mirror of
https://github.com/apache/impala.git
synced 2026-01-06 06:01:03 -05:00
858f5c2197
Before this patch, we would simply read the INT96 Parquet timestamp representation and assume that it's valid. However, not all bit permutations represent a valid timestamp. One of the boost functions raised an exception (that we didn't catch) when passed an invalid boost date object, which resulted in a crash. This patch fixes problem by validating that the date falls into 1400..9999 year range as we are scanning Parquet. Change-Id: Ieaab5d33e6f0df831d0e67e1d318e5416ffb90ac Reviewed-on: http://gerrit.cloudera.org:8080/5343 Reviewed-by: Taras Bobrovytsky <tbobrovytsky@cloudera.com> Tested-by: Internal Jenkins
724 lines
20 KiB
Plaintext
724 lines
20 KiB
Plaintext
====
|
|
---- QUERY
|
|
create role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
create role grant_revoke_test_ALL_TEST_DB
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
create role grant_revoke_test_SELECT_INSERT_TEST_TBL
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
create role grant_revoke_test_ALL_URI
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
# Shows all roles in the system
|
|
show roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
'grant_revoke_test_ALL_SERVER'
|
|
'grant_revoke_test_ALL_TEST_DB'
|
|
'grant_revoke_test_SELECT_INSERT_TEST_TBL'
|
|
'grant_revoke_test_ALL_URI'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
grant all on server to grant_revoke_test_ALL_SERVER
|
|
====
|
|
---- QUERY
|
|
# Group name will be replaced with the actual user's group in the test
|
|
# framework.
|
|
grant role grant_revoke_test_ALL_SERVER to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
show current roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
'grant_revoke_test_ALL_SERVER'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- USER
|
|
does_not_exist
|
|
---- QUERY
|
|
# Run this query as a different user and verify no roles show up but the
|
|
# stmt does not fail with an authorization error.
|
|
show current roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER on server
|
|
---- RESULTS
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
does_not_exist
|
|
---- QUERY
|
|
# User should not have privileges to execute SHOW ROLES
|
|
show roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
---- CATCH
|
|
User 'does_not_exist' does not have privileges to access the requested policy metadata
|
|
====
|
|
---- USER
|
|
does_not_exist
|
|
---- QUERY
|
|
# User should not have privileges to execute SHOW ROLE GRANT GROUP for a group they do not
|
|
# belong to.
|
|
show role grant group root
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
---- CATCH
|
|
User 'does_not_exist' does not have privileges to access the requested policy metadata
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# The 'root' user doesn't have any roles granted to them, but since they are part of the
|
|
# 'root' group, they should have privileges to execute this statement.
|
|
show role grant group root
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
drop database if exists grant_rev_db
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
create table grant_rev_db.test_tbl1(i int)
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
'test_tbl1'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
create function grant_rev_db.fn() RETURNS int
|
|
LOCATION '$FILESYSTEM_PREFIX/test-warehouse/libTestUdfs.so' SYMBOL='Fn'
|
|
====
|
|
---- QUERY
|
|
show functions in grant_rev_db
|
|
---- RESULTS
|
|
'INT','fn()','NATIVE','true'
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING
|
|
====
|
|
---- QUERY
|
|
show create function grant_rev_db.fn
|
|
---- RESULTS: MULTI_LINE
|
|
['CREATE FUNCTION grant_rev_db.fn()
|
|
RETURNS INT
|
|
LOCATION '$NAMENODE/test-warehouse/libTestUdfs.so'
|
|
SYMBOL='_Z2FnPN10impala_udf15FunctionContextE'
|
|
']
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
revoke role grant_revoke_test_ALL_SERVER from group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db.*
|
|
====
|
|
---- QUERY
|
|
show functions in grant_rev_db
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
show create function grant_rev_db.fn
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
show create function _impala_builtins.sin
|
|
---- RESULTS: MULTI_LINE
|
|
['CREATE FUNCTION _impala_builtins.sin(DOUBLE)
|
|
RETURNS DOUBLE
|
|
LOCATION 'null'
|
|
SYMBOL='_ZN6impala13MathFunctions3SinEPN10impala_udf15FunctionContextERKNS1_9DoubleValE'
|
|
']
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
grant role grant_revoke_test_ALL_TEST_DB to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
# Should now have all privileges on the test db
|
|
grant all on database grant_rev_db to grant_revoke_test_ALL_TEST_DB
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
'test_tbl1'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
# Even though the user has all privileges on the database, they do not have privileges
|
|
# on any URIs. The FE tests have additional error message verification.
|
|
create table grant_rev_db.test_tbl2(i int) location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_tbl2';
|
|
---- CATCH
|
|
does not have privileges to access: __HDFS_FILENAME__
|
|
====
|
|
---- QUERY
|
|
grant role grant_revoke_test_ALL_URI to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
grant all on uri '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_tbl2' to grant_revoke_test_ALL_URI
|
|
====
|
|
---- QUERY
|
|
# Should now have privileges to create the table.
|
|
create table grant_rev_db.test_tbl2(i int) location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_tbl2';
|
|
====
|
|
---- QUERY
|
|
# Running grant on a URI with upper case letters
|
|
grant all on uri '$FILESYSTEM_PREFIX/test-warehouse/GRANT_REV_TEST_TBL3' to grant_revoke_test_ALL_URI
|
|
====
|
|
---- QUERY
|
|
# Should now have privileges to create the table.
|
|
create table grant_rev_db.test_tbl_uppercase(i int) location '$FILESYSTEM_PREFIX/test-warehouse/GRANT_REV_TEST_TBL3/test';
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
'test_tbl1'
|
|
'test_tbl2'
|
|
'test_tbl_uppercase'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_URI
|
|
---- RESULTS
|
|
'URI','','','','$NAMENODE/test-warehouse/grant_rev_test_tbl2','ALL',FALSE,regex:.+
|
|
'URI','','','','$NAMENODE/test-warehouse/GRANT_REV_TEST_TBL3','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# To create a database server-level privileges are required.
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
# Dropping the role should remove the privileges
|
|
drop role grant_revoke_test_ALL_TEST_DB
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db.*
|
|
====
|
|
---- QUERY
|
|
grant role grant_revoke_test_SELECT_INSERT_TEST_TBL to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
GRANT SELECT ON TABLE grant_rev_db.test_tbl1 TO grant_revoke_test_SELECT_INSERT_TEST_TBL
|
|
====
|
|
---- QUERY
|
|
select * from grant_rev_db.test_tbl1
|
|
---- RESULTS
|
|
---- TYPES
|
|
INT
|
|
====
|
|
---- QUERY
|
|
select * from grant_rev_db.test_tbl2
|
|
---- CATCH
|
|
does not have privileges to execute 'SELECT' on: grant_rev_db.test_tbl2
|
|
====
|
|
---- QUERY
|
|
insert overwrite grant_rev_db.test_tbl1 select 1
|
|
---- CATCH
|
|
does not have privileges to execute 'INSERT' on: grant_rev_db.test_tbl1
|
|
====
|
|
---- QUERY
|
|
GRANT INSERT ON TABLE grant_rev_db.test_tbl1 TO grant_revoke_test_SELECT_INSERT_TEST_TBL
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_SELECT_INSERT_TEST_TBL on table grant_rev_db.test_tbl1
|
|
---- RESULTS
|
|
'TABLE','grant_rev_db','test_tbl1','','','SELECT',FALSE,regex:.+
|
|
'TABLE','grant_rev_db','test_tbl1','','','INSERT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
insert overwrite grant_rev_db.test_tbl1 select 1
|
|
---- RESULTS
|
|
: 1
|
|
====
|
|
---- QUERY
|
|
select * from grant_rev_db.test_tbl1
|
|
---- RESULTS
|
|
1
|
|
---- TYPES
|
|
INT
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
create role some_test_role
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: CREATE_ROLE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
drop role grant_revoke_test_ALL_SERVER
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: DROP_ROLE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
grant role grant_revoke_test_ALL_SERVER to group $GROUP_NAME
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: GRANT_ROLE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
revoke role grant_revoke_test_ALL_SERVER from group $GROUP_NAME
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: REVOKE_ROLE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
grant all on server to grant_revoke_test_ALL_SERVER
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: GRANT_PRIVILEGE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
revoke all on server from grant_revoke_test_ALL_SERVER
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: REVOKE_PRIVILEGE
|
|
====
|
|
---- QUERY
|
|
# Set up a role to test the WITH GRANT OPTION. Assumes that tests are not running as
|
|
# 'root' and that 'root' exists on all machines.
|
|
create role grant_revoke_test_ROOT;
|
|
grant role grant_revoke_test_ROOT to group root;
|
|
grant all on database functional to grant_revoke_test_ROOT WITH GRANT OPTION;
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# There should only be one role that exists for root
|
|
show current roles
|
|
---- RESULTS
|
|
'grant_revoke_test_ROOT'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# This privilege actually active
|
|
show databases
|
|
---- RESULTS
|
|
'default','Default Hive database'
|
|
'functional',''
|
|
---- TYPES
|
|
STRING,STRING
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# The root user should be able to grant/revoke child privileges.
|
|
# Due to SENTRY-445 they cannot grant SELECT/INSERT even though they have been granted
|
|
# ALL.
|
|
grant all on table functional.alltypes to grant_revoke_test_ROOT
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ROOT
|
|
---- RESULTS
|
|
'DATABASE','functional','','','','ALL',TRUE,regex:.+
|
|
'TABLE','functional','alltypes','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
---- USER
|
|
root
|
|
====
|
|
---- QUERY
|
|
revoke all on table functional.alltypes from grant_revoke_test_ROOT
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# User should not be able to grant privileges outside of this scope.
|
|
grant all on table functional_seq.alltypes to grant_revoke_test_ROOT
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: GRANT_PRIVILEGE
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# Also cannot create/drop/grant roles
|
|
create role grant_revoke_test_ROOT2
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: CREATE_ROLE
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# Also cannot create/drop/grant roles
|
|
grant role grant_revoke_test_ROOT to group root
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: GRANT_ROLE
|
|
====
|
|
---- QUERY
|
|
# Revoke the GRANT OPTION and verify the user can no longer GRANT or REVOKE
|
|
revoke grant option for all on database functional from grant_revoke_test_ROOT
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
grant all on table functional.alltypes to grant_revoke_test_ROOT
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: GRANT_PRIVILEGE
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# The privilege is still active
|
|
show databases
|
|
---- RESULTS
|
|
'default','Default Hive database'
|
|
'functional',''
|
|
---- TYPES
|
|
STRING,STRING
|
|
====
|
|
---- QUERY
|
|
# Privilege still exists, but grant option is set to false
|
|
show grant role grant_revoke_test_ROOT
|
|
---- RESULTS
|
|
'DATABASE','functional','','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
---- USER
|
|
root
|
|
====
|
|
---- QUERY
|
|
REVOKE ROLE grant_revoke_test_ALL_URI FROM GROUP $GROUP_NAME;
|
|
REVOKE ROLE grant_revoke_test_SELECT_INSERT_TEST_TBL FROM GROUP $GROUP_NAME;
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
GRANT ROLE grant_revoke_test_ALL_SERVER TO GROUP $GROUP_NAME
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show current roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
'grant_revoke_test_ALL_SERVER'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
# Create a table with multiple columns to test column-level security.
|
|
create table grant_rev_db.test_tbl3(a int, b int, c int, d int, e int) partitioned by (x int, y int)
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
GRANT SELECT (a, b, x) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','b','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','x','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
GRANT SELECT (c, d, y) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','b','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','c','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','d','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','x','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','y','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
GRANT SELECT (a, a, e, x) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','b','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','c','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','d','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','e','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','x','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','y','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# Revoke SELECT privileges from columns
|
|
REVOKE SELECT (a, b, b, y) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','c','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','d','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','e','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','x','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
REVOKE SELECT (a, b, c, x) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','d','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','e','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
REVOKE SELECT (a, b, c, d, e) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ALL_SERVER;
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# Grant SELECT on table to 'root' without 'WITH GRANT' option.
|
|
GRANT ROLE grant_revoke_test_ROOT TO GROUP root;
|
|
GRANT SELECT ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ROOT;
|
|
REVOKE ALL ON DATABASE functional FROM grant_revoke_test_ROOT;
|
|
---- RESULTS
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ROOT
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'TABLE','grant_rev_db','test_tbl3','','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
GRANT SELECT (a) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ROOT
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: GRANT_PRIVILEGE
|
|
====
|
|
---- QUERY
|
|
REVOKE SELECT ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ROOT
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
# Grant SELECT on table to 'root' with 'WITH GRANT' option.
|
|
GRANT SELECT ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ROOT WITH GRANT OPTION
|
|
---- RESULTS
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
GRANT SELECT (a) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ROOT
|
|
---- RESULTS
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ROOT
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'TABLE','grant_rev_db','test_tbl3','','','SELECT',TRUE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
GRANT SELECT (a, c, e) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ALL_SERVER WITH GRANT OPTION
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',TRUE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','c','','SELECT',TRUE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','e','','SELECT',TRUE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
REVOKE GRANT OPTION FOR SELECT (a, c) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
# TODO: Add a test case that exercises the cascading effect of REVOKE ALL.
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','c','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','e','','SELECT',TRUE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
revoke role grant_revoke_test_ALL_SERVER from group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
# Test 'grant all on server' with explicit server name specified.
|
|
create role grant_revoke_test_ALL_SERVER1
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
grant all on server server1 to grant_revoke_test_ALL_SERVER1
|
|
====
|
|
---- QUERY
|
|
grant role grant_revoke_test_ALL_SERVER1 to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
drop database grant_rev_db cascade
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
====
|
|
---- QUERY
|
|
revoke role grant_revoke_test_ALL_SERVER1 from group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER1
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
revoke all on server server1 from grant_revoke_test_ALL_SERVER1
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER1
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# Cleanup test roles
|
|
drop role grant_revoke_test_ALL_SERVER;
|
|
drop role grant_revoke_test_SELECT_INSERT_TEST_TBL;
|
|
drop role grant_revoke_test_ALL_URI;
|
|
drop role grant_revoke_test_ROOT;
|
|
---- RESULTS
|
|
====
|