Add grantor to HivePrivilegeInfo

Extracted-From: prestodb/presto#10904

presto-hive/src/main/java/io/prestosql/plugin/hive/HiveMetadata.java

@@ -837,12 +837,13 @@ private static Table buildTableObject(
 
     private static PrincipalPrivileges buildInitialPrivilegeSet(String tableOwner)
     {
+        PrestoPrincipal grantor = new PrestoPrincipal(USER, tableOwner);
         return new PrincipalPrivileges(
                 ImmutableMultimap.<String, HivePrivilegeInfo>builder()
-                        .put(tableOwner, new HivePrivilegeInfo(HivePrivilege.SELECT, true))
-                        .put(tableOwner, new HivePrivilegeInfo(HivePrivilege.INSERT, true))
-                        .put(tableOwner, new HivePrivilegeInfo(HivePrivilege.UPDATE, true))
-                        .put(tableOwner, new HivePrivilegeInfo(HivePrivilege.DELETE, true))
+                        .put(tableOwner, new HivePrivilegeInfo(HivePrivilege.SELECT, true, grantor))
+                        .put(tableOwner, new HivePrivilegeInfo(HivePrivilege.INSERT, true, grantor))
+                        .put(tableOwner, new HivePrivilegeInfo(HivePrivilege.UPDATE, true, grantor))
+                        .put(tableOwner, new HivePrivilegeInfo(HivePrivilege.DELETE, true, grantor))
                         .build(),
                 ImmutableMultimap.of());
     }
@@ -1820,7 +1821,7 @@ public void grantTablePrivileges(ConnectorSession session, SchemaTableName schem
         String tableName = schemaTableName.getTableName();
 
         Set<HivePrivilegeInfo> hivePrivilegeInfos = privileges.stream()
-                .map(privilege -> new HivePrivilegeInfo(toHivePrivilege(privilege), grantOption))
+                .map(privilege -> new HivePrivilegeInfo(toHivePrivilege(privilege), grantOption, new PrestoPrincipal(USER, session.getUser())))
                 .collect(toSet());
 
         metastore.grantTablePrivileges(schemaName, tableName, grantee, hivePrivilegeInfos);
@@ -1833,7 +1834,7 @@ public void revokeTablePrivileges(ConnectorSession session, SchemaTableName sche
         String tableName = schemaTableName.getTableName();
 
         Set<HivePrivilegeInfo> hivePrivilegeInfos = privileges.stream()
-                .map(privilege -> new HivePrivilegeInfo(toHivePrivilege(privilege), grantOption))
+                .map(privilege -> new HivePrivilegeInfo(toHivePrivilege(privilege), grantOption, new PrestoPrincipal(USER, session.getUser())))
                 .collect(toSet());
 
         metastore.revokeTablePrivileges(schemaName, tableName, grantee, hivePrivilegeInfos);

presto-hive/src/main/java/io/prestosql/plugin/hive/metastore/HivePrivilegeInfo.java

@@ -16,6 +16,7 @@
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.google.common.collect.ImmutableSet;
+import io.prestosql.spi.security.PrestoPrincipal;
 import io.prestosql.spi.security.Privilege;
 import io.prestosql.spi.security.PrivilegeInfo;
 
@@ -43,14 +44,17 @@ public enum HivePrivilege
 
     private final HivePrivilege hivePrivilege;
     private final boolean grantOption;
+    private final PrestoPrincipal grantor;
 
     @JsonCreator
     public HivePrivilegeInfo(
             @JsonProperty("hivePrivilege") HivePrivilege hivePrivilege,
-            @JsonProperty("grantOption") boolean grantOption)
+            @JsonProperty("grantOption") boolean grantOption,
+            @JsonProperty("grantor") PrestoPrincipal grantor)
     {
         this.hivePrivilege = requireNonNull(hivePrivilege, "hivePrivilege is null");
         this.grantOption = grantOption;
+        this.grantor = requireNonNull(grantor, "grantor is null");
     }
 
     @JsonProperty
@@ -65,6 +69,12 @@ public boolean isGrantOption()
         return grantOption;
     }
 
+    @JsonProperty
+    public PrestoPrincipal getGrantor()
+    {
+        return grantor;
+    }
+
     public static HivePrivilege toHivePrivilege(Privilege privilege)
     {
         switch (privilege) {

presto-hive/src/main/java/io/prestosql/plugin/hive/metastore/SemiTransactionalHiveMetastore.java

@@ -82,6 +82,7 @@
 import static io.prestosql.spi.StandardErrorCode.ALREADY_EXISTS;
 import static io.prestosql.spi.StandardErrorCode.NOT_SUPPORTED;
 import static io.prestosql.spi.StandardErrorCode.TRANSACTION_CONFLICT;
+import static io.prestosql.spi.security.PrincipalType.USER;
 import static java.lang.String.format;
 import static java.util.Objects.requireNonNull;
 import static org.apache.hadoop.hive.common.FileUtils.makePartName;
@@ -788,7 +789,7 @@ public synchronized Set<HivePrivilegeInfo> listTablePrivileges(String databaseNa
                 Collection<HivePrivilegeInfo> privileges = tableAction.getData().getPrincipalPrivileges().getUserPrivileges().get(principal.getName());
                 return ImmutableSet.<HivePrivilegeInfo>builder()
                         .addAll(privileges)
-                        .add(new HivePrivilegeInfo(OWNERSHIP, true))
+                        .add(new HivePrivilegeInfo(OWNERSHIP, true, new PrestoPrincipal(USER, principal.getName())))
                         .build();
             }
             case INSERT_EXISTING:

presto-hive/src/main/java/io/prestosql/plugin/hive/metastore/file/FileHiveMetastore.java

@@ -944,7 +944,7 @@ public synchronized Set<HivePrivilegeInfo> listTablePrivileges(String databaseNa
         ImmutableSet.Builder<HivePrivilegeInfo> result = ImmutableSet.builder();
         Table table = getRequiredTable(databaseName, tableName);
         if (principal.getType() == USER && table.getOwner().equals(principal.getName())) {
-            result.add(new HivePrivilegeInfo(OWNERSHIP, true));
+            result.add(new HivePrivilegeInfo(OWNERSHIP, true, principal));
         }
         Path permissionFilePath = getPermissionsPath(getPermissionsDirectory(table), principal);
         result.addAll(readFile("permissions", permissionFilePath, permissionsCodec).orElse(ImmutableList.of()).stream()

presto-hive/src/main/java/io/prestosql/plugin/hive/metastore/file/PermissionMetadata.java

@@ -17,7 +17,9 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import io.prestosql.plugin.hive.metastore.HivePrivilegeInfo;
 import io.prestosql.plugin.hive.metastore.HivePrivilegeInfo.HivePrivilege;
+import io.prestosql.spi.security.PrestoPrincipal;
 
+import static io.prestosql.spi.security.PrincipalType.USER;
 import static java.util.Objects.requireNonNull;
 
 public class PermissionMetadata
@@ -54,6 +56,6 @@ public boolean isGrantOption()
 
     public HivePrivilegeInfo toHivePrivilegeInfo()
     {
-        return new HivePrivilegeInfo(permission, grantOption);
+        return new HivePrivilegeInfo(permission, grantOption, new PrestoPrincipal(USER, "admin"));
     }
 }

presto-hive/src/main/java/io/prestosql/plugin/hive/metastore/thrift/ThriftHiveMetastore.java

@@ -92,7 +92,6 @@
 import static io.prestosql.plugin.hive.metastore.thrift.ThriftMetastoreUtil.getHiveBasicStatistics;
 import static io.prestosql.plugin.hive.metastore.thrift.ThriftMetastoreUtil.parsePrivilege;
 import static io.prestosql.plugin.hive.metastore.thrift.ThriftMetastoreUtil.toMetastoreApiPartition;
-import static io.prestosql.plugin.hive.metastore.thrift.ThriftMetastoreUtil.toMetastoreApiPrivilegeGrantInfo;
 import static io.prestosql.plugin.hive.metastore.thrift.ThriftMetastoreUtil.updateStatisticsParameters;
 import static io.prestosql.spi.StandardErrorCode.ALREADY_EXISTS;
 import static io.prestosql.spi.StandardErrorCode.NOT_SUPPORTED;
@@ -1155,7 +1154,7 @@ public List<Partition> getPartitionsByNames(String databaseName, String tableNam
     public void grantTablePrivileges(String databaseName, String tableName, PrestoPrincipal grantee, Set<HivePrivilegeInfo> privileges)
     {
         Set<PrivilegeGrantInfo> requestedPrivileges = privileges.stream()
-                .map(privilege -> toMetastoreApiPrivilegeGrantInfo(grantee, privilege))
+                .map(ThriftMetastoreUtil::toMetastoreApiPrivilegeGrantInfo)
                 .collect(Collectors.toSet());
         checkArgument(!containsAllPrivilege(requestedPrivileges), "\"ALL\" not supported in PrivilegeGrantInfo.privilege");
 
@@ -1206,7 +1205,7 @@ else if (existingPrivilege.isContainedIn(requestedPrivilege)) {
     public void revokeTablePrivileges(String databaseName, String tableName, PrestoPrincipal grantee, Set<HivePrivilegeInfo> privileges)
     {
         Set<PrivilegeGrantInfo> requestedPrivileges = privileges.stream()
-                .map(privilege -> toMetastoreApiPrivilegeGrantInfo(grantee, privilege))
+                .map(ThriftMetastoreUtil::toMetastoreApiPrivilegeGrantInfo)
                 .collect(Collectors.toSet());
         checkArgument(!containsAllPrivilege(requestedPrivileges), "\"ALL\" not supported in PrivilegeGrantInfo.privilege");
 
@@ -1251,7 +1250,7 @@ public Set<HivePrivilegeInfo> listTablePrivileges(String databaseName, String ta
                             Table table = client.getTable(databaseName, tableName);
                             ImmutableSet.Builder<HivePrivilegeInfo> privileges = ImmutableSet.builder();
                             if (principal.getType() == USER && table.getOwner().equals(principal.getName())) {
-                                privileges.add(new HivePrivilegeInfo(OWNERSHIP, true));
+                                privileges.add(new HivePrivilegeInfo(OWNERSHIP, true, principal));
                             }
                             List<HiveObjectPrivilege> hiveObjectPrivilegeList = client.listPrivileges(
                                     principal.getName(),

presto-hive/src/main/java/io/prestosql/plugin/hive/metastore/thrift/ThriftMetastoreUtil.java

@@ -125,6 +125,7 @@
 import static java.lang.Math.round;
 import static java.lang.String.format;
 import static java.util.Locale.ENGLISH;
+import static java.util.Objects.requireNonNull;
 import static java.util.stream.Collectors.toList;
 import static java.util.stream.Collectors.toSet;
 import static org.apache.hadoop.hive.metastore.api.ColumnStatisticsData.binaryStats;
@@ -168,38 +169,38 @@ public static org.apache.hadoop.hive.metastore.api.Table toMetastoreApiTable(Tab
         result.setParameters(table.getParameters());
         result.setPartitionKeys(table.getPartitionColumns().stream().map(ThriftMetastoreUtil::toMetastoreApiFieldSchema).collect(toList()));
         result.setSd(makeStorageDescriptor(table.getTableName(), table.getDataColumns(), table.getStorage()));
-        result.setPrivileges(toMetastoreApiPrincipalPrivilegeSet(new PrestoPrincipal(USER, table.getOwner()), privileges));
+        result.setPrivileges(toMetastoreApiPrincipalPrivilegeSet(privileges));
         result.setViewOriginalText(table.getViewOriginalText().orElse(null));
         result.setViewExpandedText(table.getViewExpandedText().orElse(null));
         return result;
     }
 
-    private static PrincipalPrivilegeSet toMetastoreApiPrincipalPrivilegeSet(PrestoPrincipal grantee, PrincipalPrivileges privileges)
+    private static PrincipalPrivilegeSet toMetastoreApiPrincipalPrivilegeSet(PrincipalPrivileges privileges)
     {
         ImmutableMap.Builder<String, List<PrivilegeGrantInfo>> userPrivileges = ImmutableMap.builder();
         for (Map.Entry<String, Collection<HivePrivilegeInfo>> entry : privileges.getUserPrivileges().asMap().entrySet()) {
             userPrivileges.put(entry.getKey(), entry.getValue().stream()
-                    .map(privilegeInfo -> toMetastoreApiPrivilegeGrantInfo(grantee, privilegeInfo))
+                    .map(ThriftMetastoreUtil::toMetastoreApiPrivilegeGrantInfo)
                     .collect(toList()));
         }
 
         ImmutableMap.Builder<String, List<PrivilegeGrantInfo>> rolePrivileges = ImmutableMap.builder();
         for (Map.Entry<String, Collection<HivePrivilegeInfo>> entry : privileges.getRolePrivileges().asMap().entrySet()) {
             rolePrivileges.put(entry.getKey(), entry.getValue().stream()
-                    .map(privilegeInfo -> toMetastoreApiPrivilegeGrantInfo(grantee, privilegeInfo))
+                    .map(ThriftMetastoreUtil::toMetastoreApiPrivilegeGrantInfo)
                     .collect(toList()));
         }
 
         return new PrincipalPrivilegeSet(userPrivileges.build(), ImmutableMap.of(), rolePrivileges.build());
     }
 
-    public static PrivilegeGrantInfo toMetastoreApiPrivilegeGrantInfo(PrestoPrincipal grantee, HivePrivilegeInfo privilegeInfo)
+    public static PrivilegeGrantInfo toMetastoreApiPrivilegeGrantInfo(HivePrivilegeInfo privilegeInfo)
     {
         return new PrivilegeGrantInfo(
                 privilegeInfo.getHivePrivilege().name().toLowerCase(Locale.ENGLISH),
                 0,
-                grantee.getName(),
-                fromPrestoPrincipalType(grantee.getType()),
+                privilegeInfo.getGrantor().getName(),
+                fromPrestoPrincipalType(privilegeInfo.getGrantor().getType()),
                 privilegeInfo.isGrantOption());
     }
 
@@ -585,6 +586,7 @@ public static org.apache.hadoop.hive.metastore.api.PrincipalType fromPrestoPrinc
 
     public static PrincipalType fromMetastoreApiPrincipalType(org.apache.hadoop.hive.metastore.api.PrincipalType principalType)
     {
+        requireNonNull(principalType, "principalType is null");
         switch (principalType) {
             case USER:
                 return USER;
@@ -657,21 +659,22 @@ public static Set<HivePrivilegeInfo> parsePrivilege(PrivilegeGrantInfo userGrant
     {
         boolean withGrantOption = userGrant.isGrantOption();
         String name = userGrant.getPrivilege().toUpperCase(ENGLISH);
+        PrestoPrincipal grantor = new PrestoPrincipal(ThriftMetastoreUtil.fromMetastoreApiPrincipalType(userGrant.getGrantorType()), userGrant.getGrantor());
         switch (name) {
             case "ALL":
                 return Arrays.stream(HivePrivilegeInfo.HivePrivilege.values())
-                        .map(hivePrivilege -> new HivePrivilegeInfo(hivePrivilege, withGrantOption))
+                        .map(hivePrivilege -> new HivePrivilegeInfo(hivePrivilege, withGrantOption, grantor))
                         .collect(toImmutableSet());
             case "SELECT":
-                return ImmutableSet.of(new HivePrivilegeInfo(SELECT, withGrantOption));
+                return ImmutableSet.of(new HivePrivilegeInfo(SELECT, withGrantOption, grantor));
             case "INSERT":
-                return ImmutableSet.of(new HivePrivilegeInfo(INSERT, withGrantOption));
+                return ImmutableSet.of(new HivePrivilegeInfo(INSERT, withGrantOption, grantor));
             case "UPDATE":
-                return ImmutableSet.of(new HivePrivilegeInfo(UPDATE, withGrantOption));
+                return ImmutableSet.of(new HivePrivilegeInfo(UPDATE, withGrantOption, grantor));
             case "DELETE":
-                return ImmutableSet.of(new HivePrivilegeInfo(DELETE, withGrantOption));
+                return ImmutableSet.of(new HivePrivilegeInfo(DELETE, withGrantOption, grantor));
             case "OWNERSHIP":
-                return ImmutableSet.of(new HivePrivilegeInfo(OWNERSHIP, withGrantOption));
+                return ImmutableSet.of(new HivePrivilegeInfo(OWNERSHIP, withGrantOption, grantor));
             default:
                 throw new IllegalArgumentException("Unsupported privilege name: " + name);
         }

presto-hive/src/main/java/io/prestosql/plugin/hive/security/SqlStandardAccessControl.java

@@ -16,7 +16,6 @@
 import io.prestosql.plugin.hive.HiveConnectorId;
 import io.prestosql.plugin.hive.HiveTransactionHandle;
 import io.prestosql.plugin.hive.metastore.Database;
-import io.prestosql.plugin.hive.metastore.HivePrivilegeInfo;
 import io.prestosql.plugin.hive.metastore.SemiTransactionalHiveMetastore;
 import io.prestosql.spi.connector.ConnectorAccessControl;
 import io.prestosql.spi.connector.ConnectorTransactionHandle;
@@ -419,7 +418,8 @@ private boolean hasGrantOptionForPrivilege(ConnectorTransactionHandle transactio
                 tableName.getSchemaName(),
                 tableName.getTableName(),
                 identity.getUser())
-                .contains(new HivePrivilegeInfo(toHivePrivilege(privilege), true));
+                .stream()
+                .anyMatch(privilegeInfo -> privilegeInfo.getHivePrivilege().equals(toHivePrivilege(privilege)) && privilegeInfo.isGrantOption());
     }
 
     private boolean hasAdminOptionForRoles(ConnectorTransactionHandle transaction, ConnectorIdentity identity, Set<String> roles)