Add test cases to reproduce HiveAccessControlException

Author: okumin

iceberg/iceberg-catalog/src/test/java/org/apache/iceberg/hive/HiveAuthorizerFactoryForTest.java

@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.iceberg.hive;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
+
+public class HiveAuthorizerFactoryForTest implements HiveAuthorizerFactory {
+  @Override
+  public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf,
+      HiveAuthenticationProvider hiveAuthenticator, HiveAuthzSessionContext ctx) {
+    return new HiveAuthorizerForTest(hiveAuthenticator);
+  }
+}

iceberg/iceberg-catalog/src/test/java/org/apache/iceberg/hive/HiveAuthorizerForTest.java

@@ -0,0 +1,142 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.iceberg.hive;
+
+import java.util.List;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.AbstractHiveAuthorizer;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class HiveAuthorizerForTest extends AbstractHiveAuthorizer {
+  public static final String PERMISSION_TEST_USER = "permission_test_user";
+  private static final Logger LOG = LoggerFactory.getLogger(HiveAuthorizerForTest.class);
+
+  private final HiveAuthenticationProvider authenticator;
+
+  public HiveAuthorizerForTest(HiveAuthenticationProvider authenticator) {
+    this.authenticator = authenticator;
+  }
+
+  @Override
+  public VERSION getVersion() {
+    return null;
+  }
+
+  @Override
+  public void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
+      HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) {
+  }
+
+  @Override
+  public void revokePrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
+      HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) {
+  }
+
+  @Override
+  public void createRole(String roleName, HivePrincipal adminGrantor) {
+  }
+
+  @Override
+  public void dropRole(String roleName) {
+  }
+
+  @Override
+  public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) {
+    return List.of();
+  }
+
+  @Override
+  public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal) {
+    return List.of();
+  }
+
+  @Override
+  public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption,
+      HivePrincipal grantorPrinc) {
+  }
+
+  @Override
+  public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption,
+      HivePrincipal grantorPrinc) {
+
+  }
+
+  @Override
+  public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputsHObjs,
+      List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAccessControlException {
+    LOG.info("Checking privileges. User={}, Operation={}, inputs={}, outputs={}", authenticator.getUserName(),
+        hiveOpType, inputsHObjs, outputHObjs);
+    if (PERMISSION_TEST_USER.equals(authenticator.getUserName())) {
+      throw new HiveAccessControlException(String.format("Unauthorized. Operation=%s, inputs=%s, outputs=%s",
+          hiveOpType, inputsHObjs, outputHObjs));
+    }
+  }
+
+  @Override
+  public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs, HiveAuthzContext context) {
+    return List.of();
+  }
+
+  @Override
+  public List<String> getAllRoles() {
+    return List.of();
+  }
+
+  @Override
+  public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) {
+    return List.of();
+  }
+
+  @Override
+  public void setCurrentRole(String roleName) {
+
+  }
+
+  @Override
+  public List<String> getCurrentRoleNames() {
+    return List.of();
+  }
+
+  @Override
+  public void applyAuthorizationConfigPolicy(HiveConf hiveConf) {
+
+  }
+
+  @Override
+  public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext context,
+      List<HivePrivilegeObject> privObjs) {
+    return List.of();
+  }
+
+  @Override
+  public boolean needTransform() {
+    return false;
+  }
+}

iceberg/iceberg-catalog/src/test/java/org/apache/iceberg/hive/HiveMetastoreExtension.java

@@ -49,7 +49,7 @@ public void beforeAll(ExtensionContext extensionContext) throws Exception {
       }
     }
 
-    metastore.start(hiveConfWithOverrides, 5, true);
+    metastore.start(hiveConfWithOverrides, 20, true);
     metastoreClient = new HiveMetaStoreClient(hiveConfWithOverrides);
     if (null != databaseName) {
       String dbPath = metastore.getDatabasePath(databaseName);

iceberg/iceberg-catalog/src/test/java/org/apache/iceberg/hive/TestHiveCatalogAccessControl.java

@@ -0,0 +1,176 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.iceberg.hive;
+
+import java.security.PrivilegedExceptionAction;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+import java.util.function.Consumer;
+import org.apache.hadoop.hive.metastore.conf.MetastoreConf.ConfVars;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.iceberg.CatalogProperties;
+import org.apache.iceberg.CatalogUtil;
+import org.apache.iceberg.Schema;
+import org.apache.iceberg.catalog.Namespace;
+import org.apache.iceberg.catalog.TableIdentifier;
+import org.apache.iceberg.exceptions.ForbiddenException;
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+public class TestHiveCatalogAccessControl {
+  @RegisterExtension
+  private static final HiveMetastoreExtension HIVE_METASTORE_EXTENSION = HiveMetastoreExtension.builder()
+      .withConfig(Map.of(
+          ConfVars.HIVE_AUTHORIZATION_MANAGER.getVarname(), HiveAuthorizerFactoryForTest.class.getName(),
+          ConfVars.PRE_EVENT_LISTENERS.getVarname(), HiveMetaStoreAuthorizer.class.getName()
+      )).build();
+
+  @AfterEach
+  public void afterEach() throws Exception {
+    HIVE_METASTORE_EXTENSION.metastore().reset();
+  }
+
+  @Test
+  public void testNamespace() throws Exception {
+    var namespace = Namespace.of("permission_test_db");
+    asAuthorized(catalog -> {
+      catalog.createNamespace(namespace, Collections.emptyMap());
+    });
+    asUnauthorized(catalog -> {
+      // Should HMS omit namespaces?
+      Assertions.assertThat(catalog.listNamespaces()).isEqualTo(List.of(Namespace.of("default"), namespace));
+      Assertions.assertThatThrownBy(() ->
+          catalog.namespaceExists(namespace)).isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() ->
+          catalog.loadNamespaceMetadata(namespace)).isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() ->
+          catalog.createNamespace(Namespace.of("new_db"))).isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() ->
+          catalog.dropNamespace(namespace)).isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() ->
+          catalog.setProperties(namespace, Collections.singletonMap("key", "value")))
+          .isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() ->
+          catalog.removeProperties(namespace, Collections.singleton("key"))).isInstanceOf(ForbiddenException.class);
+    });
+  }
+
+  @Test
+  public void testTable() throws Exception {
+    Namespace namespace = Namespace.of("permission_test_db");
+    TableIdentifier table = TableIdentifier.of(namespace, "permission_test_table");
+    asAuthorized(catalog -> {
+      catalog.createNamespace(namespace, Collections.emptyMap());
+      catalog.createTable(table, new Schema());
+    });
+    asUnauthorized(catalog -> {
+      // Should HMS omit namespaces?
+      Assertions.assertThat(catalog.listTables(namespace)).isEqualTo(Collections.singletonList(table));
+      Assertions.assertThatThrownBy(() ->
+          catalog.tableExists(table)).isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() ->
+          catalog.loadTable(table)).isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() ->
+          catalog.createTable(TableIdentifier.of(namespace, "new_tbl"), new Schema()))
+          .isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() ->
+          catalog.renameTable(table, TableIdentifier.of(namespace, "new_tbl"))).isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() ->
+          catalog.dropTable(table)).isInstanceOf(ForbiddenException.class);
+    });
+  }
+
+  @Test
+  public void testView() throws Exception {
+    Namespace namespace = Namespace.of("permission_test_db");
+    TableIdentifier view = TableIdentifier.of(namespace, "permission_test_view");
+    asAuthorized(catalog -> {
+      catalog.createNamespace(namespace, Collections.emptyMap());
+      catalog.buildView(view).withQuery("hive", "SELECT 1 AS id").withSchema(new Schema())
+          .withDefaultNamespace(namespace).create();
+    });
+    asUnauthorized(catalog -> {
+      // Should HMS omit namespaces?
+      Assertions.assertThat(catalog.listViews(namespace)).isEqualTo(Collections.singletonList(view));
+      Assertions.assertThatThrownBy(() ->
+          catalog.viewExists(view)).isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() ->
+          catalog.loadView(view)).isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() ->
+          catalog.buildView(TableIdentifier.of(namespace, "new_view")).withQuery("hive", "SELECT 1 AS id")
+              .withSchema(new Schema()).withDefaultNamespace(namespace).create())
+          .isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() ->
+          catalog.renameView(view, TableIdentifier.of(namespace, "new_view"))).isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() ->
+          catalog.dropView(view)).isInstanceOf(ForbiddenException.class);
+    });
+  }
+
+  @Test
+  public void testTransaction() throws Exception {
+    var namespace = Namespace.of("permission_test_db");
+    asAuthorized(catalog -> {
+      catalog.createNamespace(namespace, Collections.emptyMap());
+    });
+    asUnauthorized(catalog -> {
+      Assertions.assertThatThrownBy(() ->
+          catalog.newCreateTableTransaction(TableIdentifier.of(namespace, "new_table"), new Schema()))
+          .isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() ->
+              catalog.newReplaceTableTransaction(TableIdentifier.of(namespace, "new_table"), new Schema(), true))
+          .isInstanceOf(ForbiddenException.class);
+    });
+  }
+
+  private static void asAuthorized(Consumer<HiveCatalog> consumer) throws Exception {
+    withUser("authorized_user", consumer);
+  }
+
+  private static void asUnauthorized(Consumer<HiveCatalog> consumer) throws Exception {
+    withUser(HiveAuthorizerForTest.PERMISSION_TEST_USER, consumer);
+  }
+
+  private static void withUser(String username, Consumer<HiveCatalog> consumer) throws Exception {
+    var ugi = UserGroupInformation.createRemoteUser(username);
+    ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
+      try (HiveCatalog catalog = createCatalog()) {
+        consumer.accept(catalog);
+        return null;
+      }
+    });
+  }
+
+  private static HiveCatalog createCatalog() {
+    return (HiveCatalog)
+        CatalogUtil.loadCatalog(
+            HiveCatalog.class.getName(),
+            UUID.randomUUID().toString(),
+            Map.of(
+                CatalogProperties.CLIENT_POOL_CACHE_KEYS, "ugi"
+            ),
+            HIVE_METASTORE_EXTENSION.hiveConf());
+  }
+}