform.q
new file mode 100644
index 0000000..eb9f680
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/fallbackauth_disallow_transform.q
@@ -0,0 +1,6 @@
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.security.authorization.enabled=true;
+set 
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
+
+create table t1(i int);
+SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM t1;

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/queries/clientnegative/fallbackauth_load.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/fallbackauth_load.q 
b/ql/src/test/queries/clientnegative/fallbackauth_load.q
new file mode 100644
index 0000000..10db24c
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/fallbackauth_load.q
@@ -0,0 +1,15 @@
+set hive.security.authorization.enabled=true;
+set 
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
+
+!cp ../../data/files/kv1.txt .;
+
+create table fallbackauthload(c1 string, c2 string);
+
+!chmod 777 kv1.txt;
+load data local inpath 'kv1.txt' into table fallbackauthload;
+
+!chmod 755 kv1.txt;
+load data local inpath 'kv1.txt' into table fallbackauthload;
+
+!rm kv1.txt;
+drop table fallbackauthload;

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/queries/clientnegative/fallbackauth_set_invalidconf.q
----------------------------------------------------------------------
diff --git a/ql/src/test/queries/clientnegative/fallbackauth_set_invalidconf.q 
b/ql/src/test/queries/clientnegative/fallbackauth_set_invalidconf.q
new file mode 100644
index 0000000..4ebf276
--- /dev/null
+++ b/ql/src/test/queries/clientnegative/fallbackauth_set_invalidconf.q
@@ -0,0 +1,8 @@
+set hive.test.authz.sstd.hs2.mode=true;
+set hive.security.authorization.enabled=true;
+set 
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory;
+
+-- run a sql query to initialize authorization, then try setting a allowed 
config and then a disallowed config param
+use default;
+set hive.optimize.listbucketing=true;
+set hive.security.authorization.enabled=true;

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/results/clientnegative/fallbackauth_addjar.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/fallbackauth_addjar.q.out 
b/ql/src/test/results/clientnegative/fallbackauth_addjar.q.out
new file mode 100644
index 0000000..2aae669
--- /dev/null
+++ b/ql/src/test/results/clientnegative/fallbackauth_addjar.q.out
@@ -0,0 +1 @@
+Query returned non-zero code: 1, cause: Permission denied: Principal 
[name=hive_test_user, type=USER] does not have following privileges for 
operation ADD [ADMIN]

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/results/clientnegative/fallbackauth_compile.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/fallbackauth_compile.q.out 
b/ql/src/test/results/clientnegative/fallbackauth_compile.q.out
new file mode 100644
index 0000000..5699efe
--- /dev/null
+++ b/ql/src/test/results/clientnegative/fallbackauth_compile.q.out
@@ -0,0 +1 @@
+Query returned non-zero code: 1, cause: Permission denied: Principal 
[name=hive_test_user, type=USER] does not have following privileges for 
operation COMPILE [ADMIN]

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/results/clientnegative/fallbackauth_create_func1.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/fallbackauth_create_func1.q.out 
b/ql/src/test/results/clientnegative/fallbackauth_create_func1.q.out
new file mode 100644
index 0000000..b2532eb
--- /dev/null
+++ b/ql/src/test/results/clientnegative/fallbackauth_create_func1.q.out
@@ -0,0 +1 @@
+FAILED: HiveAccessControlException Permission denied: Principal 
[name=hive_test_user, type=USER] does not have following privileges for 
operation CREATEFUNCTION [ADMIN PRIVILEGE on INPUT, ADMIN PRIVILEGE on OUTPUT]

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/results/clientnegative/fallbackauth_create_func2.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/fallbackauth_create_func2.q.out 
b/ql/src/test/results/clientnegative/fallbackauth_create_func2.q.out
new file mode 100644
index 0000000..b2532eb
--- /dev/null
+++ b/ql/src/test/results/clientnegative/fallbackauth_create_func2.q.out
@@ -0,0 +1 @@
+FAILED: HiveAccessControlException Permission denied: Principal 
[name=hive_test_user, type=USER] does not have following privileges for 
operation CREATEFUNCTION [ADMIN PRIVILEGE on INPUT, ADMIN PRIVILEGE on OUTPUT]

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/results/clientnegative/fallbackauth_dfs.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/fallbackauth_dfs.q.out 
b/ql/src/test/results/clientnegative/fallbackauth_dfs.q.out
new file mode 100644
index 0000000..9f4a71b
--- /dev/null
+++ b/ql/src/test/results/clientnegative/fallbackauth_dfs.q.out
@@ -0,0 +1 @@
+Query returned non-zero code: 1, cause: Permission denied: Principal 
[name=hive_test_user, type=USER] does not have following privileges for 
operation DFS [ADMIN]

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/results/clientnegative/fallbackauth_disallow_transform.q.out
----------------------------------------------------------------------
diff --git 
a/ql/src/test/results/clientnegative/fallbackauth_disallow_transform.q.out 
b/ql/src/test/results/clientnegative/fallbackauth_disallow_transform.q.out
new file mode 100644
index 0000000..1ac04db
--- /dev/null
+++ b/ql/src/test/results/clientnegative/fallbackauth_disallow_transform.q.out
@@ -0,0 +1,16 @@
+PREHOOK: query: create table t1(i int)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+PREHOOK: Output: default@t1
+POSTHOOK: query: create table t1(i int)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@t1
+PREHOOK: query: SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM t1
+PREHOOK: type: QUERY
+PREHOOK: Input: default@t1
+#### A masked pattern was here ####
+FAILED: Hive Internal Error: 
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException(Query
 with transform clause is disallowed in current configuration.)
+org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException:
 Query with transform clause is disallowed in current configuration.
+#### A masked pattern was here ####
+

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/results/clientnegative/fallbackauth_load.q.out
----------------------------------------------------------------------
diff --git a/ql/src/test/results/clientnegative/fallbackauth_load.q.out 
b/ql/src/test/results/clientnegative/fallbackauth_load.q.out
new file mode 100644
index 0000000..d2bcafc
--- /dev/null
+++ b/ql/src/test/results/clientnegative/fallbackauth_load.q.out
@@ -0,0 +1,9 @@
+PREHOOK: query: create table fallbackauthload(c1 string, c2 string)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+PREHOOK: Output: default@fallbackauthload
+POSTHOOK: query: create table fallbackauthload(c1 string, c2 string)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@fallbackauthload
+FAILED: HiveAccessControlException Permission denied: Principal 
[name=hive_test_user, type=USER] does not have following privileges for 
operation LOAD [ADMIN]

http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/results/clientnegative/fallbackauth_set_invalidconf.q.out
----------------------------------------------------------------------
diff --git 
a/ql/src/test/results/clientnegative/fallbackauth_set_invalidconf.q.out 
b/ql/src/test/results/clientnegative/fallbackauth_set_invalidconf.q.out
new file mode 100644
index 0000000..dd6092b
--- /dev/null
+++ b/ql/src/test/results/clientnegative/fallbackauth_set_invalidconf.q.out
@@ -0,0 +1,7 @@
+PREHOOK: query: use default
+PREHOOK: type: SWITCHDATABASE
+PREHOOK: Input: database:default
+POSTHOOK: query: use default
+POSTHOOK: type: SWITCHDATABASE
+POSTHOOK: Input: database:default
+Query returned non-zero code: 1, cause: Cannot modify 
hive.security.authorization.enabled at runtime. It is not in list of params 
that are allowed to be modified at runtime

Reply via email to