impala/testdata/workloads/functional-query/queries/QueryTest/create-database.test
Vihang Karajgaonkar 026c5345e0 IMPALA-8851: Do not throw authorization exception in drop if exists queries
Note that this is the continuation of work in
https://github.com/vihangk1/impala/commits/IMPALA-8851

This patch's goal is to change Impala's behavior in the following case:
- the query is a DROP TABLE/VIEW/DATABASE/FUNCTIONS IF EXISTS statement
- the given object does not exist
- the user has some kind of privilege on the object, which implies the
  privilege to know whether the object exists, but does not have DROP
  privilege on the object

Until now this led to an authorization exception, while it will be
allowed with this change.

An example where this is useful is a user who has CREATE privilege on
a database, and creates table t_owned, and gets ownership of the
table. In this case DROP TABLE IF EXISTS was non idempotent:
DROP TABLE IF EXISTS t_owned;
-> success
DROP TABLE IF EXISTS t_owned;
-> authorization error, as the privileges for the table were
   deleted when the table was successfully dropped

After this change the second statement will be also successful.

The authorization logic has to avoid leaking information that the
user has no right to know. For this reason DROP IF EXISTS has to
return the same error message regardless of whether the object exists
or not if the user has no right to know of its existence. This is
achieved with the following pattern:
- in the IF EXISTS case first an ANY privilege is registered, then
  the existence of the object is checked and if it doesn't exist,
  the analysis returns successfully
- if the object exists, the DROP privilege is registered (if there is
  no IF EXISTS in the query, this always happens)
- as the authorization logic checks privileges in the order of
  registration, first the ANY will be checked, and DROP will be only
  checked if the user has ANY privileges

Testing:
- Added a new test case in the sentry tests which confirms that the
authorization exception is not thrown when a drop if exists query is
issued on an object which does not exist.
- Changed several tests affected by the new behavior.
- Ran core tests.

Change-Id: Iba068935e5da92d71e16e2321afdb8e7b781086a
Reviewed-on: http://gerrit.cloudera.org:8080/14121
Reviewed-by: Impala Public Jenkins <impala-public-jenkins@cloudera.com>
Tested-by: Impala Public Jenkins <impala-public-jenkins@cloudera.com>
2019-08-29 12:34:56 +00:00


====
---- QUERY
# Create the database with a comment so that the SHOW and DESCRIBE cases
# below can check that the comment is reported back.
create database $DATABASE_2 comment "For testing"
---- RESULTS
'Database has been created.'
====
---- QUERY
# The new database is expected to be listed together with its comment.
show databases like "$DATABASE_2"
---- RESULTS
'$DATABASE_2','For testing'
---- TYPES
STRING, STRING
====
---- QUERY
# Test that DESCRIBE shows the proper database location
# for a newly created database (regression test for IMPALA-7439)
describe database $DATABASE_2
---- RESULTS
'$DATABASE_2','$NAMENODE/test-warehouse/$DATABASE_2.db','For testing'
---- TYPES
string, string, string
====
---- QUERY
# Test that DESCRIBE EXTENDED also has all of the necessary info.
# Besides the location row, the expected output carries an owner entry:
# principal $USER with owner type USER.
# NOTE(review): $USER is presumably the user running the test -- confirm
# against the test harness.
describe database extended $DATABASE_2
---- RESULTS
'$DATABASE_2','$NAMENODE/test-warehouse/$DATABASE_2.db','For testing'
'Owner: ','',''
'','$USER','USER'
---- TYPES
string, string, string
====
---- QUERY
# Make sure creating a database with the same name doesn't throw an error when
# IF NOT EXISTS is specified.
create database if not exists $DATABASE_2
---- RESULTS
'Database already exists.'
====
---- QUERY
# Test dropping the database.
drop database $DATABASE_2
---- RESULTS
'Database has been dropped.'
====
---- QUERY
# After the drop the database is expected to be absent from the listing
# (no result rows).
show databases like "$DATABASE_2"
---- RESULTS
---- TYPES
STRING, STRING
====
---- QUERY
# Dropping a non-existent database is ok with IF EXISTS
# This case pins only the functional result message.
# NOTE(review): the message tells the caller that the object is absent, so
# what a caller without sufficient privileges sees for DROP ... IF EXISTS
# cannot be verified here; presumably that is covered by the authorization
# tests -- confirm.
drop database if exists $DATABASE_2
---- RESULTS
'Database does not exist.'
====
---- QUERY
# Test DROP DATABASE ... CASCADE
# A separate database is created to hold the objects that the cascade drop
# has to remove.
create database if not exists $DATABASE_cascade
====
---- QUERY
# Populate the database with the object kinds exercised by this scenario:
# a plain table (t1), a partitioned table with one inserted partition (t2),
# an external table (t3), a view (v1), a scalar function (f1) and an
# aggregate function (f2).
# f1 and f2 are backed by shared objects (.so) referenced by path under the
# test warehouse.
# NOTE(review): RESULTS lists a single message, presumably that of the last
# statement in the section -- confirm against the test harness.
create table if not exists $DATABASE_cascade.t1 (i int);
create table if not exists $DATABASE_cascade.t2 (i int)
partitioned by (year smallint, month smallint);
insert into $DATABASE_cascade.t2 partition (year=2015, month=8) values(1);
create external table if not exists $DATABASE_cascade.t3 like functional.alltypes
location '$FILESYSTEM_PREFIX/test-warehouse/alltypes_external';
create view if not exists $DATABASE_cascade.v1 as
select int_col from functional.alltypes;
create function if not exists $DATABASE_cascade.f1() returns string
location '$FILESYSTEM_PREFIX/test-warehouse/libTestUdfs.so' symbol='NoArgs';
create aggregate function if not exists $DATABASE_cascade.f2(int, string) RETURNS int
location '$FILESYSTEM_PREFIX/test-warehouse/libTestUdas.so' UPDATE_FN='TwoArgUpdate'
---- RESULTS
'Function has been created.'
====
---- QUERY
# The three tables and the view are expected in one listing; the functions
# are checked by the following cases.
show tables in $DATABASE_cascade
---- RESULTS
't1'
't2'
't3'
'v1'
---- TYPES
STRING
====
---- QUERY
# Only the scalar function f1 is expected here, reported as NATIVE.
show functions in $DATABASE_cascade
---- RESULTS
'STRING','f1()','NATIVE','true'
---- TYPES
STRING, STRING, STRING, STRING
====
---- QUERY
# The aggregate function f2 is listed separately, also reported as NATIVE.
show aggregate functions in $DATABASE_cascade
---- RESULTS
'INT','f2(INT, STRING)','NATIVE','true'
---- TYPES
STRING, STRING, STRING, STRING
====
---- QUERY
# Should drop all tables, functions, and aggregate functions, as well
# as the database itself.
drop database $DATABASE_cascade cascade
---- RESULTS
'Database has been dropped.'
====
---- QUERY
# The database is expected to be gone after the cascade drop (no result rows).
show databases like '$DATABASE_cascade'
---- RESULTS
====
---- QUERY
# Test that DROP DATABASE ... RESTRICT executes ok.
create database if not exists $DATABASE_restrict
====
---- QUERY
# No comment was supplied at creation, so the comment column is expected
# to be empty.
show databases like '$DATABASE_restrict'
---- RESULTS
'$DATABASE_restrict',''
---- TYPES
STRING,STRING
====
---- QUERY
# No objects are created in this database anywhere in this file, so the
# RESTRICT drop is expected to succeed.
drop database $DATABASE_restrict restrict
---- RESULTS
'Database has been dropped.'
====
---- QUERY
# Confirm that the database is no longer listed (no result rows).
show databases like '$DATABASE_restrict'
---- RESULTS
====