Branch 1.4.0

NOTICE.txt

@@ -1,5 +1,5 @@
 Apache Sentry
-Copyright 2013 The Apache Software Foundation
+Copyright 2013-2014  The Apache Software Foundation
 
 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).

pom.xml

@@ -25,7 +25,7 @@ limitations under the License.
 
   <groupId>org.apache.sentry</groupId>
   <artifactId>sentry</artifactId>
-  <version>1.4.0-incubating-SNAPSHOT</version>
+  <version>1.4.0-incubating</version>
   <description>Sentry component</description>
   <name>Sentry</name>
   <packaging>pom</packaging>
@@ -67,8 +67,8 @@ limitations under the License.
     <jdo-api.version>3.0.1</jdo-api.version>
     <derby.version>10.4.2.0</derby.version>
     <commons-cli.version>1.2</commons-cli.version>
-    <hive.version>0.12.0-cdh5.1.0-SNAPSHOT</hive.version>
-    <hadoop.version>2.3.0-cdh5.1.0-SNAPSHOT</hadoop.version>
+    <hive.version>0.12.0-cdh5.1.0</hive.version>
+    <hadoop.version>2.3.0-cdh5.1.0</hadoop.version>
     <fest.reflect.version>1.4.1</fest.reflect.version>
     <guava.version>11.0.2</guava.version>
     <junit.version>4.9</junit.version>
@@ -79,9 +79,9 @@ limitations under the License.
     <shiro.version>1.2.1</shiro.version>
     <slf4j.version>1.6.1</slf4j.version>
     <solr.version>4.8.0</solr.version>
-    <solr.sentry.handlers.version>4.4.0-cdh5.1.0-SNAPSHOT</solr.sentry.handlers.version>
-    <zookeeper.version>3.4.5-cdh5.1.0-SNAPSHOT</zookeeper.version>
-    <pig.version>0.12.0-cdh5.1.0-SNAPSHOT</pig.version>
+    <solr.sentry.handlers.version>4.4.0-cdh5.1.0</solr.sentry.handlers.version>
+    <zookeeper.version>3.4.5-cdh5.1.0</zookeeper.version>
+    <pig.version>0.12.0-cdh5.1.0</pig.version>
   </properties>
 
   <dependencyManagement>

sentry-binding/pom.xml

@@ -22,7 +22,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
 
   <artifactId>sentry-binding</artifactId>

sentry-binding/sentry-binding-hive/pom.xml

@@ -22,7 +22,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-binding</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
 
   <artifactId>sentry-binding-hive</artifactId>

sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java

@@ -38,6 +38,7 @@
 import org.apache.hadoop.hive.ql.HiveDriverFilterHookResultImpl;
 import org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask;
 import org.apache.hadoop.hive.ql.exec.Task;
+import org.apache.hadoop.hive.ql.exec.Utilities;
 import org.apache.hadoop.hive.ql.hooks.Entity;
 import org.apache.hadoop.hive.ql.hooks.Entity.Type;
 import org.apache.hadoop.hive.ql.hooks.Hook;
@@ -192,7 +193,9 @@ public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast)
       case HiveParser.TOK_CREATEFUNCTION:
         String udfClassName = BaseSemanticAnalyzer.unescapeSQLString(ast.getChild(1).getText());
         try {
-          CodeSource udfSrc = Class.forName(udfClassName).getProtectionDomain().getCodeSource();
+          CodeSource udfSrc =
+              Class.forName(udfClassName, true, Utilities.getSessionSpecifiedClassLoader())
+                  .getProtectionDomain().getCodeSource();
           if (udfSrc == null) {
             throw new SemanticException("Could not resolve the jar for UDF class " + udfClassName);
           }
@@ -203,7 +206,7 @@ public ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast)
           }
           udfURI = parseURI(udfSrc.getLocation().toString(), true);
         } catch (ClassNotFoundException e) {
-          throw new SemanticException("Error retrieving udf class", e);
+          throw new SemanticException("Error retrieving udf class:" + e.getMessage(), e);
         }
         // create/drop function is allowed with any database
         currDB = Database.ALL;
@@ -396,7 +399,11 @@ private void authorizeWithHiveBindings(HiveSemanticAnalyzerHookContext context,
       outputHierarchy.add(dbHierarchy);
 
       for(ReadEntity readEntity:inputs) {
-      	 // If this is a UDF, then check whether its allowed to be executed
+        // skip the tables/view that are part of expanded view definition.
+        if (isChildTabForView(readEntity)) {
+          continue;
+        }
+        // If this is a UDF, then check whether its allowed to be executed
          // TODO: when we support execute privileges on UDF, this can be removed.
         if (isUDF(readEntity)) {
           if (isBuiltinUDF(readEntity)) {

sentry-binding/sentry-binding-solr/pom.xml

@@ -22,7 +22,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-binding</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
 
   <artifactId>sentry-binding-solr</artifactId>

sentry-core/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
 
   <artifactId>sentry-core</artifactId>

sentry-core/sentry-core-common/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-core</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
 
   <artifactId>sentry-core-common</artifactId>

sentry-core/sentry-core-model-db/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-core</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
 
   <artifactId>sentry-core-model-db</artifactId>

sentry-core/sentry-core-model-search/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-core</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
 
   <artifactId>sentry-core-model-search</artifactId>

sentry-dist/pom.xml

@@ -20,7 +20,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
   <artifactId>sentry-dist</artifactId>
   <name>Sentry Distribution</name>

sentry-policy/pom.xml

@@ -22,7 +22,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
 
   <artifactId>sentry-policy</artifactId>

sentry-policy/sentry-policy-common/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-policy</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
 
   <artifactId>sentry-policy-common</artifactId>

sentry-policy/sentry-policy-db/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-policy</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
 
   <artifactId>sentry-policy-db</artifactId>

sentry-policy/sentry-policy-search/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-policy</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
 
   <artifactId>sentry-policy-search</artifactId>

sentry-provider/pom.xml

@@ -22,7 +22,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
 
   <artifactId>sentry-provider</artifactId>

sentry-provider/sentry-provider-cache/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-provider</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
 
   <artifactId>sentry-provider-cache</artifactId>

sentry-provider/sentry-provider-common/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-provider</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
 
   <artifactId>sentry-provider-common</artifactId>

sentry-provider/sentry-provider-db/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-provider</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
 
   <artifactId>sentry-provider-db</artifactId>

sentry-provider/sentry-provider-file/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-provider</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
 
   <artifactId>sentry-provider-file</artifactId>

sentry-tests/pom.xml

@@ -20,7 +20,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
   <artifactId>sentry-tests</artifactId>
   <name>Sentry Tests</name>

sentry-tests/sentry-tests-hive/pom.xml

@@ -21,7 +21,7 @@ limitations under the License.
   <parent>
     <groupId>org.apache.sentry</groupId>
     <artifactId>sentry-tests</artifactId>
-    <version>1.4.0-incubating-SNAPSHOT</version>
+    <version>1.4.0-incubating</version>
   </parent>
   <artifactId>sentry-tests-hive</artifactId>
   <name>Sentry Hive Tests</name>

sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java

@@ -105,6 +105,7 @@ public abstract class AbstractTestWithStaticConfiguration {
 
   protected static final String SERVER_HOST = "localhost";
   private static final String EXTERNAL_SENTRY_SERVICE = "sentry.e2etest.external.sentry";
+  protected static final String EXTERNAL_HIVE_LIB = "sentry.e2etest.hive.lib";
 
   protected static boolean policy_on_hdfs = false;
   protected static boolean useSentryService = false;
@@ -119,6 +120,7 @@ public abstract class AbstractTestWithStaticConfiguration {
   protected static File policyFileLocation;
   protected static HiveServer hiveServer;
   protected static FileSystem fileSystem;
+  protected static HiveServerFactory.HiveServer2Type hiveServer2Type;
   protected static DFS dfs;
   protected static Map<String, String> properties;
   protected static SentryService sentryServer;
@@ -196,9 +198,12 @@ public static void setupTestStaticConfiguration() throws Exception {
     fileSystem = dfs.getFileSystem();
 
     String policyURI;
+
+    //TODO: We can probably get rid of this.
     PolicyFile policyFile = PolicyFile.setAdminOnServer1(ADMIN1)
         .setUserGroupMapping(StaticUserGroup.getStaticMapping());
     policyFile.write(policyFileLocation);
+
     if (policy_on_hdfs) {
       String dfsUri = fileSystem.getDefaultUri(fileSystem.getConf()).toString();
       LOGGER.error("dfsUri " + dfsUri);
@@ -213,11 +218,26 @@ public static void setupTestStaticConfiguration() throws Exception {
       setupSentryService();
     }
 
-    hiveServer = HiveServerFactory.create(properties, baseDir, confDir, logDir, policyURI, fileSystem);
+    hiveServer = create(properties, baseDir, confDir, logDir, policyURI, fileSystem);
     hiveServer.start();
     createContext();
   }
 
+  public static HiveServer create(Map<String, String> properties,
+                                  File baseDir, File confDir, File logDir, String policyFile,
+                                  FileSystem fileSystem) throws Exception {
+    String type = properties.get(HiveServerFactory.HIVESERVER2_TYPE);
+    if(type == null) {
+      type = System.getProperty(HiveServerFactory.HIVESERVER2_TYPE);
+    }
+    if(type == null) {
+      type = HiveServerFactory.HiveServer2Type.InternalHiveServer2.name();
+    }
+    hiveServer2Type = HiveServerFactory.HiveServer2Type.valueOf(type.trim());
+    return HiveServerFactory.create(hiveServer2Type, properties,
+        baseDir, confDir, logDir, policyFile, fileSystem);
+  }
+
   protected void writePolicyFile(PolicyFile policyFile) throws Exception{
 
     policyFile.write(context.getPolicyFile());

sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestExportImportPrivileges.java

@@ -41,6 +41,8 @@ public void setup() throws Exception {
     Resources.copy(Resources.getResource(SINGLE_TYPE_DATA_FILE_NAME), to);
     to.close();
     policyFile = PolicyFile.setAdminOnServer1(ADMINGROUP);
+    policyFile.setUserGroupMapping(StaticUserGroup.getStaticMapping());
+    writePolicyFile(policyFile);
   }
 
   @Test
@@ -54,7 +56,6 @@ public void testInsertToDirPrivileges() throws Exception {
         .addRolesToGroup(USERGROUP2, "db1_read", "db1_write")
         .addPermissionsToRole("db1_write", "server=server1->db=" + DB1 + "->table=" + TBL1 + "->action=INSERT")
         .addPermissionsToRole("db1_read", "server=server1->db=" + DB1 + "->table=" + TBL1 + "->action=SELECT")
-        .setUserGroupMapping(StaticUserGroup.getStaticMapping())
         .addPermissionsToRole("data_dump", "server=server1->URI=" + dumpDir);
     writePolicyFile(policyFile);
 
@@ -93,21 +94,20 @@ public void testExportImportPrivileges() throws Exception {
     Connection connection = null;
     Statement statement = null;
     String exportDir = dfs.getBaseDir() + "/hive_export1";
+    dropDb(ADMIN1, DB1);
+    createDb(ADMIN1, DB1);
+    createTable(ADMIN1, DB1, dataFile, TBL1);
+
     policyFile
         .addRolesToGroup(USERGROUP1, "tab1_read", "tab1_write", "db1_all", "data_read", "data_export")
         .addRolesToGroup(USERGROUP2, "tab1_write", "tab1_read")
         .addPermissionsToRole("tab1_write", "server=server1->db=" + DB1 + "->table=" + TBL1 + "->action=INSERT")
         .addPermissionsToRole("tab1_read", "server=server1->db=" + DB1 + "->table=" + TBL1 + "->action=SELECT")
         .addPermissionsToRole("db1_all", "server=server1->db=" + DB1)
         .addPermissionsToRole("data_read", "server=server1->URI=file://" + dataFile.getPath())
-        .addPermissionsToRole("data_export", "server=server1->URI=" + exportDir)
-        .setUserGroupMapping(StaticUserGroup.getStaticMapping());
+        .addPermissionsToRole("data_export", "server=server1->URI=" + exportDir);
     writePolicyFile(policyFile);
 
-    dropDb(ADMIN1, DB1);
-    createDb(ADMIN1, DB1);
-    createTable(ADMIN1, DB1, dataFile, TBL1);
-
     // Negative test, user2 doesn't have access to the file being loaded
     connection = context.createConnection(USER2_1);
     statement = context.createStatement(connection);