jjiang037 commented on code in PR #5819:
URL: https://github.com/apache/hive/pull/5819#discussion_r2153189866
##########
ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/TestHiveMetaStoreAuthorizer.java:
##########
@@ -547,76 +642,29 @@ public void testUnAuthorizedCause() {
.build(conf);
hmsHandler.create_database(db);
} catch (Exception e) {
- String[] rootCauseStackTrace = ExceptionUtils.getRootCauseStackTrace(e);
- assertTrue(Arrays.stream(rootCauseStackTrace)
- .anyMatch(stack ->
stack.contains(DummyHiveAuthorizer.class.getName())));
- }
- }
-
- @Test
- public void testTableFilterContextWithOwnership() throws Exception {
- List<TableMeta> tableMetas = new ArrayList<>();
- TableMeta ownerTableMeta = new TableMeta();
- ownerTableMeta.setCatName("hive");
- ownerTableMeta.setDbName(default_db);
- ownerTableMeta.setTableName("owner_table");
- ownerTableMeta.setOwnerName(authorizedUser);
-
ownerTableMeta.setOwnerType(org.apache.hadoop.hive.metastore.api.PrincipalType.USER);
- tableMetas.add(ownerTableMeta);
-
- TableMeta otherTableMeta = new TableMeta();
- otherTableMeta.setCatName("hive");
- otherTableMeta.setDbName(default_db);
- otherTableMeta.setTableName("other_table");
- otherTableMeta.setOwnerName(unAuthorizedUser);
-
otherTableMeta.setOwnerType(org.apache.hadoop.hive.metastore.api.PrincipalType.USER);
- tableMetas.add(otherTableMeta);
-
- TableFilterContext filterContext =
TableFilterContext.createFromTableMetas(default_db, tableMetas);
- List<Table> tables = filterContext.getTables();
- assertEquals("Should have two tables in context", 2, tables.size());
-
- boolean foundOwnerTable = false;
- boolean foundOtherTable = false;
-
- for (Table table : tables) {
- if (table.getTableName().equals("owner_table")) {
- foundOwnerTable = true;
- assertEquals("owner_table should have authorized user as owner",
authorizedUser, table.getOwner());
- assertEquals("owner_table should have correct owner type",
- org.apache.hadoop.hive.metastore.api.PrincipalType.USER,
table.getOwnerType());
- } else if (table.getTableName().equals("other_table")) {
- foundOtherTable = true;
- assertEquals("other_table should have unauthorized user as owner",
unAuthorizedUser, table.getOwner());
- assertEquals("other_table should have correct owner type",
- org.apache.hadoop.hive.metastore.api.PrincipalType.USER,
table.getOwnerType());
+ // Check if the exception chain contains HiveAuthzPluginException
+ Throwable current = e;
+ boolean foundAuthzException = false;
+ while (current != null) {
+ if (current instanceof HiveAuthzPluginException) {
+ foundAuthzException = true;
+ String expectedErrMsg = "Operation type " +
HiveOperationType.CREATEDATABASE + " not allowed for user:" + unAuthorizedUser;
+ assertTrue("Expected error message mismatch. Actual: '" +
current.getMessage() + "'", current.getMessage().contains(expectedErrMsg));
+ break;
+ }
+ current = current.getCause();
}
- }
-
- assertTrue("owner_table not found in tables", foundOwnerTable);
- assertTrue("other_table not found in tables", foundOtherTable);
-
- HiveMetaStoreAuthzInfo authzInfo = filterContext.getAuthzContext();
- List<HivePrivilegeObject> privObjects = authzInfo.getInputHObjs();
- assertEquals("Should have two privilege objects", 2, privObjects.size());
-
- foundOwnerTable = false;
- foundOtherTable = false;
-
- for (HivePrivilegeObject obj : privObjects) {
- if (obj.getObjectName().equals("owner_table")) {
- foundOwnerTable = true;
- assertEquals("owner_table privilege object should have authorized user
as owner",
- authorizedUser, obj.getOwnerName());
- } else if (obj.getObjectName().equals("other_table")) {
- foundOtherTable = true;
- assertEquals("other_table privilege object should have unauthorized
user as owner",
- unAuthorizedUser, obj.getOwnerName());
+ if (!foundAuthzException) {
+ Throwable rootCause = ExceptionUtils.getRootCause(e);
+ if (rootCause instanceof HiveAuthzPluginException) {
Review Comment:
I initially removed this test believing MockMetaStoreFilterHook provided
equivalent coverage since both handle ownership-based filtering. I am restoring
this test because it validates the data transformation layer that
MockMetaStoreFilterHook cannot cover. Specifically, it ensures that when
converting TableMeta objects to HivePrivilegeObjects, ownership information is
correctly preserved during transformation. This complements
MockMetaStoreFilterHook, which tests the actual filtering decisions.
##########
ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/TestHiveMetaStoreAuthorizer.java:
##########
@@ -547,76 +642,29 @@ public void testUnAuthorizedCause() {
.build(conf);
hmsHandler.create_database(db);
} catch (Exception e) {
- String[] rootCauseStackTrace = ExceptionUtils.getRootCauseStackTrace(e);
- assertTrue(Arrays.stream(rootCauseStackTrace)
- .anyMatch(stack ->
stack.contains(DummyHiveAuthorizer.class.getName())));
- }
- }
-
- @Test
- public void testTableFilterContextWithOwnership() throws Exception {
- List<TableMeta> tableMetas = new ArrayList<>();
- TableMeta ownerTableMeta = new TableMeta();
- ownerTableMeta.setCatName("hive");
- ownerTableMeta.setDbName(default_db);
- ownerTableMeta.setTableName("owner_table");
- ownerTableMeta.setOwnerName(authorizedUser);
-
ownerTableMeta.setOwnerType(org.apache.hadoop.hive.metastore.api.PrincipalType.USER);
- tableMetas.add(ownerTableMeta);
-
- TableMeta otherTableMeta = new TableMeta();
- otherTableMeta.setCatName("hive");
- otherTableMeta.setDbName(default_db);
- otherTableMeta.setTableName("other_table");
- otherTableMeta.setOwnerName(unAuthorizedUser);
-
otherTableMeta.setOwnerType(org.apache.hadoop.hive.metastore.api.PrincipalType.USER);
- tableMetas.add(otherTableMeta);
-
- TableFilterContext filterContext =
TableFilterContext.createFromTableMetas(default_db, tableMetas);
- List<Table> tables = filterContext.getTables();
- assertEquals("Should have two tables in context", 2, tables.size());
-
- boolean foundOwnerTable = false;
- boolean foundOtherTable = false;
-
- for (Table table : tables) {
- if (table.getTableName().equals("owner_table")) {
- foundOwnerTable = true;
- assertEquals("owner_table should have authorized user as owner",
authorizedUser, table.getOwner());
- assertEquals("owner_table should have correct owner type",
- org.apache.hadoop.hive.metastore.api.PrincipalType.USER,
table.getOwnerType());
- } else if (table.getTableName().equals("other_table")) {
- foundOtherTable = true;
- assertEquals("other_table should have unauthorized user as owner",
unAuthorizedUser, table.getOwner());
- assertEquals("other_table should have correct owner type",
- org.apache.hadoop.hive.metastore.api.PrincipalType.USER,
table.getOwnerType());
+ // Check if the exception chain contains HiveAuthzPluginException
+ Throwable current = e;
+ boolean foundAuthzException = false;
+ while (current != null) {
+ if (current instanceof HiveAuthzPluginException) {
+ foundAuthzException = true;
+ String expectedErrMsg = "Operation type " +
HiveOperationType.CREATEDATABASE + " not allowed for user:" + unAuthorizedUser;
+ assertTrue("Expected error message mismatch. Actual: '" +
current.getMessage() + "'", current.getMessage().contains(expectedErrMsg));
+ break;
+ }
+ current = current.getCause();
}
- }
-
- assertTrue("owner_table not found in tables", foundOwnerTable);
- assertTrue("other_table not found in tables", foundOtherTable);
-
- HiveMetaStoreAuthzInfo authzInfo = filterContext.getAuthzContext();
- List<HivePrivilegeObject> privObjects = authzInfo.getInputHObjs();
- assertEquals("Should have two privilege objects", 2, privObjects.size());
-
- foundOwnerTable = false;
- foundOtherTable = false;
-
- for (HivePrivilegeObject obj : privObjects) {
- if (obj.getObjectName().equals("owner_table")) {
- foundOwnerTable = true;
- assertEquals("owner_table privilege object should have authorized user
as owner",
- authorizedUser, obj.getOwnerName());
- } else if (obj.getObjectName().equals("other_table")) {
- foundOtherTable = true;
- assertEquals("other_table privilege object should have unauthorized
user as owner",
- unAuthorizedUser, obj.getOwnerName());
+ if (!foundAuthzException) {
+ Throwable rootCause = ExceptionUtils.getRootCause(e);
+ if (rootCause instanceof HiveAuthzPluginException) {
Review Comment:
I initially removed this test believing MockMetaStoreFilterHook provided
equivalent coverage since both handle ownership-based filtering. I am restoring
this test because it validates the data transformation layer that
MockMetaStoreFilterHook cannot cover. Specifically, it ensures that when
converting TableMeta objects to HivePrivilegeObjects, ownership information is
correctly preserved during transformation. This complements
MockMetaStoreFilterHook, which tests the actual filtering decisions.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For additional commands, e-mail: gitbox-h...@hive.apache.org
