mirror of
https://github.com/apache/impala.git
synced 2026-02-01 21:00:29 -05:00
2039746ebe
We found that a test case run in test_grant_revoke_with_role() that is used to verify a requesting user does not possess the necessary privilege to perform the GRANT operation could fail since the expected AuthorizationException is not returned after the query. Since the privilege of GRANT was revoked immediately before this test case, we suspect the authorization-related metadata has not been updated. To make this test case less flaky, in this patch we add a REFRESH AUTHORIZATION after the query that revoked the GRANT privilege from the requesting user. Testing: - Verified that this patch passes the core tests in an ASAN build. Change-Id: I7407bac0407e162ab5ba623505bd7ee49bdf3abf Reviewed-on: http://gerrit.cloudera.org:8080/17165 Reviewed-by: Impala Public Jenkins <impala-public-jenkins@cloudera.com> Tested-by: Impala Public Jenkins <impala-public-jenkins@cloudera.com>
1276 lines
45 KiB
Plaintext
1276 lines
45 KiB
Plaintext
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
create role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
'Role has been created.'
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
create role grant_revoke_test_ALL_TEST_DB
|
|
---- RESULTS
|
|
'Role has been created.'
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
create role grant_revoke_test_SELECT_INSERT_TEST_TBL
|
|
---- RESULTS
|
|
'Role has been created.'
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
create role grant_revoke_test_ALL_URI
|
|
---- RESULTS
|
|
'Role has been created.'
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
refresh authorization;
|
|
show roles;
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
'grant_revoke_test_ALL_SERVER'
|
|
'grant_revoke_test_ALL_TEST_DB'
|
|
'grant_revoke_test_SELECT_INSERT_TEST_TBL'
|
|
'grant_revoke_test_ALL_URI'
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
grant all on server to grant_revoke_test_ALL_SERVER
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# Grant the privilege to the group `$GROUP_NAME`, to which the user 'getuser()' belongs
|
|
# so that the user 'getuser()' could perform the some of the following operations on the
|
|
# database 'grant_rev_db'.
|
|
# Group name will be replaced with the group of 'getuser()' in the test.
|
|
# framework.
|
|
grant role grant_revoke_test_ALL_SERVER to group `$GROUP_NAME`
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
refresh authorization
|
|
====
|
|
---- QUERY
|
|
show current roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
'grant_revoke_test_ALL_SERVER'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- USER
|
|
does_not_exist
|
|
---- QUERY
|
|
# Run this query as a different user and verify no roles show up but the
|
|
# stmt does not fail with an authorization error.
|
|
show current roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on server
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','','','','*','','all',false,regex:.+
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','','','','*','all',false,regex:.+
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
does_not_exist
|
|
---- QUERY
|
|
# A user that is not a Ranger administrator should not have privileges to execute
|
|
# SHOW ROLES
|
|
show roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
---- CATCH
|
|
User does_not_exist does not have permission for this operation
|
|
====
|
|
---- USER
|
|
does_not_exist
|
|
---- QUERY
|
|
# A user that is not a Ranger administrator should not have privilege to execute
|
|
# SHOW ROLE GRANT GROUP for a group the user does not belong to.
|
|
show role grant group non_owner
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
---- CATCH
|
|
User does_not_exist does not have permission for this operation
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# The 'non_owner' user doesn't have any roles granted to them, but since it is part of the
|
|
# 'non_owner' group, they should have privileges to execute this statement.
|
|
# Note that this test case requires that impalad was started with the argument
|
|
# '--use_customized_user_groups_mapper_for_ranger' so that a customized user-to-groups
|
|
# mapper will be used to retrieve the groups the user 'non_owner' belongs to, which
|
|
# consists of exactly one group, the group 'non_owner'.
|
|
show role grant group non_owner
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
drop database if exists grant_rev_db
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
create table grant_rev_db.test_tbl1(i int)
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
'test_tbl1'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
create function grant_rev_db.fn() RETURNS int
|
|
LOCATION '$FILESYSTEM_PREFIX/test-warehouse/libTestUdfs.so' SYMBOL='Fn'
|
|
====
|
|
---- QUERY
|
|
show functions in grant_rev_db
|
|
---- RESULTS
|
|
'INT','fn()','NATIVE','true'
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING
|
|
====
|
|
---- QUERY
|
|
show create function grant_rev_db.fn
|
|
---- RESULTS: MULTI_LINE
|
|
['CREATE FUNCTION grant_rev_db.fn()
|
|
RETURNS INT
|
|
LOCATION ''$NAMENODE/test-warehouse/libTestUdfs.so''
|
|
SYMBOL=''_Z2FnPN10impala_udf15FunctionContextE''
|
|
']
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# To prevent the user 'getuser()' (which belongs to the group '$GROUP_NAME') from
|
|
# performing any operation on the database 'grant_rev_db', we also need to alter
|
|
# the owner of 'grant_rev_db' since 'getuser()' is the owner of this database, which by
|
|
# default is allowed by Ranger to perform any operation on the database.
|
|
revoke role grant_revoke_test_ALL_SERVER from group `$GROUP_NAME`;
|
|
alter database grant_rev_db set owner user admin;
|
|
refresh authorization;
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db.*
|
|
====
|
|
---- QUERY
|
|
show functions in grant_rev_db
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
show create function grant_rev_db.fn
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
show create function _impala_builtins.sin
|
|
---- RESULTS: MULTI_LINE
|
|
['CREATE FUNCTION _impala_builtins.sin(DOUBLE)
|
|
RETURNS DOUBLE
|
|
SYMBOL=''_ZN6impala13MathFunctions3SinEPN10impala_udf15FunctionContextERKNS1_9DoubleValE''
|
|
']
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
grant role grant_revoke_test_ALL_TEST_DB to group `$GROUP_NAME`
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# Should now have all privileges on the test db
|
|
grant all on database grant_rev_db to grant_revoke_test_ALL_TEST_DB
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
'test_tbl1'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
# Even though the user has all privileges on the database, they do not have privileges
|
|
# on any URIs. The FE tests have additional error message verification.
|
|
create table grant_rev_db.test_tbl2(i int) location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_tbl2';
|
|
---- CATCH
|
|
does not have privileges to access: $NAMENODE/test-warehouse/grant_rev_test_tbl2
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
grant role grant_revoke_test_ALL_URI to group `$GROUP_NAME`
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
grant all on uri '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_tbl2' to grant_revoke_test_ALL_URI
|
|
====
|
|
---- QUERY
|
|
# Should now have privileges to create the table.
|
|
create table grant_rev_db.test_tbl2(i int) location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_tbl2';
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# Running grant on a URI with upper case letters
|
|
grant all on uri '$FILESYSTEM_PREFIX/test-warehouse/GRANT_REV_TEST_TBL3' to grant_revoke_test_ALL_URI
|
|
====
|
|
---- QUERY
|
|
# Should now have privileges to create the table.
|
|
create table grant_rev_db.test_tbl_uppercase(i int) location '$FILESYSTEM_PREFIX/test-warehouse/GRANT_REV_TEST_TBL3';
|
|
====
|
|
---- QUERY
|
|
# Privileges on the uri '$FILESYSTEM_PREFIX/test-warehouse/GRANT_REV_TEST_TBL3' do not
|
|
# imply privileges on any location under
|
|
# '$FILESYSTEM_PREFIX/test-warehouse/GRANT_REV_TEST_TBL3'.
|
|
create table grant_rev_db.test_tbl2_uppercase(i int) location '$FILESYSTEM_PREFIX/test-warehouse/GRANT_REV_TEST_TBL3/test';
|
|
---- CATCH
|
|
does not have privileges to access: $NAMENODE/test-warehouse/GRANT_REV_TEST_TBL3/test
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
'test_tbl1'
|
|
'test_tbl2'
|
|
'test_tbl_uppercase'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
# IMPALA-1670: User does not have privileges to access URI when adding partitions
|
|
create table grant_rev_db.test_tbl_partitioned(i int) partitioned by (j int);
|
|
alter table grant_rev_db.test_tbl_partitioned add
|
|
partition (j=1)
|
|
partition (j=2) location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_prt';
|
|
---- CATCH
|
|
does not have privileges to access: $NAMENODE/test-warehouse/grant_rev_test_prt
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
grant all on uri '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_prt'
|
|
to grant_revoke_test_ALL_URI;
|
|
====
|
|
---- QUERY
|
|
# Should now have privileges to add partitions
|
|
alter table grant_rev_db.test_tbl_partitioned add
|
|
partition (j=1)
|
|
partition (j=2) location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_prt';
|
|
show partitions grant_rev_db.test_tbl_partitioned;
|
|
---- RESULTS
|
|
'1',-1,0,'0B','NOT CACHED','NOT CACHED','TEXT','false',regex:.*/j=1
|
|
'2',-1,0,'0B','NOT CACHED','NOT CACHED','TEXT','false','$NAMENODE/test-warehouse/grant_rev_test_prt'
|
|
'Total',-1,0,'0B','0B','','','',''
|
|
---- TYPES
|
|
STRING, BIGINT, BIGINT, STRING, STRING, STRING, STRING, STRING, STRING
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_URI on uri '$NAMENODE/test-warehouse/grant_rev_test_tbl2'
|
|
---- RESULTS
|
|
'ROLE','grant_revoke_test_ALL_URI','','','','$NAMENODE/test-warehouse/grant_rev_test_tbl2','','all',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_URI on uri '$NAMENODE/test-warehouse/GRANT_REV_TEST_TBL3'
|
|
---- RESULTS
|
|
'ROLE','grant_revoke_test_ALL_URI','','','','$NAMENODE/test-warehouse/GRANT_REV_TEST_TBL3','','all',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_URI on uri '$NAMENODE/test-warehouse/grant_rev_test_prt'
|
|
---- RESULTS
|
|
'ROLE','grant_revoke_test_ALL_URI','','','','$NAMENODE/test-warehouse/grant_rev_test_prt','','all',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# Does not result in an AuthorizationException since '$GROUP_NAME' is still assigned the
|
|
# role 'grant_revoke_test_ALL_TEST_DB', which is granted the 'ALL' privilege on the
|
|
# database 'grant_rev_db'
|
|
# TODO(IMPALA-10401): Investigate whether the privilege on the provided uri should be
|
|
# verified.
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
Database already exists: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
# To create a database server-level privileges are required.
|
|
create database grant_rev_db2 location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db2.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db2
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# Currently dropping the role does not remove its associated privileges.
|
|
drop role grant_revoke_test_ALL_TEST_DB
|
|
---- CATCH
|
|
Role 'grant_revoke_test_ALL_TEST_DB' can not be deleted as it is referenced in one or more policies
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# We have to manually remove the privilege associated with the role
|
|
# 'grant_revoke_test_ALL_TEST_DB' before removing it.
|
|
revoke all on database grant_rev_db from grant_revoke_test_ALL_TEST_DB;
|
|
drop role grant_revoke_test_ALL_TEST_DB;
|
|
====
|
|
---- QUERY
|
|
# Recall that the owner of the database 'grant_rev_db' has been changed to 'admin'.
|
|
show tables in grant_rev_db
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db.*
|
|
====
|
|
---- QUERY
|
|
# The user 'getuser()' can select the data from the table 'grant_rev_db.test_tbl1'
|
|
# because 'getuser()' is still the owner of 'grant_rev_db.test_tbl1'.
|
|
select * from grant_rev_db.test_tbl1
|
|
---- RESULTS
|
|
---- TYPES
|
|
INT
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# Up to this point, the owner of the tables 'grant_rev_db.test_tbl1' and
|
|
# 'grant_rev_db.test_tbl1' is the user 'getuser()'. Changing the owner of these tables to
|
|
# the user 'admin' prevents 'getuser()' from accessing the data in those tables.
|
|
alter table grant_rev_db.test_tbl1 set owner user admin;
|
|
alter table grant_rev_db.test_tbl2 set owner user admin;
|
|
====
|
|
---- QUERY
|
|
# After changing the owner of the table 'grant_rev_db.test_tbl1' to the user 'admin',
|
|
# the user 'getuser()' can no longer select the data from 'grant_rev_db.test_tbl1'.
|
|
select * from grant_rev_db.test_tbl1
|
|
---- CATCH
|
|
does not have privileges to execute 'SELECT' on: grant_rev_db.test_tbl1
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
grant role grant_revoke_test_SELECT_INSERT_TEST_TBL to group `$GROUP_NAME`
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
GRANT SELECT ON TABLE grant_rev_db.test_tbl1 TO grant_revoke_test_SELECT_INSERT_TEST_TBL
|
|
====
|
|
---- QUERY
|
|
# This query succeeds since the user 'getuser()' has been granted the role
|
|
# 'grant_revoke_test_SELECT_INSERT_TEST_TBL', which in turn has been granted the SELECT
|
|
# privilege on the table 'grant_rev_db.test_tbl1'.
|
|
select * from grant_rev_db.test_tbl1
|
|
---- RESULTS
|
|
---- TYPES
|
|
INT
|
|
====
|
|
---- QUERY
|
|
# The user 'getuser()' should not be able to select the data from the table
|
|
# 'grant_rev_db.test_tbl2'.
|
|
select * from grant_rev_db.test_tbl2
|
|
---- CATCH
|
|
does not have privileges to execute 'SELECT' on: grant_rev_db.test_tbl2
|
|
====
|
|
---- QUERY
|
|
insert overwrite grant_rev_db.test_tbl1 select 1
|
|
---- CATCH
|
|
does not have privileges to execute 'INSERT' on: grant_rev_db.test_tbl1
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
GRANT INSERT ON TABLE grant_rev_db.test_tbl1 TO grant_revoke_test_SELECT_INSERT_TEST_TBL
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_SELECT_INSERT_TEST_TBL on table grant_rev_db.test_tbl1
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_SELECT_INSERT_TEST_TBL','grant_rev_db','test_tbl1','*','','','insert',false,regex:.+
|
|
'ROLE','grant_revoke_test_SELECT_INSERT_TEST_TBL','grant_rev_db','test_tbl1','*','','','select',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
insert overwrite grant_rev_db.test_tbl1 select 1
|
|
---- RESULTS
|
|
: 1
|
|
====
|
|
---- QUERY
|
|
select * from grant_rev_db.test_tbl1
|
|
---- RESULTS
|
|
1
|
|
---- TYPES
|
|
INT
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
create role some_test_role
|
|
---- CATCH
|
|
User test_user does not have permission for this operation
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
drop role grant_revoke_test_ALL_SERVER
|
|
---- CATCH
|
|
User test_user does not have permission for this operation
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
# A non-Ranger administrator should not be able to tell from the result that the role
|
|
# does not exist.
|
|
drop role grant_revoke_test_NON_EXISTING
|
|
---- CATCH
|
|
User test_user does not have permission for this operation
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
grant role grant_revoke_test_ALL_SERVER to group `$GROUP_NAME`
|
|
---- CATCH
|
|
User doesn't have permissions to grant role grant_revoke_test_ALL_SERVER
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
revoke role grant_revoke_test_ALL_SERVER from group `$GROUP_NAME`
|
|
---- CATCH
|
|
User doesn't have permissions to revoke role grant_revoke_test_ALL_SERVER
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# Grantor is required to exist in Ranger and thus we set the user to 'non_owner', which
|
|
# is currently a user created in Ranger in Impala's development environment.
|
|
grant all on server to grant_revoke_test_ALL_SERVER
|
|
---- CATCH
|
|
User doesn't have necessary permission to grant access
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# Grantor is required to exist in Ranger and thus we set the user to 'non_owner', which
|
|
# is currently a user created in Ranger in Impala's development environment.
|
|
revoke all on server from grant_revoke_test_ALL_SERVER
|
|
---- CATCH
|
|
User doesn't have necessary permission to revoke access
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# Set up a role to test the WITH GRANT OPTION.
|
|
# Note that the group 'non_owner' and the user 'non_owner' are created in Ranger in
|
|
# Impala's development environment and that the group 'non_owner' is a group to which the
|
|
# user 'non_owner' belongs according to the user-to-groups mapper provided for impalad
|
|
# and catalogd via the argument of "--use_customized_user_groups_mapper_for_ranger".
|
|
create role grant_revoke_test_NON_OWNER;
|
|
grant role grant_revoke_test_NON_OWNER to group non_owner;
|
|
grant all on database functional to grant_revoke_test_NON_OWNER WITH GRANT OPTION;
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# There should only be one role that exists for non_owner.
|
|
show current roles
|
|
---- RESULTS
|
|
'grant_revoke_test_NON_OWNER'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# This privilege is actually active.
|
|
show databases
|
|
---- RESULTS
|
|
'default','Default Hive database'
|
|
'functional',''
|
|
---- TYPES
|
|
STRING,STRING
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# The non_owner user should be able to grant/revoke child privileges.
|
|
grant all on table functional.alltypes to grant_revoke_test_NON_OWNER
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_NON_OWNER on database functional
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_NON_OWNER','functional','','','','*','all',true,regex:.+
|
|
'ROLE','grant_revoke_test_NON_OWNER','functional','*','*','','','all',true,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
# Note that the column of 'grant_option' is false for this privilege.
|
|
show grant role grant_revoke_test_NON_OWNER on table functional.alltypes
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_NON_OWNER','functional','alltypes','*','','','all',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
revoke all on table functional.alltypes from grant_revoke_test_NON_OWNER
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# User should not be able to grant privileges outside of this scope of the database
|
|
# 'functional'.
|
|
grant all on table functional_seq.alltypes to grant_revoke_test_NON_OWNER
|
|
---- CATCH
|
|
User doesn't have necessary permission to grant access
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# Also cannot create/drop/grant roles
|
|
create role grant_revoke_test_NON_OWNER2
|
|
---- CATCH
|
|
User non_owner does not have permission for this operation
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# Also cannot create/drop/grant roles
|
|
grant role grant_revoke_test_NON_OWNER to group non_owner
|
|
---- CATCH
|
|
User doesn't have permissions to grant role grant_revoke_test_NON_OWNER
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# Revoke the GRANT OPTION and verify the user can no longer GRANT or REVOKE
|
|
revoke grant option for all on database functional from grant_revoke_test_NON_OWNER;
|
|
refresh authorization;
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
grant all on table functional.alltypes to grant_revoke_test_NON_OWNER
|
|
---- CATCH
|
|
User doesn't have necessary permission to grant access
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# This privilege is actually active.
|
|
show databases
|
|
---- RESULTS
|
|
'default','Default Hive database'
|
|
'functional',''
|
|
---- TYPES
|
|
STRING,STRING
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
# Also, privilege still exists, but grant option is set to false.
|
|
show grant role grant_revoke_test_NON_OWNER on database functional
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_NON_OWNER','functional','','','','*','all',false,regex:.+
|
|
'ROLE','grant_revoke_test_NON_OWNER','functional','*','*','','','all',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# After the following two statements, there is no role assigned to the group
|
|
# '$GROUP_NAME' to which the user 'getuser()' belongs.
|
|
REVOKE ROLE grant_revoke_test_ALL_URI FROM GROUP `$GROUP_NAME`;
|
|
REVOKE ROLE grant_revoke_test_SELECT_INSERT_TEST_TBL FROM GROUP `$GROUP_NAME`;
|
|
---- RESULTS
|
|
'Role has been revoked.'
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
GRANT ROLE grant_revoke_test_ALL_SERVER TO GROUP `$GROUP_NAME`
|
|
---- RESULTS
|
|
'Role has been granted.'
|
|
====
|
|
---- QUERY
|
|
show current roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
'grant_revoke_test_ALL_SERVER'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
# Create a table with multiple columns to test column-level security.
|
|
create table grant_rev_db.test_tbl3(a int, b int, c int, d int, e int) partitioned by (x int, y int)
|
|
---- RESULTS
|
|
'Table has been created.'
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
GRANT SELECT (a, b, x) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
'Privilege(s) have been granted.'
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
# Note that after IMPALA-8587, the related privileges with regard to the specified
|
|
# resource will be shown as well.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.a
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
'ROLE','grant_revoke_test_ALL_SERVER','grant_rev_db','test_tbl3','a','','','select',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.b
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
'ROLE','grant_revoke_test_ALL_SERVER','grant_rev_db','test_tbl3','b','','','select',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.x
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
'ROLE','grant_revoke_test_ALL_SERVER','grant_rev_db','test_tbl3','x','','','select',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# After granting the privileges on (c, d, y), we will check if they are indeed granted in
|
|
# the following 3 SHOW GRANT statements.
|
|
GRANT SELECT (c, d, y) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
'Privilege(s) have been granted.'
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.c
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
'ROLE','grant_revoke_test_ALL_SERVER','grant_rev_db','test_tbl3','c','','','select',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.d
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
'ROLE','grant_revoke_test_ALL_SERVER','grant_rev_db','test_tbl3','d','','','select',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.y
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
'ROLE','grant_revoke_test_ALL_SERVER','grant_rev_db','test_tbl3','y','','','select',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
GRANT SELECT (a, a, e, x) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
'Privilege(s) have been granted.'
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
# Verify that the privilege on 'grant_rev_db.test_tbl3.e' is indeed granted.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.e
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
'ROLE','grant_revoke_test_ALL_SERVER','grant_rev_db','test_tbl3','e','','','select',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# Revoke SELECT privileges from columns.
|
|
# Verify the privileges on (a, b, y) are indeed revoked in the following 3 queries.
|
|
REVOKE SELECT (a, b, b, y) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
'Privilege(s) have been revoked.'
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.a
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.b
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.y
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# Verify the privileges on (b, c, x) are indeed revoked in the following 3 queries.
|
|
# Recall that the privilege on (a) had been revoked previously.
|
|
REVOKE SELECT (a, b, c, x) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
'Privilege(s) have been revoked.'
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.b
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.c
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.x
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# Verify the privileges on (d, e) are indeed revoked in the following 2 queries.
|
|
# Recall that the privilege on (a) had been revoked previously.
|
|
REVOKE SELECT (a, b, c, d, e) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ALL_SERVER;
|
|
---- RESULTS
|
|
'Privilege(s) have been revoked.'
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.d
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.e
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# Grant SELECT on table to 'non_owner' without 'WITH GRANT' option.
|
|
GRANT ROLE grant_revoke_test_NON_OWNER TO GROUP non_owner;
|
|
GRANT SELECT ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_NON_OWNER;
|
|
REVOKE ALL ON DATABASE functional FROM grant_revoke_test_NON_OWNER;
|
|
---- RESULTS
|
|
'Privilege(s) have been revoked.'
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
# Verify that the SELECT privilege is indeed granted to the role
|
|
# 'grant_revoke_test_NON_OWNER'.
|
|
show grant role grant_revoke_test_NON_OWNER on table grant_rev_db.test_tbl3
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_NON_OWNER','grant_rev_db','test_tbl3','*','','','select',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
GRANT SELECT (a) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_NON_OWNER
|
|
---- CATCH
|
|
User doesn't have necessary permission to grant access
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
REVOKE SELECT ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_NON_OWNER
|
|
---- RESULTS
|
|
'Privilege(s) have been revoked.'
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# Grant SELECT on table to 'non_owner' with 'WITH GRANT' option.
|
|
GRANT SELECT ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_NON_OWNER WITH GRANT OPTION
|
|
---- RESULTS
|
|
'Privilege(s) have been granted.'
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
GRANT SELECT (a) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_NON_OWNER
|
|
---- RESULTS
|
|
'Privilege(s) have been granted.'
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
# Verify that the privilege on the column 'grant_rev_db.test_tbl3.a' is indeed granted.
|
|
# TODO: Notice that at this point, the role 'grant_revoke_test_NON_OWNER' has also been
|
|
# granted the SELECT privilege on the table 'grant_rev_db.test_tbl3'. We need to
|
|
# investigate whether this is the expected behavior after IMPALA-8587.
|
|
show grant role grant_revoke_test_NON_OWNER on column grant_rev_db.test_tbl3.a
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_NON_OWNER','grant_rev_db','test_tbl3','a','','','select',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# Grant the SELECT privileges on the columns (a, c, e) and verify in the following 3
|
|
# queries that the privileges are granted with the column of 'grant_option' being true.
|
|
GRANT SELECT (a, c, e) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ALL_SERVER WITH GRANT OPTION
|
|
---- RESULTS
|
|
'Privilege(s) have been granted.'
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.a
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
'ROLE','grant_revoke_test_ALL_SERVER','grant_rev_db','test_tbl3','a','','','select',true,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.c
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
'ROLE','grant_revoke_test_ALL_SERVER','grant_rev_db','test_tbl3','c','','','select',true,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.e
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
'ROLE','grant_revoke_test_ALL_SERVER','grant_rev_db','test_tbl3','e','','','select',true,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# Revoke the granting privilege on the columns (a, c) and veviry in the following 2
|
|
# queries that the column of 'grant_option' is indeed false.
|
|
REVOKE GRANT OPTION FOR SELECT (a, c) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
'Privilege(s) have been revoked.'
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.a
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
'ROLE','grant_revoke_test_ALL_SERVER','grant_rev_db','test_tbl3','a','','','select',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER on column grant_rev_db.test_tbl3.c
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER','*','*','*','','','all',false,regex:.+
|
|
'ROLE','grant_revoke_test_ALL_SERVER','grant_rev_db','test_tbl3','c','','','select',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# At this point, the group '$GROUP_NAME' is still assigned the role of
|
|
# 'grant_revoke_test_ALL_SERVER'.
|
|
revoke role grant_revoke_test_ALL_SERVER from group `$GROUP_NAME`
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# Test 'grant all on server' with explicit server name specified.
|
|
create role grant_revoke_test_ALL_SERVER1
|
|
---- RESULTS
|
|
'Role has been created.'
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
grant all on server server1 to grant_revoke_test_ALL_SERVER1
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# Grant role to the group '$GROUP_NAME' to which the user 'getuser()' belongs.
|
|
grant role grant_revoke_test_ALL_SERVER1 to group `$GROUP_NAME`
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# We will be testing whether the user 'getuser()' is able to drop and then create the
|
|
# database 'grant_rev_db'. Thus, we have to revoke the privileges on the resources under
|
|
# the database 'grant_rev_db' in advance. Otherwise, we won't be able to revoke the
|
|
# privileges after dropping the database since revoking the privileges on those
|
|
# non-existing resources would result AnalysisException's. If we are not able to remove
|
|
# these privileges, then we won't be able to drop those roles they reference after the
|
|
# execution of this test file, leaving some roles and privileges that are not well-defined.
|
|
REVOKE SELECT ON TABLE grant_rev_db.test_tbl1 FROM grant_revoke_test_SELECT_INSERT_TEST_TBL;
|
|
REVOKE INSERT ON TABLE grant_rev_db.test_tbl1 FROM grant_revoke_test_SELECT_INSERT_TEST_TBL;
|
|
REVOKE SELECT ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_NON_OWNER;
|
|
REVOKE SELECT (a) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_NON_OWNER;
|
|
REVOKE SELECT (a, c, e) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ALL_SERVER;
|
|
====
|
|
---- QUERY
|
|
# Verify that the user 'getuser()' is able to drop the database.
|
|
drop database grant_rev_db cascade
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# To prevent the user 'getuser()' (which belongs to the group '$GROUP_NAME') from
|
|
# performing any operation on the database 'grant_rev_db', we also need to alter
|
|
# the owner of 'grant_rev_db' since 'getuser()' is the owner of this database, which by
|
|
# default is allowed by Ranger to perform any operation on the database.
|
|
revoke role grant_revoke_test_ALL_SERVER1 from group `$GROUP_NAME`;
|
|
alter database grant_rev_db set owner user admin;
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_ALL_SERVER1 on server
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'ROLE','grant_revoke_test_ALL_SERVER1','','','','*','','all',false,regex:.+
|
|
'ROLE','grant_revoke_test_ALL_SERVER1','*','','','','*','all',false,regex:.+
|
|
'ROLE','grant_revoke_test_ALL_SERVER1','*','*','*','','','all',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
revoke all on server server1 from grant_revoke_test_ALL_SERVER1
|
|
====
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
# Verify that the privilege on server is indeed revoked.
|
|
show grant role grant_revoke_test_ALL_SERVER1 on server
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# IMPALA-4951: make sure database is visible to a user having only column level access
|
|
# to a table in the database
|
|
grant role grant_revoke_test_ALL_SERVER to group non_owner
|
|
---- RESULTS
|
|
'Role has been granted.'
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
create role grant_revoke_test_COLUMN_PRIV
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
grant role grant_revoke_test_COLUMN_PRIV to group non_owner
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
create database if not exists grant_rev_db;
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
create table grant_rev_db.test_tbl4 (col1 int, col2 int)
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
revoke role grant_revoke_test_ALL_SERVER from group non_owner
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# We have to specify the resource for SHOW GRANT since SHOW GRANT is not supported
|
|
# without a defined resource in Ranger.
|
|
show grant role grant_revoke_test_COLUMN_PRIV on table grant_rev_db.test_tbl4
|
|
---- RESULTS
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# grant_rev_db is not visible as user does not have any level of access to it
|
|
show databases
|
|
---- RESULTS
|
|
'default','Default Hive database'
|
|
---- TYPES
|
|
STRING,STRING
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
grant select(col1) on table grant_rev_db.test_tbl4 to role grant_revoke_test_COLUMN_PRIV
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
show grant role grant_revoke_test_COLUMN_PRIV on column grant_rev_db.test_tbl4.col1
|
|
---- RESULTS
|
|
'ROLE','grant_revoke_test_COLUMN_PRIV','grant_rev_db','test_tbl4','col1','','','select',false,regex:.+
|
|
---- LABELS
|
|
principal_type, principal_name, database, table, column, uri, udf, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
non_owner
|
|
---- QUERY
|
|
# Verify that the database 'grant_rev_db' is visible to the user 'non_owner'.
|
|
show databases
|
|
---- RESULTS
|
|
'default','Default Hive database'
|
|
'grant_rev_db',''
|
|
---- TYPES
|
|
STRING,STRING
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
# We will be testing whether the user 'getuser()' is able to drop a database if the group
|
|
# 'getuser()' belongs to is assigned the role 'grant_revoke_test_ALL_SERVER', which is
|
|
# granted the ALL privilege on the server. Before dropping a database, the user also has
|
|
# to revoke every privilege granted on the resources of the database and thus we grant
|
|
# the ALL privilege with the grant option.
|
|
grant all on server to role grant_revoke_test_ALL_SERVER with grant option;
|
|
grant role grant_revoke_test_ALL_SERVER to group `$GROUP_NAME`;
|
|
---- RESULTS
|
|
'Role has been granted.'
|
|
====
|
|
---- QUERY
|
|
# The user 'getuser()' has to revoke the privileges on the resources under the database
|
|
# 'grant_rev_db' before dropping the database. Otherwise, the revocation would fail due
|
|
# to an AnalysisException thrown because 'grant_rev_db' does not exist.
|
|
revoke select(col1) on table grant_rev_db.test_tbl4 from role grant_revoke_test_COLUMN_PRIV;
|
|
drop database if exists grant_rev_db cascade;
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
revoke role grant_revoke_test_ALL_SERVER from group `$GROUP_NAME`
|
|
---- RESULTS
|
|
'Role has been revoked.'
|
|
====
|
|
---- USER
|
|
admin
|
|
---- QUERY
|
|
revoke role grant_revoke_test_COLUMN_PRIV from group `$GROUP_NAME`
|
|
====
|
|
---- QUERY
|
|
# Verify that the user 'getuser()', which belongs to the group '$GROUP_NAME' is not
|
|
# assigned any role afterwards.
|
|
show current roles
|
|
---- RESULTS
|
|
====
|