IMPALA-7345: Add the OWNER privilege
This patch adds the OWNER privilege to the set of privileges that can
exist for a role/user. The privilege is equivalent to ALL, but cannot
be granted or revoked. It is granted/revoked by Sentry, if configured,
during CREATE, DROP, or ALTER DATABASE/TABLE SET OWNER statements.
Testing:
- Updated authorization tests
- Ran core tests
Change-Id: If63c2faa6daea6deb6d771503fe50943ae070705
Reviewed-on: http://gerrit.cloudera.org:8080/11245
Reviewed-by: Impala Public Jenkins <impala-public-jenkins@cloudera.com>
Tested-by: Impala Public Jenkins <impala-public-jenkins@cloudera.com>
diff --git a/common/thrift/CatalogObjects.thrift b/common/thrift/CatalogObjects.thrift
index 29f54e4..cbd0ba1 100644
--- a/common/thrift/CatalogObjects.thrift
+++ b/common/thrift/CatalogObjects.thrift
@@ -518,7 +518,8 @@
REFRESH,
CREATE,
ALTER,
- DROP
+ DROP,
+ OWNER
}
// Represents a privilege in an authorization policy. Privileges contain the level
diff --git a/fe/src/main/java/org/apache/impala/authorization/Privilege.java b/fe/src/main/java/org/apache/impala/authorization/Privilege.java
index 0b1c2f8..877b6ad 100644
--- a/fe/src/main/java/org/apache/impala/authorization/Privilege.java
+++ b/fe/src/main/java/org/apache/impala/authorization/Privilege.java
@@ -64,7 +64,8 @@
ALTER.getCode() |
CREATE.getCode() |
DROP.getCode() |
- REFRESH.getCode());
+ REFRESH.getCode()),
+ OWNER("owner", ALL.getCode());
private final BitFieldAction bitFieldAction_;
diff --git a/fe/src/test/java/org/apache/impala/analysis/AuthorizationStmtTest.java b/fe/src/test/java/org/apache/impala/analysis/AuthorizationStmtTest.java
index abfff91..7e10eee 100644
--- a/fe/src/test/java/org/apache/impala/analysis/AuthorizationStmtTest.java
+++ b/fe/src/test/java/org/apache/impala/analysis/AuthorizationStmtTest.java
@@ -347,57 +347,72 @@
authorize("select id from functional.alltypes"),
// With clause with select.
authorize("with t as (select id from functional.alltypes) select * from t")}) {
- authzTest.ok(onServer(TPrivilegeLevel.ALL))
+ authzTest
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.SELECT))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.SELECT))
.ok(onColumn("functional", "alltypes", "id", TPrivilegeLevel.SELECT))
.error(selectError("functional.alltypes"))
.error(selectError("functional.alltypes"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes"), onTable("functional",
- "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)));
+ "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)));
}
// Select without referencing a column.
authorize("select 1 from functional.alltypes")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.SELECT))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.SELECT))
.error(selectError("functional.alltypes"))
.error(selectError("functional.alltypes"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes"), onTable("functional", "alltypes",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)));
// Select a specific column on a view.
// Column-level privileges on views are not currently supported.
authorize("select id from functional.alltypes_view")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.SELECT))
.ok(onTable("functional", "alltypes_view", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes_view", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes_view", TPrivilegeLevel.SELECT))
.error(selectError("functional.alltypes_view"))
.error(selectError("functional.alltypes_view"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes_view"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes_view"), onTable("functional",
- "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)));
+ "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)));
// Constant select.
authorize("select 1").ok();
@@ -406,51 +421,68 @@
authorize("select a.id from functional.view_view a " +
"join functional.alltypesagg b ON (a.id = b.id)")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.SELECT))
.ok(onTable("functional", "view_view", TPrivilegeLevel.ALL),
onTable("functional", "alltypesagg", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "view_view", TPrivilegeLevel.OWNER),
+ onTable("functional", "alltypesagg", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "view_view", TPrivilegeLevel.ALL),
onTable("functional", "alltypesagg", TPrivilegeLevel.SELECT))
+ .ok(onTable("functional", "view_view", TPrivilegeLevel.OWNER),
+ onTable("functional", "alltypesagg", TPrivilegeLevel.SELECT))
.ok(onTable("functional", "view_view", TPrivilegeLevel.SELECT),
onTable("functional", "alltypesagg", TPrivilegeLevel.ALL))
.ok(onTable("functional", "view_view", TPrivilegeLevel.SELECT),
+ onTable("functional", "alltypesagg", TPrivilegeLevel.OWNER))
+ .ok(onTable("functional", "view_view", TPrivilegeLevel.SELECT),
onTable("functional", "alltypesagg", TPrivilegeLevel.SELECT))
.error(selectError("functional.view_view"))
.error(selectError("functional.view_view"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT)))
.error(selectError("functional.view_view"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)))
.error(selectError("functional.view_view"), onTable("functional", "view_view",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)), onTable("functional",
- "alltypesagg", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)), onTable("functional", "alltypesagg",
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)));
// Tests authorization after a statement has been rewritten (IMPALA-3915).
authorize("select * from functional_seq_snap.subquery_view")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.SELECT))
.ok(onDatabase("functional_seq_snap", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional_seq_snap", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional_seq_snap", TPrivilegeLevel.SELECT))
.ok(onTable("functional_seq_snap", "subquery_view", TPrivilegeLevel.ALL))
+ .ok(onTable("functional_seq_snap", "subquery_view", TPrivilegeLevel.OWNER))
.ok(onTable("functional_seq_snap", "subquery_view", TPrivilegeLevel.SELECT))
.error(selectError("functional_seq_snap.subquery_view"))
.error(selectError("functional_seq_snap.subquery_view"), onServer(
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
- .error(selectError("functional_seq_snap.subquery_view"),
- onDatabase("functional_seq_snap", allExcept(TPrivilegeLevel.ALL,
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
TPrivilegeLevel.SELECT)))
.error(selectError("functional_seq_snap.subquery_view"),
+ onDatabase("functional_seq_snap", allExcept(TPrivilegeLevel.ALL,
+ TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT)))
+ .error(selectError("functional_seq_snap.subquery_view"),
onTable("functional_seq_snap", "subquery_view", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT)));
// Select a UDF.
ScalarFunction fn = addFunction("functional", "f");
try {
authorize("select functional.f()")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(viewMetadataPrivileges()))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", viewMetadataPrivileges()))
.error(accessError("functional"))
.error(accessError("functional"), onServer(allExcept(
@@ -472,75 +504,96 @@
// Select with inline view.
authorize("select a.* from (select * from functional.alltypes) a")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.SELECT))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.SELECT))
.ok(onColumn("functional", "alltypes", ALLTYPES_COLUMNS, TPrivilegeLevel.SELECT))
.error(selectError("functional.alltypes"))
.error(selectError("functional.alltypes"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes"), onTable("functional", "alltypes",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)));
// Select with columns referenced in function, where clause and group by.
authorize("select count(id), int_col from functional.alltypes where id = 10 " +
"group by id, int_col")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.SELECT))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.SELECT))
.ok(onColumn("functional", "alltypes", new String[]{"id", "int_col"},
TPrivilegeLevel.SELECT))
.error(selectError("functional.alltypes"))
.error(selectError("functional.alltypes"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes"), onTable("functional", "alltypes",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)));
// Select on tables with complex types.
authorize("select a.int_struct_col.f1 from functional.allcomplextypes a " +
"where a.id = 1")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.SELECT))
.ok(onTable("functional", "allcomplextypes", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "allcomplextypes", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "allcomplextypes", TPrivilegeLevel.SELECT))
.ok(onColumn("functional", "allcomplextypes",
new String[]{"id", "int_struct_col"}, TPrivilegeLevel.SELECT))
.error(selectError("functional.allcomplextypes"))
.error(selectError("functional.allcomplextypes"), onServer(
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)))
.error(selectError("functional.allcomplextypes"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)))
.error(selectError("functional.allcomplextypes"), onTable("functional",
- "allcomplextypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)));
+ "allcomplextypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)));
authorize("select key, pos, item.f1, f2 from functional.allcomplextypes t, " +
"t.struct_array_col, functional.allcomplextypes.int_map_col")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.SELECT))
.ok(onTable("functional", "allcomplextypes", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "allcomplextypes", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "allcomplextypes", TPrivilegeLevel.SELECT))
.ok(onColumn("functional", "allcomplextypes",
new String[]{"struct_array_col", "int_map_col"}, TPrivilegeLevel.SELECT))
.error(selectError("functional.allcomplextypes"))
.error(selectError("functional.allcomplextypes"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT)))
.error(selectError("functional.allcomplextypes"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)))
.error(selectError("functional.allcomplextypes"), onTable("functional",
- "allcomplextypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)));
+ "allcomplextypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)));
for (AuthzTest authzTest: new AuthzTest[]{
// Select with cross join.
@@ -550,15 +603,23 @@
authorize("select * from functional.alltypes a cross join " +
"functional.alltypessmall b")}) {
authzTest.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.SELECT))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL),
onTable("functional", "alltypessmall", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER),
+ onTable("functional", "alltypessmall", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.SELECT),
onTable("functional", "alltypessmall", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.SELECT),
+ onTable("functional", "alltypessmall", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL),
onTable("functional", "alltypessmall", TPrivilegeLevel.SELECT))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER),
+ onTable("functional", "alltypessmall", TPrivilegeLevel.SELECT))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.SELECT),
onTable("functional", "alltypessmall", TPrivilegeLevel.SELECT))
.ok(onColumn("functional", "alltypes", ALLTYPES_COLUMNS,
@@ -566,12 +627,15 @@
ALLTYPES_COLUMNS, TPrivilegeLevel.SELECT))
.error(selectError("functional.alltypes"))
.error(selectError("functional.alltypes"), onServer(
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes"), onTable("functional", "alltypes",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)),
- onTable("functional", "alltypessmall", allExcept(TPrivilegeLevel.ALL,
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)), onTable("functional", "alltypessmall",
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypessmall"), onColumn("functional",
"alltypes", ALLTYPES_COLUMNS, TPrivilegeLevel.SELECT))
@@ -584,23 +648,30 @@
authorize("select id from functional.alltypes_view union all " +
"select x from functional.alltypes_view_sub")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.SELECT))
.ok(onTable("functional", "alltypes_view", TPrivilegeLevel.ALL),
onTable("functional", "alltypes_view_sub", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes_view", TPrivilegeLevel.OWNER),
+ onTable("functional", "alltypes_view_sub", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes_view", TPrivilegeLevel.SELECT),
onTable("functional", "alltypes_view_sub", TPrivilegeLevel.SELECT))
.error(selectError("functional.alltypes_view"))
.error(selectError("functional.alltypes_view"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes_view"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes_view"), onTable("functional",
- "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)),
+ "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)),
onTable("functional", "alltypes_view_sub", TPrivilegeLevel.SELECT))
.error(selectError("functional.alltypes_view_sub"), onTable("functional",
- "alltypes_view_sub", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)),
+ "alltypes_view_sub", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)),
onTable("functional", "alltypes_view", TPrivilegeLevel.SELECT));
// Union from non-existent databases.
@@ -620,18 +691,23 @@
// Explain insert.
authorize("explain insert into functional.zipcode_incomes(id) values('123')")}) {
test.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.INSERT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.INSERT))
.ok(onTable("functional", "zipcode_incomes", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "zipcode_incomes", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "zipcode_incomes", TPrivilegeLevel.INSERT))
.error(insertError("functional.zipcode_incomes"))
.error(insertError("functional.zipcode_incomes"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.INSERT)))
.error(insertError("functional.zipcode_incomes"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT)))
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.INSERT)))
.error(insertError("functional.zipcode_incomes"), onTable("functional",
- "zipcode_incomes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT)));
+ "zipcode_incomes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.INSERT)));
}
for (AuthzTest test: new AuthzTest[]{
@@ -643,11 +719,15 @@
authorize("insert into functional.alltypes partition(month, year) " +
"select * from functional.alltypestiny where id < 100")}) {
test.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL),
onTable("functional", "alltypestiny", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER),
+ onTable("functional", "alltypestiny", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.INSERT),
onTable("functional", "alltypestiny", TPrivilegeLevel.SELECT))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.INSERT),
@@ -655,16 +735,19 @@
TPrivilegeLevel.SELECT))
.error(selectError("functional.alltypestiny"))
.error(selectError("functional.alltypestiny"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)))
- .error(selectError("functional.alltypestiny"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT,
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.INSERT,
TPrivilegeLevel.SELECT)))
+ .error(selectError("functional.alltypestiny"), onDatabase("functional",
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)))
.error(insertError("functional.alltypes"), onTable("functional",
"alltypestiny", TPrivilegeLevel.SELECT), onTable("functional",
- "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT)))
+ "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.INSERT)))
.error(selectError("functional.alltypestiny"), onTable("functional",
- "alltypestiny", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)),
- onTable("functional", "alltypes", TPrivilegeLevel.INSERT));
+ "alltypestiny", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)), onTable("functional", "alltypes",
+ TPrivilegeLevel.INSERT));
}
// Insert with select on a target view.
@@ -672,24 +755,31 @@
authorize("insert into functional.alltypes partition(month, year) " +
"select * from functional.alltypes_view where id < 100")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL),
onTable("functional", "alltypes_view", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER),
+ onTable("functional", "alltypes_view", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.INSERT),
onTable("functional", "alltypes_view", TPrivilegeLevel.SELECT))
.error(selectError("functional.alltypes_view"))
.error(selectError("functional.alltypes_view"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.INSERT,
+ TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes_view"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT,
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.INSERT,
TPrivilegeLevel.SELECT)))
.error(insertError("functional.alltypes"), onTable("functional",
"alltypes_view", TPrivilegeLevel.SELECT), onTable("functional",
- "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT)))
+ "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.INSERT)))
.error(selectError("functional.alltypes_view"), onTable("functional",
- "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)),
+ "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)),
onTable("functional", "alltypes", TPrivilegeLevel.INSERT));
// Insert with inline view.
@@ -697,31 +787,41 @@
"select b.* from functional.alltypesagg a join (select * from " +
"functional.alltypestiny) b on (a.int_col = b.int_col)")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL),
onTable("functional", "alltypesagg", TPrivilegeLevel.ALL),
onTable("functional", "alltypestiny", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER),
+ onTable("functional", "alltypesagg", TPrivilegeLevel.OWNER),
+ onTable("functional", "alltypestiny", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.INSERT),
onTable("functional", "alltypesagg", TPrivilegeLevel.SELECT),
onTable("functional", "alltypestiny", TPrivilegeLevel.SELECT))
.error(selectError("functional.alltypesagg"))
.error(selectError("functional.alltypesagg"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.INSERT,
+ TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypesagg"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.INSERT,
+ TPrivilegeLevel.SELECT)))
.error(insertError("functional.alltypes"), onTable("functional",
"alltypesagg", TPrivilegeLevel.SELECT), onTable("functional",
"alltypestiny", TPrivilegeLevel.SELECT), onTable("functional",
- "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT)))
+ "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.INSERT)))
.error(selectError("functional.alltypesagg"), onTable("functional",
- "alltypesagg", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)),
+ "alltypesagg", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)),
onTable("functional", "alltypestiny", TPrivilegeLevel.SELECT),
onTable("functional", "alltypes", TPrivilegeLevel.INSERT))
.error(selectError("functional.alltypestiny"), onTable("functional",
"alltypesagg", TPrivilegeLevel.SELECT), onTable("functional",
- "alltypestiny", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)),
+ "alltypestiny", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)),
onTable("functional", "alltypes", TPrivilegeLevel.INSERT));
// Inserting into a view is not allowed.
@@ -763,18 +863,22 @@
// Truncate a table.
authorize("truncate table functional.alltypes")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.INSERT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.INSERT))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.INSERT))
.error(insertError("functional.alltypes"))
.error(insertError("functional.alltypes"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.INSERT)))
.error(insertError("functional.alltypes"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.INSERT)))
.error(insertError("functional.alltypes"), onTable("functional", "alltypes",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.INSERT)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.INSERT)));
// Truncate a non-existent database.
authorize("truncate table nodb.alltypes")
@@ -795,18 +899,31 @@
authorize("load data inpath 'hdfs://localhost:20500/test-warehouse/tpch.lineitem' " +
"into table functional.alltypes partition(month=10, year=2009)")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALL),
onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem",
TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER),
+ onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem",
+ TPrivilegeLevel.OWNER))
+ .ok(onDatabase("functional", TPrivilegeLevel.INSERT),
+ onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem",
+ TPrivilegeLevel.ALL))
.ok(onDatabase("functional", TPrivilegeLevel.INSERT),
onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem",
- TPrivilegeLevel.ALL))
+ TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL),
onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem",
TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER),
+ onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem",
+ TPrivilegeLevel.OWNER))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.INSERT),
+ onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem",
+ TPrivilegeLevel.ALL))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.INSERT),
onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem",
- TPrivilegeLevel.ALL))
+ TPrivilegeLevel.OWNER))
.error(insertError("functional.alltypes"))
.error(accessError("hdfs://localhost:20500/test-warehouse/tpch.lineitem"),
onDatabase("functional", TPrivilegeLevel.INSERT))
@@ -814,7 +931,10 @@
onTable("functional", "alltypes", TPrivilegeLevel.INSERT))
.error(insertError("functional.alltypes"),
onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem",
- TPrivilegeLevel.ALL));
+ TPrivilegeLevel.ALL))
+ .error(insertError("functional.alltypes"),
+ onUri("hdfs://localhost:20500/test-warehouse/tpch.lineitem",
+ TPrivilegeLevel.OWNER));
// Load from non-existent URI.
authorize("load data inpath 'hdfs://localhost:20500/test-warehouse/nouri' " +
@@ -830,14 +950,18 @@
"into table nodb.alltypes partition(month=10, year=2009)")
.error(insertError("nodb.alltypes"))
.error(insertError("nodb.alltypes"), onUri(
- "hdfs://localhost:20500/test-warehouse/tpch.nouri", TPrivilegeLevel.ALL));
+ "hdfs://localhost:20500/test-warehouse/tpch.nouri", TPrivilegeLevel.ALL))
+ .error(insertError("nodb.alltypes"), onUri(
+ "hdfs://localhost:20500/test-warehouse/tpch.nouri", TPrivilegeLevel.OWNER));
// Load into non-existent table.
authorize("load data inpath 'hdfs://localhost:20500/test-warehouse/tpch.lineitem' " +
"into table functional.notbl partition(month=10, year=2009)")
.error(insertError("functional.notbl"))
.error(insertError("functional.notbl"), onUri(
- "hdfs://localhost:20500/test-warehouse/tpch.nouri", TPrivilegeLevel.ALL));
+ "hdfs://localhost:20500/test-warehouse/tpch.nouri", TPrivilegeLevel.ALL))
+ .error(insertError("functional.notbl"), onUri(
+ "hdfs://localhost:20500/test-warehouse/tpch.nouri", TPrivilegeLevel.OWNER));
// Load into a view is not supported.
authorize("load data inpath 'hdfs://localhost:20500/test-warehouse/tpch.lineitem' " +
@@ -850,6 +974,7 @@
// Invalidate metadata on server.
authorize("invalidate metadata")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.REFRESH))
.error(refreshError("server"));
@@ -859,28 +984,33 @@
authorize("invalidate metadata functional." + name),
authorize("refresh functional." + name)}) {
test.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.REFRESH))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.REFRESH))
.ok(onTable("functional", name, TPrivilegeLevel.ALL))
+ .ok(onTable("functional", name, TPrivilegeLevel.OWNER))
.ok(onTable("functional", name, TPrivilegeLevel.REFRESH))
.error(refreshError("functional." + name))
.error(refreshError("functional." + name), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.REFRESH)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.REFRESH)))
.error(refreshError("functional." + name), onTable("functional", name,
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.REFRESH)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.REFRESH)));
}
}
authorize("refresh functions functional")
.ok(onServer(TPrivilegeLevel.REFRESH))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.REFRESH))
.error(refreshError("functional"))
.error(refreshError("functional"), onServer(allExcept(TPrivilegeLevel.ALL,
- TPrivilegeLevel.REFRESH)))
+ TPrivilegeLevel.OWNER, TPrivilegeLevel.REFRESH)))
.error(refreshError("functional"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.REFRESH)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.REFRESH)));
// Reset metadata in non-existent database.
authorize("invalidate metadata nodb").error(refreshError("default.nodb"));
@@ -1187,69 +1317,81 @@
// Compute stats.
authorize("compute stats functional.alltypes")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALTER,
TPrivilegeLevel.SELECT))
.error(alterError("functional.alltypes"))
.error(alterError("functional.alltypes"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER,
+ TPrivilegeLevel.SELECT)))
.error(alterError("functional.alltypes"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER,
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER,
TPrivilegeLevel.SELECT)))
.error(alterError("functional.alltypes"), onTable("functional", "alltypes",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER,
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER,
TPrivilegeLevel.SELECT)));
// Compute stats on database that does not exist.
authorize("compute stats nodb.notbl")
.error(alterError("nodb.notbl"))
.error(alterError("nodb.notbl"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER,
+ TPrivilegeLevel.SELECT)))
.error(alterError("nodb.notbl"), onDatabase("nodb", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER,
+ TPrivilegeLevel.SELECT)));
// Compute stats on table that does not exist.
authorize("compute stats functional.notbl")
.error(alterError("functional.notbl"))
.error(alterError("functional.notbl"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER,
+ TPrivilegeLevel.SELECT)))
.error(alterError("functional.notbl"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER,
+ TPrivilegeLevel.SELECT)));
// Drop stats.
authorize("drop stats functional.alltypes")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.ALTER))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALTER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALTER))
.error(alterError("functional.alltypes"))
.error(alterError("functional.alltypes"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional.alltypes"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional.alltypes"), onTable("functional", "alltypes",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.ALTER)));
// Drop stats on database that does not exist.
authorize("drop stats nodb.notbl")
.error(alterError("nodb.notbl"))
.error(alterError("nodb.notbl"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("nodb.notbl"), onDatabase("nodb", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)));
// Drop stats on table that does not exist.
authorize("drop stats functional.notbl")
.error(alterError("functional.notbl"))
.error(alterError("functional.notbl"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional.notbl"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)));
}
@Test
@@ -1258,22 +1400,29 @@
authorize("create database newdb"),
authorize("create database if not exists newdb")}) {
test.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.CREATE))
.error(createError("newdb"))
.error(createError("newdb"), onServer(allExcept(TPrivilegeLevel.ALL,
- TPrivilegeLevel.CREATE)));
+ TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)));
}
// Create a database with a specific location.
authorize("create database newdb location " +
"'hdfs://localhost:20500/test-warehouse/new_location'")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.CREATE), onUri(
"hdfs://localhost:20500/test-warehouse/new_location", TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.CREATE), onUri(
+ "hdfs://localhost:20500/test-warehouse/new_location", TPrivilegeLevel.OWNER))
.error(createError("newdb"))
.error(createError("newdb"), onServer(allExcept(TPrivilegeLevel.ALL,
- TPrivilegeLevel.CREATE)), onUri(
+ TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onUri(
"hdfs://localhost:20500/test-warehouse/new_location", TPrivilegeLevel.ALL))
+ .error(createError("newdb"), onServer(allExcept(TPrivilegeLevel.ALL,
+ TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onUri(
+ "hdfs://localhost:20500/test-warehouse/new_location", TPrivilegeLevel.OWNER))
.error(accessError("hdfs://localhost:20500/test-warehouse/new_location"),
onServer(TPrivilegeLevel.CREATE));
@@ -1283,11 +1432,12 @@
authorize("create database if not exists functional")}) {
test.error(createError("functional"))
.error(createError("functional"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)));
}
authorize("create database if not exists _impala_builtins")
- .error(systemDbError(), onServer(TPrivilegeLevel.ALL));
+ .error(systemDbError(), onServer(TPrivilegeLevel.ALL))
+ .error(systemDbError(), onServer(TPrivilegeLevel.OWNER));
}
@Test
@@ -1296,20 +1446,24 @@
authorize("create table functional.new_table(i int)"),
authorize("create external table functional.new_table(i int)")}) {
test.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.CREATE))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.CREATE))
.error(createError("functional"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)))
.error(createError("functional"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)));
}
// Create table like.
authorize("create table functional.new_table like functional.alltypes")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(join(viewMetadataPrivileges(), TPrivilegeLevel.CREATE)))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", join(viewMetadataPrivileges(),
TPrivilegeLevel.CREATE)))
.ok(onDatabase("functional"), onDatabase("functional", TPrivilegeLevel.CREATE),
@@ -1318,9 +1472,10 @@
.error(accessError("functional.alltypes"), onServer(allExcept(
join(viewMetadataPrivileges(), TPrivilegeLevel.CREATE))))
.error(createError("functional"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE,
+ TPrivilegeLevel.SELECT)))
.error(createError("functional"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)), onTable(
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onTable(
"functional", "alltypes", viewMetadataPrivileges()))
.error(accessError("functional.alltypes"), onDatabase("functional",
TPrivilegeLevel.CREATE), onTable("functional", "alltypes", allExcept(
@@ -1332,9 +1487,9 @@
authorize("create table if not exists functional.alltypes(i int)")}) {
test.error(createError("functional"))
.error(createError("functional"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)))
.error(createError("functional"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)));
}
// CTAS.
@@ -1345,9 +1500,11 @@
authorize("explain create table functional.new_table as " +
"select int_col from functional.alltypes")}) {
test.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT,
TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT,
TPrivilegeLevel.SELECT))
.ok(onDatabase("functional"), onDatabase("functional", TPrivilegeLevel.CREATE,
@@ -1356,32 +1513,44 @@
.ok(onDatabase("functional"), onDatabase("functional", TPrivilegeLevel.CREATE,
TPrivilegeLevel.INSERT), onColumn("functional", "alltypes", "int_col",
TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional"), onDatabase("functional", TPrivilegeLevel.CREATE,
+ TPrivilegeLevel.INSERT), onColumn("functional", "alltypes", "int_col",
+ TPrivilegeLevel.OWNER))
.error(createError("functional"))
.error(createError("functional"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT,
- TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE,
+ TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)))
.error(createError("functional"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT,
- TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE,
+ TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)))
.error(createError("functional"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT)),
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE,
+ TPrivilegeLevel.INSERT)),
onTable("functional", "alltypes", TPrivilegeLevel.SELECT))
.error(selectError("functional"), onDatabase("functional",
TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT), onTable("functional",
- "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)));
+ "alltypes", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)));
}
// Table with a specific location.
authorize("create table functional.new_table(i int) location " +
"'hdfs://localhost:20500/test-warehouse/new_table'")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.CREATE),
onUri("hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.CREATE),
+ onUri("hdfs://localhost:20500/test-warehouse/new_table",
+ TPrivilegeLevel.OWNER))
.error(createError("functional"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)))
.error(createError("functional"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)), onUri(
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onUri(
"hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.ALL))
+ .error(createError("functional"), onDatabase("functional", allExcept(
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onUri(
+ "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.OWNER))
.error(accessError("hdfs://localhost:20500/test-warehouse/new_table"),
onDatabase("functional", TPrivilegeLevel.CREATE));
@@ -1389,65 +1558,93 @@
authorize("create external table functional.new_table(i int) location " +
"'hdfs://localhost:20500/test-warehouse/UPPER_CASE/test'")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.CREATE),
onUri("hdfs://localhost:20500/test-warehouse/UPPER_CASE/test",
TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.CREATE),
+ onUri("hdfs://localhost:20500/test-warehouse/UPPER_CASE/test",
+ TPrivilegeLevel.OWNER))
// Wrong case letters on URI.
.error(accessError("hdfs://localhost:20500/test-warehouse/UPPER_CASE/test"),
onServer(TPrivilegeLevel.CREATE),
onUri("hdfs://localhost:20500/test-warehouse/upper_case/test",
TPrivilegeLevel.ALL))
+ .error(accessError("hdfs://localhost:20500/test-warehouse/UPPER_CASE/test"),
+ onServer(TPrivilegeLevel.CREATE),
+ onUri("hdfs://localhost:20500/test-warehouse/upper_case/test",
+ TPrivilegeLevel.OWNER))
.error(createError("functional"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)))
.error(createError("functional"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)), onUri(
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onUri(
"hdfs://localhost:20500/test-warehouse/UPPER_CASE/test", TPrivilegeLevel.ALL))
+ .error(createError("functional"), onDatabase("functional", allExcept(
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onUri(
+ "hdfs://localhost:20500/test-warehouse/UPPER_CASE/test",
+ TPrivilegeLevel.OWNER))
.error(accessError("hdfs://localhost:20500/test-warehouse/UPPER_CASE/test"),
onDatabase("functional", TPrivilegeLevel.CREATE));
authorize("create table functional.new_table like parquet "
+ "'hdfs://localhost:20500/test-warehouse/schemas/alltypestiny.parquet'")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.CREATE),
onUri("hdfs://localhost:20500/test-warehouse/schemas/alltypestiny.parquet",
TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.CREATE),
+ onUri("hdfs://localhost:20500/test-warehouse/schemas/alltypestiny.parquet",
+ TPrivilegeLevel.OWNER))
.error(accessError(
"hdfs://localhost:20500/test-warehouse/schemas/alltypestiny.parquet"),
- onServer(allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)))
+ onServer(allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.CREATE)))
.error(createError("functional"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)), onUri(
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onUri(
"hdfs://localhost:20500/test-warehouse/schemas/alltypestiny.parquet",
TPrivilegeLevel.ALL))
+ .error(createError("functional"), onDatabase("functional", allExcept(
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)), onUri(
+ "hdfs://localhost:20500/test-warehouse/schemas/alltypestiny.parquet",
+ TPrivilegeLevel.OWNER))
.error(accessError(
"hdfs://localhost:20500/test-warehouse/schemas/alltypestiny.parquet"),
onDatabase("functional", TPrivilegeLevel.CREATE));
authorize("create table if not exists _impala_builtins.new_table(i int)")
- .error(systemDbError(), onServer(TPrivilegeLevel.ALL));
+ .error(systemDbError(), onServer(TPrivilegeLevel.ALL))
+ .error(systemDbError(), onServer(TPrivilegeLevel.OWNER));
- // IMPALA-4000: Only users with ALL privileges on SERVER may create external Kudu
- // tables.
+ // IMPALA-4000: Only users with ALL/OWNER privileges on SERVER may create external
+ // Kudu tables.
authorize("create external table functional.kudu_tbl stored as kudu " +
"tblproperties ('kudu.master_addresses'='127.0.0.1', 'kudu.table_name'='tbl')")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.error(createError("functional"))
- .error(accessError("server1"), onServer(allExcept(TPrivilegeLevel.ALL)))
- .error(accessError("server1"), onDatabase("functional", TPrivilegeLevel.ALL));
+ .error(accessError("server1"), onServer(allExcept(TPrivilegeLevel.ALL,
+ TPrivilegeLevel.OWNER)))
+ .error(accessError("server1"), onDatabase("functional", TPrivilegeLevel.ALL))
+ .error(accessError("server1"), onDatabase("functional", TPrivilegeLevel.OWNER));
- // IMPALA-4000: ALL privileges on SERVER are not required to create managed tables.
+ // IMPALA-4000: ALL/OWNER privileges on SERVER are not required to create managed
+ // tables.
authorize("create table functional.kudu_tbl (i int, j int, primary key (i))" +
" partition by hash (i) partitions 9 stored as kudu")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.CREATE))
.error(createError("functional"))
.error(createError("functional"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)))
.error(createError("functional"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)));
// IMPALA-6451: CTAS for Kudu tables on non-external tables and without
- // TBLPROPERTIES ('kudu.master_addresses') should not require ALL privileges
+ // TBLPROPERTIES ('kudu.master_addresses') should not require ALL/OWNER privileges
// on SERVER.
// The statement below causes the SQL statement to be rewritten.
authorize("create table functional.kudu_tbl primary key (bigint_col) " +
@@ -1456,22 +1653,24 @@
"from functional.alltypes " +
"where exists (select 1 from functional.alltypes)")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT,
TPrivilegeLevel.SELECT))
.error(createError("functional"))
.error(createError("functional"), onServer(allExcept(TPrivilegeLevel.ALL,
- TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT,
+ TPrivilegeLevel.SELECT)))
.error(createError("functional"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE, TPrivilegeLevel.INSERT,
- TPrivilegeLevel.SELECT)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE,
+ TPrivilegeLevel.INSERT, TPrivilegeLevel.SELECT)));
// Database does not exist.
authorize("create table nodb.new_table(i int)")
.error(createError("nodb"))
.error(createError("nodb"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)))
.error(createError("nodb"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)));
}
@Test
@@ -1482,35 +1681,44 @@
authorize("create view functional.new_view(a) as " +
"select int_col from functional.alltypes")}) {
test.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.CREATE, TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.CREATE, TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.CREATE), onTable(
"functional", "alltypes", TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.CREATE), onColumn(
"functional", "alltypes", "int_col", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.CREATE), onColumn(
+ "functional", "alltypes", "int_col", TPrivilegeLevel.OWNER))
.error(selectError("functional.alltypes"))
.error(selectError("functional.alltypes"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE,
+ TPrivilegeLevel.SELECT)))
.error(createError("functional"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)))
.error(selectError("functional.alltypes"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes"), onTable("functional", "alltypes",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)));
}
// View with constant select.
authorize("create view functional.new_view as select 1")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.CREATE))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.CREATE))
.error(createError("functional"))
.error(createError("functional"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE,
+ TPrivilegeLevel.SELECT)))
.error(createError("functional"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)));
// View already exists.
for (AuthzTest test: new AuthzTest[]{
@@ -1520,25 +1728,28 @@
"select int_col from functional.alltypes")}) {
test.error(selectError("functional.alltypes"))
.error(selectError("functional.alltypes"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE,
+ TPrivilegeLevel.SELECT)))
.error(createError("functional"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)))
.error(selectError("functional.alltypes"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes"), onTable("functional", "alltypes",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)));
}
authorize("create view if not exists _impala_builtins.new_view as select 1")
- .error(systemDbError(), onServer(TPrivilegeLevel.ALL));
+ .error(systemDbError(), onServer(TPrivilegeLevel.ALL))
+ .error(systemDbError(), onServer(TPrivilegeLevel.OWNER));
// Database does not exist.
authorize("create view nodb.new_view as select 1")
.error(createError("nodb"))
.error(createError("nodb"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)))
.error(createError("nodb"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.CREATE)));
}
@Test
@@ -1548,14 +1759,17 @@
authorize("drop database functional cascade"),
authorize("drop database functional restrict")}) {
test.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.DROP))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.DROP))
.error(dropError("functional"))
.error(dropError("functional"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)))
.error(dropError("functional"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.DROP)));
}
// Database does not exist.
@@ -1565,7 +1779,8 @@
authorize("drop database nodb restrict")}) {
test.error(dropError("nodb"))
.error(dropError("nodb"), onServer(
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.DROP)));
}
// Database does not exist but with if exists clause.
@@ -1574,117 +1789,132 @@
authorize("drop database if exists nodb cascade"),
authorize("drop database if exists nodb restrict")}) {
test.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.DROP))
.error(dropError("nodb"))
.error(dropError("nodb"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)));
}
- // Dropping system database is not allowed even if with ALL privilege on server.
+ // Dropping system database is not allowed even if with ALL/OWNER privilege on server.
authorize("drop database _impala_builtins")
- .error(systemDbError(), onServer(TPrivilegeLevel.ALL));
+ .error(systemDbError(), onServer(TPrivilegeLevel.ALL))
+ .error(systemDbError(), onServer(TPrivilegeLevel.OWNER));
}
@Test
public void testDropTable() throws ImpalaException {
authorize("drop table functional.alltypes")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.DROP))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.DROP))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.DROP))
.error(dropError("functional.alltypes"))
.error(dropError("functional.alltypes"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)))
.error(dropError("functional.alltypes"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)))
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)))
.error(dropError("functional.alltypes"), onTable("functional", "alltypes",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)));
// Database/Table does not exist.
authorize("drop table nodb.notbl")
.error(dropError("nodb.notbl"))
.error(dropError("nodb.notbl"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)))
.error(dropError("nodb.notbl"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)));
// Table does not exist.
authorize("drop table functional.notbl")
.error(dropError("functional.notbl"))
.error(dropError("functional.notbl"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)))
.error(dropError("functional.notbl"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)));
// Table does not exist but with if exists clause.
authorize("drop table if exists functional.notbl")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.DROP))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.DROP))
.error(dropError("functional.notbl"))
.error(dropError("functional.notbl"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)))
.error(dropError("functional.notbl"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)));
- // Dropping any tables in the system database is not allowed even with ALL privilege
- // on server.
+ // Dropping any tables in the system database is not allowed even with ALL/OWNER
+ // privilege on server.
authorize("drop table _impala_builtins.tbl")
- .error(systemDbError(), onServer(TPrivilegeLevel.ALL));
+ .error(systemDbError(), onServer(TPrivilegeLevel.ALL))
+ .error(systemDbError(), onServer(TPrivilegeLevel.OWNER));
}
@Test
public void testDropView() throws ImpalaException {
authorize("drop view functional.alltypes_view")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.DROP))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.DROP))
.ok(onTable("functional", "alltypes_view", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes_view", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes_view", TPrivilegeLevel.DROP))
.error(dropError("functional.alltypes_view"))
.error(dropError("functional.alltypes_view"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)))
.error(dropError("functional.alltypes_view"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)))
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)))
.error(dropError("functional.alltypes_view"), onTable("functional",
- "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)));
+ "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.DROP)));
// Database does not exist.
authorize("drop view nodb.noview")
.error(dropError("nodb.noview"))
.error(dropError("nodb.noview"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)))
.error(dropError("nodb.noview"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)));
// View does not exist.
authorize("drop table functional.noview")
.error(dropError("functional.noview"))
.error(dropError("functional.noview"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)))
.error(dropError("functional.noview"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)));
// View does not exist but with if exists clause.
authorize("drop table if exists functional.noview")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.DROP))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.DROP))
.error(dropError("functional.noview"))
.error(dropError("functional.noview"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)))
.error(dropError("functional.noview"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)));
- // Dropping any views in the system database is not allowed even with ALL privilege
- // on server.
+ // Dropping any views in the system database is not allowed even with ALL/OWNER
+ // privilege on server.
authorize("drop table _impala_builtins.v")
- .error(systemDbError(), onServer(TPrivilegeLevel.ALL));
+ .error(systemDbError(), onServer(TPrivilegeLevel.ALL))
+ .error(systemDbError(), onServer(TPrivilegeLevel.OWNER));
}
@Test
@@ -1715,37 +1945,45 @@
authorize("alter table functional.alltypes set owner user foo_owner"),
authorize("alter table functional.alltypes set owner role foo_owner")}) {
test.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.ALTER))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALTER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALTER))
.error(alterError("functional.alltypes"))
.error(alterError("functional.alltypes"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional.alltypes"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional.alltypes"), onTable("functional", "alltypes",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.ALTER)));
}
// Alter table rename.
authorize("alter table functional.alltypes rename to functional.new_table")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.ALTER, TPrivilegeLevel.CREATE))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALTER, TPrivilegeLevel.CREATE))
.ok(onDatabase("functional", TPrivilegeLevel.CREATE), onTable("functional",
"alltypes", TPrivilegeLevel.ALTER))
.error(alterError("functional.alltypes"))
.error(alterError("functional.alltypes"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilegeLevel.CREATE)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER,
+ TPrivilegeLevel.CREATE)))
.error(alterError("functional.alltypes"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilegeLevel.CREATE)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER,
+ TPrivilegeLevel.CREATE)))
.error(alterError("functional.alltypes"), onDatabase("functional",
TPrivilegeLevel.CREATE), onTable("functional", "alltypes", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(createError("functional"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)),
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.CREATE)),
onTable("functional", "alltypes", TPrivilegeLevel.ALTER));
// Only for Kudu tables.
@@ -1759,18 +1997,23 @@
authorize("alter table functional_kudu.testtbl drop range partition " +
"1 < values < 2")}) {
test.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.ALTER))
.ok(onDatabase("functional_kudu", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional_kudu", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional_kudu", TPrivilegeLevel.ALTER))
.ok(onTable("functional_kudu", "testtbl", TPrivilegeLevel.ALL))
+ .ok(onTable("functional_kudu", "testtbl", TPrivilegeLevel.OWNER))
.ok(onTable("functional_kudu", "testtbl", TPrivilegeLevel.ALTER))
.error(alterError("functional_kudu.testtbl"))
.error(alterError("functional_kudu.testtbl"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional_kudu.testtbl"), onDatabase("functional_kudu",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.ALTER)))
.error(alterError("functional_kudu.testtbl"), onTable("functional_kudu",
- "testtbl", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ "testtbl", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.ALTER)));
}
// Alter table set location.
@@ -1780,25 +2023,38 @@
authorize("alter table functional.alltypes partition(year=2009, month=1) " +
"set location 'hdfs://localhost:20500/test-warehouse/new_table'")}) {
test.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.ALTER), onUri(
"hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.ALTER), onUri(
+ "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALL), onUri(
"hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER), onUri(
+ "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALTER), onUri(
"hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.ALTER), onUri(
+ "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL), onUri(
"hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER), onUri(
+ "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALTER), onUri(
"hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.ALTER), onUri(
+ "hdfs://localhost:20500/test-warehouse/new_table", TPrivilegeLevel.OWNER))
.error(alterError("functional.alltypes"))
.error(alterError("functional.alltypes"),
- onServer(allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)),
+ onServer(allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.ALTER)),
onUri("hdfs://localhost:20500/test-warehouse/new_table"))
.error(alterError("functional.alltypes"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)),
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)),
onUri("hdfs://localhost:20500/test-warehouse/new_table"))
.error(alterError("functional.alltypes"), onTable("functional", "alltypes",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)),
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.ALTER)),
onUri("hdfs://localhost:20500/test-warehouse/new_table"))
.error(accessError("hdfs://localhost:20500/test-warehouse/new_table"),
onDatabase("functional", TPrivilegeLevel.ALTER))
@@ -1810,15 +2066,15 @@
authorize("alter table nodb.alltypes add columns(c1 int)")
.error(alterError("nodb"))
.error(alterError("nodb"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)));
// Table does not exist.
authorize("alter table functional.notbl add columns(c1 int)")
.error(alterError("functional.notbl"))
.error(alterError("functional.notbl"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional.notbl"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)));
}
@Test
@@ -1829,95 +2085,115 @@
authorize("alter view functional.alltypes_view(a) as " +
"select int_col from functional.alltypes")}) {
test.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.ALTER), onTable("functional", "alltypes",
TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER,
TPrivilegeLevel.SELECT))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER,
+ TPrivilegeLevel.SELECT))
.ok(onTable("functional", "alltypes_view", TPrivilegeLevel.ALTER),
onTable("functional", "alltypes", TPrivilegeLevel.SELECT))
.error(selectError("functional.alltypes"))
.error(selectError("functional.alltypes"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER,
+ TPrivilegeLevel.SELECT)))
.error(selectError("functional.alltypes"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER,
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER,
TPrivilegeLevel.SELECT)))
.error(alterError("functional.alltypes_view"), onTable("functional", "alltypes",
TPrivilegeLevel.SELECT), onTable("functional", "alltypes_view", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(selectError("functional.alltypes"), onTable("functional", "alltypes",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)),
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)),
onTable("functional", "alltypes_view", TPrivilegeLevel.ALTER));
}
// Alter view rename.
authorize("alter view functional.alltypes_view rename to functional.new_view")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.ALTER, TPrivilegeLevel.CREATE))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALTER, TPrivilegeLevel.CREATE))
.ok(onDatabase("functional", TPrivilegeLevel.CREATE), onTable("functional",
"alltypes_view", TPrivilegeLevel.ALTER))
.error(alterError("functional.alltypes_view"))
.error(alterError("functional.alltypes_view"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilegeLevel.CREATE)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER,
+ TPrivilegeLevel.CREATE)))
.error(alterError("functional.alltypes_view"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER, TPrivilegeLevel.CREATE)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER,
+ TPrivilegeLevel.CREATE)))
.error(alterError("functional.alltypes_view"), onDatabase("functional",
TPrivilegeLevel.CREATE), onTable("functional", "alltypes_view", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(createError("functional"), onDatabase("functional",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.CREATE)),
- onTable("functional", "alltypes_view", TPrivilegeLevel.ALTER));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.CREATE)), onTable("functional", "alltypes_view",
+ TPrivilegeLevel.ALTER));
// Alter view with constant select.
authorize("alter view functional.alltypes_view as select 1")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.ALTER))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALTER))
.ok(onTable("functional", "alltypes_view", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes_view", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes_view", TPrivilegeLevel.ALTER))
.error(alterError("functional.alltypes_view"))
.error(alterError("functional.alltypes_view"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional.alltypes_view"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional.alltypes_view"), onTable("functional",
- "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.ALTER)));
// Alter view set owner.
for (AuthzTest test: new AuthzTest[]{
authorize("alter view functional.alltypes_view set owner user foo_owner"),
authorize("alter view functional.alltypes_view set owner role foo_owner")}) {
test.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.ALTER))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALTER))
.ok(onTable("functional", "alltypes_view", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes_view", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes_view", TPrivilegeLevel.ALTER))
.error(alterError("functional.alltypes_view"))
.error(alterError("functional.alltypes_view"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
- .error(alterError("functional.alltypes_view"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
+ .error(alterError("functional.alltypes_view"), onDatabase("functional",
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.ALTER)))
.error(alterError("functional.alltypes_view"), onTable("functional",
- "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.ALTER)));
}
// Database does not exist.
authorize("alter view nodb.alltypes_view as select 1")
.error(alterError("nodb"))
.error(alterError("nodb"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)));
// View does not exist.
authorize("alter view functional.noview as select 1")
.error(alterError("functional.noview"))
.error(alterError("functional.noview"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional.noview"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)));
}
@Test
@@ -1925,20 +2201,22 @@
for (String ownerType: new String[]{"user", "role"}) {
authorize(String.format("alter database functional set owner %s foo", ownerType))
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.ALTER))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALTER))
.error(alterError("functional"))
.error(alterError("functional"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)));
// Database does not exist.
authorize(String.format("alter database nodb set owner %s foo", ownerType))
.error(alterError("nodb"))
.error(alterError("nodb"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)));
}
}
@@ -1950,24 +2228,26 @@
// Explain update.
authorize("explain update functional_kudu.alltypes set int_col = 1")}) {
test.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.error(accessError("functional_kudu.alltypes"))
.error(accessError("functional_kudu.alltypes"), onServer(allExcept(
- TPrivilegeLevel.ALL)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER)));
}
// Database does not exist.
authorize("update nodb.alltypes set int_col = 1")
.error(selectError("nodb"))
.error(selectError("nodb"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT)));
// Table does not exist.
authorize("update functional_kudu.notbl set int_col = 1")
.error(selectError("functional_kudu.notbl"))
.error(selectError("functional_kudu.notbl"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT)))
.error(selectError("functional_kudu.notbl"), onDatabase("functional_kudu",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)));
}
@Test
@@ -1982,31 +2262,34 @@
authorize("explain upsert into table functional_kudu.testtbl(id, name) " +
"values(1, 'a')")}) {
test.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.error(accessError("functional_kudu.testtbl"))
.error(accessError("functional_kudu.testtbl"), onServer(allExcept(
- TPrivilegeLevel.ALL)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER)));
}
// Upsert select.
authorize("upsert into table functional_kudu.testtbl(id) " +
"select int_col from functional.alltypes")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.error(selectError("functional.alltypes"))
.error(accessError("functional_kudu.testtbl"), onServer(allExcept(
- TPrivilegeLevel.ALL)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER)));
// Database does not exist.
authorize("upsert into table nodb.testtbl(id, name) values(1, 'a')")
.error(accessError("nodb.testtbl"))
- .error(accessError("nodb.testtbl"), onServer(allExcept(TPrivilegeLevel.ALL)));
+ .error(accessError("nodb.testtbl"), onServer(allExcept(TPrivilegeLevel.ALL,
+ TPrivilegeLevel.OWNER)));
// Table does not exist.
authorize("upsert into table functional_kudu.notbl(id, name) values(1, 'a')")
.error(accessError("functional_kudu.notbl"))
.error(accessError("functional_kudu.notbl"), onServer(allExcept(
- TPrivilegeLevel.ALL)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER)))
.error(accessError("functional_kudu.notbl"), onDatabase("functional_kudu",
- allExcept(TPrivilegeLevel.ALL)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER)));
}
@Test
@@ -2016,24 +2299,26 @@
authorize("delete from functional_kudu.alltypes"),
authorize("explain delete from functional_kudu.alltypes")}) {
test.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.error(accessError("functional_kudu.alltypes"))
.error(accessError("functional_kudu.alltypes"), onServer(allExcept(
- TPrivilegeLevel.ALL)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER)));
}
// Database does not exist.
authorize("delete from nodb.alltypes")
.error(selectError("nodb"))
.error(selectError("nodb"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT)));
// Table does not exist.
authorize("delete from functional_kudu.notbl")
.error(selectError("functional_kudu.notbl"))
.error(selectError("functional_kudu.notbl"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.SELECT)))
.error(selectError("functional_kudu.notbl"), onDatabase("functional_kudu",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT)));
}
@Test
@@ -2041,78 +2326,96 @@
// Comment on database.
authorize("comment on database functional is 'comment'")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.ALTER))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALTER))
.error(alterError("functional"))
.error(alterError("functional"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)));
// Comment on table.
authorize("comment on table functional.alltypes is 'comment'")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.ALTER))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALTER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALTER))
.error(alterError("functional.alltypes"))
.error(alterError("functional.alltypes"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional.alltypes"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional.alltypes"), onTable("functional", "alltypes",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.ALTER)));
// Comment on view.
authorize("comment on view functional.alltypes_view is 'comment'")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.ALTER))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALTER))
.ok(onTable("functional", "alltypes_view", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes_view", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes_view", TPrivilegeLevel.ALTER))
.error(alterError("functional.alltypes_view"))
.error(alterError("functional.alltypes_view"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional.alltypes_view"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional.alltypes_view"), onTable("functional",
- "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.ALTER)));
// Comment on table column.
authorize("comment on column functional.alltypes.id is 'comment'")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.ALTER))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALTER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes", TPrivilegeLevel.ALTER))
.error(alterError("functional.alltypes"))
.error(alterError("functional.alltypes"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional.alltypes"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional.alltypes"), onTable("functional", "alltypes",
- allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.ALTER)));
// Comment on view column.
authorize("comment on column functional.alltypes_view.id is 'comment'")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.ALTER))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALTER))
.ok(onTable("functional", "alltypes_view", TPrivilegeLevel.ALL))
+ .ok(onTable("functional", "alltypes_view", TPrivilegeLevel.OWNER))
.ok(onTable("functional", "alltypes_view", TPrivilegeLevel.ALTER))
.error(alterError("functional.alltypes_view"))
.error(alterError("functional.alltypes_view"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional.alltypes_view"), onDatabase("functional", allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)))
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.ALTER)))
.error(alterError("functional.alltypes_view"), onTable("functional",
- "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.ALTER)));
+ "alltypes_view", allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.ALTER)));
}
@Test
@@ -2121,60 +2424,80 @@
authorize("create function functional.f() returns int location " +
"'/test-warehouse/libTestUdfs.so' symbol='NoArgs'")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.CREATE), onUri("/test-warehouse/libTestUdfs.so",
TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.CREATE), onUri("/test-warehouse/libTestUdfs.so",
+ TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALL),
onUri("/test-warehouse/libTestUdfs.so", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER),
+ onUri("/test-warehouse/libTestUdfs.so", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.CREATE),
onUri("/test-warehouse/libTestUdfs.so", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.CREATE),
+ onUri("/test-warehouse/libTestUdfs.so", TPrivilegeLevel.OWNER))
.error(createFunctionError("functional.f()"))
.error(accessError("hdfs://localhost:20500/test-warehouse/libTestUdfs.so"),
- onServer(allExcept(TPrivilegeLevel.ALL)))
+ onServer(allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER)))
.error(createFunctionError("functional.f()"),
- onUri("/test-warehouse/libTestUdfs.so", TPrivilegeLevel.ALL));
+ onUri("/test-warehouse/libTestUdfs.so", TPrivilegeLevel.ALL))
+ .error(createFunctionError("functional.f()"),
+ onUri("/test-warehouse/libTestUdfs.so", TPrivilegeLevel.OWNER));
// Create a function name that has the same name as built-in function is OK.
authorize("create function functional.sin() returns int location " +
"'/test-warehouse/libTestUdfs.so' symbol='NoArgs'")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.CREATE), onUri("/test-warehouse/libTestUdfs.so",
TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.CREATE), onUri("/test-warehouse/libTestUdfs.so",
+ TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.ALL),
onUri("/test-warehouse/libTestUdfs.so", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER),
+ onUri("/test-warehouse/libTestUdfs.so", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.CREATE),
onUri("/test-warehouse/libTestUdfs.so", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.CREATE),
+ onUri("/test-warehouse/libTestUdfs.so", TPrivilegeLevel.OWNER))
.error(createFunctionError("functional.sin()"))
.error(accessError("hdfs://localhost:20500/test-warehouse/libTestUdfs.so"),
- onServer(allExcept(TPrivilegeLevel.ALL)))
+ onServer(allExcept(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER)))
.error(createFunctionError("functional.sin()"),
- onUri("/test-warehouse/libTestUdfs.so", TPrivilegeLevel.ALL));
+ onUri("/test-warehouse/libTestUdfs.so", TPrivilegeLevel.ALL))
+ .error(createFunctionError("functional.sin()"),
+ onUri("/test-warehouse/libTestUdfs.so", TPrivilegeLevel.OWNER));
- // Creating a function in the system database even with ALL privilege on SERVER is
- // not allowed.
+ // Creating a function in the system database even with ALL/OWNER privilege on SERVER
+ // is not allowed.
for (AuthzTest test: new AuthzTest[] {
authorize("create function _impala_builtins.sin() returns int location " +
"'/test-warehouse/libTestUdfs.so' symbol='NoArgs'"),
authorize("create function _impala_builtins.f() returns int location " +
"'/test-warehouse/libTestUdfs.so' symbol='NoArgs'")}) {
- test.error(systemDbError(), onServer(TPrivilegeLevel.ALL));
+ test.error(systemDbError(), onServer(TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER));
}
ScalarFunction fn = addFunction("functional", "f");
try {
authorize("drop function functional.f()")
.ok(onServer(TPrivilegeLevel.ALL))
+ .ok(onServer(TPrivilegeLevel.OWNER))
.ok(onServer(TPrivilegeLevel.DROP))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", TPrivilegeLevel.DROP))
.error(dropFunctionError("functional.f()"))
.error(dropFunctionError("functional.f()"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)));
// Function does not exist but with if exists clause.
authorize("drop function if exists functional.g()")
.error(dropFunctionError("functional.g()"))
.error(dropFunctionError("functional.g()"), onServer(allExcept(
- TPrivilegeLevel.ALL, TPrivilegeLevel.DROP)));
+ TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER, TPrivilegeLevel.DROP)));
} finally {
removeFunction(fn);
}
@@ -2197,6 +2520,7 @@
"select functional.to_lower('ABCDEF')")}) {
test.ok(onServer(TPrivilegeLevel.SELECT))
.ok(onDatabase("functional", TPrivilegeLevel.ALL))
+ .ok(onDatabase("functional", TPrivilegeLevel.OWNER))
.ok(onDatabase("functional", viewMetadataPrivileges()))
.error(accessError("functional"))
.error(accessError("functional"), onDatabase("functional",
@@ -2294,8 +2618,8 @@
}
private TPrivilegeLevel[] viewMetadataPrivileges() {
- return new TPrivilegeLevel[]{TPrivilegeLevel.ALL, TPrivilegeLevel.SELECT,
- TPrivilegeLevel.INSERT, TPrivilegeLevel.REFRESH};
+ return new TPrivilegeLevel[]{TPrivilegeLevel.ALL, TPrivilegeLevel.OWNER,
+ TPrivilegeLevel.SELECT, TPrivilegeLevel.INSERT, TPrivilegeLevel.REFRESH};
}
private static TPrivilegeLevel[] allExcept(TPrivilegeLevel... excludedPrivLevels) {
diff --git a/fe/src/test/java/org/apache/impala/authorization/ImpalaActionFactoryTest.java b/fe/src/test/java/org/apache/impala/authorization/ImpalaActionFactoryTest.java
index bd39839..9d0ecea 100644
--- a/fe/src/test/java/org/apache/impala/authorization/ImpalaActionFactoryTest.java
+++ b/fe/src/test/java/org/apache/impala/authorization/ImpalaActionFactoryTest.java
@@ -57,7 +57,8 @@
ImpalaAction.CREATE,
ImpalaAction.DROP,
ImpalaAction.REFRESH,
- ImpalaAction.ALL);
+ ImpalaAction.ALL,
+ ImpalaAction.OWNER);
assertBitFieldActions(expected, actual);
actual = factory.getActionsByCode(ImpalaAction.ALL.getCode());
@@ -68,7 +69,8 @@
ImpalaAction.CREATE,
ImpalaAction.DROP,
ImpalaAction.REFRESH,
- ImpalaAction.ALL);
+ ImpalaAction.ALL,
+ ImpalaAction.OWNER);
assertBitFieldActions(expected, actual);
try {