/** SHOW CURRENT ROLE */
@Test
public void testShowCurrentRole() throws Exception {
DDLWork work = analyze(parse("SHOW CURRENT ROLES"));
RoleDDLDesc roleDDLDesc = work.getRoleDDLDesc();
Assert.assertEquals(PrincipalType.USER, roleDDLDesc.getPrincipalType());
Assert.assertEquals(RoleOperation.SHOW_CURRENT_ROLE, roleDDLDesc.getOperation());
}
/** CREATE ROLE ... */
@Test
public void testCreateRole() throws Exception {
DDLWork work = analyze(parse("CREATE ROLE " + ROLE));
RoleDDLDesc roleDesc = work.getRoleDDLDesc();
Assert.assertNotNull("Role should not be null", roleDesc);
Assert.assertEquals(RoleOperation.CREATE_ROLE, roleDesc.getOperation());
Assert.assertFalse("Did not expect a group", roleDesc.getGroup());
Assert.assertEquals(ROLE, roleDesc.getName());
}
/** SHOW ROLE GRANT GROUP ... */
@Test
public void testShowRoleGrantGroup() throws Exception {
DDLWork work = analyze(parse("SHOW ROLE GRANT GROUP " + GROUP));
RoleDDLDesc roleDesc = work.getRoleDDLDesc();
Assert.assertNotNull("Role should not be null", roleDesc);
Assert.assertEquals(RoleOperation.SHOW_ROLE_GRANT, roleDesc.getOperation());
Assert.assertEquals(PrincipalType.GROUP, roleDesc.getPrincipalType());
Assert.assertEquals(GROUP, roleDesc.getName());
}
/** SHOW GRANT ROLE ... ON TABLE ... */
@Test
public void testShowGrantRoleOnTable() throws Exception {
DDLWork work = analyze(parse("SHOW GRANT ROLE " + ROLE + " ON TABLE " + TABLE));
ShowGrantDesc grantDesc = work.getShowGrantDesc();
Assert.assertNotNull("Show grant should not be null", grantDesc);
Assert.assertEquals(PrincipalType.ROLE, grantDesc.getPrincipalDesc().getType());
Assert.assertEquals(ROLE, grantDesc.getPrincipalDesc().getName());
Assert.assertTrue("Expected table", grantDesc.getHiveObj().getTable());
Assert.assertEquals(TABLE, grantDesc.getHiveObj().getObject());
Assert.assertTrue("Expected table", grantDesc.getHiveObj().getTable());
}
/** REVOKE ... ON TABLE ... FROM ROLE ... */
@Test
public void testRevokeRoleTable() throws Exception {
DDLWork work = analyze(parse("REVOKE " + ALL + " ON TABLE " + TABLE + " FROM ROLE " + ROLE));
RevokeDesc grantDesc = work.getRevokeDesc();
Assert.assertNotNull("Revoke should not be null", grantDesc);
for (PrincipalDesc principal : assertSize(1, grantDesc.getPrincipals())) {
Assert.assertEquals(PrincipalType.ROLE, principal.getType());
Assert.assertEquals(ROLE, principal.getName());
}
for (PrivilegeDesc privilege : assertSize(1, grantDesc.getPrivileges())) {
Assert.assertEquals(Privilege.ALL, privilege.getPrivilege());
}
Assert.assertTrue("Expected table", grantDesc.getPrivilegeSubjectDesc().getTable());
Assert.assertEquals(TABLE, grantDesc.getPrivilegeSubjectDesc().getObject());
}
/** REVOKE ROLE ... FROM GROUP ... */
@Test
public void testRevokeRoleGroup() throws Exception {
DDLWork work = analyze(parse("REVOKE ROLE " + ROLE + " FROM GROUP " + GROUP));
GrantRevokeRoleDDL grantDesc = work.getGrantRevokeRoleDDL();
Assert.assertNotNull("Grant should not be null", grantDesc);
Assert.assertFalse("Did not expect grant ", grantDesc.getGrant());
Assert.assertFalse("Grant option is always true ", grantDesc.isGrantOption());
Assert.assertEquals(currentUser, grantDesc.getGrantor());
Assert.assertEquals(PrincipalType.USER, grantDesc.getGrantorType());
for (String role : assertSize(1, grantDesc.getRoles())) {
Assert.assertEquals(ROLE, role);
}
for (PrincipalDesc principal : assertSize(1, grantDesc.getPrincipalDesc())) {
Assert.assertEquals(PrincipalType.GROUP, principal.getType());
Assert.assertEquals(GROUP, principal.getName());
}
}
/** GRANT ... ON TABLE ... TO ROLE ... WITH GRANT OPTION */
@Test
public void testGrantRoleTableWithGrantOption() throws Exception {
DDLWork work =
analyze(
parse(
"GRANT " + ALL + " ON TABLE " + TABLE + " TO ROLE " + ROLE + " WITH GRANT OPTION"));
GrantDesc grantDesc = work.getGrantDesc();
Assert.assertNotNull("Grant should not be null", grantDesc);
for (PrincipalDesc principal : assertSize(1, grantDesc.getPrincipals())) {
Assert.assertEquals(PrincipalType.ROLE, principal.getType());
Assert.assertEquals(ROLE, principal.getName());
}
for (PrivilegeDesc privilege : assertSize(1, grantDesc.getPrivileges())) {
Assert.assertEquals(Privilege.ALL, privilege.getPrivilege());
}
Assert.assertTrue("Expected table", grantDesc.getPrivilegeSubjectDesc().getTable());
Assert.assertTrue("Expected grantOption is true", grantDesc.isGrantOption());
Assert.assertEquals(TABLE, grantDesc.getPrivilegeSubjectDesc().getObject());
}
/** SHOW ROLES */
@Test
public void testShowRoles() throws Exception {
DDLWork work = analyze(parse("SHOW ROLES"));
RoleDDLDesc roleDDLDesc = work.getRoleDDLDesc();
Assert.assertEquals(RoleOperation.SHOW_ROLES, roleDDLDesc.getOperation());
}
@Override
protected void authorizeDDLWork(HiveSemanticAnalyzerHookContext cntxt, Hive hive, DDLWork work)
throws HiveException {
// DB opereations, none of them are enforced by Hive right now.
ShowDatabasesDesc showDatabases = work.getShowDatabasesDesc();
if (showDatabases != null) {
authorize(
HiveOperation.SHOWDATABASES.getInputRequiredPrivileges(),
HiveOperation.SHOWDATABASES.getOutputRequiredPrivileges());
}
DropDatabaseDesc dropDb = work.getDropDatabaseDesc();
if (dropDb != null) {
Database db = cntxt.getHive().getDatabase(dropDb.getDatabaseName());
authorize(db, Privilege.DROP);
}
DescDatabaseDesc descDb = work.getDescDatabaseDesc();
if (descDb != null) {
Database db = cntxt.getHive().getDatabase(descDb.getDatabaseName());
authorize(db, Privilege.SELECT);
}
SwitchDatabaseDesc switchDb = work.getSwitchDatabaseDesc();
if (switchDb != null) {
Database db = cntxt.getHive().getDatabase(switchDb.getDatabaseName());
authorize(db, Privilege.SELECT);
}
ShowTablesDesc showTables = work.getShowTblsDesc();
if (showTables != null) {
String dbName =
showTables.getDbName() == null
? SessionState.get().getCurrentDatabase()
: showTables.getDbName();
authorize(cntxt.getHive().getDatabase(dbName), Privilege.SELECT);
}
ShowTableStatusDesc showTableStatus = work.getShowTblStatusDesc();
if (showTableStatus != null) {
String dbName =
showTableStatus.getDbName() == null
? SessionState.get().getCurrentDatabase()
: showTableStatus.getDbName();
authorize(cntxt.getHive().getDatabase(dbName), Privilege.SELECT);
}
// TODO: add alter database support in HCat
// Table operations.
DropTableDesc dropTable = work.getDropTblDesc();
if (dropTable != null) {
if (dropTable.getPartSpecs() == null) {
// drop table is already enforced by Hive. We only check for table level location even if
// the
// table is partitioned.
} else {
// this is actually a ALTER TABLE DROP PARITITION statement
for (DropTableDesc.PartSpec partSpec : dropTable.getPartSpecs()) {
// partitions are not added as write entries in drop partitions in Hive
Table table =
hive.getTable(SessionState.get().getCurrentDatabase(), dropTable.getTableName());
List<Partition> partitions = null;
try {
partitions = hive.getPartitionsByFilter(table, partSpec.getPartSpec().getExprString());
} catch (Exception e) {
throw new HiveException(e);
}
for (Partition part : partitions) {
authorize(part, Privilege.DROP);
}
}
}
}
AlterTableDesc alterTable = work.getAlterTblDesc();
if (alterTable != null) {
Table table =
hive.getTable(SessionState.get().getCurrentDatabase(), alterTable.getOldName(), false);
Partition part = null;
if (alterTable.getPartSpec() != null) {
part = hive.getPartition(table, alterTable.getPartSpec(), false);
}
String newLocation = alterTable.getNewLocation();
/* Hcat requires ALTER_DATA privileges for ALTER TABLE LOCATION statements
* for the old table/partition location and the new location.
*/
if (alterTable.getOp() == AlterTableDesc.AlterTableTypes.ALTERLOCATION) {
if (part != null) {
authorize(part, Privilege.ALTER_DATA); // authorize for the old
// location, and new location
part.setLocation(newLocation);
authorize(part, Privilege.ALTER_DATA);
} else {
authorize(table, Privilege.ALTER_DATA); // authorize for the old
// location, and new location
table.getTTable().getSd().setLocation(newLocation);
authorize(table, Privilege.ALTER_DATA);
}
}
// other alter operations are already supported by Hive
}
// we should be careful when authorizing table based on just the
// table name. If columns have separate authorization domain, it
// must be honored
DescTableDesc descTable = work.getDescTblDesc();
if (descTable != null) {
String tableName = extractTableName(descTable.getTableName());
authorizeTable(cntxt.getHive(), tableName, Privilege.SELECT);
}
ShowPartitionsDesc showParts = work.getShowPartsDesc();
if (showParts != null) {
String tableName = extractTableName(showParts.getTabName());
authorizeTable(cntxt.getHive(), tableName, Privilege.SELECT);
}
}