SENTRY-1068

sentry-binding/sentry-binding-hive/src/main/java/org/apache/hadoop/hive/ql/exec/SentryHivePrivilegeObjectDesc.java

@@ -22,6 +22,7 @@
 public class SentryHivePrivilegeObjectDesc extends PrivilegeObjectDesc {
   private boolean isUri;
   private boolean isServer;
+  private String owner;
 
   public SentryHivePrivilegeObjectDesc() {
     // reset table type which is on by default
@@ -48,4 +49,11 @@ public boolean isSentryPrivObjectDesc() {
     return isServer || isUri;
   }
 
+  public String getOwner() {
+    return owner;
+  }
+
+  public void setOwner(String owner) {
+    this.owner = owner;
+  }
 }

sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java

@@ -32,6 +32,7 @@
 import org.apache.hadoop.hive.ql.hooks.ReadEntity;
 import org.apache.hadoop.hive.ql.hooks.WriteEntity;
 import org.apache.hadoop.hive.ql.metadata.Hive;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
 import org.apache.hadoop.hive.ql.parse.ASTNode;
 import org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer;
 import org.apache.hadoop.hive.ql.parse.HiveParser;
@@ -60,8 +61,10 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization
 
   private static final Logger LOG = LoggerFactory.getLogger(SentryHiveAuthorizationTaskFactoryImpl.class);
 
-  public SentryHiveAuthorizationTaskFactoryImpl(HiveConf conf, Hive db) { //NOPMD
+  private final Hive db;
 
+  public SentryHiveAuthorizationTaskFactoryImpl(HiveConf conf, Hive db) { //NOPMD
+    this.db = db;
   }
 
   @Override
@@ -295,6 +298,17 @@ private SentryHivePrivilegeObjectDesc analyzePrivilegeObject(ASTNode ast)
           subject.setTable(true);
           String[] qualified = BaseSemanticAnalyzer.getQualifiedTableName(gchild);
           subject.setObject(qualified[1]);
+          try {
+            subject.setOwner(db.getTable(qualified[1]).getOwner());
+          } catch (HiveException e) {
+            // Ignore the exception.
+          }
+        } else if (astChild.getToken().getType() == HiveParser.TOK_DB_TYPE) {
+          try {
+            subject.setOwner(db.getDatabase(privilegeObject).getOwnerName());
+          } catch (HiveException e) {
+            // Ignore the exception.
+          }
         }
       for (int i = 1; i < astChild.getChildCount(); i++) {
         gchild = (ASTNode) astChild.getChild(i);

sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java

@@ -405,25 +405,23 @@ void clearAllTables() {
     }
   }
 
-  public CommitContext alterSentryRoleGrantPrivilege(String grantorPrincipal,
-      String roleName, TSentryPrivilege privilege)
-      throws SentryUserException {
-    return alterSentryRoleGrantPrivileges(grantorPrincipal,
-        roleName, Sets.newHashSet(privilege));
+  public CommitContext alterSentryRoleGrantPrivilege(String grantorPrincipal, String roleName,
+      TSentryPrivilege privilege) throws SentryUserException {
+    return alterSentryRoleGrantPrivileges(grantorPrincipal, roleName, Sets.newHashSet(privilege));
   }
 
-  public CommitContext alterSentryRoleGrantPrivileges(String grantorPrincipal,
-      String roleName, Set<TSentryPrivilege> privileges)
-      throws SentryUserException {
+  public CommitContext alterSentryRoleGrantPrivileges(String grantorPrincipal, String roleName,
+      Set<TSentryPrivilege> privileges) throws SentryUserException {
     boolean rollbackTransaction = true;
     PersistenceManager pm = null;
     roleName = trimAndLower(roleName);
     try {
       pm = openTransaction();
       for (TSentryPrivilege privilege : privileges) {
-        // first do grant check
-        grantOptionCheck(pm, grantorPrincipal, privilege);
-
+        if (privilege.isCheckGrantOperation()) {
+          // first do grant check
+          grantOptionCheck(pm, grantorPrincipal, privilege);
+        }
         MSentryPrivilege mPrivilege = alterSentryRoleGrantPrivilegeCore(pm, roleName, privilege);
 
         if (mPrivilege != null) {
@@ -498,23 +496,23 @@ private MSentryPrivilege alterSentryRoleGrantPrivilegeCore(PersistenceManager pm
     return mPrivilege;
   }
 
-  public CommitContext alterSentryRoleRevokePrivilege(String grantorPrincipal,
-      String roleName, TSentryPrivilege tPrivilege) throws SentryUserException {
-    return alterSentryRoleRevokePrivileges(grantorPrincipal,
-        roleName, Sets.newHashSet(tPrivilege));
+  public CommitContext alterSentryRoleRevokePrivilege(String grantorPrincipal, String roleName,
+      TSentryPrivilege tPrivilege) throws SentryUserException {
+    return alterSentryRoleRevokePrivileges(grantorPrincipal, roleName, Sets.newHashSet(tPrivilege));
   }
 
-  public CommitContext alterSentryRoleRevokePrivileges(String grantorPrincipal,
-      String roleName, Set<TSentryPrivilege> tPrivileges) throws SentryUserException {
-    boolean rollbackTransaction = true;
+  public CommitContext alterSentryRoleRevokePrivileges(String grantorPrincipal, String roleName,
+      Set<TSentryPrivilege> tPrivileges) throws SentryUserException {
+   boolean rollbackTransaction = true;
     PersistenceManager pm = null;
     roleName = safeTrimLower(roleName);
     try {
       pm = openTransaction();
       for (TSentryPrivilege tPrivilege : tPrivileges) {
-        // first do revoke check
-        grantOptionCheck(pm, grantorPrincipal, tPrivilege);
-
+        if (tPrivilege.isCheckGrantOperation()) {
+          // first do revoke check
+          grantOptionCheck(pm, grantorPrincipal, tPrivilege);
+        }
         alterSentryRoleRevokePrivilegeCore(pm, roleName, tPrivilege);
       }