SENTRY-702: Hive binding should support RELOAD command (Dapeng Sun vi…

…a Prasad Mujumdar)
apache · Apr 30, 2015 · 0b8d822 · 0b8d822
1 parent 16ef2c3
commit 0b8d822
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 2 deletions.
diff --git a/...inding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java b/...inding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
@@ -57,6 +57,7 @@ public class HiveAuthzBindingSessionHook
     ConfVars.HIVE_SECURITY_COMMAND_WHITELIST.varname,
     ConfVars.HIVE_AUTHORIZATION_TASK_FACTORY.varname,
     ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY.varname,
+    ConfVars.HIVERELOADABLEJARS.varname,
     HiveAuthzConf.HIVE_ACCESS_CONF_URL,
     HiveAuthzConf.HIVE_SENTRY_CONF_URL,
     HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME,
@@ -95,7 +96,7 @@ public void applyAuthorizationConfigPolicy(HiveConf conf) {
    * 2. Set additional config properties required for auth
    *      set HIVE_EXTENDED_ENITITY_CAPTURE = true
    *      set SCRATCHDIRPERMISSION = 700
-   * 3. Add sensetive config parameters to the config restrict list so that they can't be overridden by users
+   * 3. Add sensitive config parameters to the config restrict list so that they can't be overridden by users
    */
   @Override
   public void run(HiveSessionHookContext sessionHookContext) throws HiveSQLException {
@@ -104,7 +105,11 @@ public void run(HiveSessionHookContext sessionHookContext) throws HiveSQLExcepti
 
     appendConfVar(sessionConf, ConfVars.SEMANTIC_ANALYZER_HOOK.varname,
         SEMANTIC_HOOK);
-    sessionConf.setVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST, "set");
+    HiveAuthzConf authzConf = HiveAuthzBindingHook.loadAuthzConf(sessionConf);
+    String commandWhitelist =
+        authzConf.get(HiveAuthzConf.HIVE_SENTRY_SECURITY_COMMAND_WHITELIST,
+            HiveAuthzConf.HIVE_SENTRY_SECURITY_COMMAND_WHITELIST_DEFAULT);
+    sessionConf.setVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST, commandWhitelist);
     sessionConf.setVar(ConfVars.SCRATCHDIRPERMISSION, SCRATCH_DIR_PERMISSIONS);
     sessionConf.setBoolVar(ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY, true);
 

diff --git a/.../sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java b/.../sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
@@ -47,6 +47,10 @@ public class HiveAuthzConf extends Configuration {
    */
   public static final String SENTRY_ACTIVE_ROLE_SET = "hive.sentry.active.role.set";
 
+  public static final String HIVE_SENTRY_SECURITY_COMMAND_WHITELIST =
+      "hive.sentry.security.command.whitelist";
+  public static final String HIVE_SENTRY_SECURITY_COMMAND_WHITELIST_DEFAULT =
+      "set,reset,reload";
 
   /**
    * Config setting definitions

diff --git a/...entry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java b/...entry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestReloadPrivileges.java
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.tests.e2e.hive;
+
+import java.sql.Connection;
+import java.sql.Statement;
+
+import org.apache.sentry.provider.file.PolicyFile;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestReloadPrivileges extends AbstractTestWithStaticConfiguration {
+  private PolicyFile policyFile;
+
+  @BeforeClass
+  public static void setupTestStaticConfiguration() throws Exception {
+    AbstractTestWithStaticConfiguration.setupTestStaticConfiguration();
+  }
+
+  @Before
+  public void setup() throws Exception {
+    policyFile =
+        PolicyFile.setAdminOnServer1(ADMINGROUP).setUserGroupMapping(
+            StaticUserGroup.getStaticMapping());
+    writePolicyFile(policyFile);
+  }
+
+  @Test
+  public void testReload() throws Exception {
+    Connection connection = context.createConnection(USER1_1);
+    Statement statement = context.createStatement(connection);
+    statement.execute("RELOAD");
+    statement.close();
+    connection.close();
+  }
+
+}