Add test cases to reproduce HiveAccessControlException

Author: okumin

iceberg/iceberg-catalog/src/test/java/org/apache/iceberg/hive/HiveMetastoreExtension.java

@@ -49,7 +49,7 @@ public void beforeAll(ExtensionContext extensionContext) throws Exception {
       }
     }
 
-    metastore.start(hiveConfWithOverrides, 5, true);
+    metastore.start(hiveConfWithOverrides, 20, true);
     metastoreClient = new HiveMetaStoreClient(hiveConfWithOverrides);
     if (null != databaseName) {
       String dbPath = metastore.getDatabasePath(databaseName);

iceberg/iceberg-catalog/src/test/java/org/apache/iceberg/hive/MockHiveAuthorizer.java

@@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.iceberg.hive;
+
+import java.util.List;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.AbstractHiveAuthorizer;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class MockHiveAuthorizer extends AbstractHiveAuthorizer {
+  public static final String PERMISSION_TEST_USER = "permission_test_user";
+  private static final Logger LOG = LoggerFactory.getLogger(MockHiveAuthorizer.class);
+
+  private final HiveAuthenticationProvider authenticator;
+
+  public MockHiveAuthorizer(HiveAuthenticationProvider authenticator) {
+    this.authenticator = authenticator;
+  }
+
+  @Override
+  public VERSION getVersion() {
+    return null;
+  }
+
+  @Override
+  public void grantPrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
+      HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) {
+    // NOP
+  }
+
+  @Override
+  public void revokePrivileges(List<HivePrincipal> hivePrincipals, List<HivePrivilege> hivePrivileges,
+      HivePrivilegeObject hivePrivObject, HivePrincipal grantorPrincipal, boolean grantOption) {
+    // NOP
+  }
+
+  @Override
+  public void createRole(String roleName, HivePrincipal adminGrantor) {
+    // NOP
+  }
+
+  @Override
+  public void dropRole(String roleName) {
+    // NOP
+  }
+
+  @Override
+  public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName) {
+    return List.of();
+  }
+
+  @Override
+  public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal) {
+    return List.of();
+  }
+
+  @Override
+  public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption,
+      HivePrincipal grantorPrinc) {
+    // NOP
+  }
+
+  @Override
+  public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption,
+      HivePrincipal grantorPrinc) {
+    // NOP
+  }
+
+  @Override
+  public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputsHObjs,
+      List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context) throws HiveAccessControlException {
+    LOG.info("Checking privileges. User={}, Operation={}, inputs={}, outputs={}", authenticator.getUserName(),
+        hiveOpType, inputsHObjs, outputHObjs);
+    if (PERMISSION_TEST_USER.equals(authenticator.getUserName())) {
+      throw new HiveAccessControlException(String.format("Unauthorized. Operation=%s, inputs=%s, outputs=%s",
+          hiveOpType, inputsHObjs, outputHObjs));
+    }
+  }
+
+  @Override
+  public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> listObjs, HiveAuthzContext context) {
+    return List.of();
+  }
+
+  @Override
+  public List<String> getAllRoles() {
+    return List.of();
+  }
+
+  @Override
+  public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj) {
+    return List.of();
+  }
+
+  @Override
+  public void setCurrentRole(String roleName) {
+    // NOP
+  }
+
+  @Override
+  public List<String> getCurrentRoleNames() {
+    return List.of();
+  }
+
+  @Override
+  public void applyAuthorizationConfigPolicy(HiveConf hiveConf) {
+    // NOP
+  }
+
+  @Override
+  public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext context,
+      List<HivePrivilegeObject> privObjs) {
+    return List.of();
+  }
+
+  @Override
+  public boolean needTransform() {
+    return false;
+  }
+}

iceberg/iceberg-catalog/src/test/java/org/apache/iceberg/hive/MockHiveAuthorizerFactory.java

@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.iceberg.hive;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
+
+public class MockHiveAuthorizerFactory implements HiveAuthorizerFactory {
+  @Override
+  public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory, HiveConf conf,
+      HiveAuthenticationProvider hiveAuthenticator, HiveAuthzSessionContext ctx) {
+    return new MockHiveAuthorizer(hiveAuthenticator);
+  }
+}

iceberg/iceberg-catalog/src/test/java/org/apache/iceberg/hive/TestHiveCatalogAccessControl.java

@@ -0,0 +1,164 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.iceberg.hive;
+
+import java.security.PrivilegedExceptionAction;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+import java.util.function.Consumer;
+import org.apache.hadoop.hive.metastore.conf.MetastoreConf.ConfVars;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.metastore.HiveMetaStoreAuthorizer;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.iceberg.CatalogProperties;
+import org.apache.iceberg.CatalogUtil;
+import org.apache.iceberg.Schema;
+import org.apache.iceberg.catalog.Namespace;
+import org.apache.iceberg.catalog.TableIdentifier;
+import org.apache.iceberg.exceptions.ForbiddenException;
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+class TestHiveCatalogAccessControl {
+  private static final Schema DUMMY_SCHEMA = new Schema();
+
+  @RegisterExtension
+  private static final HiveMetastoreExtension HIVE_METASTORE_EXTENSION = HiveMetastoreExtension.builder()
+      .withConfig(Map.of(
+          ConfVars.HIVE_AUTHORIZATION_MANAGER.getVarname(), MockHiveAuthorizerFactory.class.getName(),
+          ConfVars.PRE_EVENT_LISTENERS.getVarname(), HiveMetaStoreAuthorizer.class.getName()
+      )).build();
+
+  @AfterEach
+  void afterEach() throws Exception {
+    HIVE_METASTORE_EXTENSION.metastore().reset();
+  }
+
+  @Test
+  void testNamespace() throws Exception {
+    var namespace = Namespace.of("permission_test_db");
+    asAuthorized(catalog -> catalog.createNamespace(namespace, Collections.emptyMap()));
+    asUnauthorized(catalog -> {
+      // Should HMS omit namespaces?
+      Assertions.assertThat(catalog.listNamespaces()).isEqualTo(List.of(Namespace.of("default"), namespace));
+      Assertions.assertThatThrownBy(() -> catalog.namespaceExists(namespace)).isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() -> catalog.loadNamespaceMetadata(namespace))
+          .isInstanceOf(ForbiddenException.class);
+      var newNamespace = Namespace.of("new_db");
+      Assertions.assertThatThrownBy(() -> catalog.createNamespace(newNamespace)).isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() -> catalog.dropNamespace(namespace)).isInstanceOf(ForbiddenException.class);
+      var properties = Collections.singletonMap("key", "value");
+      Assertions.assertThatThrownBy(() -> catalog.setProperties(namespace, properties))
+          .isInstanceOf(ForbiddenException.class);
+      var propertyKeys = properties.keySet();
+      Assertions.assertThatThrownBy(() -> catalog.removeProperties(namespace, propertyKeys))
+          .isInstanceOf(ForbiddenException.class);
+    });
+  }
+
+  @Test
+  void testTable() throws Exception {
+    Namespace namespace = Namespace.of("permission_test_db");
+    TableIdentifier table = TableIdentifier.of(namespace, "permission_test_table");
+    asAuthorized(catalog -> {
+      catalog.createNamespace(namespace, Collections.emptyMap());
+      catalog.createTable(table, new Schema());
+    });
+    asUnauthorized(catalog -> {
+      // Should HMS omit namespaces?
+      Assertions.assertThat(catalog.listTables(namespace)).isEqualTo(Collections.singletonList(table));
+      Assertions.assertThatThrownBy(() -> catalog.tableExists(table)).isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() -> catalog.loadTable(table)).isInstanceOf(ForbiddenException.class);
+      var newTable = TableIdentifier.of(namespace, "new_table");
+      Assertions.assertThatThrownBy(() -> catalog.createTable(newTable, DUMMY_SCHEMA))
+          .isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() -> catalog.renameTable(table, newTable)).isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() -> catalog.dropTable(table)).isInstanceOf(ForbiddenException.class);
+    });
+  }
+
+  @Test
+  void testView() throws Exception {
+    Namespace namespace = Namespace.of("permission_test_db");
+    TableIdentifier view = TableIdentifier.of(namespace, "permission_test_view");
+    asAuthorized(catalog -> {
+      catalog.createNamespace(namespace, Collections.emptyMap());
+      catalog.buildView(view).withQuery("hive", "SELECT 1 AS id").withSchema(new Schema())
+          .withDefaultNamespace(namespace).create();
+    });
+    asUnauthorized(catalog -> {
+      // Should HMS omit namespaces?
+      Assertions.assertThat(catalog.listViews(namespace)).isEqualTo(Collections.singletonList(view));
+      Assertions.assertThatThrownBy(() -> catalog.viewExists(view)).isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() -> catalog.loadView(view)).isInstanceOf(ForbiddenException.class);
+      var newView = TableIdentifier.of(namespace, "new_view");
+      var builder = catalog.buildView(newView).withQuery("hive", "SELECT 1 AS id").withSchema(DUMMY_SCHEMA)
+          .withDefaultNamespace(namespace);
+      Assertions.assertThatThrownBy(builder::create).isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() -> catalog.renameView(view, newView)).isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() -> catalog.dropView(view)).isInstanceOf(ForbiddenException.class);
+    });
+  }
+
+  @Test
+  void testTransaction() throws Exception {
+    var namespace = Namespace.of("permission_test_db");
+    asAuthorized(catalog -> catalog.createNamespace(namespace, Collections.emptyMap()));
+    asUnauthorized(catalog -> {
+      var newTable = TableIdentifier.of(namespace, "new_table");
+      Assertions.assertThatThrownBy(() -> catalog.newCreateTableTransaction(newTable, DUMMY_SCHEMA))
+          .isInstanceOf(ForbiddenException.class);
+      Assertions.assertThatThrownBy(() -> catalog.newReplaceTableTransaction(newTable, DUMMY_SCHEMA, true))
+          .isInstanceOf(ForbiddenException.class);
+    });
+  }
+
+  private static void asAuthorized(Consumer<HiveCatalog> consumer) throws Exception {
+    withUser("authorized_user", consumer);
+  }
+
+  private static void asUnauthorized(Consumer<HiveCatalog> consumer) throws Exception {
+    withUser(MockHiveAuthorizer.PERMISSION_TEST_USER, consumer);
+  }
+
+  private static void withUser(String username, Consumer<HiveCatalog> consumer) throws Exception {
+    var ugi = UserGroupInformation.createRemoteUser(username);
+    ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
+      try (HiveCatalog catalog = createCatalog()) {
+        consumer.accept(catalog);
+        return null;
+      }
+    });
+  }
+
+  private static HiveCatalog createCatalog() {
+    return (HiveCatalog)
+        CatalogUtil.loadCatalog(
+            HiveCatalog.class.getName(),
+            UUID.randomUUID().toString(),
+            Map.of(
+                CatalogProperties.CLIENT_POOL_CACHE_KEYS, "ugi"
+            ),
+            HIVE_METASTORE_EXTENSION.hiveConf());
+  }
+}

iceberg/iceberg-catalog/src/test/java/org/apache/iceberg/hive/TestHiveMetastore.java

@@ -33,16 +33,20 @@
 import org.apache.hadoop.hive.metastore.IHMSHandler;
 import org.apache.hadoop.hive.metastore.IMetaStoreClient;
 import org.apache.hadoop.hive.metastore.TSetIpAddressProcessor;
+import org.apache.hadoop.hive.metastore.TUGIBasedProcessor;
 import org.apache.hadoop.hive.metastore.api.GetTableRequest;
 import org.apache.hadoop.hive.metastore.api.Table;
 import org.apache.hadoop.hive.metastore.conf.MetastoreConf;
+import org.apache.hadoop.hive.metastore.conf.MetastoreConf.ConfVars;
+import org.apache.hadoop.hive.metastore.security.TUGIContainingTransport;
 import org.apache.hadoop.hive.metastore.utils.TestTxnDbUtil;
 import org.apache.iceberg.ClientPool;
 import org.apache.iceberg.catalog.TableIdentifier;
 import org.apache.iceberg.common.DynConstructors;
 import org.apache.iceberg.common.DynMethods;
 import org.apache.iceberg.hadoop.Util;
 import org.apache.thrift.TException;
+import org.apache.thrift.TProcessor;
 import org.apache.thrift.protocol.TBinaryProtocol;
 import org.apache.thrift.server.TServer;
 import org.apache.thrift.server.TThreadPoolServer;
@@ -244,9 +248,18 @@ private TServer newThriftServer(TServerSocket socket, int poolSize, HiveConf con
     baseHandler = HMS_HANDLER_CTOR.newInstance("new db based metaserver", serverConf);
     IHMSHandler handler = GET_BASE_HMS_HANDLER.invoke(serverConf, baseHandler, false);
 
+    TProcessor processor;
+    TTransportFactory transportFactory;
+    if (MetastoreConf.getBoolVar(conf, ConfVars.EXECUTE_SET_UGI)) {
+      processor = new TUGIBasedProcessor<>(handler);
+      transportFactory = new TUGIContainingTransport.Factory();
+    } else {
+      processor = new TSetIpAddressProcessor<>(handler);
+      transportFactory = new TTransportFactory();
+    }
     TThreadPoolServer.Args args = new TThreadPoolServer.Args(socket)
-        .processor(new TSetIpAddressProcessor<>(handler))
-        .transportFactory(new TTransportFactory())
+        .processor(processor)
+        .transportFactory(transportFactory)
         .protocolFactory(new TBinaryProtocol.Factory())
         .minWorkerThreads(poolSize)
         .maxWorkerThreads(poolSize);