This commit fixes an issue where a GRANT ALL ON SERVER to role_name statement followed by a REVOKE ALL ON SERVER from role_name statement would not revoke all privileges from role_name. The problem was triggered by a specific combination of Sentry client API calls used in Impala during grant/revoke statements at server scope. In particular, during GRANT, Impala was using an API call that didn't explicitly specify the privilege action (Sentry uses '*' if no action is specified). In contrast, the corresponding REVOKE call was explicitly specifying the privilege action to be 'ALL'. Sentry doesn't seem to handle this case correctly, thereby failing to remove all the privileges after a REVOKE ALL ON SERVER call. The fix from the Impala side, that results in the correct behavior, is to always specify the privilege action by using the appropriate API calls. Change-Id: I6b3a0d10f5e88c6a0a10bd20f620562d2de7ab25 Reviewed-on: http://gerrit.cloudera.org:8080/2979 Reviewed-by: Dimitris Tsirogiannis <dtsirogiannis@cloudera.com> Tested-by: Internal Jenkins
====
|
|
---- QUERY
|
|
create role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
create role grant_revoke_test_ALL_TEST_DB
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
create role grant_revoke_test_SELECT_INSERT_TEST_TBL
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
create role grant_revoke_test_ALL_URI
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
# Shows all roles in the system
|
|
show roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
'grant_revoke_test_ALL_SERVER'
|
|
'grant_revoke_test_ALL_TEST_DB'
|
|
'grant_revoke_test_SELECT_INSERT_TEST_TBL'
|
|
'grant_revoke_test_ALL_URI'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
grant all on server to grant_revoke_test_ALL_SERVER
|
|
====
|
|
---- QUERY
|
|
# Group name will be replaced with the actual user's group in the test
|
|
# framework.
|
|
grant role grant_revoke_test_ALL_SERVER to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
show current roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
'grant_revoke_test_ALL_SERVER'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- USER
|
|
does_not_exist
|
|
---- QUERY
|
|
# Run this query as a different user and verify no roles show up but the
|
|
# stmt does not fail with an authorization error.
|
|
show current roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER on server
|
|
---- RESULTS
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
does_not_exist
|
|
---- QUERY
|
|
# User should not have privileges to execute SHOW ROLES
|
|
show roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
---- CATCH
|
|
User 'does_not_exist' does not have privileges to access the requested policy metadata
|
|
====
|
|
---- USER
|
|
does_not_exist
|
|
---- QUERY
|
|
# User should not have privileges to execute SHOW ROLE GRANT GROUP for a group they do not
|
|
# belong to.
|
|
show role grant group root
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
---- CATCH
|
|
User 'does_not_exist' does not have privileges to access the requested policy metadata
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# The 'root' user doesn't have any roles granted to them, but since they are part of the
|
|
# 'root' group, they should have privileges to execute this statement.
|
|
show role grant group root
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
drop database if exists grant_rev_db
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
create table grant_rev_db.test_tbl1(i int)
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
'test_tbl1'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
create function grant_rev_db.fn() RETURNS int
|
|
LOCATION '$FILESYSTEM_PREFIX/test-warehouse/libTestUdfs.so' SYMBOL='Fn'
|
|
====
|
|
---- QUERY
|
|
show functions in grant_rev_db
|
|
---- RESULTS
|
|
'INT','fn()','NATIVE','true'
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING
|
|
====
|
|
---- QUERY
|
|
show create function grant_rev_db.fn
|
|
---- RESULTS: MULTI_LINE
|
|
['CREATE FUNCTION grant_rev_db.fn()
|
|
RETURNS INT
|
|
LOCATION '$NAMENODE/test-warehouse/libTestUdfs.so'
|
|
SYMBOL='_Z2FnPN10impala_udf15FunctionContextE'
|
|
']
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
revoke role grant_revoke_test_ALL_SERVER from group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db.*
|
|
====
|
|
---- QUERY
|
|
show functions in grant_rev_db
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
show create function grant_rev_db.fn
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
show create function _impala_builtins.sin
|
|
---- RESULTS: MULTI_LINE
|
|
['CREATE FUNCTION _impala_builtins.sin(DOUBLE)
|
|
RETURNS DOUBLE
|
|
LOCATION 'null'
|
|
SYMBOL='_ZN6impala13MathFunctions3SinEPN10impala_udf15FunctionContextERKNS1_9DoubleValE'
|
|
']
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
grant role grant_revoke_test_ALL_TEST_DB to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
# Should now have all privileges on the test db
|
|
grant all on database grant_rev_db to grant_revoke_test_ALL_TEST_DB
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
'test_tbl1'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
# Even though the user has all privileges on the database, they do not have privileges
|
|
# on any URIs. The FE tests have additional error message verification.
|
|
create table grant_rev_db.test_tbl2(i int) location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_tbl2';
|
|
---- CATCH
|
|
does not have privileges to access: $NAMENODE/test-warehouse/grant_rev_test_tbl2
|
|
====
|
|
---- QUERY
|
|
grant role grant_revoke_test_ALL_URI to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
grant all on uri '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_tbl2' to grant_revoke_test_ALL_URI
|
|
====
|
|
---- QUERY
|
|
# Should now have privileges to create the table.
|
|
create table grant_rev_db.test_tbl2(i int) location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_test_tbl2';
|
|
====
|
|
---- QUERY
|
|
# Running grant on a URI with upper case letters
|
|
grant all on uri '$FILESYSTEM_PREFIX/test-warehouse/GRANT_REV_TEST_TBL3' to grant_revoke_test_ALL_URI
|
|
====
|
|
---- QUERY
|
|
# Should now have privileges to create the table.
|
|
create table grant_rev_db.test_tbl_uppercase(i int) location '$FILESYSTEM_PREFIX/test-warehouse/GRANT_REV_TEST_TBL3/test';
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- RESULTS
|
|
'test_tbl1'
|
|
'test_tbl2'
|
|
'test_tbl_uppercase'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_URI
|
|
---- RESULTS
|
|
'URI','','','','$NAMENODE/test-warehouse/grant_rev_test_tbl2','ALL',FALSE,regex:.+
|
|
'URI','','','','$NAMENODE/test-warehouse/GRANT_REV_TEST_TBL3','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# Creating a database requires server-level privileges.
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
# Dropping the role should remove the privileges
|
|
drop role grant_revoke_test_ALL_TEST_DB
|
|
====
|
|
---- QUERY
|
|
show tables in grant_rev_db
|
|
---- CATCH
|
|
does not have privileges to access: grant_rev_db.*
|
|
====
|
|
---- QUERY
|
|
grant role grant_revoke_test_SELECT_INSERT_TEST_TBL to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
GRANT SELECT ON TABLE grant_rev_db.test_tbl1 TO grant_revoke_test_SELECT_INSERT_TEST_TBL
|
|
====
|
|
---- QUERY
|
|
select * from grant_rev_db.test_tbl1
|
|
---- RESULTS
|
|
---- TYPES
|
|
INT
|
|
====
|
|
---- QUERY
|
|
select * from grant_rev_db.test_tbl2
|
|
---- CATCH
|
|
does not have privileges to execute 'SELECT' on: grant_rev_db.test_tbl2
|
|
====
|
|
---- QUERY
|
|
insert overwrite grant_rev_db.test_tbl1 select 1
|
|
---- CATCH
|
|
does not have privileges to execute 'INSERT' on: grant_rev_db.test_tbl1
|
|
====
|
|
---- QUERY
|
|
GRANT INSERT ON TABLE grant_rev_db.test_tbl1 TO grant_revoke_test_SELECT_INSERT_TEST_TBL
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_SELECT_INSERT_TEST_TBL on table grant_rev_db.test_tbl1
|
|
---- RESULTS
|
|
'TABLE','grant_rev_db','test_tbl1','','','SELECT',FALSE,regex:.+
|
|
'TABLE','grant_rev_db','test_tbl1','','','INSERT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
insert overwrite grant_rev_db.test_tbl1 select 1
|
|
---- RESULTS
|
|
: 1
|
|
====
|
|
---- QUERY
|
|
select * from grant_rev_db.test_tbl1
|
|
---- RESULTS
|
|
1
|
|
---- TYPES
|
|
INT
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
create role some_test_role
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: CREATE_ROLE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
drop role grant_revoke_test_ALL_SERVER
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: DROP_ROLE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
grant role grant_revoke_test_ALL_SERVER to group $GROUP_NAME
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: GRANT_ROLE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
revoke role grant_revoke_test_ALL_SERVER from group $GROUP_NAME
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: REVOKE_ROLE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
grant all on server to grant_revoke_test_ALL_SERVER
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: GRANT_PRIVILEGE
|
|
====
|
|
---- USER
|
|
test_user
|
|
---- QUERY
|
|
revoke all on server from grant_revoke_test_ALL_SERVER
|
|
---- CATCH
|
|
User 'test_user' does not have privileges to execute: REVOKE_PRIVILEGE
|
|
====
|
|
---- QUERY
|
|
# Set up a role to test the WITH GRANT OPTION. Assumes that tests are not running as
|
|
# 'root' and that 'root' exists on all machines.
|
|
create role grant_revoke_test_ROOT;
|
|
grant role grant_revoke_test_ROOT to group root;
|
|
grant all on database functional to grant_revoke_test_ROOT WITH GRANT OPTION;
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# There should only be one role that exists for root
|
|
show current roles
|
|
---- RESULTS
|
|
'grant_revoke_test_ROOT'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# Verify that this privilege is actually active
|
|
show databases
|
|
---- RESULTS
|
|
'default','Default Hive database'
|
|
'functional',''
|
|
---- TYPES
|
|
STRING,STRING
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# The root user should be able to grant/revoke child privileges.
|
|
# Due to SENTRY-445 they cannot grant SELECT/INSERT even though they have been granted
|
|
# ALL.
|
|
grant all on table functional.alltypes to grant_revoke_test_ROOT
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ROOT
|
|
---- RESULTS
|
|
'DATABASE','functional','','','','ALL',TRUE,regex:.+
|
|
'TABLE','functional','alltypes','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
---- USER
|
|
root
|
|
====
|
|
---- QUERY
|
|
revoke all on table functional.alltypes from grant_revoke_test_ROOT
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# User should not be able to grant privileges outside of this scope.
|
|
grant all on table functional_seq.alltypes to grant_revoke_test_ROOT
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: GRANT_PRIVILEGE
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# Also cannot create/drop/grant roles
|
|
create role grant_revoke_test_ROOT2
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: CREATE_ROLE
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# Also cannot create/drop/grant roles
|
|
grant role grant_revoke_test_ROOT to group root
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: GRANT_ROLE
|
|
====
|
|
---- QUERY
|
|
# Revoke the GRANT OPTION and verify the user can no longer GRANT or REVOKE
|
|
revoke grant option for all on database functional from grant_revoke_test_ROOT
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
grant all on table functional.alltypes to grant_revoke_test_ROOT
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: GRANT_PRIVILEGE
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
# The privilege is still active
|
|
show databases
|
|
---- RESULTS
|
|
'default','Default Hive database'
|
|
'functional',''
|
|
---- TYPES
|
|
STRING,STRING
|
|
====
|
|
---- QUERY
|
|
# Privilege still exists, but grant option is set to false
|
|
show grant role grant_revoke_test_ROOT
|
|
---- RESULTS
|
|
'DATABASE','functional','','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
---- USER
|
|
root
|
|
====
|
|
---- QUERY
|
|
REVOKE ROLE grant_revoke_test_ALL_URI FROM GROUP $GROUP_NAME;
|
|
REVOKE ROLE grant_revoke_test_SELECT_INSERT_TEST_TBL FROM GROUP $GROUP_NAME;
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
GRANT ROLE grant_revoke_test_ALL_SERVER TO GROUP $GROUP_NAME
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show current roles
|
|
---- RESULTS: VERIFY_IS_SUBSET
|
|
'grant_revoke_test_ALL_SERVER'
|
|
---- TYPES
|
|
STRING
|
|
====
|
|
---- QUERY
|
|
# Create a table with multiple columns to test column-level security.
|
|
create table grant_rev_db.test_tbl3(a int, b int, c int, d int, e int) partitioned by (x int, y int)
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
GRANT SELECT (a, b, x) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','b','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','x','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
GRANT SELECT (c, d, y) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','b','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','c','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','d','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','x','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','y','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# The column list repeats 'a' and names columns that already hold SELECT (a, x).
# The SHOW GRANT ROLE check that follows expects exactly one row per column.
GRANT SELECT (a, a, e, x) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','b','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','c','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','d','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','e','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','x','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','y','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# Revoke SELECT privileges from columns
|
|
REVOKE SELECT (a, b, b, y) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','c','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','d','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','e','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','x','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# Columns a and b no longer hold SELECT at this point (removed by the previous
# REVOKE). The statement is still expected to succeed, and the SHOW GRANT ROLE
# check that follows expects only d and e to remain.
REVOKE SELECT (a, b, c, x) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','d','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','e','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
REVOKE SELECT (a, b, c, d, e) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ALL_SERVER;
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# Grant SELECT on table to 'root' without 'WITH GRANT' option.
|
|
GRANT ROLE grant_revoke_test_ROOT TO GROUP root;
|
|
GRANT SELECT ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ROOT;
|
|
REVOKE ALL ON DATABASE functional FROM grant_revoke_test_ROOT;
|
|
---- RESULTS
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ROOT
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'TABLE','grant_rev_db','test_tbl3','','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
GRANT SELECT (a) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ROOT
|
|
---- CATCH
|
|
User 'root' does not have privileges to execute: GRANT_PRIVILEGE
|
|
====
|
|
---- QUERY
|
|
REVOKE SELECT ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ROOT
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
# Grant SELECT on table to 'root' with 'WITH GRANT' option.
|
|
GRANT SELECT ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ROOT WITH GRANT OPTION
|
|
---- RESULTS
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
GRANT SELECT (a) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ROOT
|
|
---- RESULTS
|
|
====
|
|
---- USER
|
|
root
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ROOT
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'TABLE','grant_rev_db','test_tbl3','','','SELECT',TRUE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
GRANT SELECT (a, c, e) ON TABLE grant_rev_db.test_tbl3 TO grant_revoke_test_ALL_SERVER WITH GRANT OPTION
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',TRUE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','c','','SELECT',TRUE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','e','','SELECT',TRUE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# Revoking only the grant option must keep the SELECT privilege itself: the
# SHOW GRANT ROLE check that follows expects a and c with grant_option FALSE
# and column e, which is not named here, still with grant_option TRUE.
REVOKE GRANT OPTION FOR SELECT (a, c) ON TABLE grant_rev_db.test_tbl3 FROM grant_revoke_test_ALL_SERVER
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
# TODO: Add a test case that exercises the cascading effect of REVOKE ALL.
|
|
show grant role grant_revoke_test_ALL_SERVER
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','a','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','c','','SELECT',FALSE,regex:.+
|
|
'COLUMN','grant_rev_db','test_tbl3','e','','SELECT',TRUE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
revoke role grant_revoke_test_ALL_SERVER from group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
# Test 'grant all on server' with explicit server name specified.
|
|
create role grant_revoke_test_ALL_SERVER1
|
|
---- RESULTS
|
|
====
|
|
---- QUERY
|
|
grant all on server server1 to grant_revoke_test_ALL_SERVER1
|
|
====
|
|
---- QUERY
|
|
grant role grant_revoke_test_ALL_SERVER1 to group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
drop database grant_rev_db cascade
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
====
|
|
---- QUERY
|
|
revoke role grant_revoke_test_ALL_SERVER1 from group $GROUP_NAME
|
|
====
|
|
---- QUERY
|
|
create database grant_rev_db location '$FILESYSTEM_PREFIX/test-warehouse/grant_rev_db.db'
|
|
---- CATCH
|
|
does not have privileges to execute 'CREATE' on: grant_rev_db
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER1
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
'SERVER','','','','','ALL',FALSE,regex:.+
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# REVOKE ALL at server scope must remove the privilege created by the earlier
# GRANT ALL ON SERVER; the SHOW GRANT ROLE check that follows expects no rows.
# NOTE(review): only this explicit-server-name form is followed by a REVOKE ALL
# plus an empty SHOW GRANT check. The role granted via the unnamed
# 'grant all on server' form is dropped in cleanup without such a check --
# consider adding one so both forms are covered.
revoke all on server server1 from grant_revoke_test_ALL_SERVER1
|
|
====
|
|
---- QUERY
|
|
show grant role grant_revoke_test_ALL_SERVER1
|
|
---- RESULTS: VERIFY_IS_EQUAL_SORTED
|
|
---- LABELS
|
|
scope, database, table, column, uri, privilege, grant_option, create_time
|
|
---- TYPES
|
|
STRING, STRING, STRING, STRING, STRING, STRING, BOOLEAN, STRING
|
|
====
|
|
---- QUERY
|
|
# Cleanup test roles
|
|
drop role grant_revoke_test_ALL_SERVER;
|
|
drop role grant_revoke_test_SELECT_INSERT_TEST_TBL;
|
|
drop role grant_revoke_test_ALL_URI;
|
|
drop role grant_revoke_test_ROOT;
|
|
---- RESULTS
|
|
====
|