/** SHOW CURRENT ROLE */
 @Test
 public void testShowCurrentRole() throws Exception {
   DDLWork work = analyze(parse("SHOW CURRENT ROLES"));
   RoleDDLDesc roleDDLDesc = work.getRoleDDLDesc();
   Assert.assertEquals(PrincipalType.USER, roleDDLDesc.getPrincipalType());
   Assert.assertEquals(RoleOperation.SHOW_CURRENT_ROLE, roleDDLDesc.getOperation());
 }
 /** CREATE ROLE ... */
 @Test
 public void testCreateRole() throws Exception {
   DDLWork work = analyze(parse("CREATE ROLE " + ROLE));
   RoleDDLDesc roleDesc = work.getRoleDDLDesc();
   Assert.assertNotNull("Role should not be null", roleDesc);
   Assert.assertEquals(RoleOperation.CREATE_ROLE, roleDesc.getOperation());
   Assert.assertFalse("Did not expect a group", roleDesc.getGroup());
   Assert.assertEquals(ROLE, roleDesc.getName());
 }
 /** SHOW ROLE GRANT GROUP ... */
 @Test
 public void testShowRoleGrantGroup() throws Exception {
   DDLWork work = analyze(parse("SHOW ROLE GRANT GROUP " + GROUP));
   RoleDDLDesc roleDesc = work.getRoleDDLDesc();
   Assert.assertNotNull("Role should not be null", roleDesc);
   Assert.assertEquals(RoleOperation.SHOW_ROLE_GRANT, roleDesc.getOperation());
   Assert.assertEquals(PrincipalType.GROUP, roleDesc.getPrincipalType());
   Assert.assertEquals(GROUP, roleDesc.getName());
 }
 /** SHOW GRANT ROLE ... ON TABLE ... */
 @Test
 public void testShowGrantRoleOnTable() throws Exception {
   DDLWork work = analyze(parse("SHOW GRANT ROLE " + ROLE + " ON TABLE " + TABLE));
   ShowGrantDesc grantDesc = work.getShowGrantDesc();
   Assert.assertNotNull("Show grant should not be null", grantDesc);
   Assert.assertEquals(PrincipalType.ROLE, grantDesc.getPrincipalDesc().getType());
   Assert.assertEquals(ROLE, grantDesc.getPrincipalDesc().getName());
   Assert.assertTrue("Expected table", grantDesc.getHiveObj().getTable());
   Assert.assertEquals(TABLE, grantDesc.getHiveObj().getObject());
   Assert.assertTrue("Expected table", grantDesc.getHiveObj().getTable());
 }
 /** REVOKE ... ON TABLE ... FROM ROLE ... */
 @Test
 public void testRevokeRoleTable() throws Exception {
   DDLWork work = analyze(parse("REVOKE " + ALL + " ON TABLE " + TABLE + " FROM ROLE " + ROLE));
   RevokeDesc grantDesc = work.getRevokeDesc();
   Assert.assertNotNull("Revoke should not be null", grantDesc);
   for (PrincipalDesc principal : assertSize(1, grantDesc.getPrincipals())) {
     Assert.assertEquals(PrincipalType.ROLE, principal.getType());
     Assert.assertEquals(ROLE, principal.getName());
   }
   for (PrivilegeDesc privilege : assertSize(1, grantDesc.getPrivileges())) {
     Assert.assertEquals(Privilege.ALL, privilege.getPrivilege());
   }
   Assert.assertTrue("Expected table", grantDesc.getPrivilegeSubjectDesc().getTable());
   Assert.assertEquals(TABLE, grantDesc.getPrivilegeSubjectDesc().getObject());
 }
 /** REVOKE ROLE ... FROM GROUP ... */
 @Test
 public void testRevokeRoleGroup() throws Exception {
   DDLWork work = analyze(parse("REVOKE ROLE " + ROLE + " FROM GROUP " + GROUP));
   GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL();
   Assert.assertNotNull("Grant should not be null", grantDesc);
   Assert.assertFalse("Did not expect grant ", grantDesc.getGrant());
   Assert.assertFalse("Grant option is always true ", grantDesc.isGrantOption());
   Assert.assertEquals(currentUser, grantDesc.getGrantor());
   Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType());
   for (String role : assertSize(1, grantDesc.getRoles())) {
     Assert.assertEquals(ROLE, role);
   }
   for (PrincipalDesc principal : assertSize(1, grantDesc.getPrincipalDesc())) {
     Assert.assertEquals(PrincipalType.GROUP, principal.getType());
     Assert.assertEquals(GROUP, principal.getName());
   }
 }
 /** GRANT ... ON TABLE ... TO ROLE ... WITH GRANT OPTION */
 @Test
 public void testGrantRoleTableWithGrantOption() throws Exception {
   DDLWork work =
       analyze(
           parse(
               "GRANT " + ALL + " ON TABLE " + TABLE + " TO ROLE " + ROLE + " WITH GRANT OPTION"));
   GrantDesc grantDesc = work.getGrantDesc();
   Assert.assertNotNull("Grant should not be null", grantDesc);
   for (PrincipalDesc principal : assertSize(1, grantDesc.getPrincipals())) {
     Assert.assertEquals(PrincipalType.ROLE, principal.getType());
     Assert.assertEquals(ROLE, principal.getName());
   }
   for (PrivilegeDesc privilege : assertSize(1, grantDesc.getPrivileges())) {
     Assert.assertEquals(Privilege.ALL, privilege.getPrivilege());
   }
   Assert.assertTrue("Expected table", grantDesc.getPrivilegeSubjectDesc().getTable());
   Assert.assertTrue("Expected grantOption is true", grantDesc.isGrantOption());
   Assert.assertEquals(TABLE, grantDesc.getPrivilegeSubjectDesc().getObject());
 }
 /** SHOW ROLES */
 @Test
 public void testShowRoles() throws Exception {
   DDLWork work = analyze(parse("SHOW ROLES"));
   RoleDDLDesc roleDDLDesc = work.getRoleDDLDesc();
   Assert.assertEquals(RoleOperation.SHOW_ROLES, roleDDLDesc.getOperation());
 }
Beispiel #9
0
  @Override
  protected void authorizeDDLWork(HiveSemanticAnalyzerHookContext cntxt, Hive hive, DDLWork work)
      throws HiveException {
    // DB opereations, none of them are enforced by Hive right now.

    ShowDatabasesDesc showDatabases = work.getShowDatabasesDesc();
    if (showDatabases != null) {
      authorize(
          HiveOperation.SHOWDATABASES.getInputRequiredPrivileges(),
          HiveOperation.SHOWDATABASES.getOutputRequiredPrivileges());
    }

    DropDatabaseDesc dropDb = work.getDropDatabaseDesc();
    if (dropDb != null) {
      Database db = cntxt.getHive().getDatabase(dropDb.getDatabaseName());
      authorize(db, Privilege.DROP);
    }

    DescDatabaseDesc descDb = work.getDescDatabaseDesc();
    if (descDb != null) {
      Database db = cntxt.getHive().getDatabase(descDb.getDatabaseName());
      authorize(db, Privilege.SELECT);
    }

    SwitchDatabaseDesc switchDb = work.getSwitchDatabaseDesc();
    if (switchDb != null) {
      Database db = cntxt.getHive().getDatabase(switchDb.getDatabaseName());
      authorize(db, Privilege.SELECT);
    }

    ShowTablesDesc showTables = work.getShowTblsDesc();
    if (showTables != null) {
      String dbName =
          showTables.getDbName() == null
              ? SessionState.get().getCurrentDatabase()
              : showTables.getDbName();
      authorize(cntxt.getHive().getDatabase(dbName), Privilege.SELECT);
    }

    ShowTableStatusDesc showTableStatus = work.getShowTblStatusDesc();
    if (showTableStatus != null) {
      String dbName =
          showTableStatus.getDbName() == null
              ? SessionState.get().getCurrentDatabase()
              : showTableStatus.getDbName();
      authorize(cntxt.getHive().getDatabase(dbName), Privilege.SELECT);
    }

    // TODO: add alter database support in HCat

    // Table operations.

    DropTableDesc dropTable = work.getDropTblDesc();
    if (dropTable != null) {
      if (dropTable.getPartSpecs() == null) {
        // drop table is already enforced by Hive. We only check for table level location even if
        // the
        // table is partitioned.
      } else {
        // this is actually a ALTER TABLE DROP PARITITION statement
        for (DropTableDesc.PartSpec partSpec : dropTable.getPartSpecs()) {
          // partitions are not added as write entries in drop partitions in Hive
          Table table =
              hive.getTable(SessionState.get().getCurrentDatabase(), dropTable.getTableName());
          List<Partition> partitions = null;
          try {
            partitions = hive.getPartitionsByFilter(table, partSpec.getPartSpec().getExprString());
          } catch (Exception e) {
            throw new HiveException(e);
          }

          for (Partition part : partitions) {
            authorize(part, Privilege.DROP);
          }
        }
      }
    }

    AlterTableDesc alterTable = work.getAlterTblDesc();
    if (alterTable != null) {
      Table table =
          hive.getTable(SessionState.get().getCurrentDatabase(), alterTable.getOldName(), false);

      Partition part = null;
      if (alterTable.getPartSpec() != null) {
        part = hive.getPartition(table, alterTable.getPartSpec(), false);
      }

      String newLocation = alterTable.getNewLocation();

      /* Hcat requires ALTER_DATA privileges for ALTER TABLE LOCATION statements
       * for the old table/partition location and the new location.
       */
      if (alterTable.getOp() == AlterTableDesc.AlterTableTypes.ALTERLOCATION) {
        if (part != null) {
          authorize(part, Privilege.ALTER_DATA); // authorize for the old
          // location, and new location
          part.setLocation(newLocation);
          authorize(part, Privilege.ALTER_DATA);
        } else {
          authorize(table, Privilege.ALTER_DATA); // authorize for the old
          // location, and new location
          table.getTTable().getSd().setLocation(newLocation);
          authorize(table, Privilege.ALTER_DATA);
        }
      }
      // other alter operations are already supported by Hive
    }

    // we should be careful when authorizing table based on just the
    // table name. If columns have separate authorization domain, it
    // must be honored
    DescTableDesc descTable = work.getDescTblDesc();
    if (descTable != null) {
      String tableName = extractTableName(descTable.getTableName());
      authorizeTable(cntxt.getHive(), tableName, Privilege.SELECT);
    }

    ShowPartitionsDesc showParts = work.getShowPartsDesc();
    if (showParts != null) {
      String tableName = extractTableName(showParts.getTabName());
      authorizeTable(cntxt.getHive(), tableName, Privilege.SELECT);
    }
  }