Do not allow to create or drop mixed case Hive reserved role

trinodb · Jul 4, 2019 · 8d173de · 8d173de
1 parent 1b1eb8a
commit 8d173de
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/...ive/src/main/java/io/prestosql/plugin/hive/security/SqlStandardAccessControlMetadata.java b/...ive/src/main/java/io/prestosql/plugin/hive/security/SqlStandardAccessControlMetadata.java
@@ -37,6 +37,7 @@
 import static io.prestosql.plugin.hive.security.SqlStandardAccessControl.ADMIN_ROLE_NAME;
 import static io.prestosql.spi.StandardErrorCode.ALREADY_EXISTS;
 import static io.prestosql.spi.security.PrincipalType.USER;
+import static java.util.Locale.ENGLISH;
 import static java.util.Objects.requireNonNull;
 import static java.util.stream.Collectors.toSet;
 
@@ -55,20 +56,25 @@ public SqlStandardAccessControlMetadata(SemiTransactionalHiveMetastore metastore
     @Override
     public void createRole(ConnectorSession session, String role, Optional<HivePrincipal> grantor)
     {
-        // roles are case insensitive in Hive
-        if (RESERVED_ROLES.contains(role)) {
-            throw new PrestoException(ALREADY_EXISTS, "Role name cannot be one of the reserved roles: " + RESERVED_ROLES);
-        }
+        checkRoleIsNotReserved(role);
         metastore.createRole(role, null);
     }
 
     @Override
     public void dropRole(ConnectorSession session, String role)
     {
-        // roles are case insensitive in Hive
+        checkRoleIsNotReserved(role);
         metastore.dropRole(role);
     }
 
+    private static void checkRoleIsNotReserved(String role)
+    {
+        // roles are case insensitive in Hive
+        if (RESERVED_ROLES.contains(role.toLowerCase(ENGLISH))) {
+            throw new PrestoException(ALREADY_EXISTS, "Role name cannot be one of the reserved roles: " + RESERVED_ROLES);
+        }
+    }
+
     @Override
     public Set<String> listRoles(ConnectorSession session)
     {

diff --git a/presto-hive/src/test/java/io/prestosql/plugin/hive/TestHiveRoles.java b/presto-hive/src/test/java/io/prestosql/plugin/hive/TestHiveRoles.java
@@ -81,6 +81,7 @@ public void testCreateReservedRole()
         assertQueryFails(createAdminSession(), "CREATE ROLE all", "Role name cannot be one of the reserved roles: \\[all, default, none\\]");
         assertQueryFails(createAdminSession(), "CREATE ROLE default", "Role name cannot be one of the reserved roles: \\[all, default, none\\]");
         assertQueryFails(createAdminSession(), "CREATE ROLE none", "Role name cannot be one of the reserved roles: \\[all, default, none\\]");
+        assertQueryFails(createAdminSession(), "CREATE ROLE None", "Role name cannot be one of the reserved roles: \\[all, default, none\\]");
     }
 
     @Test