Repository: hive Updated Branches: refs/heads/branch-2.3 2fe5186a3 -> 12d2b2dbf
HIVE-20420: Provide a fallback authorizer when no other authorizer is in use (Daniel Dai, reviewed by Laszlo Pinter, Thejas Nair) Signed-off-by: Thejas M Nair <the...@hortonworks.com> Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/12d2b2db Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/12d2b2db Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/12d2b2db Branch: refs/heads/branch-2.3 Commit: 12d2b2dbf56d9a41d954487a70e99e9cdbcd8884 Parents: 2fe5186 Author: Daniel Dai <dai...@gmail.com> Authored: Tue Oct 23 16:30:41 2018 -0700 Committer: Daniel Dai <dai...@gmail.com> Committed: Tue Oct 23 16:35:15 2018 -0700 ---------------------------------------------------------------------- ql/pom.xml | 13 + .../plugin/SettableConfigUpdater.java | 2 +- .../plugin/fallback/FallbackHiveAuthorizer.java | 253 +++++++++++++++++++ .../fallback/FallbackHiveAuthorizerFactory.java | 36 +++ .../clientnegative/fallbackauth_addjar.q | 4 + .../clientnegative/fallbackauth_compile.q | 9 + .../clientnegative/fallbackauth_create_func1.q | 5 + .../clientnegative/fallbackauth_create_func2.q | 6 + .../queries/clientnegative/fallbackauth_dfs.q | 4 + .../fallbackauth_disallow_transform.q | 6 + .../queries/clientnegative/fallbackauth_load.q | 15 ++ .../fallbackauth_set_invalidconf.q | 8 + .../clientnegative/fallbackauth_addjar.q.out | 1 + .../clientnegative/fallbackauth_compile.q.out | 1 + .../fallbackauth_create_func1.q.out | 1 + .../fallbackauth_create_func2.q.out | 1 + .../clientnegative/fallbackauth_dfs.q.out | 1 + .../fallbackauth_disallow_transform.q.out | 16 ++ .../clientnegative/fallbackauth_load.q.out | 9 + .../fallbackauth_set_invalidconf.q.out | 7 + 20 files changed, 397 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/pom.xml ---------------------------------------------------------------------- diff --git a/ql/pom.xml b/ql/pom.xml index 773aed2..6b7e999 100644 --- a/ql/pom.xml +++ b/ql/pom.xml @@ -812,6 +812,19 @@ <classifier>core</classifier> </configuration> </execution> + <execution> + <id>fallbackauthorizer-jar</id> + <phase>package</phase> + <goals> + <goal>jar</goal> + </goals> + <configuration> + <classifier>fallbackauthorizer</classifier> + <includes> + <include>org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/*.class</include> + </includes> + </configuration> + </execution> </executions> </plugin> <plugin> http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java index 3d8b0cf..7f6f84b 100644 --- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/SettableConfigUpdater.java @@ -63,7 +63,7 @@ public class SettableConfigUpdater { // if admin has already customized this list, honor that String curBlackList = hiveConf.getVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST); if (curBlackList == null || curBlackList.trim().isEmpty()) { - hiveConf.setVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST, "reflect,reflect2,java_method"); + hiveConf.setVar(ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST, "reflect,reflect2,java_method,in_file"); } } http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java new file mode 100644 index 0000000..10cf4d4 --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizer.java @@ -0,0 +1,253 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hive.ql.security.authorization.plugin.fallback; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.ql.parse.SemanticException; +import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.AbstractHiveAuthorizer; +import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant; +import org.apache.hadoop.hive.ql.security.authorization.plugin.SettableConfigUpdater; +import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.Operation2Privilege; +import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLAuthorizationUtils; +import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLPrivTypeGrant; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +public class FallbackHiveAuthorizer extends AbstractHiveAuthorizer { + private static final Log LOG = LogFactory.getLog(FallbackHiveAuthorizer.class); + + private final HiveAuthzSessionContext sessionCtx; + private final HiveAuthenticationProvider authenticator; + private String[] admins = null; + + FallbackHiveAuthorizer(HiveConf hiveConf, HiveAuthenticationProvider hiveAuthenticator, + HiveAuthzSessionContext ctx) { + this.authenticator = hiveAuthenticator; + this.sessionCtx = applyTestSettings(ctx, hiveConf); + String adminString = hiveConf.getVar(HiveConf.ConfVars.USERS_IN_ADMIN_ROLE); + if (adminString != null) { + admins = hiveConf.getVar(HiveConf.ConfVars.USERS_IN_ADMIN_ROLE).split(","); + } + } + + /** + * Change the session context based on configuration to aid in testing of sql + * std auth + * + * @param ctx + * @param conf + * @return + */ + static HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext ctx, HiveConf conf) { + if (conf.getBoolVar(HiveConf.ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE) + && ctx.getClientType() == HiveAuthzSessionContext.CLIENT_TYPE.HIVECLI) { + // create new session ctx object with HS2 as client type + HiveAuthzSessionContext.Builder ctxBuilder = new HiveAuthzSessionContext.Builder(ctx); + ctxBuilder.setClientType(HiveAuthzSessionContext.CLIENT_TYPE.HIVESERVER2); + return ctxBuilder.build(); + } + return ctx; + } + + @Override + public VERSION getVersion() { + return VERSION.V1; + } + + @Override + public void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges, + HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean + grantOption) throws HiveAuthzPluginException { + throw new HiveAuthzPluginException("grantPrivileges not implemented in FallbackHiveAuthorizer"); + } + + @Override + public void revokePrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges, + HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean + grantOption) throws HiveAuthzPluginException { + throw new HiveAuthzPluginException("revokePrivileges not implemented in FallbackHiveAuthorizer"); + } + + @Override + public void createRole(String roleName, HivePrincipal adminGrantor) throws HiveAuthzPluginException { + throw new HiveAuthzPluginException("createRole not implemented in FallbackHiveAuthorizer"); + } + + @Override + public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException { + throw new HiveAuthzPluginException("dropRole not implemented in FallbackHiveAuthorizer"); + } + + @Override + public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) throws HiveAuthzPluginException, + HiveAccessControlException { + throw new HiveAuthzPluginException("getPrincipalGrantInfoForRole not implemented in FallbackHiveAuthorizer"); + } + + @Override + public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal) throws HiveAuthzPluginException, + HiveAccessControlException { + throw new HiveAuthzPluginException("getRoleGrantInfoForPrincipal not implemented in FallbackHiveAuthorizer"); + } + + @Override + public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption, HivePrincipal + grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException { + throw new HiveAuthzPluginException("grantRole not implemented in FallbackHiveAuthorizer"); + } + + @Override + public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption, HivePrincipal + grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException { + throw new HiveAuthzPluginException("revokeRole not implemented in FallbackHiveAuthorizer"); + } + + @Override + public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputHObjs, + List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws + HiveAuthzPluginException, HiveAccessControlException { + String userName = authenticator.getUserName(); + // check privileges on input and output objects + List<String> deniedMessages = new ArrayList<>(); + checkPrivileges(hiveOpType, inputHObjs, userName, Operation2Privilege.IOType.INPUT, deniedMessages); + checkPrivileges(hiveOpType, outputHObjs, userName, Operation2Privilege.IOType.OUTPUT, deniedMessages); + + SQLAuthorizationUtils.assertNoDeniedPermissions(new HivePrincipal(userName, + HivePrincipal.HivePrincipalType.USER), hiveOpType, deniedMessages); + } + + // Adapted from SQLStdHiveAuthorizationValidator, only check privileges for LOAD/ADD/DFS/COMPILE and admin privileges + private void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> hiveObjects, + String userName, Operation2Privilege.IOType ioType, List<String> deniedMessages) { + + if (hiveObjects == null) { + return; + } + if (admins != null && Arrays.stream(admins).parallel().anyMatch(n -> n.equals(userName))) { + return; // Skip rest of checks if user is admin + } + + // Special-casing for ADMIN-level operations that do not require object checking. + if (Operation2Privilege.isAdminPrivOperation(hiveOpType)) { + // Require ADMIN privilege + deniedMessages.add(SQLPrivTypeGrant.ADMIN_PRIV.toString() + " on " + ioType); + return; // Ignore object, fail if not admin, succeed if admin. + } + + boolean needAdmin = false; + for (HivePrivilegeObject hiveObj : hiveObjects) { + // If involving local file system + if (hiveObj.getType() == HivePrivilegeObject.HivePrivilegeObjectType.LOCAL_URI) { + needAdmin = true; + break; + } + } + if (!needAdmin) { + switch (hiveOpType) { + case ADD: + case DFS: + case COMPILE: + needAdmin = true; + break; + default: + break; + } + } + if (needAdmin) { + deniedMessages.add("ADMIN"); + } + } + + @Override + public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs, HiveAuthzContext context) { + return listObjs; + } + + @Override + public List<String> getAllRoles() throws HiveAuthzPluginException { + throw new HiveAuthzPluginException("getAllRoles not implemented in FallbackHiveAuthorizer"); + } + + @Override + public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) throws + HiveAuthzPluginException { + throw new HiveAuthzPluginException("showPrivileges not implemented in FallbackHiveAuthorizer"); + } + + @Override + public void setCurrentRole(String roleName) throws HiveAuthzPluginException { + throw new HiveAuthzPluginException("setCurrentRole not implemented in FallbackHiveAuthorizer"); + } + + @Override + public List<String> getCurrentRoleNames() throws HiveAuthzPluginException { + throw new HiveAuthzPluginException("getCurrentRoleNames not implemented in FallbackHiveAuthorizer"); + } + + @Override + public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException { + // from SQLStdHiveAccessController.applyAuthorizationConfigPolicy() + if (sessionCtx.getClientType() == HiveAuthzSessionContext.CLIENT_TYPE.HIVESERVER2 + && hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) { + + // Configure PREEXECHOOKS with DisallowTransformHook to disallow transform queries + String hooks = hiveConf.getVar(HiveConf.ConfVars.PREEXECHOOKS).trim(); + if (hooks.isEmpty()) { + hooks = DisallowTransformHook.class.getName(); + } else { + hooks = hooks + "," + DisallowTransformHook.class.getName(); + } + LOG.debug("Configuring hooks : " + hooks); + hiveConf.setVar(HiveConf.ConfVars.PREEXECHOOKS, hooks); + + SettableConfigUpdater.setHiveConfWhiteList(hiveConf); + String curBlackList = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST); + if (curBlackList != null && curBlackList.trim().equals("reflect,reflect2,java_method")) { + hiveConf.setVar(HiveConf.ConfVars.HIVE_SERVER2_BUILTIN_UDF_BLACKLIST, "reflect,reflect2,java_method,in_file"); + } + + } + } + + @Override + public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext context, List<HivePrivilegeObject> + privObjs) throws SemanticException { + return privObjs; + } + + @Override + public boolean needTransform() { + return false; + } +} http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizerFactory.java ---------------------------------------------------------------------- diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizerFactory.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizerFactory.java new file mode 100644 index 0000000..4dae8d3 --- /dev/null +++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/fallback/FallbackHiveAuthorizerFactory.java @@ -0,0 +1,36 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hive.ql.security.authorization.plugin.fallback; + +import org.apache.hadoop.hive.conf.HiveConf; +import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory; + +public class FallbackHiveAuthorizerFactory implements HiveAuthorizerFactory { + @Override + public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, + HiveConf conf, HiveAuthenticationProvider authenticator, + HiveAuthzSessionContext ctx) { + return new FallbackHiveAuthorizer(conf, authenticator, ctx); + } +} http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/queries/clientnegative/fallbackauth_addjar.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientnegative/fallbackauth_addjar.q b/ql/src/test/queries/clientnegative/fallbackauth_addjar.q new file mode 100644 index 0000000..c91d28f --- /dev/null +++ b/ql/src/test/queries/clientnegative/fallbackauth_addjar.q @@ -0,0 +1,4 @@ +set hive.security.authorization.enabled=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory; + +add jar dummy.jar http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/queries/clientnegative/fallbackauth_compile.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientnegative/fallbackauth_compile.q b/ql/src/test/queries/clientnegative/fallbackauth_compile.q new file mode 100644 index 0000000..bf62264 --- /dev/null +++ b/ql/src/test/queries/clientnegative/fallbackauth_compile.q @@ -0,0 +1,9 @@ +set hive.security.authorization.enabled=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory; + +compile `import org.apache.hadoop.hive.ql.exec.UDF \; +public class Pyth extends UDF { + public double evaluate(double a, double b){ + return Math.sqrt((a*a) + (b*b)) \; + } +} ` AS GROOVY NAMED Pyth.groovy; http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/queries/clientnegative/fallbackauth_create_func1.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientnegative/fallbackauth_create_func1.q b/ql/src/test/queries/clientnegative/fallbackauth_create_func1.q new file mode 100644 index 0000000..7d4fd42 --- /dev/null +++ b/ql/src/test/queries/clientnegative/fallbackauth_create_func1.q @@ -0,0 +1,5 @@ +set hive.security.authorization.enabled=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory; + +-- permanent function creation should fail for non-admin roles +create function perm_fn as 'org.apache.hadoop.hive.ql.udf.UDFAscii'; http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/queries/clientnegative/fallbackauth_create_func2.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientnegative/fallbackauth_create_func2.q b/ql/src/test/queries/clientnegative/fallbackauth_create_func2.q new file mode 100644 index 0000000..fc371d9 --- /dev/null +++ b/ql/src/test/queries/clientnegative/fallbackauth_create_func2.q @@ -0,0 +1,6 @@ +set hive.security.authorization.enabled=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory; + +-- temp function creation should fail for non-admin roles +create temporary function temp_fn as 'org.apache.hadoop.hive.ql.udf.UDFAscii'; + http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/queries/clientnegative/fallbackauth_dfs.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientnegative/fallbackauth_dfs.q b/ql/src/test/queries/clientnegative/fallbackauth_dfs.q new file mode 100644 index 0000000..da0ac80 --- /dev/null +++ b/ql/src/test/queries/clientnegative/fallbackauth_dfs.q @@ -0,0 +1,4 @@ +set hive.security.authorization.enabled=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory; + +dfs -ls; http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/queries/clientnegative/fallbackauth_disallow_transform.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientnegative/fallbackauth_disallow_transform.q b/ql/src/test/queries/clientnegative/fallbackauth_disallow_transform.q new file mode 100644 index 0000000..eb9f680 --- /dev/null +++ b/ql/src/test/queries/clientnegative/fallbackauth_disallow_transform.q @@ -0,0 +1,6 @@ +set hive.test.authz.sstd.hs2.mode=true; +set hive.security.authorization.enabled=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory; + +create table t1(i int); +SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM t1; http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/queries/clientnegative/fallbackauth_load.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientnegative/fallbackauth_load.q b/ql/src/test/queries/clientnegative/fallbackauth_load.q new file mode 100644 index 0000000..10db24c --- /dev/null +++ b/ql/src/test/queries/clientnegative/fallbackauth_load.q @@ -0,0 +1,15 @@ +set hive.security.authorization.enabled=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory; + +!cp ../../data/files/kv1.txt .; + +create table fallbackauthload(c1 string, c2 string); + +!chmod 777 kv1.txt; +load data local inpath 'kv1.txt' into table fallbackauthload; + +!chmod 755 kv1.txt; +load data local inpath 'kv1.txt' into table fallbackauthload; + +!rm kv1.txt; +drop table fallbackauthload; http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/queries/clientnegative/fallbackauth_set_invalidconf.q ---------------------------------------------------------------------- diff --git a/ql/src/test/queries/clientnegative/fallbackauth_set_invalidconf.q b/ql/src/test/queries/clientnegative/fallbackauth_set_invalidconf.q new file mode 100644 index 0000000..4ebf276 --- /dev/null +++ b/ql/src/test/queries/clientnegative/fallbackauth_set_invalidconf.q @@ -0,0 +1,8 @@ +set hive.test.authz.sstd.hs2.mode=true; +set hive.security.authorization.enabled=true; +set hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.fallback.FallbackHiveAuthorizerFactory; + +-- run a sql query to initialize authorization, then try setting a allowed config and then a disallowed config param +use default; +set hive.optimize.listbucketing=true; +set hive.security.authorization.enabled=true; http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/results/clientnegative/fallbackauth_addjar.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientnegative/fallbackauth_addjar.q.out b/ql/src/test/results/clientnegative/fallbackauth_addjar.q.out new file mode 100644 index 0000000..2aae669 --- /dev/null +++ b/ql/src/test/results/clientnegative/fallbackauth_addjar.q.out @@ -0,0 +1 @@ +Query returned non-zero code: 1, cause: Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation ADD [ADMIN] http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/results/clientnegative/fallbackauth_compile.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientnegative/fallbackauth_compile.q.out b/ql/src/test/results/clientnegative/fallbackauth_compile.q.out new file mode 100644 index 0000000..5699efe --- /dev/null +++ b/ql/src/test/results/clientnegative/fallbackauth_compile.q.out @@ -0,0 +1 @@ +Query returned non-zero code: 1, cause: Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation COMPILE [ADMIN] http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/results/clientnegative/fallbackauth_create_func1.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientnegative/fallbackauth_create_func1.q.out b/ql/src/test/results/clientnegative/fallbackauth_create_func1.q.out new file mode 100644 index 0000000..b2532eb --- /dev/null +++ b/ql/src/test/results/clientnegative/fallbackauth_create_func1.q.out @@ -0,0 +1 @@ +FAILED: HiveAccessControlException Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation CREATEFUNCTION [ADMIN PRIVILEGE on INPUT, ADMIN PRIVILEGE on OUTPUT] http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/results/clientnegative/fallbackauth_create_func2.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientnegative/fallbackauth_create_func2.q.out b/ql/src/test/results/clientnegative/fallbackauth_create_func2.q.out new file mode 100644 index 0000000..b2532eb --- /dev/null +++ b/ql/src/test/results/clientnegative/fallbackauth_create_func2.q.out @@ -0,0 +1 @@ +FAILED: HiveAccessControlException Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation CREATEFUNCTION [ADMIN PRIVILEGE on INPUT, ADMIN PRIVILEGE on OUTPUT] http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/results/clientnegative/fallbackauth_dfs.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientnegative/fallbackauth_dfs.q.out b/ql/src/test/results/clientnegative/fallbackauth_dfs.q.out new file mode 100644 index 0000000..9f4a71b --- /dev/null +++ b/ql/src/test/results/clientnegative/fallbackauth_dfs.q.out @@ -0,0 +1 @@ +Query returned non-zero code: 1, cause: Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation DFS [ADMIN] http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/results/clientnegative/fallbackauth_disallow_transform.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientnegative/fallbackauth_disallow_transform.q.out b/ql/src/test/results/clientnegative/fallbackauth_disallow_transform.q.out new file mode 100644 index 0000000..1ac04db --- /dev/null +++ b/ql/src/test/results/clientnegative/fallbackauth_disallow_transform.q.out @@ -0,0 +1,16 @@ +PREHOOK: query: create table t1(i int) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +PREHOOK: Output: default@t1 +POSTHOOK: query: create table t1(i int) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@t1 +PREHOOK: query: SELECT TRANSFORM (*) USING 'cat' AS (key, value) FROM t1 +PREHOOK: type: QUERY +PREHOOK: Input: default@t1 +#### A masked pattern was here #### +FAILED: Hive Internal Error: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException(Query with transform clause is disallowed in current configuration.) +org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Query with transform clause is disallowed in current configuration. +#### A masked pattern was here #### + http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/results/clientnegative/fallbackauth_load.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientnegative/fallbackauth_load.q.out b/ql/src/test/results/clientnegative/fallbackauth_load.q.out new file mode 100644 index 0000000..d2bcafc --- /dev/null +++ b/ql/src/test/results/clientnegative/fallbackauth_load.q.out @@ -0,0 +1,9 @@ +PREHOOK: query: create table fallbackauthload(c1 string, c2 string) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +PREHOOK: Output: default@fallbackauthload +POSTHOOK: query: create table fallbackauthload(c1 string, c2 string) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@fallbackauthload +FAILED: HiveAccessControlException Permission denied: Principal [name=hive_test_user, type=USER] does not have following privileges for operation LOAD [ADMIN] http://git-wip-us.apache.org/repos/asf/hive/blob/12d2b2db/ql/src/test/results/clientnegative/fallbackauth_set_invalidconf.q.out ---------------------------------------------------------------------- diff --git a/ql/src/test/results/clientnegative/fallbackauth_set_invalidconf.q.out b/ql/src/test/results/clientnegative/fallbackauth_set_invalidconf.q.out new file mode 100644 index 0000000..dd6092b --- /dev/null +++ b/ql/src/test/results/clientnegative/fallbackauth_set_invalidconf.q.out @@ -0,0 +1,7 @@ +PREHOOK: query: use default +PREHOOK: type: SWITCHDATABASE +PREHOOK: Input: database:default +POSTHOOK: query: use default +POSTHOOK: type: SWITCHDATABASE +POSTHOOK: Input: database:default +Query returned non-zero code: 1, cause: Cannot modify hive.security.authorization.enabled at runtime. It is not in list of params that are allowed to be modified at runtime