This is an automated email from the ASF dual-hosted git repository. dengzh pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/hive.git
The following commit(s) were added to refs/heads/master by this push: new e4348422c6f HIVE-27304: Exclude CTAS condition while forming storage handler url permissions in HS2 authorizer (Sai Hemanth Gantasala, reviewed by Attila Turoczy, Zhihua Deng, Janos Kovacs) e4348422c6f is described below commit e4348422c6f3b1910a8600ea7c7bd839894dcd6f Author: Sai Hemanth Gantasala <68923650+saihemanth-cloud...@users.noreply.github.com> AuthorDate: Tue Aug 15 17:45:38 2023 -0700 HIVE-27304: Exclude CTAS condition while forming storage handler url permissions in HS2 authorizer (Sai Hemanth Gantasala, reviewed by Attila Turoczy, Zhihua Deng, Janos Kovacs) Closes #4276
---
 .../authorization/command/CommandAuthorizerV2.java | 5 +-
 .../authorization_privilege_objects.q | 45 ++++++
 .../llap/authorization_privilege_objects.q.out | 177 +++++++++++++++++++++
 3 files changed, 225 insertions(+), 2 deletions(-)
diff --git a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java
index c21dca345ef..08e016223e4 100644
--- a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java
+++ b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java
@@ -200,9 +200,10 @@ final class CommandAuthorizerV2 {
       if (table.getStorageHandler() != null && HiveConf.getBoolVar(SessionState.getSessionConf(),
           HiveConf.ConfVars.HIVE_AUTHORIZATION_TABLES_ON_STORAGEHANDLERS)) {
         //TODO: add hive privilege object for storage based handlers for create and alter table commands.
-        if (hiveOpType == HiveOperationType.CREATETABLE ||
+        if (privObject instanceof WriteEntity &&
+            (hiveOpType == HiveOperationType.CREATETABLE ||
             hiveOpType == HiveOperationType.ALTERTABLE_PROPERTIES ||
-            hiveOpType == HiveOperationType.CREATETABLE_AS_SELECT) {
+            hiveOpType == HiveOperationType.CREATETABLE_AS_SELECT)) {
           try {
             String storageUri = table.getStorageHandler().getURIForAuth(table.getTTable()).toString();
             hivePrivObjs.add(new HivePrivilegeObject(HivePrivilegeObjectType.STORAGEHANDLER_URI, null, storageUri, null, null,
diff --git a/ql/src/test/queries/clientpositive/authorization_privilege_objects.q b/ql/src/test/queries/clientpositive/authorization_privilege_objects.q
index 79f8c90a492..2f80064c7e7 100644
--- a/ql/src/test/queries/clientpositive/authorization_privilege_objects.q
+++ b/ql/src/test/queries/clientpositive/authorization_privilege_objects.q
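Review bot: The `//TODO: add hive privilege object for storage based handlers for create and alter table commands.` comment above the changed condition is stale (the object is added right below it) and the new `privObject instanceof WriteEntity` guard states the rule without its reason, so I would replace the TODO with the rationale, e.g. `// STORAGEHANDLER_URI is required only on the output entity: it guards registering or re-pointing a table at a handler URI (CREATE TABLE, ALTER ... PROPERTIES, the CTAS target), not reading through one - a CTAS source table is checked as a TABLE_OR_VIEW input like any SELECT.` Since WriteEntity is, as far as I recall, a subclass of ReadEntity, `instanceof WriteEntity` is the correct discriminator and `!(privObject instanceof ReadEntity)` would never match; that is worth a word in the same comment so nobody "simplifies" it later. One operational consequence worth a release note: a deployment that relied on the URI privilege to gate CTAS reads from a handler-backed table now has to gate those reads with SELECT on the table, which, given that the visible condition only ever covered CREATETABLE, ALTERTABLE_PROPERTIES and CTAS, is already how a plain SELECT through the handler was treated. The enclosing method starts and ends outside the hunk, including the catch for the `try` opened here.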
@@ -19,3 +19,48 @@ DROP TABLE test_auth_obj_db.test_privs2;
 set user.name=testuser;
 DROP TABLE test_auth_obj_db.test_privs;
 DROP DATABASE test_auth_obj_db;
+
+set user.name=hive_admin_user;
+set role admin;
+
+CREATE TEMPORARY FUNCTION dboutput AS 'org.apache.hadoop.hive.contrib.genericudf.example.GenericUDFDBOutput';
+
+SELECT
+dboutput ( 'jdbc:derby:;databaseName=${system:test.tmp.dir}/test_derby_as_external_table_db;create=true','','',
+'CREATE TABLE SIMPLE_DERBY_TABLE1 ("ikey" INTEGER, "bkey" BIGINT, "fkey" REAL, "dkey" DOUBLE)' );
+
+CREATE EXTERNAL TABLE ext_simple_derby_table_src
+(
+  ikey int,
+  bkey bigint,
+  fkey float,
+  dkey double
+)
+STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
+TBLPROPERTIES (
+  "hive.sql.database.type" = "DERBY",
+  "hive.sql.jdbc.driver" = "org.apache.derby.jdbc.EmbeddedDriver",
+  "hive.sql.jdbc.url" = "jdbc:derby:;databaseName=${system:test.tmp.dir}/test_derby_as_external_table_db;create=true;collation=TERRITORY_BASED:PRIMARY",
+  "hive.sql.dbcp.username" = "APP",
+  "hive.sql.dbcp.password" = "mine",
+  "hive.sql.table" = "SIMPLE_DERBY_TABLE1",
+  "hive.sql.dbcp.maxActive" = "1"
+);
+
+create table ext_simple_derby_table_ctas as select * from ext_simple_derby_table_src;
+
+CREATE EXTERNAL TABLE default.jdbctable_from_ctas
+STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
+TBLPROPERTIES (
+  "hive.sql.database.type" = "DERBY",
+  "hive.sql.jdbc.driver" = "org.apache.derby.jdbc.EmbeddedDriver",
+  "hive.sql.jdbc.url" = "jdbc:derby:;databaseName=${system:test.tmp.dir}/test_derby_as_external_table_db;create=true;collation=TERRITORY_BASED:PRIMARY",
+  "hive.sql.dbcp.username" = "APP",
+  "hive.sql.dbcp.password" = "mine",
+  "hive.sql.table" = "SIMPLE_DERBY_TABLE1",
+  "hive.sql.dbcp.maxActive" = "1"
+) as select * from default.ext_simple_derby_table_ctas;
+
+drop table default.jdbctable_from_ctas;
+drop table default.ext_simple_derby_table_ctas;
+drop table default.ext_simple_derby_table_src;
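Review bot: The new CTAS coverage runs entirely as `hive_admin_user` after `set role admin`, so it only records the privilege-object dump and never exercises enforcement: nothing shows that a non-admin user can run `create table ext_simple_derby_table_ctas as select * from ext_simple_derby_table_src;` without a STORAGEHANDLER_URI grant on the source, which is the behaviour the Java change introduces. A second block under `set user.name=testuser;`, as the earlier part of this file already does for its tables, would pin that; the matching denial (the same user creating `default.jdbctable_from_ctas` without a grant on the target URI) belongs in a clientnegative test. Separately, the tail drops the three tables but not the fixture function, so add `DROP TEMPORARY FUNCTION dboutput;` after the last `drop table` to keep it from leaking into whatever is appended to this file next.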
diff --git a/ql/src/test/results/clientpositive/llap/authorization_privilege_objects.q.out b/ql/src/test/results/clientpositive/llap/authorization_privilege_objects.q.out
index aad682f2465..7fc7b371c31 100644
--- a/ql/src/test/results/clientpositive/llap/authorization_privilege_objects.q.out
+++ b/ql/src/test/results/clientpositive/llap/authorization_privilege_objects.q.out
@@ -225,3 +225,180 @@ POSTHOOK: query: DROP DATABASE test_auth_obj_db POSTHOOK: type: DROPDATABASE POSTHOOK: Input: database:test_auth_obj_db POSTHOOK: Output: database:test_auth_obj_db +PREHOOK: query: set role admin +PREHOOK: type: SHOW_ROLES +POSTHOOK: query: set role admin +POSTHOOK: type: SHOW_ROLES +outputHObjs: +HIVE PRIVILEGE OBJECT { objectName: dboutput type: FUNCTION actionType: OTHER} +PREHOOK: query: CREATE TEMPORARY FUNCTION dboutput AS 'org.apache.hadoop.hive.contrib.genericudf.example.GenericUDFDBOutput' +PREHOOK: type: CREATEFUNCTION +PREHOOK: Output: dboutput +POSTHOOK: query: CREATE TEMPORARY FUNCTION dboutput AS 'org.apache.hadoop.hive.contrib.genericudf.example.GenericUDFDBOutput' +POSTHOOK: type: CREATEFUNCTION +POSTHOOK: Output: dboutput +PREHOOK: query: SELECT +#### A masked pattern was here #### +'CREATE TABLE SIMPLE_DERBY_TABLE1 ("ikey" INTEGER, "bkey" BIGINT, "fkey" REAL, "dkey" DOUBLE)' ) +PREHOOK: type: QUERY +PREHOOK: Input: _dummy_database@_dummy_table +#### A masked pattern was here #### +POSTHOOK: query: SELECT +#### A masked pattern was here #### +'CREATE TABLE SIMPLE_DERBY_TABLE1 ("ikey" INTEGER, "bkey" BIGINT, "fkey" REAL, "dkey" DOUBLE)' ) +POSTHOOK: type: QUERY +POSTHOOK: Input: _dummy_database@_dummy_table +#### A masked pattern was here #### +0 +outputHObjs: +HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_src type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER} +#### A masked pattern was here #### +HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default OWNER: public OWNERTYPE: ROLE} +PREHOOK: query: CREATE EXTERNAL TABLE ext_simple_derby_table_src +( + ikey int, + bkey bigint, + fkey float, + dkey double +) +STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' +TBLPROPERTIES ( + "hive.sql.database.type" = "DERBY", + "hive.sql.jdbc.driver" = "org.apache.derby.jdbc.EmbeddedDriver", +#### A masked pattern was here #### + "hive.sql.dbcp.username" = 
"APP", + "hive.sql.dbcp.password" = "mine", + "hive.sql.table" = "SIMPLE_DERBY_TABLE1", + "hive.sql.dbcp.maxActive" = "1" +) +PREHOOK: type: CREATETABLE +PREHOOK: Output: database:default +PREHOOK: Output: default@ext_simple_derby_table_src +POSTHOOK: query: CREATE EXTERNAL TABLE ext_simple_derby_table_src +( + ikey int, + bkey bigint, + fkey float, + dkey double +) +STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' +TBLPROPERTIES ( + "hive.sql.database.type" = "DERBY", + "hive.sql.jdbc.driver" = "org.apache.derby.jdbc.EmbeddedDriver", +#### A masked pattern was here #### + "hive.sql.dbcp.username" = "APP", + "hive.sql.dbcp.password" = "mine", + "hive.sql.table" = "SIMPLE_DERBY_TABLE1", + "hive.sql.dbcp.maxActive" = "1" +) +POSTHOOK: type: CREATETABLE +POSTHOOK: Output: database:default +POSTHOOK: Output: default@ext_simple_derby_table_src +applyRowFilterAndColumnMasking: +HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_src type: TABLE_OR_VIEW actionType: OTHER dbName: default columns: [ikey, bkey, fkey, dkey]} +inputHObjs: +HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_src type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER columns: [bkey, dkey, fkey, ikey]} +outputHObjs: +HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_ctas type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER} +HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default OWNER: public OWNERTYPE: ROLE} +PREHOOK: query: create table ext_simple_derby_table_ctas as select * from ext_simple_derby_table_src +PREHOOK: type: CREATETABLE_AS_SELECT +PREHOOK: Input: default@ext_simple_derby_table_src +PREHOOK: Output: database:default +PREHOOK: Output: default@ext_simple_derby_table_ctas +POSTHOOK: query: create table ext_simple_derby_table_ctas as select * from ext_simple_derby_table_src +POSTHOOK: type: CREATETABLE_AS_SELECT +POSTHOOK: Input: 
default@ext_simple_derby_table_src +POSTHOOK: Output: database:default +POSTHOOK: Output: default@ext_simple_derby_table_ctas +POSTHOOK: Lineage: ext_simple_derby_table_ctas.bkey SIMPLE [(ext_simple_derby_table_src)ext_simple_derby_table_src.FieldSchema(name:bkey, type:bigint, comment:from deserializer), ] +POSTHOOK: Lineage: ext_simple_derby_table_ctas.dkey SIMPLE [(ext_simple_derby_table_src)ext_simple_derby_table_src.FieldSchema(name:dkey, type:double, comment:from deserializer), ] +POSTHOOK: Lineage: ext_simple_derby_table_ctas.fkey SIMPLE [(ext_simple_derby_table_src)ext_simple_derby_table_src.FieldSchema(name:fkey, type:float, comment:from deserializer), ] +POSTHOOK: Lineage: ext_simple_derby_table_ctas.ikey SIMPLE [(ext_simple_derby_table_src)ext_simple_derby_table_src.FieldSchema(name:ikey, type:int, comment:from deserializer), ] +applyRowFilterAndColumnMasking: +HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_ctas type: TABLE_OR_VIEW actionType: OTHER dbName: default columns: [bkey, dkey, fkey, ikey]} +inputHObjs: +HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_ctas type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER columns: [bkey, dkey, fkey, ikey]} +outputHObjs: +#### A masked pattern was here #### +HIVE PRIVILEGE OBJECT { objectName: jdbctable_from_ctas type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER} +HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default OWNER: public OWNERTYPE: ROLE} +PREHOOK: query: CREATE EXTERNAL TABLE default.jdbctable_from_ctas +STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' +TBLPROPERTIES ( + "hive.sql.database.type" = "DERBY", + "hive.sql.jdbc.driver" = "org.apache.derby.jdbc.EmbeddedDriver", +#### A masked pattern was here #### + "hive.sql.dbcp.username" = "APP", + "hive.sql.dbcp.password" = "mine", + "hive.sql.table" = "SIMPLE_DERBY_TABLE1", + "hive.sql.dbcp.maxActive" = "1" +) as 
select * from default.ext_simple_derby_table_ctas +PREHOOK: type: CREATETABLE_AS_SELECT +PREHOOK: Input: default@ext_simple_derby_table_ctas +PREHOOK: Output: database:default +PREHOOK: Output: default@jdbctable_from_ctas +POSTHOOK: query: CREATE EXTERNAL TABLE default.jdbctable_from_ctas +STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler' +TBLPROPERTIES ( + "hive.sql.database.type" = "DERBY", + "hive.sql.jdbc.driver" = "org.apache.derby.jdbc.EmbeddedDriver", +#### A masked pattern was here #### + "hive.sql.dbcp.username" = "APP", + "hive.sql.dbcp.password" = "mine", + "hive.sql.table" = "SIMPLE_DERBY_TABLE1", + "hive.sql.dbcp.maxActive" = "1" +) as select * from default.ext_simple_derby_table_ctas +POSTHOOK: type: CREATETABLE_AS_SELECT +POSTHOOK: Input: default@ext_simple_derby_table_ctas +POSTHOOK: Output: database:default +POSTHOOK: Output: default@jdbctable_from_ctas +POSTHOOK: Lineage: jdbctable_from_ctas.bkey SIMPLE [(ext_simple_derby_table_ctas)ext_simple_derby_table_ctas.FieldSchema(name:bkey, type:bigint, comment:null), ] +POSTHOOK: Lineage: jdbctable_from_ctas.dkey SIMPLE [(ext_simple_derby_table_ctas)ext_simple_derby_table_ctas.FieldSchema(name:dkey, type:double, comment:null), ] +POSTHOOK: Lineage: jdbctable_from_ctas.fkey SIMPLE [(ext_simple_derby_table_ctas)ext_simple_derby_table_ctas.FieldSchema(name:fkey, type:float, comment:null), ] +POSTHOOK: Lineage: jdbctable_from_ctas.ikey SIMPLE [(ext_simple_derby_table_ctas)ext_simple_derby_table_ctas.FieldSchema(name:ikey, type:int, comment:null), ] +inputHObjs: +HIVE PRIVILEGE OBJECT { objectName: jdbctable_from_ctas type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER} +outputHObjs: +HIVE PRIVILEGE OBJECT { objectName: jdbctable_from_ctas type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER} +HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default OWNER: public OWNERTYPE: ROLE} +PREHOOK: query: drop 
table default.jdbctable_from_ctas +PREHOOK: type: DROPTABLE +PREHOOK: Input: default@jdbctable_from_ctas +PREHOOK: Output: database:default +PREHOOK: Output: default@jdbctable_from_ctas +POSTHOOK: query: drop table default.jdbctable_from_ctas +POSTHOOK: type: DROPTABLE +POSTHOOK: Input: default@jdbctable_from_ctas +POSTHOOK: Output: database:default +POSTHOOK: Output: default@jdbctable_from_ctas +inputHObjs: +HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_ctas type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER} +outputHObjs: +HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_ctas type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER} +HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default OWNER: public OWNERTYPE: ROLE} +PREHOOK: query: drop table default.ext_simple_derby_table_ctas +PREHOOK: type: DROPTABLE +PREHOOK: Input: default@ext_simple_derby_table_ctas +PREHOOK: Output: database:default +PREHOOK: Output: default@ext_simple_derby_table_ctas +POSTHOOK: query: drop table default.ext_simple_derby_table_ctas +POSTHOOK: type: DROPTABLE +POSTHOOK: Input: default@ext_simple_derby_table_ctas +POSTHOOK: Output: database:default +POSTHOOK: Output: default@ext_simple_derby_table_ctas +inputHObjs: +HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_src type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER} +outputHObjs: +HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_src type: TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER} +HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default OWNER: public OWNERTYPE: ROLE} +PREHOOK: query: drop table default.ext_simple_derby_table_src +PREHOOK: type: DROPTABLE +PREHOOK: Input: default@ext_simple_derby_table_src +PREHOOK: Output: database:default +PREHOOK: Output: default@ext_simple_derby_table_src 
+POSTHOOK: query: drop table default.ext_simple_derby_table_src +POSTHOOK: type: DROPTABLE +POSTHOOK: Input: default@ext_simple_derby_table_src +POSTHOOK: Output: database:default +POSTHOOK: Output: default@ext_simple_derby_table_src