HIVE-1935 set hive.security.authorization.createtable.owner.grants to…

… null by default (He Yongqiang via namit) git-svn-id: https://svn.apache.org/repos/asf/hive/trunk@1065458 13f79535-47bb-0310-9956-ffa450edef68
apache · Jan 31, 2011 · 2cbbccc · 2cbbccc
1 parent 374f83b
commit 2cbbccc
Show file tree

Hide file tree

Showing 27 changed files with 116 additions and 171 deletions.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -163,6 +163,9 @@ Trunk -  Unreleased
     HIVE-1929 A way to disable owner grants
     (He Yongqiang via namit)
 
+    HIVE-1935 set hive.security.authorization.createtable.owner.grants to null
+    by default (He Yongqiang via namit)
+
   IMPROVEMENTS
 
     HIVE-1692. FetchOperator.getInputFormatFromCache hides causal exception (Philip Zeyliger via cws)

diff --git a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -362,7 +362,7 @@ public static enum ConfVars {
     HIVE_AUTHORIZATION_TABLE_USER_GRANTS("hive.security.authorization.createtable.user.grants", null),
     HIVE_AUTHORIZATION_TABLE_GROUP_GRANTS("hive.security.authorization.createtable.group.grants", null),
     HIVE_AUTHORIZATION_TABLE_ROLE_GRANTS("hive.security.authorization.createtable.role.grants", null),
-    HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS("hive.security.authorization.createtable.owner.grants", "All"),
+    HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS("hive.security.authorization.createtable.owner.grants", null),
     // Print column names in output
     HIVE_CLI_PRINT_HEADER("hive.cli.print.header", false),
 

diff --git a/conf/hive-default.xml b/conf/hive-default.xml
@@ -913,7 +913,7 @@
 
 <property>
   <name>hive.security.authorization.createtable.owner.grants</name>
-  <value>All</value>
+  <value></value>
   <description>the privileges automatically granted to the owner whenever a table gets created. 
    An example like "select,drop" will grant select and drop privilege to the owner of the table</description>
 </property>

diff --git a/ql/src/test/queries/clientnegative/authorization_fail_1.q b/ql/src/test/queries/clientnegative/authorization_fail_1.q
@@ -1,8 +1,6 @@
 create table authorization_fail_1 (key int, value string);
 set hive.security.authorization.enabled=true;
 
-revoke `ALL` on table authorization_fail_1 from user hive_test_user;
-
 grant `Create` on table authorization_fail_1 to user hive_test_user;
 grant `Create` on table authorization_fail_1 to user hive_test_user;
 

diff --git a/ql/src/test/queries/clientnegative/authorization_fail_2.q b/ql/src/test/queries/clientnegative/authorization_fail_2.q
@@ -1,7 +1,5 @@
 create table authorization_fail_2 (key int, value string) partitioned by (ds string);
 
-revoke `ALL` on table authorization_fail_2 from user hive_test_user;
-
 set hive.security.authorization.enabled=true;
 
 alter table authorization_fail_2 add partition (ds='2010');

diff --git a/ql/src/test/queries/clientnegative/authorization_fail_3.q b/ql/src/test/queries/clientnegative/authorization_fail_3.q
@@ -1,8 +1,6 @@
 create table authorization_fail_3 (key int, value string) partitioned by (ds string);
 set hive.security.authorization.enabled=true;
 
-revoke `ALL` on table authorization_fail_3 from user hive_test_user;
-
 grant `Create` on table authorization_fail_3 to user hive_test_user;
 alter table authorization_fail_3 add partition (ds='2010');
 

diff --git a/ql/src/test/queries/clientnegative/authorization_fail_4.q b/ql/src/test/queries/clientnegative/authorization_fail_4.q
@@ -1,7 +1,5 @@
 create table authorization_fail_4 (key int, value string) partitioned by (ds string);
 
-revoke `ALL` on table authorization_fail_4 from user hive_test_user;
-
 set hive.security.authorization.enabled=true;
 grant `Alter` on table authorization_fail_4 to user hive_test_user;
 ALTER TABLE authorization_fail_4 SET TBLPROPERTIES ("PARTITION_LEVEL_PRIVILEGE"="TRUE");

diff --git a/ql/src/test/queries/clientnegative/authorization_fail_5.q b/ql/src/test/queries/clientnegative/authorization_fail_5.q
@@ -1,8 +1,6 @@
 create table authorization_fail (key int, value string) partitioned by (ds string);
 set hive.security.authorization.enabled=true;
 
-revoke `ALL` on table authorization_fail from user hive_test_user;
-
 grant `Alter` on table authorization_fail to user hive_test_user;
 ALTER TABLE authorization_fail SET TBLPROPERTIES ("PARTITION_LEVEL_PRIVILEGE"="TRUE");
 

diff --git a/ql/src/test/queries/clientnegative/authorization_fail_6.q b/ql/src/test/queries/clientnegative/authorization_fail_6.q
@@ -1,5 +1,4 @@
 create table authorization_part_fail (key int, value string) partitioned by (ds string);
-revoke `ALL` on table authorization_part_fail from user hive_test_user;
 set hive.security.authorization.enabled=true;
 
 ALTER TABLE authorization_part_fail SET TBLPROPERTIES ("PARTITION_LEVEL_PRIVILEGE"="TRUE");
diff --git a/ql/src/test/queries/clientnegative/authorization_fail_7.q b/ql/src/test/queries/clientnegative/authorization_fail_7.q
@@ -1,5 +1,4 @@
 create table authorization_fail (key int, value string);
-revoke `ALL` on table authorization_fail from user hive_test_user;
 
 set hive.security.authorization.enabled=true;
 

diff --git a/ql/src/test/queries/clientnegative/authorization_part.q b/ql/src/test/queries/clientnegative/authorization_part.q
@@ -2,8 +2,6 @@ create table authorization_part_fail (key int, value string) partitioned by (ds
 ALTER TABLE authorization_part_fail SET TBLPROPERTIES ("PARTITION_LEVEL_PRIVILEGE"="TRUE");
 set hive.security.authorization.enabled=true;
 
-revoke `ALL` on table authorization_part_fail from user hive_test_user;
-
 grant `Create` on table authorization_part_fail to user hive_test_user;
 grant `Update` on table authorization_part_fail to user hive_test_user;
 grant `Drop` on table authorization_part_fail to user hive_test_user;

diff --git a/ql/src/test/queries/clientpositive/authorization_1.q b/ql/src/test/queries/clientpositive/authorization_1.q
@@ -1,7 +1,5 @@
 create table src_autho_test as select * from src;
 
-revoke `ALL` on table src_autho_test from user hive_test_user;
-
 set hive.security.authorization.enabled=true;
 
 --table grant to user

diff --git a/ql/src/test/queries/clientpositive/authorization_2.q b/ql/src/test/queries/clientpositive/authorization_2.q
@@ -1,7 +1,5 @@
 create table authorization_part (key int, value string) partitioned by (ds string);
 
-revoke `ALL` on table authorization_part from user hive_test_user;
-
 ALTER TABLE authorization_part SET TBLPROPERTIES ("PARTITION_LEVEL_PRIVILEGE"="TRUE");
 set hive.security.authorization.enabled=true;
 

diff --git a/ql/src/test/queries/clientpositive/authorization_3.q b/ql/src/test/queries/clientpositive/authorization_3.q
@@ -1,7 +1,5 @@
 create table src_autho_test as select * from src;
 
-revoke `ALL` on table src_autho_test from user hive_test_user;
-
 grant `drop` on table src_autho_test to user hive_test_user;
 grant `select` on table src_autho_test to user hive_test_user;
 

diff --git a/ql/src/test/queries/clientpositive/authorization_4.q b/ql/src/test/queries/clientpositive/authorization_4.q
@@ -1,5 +1,7 @@
 create table src_autho_test as select * from src;
 
+grant `All` on table src_autho_test to user hive_test_user;
+
 set hive.security.authorization.enabled=true;
 
 show grant user hive_test_user on table src_autho_test;

diff --git a/ql/src/test/results/clientnegative/authorization_fail_1.q.out b/ql/src/test/results/clientnegative/authorization_fail_1.q.out
@@ -3,10 +3,6 @@ PREHOOK: type: CREATETABLE
 POSTHOOK: query: create table authorization_fail_1 (key int, value string)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: default@authorization_fail_1
-PREHOOK: query: revoke `ALL` on table authorization_fail_1 from user hive_test_user
-PREHOOK: type: REVOKE_PRIVILEGE
-POSTHOOK: query: revoke `ALL` on table authorization_fail_1 from user hive_test_user
-POSTHOOK: type: REVOKE_PRIVILEGE
 PREHOOK: query: grant `Create` on table authorization_fail_1 to user hive_test_user
 PREHOOK: type: GRANT_PRIVILEGE
 POSTHOOK: query: grant `Create` on table authorization_fail_1 to user hive_test_user

diff --git a/ql/src/test/results/clientnegative/authorization_fail_2.q.out b/ql/src/test/results/clientnegative/authorization_fail_2.q.out
@@ -3,8 +3,4 @@ PREHOOK: type: CREATETABLE
 POSTHOOK: query: create table authorization_fail_2 (key int, value string) partitioned by (ds string)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: default@authorization_fail_2
-PREHOOK: query: revoke `ALL` on table authorization_fail_2 from user hive_test_user
-PREHOOK: type: REVOKE_PRIVILEGE
-POSTHOOK: query: revoke `ALL` on table authorization_fail_2 from user hive_test_user
-POSTHOOK: type: REVOKE_PRIVILEGE
 Authorization failed:No privilege 'Create' found for inputs { database:default, table:authorization_fail_2}. Use show grant to get more details.
diff --git a/ql/src/test/results/clientnegative/authorization_fail_3.q.out b/ql/src/test/results/clientnegative/authorization_fail_3.q.out
@@ -3,10 +3,6 @@ PREHOOK: type: CREATETABLE
 POSTHOOK: query: create table authorization_fail_3 (key int, value string) partitioned by (ds string)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: default@authorization_fail_3
-PREHOOK: query: revoke `ALL` on table authorization_fail_3 from user hive_test_user
-PREHOOK: type: REVOKE_PRIVILEGE
-POSTHOOK: query: revoke `ALL` on table authorization_fail_3 from user hive_test_user
-POSTHOOK: type: REVOKE_PRIVILEGE
 PREHOOK: query: grant `Create` on table authorization_fail_3 to user hive_test_user
 PREHOOK: type: GRANT_PRIVILEGE
 POSTHOOK: query: grant `Create` on table authorization_fail_3 to user hive_test_user
@@ -28,7 +24,7 @@ table	authorization_fail_3
 principalName	hive_test_user	
 principalType	USER	
 privilege	Create	
-grantTime	1292569774	
+grantTime	1296259808	
 grantor	hive_test_user	
 PREHOOK: query: show grant user hive_test_user on table authorization_fail_3 partition (ds='2010')
 PREHOOK: type: SHOW_GRANT

diff --git a/ql/src/test/results/clientnegative/authorization_fail_4.q.out b/ql/src/test/results/clientnegative/authorization_fail_4.q.out
@@ -3,10 +3,6 @@ PREHOOK: type: CREATETABLE
 POSTHOOK: query: create table authorization_fail_4 (key int, value string) partitioned by (ds string)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: default@authorization_fail_4
-PREHOOK: query: revoke `ALL` on table authorization_fail_4 from user hive_test_user
-PREHOOK: type: REVOKE_PRIVILEGE
-POSTHOOK: query: revoke `ALL` on table authorization_fail_4 from user hive_test_user
-POSTHOOK: type: REVOKE_PRIVILEGE
 PREHOOK: query: grant `Alter` on table authorization_fail_4 to user hive_test_user
 PREHOOK: type: GRANT_PRIVILEGE
 POSTHOOK: query: grant `Alter` on table authorization_fail_4 to user hive_test_user
@@ -40,15 +36,15 @@ table	authorization_fail_4
 principalName	hive_test_user	
 principalType	USER	
 privilege	Alter	
-grantTime	1292569775	
+grantTime	1296259809	
 grantor	hive_test_user	
 
 database	default	
 table	authorization_fail_4	
 principalName	hive_test_user	
 principalType	USER	
 privilege	Create	
-grantTime	1292569776	
+grantTime	1296259810	
 grantor	hive_test_user	
 PREHOOK: query: show grant user hive_test_user on table authorization_fail_4 partition (ds='2010')
 PREHOOK: type: SHOW_GRANT
@@ -61,7 +57,7 @@ partition	ds=2010
 principalName	hive_test_user	
 principalType	USER	
 privilege	Alter	
-grantTime	1292569776	
+grantTime	1296259810	
 grantor	hive_test_user	
 
 database	default	
@@ -70,6 +66,6 @@ partition	ds=2010
 principalName	hive_test_user	
 principalType	USER	
 privilege	Create	
-grantTime	1292569776	
+grantTime	1296259810	
 grantor	hive_test_user	
 Authorization failed:No privilege 'Select' found for inputs { database:default, table:authorization_fail_4, partitionName:ds=2010, columnName:key}. Use show grant to get more details.
diff --git a/ql/src/test/results/clientnegative/authorization_fail_5.q.out b/ql/src/test/results/clientnegative/authorization_fail_5.q.out
@@ -3,10 +3,6 @@ PREHOOK: type: CREATETABLE
 POSTHOOK: query: create table authorization_fail (key int, value string) partitioned by (ds string)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: default@authorization_fail
-PREHOOK: query: revoke `ALL` on table authorization_fail from user hive_test_user
-PREHOOK: type: REVOKE_PRIVILEGE
-POSTHOOK: query: revoke `ALL` on table authorization_fail from user hive_test_user
-POSTHOOK: type: REVOKE_PRIVILEGE
 PREHOOK: query: grant `Alter` on table authorization_fail to user hive_test_user
 PREHOOK: type: GRANT_PRIVILEGE
 POSTHOOK: query: grant `Alter` on table authorization_fail to user hive_test_user
@@ -44,23 +40,23 @@ table	authorization_fail
 principalName	hive_test_user	
 principalType	USER	
 privilege	Alter	
-grantTime	1292570198	
+grantTime	1296259811	
 grantor	hive_test_user	
 
 database	default	
 table	authorization_fail	
 principalName	hive_test_user	
 principalType	USER	
 privilege	Create	
-grantTime	1292570198	
+grantTime	1296259811	
 grantor	hive_test_user	
 
 database	default	
 table	authorization_fail	
 principalName	hive_test_user	
 principalType	USER	
 privilege	Select	
-grantTime	1292570198	
+grantTime	1296259811	
 grantor	hive_test_user	
 PREHOOK: query: show grant user hive_test_user on table authorization_fail partition (ds='2010')
 PREHOOK: type: SHOW_GRANT
@@ -73,7 +69,7 @@ partition	ds=2010
 principalName	hive_test_user	
 principalType	USER	
 privilege	Alter	
-grantTime	1292570198	
+grantTime	1296259811	
 grantor	hive_test_user	
 
 database	default	
@@ -82,7 +78,7 @@ partition	ds=2010
 principalName	hive_test_user	
 principalType	USER	
 privilege	Create	
-grantTime	1292570198	
+grantTime	1296259811	
 grantor	hive_test_user	
 
 database	default	
@@ -91,7 +87,7 @@ partition	ds=2010
 principalName	hive_test_user	
 principalType	USER	
 privilege	Select	
-grantTime	1292570198	
+grantTime	1296259811	
 grantor	hive_test_user	
 PREHOOK: query: revoke `Select` on table authorization_fail partition (ds='2010') from user hive_test_user
 PREHOOK: type: REVOKE_PRIVILEGE
@@ -108,7 +104,7 @@ partition	ds=2010
 principalName	hive_test_user	
 principalType	USER	
 privilege	Alter	
-grantTime	1292570198	
+grantTime	1296259811	
 grantor	hive_test_user	
 
 database	default	
@@ -117,6 +113,6 @@ partition	ds=2010
 principalName	hive_test_user	
 principalType	USER	
 privilege	Create	
-grantTime	1292570198	
+grantTime	1296259811	
 grantor	hive_test_user	
 Authorization failed:No privilege 'Select' found for inputs { database:default, table:authorization_fail, partitionName:ds=2010, columnName:key}. Use show grant to get more details.
diff --git a/ql/src/test/results/clientnegative/authorization_fail_6.q.out b/ql/src/test/results/clientnegative/authorization_fail_6.q.out
@@ -3,8 +3,4 @@ PREHOOK: type: CREATETABLE
 POSTHOOK: query: create table authorization_part_fail (key int, value string) partitioned by (ds string)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: default@authorization_part_fail
-PREHOOK: query: revoke `ALL` on table authorization_part_fail from user hive_test_user
-PREHOOK: type: REVOKE_PRIVILEGE
-POSTHOOK: query: revoke `ALL` on table authorization_part_fail from user hive_test_user
-POSTHOOK: type: REVOKE_PRIVILEGE
 Authorization failed:No privilege 'Alter' found for inputs { database:default, table:authorization_part_fail}. Use show grant to get more details.
diff --git a/ql/src/test/results/clientnegative/authorization_fail_7.q.out b/ql/src/test/results/clientnegative/authorization_fail_7.q.out
@@ -3,10 +3,6 @@ PREHOOK: type: CREATETABLE
 POSTHOOK: query: create table authorization_fail (key int, value string)
 POSTHOOK: type: CREATETABLE
 POSTHOOK: Output: default@authorization_fail
-PREHOOK: query: revoke `ALL` on table authorization_fail from user hive_test_user
-PREHOOK: type: REVOKE_PRIVILEGE
-POSTHOOK: query: revoke `ALL` on table authorization_fail from user hive_test_user
-POSTHOOK: type: REVOKE_PRIVILEGE
 PREHOOK: query: create role hive_test_role_fail
 PREHOOK: type: CREATEROLE
 POSTHOOK: query: create role hive_test_role_fail
@@ -35,7 +31,7 @@ table	authorization_fail
 principalName	hive_test_role_fail	
 principalType	ROLE	
 privilege	Select	
-grantTime	1292570201	
+grantTime	1296259812	
 grantor	hive_test_user	
 PREHOOK: query: drop role hive_test_role_fail
 PREHOOK: type: DROPROLE