mirror of
https://github.com/apache/impala.git
synced 2026-01-07 00:02:28 -05:00
ef0dac661c
This commit adds a new feature to persist hive/java udfs across catalog restarts. IMPALA-1748 already added this for non-java udfs by storing them in parameters map of the Db object and reading them back at catalog startup. However we follow a different approach for hive udfs by converting them to Hive's function format and adding them as hive functions to the metastore. This makes it possible to share udfs between hive and Impala as the udfs added from one service are accessible to other. This commit takes care of format conversions between hive and impala and user can just add function once in either of the services. Background: Hive and impala treat udfs differently. Hive resolves the evaluate function in the udf class at runtime depending on the data types of the input arguments. So user can add one function by name and can pass any arguments to it as long as there is a compatible evaluate function in the udf class. However Impala takes the input types of the udf as a part of function definition (that maps to only one evaluate function) and loads the function only for those set of input argument types. If we have multiple 'evaluate' methods, we need to add multiple functions one for each of them. This commit adds new variants of CREATE | DROP FUNCTIONS to Impala which lets the user to create and drop hive/java udfs without input argument types or return types. Catalog takes care of loading/dropping the udf signatures corresponding to each "evaluate" method in the udf symbol class. The syntax is as follows, CREATE FUNCTION [IF NOT EXISTS] <function name> <function_opts> DROP FUNCTION [IF EXISTS] <function name> Examples: CREATE FUNCTION IF NOT EXISTS foo location '/path/to/jar' SYMBOL='TestUdf'; CREATE FUNCTION bar location '/path/to/jar' SYMBOL='TestUdf2'; DROP FUNCTION foo; DROP FUNCTION IF EXISTS bar; The older way of creating hive/java udfs with specific signature is still supported, however they are *not* persisted across restarts. So a restart of catalog can wipe them out. Additionally this commit also loads all the compatible java udfs added outside of Impala and they needn't be separately loaded. One thing to note here is that the functions added using the new CREATE FUNCTION can only be dropped using the new DROP FUNCTION syntax (without signature). The same rule applies for the java udfs added using the old CREATE FUNCTION syntax (with signature). Change-Id: If31ed3d5ac4192e3bc2d57610a9a0bbe1f62b42d Reviewed-on: http://gerrit.cloudera.org:8080/2250 Reviewed-by: Bharath Vissapragada <bharathv@cloudera.com> Tested-by: Internal Jenkins
676 lines
19 KiB
Plaintext
676 lines
19 KiB
Plaintext
====
|
|
---- QUERY
|
|
create role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
create role grant_revoke_test_ALL_TEST_DB
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
create role grant_revoke_test_SELECT_INSERT_TEST_TBL
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
create role grant_revoke_test_ALL_URI
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
# Shows all roles in the system
|
|
show roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
'grant_revoke_test_ALL_SERVER'
|
|
'grant_revoke_test_ALL_TEST_DB'
|
|
'grant_revoke_test_SELECT_INSERT_TEST_TBL'
|
|
'grant_revoke_test_ALL_URI'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
grant all on server to grant_revoke_test_ALL_SERVER
|
|
====
|
|
---- QUERY
|
|
# Group name will be replaced with the actual user's group in the test
|
|
# framework.
|
|
grant role grant_revoke_test_ALL_SERVER to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
show current roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
'grant_revoke_test_ALL_SERVER'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- USER
|
|
does_not_exist
|
|
---- QUERY
|
|
# Run this query as a different user and verify no roles show up but the
|
|
# stmt does not fail with an authorization error.
|
|
show current roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER on server
|
|
---- RESULTS
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
does_not_exist
|
|
---- QUERY
|
|
# User should not have privileges to execute SHOW ROLES
|
|
show roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
---- CATCH
|
|
User 'does_not_exist' does not have privileges to access the requested policy metadata
|
|
====
|
|
---- USER
|
|
does_not_exist
|
|
---- QUERY
|
|
# User should not have privileges to execute SHOW ROLE GRANT GROUP for a group they do not
|
|
# belong to.
|
|
show role grant group root
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
---- CATCH
|
|
User 'does_not_exist' does not have privileges to access the requested policy metadata
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# The 'root' user doesn't have any roles granted to them, but since they are part of the
|
|
# 'root' group, they should have privileges to execute this statement.
|
|
show role grant group root
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
drop database if exists grant_rev_db
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
create table grant_rev_db.test_tbl1(i int)
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
'test_tbl1'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
create function grant_rev_db.fn() RETURNS int
|
|
LOCATION '$FILESYSTEM_PREFIX/test-warehouse/libTestUdfs.so' SYMBOL='Fn'
|
|
====
|
|
---- QUERY
|
|
show functions in grant_rev_db
|
|
---- RESULTS
|
|
'INT','fn()','NATIVE','true'
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING
|
|
====
|
|
---- QUERY
|
|
show create function grant_rev_db.fn
|
|
---- RESULTS: MULTI_LINE
|
|
['CREATE FUNCTION grant_rev_db.fn()
|
|
RETURNS INT
|
|
LOCATION '$NAMENODE/test-warehouse/libTestUdfs.so'
|
|
SYMBOL='_Z2FnPN10impala_udf15FunctionContextE'
|
|
']
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
revoke role grant_revoke_test_ALL_SERVER from group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db.*
|
|
====
|
|
---- QUERY
|
|
show functions in grant_rev_db
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
show create function grant_rev_db.fn
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
show create function _impala_builtins.sin
|
|
---- RESULTS: MULTI_LINE
|
|
['CREATE FUNCTION _impala_builtins.sin(DOUBLE)
|
|
RETURNS DOUBLE
|
|
LOCATION 'null'
|
|
SYMBOL='_ZN6impala13MathFunctions3SinEPN10impala_udf15FunctionContextERKNS1_9DoubleValE'
|
|
']
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
grant role grant_revoke_test_ALL_TEST_DB to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
# Should now have all privileges on the test db
|
|
grant all on database grant_rev_db to grant_revoke_test_ALL_TEST_DB
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
'test_tbl1'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
# Even though the user has all privileges on the database, they do not have privileges
|
|
# on any URIs. The FE tests have additional error message verification.
|
|
create table grant_rev_db.test_tbl2(i int) location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_tbl2';
|
|
---- CATCH
|
|
does not have privileges to access: $NAMENODE/test-warehouse/grant_rev_test_tbl2
|
|
====
|
|
---- QUERY
|
|
grant role grant_revoke_test_ALL_URI to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
grant all on uri '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_tbl2' to grant_revoke_test_ALL_URI
|
|
====
|
|
---- QUERY
|
|
# Should now have privileges to create the table.
|
|
create table grant_rev_db.test_tbl2(i int) location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_tbl2';
|
|
====
|
|
---- QUERY
|
|
# Running grant on a URI with upper case letters
|
|
grant all on uri '$FILESYSTEM_PREFIX/test-warehouse/GRANT_REV_TEST_TBL3' to grant_revoke_test_ALL_URI
|
|
====
|
|
---- QUERY
|
|
# Should now have privileges to create the table.
|
|
create table grant_rev_db.test_tbl_uppercase(i int) location '$FILESYSTEM_PREFIX/test-warehouse/GRANT_REV_TEST_TBL3/test';
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
'test_tbl1'
|
|
'test_tbl2'
|
|
'test_tbl_uppercase'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_URI
|
|
---- RESULTS
|
|
'URI','','','','$NAMENODE/test-warehouse/grant_rev_test_tbl2','ALL',FALSE,regex:.+
|
|
'URI','','','','$NAMENODE/test-warehouse/GRANT_REV_TEST_TBL3','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# To create a database server-level privileges are required.
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
# Dropping the role should remove the privileges
|
|
drop role grant_revoke_test_ALL_TEST_DB
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db.*
|
|
====
|
|
---- QUERY
|
|
grant role grant_revoke_test_SELECT_INSERT_TEST_TBL to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
GRANT SELECT ON TABLE grant_rev_db.test_tbl1 TO grant_revoke_test_SELECT_INSERT_TEST_TBL
|
|
====
|
|
---- QUERY
|
|
select * from grant_rev_db.test_tbl1
|
|
---- RESULTS
|
|
---- TYPES
|
|
INT
|
|
====
|
|
---- QUERY
|
|
select * from grant_rev_db.test_tbl2
|
|
---- CATCH
|
|
does not have privileges to execute 'SELECT' on: grant_rev_db.test_tbl2
|
|
====
|
|
---- QUERY
|
|
insert overwrite grant_rev_db.test_tbl1 select 1
|
|
---- CATCH
|
|
does not have privileges to execute 'INSERT' on: grant_rev_db.test_tbl1
|
|
====
|
|
---- QUERY
|
|
GRANT INSERT ON TABLE grant_rev_db.test_tbl1 TO grant_revoke_test_SELECT_INSERT_TEST_TBL
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_SELECT_INSERT_TEST_TBL on table grant_rev_db.test_tbl1
|
|
---- RESULTS
|
|
'TABLE','grant_rev_db','test_tbl1','','','SELECT',FALSE,regex:.+
|
|
'TABLE','grant_rev_db','test_tbl1','','','INSERT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
insert overwrite grant_rev_db.test_tbl1 select 1
|
|
---- RESULTS
|
|
: 1
|
|
====
|
|
---- QUERY
|
|
select * from grant_rev_db.test_tbl1
|
|
---- RESULTS
|
|
1
|
|
---- TYPES
|
|
INT
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
create role some_test_role
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: CREATE_ROLE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
drop role grant_revoke_test_ALL_SERVER
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: DROP_ROLE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
grant role grant_revoke_test_ALL_SERVER to group $GROUP_NAME
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: GRANT_ROLE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
revoke role grant_revoke_test_ALL_SERVER from group $GROUP_NAME
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: REVOKE_ROLE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
grant all on server to grant_revoke_test_ALL_SERVER
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: GRANT_PRIVILEGE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
revoke all on server from grant_revoke_test_ALL_SERVER
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: REVOKE_PRIVILEGE
|
|
====
|
|
---- QUERY
|
|
# Set up a role to test the WITH GRANT OPTION. Assumes that tests are not running as
|
|
# 'root' and that 'root' exists on all machines.
|
|
create role grant_revoke_test_ROOT;
|
|
grant role grant_revoke_test_ROOT to group root;
|
|
grant all on database functional to grant_revoke_test_ROOT WITH GRANT OPTION;
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# There should only be one role that exists for root
|
|
show current roles
|
|
---- RESULTS
|
|
'grant_revoke_test_ROOT'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# This privilege actually active
|
|
show databases
|
|
---- RESULTS
|
|
'default','Default Hive database'
|
|
'functional',''
|
|
---- TYPES
|
|
STRING,STRING
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# The root user should be able to grant/revoke child privileges.
|
|
# Due to SENTRY-445 they cannot grant SELECT/INSERT even though they have been granted
|
|
# ALL.
|
|
grant all on table functional.alltypes to grant_revoke_test_ROOT
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ROOT
|
|
---- RESULTS
|
|
'DATABASE','functional','','','','ALL',TRUE,regex:.+
|
|
'TABLE','functional','alltypes','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
---- USER
|
|
root
|
|
====
|
|
---- QUERY
|
|
revoke all on table functional.alltypes from grant_revoke_test_ROOT
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# User should not be able to grant privileges outside of this scope.
|
|
grant all on table functional_seq.alltypes to grant_revoke_test_ROOT
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: GRANT_PRIVILEGE
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# Also cannot create/drop/grant roles
|
|
create role grant_revoke_test_ROOT2
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: CREATE_ROLE
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# Also cannot create/drop/grant roles
|
|
grant role grant_revoke_test_ROOT to group root
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: GRANT_ROLE
|
|
====
|
|
---- QUERY
|
|
# Revoke the GRANT OPTION and verify the user can no longer GRANT or REVOKE
|
|
revoke grant option for all on database functional from grant_revoke_test_ROOT
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
grant all on table functional.alltypes to grant_revoke_test_ROOT
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: GRANT_PRIVILEGE
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# The privilege is still active
|
|
show databases
|
|
---- RESULTS
|
|
'default','Default Hive database'
|
|
'functional',''
|
|
---- TYPES
|
|
STRING,STRING
|
|
====
|
|
---- QUERY
|
|
# Privilege still exists, but grant option is set to false
|
|
show grant role grant_revoke_test_ROOT
|
|
---- RESULTS
|
|
'DATABASE','functional','','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
---- USER
|
|
root
|
|
====
|
|
---- QUERY
|
|
REVOKE ROLE grant_revoke_test_ALL_URI FROM GROUP $GROUP_NAME;
|
|
REVOKE ROLE grant_revoke_test_SELECT_INSERT_TEST_TBL FROM GROUP $GROUP_NAME;
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
GRANT ROLE grant_revoke_test_ALL_SERVER TO GROUP $GROUP_NAME
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show current roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
'grant_revoke_test_ALL_SERVER'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
# Create a table with multiple columns to test column-level security.
|
|
create table grant_rev_db.test_tbl3(a int, b int, c int, d int, e int) partitioned by (x int, y int)
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
GRANT SELECT (a, b, x) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','b','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','x','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
GRANT SELECT (c, d, y) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','b','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','c','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','d','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','x','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','y','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
GRANT SELECT (a, a, e, x) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','b','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','c','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','d','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','e','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','x','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','y','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# Revoke SELECT privileges from columns
|
|
REVOKE SELECT (a, b, b, y) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','c','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','d','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','e','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','x','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
REVOKE SELECT (a, b, c, x) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','d','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','e','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
REVOKE SELECT (a, b, c, d, e) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ALL_SERVER;
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# Grant SELECT on table to 'root' without 'WITH GRANT' option.
|
|
GRANT ROLE grant_revoke_test_ROOT TO GROUP root;
|
|
GRANT SELECT ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ROOT;
|
|
REVOKE ALL ON DATABASE functional FROM grant_revoke_test_ROOT;
|
|
---- RESULTS
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ROOT
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'TABLE','grant_rev_db','test_tbl3','','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
GRANT SELECT (a) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ROOT
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: GRANT_PRIVILEGE
|
|
====
|
|
---- QUERY
|
|
REVOKE SELECT ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ROOT
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
# Grant SELECT on table to 'root' with 'WITH GRANT' option.
|
|
GRANT SELECT ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ROOT WITH GRANT OPTION
|
|
---- RESULTS
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
GRANT SELECT (a) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ROOT
|
|
---- RESULTS
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ROOT
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'TABLE','grant_rev_db','test_tbl3','','','SELECT',TRUE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
GRANT SELECT (a, c, e) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ALL_SERVER WITH GRANT OPTION
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',TRUE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','c','','SELECT',TRUE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','e','','SELECT',TRUE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
REVOKE GRANT OPTION FOR SELECT (a, c) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
# TODO: Add a test case that exercises the cascading effect of REVOKE ALL.
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','c','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','e','','SELECT',TRUE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# Cleanup test roles
|
|
drop role grant_revoke_test_ALL_SERVER;
|
|
drop role grant_revoke_test_SELECT_INSERT_TEST_TBL;
|
|
drop role grant_revoke_test_ALL_URI;
|
|
drop role grant_revoke_test_ROOT;
|
|
---- RESULTS
|
|
====
|