Fix rewrite SHOW GRANTS as a SELECT query
When tables of the same name exist across different schemas, Presto lists privileges
of the table from all schemas instead of the single schema mentioned in the
SHOW GRANTS query. This commit fixes the issue.

Extracted-From: prestodb/presto#10904
kokosing authored and sopel39 committed Jan 29, 2019
1 parent 20cf120 commit 729f646
Showing 2 changed files with 54 additions and 8 deletions.
Expand Up @@ -98,6 +98,7 @@
import static io.prestosql.metadata.MetadataUtil.createQualifiedObjectName;
import static io.prestosql.spi.StandardErrorCode.INVALID_COLUMN_PROPERTY;
import static io.prestosql.spi.StandardErrorCode.INVALID_TABLE_PROPERTY;
import static io.prestosql.sql.ExpressionUtils.combineConjuncts;
import static io.prestosql.sql.ParsingUtil.createParsingOptions;
import static io.prestosql.sql.QueryUtil.aliased;
import static io.prestosql.sql.QueryUtil.aliasedName;
Expand Down Expand Up @@ -236,16 +237,19 @@ protected Node visitShowGrants(ShowGrants showGrants, Void context)
session.getIdentity(),
new CatalogSchemaName(catalogName, qualifiedTableName.getSchemaName()));

predicate = Optional.of(equal(identifier("table_name"), new StringLiteral(qualifiedTableName.getObjectName())));
}

if (catalogName == null) {
throw new SemanticException(CATALOG_NOT_SPECIFIED, showGrants, "Catalog must be specified when session catalog is not set");
predicate = Optional.of(combineConjuncts(
equal(identifier("table_schema"), new StringLiteral(qualifiedTableName.getSchemaName())),
equal(identifier("table_name"), new StringLiteral(qualifiedTableName.getObjectName()))));
}
else {
if (catalogName == null) {
throw new SemanticException(CATALOG_NOT_SPECIFIED, showGrants, "Catalog must be specified when session catalog is not set");
}

Set<String> allowedSchemas = listSchemas(session, metadata, accessControl, catalogName);
for (String schema : allowedSchemas) {
accessControl.checkCanShowTablesMetadata(session.getRequiredTransactionId(), session.getIdentity(), new CatalogSchemaName(catalogName, schema));
Set<String> allowedSchemas = listSchemas(session, metadata, accessControl, catalogName);
for (String schema : allowedSchemas) {
accessControl.checkCanShowTablesMetadata(session.getRequiredTransactionId(), session.getIdentity(), new CatalogSchemaName(catalogName, schema));
}
}

return simpleQuery(
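Review bot: The two-column predicate added in the table branch of `visitShowGrants` has no comment recording why `table_schema` must be part of it, and that reason is an authorization invariant rather than a query detail. The access-control call whose arguments close at the top of the hunk (apparently `checkCanShowTablesMetadata`, as in the else branch) is scoped to `qualifiedTableName.getSchemaName()` only, so the rewritten query must never return rows from another schema. I would add above the `combineConjuncts` call: `// Filter on schema as well as table name: only this schema was authorized above, and same-named tables can exist in other schemas.` In the else branch `predicate` keeps whatever value it was given before the hunk, so whether the result is confined to `allowedSchemas` depends on filtering that is not visible here and is worth confirming. The method begins before this hunk and continues past `return simpleQuery(`.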
Expand Up @@ -670,6 +670,48 @@ public void testAdminCanShowAllGrants()
}
}

@Test(groups = {ROLES, AUTHORIZATION, PROFILE_SPECIFIC_TESTS})
public void testAdminCanShowGrantsOnlyFromCurrentSchema()
{
try {
onPrestoBob().executeQuery("CREATE TABLE hive.default.test_table_bob (foo BIGINT)");
onPresto().executeQuery("CREATE SCHEMA hive.test");
onPresto().executeQuery("GRANT admin TO alice");
onPrestoAlice().executeQuery("SET ROLE ADMIN");
onPrestoAlice().executeQuery("CREATE TABLE hive.test.test_table_bob (foo BIGINT)");

QueryAssert.assertThat(onPrestoAlice().executeQuery("SHOW GRANTS ON hive.default.test_table_bob"))
.containsOnly(ImmutableList.of(
row("bob", "USER", "bob", "USER", "hive", "default", "test_table_bob", "SELECT", "YES", null),
row("bob", "USER", "bob", "USER", "hive", "default", "test_table_bob", "DELETE", "YES", null),
row("bob", "USER", "bob", "USER", "hive", "default", "test_table_bob", "UPDATE", "YES", null),
row("bob", "USER", "bob", "USER", "hive", "default", "test_table_bob", "INSERT", "YES", null)));

QueryAssert.assertThat(onPrestoAlice().executeQuery("SHOW GRANTS ON hive.test.test_table_bob"))
.containsOnly(ImmutableList.of(
row("alice", "USER", "alice", "USER", "hive", "test", "test_table_bob", "SELECT", "YES", null),
row("alice", "USER", "alice", "USER", "hive", "test", "test_table_bob", "DELETE", "YES", null),
row("alice", "USER", "alice", "USER", "hive", "test", "test_table_bob", "UPDATE", "YES", null),
row("alice", "USER", "alice", "USER", "hive", "test", "test_table_bob", "INSERT", "YES", null)));
QueryAssert.assertThat(onPrestoAlice().executeQuery("SELECT * FROM hive.information_schema.table_privileges where table_name = 'test_table_bob'"))
.containsOnly(ImmutableList.of(
row("bob", "USER", "bob", "USER", "hive", "default", "test_table_bob", "SELECT", "YES", null),
row("bob", "USER", "bob", "USER", "hive", "default", "test_table_bob", "DELETE", "YES", null),
row("bob", "USER", "bob", "USER", "hive", "default", "test_table_bob", "UPDATE", "YES", null),
row("bob", "USER", "bob", "USER", "hive", "default", "test_table_bob", "INSERT", "YES", null),
row("alice", "USER", "alice", "USER", "hive", "test", "test_table_bob", "SELECT", "YES", null),
row("alice", "USER", "alice", "USER", "hive", "test", "test_table_bob", "DELETE", "YES", null),
row("alice", "USER", "alice", "USER", "hive", "test", "test_table_bob", "UPDATE", "YES", null),
row("alice", "USER", "alice", "USER", "hive", "test", "test_table_bob", "INSERT", "YES", null)));
}
finally {
onPresto().executeQuery("DROP TABLE hive.default.test_table_bob");
onPrestoAlice().executeQuery("DROP TABLE hive.test.test_table_bob");
onPresto().executeQuery("DROP SCHEMA hive.test");
onPresto().executeQuery("REVOKE admin FROM alice");
}
}

@Test(groups = {ROLES, AUTHORIZATION, PROFILE_SPECIFIC_TESTS})
public void testSetRoleTablePermissions()
{
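Review bot: The `finally` block of `testAdminCanShowGrantsOnlyFromCurrentSchema` runs `REVOKE admin FROM alice` last, behind three unguarded DROP statements, so a failure part-way through setup can leave alice holding the admin role for later authorization tests. For example, if `CREATE TABLE hive.test.test_table_bob` fails after the GRANT, the matching DROP throws and neither the schema drop nor the REVOKE runs. I would make the drops tolerant with `IF EXISTS` and put the REVOKE in a nested `finally` so the privilege is always restored. The trailing `@Test` and `testSetRoleTablePermissions` lines are context for a method that continues outside the hunk.

```java
        // … unchanged: setup and the three containsOnly assertions …
        finally {
            try {
                onPresto().executeQuery("DROP TABLE IF EXISTS hive.default.test_table_bob");
                onPrestoAlice().executeQuery("DROP TABLE IF EXISTS hive.test.test_table_bob");
                onPresto().executeQuery("DROP SCHEMA IF EXISTS hive.test");
            }
            finally {
                // Always restore alice's privileges, even when a DROP above fails.
                onPresto().executeQuery("REVOKE admin FROM alice");
            }
        }
```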
