This is an automated email from the ASF dual-hosted git repository.

dengzh pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new e4348422c6f HIVE-27304: Exclude CTAS condition while forming storage 
handler url permissions in HS2 authorizer (Sai Hemanth Gantasala, reviewed by 
Attila Turoczy, Zhihua Deng, Janos Kovacs)
e4348422c6f is described below

commit e4348422c6f3b1910a8600ea7c7bd839894dcd6f
Author: Sai Hemanth Gantasala 
<68923650+saihemanth-cloud...@users.noreply.github.com>
AuthorDate: Tue Aug 15 17:45:38 2023 -0700

    HIVE-27304: Exclude CTAS condition while forming storage handler url 
permissions in HS2 authorizer (Sai Hemanth Gantasala, reviewed by Attila 
Turoczy, Zhihua Deng, Janos Kovacs)
    
    Closes #4276
---
 .../authorization/command/CommandAuthorizerV2.java |   5 +-
 .../authorization_privilege_objects.q              |  45 ++++++
 .../llap/authorization_privilege_objects.q.out     | 177 +++++++++++++++++++++
 3 files changed, 225 insertions(+), 2 deletions(-)

diff --git 
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java
 
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java
index c21dca345ef..08e016223e4 100644
--- 
a/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java
+++ 
b/ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java
@@ -200,9 +200,10 @@ final class CommandAuthorizerV2 {
       if (table.getStorageHandler() != null && 
HiveConf.getBoolVar(SessionState.getSessionConf(),
           HiveConf.ConfVars.HIVE_AUTHORIZATION_TABLES_ON_STORAGEHANDLERS)) {
         //TODO: add hive privilege object for storage based handlers for 
create and alter table commands.
-        if (hiveOpType == HiveOperationType.CREATETABLE ||
+        if (privObject instanceof WriteEntity &&
+                (hiveOpType == HiveOperationType.CREATETABLE ||
                 hiveOpType == HiveOperationType.ALTERTABLE_PROPERTIES ||
-                hiveOpType == HiveOperationType.CREATETABLE_AS_SELECT) {
+                hiveOpType == HiveOperationType.CREATETABLE_AS_SELECT)) {
           try {
             String storageUri = 
table.getStorageHandler().getURIForAuth(table.getTTable()).toString();
             hivePrivObjs.add(new 
HivePrivilegeObject(HivePrivilegeObjectType.STORAGEHANDLER_URI, null, 
storageUri, null, null,
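Review bot: The new `privObject instanceof WriteEntity` guard wraps all three operation types (CREATETABLE, ALTERTABLE_PROPERTIES and CREATETABLE_AS_SELECT), although the commit title names only CTAS, and nothing in the hunk says why read entities are skipped. This condition decides which statements send a STORAGEHANDLER_URI privilege object to the authorizer, so the reasoning belongs in a comment above it, for example `// Only the table being written gets a STORAGEHANDLER_URI object; a storage-handler table that is only read (e.g. a CTAS source) is checked through its TABLE_OR_VIEW object.` That wording matches the inputHObjs in the updated .q.out, but should be confirmed against the intended policy. The existing TODO on the line above seems to describe what this block already does and may be stale. The enclosing method starts and ends outside the hunk.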
diff --git 
a/ql/src/test/queries/clientpositive/authorization_privilege_objects.q 
b/ql/src/test/queries/clientpositive/authorization_privilege_objects.q
index 79f8c90a492..2f80064c7e7 100644
--- a/ql/src/test/queries/clientpositive/authorization_privilege_objects.q
+++ b/ql/src/test/queries/clientpositive/authorization_privilege_objects.q
@@ -19,3 +19,48 @@ DROP TABLE test_auth_obj_db.test_privs2;
 set user.name=testuser;
 DROP TABLE test_auth_obj_db.test_privs;
 DROP DATABASE test_auth_obj_db;
+
+set user.name=hive_admin_user;
+set role admin;
+
+CREATE TEMPORARY FUNCTION dboutput AS 
'org.apache.hadoop.hive.contrib.genericudf.example.GenericUDFDBOutput';
+
+SELECT
+dboutput ( 
'jdbc:derby:;databaseName=${system:test.tmp.dir}/test_derby_as_external_table_db;create=true','','',
+'CREATE TABLE SIMPLE_DERBY_TABLE1 ("ikey" INTEGER, "bkey" BIGINT, "fkey" REAL, 
"dkey" DOUBLE)' );
+
+CREATE EXTERNAL TABLE ext_simple_derby_table_src
+(
+ ikey int,
+ bkey bigint,
+ fkey float,
+ dkey double
+)
+STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
+TBLPROPERTIES (
+                "hive.sql.database.type" = "DERBY",
+                "hive.sql.jdbc.driver" = 
"org.apache.derby.jdbc.EmbeddedDriver",
+                "hive.sql.jdbc.url" = 
"jdbc:derby:;databaseName=${system:test.tmp.dir}/test_derby_as_external_table_db;create=true;collation=TERRITORY_BASED:PRIMARY",
+                "hive.sql.dbcp.username" = "APP",
+                "hive.sql.dbcp.password" = "mine",
+                "hive.sql.table" = "SIMPLE_DERBY_TABLE1",
+                "hive.sql.dbcp.maxActive" = "1"
+);
+
+create table ext_simple_derby_table_ctas as select * from 
ext_simple_derby_table_src;
+
+CREATE EXTERNAL TABLE default.jdbctable_from_ctas
+STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
+TBLPROPERTIES (
+                "hive.sql.database.type" = "DERBY",
+                "hive.sql.jdbc.driver" = 
"org.apache.derby.jdbc.EmbeddedDriver",
+                "hive.sql.jdbc.url" = 
"jdbc:derby:;databaseName=${system:test.tmp.dir}/test_derby_as_external_table_db;create=true;collation=TERRITORY_BASED:PRIMARY",
+                "hive.sql.dbcp.username" = "APP",
+                "hive.sql.dbcp.password" = "mine",
+                "hive.sql.table" = "SIMPLE_DERBY_TABLE1",
+                "hive.sql.dbcp.maxActive" = "1"
+) as select * from default.ext_simple_derby_table_ctas;
+
+drop table default.jdbctable_from_ctas;
+drop table default.ext_simple_derby_table_ctas;
+drop table default.ext_simple_derby_table_src;
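Review bot: The added statements cover CREATE EXTERNAL TABLE and two CTAS forms, but there is no ALTER TABLE ... SET TBLPROPERTIES on a storage-handler table, even though the same commit places ALTERTABLE_PROPERTIES behind the new WriteEntity guard. Adding a statement such as `ALTER TABLE ext_simple_derby_table_src SET TBLPROPERTIES ("hive.sql.dbcp.maxActive" = "2");` before the drops would record in the .q.out whether the storage handler URI object is still emitted for that operation. Everything here also runs as `hive_admin_user` with `set role admin`, so the test records which privilege objects are produced but not that a user lacking the URI privilege is denied. If the harness supports it, a clientnegative counterpart would cover that side.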
diff --git 
a/ql/src/test/results/clientpositive/llap/authorization_privilege_objects.q.out 
b/ql/src/test/results/clientpositive/llap/authorization_privilege_objects.q.out
index aad682f2465..7fc7b371c31 100644
--- 
a/ql/src/test/results/clientpositive/llap/authorization_privilege_objects.q.out
+++ 
b/ql/src/test/results/clientpositive/llap/authorization_privilege_objects.q.out
@@ -225,3 +225,180 @@ POSTHOOK: query: DROP DATABASE test_auth_obj_db
 POSTHOOK: type: DROPDATABASE
 POSTHOOK: Input: database:test_auth_obj_db
 POSTHOOK: Output: database:test_auth_obj_db
+PREHOOK: query: set role admin
+PREHOOK: type: SHOW_ROLES
+POSTHOOK: query: set role admin
+POSTHOOK: type: SHOW_ROLES
+outputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: dboutput type: FUNCTION actionType: OTHER}
+PREHOOK: query: CREATE TEMPORARY FUNCTION dboutput AS 
'org.apache.hadoop.hive.contrib.genericudf.example.GenericUDFDBOutput'
+PREHOOK: type: CREATEFUNCTION
+PREHOOK: Output: dboutput
+POSTHOOK: query: CREATE TEMPORARY FUNCTION dboutput AS 
'org.apache.hadoop.hive.contrib.genericudf.example.GenericUDFDBOutput'
+POSTHOOK: type: CREATEFUNCTION
+POSTHOOK: Output: dboutput
+PREHOOK: query: SELECT
+#### A masked pattern was here ####
+'CREATE TABLE SIMPLE_DERBY_TABLE1 ("ikey" INTEGER, "bkey" BIGINT, "fkey" REAL, 
"dkey" DOUBLE)' )
+PREHOOK: type: QUERY
+PREHOOK: Input: _dummy_database@_dummy_table
+#### A masked pattern was here ####
+POSTHOOK: query: SELECT
+#### A masked pattern was here ####
+'CREATE TABLE SIMPLE_DERBY_TABLE1 ("ikey" INTEGER, "bkey" BIGINT, "fkey" REAL, 
"dkey" DOUBLE)' )
+POSTHOOK: type: QUERY
+POSTHOOK: Input: _dummy_database@_dummy_table
+#### A masked pattern was here ####
+0
+outputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_src type: 
TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user 
OWNERTYPE: USER}
+#### A masked pattern was here ####
+HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default 
OWNER: public OWNERTYPE: ROLE}
+PREHOOK: query: CREATE EXTERNAL TABLE ext_simple_derby_table_src
+(
+ ikey int,
+ bkey bigint,
+ fkey float,
+ dkey double
+)
+STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
+TBLPROPERTIES (
+                "hive.sql.database.type" = "DERBY",
+                "hive.sql.jdbc.driver" = 
"org.apache.derby.jdbc.EmbeddedDriver",
+#### A masked pattern was here ####
+                "hive.sql.dbcp.username" = "APP",
+                "hive.sql.dbcp.password" = "mine",
+                "hive.sql.table" = "SIMPLE_DERBY_TABLE1",
+                "hive.sql.dbcp.maxActive" = "1"
+)
+PREHOOK: type: CREATETABLE
+PREHOOK: Output: database:default
+PREHOOK: Output: default@ext_simple_derby_table_src
+POSTHOOK: query: CREATE EXTERNAL TABLE ext_simple_derby_table_src
+(
+ ikey int,
+ bkey bigint,
+ fkey float,
+ dkey double
+)
+STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
+TBLPROPERTIES (
+                "hive.sql.database.type" = "DERBY",
+                "hive.sql.jdbc.driver" = 
"org.apache.derby.jdbc.EmbeddedDriver",
+#### A masked pattern was here ####
+                "hive.sql.dbcp.username" = "APP",
+                "hive.sql.dbcp.password" = "mine",
+                "hive.sql.table" = "SIMPLE_DERBY_TABLE1",
+                "hive.sql.dbcp.maxActive" = "1"
+)
+POSTHOOK: type: CREATETABLE
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@ext_simple_derby_table_src
+applyRowFilterAndColumnMasking:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_src type: 
TABLE_OR_VIEW actionType: OTHER dbName: default columns: [ikey, bkey, fkey, 
dkey]}
+inputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_src type: 
TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user 
OWNERTYPE: USER columns: [bkey, dkey, fkey, ikey]}
+outputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_ctas type: 
TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user 
OWNERTYPE: USER}
+HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default 
OWNER: public OWNERTYPE: ROLE}
+PREHOOK: query: create table ext_simple_derby_table_ctas as select * from 
ext_simple_derby_table_src
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@ext_simple_derby_table_src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@ext_simple_derby_table_ctas
+POSTHOOK: query: create table ext_simple_derby_table_ctas as select * from 
ext_simple_derby_table_src
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@ext_simple_derby_table_src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@ext_simple_derby_table_ctas
+POSTHOOK: Lineage: ext_simple_derby_table_ctas.bkey SIMPLE 
[(ext_simple_derby_table_src)ext_simple_derby_table_src.FieldSchema(name:bkey, 
type:bigint, comment:from deserializer), ]
+POSTHOOK: Lineage: ext_simple_derby_table_ctas.dkey SIMPLE 
[(ext_simple_derby_table_src)ext_simple_derby_table_src.FieldSchema(name:dkey, 
type:double, comment:from deserializer), ]
+POSTHOOK: Lineage: ext_simple_derby_table_ctas.fkey SIMPLE 
[(ext_simple_derby_table_src)ext_simple_derby_table_src.FieldSchema(name:fkey, 
type:float, comment:from deserializer), ]
+POSTHOOK: Lineage: ext_simple_derby_table_ctas.ikey SIMPLE 
[(ext_simple_derby_table_src)ext_simple_derby_table_src.FieldSchema(name:ikey, 
type:int, comment:from deserializer), ]
+applyRowFilterAndColumnMasking:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_ctas type: 
TABLE_OR_VIEW actionType: OTHER dbName: default columns: [bkey, dkey, fkey, 
ikey]}
+inputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_ctas type: 
TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user 
OWNERTYPE: USER columns: [bkey, dkey, fkey, ikey]}
+outputHObjs:
+#### A masked pattern was here ####
+HIVE PRIVILEGE OBJECT { objectName: jdbctable_from_ctas type: TABLE_OR_VIEW 
actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER}
+HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default 
OWNER: public OWNERTYPE: ROLE}
+PREHOOK: query: CREATE EXTERNAL TABLE default.jdbctable_from_ctas
+STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
+TBLPROPERTIES (
+                "hive.sql.database.type" = "DERBY",
+                "hive.sql.jdbc.driver" = 
"org.apache.derby.jdbc.EmbeddedDriver",
+#### A masked pattern was here ####
+                "hive.sql.dbcp.username" = "APP",
+                "hive.sql.dbcp.password" = "mine",
+                "hive.sql.table" = "SIMPLE_DERBY_TABLE1",
+                "hive.sql.dbcp.maxActive" = "1"
+) as select * from default.ext_simple_derby_table_ctas
+PREHOOK: type: CREATETABLE_AS_SELECT
+PREHOOK: Input: default@ext_simple_derby_table_ctas
+PREHOOK: Output: database:default
+PREHOOK: Output: default@jdbctable_from_ctas
+POSTHOOK: query: CREATE EXTERNAL TABLE default.jdbctable_from_ctas
+STORED BY 'org.apache.hive.storage.jdbc.JdbcStorageHandler'
+TBLPROPERTIES (
+                "hive.sql.database.type" = "DERBY",
+                "hive.sql.jdbc.driver" = 
"org.apache.derby.jdbc.EmbeddedDriver",
+#### A masked pattern was here ####
+                "hive.sql.dbcp.username" = "APP",
+                "hive.sql.dbcp.password" = "mine",
+                "hive.sql.table" = "SIMPLE_DERBY_TABLE1",
+                "hive.sql.dbcp.maxActive" = "1"
+) as select * from default.ext_simple_derby_table_ctas
+POSTHOOK: type: CREATETABLE_AS_SELECT
+POSTHOOK: Input: default@ext_simple_derby_table_ctas
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@jdbctable_from_ctas
+POSTHOOK: Lineage: jdbctable_from_ctas.bkey SIMPLE 
[(ext_simple_derby_table_ctas)ext_simple_derby_table_ctas.FieldSchema(name:bkey,
 type:bigint, comment:null), ]
+POSTHOOK: Lineage: jdbctable_from_ctas.dkey SIMPLE 
[(ext_simple_derby_table_ctas)ext_simple_derby_table_ctas.FieldSchema(name:dkey,
 type:double, comment:null), ]
+POSTHOOK: Lineage: jdbctable_from_ctas.fkey SIMPLE 
[(ext_simple_derby_table_ctas)ext_simple_derby_table_ctas.FieldSchema(name:fkey,
 type:float, comment:null), ]
+POSTHOOK: Lineage: jdbctable_from_ctas.ikey SIMPLE 
[(ext_simple_derby_table_ctas)ext_simple_derby_table_ctas.FieldSchema(name:ikey,
 type:int, comment:null), ]
+inputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: jdbctable_from_ctas type: TABLE_OR_VIEW 
actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER}
+outputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: jdbctable_from_ctas type: TABLE_OR_VIEW 
actionType: OTHER dbName: default OWNER: hive_admin_user OWNERTYPE: USER}
+HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default 
OWNER: public OWNERTYPE: ROLE}
+PREHOOK: query: drop table default.jdbctable_from_ctas
+PREHOOK: type: DROPTABLE
+PREHOOK: Input: default@jdbctable_from_ctas
+PREHOOK: Output: database:default
+PREHOOK: Output: default@jdbctable_from_ctas
+POSTHOOK: query: drop table default.jdbctable_from_ctas
+POSTHOOK: type: DROPTABLE
+POSTHOOK: Input: default@jdbctable_from_ctas
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@jdbctable_from_ctas
+inputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_ctas type: 
TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user 
OWNERTYPE: USER}
+outputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_ctas type: 
TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user 
OWNERTYPE: USER}
+HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default 
OWNER: public OWNERTYPE: ROLE}
+PREHOOK: query: drop table default.ext_simple_derby_table_ctas
+PREHOOK: type: DROPTABLE
+PREHOOK: Input: default@ext_simple_derby_table_ctas
+PREHOOK: Output: database:default
+PREHOOK: Output: default@ext_simple_derby_table_ctas
+POSTHOOK: query: drop table default.ext_simple_derby_table_ctas
+POSTHOOK: type: DROPTABLE
+POSTHOOK: Input: default@ext_simple_derby_table_ctas
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@ext_simple_derby_table_ctas
+inputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_src type: 
TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user 
OWNERTYPE: USER}
+outputHObjs:
+HIVE PRIVILEGE OBJECT { objectName: ext_simple_derby_table_src type: 
TABLE_OR_VIEW actionType: OTHER dbName: default OWNER: hive_admin_user 
OWNERTYPE: USER}
+HIVE PRIVILEGE OBJECT { type: DATABASE actionType: OTHER dbName: default 
OWNER: public OWNERTYPE: ROLE}
+PREHOOK: query: drop table default.ext_simple_derby_table_src
+PREHOOK: type: DROPTABLE
+PREHOOK: Input: default@ext_simple_derby_table_src
+PREHOOK: Output: database:default
+PREHOOK: Output: default@ext_simple_derby_table_src
+POSTHOOK: query: drop table default.ext_simple_derby_table_src
+POSTHOOK: type: DROPTABLE
+POSTHOOK: Input: default@ext_simple_derby_table_src
+POSTHOOK: Output: database:default
+POSTHOOK: Output: default@ext_simple_derby_table_src
