Spark client can create/alter/drop a view

ql/src/java/org/apache/hadoop/hive/ql/security/authorization/command/CommandAuthorizerV2.java

@@ -24,6 +24,10 @@
 import java.util.Set;
 import java.util.Map.Entry;
 
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.metastore.HiveMetaStore;
+import org.apache.hadoop.hive.metastore.TableType;
 import org.apache.hadoop.hive.metastore.api.Database;
 import org.apache.hadoop.hive.ql.exec.FunctionInfo;
 import org.apache.hadoop.hive.ql.exec.FunctionUtils;
@@ -104,8 +108,25 @@ private static List<HivePrivilegeObject> getHivePrivObjects(List<? extends Entit
         continue;
       }
       if (privObject instanceof ReadEntity && !((ReadEntity)privObject).isDirect()) {
-        // This ReadEntity represents one of the underlying tables/views of a view, so skip it.
-        continue;
+        // This ReadEntity represents one of the underlying tables/views of a view, skip it if
+        // it's not inside a deferred authorized view.
+        ReadEntity reTable = (ReadEntity)privObject;
+        Boolean isDeferred = false;
+        if( reTable.getParents() != null && reTable.getParents().size() > 0){
+          for( ReadEntity re: reTable.getParents()){
+            if (re.getTyp() == Type.TABLE && re.getTable() != null ) {
+              Table t = re.getTable();
+              if(!isDeferredAuthView(t)){
+                continue;
+              }else{
+                isDeferred = true;
+              }
+            }
+          }
+        }
+        if(!isDeferred){
+          continue;
+        }
       }
       if (privObject instanceof WriteEntity && ((WriteEntity)privObject).isTempURI()) {
         // do not authorize temporary uris
@@ -121,6 +142,32 @@ private static List<HivePrivilegeObject> getHivePrivObjects(List<? extends Entit
     return hivePrivobjs;
   }
 
+  /**
+   * A deferred authorization view is view created by non-super user like spark-user. This view contains a parameter "Authorized"
+   * set to false, so ranger will not authorize it during view creation. When a select statement is issued, then the ranger authorizes
+   * the under lying tables.
+   * @param Table t
+   * @return boolean value
+   */
+  private static boolean isDeferredAuthView(Table t){
+    String tableType = t.getTTable().getTableType();
+    String authorizedKeyword = "Authorized";
+    boolean isView = false;
+    if (TableType.MATERIALIZED_VIEW.name().equals(tableType) || TableType.VIRTUAL_VIEW.name().equals(tableType)) {
+      isView = true;
+    }
+    if(isView){
+      Map<String, String> params = t.getParameters();
+      if (params != null && params.containsKey(authorizedKeyword)) {
+        String authorizedValue = params.get(authorizedKeyword);
+        if ("false".equalsIgnoreCase(authorizedValue)) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+
   private static void addHivePrivObject(Entity privObject, Map<String, List<String>> tableName2Cols,
       List<HivePrivilegeObject> hivePrivObjs) {
     HivePrivilegeObjectType privObjType = AuthorizationUtils.getHivePrivilegeObjectType(privObject.getType());

ql/src/java/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/HiveMetaStoreAuthorizer.java

@@ -60,6 +60,7 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.Map;
 
 /**
  * HiveMetaStoreAuthorizer :  Do authorization checks on MetaStore Events in MetaStorePreEventListener
@@ -380,19 +381,25 @@ HiveMetaStoreAuthzInfo buildAuthzContext(PreEventContext preEventContext) throws
         case CREATE_TABLE:
           authzEvent = new CreateTableEvent(preEventContext);
           if (isViewOperation(preEventContext) && (!isSuperUser(getCurrentUser(authzEvent)))) {
-            throw new MetaException(getErrorMessage("CREATE_VIEW", getCurrentUser(authzEvent)));
+            //we allow view to be created, but mark it as having not been authorized
+            PreCreateTableEvent pcte = (PreCreateTableEvent)preEventContext;
+            Map<String, String> params = pcte.getTable().getParameters();
+            params.put("Authorized", "false");
           }
           break;
         case ALTER_TABLE:
           authzEvent = new AlterTableEvent(preEventContext);
           if (isViewOperation(preEventContext) && (!isSuperUser(getCurrentUser(authzEvent)))) {
-            throw new MetaException(getErrorMessage("ALTER_VIEW", getCurrentUser(authzEvent)));
+            //we allow view to be altered, but mark it as having not been authorized
+            PreAlterTableEvent pcte = (PreAlterTableEvent)preEventContext;
+            Map<String, String> params = pcte.getNewTable().getParameters();
+            params.put("Authorized", "false");
           }
           break;
         case DROP_TABLE:
           authzEvent = new DropTableEvent(preEventContext);
           if (isViewOperation(preEventContext) && (!isSuperUser(getCurrentUser(authzEvent)))) {
-            throw new MetaException(getErrorMessage("DROP_VIEW", getCurrentUser(authzEvent)));
+            //TODO: do we need to check Authorized flag?
           }
           break;
         case ADD_PARTITION:

ql/src/test/org/apache/hadoop/hive/ql/security/authorization/plugin/metastore/TestHiveMetaStoreAuthorizer.java

@@ -36,10 +36,12 @@
 import org.junit.runners.MethodSorters;
 import org.junit.Before;
 import org.junit.Test;
+import java.util.Map;
 
 import java.io.File;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 
 /*
 Test whether HiveAuthorizer for MetaStore operation is trigger and HiveMetaStoreAuthzInfo is created by HiveMetaStoreAuthorizer
@@ -138,10 +140,37 @@ public void testC_CreateView_anyUser() throws Exception {
               .setOwner(authorizedUser)
               .build(conf);
       hmsHandler.create_table(viewObj);
+      Map<String, String> params = viewObj.getParameters();
+      assertTrue(params.containsKey("Authorized"));
+      assertTrue("false".equalsIgnoreCase(params.get("Authorized")));
     } catch (Exception e) {
-      String err = e.getMessage();
-      String expected = "Operation type CREATE_VIEW not allowed for user:" + authorizedUser;
-      assertEquals(expected, err);
+      // no Exceptions for user same as normal user is now allowed CREATE_VIEW operation
+    }
+  }
+
+  @Test
+  public void testC2_AlterView_anyUser() throws Exception{
+    UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(authorizedUser));
+    try {
+      Table viewObj = new TableBuilder()
+              .setTableName(viewName)
+              .setType(TableType.VIRTUAL_VIEW.name())
+              .addCol("name", ColumnType.STRING_TYPE_NAME)
+              .setOwner(authorizedUser)
+              .build(conf);
+      hmsHandler.create_table(viewObj);
+      viewObj = new TableBuilder()
+              .setTableName(viewName)
+              .setType(TableType.VIRTUAL_VIEW.name())
+              .addCol("dep", ColumnType.STRING_TYPE_NAME)
+              .setOwner(authorizedUser)
+              .build(conf);
+      hmsHandler.alter_table("default", viewName, viewObj);
+      Map<String, String> params = viewObj.getParameters();
+      assertTrue(params.containsKey("Authorized"));
+      assertTrue("false".equalsIgnoreCase(params.get("Authorized")));
+    } catch (Exception e) {
+      // no Exceptions for user same as normal user is now allowed Alter_VIEW operation
     }
   }