Repository: incubator-sentry Updated Branches: refs/heads/master 444031474 -> 7613ede9c
SENTRY-810: CTAS without location is not verified properly (Ryan P via Lenni Kuff) Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/7613ede9 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/7613ede9 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/7613ede9 Branch: refs/heads/master Commit: 7613ede9c6b940fe132e6cc7657bac9b0cf236b2 Parents: 4440314 Author: Lenni Kuff <[email protected]> Authored: Wed Aug 5 00:46:04 2015 -0700 Committer: Lenni Kuff <[email protected]> Committed: Wed Aug 5 00:46:38 2015 -0700
----------------------------------------------------------------------
.../hive/authz/HiveAuthzPrivilegesMap.java | 2 ++
.../sentry/tests/e2e/hive/TestOperations.java | 38 +++++++++++++++-----
2 files changed, 32 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7613ede9/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index 6efeed6..0291b6c 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -23,6 +23,7 @@ import java.util.Map;
 import org.apache.hadoop.hive.ql.plan.HiveOperation;
 import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationScope;
 import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType;
+import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.model.db.DBModelAction;
 import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
@@ -283,6 +284,7 @@ public class HiveAuthzPrivilegesMap {
 new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
 addInputObjectPriviledge(AuthorizableType.Table, EnumSet.of(DBModelAction.SELECT)).
 addInputObjectPriviledge(AuthorizableType.Column, EnumSet.of(DBModelAction.SELECT)).
+ addInputObjectPriviledge(AuthorizableType.URI,EnumSet.of(DBModelAction.ALL)).
 addOutputObjectPriviledge(AuthorizableType.Db, EnumSet.of(DBModelAction.CREATE)).
 setOperationScope(HiveOperationScope.DATABASE).
 setOperationType(HiveOperationType.DDL).
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/7613ede9/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
index 2fbdfa6..29b2d60 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestOperations.java
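Review bot: The added `import org.apache.sentry.core.common.Authorizable;` in HiveAuthzPrivilegesMap.java is not referenced by the only other line this commit adds to the file, which uses `AuthorizableType.URI`, `EnumSet` and `DBModelAction`. The diffstat shows just these two additions for the file, so the import looks unused. Unless code outside the two hunks needs it, drop the line so the authorization map does not carry a dependency it never uses.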
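Review bot: The URI requirement added in the second hunk of HiveAuthzPrivilegesMap.java has no comment saying when it is enforced, so it reads as mandatory for every statement of this kind. The test changes in the same commit suggest it is only checked when the statement names a LOCATION, since a user with no URI role still runs the plain CTAS; a line such as `// URI ALL is needed only when the statement gives a LOCATION` above the call would record that. The call also omits the space after the comma that its neighbours use: `addInputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.ALL)).`. The builder expression starts before the hunk and continues past it, so the operation this entry is registered for is not visible here.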
@@ -897,6 +897,8 @@ public class TestOperations extends AbstractTestWithStaticConfiguration {
 adminCreate(DB1, tableName);
 adminCreate(DB2, null);
+ String location = dfs.getBaseDir() + "/" + Math.random();
+
 Connection connection = context.createConnection(ADMIN1);
 Statement statement = context.createStatement(connection);
 statement.execute("Use " + DB1);
@@ -905,19 +907,27 @@ public class TestOperations extends AbstractTestWithStaticConfiguration { connection.close(); policyFile - .addPermissionsToRole("select_db1_tb1", privileges.get("select_db1_tb1")) - .addPermissionsToRole("select_db1_view1", privileges.get("select_db1_view1")) - .addPermissionsToRole("create_db2", privileges.get("create_db2")) - .addRolesToGroup(USERGROUP1, "select_db1_tb1", "create_db2") - .addRolesToGroup(USERGROUP2, "select_db1_view1", "create_db2"); + .addPermissionsToRole("select_db1_tb1", privileges.get("select_db1_tb1")) + .addPermissionsToRole("select_db1_view1", privileges.get("select_db1_view1")) + .addPermissionsToRole("create_db2", privileges.get("create_db2")) + .addPermissionsToRole("all_uri", "server=server1->uri=" + location) + .addRolesToGroup(USERGROUP1, "select_db1_tb1", "create_db2") + .addRolesToGroup(USERGROUP2, "select_db1_view1", "create_db2") + .addRolesToGroup(USERGROUP3, "select_db1_tb1", "create_db2,all_uri"); writePolicyFile(policyFile); connection = context.createConnection(USER1_1); statement = context.createStatement(connection); statement.execute("Use " + DB2); - statement.execute("create table tb2 as select a from " + DB1 + ".tb1" ); + statement.execute("create table tb2 as select a from " + DB1 + ".tb1"); + //Ensure CTAS fails without URI + context.assertSentrySemanticException(statement, "create table tb3 location '" + location + + "' as select a from " + DB1 + ".tb1", + semanticException); context.assertSentrySemanticException(statement, "create table tb3 as select a from " + DB1 + ".view1", - semanticException); + semanticException); + + statement.close(); connection.close(); 
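Review bot: `.addRolesToGroup(USERGROUP3, "select_db1_tb1", "create_db2,all_uri")` packs two roles into one comma-joined string, while the two calls above it pass each role as its own argument. It presumably works only because the policy file joins roles with commas; `.addRolesToGroup(USERGROUP3, "select_db1_tb1", "create_db2", "all_uri")` states the intent without relying on that. The denial case added here also covers only a user with no URI privilege at all, so a user holding a URI grant on a different directory would additionally exercise the path comparison. The test method starts before this hunk and continues after it.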
@@ -926,12 +936,24 @@ public class TestOperations extends AbstractTestWithStaticConfiguration { statement.execute("Use " + DB2); statement.execute("create table tb3 as select a from " + DB1 + ".view1" ); context.assertSentrySemanticException(statement, "create table tb4 as select a from " + DB1 + ".tb1", - semanticException); + semanticException); statement.close(); connection.close(); + + connection = context.createConnection(USER3_1); + statement = context.createStatement(connection); + //CTAS is valid with URI + statement.execute("Use " + DB2); + statement.execute("create table tb4 location '" + location + + "' as select a from " + DB1 + ".tb1"); + + statement.close(); + connection.close(); + } + /* 1. INSERT : IP: select on table, OP: insert on table + all on uri(optional) */
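Review bot: The USER3_1 block asserts only that the CTAS with a LOCATION does not throw; nothing in the lines shown checks that `tb4` ended up under `location`, and neither the table nor the directory is removed afterwards. The connection and statement are closed only on the success path, as in the existing blocks of this method, so a failing `execute` leaves them open; a `try`/`finally` would be a method-wide cleanup rather than something for this hunk alone. The added `//CTAS is valid with URI` comment could name the grant that makes it valid, for example `// USERGROUP3 holds all_uri on location, so CTAS with LOCATION is allowed`, assuming USER3_1 belongs to USERGROUP3. The method begins before the hunk.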
