This is an automated email from the ASF dual-hosted git repository. kgyrtkirk pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/master by this push: new f53bb7c HIVE-25532: Fixing authorization for Kill Query command. (#2649) (Abhay Chennagiri reviewed by Saihemanth Gantasala and Zoltan Haindrich) f53bb7c is described below commit f53bb7cefe64cd652b48bb802eaf0716f84fa592 Author: achennagiri <77031092+achennag...@users.noreply.github.com> AuthorDate: Wed Oct 13 04:54:09 2021 -0700 HIVE-25532: Fixing authorization for Kill Query command. (#2649) (Abhay Chennagiri reviewed by Saihemanth Gantasala and Zoltan Haindrich) --- .../plugin/TestHiveAuthorizerCheckInvocation.java | 40 +++++++++++++++++++++- .../apache/hive/service/server/KillQueryImpl.java | 7 +++- 2 files changed, 45 insertions(+), 2 deletions(-) diff --git a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java index 13656c5..ee6925d 100644 --- a/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java +++ b/itests/hive-unit/src/test/java/org/apache/hadoop/hive/ql/security/authorization/plugin/TestHiveAuthorizerCheckInvocation.java @@ -40,6 +40,7 @@ import org.apache.hadoop.hive.conf.HiveConf; import org.apache.hadoop.hive.conf.HiveConf.ConfVars; import org.apache.hadoop.hive.metastore.utils.TestTxnDbUtil; import org.apache.hadoop.hive.ql.Driver; +import org.apache.hadoop.hive.ql.QueryState; import org.apache.hadoop.hive.ql.exec.Registry; import org.apache.hadoop.hive.ql.lockmgr.DbTxnManager; import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider; 
@@ -47,6 +48,10 @@ import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator; import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType; import org.apache.hadoop.hive.ql.session.SessionState; import org.apache.hadoop.hive.ql.stats.StatsUtils; +import org.apache.hive.service.cli.operation.OperationManager; +import org.apache.hive.service.server.KillQueryImpl; +import org.apache.hive.service.server.KillQueryZookeeperManager; + import org.junit.AfterClass; import org.junit.BeforeClass; import org.junit.Test; @@ -64,6 +69,7 @@ public class TestHiveAuthorizerCheckInvocation { private final Logger LOG = LoggerFactory.getLogger(this.getClass().getName());; protected static HiveConf conf; protected static Driver driver; + protected static SessionState ss; private static final String tableName = TestHiveAuthorizerCheckInvocation.class.getSimpleName() + "Table"; private static final String viewName = TestHiveAuthorizerCheckInvocation.class.getSimpleName() @@ -102,10 +108,17 @@ public class TestHiveAuthorizerCheckInvocation { conf.setVar(ConfVars.HIVE_TXN_MANAGER, DbTxnManager.class.getName()); conf.setBoolVar(ConfVars.HIVE_QUERY_RESULTS_CACHE_ENABLED, true); conf.setVar(HiveConf.ConfVars.HIVEMAPREDMODE, "nonstrict"); + conf.setBoolVar(ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE, true); + conf.setBoolVar(ConfVars.HIVE_ZOOKEEPER_KILLQUERY_ENABLE, false); TestTxnDbUtil.prepDb(conf); - SessionState.start(conf); + SessionState ss = SessionState.start(conf); + OperationManager operationManager = Mockito.mock(OperationManager.class); + KillQueryZookeeperManager killQueryZookeeperManager = Mockito.mock(KillQueryZookeeperManager.class); + KillQueryImpl killQueryImpl = new KillQueryImpl(operationManager, killQueryZookeeperManager); + ss.setKillQuery(killQueryImpl); + driver = new Driver(conf); runCmd("create table " + tableName + " (i int, j int, k string) partitioned by (city string, `date` string) "); 
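Review bot: The added `SessionState ss = SessionState.start(conf);` in the setup hunk declares a local variable that shadows the `protected static SessionState ss` field introduced in the preceding hunk, so the field is never assigned and stays null for any subclass or later test that reads it. Either assign the field with `ss = SessionState.start(conf);`, or drop the field declaration if nothing outside this method needs the session. The setup method starts and ends outside the hunk, so other uses of `ss` cannot be checked from here.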
@@ -676,4 +689,29 @@ public class TestHiveAuthorizerCheckInvocation { inputsCapturer.getValue(), outputsCapturer.getValue()); } + /** + * Unit test for HIVE-25532. + * Checks if the right privilege objects are being sent when a kill query call is made. + * @throws Exception + */ + @Test + public void testKillQueryAuthorization() throws Exception { + int queryStatus = driver.compile("select " + viewName + ".i, " + tableName + ".city from " + + viewName + " join " + tableName + " on " + viewName + ".city = " + tableName + + ".city where " + tableName + ".k = 'X'", true); + assertEquals(0, queryStatus); + + resetAuthorizer(); + QueryState queryState = driver.getQueryState(); + String queryId = queryState.getQueryId(); + int killQueryStatus = driver.compile("kill query '" + queryId + "'", true); + assertEquals(0, killQueryStatus); + driver.run(); + + List<HivePrivilegeObject> inputs = getHivePrivilegeObjectInputs().getLeft(); + HivePrivilegeObject dbObj = inputs.get(0); + assertEquals("input type", HivePrivilegeObjectType.SERVICE_NAME, dbObj.getType()); + assertEquals("object name","hiveservice", dbObj.getObjectName()); + } + } diff --git a/service/src/java/org/apache/hive/service/server/KillQueryImpl.java b/service/src/java/org/apache/hive/service/server/KillQueryImpl.java index bd54026..c4196cb 100644 --- a/service/src/java/org/apache/hive/service/server/KillQueryImpl.java +++ b/service/src/java/org/apache/hive/service/server/KillQueryImpl.java @@ -18,6 +18,8 @@ package org.apache.hive.service.server; +import java.util.Arrays; + import org.apache.commons.lang3.StringUtils; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hive.conf.HiveConf; 
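Review bot: `testKillQueryAuthorization` pins only the allowed path: it verifies that a `SERVICE_NAME` object named "hiveservice" reaches the authorizer, but never has the authorizer reject `KILL_QUERY`, so a regression that ignores a denial would still pass. A companion case in which `checkPrivileges` throws and the test asserts that the denial is honoured would cover the security-relevant branch. The result of `driver.run()` is discarded and `inputs.get(0)` is read without a size check; `assertEquals(1, inputs.size());` before it would fail more clearly. The local `dbObj` holds a service object, so `serviceObj` would read better, and the Javadoc `@throws Exception` tag has no description.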
@@ -26,6 +28,7 @@ import org.apache.hadoop.hive.ql.ddl.process.kill.KillQueriesOperation; import org.apache.hadoop.hive.ql.metadata.HiveException; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext; import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType; +import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject; import org.apache.hadoop.hive.ql.session.KillQuery; import org.apache.hadoop.hive.ql.session.SessionState; import org.apache.hadoop.security.UserGroupInformation; @@ -116,6 +119,8 @@ public class KillQueryImpl implements KillQuery { private static boolean isAdmin() { boolean isAdmin = false; + // RANGER-1851 + HivePrivilegeObject serviceNameObj = new HivePrivilegeObject(HivePrivilegeObject.HivePrivilegeObjectType.SERVICE_NAME, null, "hiveservice"); SessionState ss = SessionState.get(); if (!HiveConf.getBoolVar(ss.getConf(), HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) { // If authorization is disabled, hs2 process owner should have kill privileges @@ -128,7 +133,7 @@ public class KillQueryImpl implements KillQuery { } if (ss.getAuthorizerV2() != null) { try { - ss.getAuthorizerV2().checkPrivileges(HiveOperationType.KILL_QUERY, new ArrayList<>(), new ArrayList<>(), + ss.getAuthorizerV2().checkPrivileges(HiveOperationType.KILL_QUERY, Arrays.asList(serviceNameObj), new ArrayList<HivePrivilegeObject>(), new HiveAuthzContext.Builder().build()); isAdmin = true; } catch (Exception e) {
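Review bot: The comment `// RANGER-1851` in `isAdmin()` does not say why the object exists, and the resource name `"hiveservice"` is a bare literal that the new test repeats. A named constant such as `private static final String HIVE_SERVICE_NAME = "hiveservice";` with a comment like `// KILL_QUERY is authorized against a SERVICE_NAME resource so that policy-based authorizers have an object to match (see RANGER-1851)` would make the contract visible; the reason given is presumed from the ticket reference and should be confirmed. `serviceNameObj` is also built before the authorization-disabled branch although only the `getAuthorizerV2()` branch uses it, so declaring it next to that call keeps it with its one use. `isAdmin()` continues outside this hunk.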
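Review bot: The `checkPrivileges` call now passes a resource, but the `HiveAuthzContext` beside it is still built empty, so an authorizer that audits or filters on client address gets nulls for a privileged operation. Populating the builder before `build()`, e.g. `ctxBuilder.setUserIpAddress(ss.getUserIpAddress());` and `ctxBuilder.setForwardedAddresses(ss.getForwardedAddresses());`, would let KILL_QUERY decisions be attributed in the authorizer's audit trail. On style, `Collections.singletonList(serviceNameObj)` and `Collections.emptyList()` state the intent more directly than `Arrays.asList(...)` and `new ArrayList<HivePrivilegeObject>()`, assuming the authorizer does not mutate the lists. The body of `catch (Exception e)` lies outside the hunk, so whether a denial is logged cannot be checked from here.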